From f09d7d2652b66e9881d6a6bda67e4bec995c51ba Mon Sep 17 00:00:00 2001
From: Tobias Eidelpes
Date: Wed, 17 Nov 2021 18:07:05 +0100
Subject: [PATCH] Add image1 report
---
 connections-image1.txt | 4 +
 envars-image1.txt | 333 +++++++++++++++++++++++++++++++++++++++++
 iehistory-image1.txt | 12 ++
 imageinfo-image1.txt | 12 ++
 malfind-image1.txt | 45 ++++++
 processes-image1.txt | 39 +++++
 report.tex | 84 +++++++++++
 screenshot.png | Bin 0 -> 8081 bytes
 8 files changed, 529 insertions(+)
 create mode 100644 connections-image1.txt
 create mode 100644 envars-image1.txt
 create mode 100644 iehistory-image1.txt
 create mode 100644 imageinfo-image1.txt
 create mode 100644 malfind-image1.txt
 create mode 100644 processes-image1.txt
 create mode 100644 screenshot.png
diff --git a/connections-image1.txt b/connections-image1.txt
new file mode 100644
index 0000000..ac1bf02
--- /dev/null
+++ b/connections-image1.txt
@@ -0,0 +1,4 @@
+Offset(P) Local Address Remote Address Pid
+---------- ------------------------- ------------------------- ---
+0x01ff1330 192.168.187.130:1037 99.1.23.71:443 3708
+0x023c9638 192.168.187.130:1035 2.21.99.235:443 1032
diff --git a/envars-image1.txt b/envars-image1.txt
new file mode 100644
index 0000000..dc69d88
--- /dev/null
+++ b/envars-image1.txt
@@ -0,0 +1,333 @@ +Volatility 3 Framework 1.0.1 + +PID Process Block Variable Value + +600 csrss.exe 0x110048 ComSpec C:\WINDOWS\system32\cmd.exe +600 csrss.exe 0x110048 FP_NO_HOST_CHECK NO +600 csrss.exe 0x110048 NUMBER_OF_PROCESSORS 1 +600 csrss.exe 0x110048 OS Windows_NT +600 csrss.exe 0x110048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +600 csrss.exe 0x110048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +600 csrss.exe 0x110048 PROCESSOR_ARCHITECTURE x86 +600 csrss.exe 0x110048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +600 csrss.exe 0x110048 PROCESSOR_LEVEL 6 +600 csrss.exe 0x110048 PROCESSOR_REVISION 2502 +600 csrss.exe 0x110048 SystemDrive C: +600 csrss.exe 0x110048 SystemRoot C:\WINDOWS +600 csrss.exe 0x110048 TEMP C:\WINDOWS\TEMP +600 csrss.exe 0x110048 TMP C:\WINDOWS\TEMP +600 csrss.exe 0x110048 windir C:\WINDOWS +624 winlogon.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +624 winlogon.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +624 winlogon.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +624 winlogon.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +624 winlogon.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +624 winlogon.exe 0x20048 FP_NO_HOST_CHECK NO +624 winlogon.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +624 winlogon.exe 0x20048 NUMBER_OF_PROCESSORS 1 +624 winlogon.exe 0x20048 OS Windows_NT +624 winlogon.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +624 winlogon.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +624 winlogon.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +624 winlogon.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +624 winlogon.exe 0x20048 PROCESSOR_LEVEL 6 +624 winlogon.exe 0x20048 PROCESSOR_REVISION 2502 +624 winlogon.exe 0x20048 ProgramFiles C:\Program Files +624 winlogon.exe 0x20048 SystemDrive C: +624 winlogon.exe 0x20048 SystemRoot C:\WINDOWS 
+624 winlogon.exe 0x20048 TEMP C:\WINDOWS\TEMP +624 winlogon.exe 0x20048 TMP C:\WINDOWS\TEMP +1032 svchost.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +1032 svchost.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +1032 svchost.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +1032 svchost.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +1032 svchost.exe 0x20048 FP_NO_HOST_CHECK NO +1032 svchost.exe 0x20048 NUMBER_OF_PROCESSORS 1 +1032 svchost.exe 0x20048 OS Windows_NT +1032 svchost.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +1032 svchost.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +1032 svchost.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +1032 svchost.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +1032 svchost.exe 0x20048 PROCESSOR_LEVEL 6 +1032 svchost.exe 0x20048 PROCESSOR_REVISION 2502 +1032 svchost.exe 0x20048 ProgramFiles C:\Program Files +1032 svchost.exe 0x20048 SystemDrive C: +1032 svchost.exe 0x20048 SystemRoot C:\WINDOWS +1032 svchost.exe 0x20048 TEMP C:\WINDOWS\TEMP +1032 svchost.exe 0x20048 TMP C:\WINDOWS\TEMP +1032 svchost.exe 0x20048 USERPROFILE C:\Documents and Settings\NetworkService +1032 svchost.exe 0x20048 windir C:\WINDOWS +1512 explorer.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +1512 explorer.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +1512 explorer.exe 0x20048 CLIENTNAME Console +1512 explorer.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +1512 explorer.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +1512 explorer.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +1512 explorer.exe 0x20048 FP_NO_HOST_CHECK NO +1512 explorer.exe 0x20048 HOMEDRIVE C: +1512 explorer.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +1512 explorer.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +1512 explorer.exe 0x20048 NUMBER_OF_PROCESSORS 1 +1512 explorer.exe 0x20048 OS Windows_NT +1512 
explorer.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +1512 explorer.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +1512 explorer.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +1512 explorer.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +1512 explorer.exe 0x20048 PROCESSOR_LEVEL 6 +1512 explorer.exe 0x20048 PROCESSOR_REVISION 2502 +1512 explorer.exe 0x20048 ProgramFiles C:\Program Files +1512 explorer.exe 0x20048 SESSIONNAME Console +1512 explorer.exe 0x20048 SystemDrive C: +1512 explorer.exe 0x20048 SystemRoot C:\WINDOWS +1512 explorer.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1752 VMwareTray.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +1752 VMwareTray.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +1752 VMwareTray.exe 0x20048 CLIENTNAME Console +1752 VMwareTray.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +1752 VMwareTray.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +1752 VMwareTray.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +1752 VMwareTray.exe 0x20048 FP_NO_HOST_CHECK NO +1752 VMwareTray.exe 0x20048 HOMEDRIVE C: +1752 VMwareTray.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +1752 VMwareTray.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +1752 VMwareTray.exe 0x20048 NUMBER_OF_PROCESSORS 1 +1752 VMwareTray.exe 0x20048 OS Windows_NT +1752 VMwareTray.exe 0x20048 Path C:\Program Files\VMware\VMware Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +1752 VMwareTray.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +1752 VMwareTray.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +1752 VMwareTray.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +1752 VMwareTray.exe 0x20048 PROCESSOR_LEVEL 6 +1752 VMwareTray.exe 0x20048 PROCESSOR_REVISION 2502 +1752 VMwareTray.exe 0x20048 ProgramFiles C:\Program Files +1752 VMwareTray.exe 0x20048 SESSIONNAME Console +1752 
VMwareTray.exe 0x20048 SystemDrive C: +1752 VMwareTray.exe 0x20048 SystemRoot C:\WINDOWS +1752 VMwareTray.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1752 VMwareTray.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1752 VMwareTray.exe 0x20048 USERDOMAIN SECURITY-91B8EC +1752 VMwareTray.exe 0x20048 USERNAME Administrator +1772 VMwareUser.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +1772 VMwareUser.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +1772 VMwareUser.exe 0x20048 CLIENTNAME Console +1772 VMwareUser.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +1772 VMwareUser.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +1772 VMwareUser.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +1772 VMwareUser.exe 0x20048 FP_NO_HOST_CHECK NO +1772 VMwareUser.exe 0x20048 HOMEDRIVE C: +1772 VMwareUser.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +1772 VMwareUser.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +1772 VMwareUser.exe 0x20048 NUMBER_OF_PROCESSORS 1 +1772 VMwareUser.exe 0x20048 OS Windows_NT +1772 VMwareUser.exe 0x20048 Path C:\Program Files\VMware\VMware Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +1772 VMwareUser.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +1772 VMwareUser.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +1772 VMwareUser.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +1772 VMwareUser.exe 0x20048 PROCESSOR_LEVEL 6 +1772 VMwareUser.exe 0x20048 PROCESSOR_REVISION 2502 +1772 VMwareUser.exe 0x20048 ProgramFiles C:\Program Files +1772 VMwareUser.exe 0x20048 SESSIONNAME Console +1772 VMwareUser.exe 0x20048 SystemDrive C: +1772 VMwareUser.exe 0x20048 SystemRoot C:\WINDOWS +1772 VMwareUser.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1772 VMwareUser.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1772 VMwareUser.exe 0x20048 USERDOMAIN SECURITY-91B8EC +1772 VMwareUser.exe 0x20048 USERNAME Administrator +1796 
AdobeARM.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +1796 AdobeARM.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +1796 AdobeARM.exe 0x20048 CLIENTNAME Console +1796 AdobeARM.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +1796 AdobeARM.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +1796 AdobeARM.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +1796 AdobeARM.exe 0x20048 FP_NO_HOST_CHECK NO +1796 AdobeARM.exe 0x20048 HOMEDRIVE C: +1796 AdobeARM.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +1796 AdobeARM.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +1796 AdobeARM.exe 0x20048 NUMBER_OF_PROCESSORS 1 +1796 AdobeARM.exe 0x20048 OS Windows_NT +1796 AdobeARM.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +1796 AdobeARM.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +1796 AdobeARM.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +1796 AdobeARM.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +1796 AdobeARM.exe 0x20048 PROCESSOR_LEVEL 6 +1796 AdobeARM.exe 0x20048 PROCESSOR_REVISION 2502 +1796 AdobeARM.exe 0x20048 ProgramFiles C:\Program Files +1796 AdobeARM.exe 0x20048 SESSIONNAME Console +1796 AdobeARM.exe 0x20048 SystemDrive C: +1796 AdobeARM.exe 0x20048 SystemRoot C:\WINDOWS +1796 AdobeARM.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1796 AdobeARM.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +1796 AdobeARM.exe 0x20048 USERDOMAIN SECURITY-91B8EC +1796 AdobeARM.exe 0x20048 USERNAME Administrator +1796 AdobeARM.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator +252 vmtoolsd.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +252 vmtoolsd.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +252 vmtoolsd.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +252 vmtoolsd.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +252 vmtoolsd.exe 0x20048 FP_NO_HOST_CHECK NO +252 vmtoolsd.exe 0x20048 
NUMBER_OF_PROCESSORS 1 +252 vmtoolsd.exe 0x20048 OS Windows_NT +252 vmtoolsd.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +252 vmtoolsd.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +252 vmtoolsd.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +252 vmtoolsd.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +252 vmtoolsd.exe 0x20048 PROCESSOR_LEVEL 6 +252 vmtoolsd.exe 0x20048 PROCESSOR_REVISION 2502 +252 vmtoolsd.exe 0x20048 ProgramFiles C:\Program Files +252 vmtoolsd.exe 0x20048 SystemDrive C: +252 vmtoolsd.exe 0x20048 SystemRoot C:\WINDOWS +252 vmtoolsd.exe 0x20048 TEMP C:\WINDOWS\TEMP +252 vmtoolsd.exe 0x20048 TMP C:\WINDOWS\TEMP +252 vmtoolsd.exe 0x20048 USERPROFILE C:\Documents and Settings\LocalService +252 vmtoolsd.exe 0x20048 windir C:\WINDOWS +992 wmiprvse.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +992 wmiprvse.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +992 wmiprvse.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +992 wmiprvse.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +992 wmiprvse.exe 0x20048 FP_NO_HOST_CHECK NO +992 wmiprvse.exe 0x20048 NUMBER_OF_PROCESSORS 1 +992 wmiprvse.exe 0x20048 OS Windows_NT +992 wmiprvse.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +992 wmiprvse.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +992 wmiprvse.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +992 wmiprvse.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +992 wmiprvse.exe 0x20048 PROCESSOR_LEVEL 6 +992 wmiprvse.exe 0x20048 PROCESSOR_REVISION 2502 +992 wmiprvse.exe 0x20048 ProgramFiles C:\Program Files +992 wmiprvse.exe 0x20048 SystemDrive C: +992 wmiprvse.exe 0x20048 SystemRoot C:\WINDOWS +992 wmiprvse.exe 0x20048 TEMP C:\WINDOWS\TEMP +992 wmiprvse.exe 0x20048 TMP C:\WINDOWS\TEMP +992 wmiprvse.exe 0x20048 USERPROFILE C:\WINDOWS\system32\config\systemprofile +992 wmiprvse.exe 0x20048 windir 
C:\WINDOWS +1132 wuauclt.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +1132 wuauclt.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +1132 wuauclt.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +1132 wuauclt.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +1132 wuauclt.exe 0x20048 FP_NO_HOST_CHECK NO +1132 wuauclt.exe 0x20048 NUMBER_OF_PROCESSORS 1 +1132 wuauclt.exe 0x20048 OS Windows_NT +1132 wuauclt.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +1132 wuauclt.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +1132 wuauclt.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +1132 wuauclt.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +1132 wuauclt.exe 0x20048 PROCESSOR_LEVEL 6 +1132 wuauclt.exe 0x20048 PROCESSOR_REVISION 2502 +1132 wuauclt.exe 0x20048 ProgramFiles C:\Program Files +1132 wuauclt.exe 0x20048 SystemDrive C: +1132 wuauclt.exe 0x20048 SystemRoot C:\WINDOWS +1132 wuauclt.exe 0x20048 TEMP C:\WINDOWS\TEMP +1132 wuauclt.exe 0x20048 TMP C:\WINDOWS\TEMP +1132 wuauclt.exe 0x20048 USERPROFILE C:\Documents and Settings\NetworkService +1132 wuauclt.exe 0x20048 windir C:\WINDOWS +3692 AcroRd32.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +3692 AcroRd32.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +3692 AcroRd32.exe 0x20048 CLIENTNAME Console +3692 AcroRd32.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +3692 AcroRd32.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +3692 AcroRd32.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +3692 AcroRd32.exe 0x20048 FP_NO_HOST_CHECK NO +3692 AcroRd32.exe 0x20048 HOMEDRIVE C: +3692 AcroRd32.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +3692 AcroRd32.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +3692 AcroRd32.exe 0x20048 NUMBER_OF_PROCESSORS 1 +3692 AcroRd32.exe 0x20048 OS Windows_NT +3692 AcroRd32.exe 0x20048 Path C:\Program Files\Adobe\Reader 
9.0\Reader\plug_ins;C:\Program Files\Adobe\Reader 9.0\Reader\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +3692 AcroRd32.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +3692 AcroRd32.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +3692 AcroRd32.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +3692 AcroRd32.exe 0x20048 PROCESSOR_LEVEL 6 +3692 AcroRd32.exe 0x20048 PROCESSOR_REVISION 2502 +3692 AcroRd32.exe 0x20048 ProgramFiles C:\Program Files +3692 AcroRd32.exe 0x20048 SESSIONNAME Console +3692 AcroRd32.exe 0x20048 SystemDrive C: +3692 AcroRd32.exe 0x20048 SystemRoot C:\WINDOWS +3692 AcroRd32.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3692 AcroRd32.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3692 AcroRd32.exe 0x20048 USERDOMAIN SECURITY-91B8EC +3692 AcroRd32.exe 0x20048 USERNAME Administrator +3692 AcroRd32.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator +3692 AcroRd32.exe 0x20048 windir C:\WINDOWS +3728 AcroRd32Info.ex 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +3728 AcroRd32Info.ex 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +3728 AcroRd32Info.ex 0x20048 CLIENTNAME Console +3728 AcroRd32Info.ex 0x20048 CommonProgramFiles C:\Program Files\Common Files +3728 AcroRd32Info.ex 0x20048 COMPUTERNAME SECURITY-91B8EC +3728 AcroRd32Info.ex 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +3728 AcroRd32Info.ex 0x20048 FP_NO_HOST_CHECK NO +3728 AcroRd32Info.ex 0x20048 HOMEDRIVE C: +3728 AcroRd32Info.ex 0x20048 HOMEPATH \Documents and Settings\Administrator +3728 AcroRd32Info.ex 0x20048 LOGONSERVER \\SECURITY-91B8EC +3728 AcroRd32Info.ex 0x20048 NUMBER_OF_PROCESSORS 1 +3728 AcroRd32Info.ex 0x20048 OS Windows_NT +3728 AcroRd32Info.ex 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +3728 AcroRd32Info.ex 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +3728 AcroRd32Info.ex 0x20048 PROCESSOR_ARCHITECTURE x86 
+3728 AcroRd32Info.ex 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +3728 AcroRd32Info.ex 0x20048 PROCESSOR_LEVEL 6 +3728 AcroRd32Info.ex 0x20048 PROCESSOR_REVISION 2502 +3728 AcroRd32Info.ex 0x20048 ProgramFiles C:\Program Files +3728 AcroRd32Info.ex 0x20048 SESSIONNAME Console +3728 AcroRd32Info.ex 0x20048 SystemDrive C: +3728 AcroRd32Info.ex 0x20048 SystemRoot C:\WINDOWS +3728 AcroRd32Info.ex 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3728 AcroRd32Info.ex 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3728 AcroRd32Info.ex 0x20048 USERDOMAIN SECURITY-91B8EC +3728 AcroRd32Info.ex 0x20048 USERNAME Administrator +3728 AcroRd32Info.ex 0x20048 USERPROFILE C:\Documents and Settings\Administrator +3728 AcroRd32Info.ex 0x20048 windir C:\WINDOWS +3968 rundll32.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +3968 rundll32.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +3968 rundll32.exe 0x20048 CLIENTNAME Console +3968 rundll32.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +3968 rundll32.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +3968 rundll32.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +3968 rundll32.exe 0x20048 FP_NO_HOST_CHECK NO +3968 rundll32.exe 0x20048 HOMEDRIVE C: +3968 rundll32.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +3968 rundll32.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +3968 rundll32.exe 0x20048 NUMBER_OF_PROCESSORS 1 +3968 rundll32.exe 0x20048 OS Windows_NT +3968 rundll32.exe 0x20048 Path C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins;C:\Program Files\Adobe\Reader 9.0\Reader\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +3968 rundll32.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +3968 rundll32.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +3968 rundll32.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +3968 rundll32.exe 0x20048 PROCESSOR_LEVEL 6 +3968 rundll32.exe 0x20048 
PROCESSOR_REVISION 2502 +3968 rundll32.exe 0x20048 ProgramFiles C:\Program Files +3968 rundll32.exe 0x20048 SESSIONNAME Console +3968 rundll32.exe 0x20048 SystemDrive C: +3968 rundll32.exe 0x20048 SystemRoot C:\WINDOWS +3968 rundll32.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3968 rundll32.exe 0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3968 rundll32.exe 0x20048 USERDOMAIN SECURITY-91B8EC +3968 rundll32.exe 0x20048 USERNAME Administrator +3968 rundll32.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator +3968 rundll32.exe 0x20048 windir C:\WINDOWS +3976 Netlogon.exe 0x20048 ALLUSERSPROFILE C:\Documents and Settings\All Users +3976 Netlogon.exe 0x20048 APPDATA C:\Documents and Settings\Administrator\Application Data +3976 Netlogon.exe 0x20048 CLIENTNAME Console +3976 Netlogon.exe 0x20048 CommonProgramFiles C:\Program Files\Common Files +3976 Netlogon.exe 0x20048 COMPUTERNAME SECURITY-91B8EC +3976 Netlogon.exe 0x20048 ComSpec C:\WINDOWS\system32\cmd.exe +3976 Netlogon.exe 0x20048 FP_NO_HOST_CHECK NO +3976 Netlogon.exe 0x20048 HOMEDRIVE C: +3976 Netlogon.exe 0x20048 HOMEPATH \Documents and Settings\Administrator +3976 Netlogon.exe 0x20048 LOGONSERVER \\SECURITY-91B8EC +3976 Netlogon.exe 0x20048 NUMBER_OF_PROCESSORS 1 +3976 Netlogon.exe 0x20048 OS Windows_NT +3976 Netlogon.exe 0x20048 Path C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem +3976 Netlogon.exe 0x20048 PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH +3976 Netlogon.exe 0x20048 PROCESSOR_ARCHITECTURE x86 +3976 Netlogon.exe 0x20048 PROCESSOR_IDENTIFIER x86 Family 6 Model 37 Stepping 2, GenuineIntel +3976 Netlogon.exe 0x20048 PROCESSOR_LEVEL 6 +3976 Netlogon.exe 0x20048 PROCESSOR_REVISION 2502 +3976 Netlogon.exe 0x20048 ProgramFiles C:\Program Files +3976 Netlogon.exe 0x20048 SESSIONNAME Console +3976 Netlogon.exe 0x20048 SystemDrive C: +3976 Netlogon.exe 0x20048 SystemRoot C:\WINDOWS +3976 Netlogon.exe 0x20048 TEMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp +3976 Netlogon.exe 
0x20048 TMP C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
+3976 Netlogon.exe 0x20048 USERDOMAIN SECURITY-91B8EC
+3976 Netlogon.exe 0x20048 USERNAME Administrator
+3976 Netlogon.exe 0x20048 USERPROFILE C:\Documents and Settings\Administrator
+3976 Netlogon.exe 0x20048 windir C:\WINDOWS
diff --git a/iehistory-image1.txt b/iehistory-image1.txt
new file mode 100644
index 0000000..62ec49f
--- /dev/null
+++ b/iehistory-image1.txt
@@ -0,0 +1,12 @@
+**************************************************
+Process: 1512 explorer.exe
+Cache type "DEST" at 0x15c445
+Last modified: 2011-11-30 12:12:28 UTC+0000
+Last accessed: 2011-11-30 11:12:30 UTC+0000
+URL: Administrator@file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/navy%20procurement.pdf
+**************************************************
+Process: 1512 explorer.exe
+Cache type "DEST" at 0x15c6ed
+Last modified: 2011-11-30 12:12:28 UTC+0000
+Last accessed: 2011-11-30 11:12:30 UTC+0000
+URL: Administrator@file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/navy%20procurement.pdf
diff --git a/imageinfo-image1.txt b/imageinfo-image1.txt
new file mode 100644
index 0000000..25d9ad7
--- /dev/null
+++ b/imageinfo-image1.txt
@@ -0,0 +1,12 @@
+ Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
+ AS Layer1 : IA32PagedMemoryPae (Kernel AS)
+ AS Layer2 : FileAddressSpace (/home/zenon/Nextcloud/uni/2021WS/df/assignment2/image1.vmem)
+ PAE type : PAE
+ DTB : 0x319000L
+ KDBG : 0x80545b60L
+ Number of Processors : 1
+ Image Type (Service Pack) : 3
+ KPCR for CPU 0 : 0xffdff000L
+ KUSER_SHARED_DATA : 0xffdf0000L
+ Image date and time : 2011-11-30 11:14:10 UTC+0000
+ Image local date and time : 2011-11-30 12:14:10 +0100
diff --git a/malfind-image1.txt b/malfind-image1.txt
new file mode 100644
index 0000000..c9acb5b
--- /dev/null
+++ b/malfind-image1.txt
@@ -0,0 +1,45 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
+
+3708 svchost.exe 0x400000 0x404fff VadS PAGE_EXECUTE_READWRITE 5 1 Disabled
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x400000: add byte ptr [eax], al
+0x400002: add byte ptr [eax], al
+0x400004: add byte ptr [eax], al
+0x400006: add byte ptr [eax], al
+0x400008: add byte ptr [eax], al
+0x40000a: add byte ptr [eax], al
+0x40000c: add byte ptr [eax], al
+0x40000e: add byte ptr [eax], al
+0x400010: add byte ptr [eax], al
+0x400012: add byte ptr [eax], al
+0x400014: add byte ptr [eax], al
+0x400016: add byte ptr [eax], al
+0x400018: add byte ptr [eax], al
+0x40001a: add byte ptr [eax], al
+0x40001c: add byte ptr [eax], al
+0x40001e: add byte ptr [eax], al
+0x400020: add byte ptr [eax], al
+0x400022: add byte ptr [eax], al
+0x400024: add byte ptr [eax], al
+0x400026: add byte ptr [eax], al
+0x400028: add byte ptr [eax], al
+0x40002a: add byte ptr [eax], al
+0x40002c: add byte ptr [eax], al
+0x40002e: add byte ptr [eax], al
+0x400030: add byte ptr [eax], al
+0x400032: add byte ptr [eax], al
+0x400034: add byte ptr [eax], al
+0x400036: add byte ptr [eax], al
+0x400038: add byte ptr [eax], al
+0x40003a: add byte ptr [eax], al
+0x40003c: add byte ptr [eax], al
+0x40003e: add byte ptr [eax], al
diff --git a/processes-image1.txt b/processes-image1.txt
new file mode 100644
index 0000000..b96f45a
--- /dev/null
+++ b/processes-image1.txt
@@ -0,0 +1,39 @@
+Volatility 3 Framework 1.0.1
+
+PID PPID ImageFileName Offset Threads Handles SessionId Wow64 CreateTime ExitTime File output
+
+3692 1512 AcroRd32.exe 0x1fc5958 4 161 0 False 2011-11-30 11:12:27.000000 N/A Disabled
+3728 860 AcroRd32Info.ex 0x1ffa918 7 149 0 False 2011-11-30 11:12:28.000000 N/A Disabled
+3560 1032 wuauclt.exe 0x201cb08 6 118 0 False 2011-11-30 11:11:55.000000 N/A Disabled
+992 860 wmiprvse.exe 0x2023878 5 189 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+252 676 vmtoolsd.exe 0x2027da0 6 222 0 False 2011-11-30 11:10:51.000000 N/A Disabled
+3976 1512 Netlogon.exe 0x2067308 1 14 0 False 2011-11-30 11:14:06.000000 N/A Disabled
+1028 1036 wuauclt.exe 0x2075be0 0 - 0 False 2011-11-30 11:05:21.000000 2011-11-30 11:10:23.000000 Disabled
+1804 1512 ctfmon.exe 0x207a2a0 1 99 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1796 1512 AdobeARM.exe 0x207d020 8 143 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1620 676 spoolsv.exe 0x20a1558 14 123 0 False 2011-11-30 11:10:42.000000 N/A Disabled
+1088 668 svchost.exe 0x20d3c50 7 0 0 False 2011-11-30 11:05:07.000000 N/A Disabled
+932 668 svchost.exe 0x2107160 10 - 0 False 2011-11-30 11:05:07.000000 N/A Disabled
+1080 676 svchost.exe 0x2296748 5 - 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+688 624 lsass.exe 0x22a3aa8 24 362 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+940 676 svchost.exe 0x2300b28 9 261 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+1124 676 svchost.exe 0x239d578 15 210 0 False 2011-11-30 11:10:41.000000 N/A Disabled
+1132 1032 wuauclt.exe 0x23a1650 8 177 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+512 676 VMUpgradeHelper 0x23a23c0 6 97 0 False 2011-11-30 11:10:54.000000 N/A Disabled
+3708 3632 svchost.exe 0x23d7da0 5 144 0 False 2011-11-30 11:12:28.000000 N/A Disabled
+1368 676 alg.exe 0x23e3260 7 104 0 False 2011-11-30 11:10:56.000000 N/A Disabled
+1988 1032 wscntfy.exe 0x23ea4c0 1 39 0 False 2011-11-30 11:10:56.000000 N/A Disabled
+416 1828 svchost.exe 0x23fb3d8 4 138 0 False 2011-11-30 11:10:53.000000 N/A Disabled
+1772 1512 VMwareUser.exe 0x2403da0 6 211 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+1512 1460 explorer.exe 0x240ac08 16 424 0 False 2011-11-30 11:10:42.000000 N/A Disabled
+1752 1512 VMwareTray.exe 0x24149f8 1 58 0 False 2011-11-30 11:10:43.000000 N/A Disabled
+552 4 smss.exe 0x24224c8 3 19 N/A False 2011-11-30 11:10:38.000000 N/A Disabled
+844 676 vmacthlp.exe 0x2425020 1 25 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+860 676 svchost.exe 0x2428020 19 204 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+624 552 winlogon.exe 0x24479c0 24 522 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+3968 3692 rundll32.exe 0x248c400 1 59 0 False 2011-11-30 11:14:06.000000 N/A Disabled
+3832 3692 dumprep.exe 0x248dd48 0 - 0 False 2011-11-30 11:12:31.000000 2011-11-30 11:12:31.000000 Disabled
+1032 676 svchost.exe 0x2493728 84 1552 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+676 624 services.exe 0x249db68 15 259 0 False 2011-11-30 11:10:40.000000 N/A Disabled
+600 552 csrss.exe 0x24aaae0 10 431 0 False 2011-11-30 11:10:39.000000 N/A Disabled
+4 0 System 0x25c8830 56 252 N/A False N/A N/A Disabled
diff --git a/report.tex b/report.tex
index 6167c7c..d208415 100644
--- a/report.tex
+++ b/report.tex
@@ -4,6 +4,22 @@
 \usepackage[english]{babel}
 \usepackage{microtype}
 \usepackage{hyperref}
+\usepackage{listings}
+\usepackage{graphicx}
+
+\lstdefinestyle{mystyle}{
+ basicstyle=\ttfamily\footnotesize,
+ breakatwhitespace=false,
+ breaklines=true,
+ captionpos=b,
+ keepspaces=true,
+ showspaces=false,
+ showstringspaces=false,
+ showtabs=false,
+ tabsize=2
+}
+
+\lstset{style=mystyle}
 \setlength{\parindent}{0pt}
@@ -16,11 +32,79 @@
 \section{Introduction}
+This report documents the findings and the analysis of those findings while
+performing extensive forensic analysis on a RAM dump. The RAM dump was obtained
+after a computer showed suspicious activity and was subsequently shut down. The
+dump is provided via a zip file which is extracted to be able to perform
+forensic analysis.
+
+A second RAM dump is analyzed to find information about a PC running in the
+server room which has no apparent owner or user. This dump is also provided as a
+zip file and is password protected with the password \texttt{infected}.
 \section{Findings}
+All information is obtained through the use of the open soure \texttt{Volatility
+3 Framework} at version \texttt{1.0.1} except for the screenshot for the first
+RAM dump, because this command requires the \texttt{Volatility Framework 2.6}.
+
+\subsection{Image 1}
+
+\subsubsection{Basic Information}
+
+This image is running Windows XP with the Service Pack 2. It was created on
+2011-11-30 12:14:10. The machine is running an Intel x86 processor and is named
+\texttt{SECURITY-91B8EC}. The user logged in at the time of the dump was the
+\texttt{Administrator} user. This information is provided by the volatility
+\texttt{windows.info.Info} and \texttt{windows.envars.Envars} commands.
+
+\subsubsection{Processes and Network Connections}
+
+The process list is obtained with the \texttt{pslist} command. It includes
+common Windows processes as well as \texttt{AcroRd32.exe} and
+\texttt{VMWareUser.exe}. There are also multiple \texttt{svchost.exe} processes
+running.
+
+\subsubsection{Other Information}
+
+Interesting information can also be found with the \texttt{iehistory},
+\texttt{screenshot} and \texttt{malfind} commands. \texttt{IEHistory} shows that
+the user \texttt{Administrator} accessed a file on the filesystem called
+\texttt{navy procurement.pdf}. Furthermore, the \texttt{screenshot} command
+attempts to reconstruct the user's view just before the dump was created. The
+image shows that the \texttt{navy procurement.pdf} file was opened in Adobe
+Acrobat Reader with a message saying that Windows has closed this program to
+protect the computer.
+
+\begin{center}
+ \begin{figure}
+ \includegraphics[width=1\textwidth]{./screenshot.png}
+ \caption{\texttt{navy procurement.pdf} open in Adobe Acrobat Reader}
+ \end{figure}
+\end{center}
+
+\subsection{Image 2}
 \section{Analysis}
+\subsection{Image 1}
+
+The information gathered with volatility strongly suggests that the computer had
+been infected with malware. The malware seems to have been installed after
+opening the \texttt{navy procurement.pdf} file and is also most likely running
+as an additional \texttt{svchost.exe} process. This process could be responsible
+for the connection made to the IP-address \texttt{99.1.23.71}. A WHOIS lookup
+provides the company who has the address: \texttt{SUN COUNTRY MEDICAL
+EQUIPMENT} based in Texas, US.
+
+\subsection{Image 2}
+
+\section{Appendix}
+
+\lstinputlisting[caption=Image1 Info]{imageinfo-image1.txt}
+\lstinputlisting[caption=Image1 Processes List]{processes-image1.txt}
+\lstinputlisting[caption=Image1 Connections]{connections-image1.txt}
+\lstinputlisting[caption=Image1 IEHistory]{iehistory-image1.txt}
+\lstinputlisting[caption=Image1 MalFind]{malfind-image1.txt}
 \end{document}
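Review bot: The Image 1 analysis attributes the connection to 99.1.23.71 to an unnamed "additional svchost.exe process" even though the appended listings identify it: connections-image1.txt ties 192.168.187.130:1037 -> 99.1.23.71:443 to PID 3708, malfind-image1.txt flags PID 3708 svchost.exe with a private PAGE_EXECUTE_READWRITE VadS region at 0x400000, and processes-image1.txt shows PID 3708 created at 11:12:28 (one second after AcroRd32.exe, PID 3692) with parent PID 3632, which does not appear in the process list. Naming these cross-references would turn the "most likely" into a supported finding, e.g. `The suspicious instance is \texttt{svchost.exe} PID 3708 (parent PID 3632, absent from the process list), which owns the connection to \texttt{99.1.23.71:443} and the private RWX region reported by \texttt{malfind}; the hexdump of that region is all zeros, so the disassembly itself is not evidence.` The process list also shows \texttt{Netlogon.exe} (PID 3976, parent explorer.exe) and \texttt{rundll32.exe} (PID 3968, parent AcroRd32.exe) both created at 11:14:06, and \texttt{dumprep.exe} (PID 3832) spawned by AcroRd32.exe at 11:12:31, plausibly the crash reporting behind the dialog in the screenshot, yet the Findings section mentions none of them. Separately, the Basic Information paragraph says Service Pack 2 while imageinfo-image1.txt reports `Image Type (Service Pack) : 3` (the profile was merely instantiated as WinXPSP2x86), and the quoted creation time 12:14:10 is the +0100 local value, so the UTC time 11:14:10 should be given alongside it because the process-list timestamps are UTC.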
diff --git a/screenshot.png b/screenshot.png new file mode 100644 index 0000000000000000000000000000000000000000..d440d111f77163f13722ea8174d058608f4f4bd7 GIT binary patch literal 8081 zcmeHMc~q0vwm*OZA{f0YqY|gewSuTYK!%{LXep>5${;d00BV>q1`-mWs9ZroOA7)* zdZEfpm?T0H2v9)EtdIZ!5$Yq4kN)%JB>BGcowLv0 z`}fHvCE? zjnLC$@L_%rJuDSB06^`NBk0w2^>@@3SS{DOSs$_2yG;*o8#^h40bn5JAx}8n?{=7H z_D6^ISx~&K2JQ|~n;i4*v*P$^&UvZ;1guuBU2{);wK&Qcq}`I$YLb!*;lUzrvdKg% zHo#M`5n4k?$25|DwX>s#(sr2L#c!9O&p->}CyCZ|<6KhzF3`@GDF9CBr0!aSimZdG z_u6aNMr`s=?2KGY7j^#4x}AC?5hv0f(BDL0w-^iImI z!gb7k*_&`ZLZ1#{5Dklwc!U#kUio=2`(+l0sgJw6dBXN!J-?nG9qW&UwaqIa5gaTvW0Cl21EF+SeaFS7=IH z;6{Lm=iTeSfn8u0u&zvJ(4XvIcGSllH!_+shil+wJfWx zbd#AzznmB~fCm!=3$o@K(Ssv4T&{4&x3>Y|woVTMcH0|3ybEz@G3v9C;aY5J`0SLg`>@KtNjZMS-Tp;n+KCt#$T4bP6zm4n1|b$N+Po_Ratp53?k6qFD%7l3 zCw>q5^Jy)MQzJ^i??2yVBf!$?aH@12=ur0)td&UDa}>fLH(z0}c@wJTYr^O+2415v z!Dm{Nq)`S$rUNF$I1^`yzZTcoLVPO|IFhwO%9coVS7PCuH8Ag+THm?jsQWipNUqI4 z8@qe&=GC)qqeV3YY2w%mQt4D3cJB7=vP$9s&h;7?@aAG^r74LhI}Fo7UfV6s-{aFU z=L{o7P_09(h!)`&!>!^*d99uH7DzT%l~;6R;An(?rt9^vdrL~wp0VT9jHx>7!pJ=n zWBj^J{zK_Cn-E6HA{{f9)zh3o$&$tDyT0MTsJ@Q#X7j9Jl^A1}iyP8ti@ua@ffLF- zWDdEMY@GSN9@2=?!qB2%(2pb?6>Xg_4v7$XRekd z-F%saBPNap#b!fEVEfQNqlEZ5j+=~0Hkv2eU#?N*@*BI4Du1q}t~s8H{kqHw&WtuOV)z6{v- z9YquUd^P+|FnVP-^7dCG{YP@o=(adgYO8lZ9_@M38eDZlR{=52Hxv$TW~S>B2d5mG z0|YFZRGLpDw2isi$u053v&KpsAo`;#hu50AjbJAnNhf{ZrWWwydPxju{A7)c3g z6y)u)7iQW1w#K$LU_DVoZAZD$cf5j07A6tT2+pb=if|khJ#Y<};Uiq&$41{;77~Un zThq%UNe1Ac4tRFy{8wgq^2|sdO7{le>FO?mRoITAGF;903GdF0lr@3iv+V#3RA{Q2 z=Xkw*yVO#?TkGD+$Srnkw$MWL9SQ7|n>(vx6RS zcw)VXvQtCKKURSY-B0ST98%a7zw$o{#{~lLX=T#VmU+tRz#v5-<|zqhIm6V@23`I} zn}59s6$d!_yjQY8MX$~f;pRSK3*>bzLbf{iAkM$-^YSNozCsgo%a6Nb)qz#RWs?Bj zT;OL;!ND%Gop-&gyTWS)8v7CD4%sV`^J*tlb-)0#h)dSv)iklPY5cRDcQ;LIMD)n^ zdd_(f5%@kI{pDh&5?BwJ8-4Ii!rv;N_3Z4PGi`s@&;pfib04`6Gha(B=^G!YSDcZ<;5G zIX)0L>FO{*VwZ&5It7)U70z<~_I4`X=@Gu(M-zGxIWIo{CfKr=QsR+Nm!VaNsZmZ) z#!dA<(qOf+6uRNZBCO0s*z+LUUK#k&at!q@&UcPx#*^fl&Tni-q6S{yuVsgj3 
zJGJ+-(oIr6OR}D5PC1IWyj2eJ$~9G=33KcQ+jK+gz8ltGEdC;LegrLzE|X4PI2*>q z?DLcAlEdj6-ti}n+14)$*2fr+Bf;S!vd>F`qj8eA>8ufDD<6##K2hdxJ9u^0h}osM z7RZb{S<2>L`e?h+b|S5Qs=d|V0@)ctl^+~Q^qG>j0#@Yvd~R1~IGn6ZkMlBDs>=ES z8&#o3XsZTU^4d7{6V7vKq`M}RYqAR> z&vR6seXAn=Y!n9O9c)~rq+hDnqY$h?;srz+?naFaC6n|HgXa#)F~MO3^a}dmiMk*< z2th(2`e0TQM5xXEF5Kc1o^vKseIrGi>zagEPdMdfO0|}TSo0`2vF`p*Y3($o_paU7 z^Dl0I7)O-wqto|-z>C7Ds3UKzSEa~c7{i(j%Qzdz`f#a~rOC)j%uV34{4(QgOdA_^sWj

a9PPrmEm~M*JKD=Z43E@#2(0URqi->ZhCwB={9+|ND-0lFM8M z-qW;s+M(?;PD^RiZtW9w`jJ1!5ces8dE%Lb#sw#qZtd~z zwF|7$^V8+b5eKFa*=ebbYNr{sN)^9=kaM&D{DYyk7sh8NBtq6j{K#U*d#RvoDxTbx z$YyoXXrlddnB>AVrR`_>4c_ulBD*Rz)oX149AIppN_&XKS7dQhL*45IJywPKH_Bf; zbAgje=CXP{U#$8N@Ro%QJ63B$Lmp-@sdcB&&|7&Qk6qjW?a^D<*zLlSF{6B1))NLU z7*#$f>?g@yq z>h~*09fb>(yiY-)G45(OpYCvhj)C&Q@22zpCba$|g~mU}0zRb%LD{E*7DQP?iKpe$ z(SsOopWlFW5eT>h_9=m37N5!iT~fSW5z=1;N_3o?;yOTu3>fUQVKbON&45JR-&Lsn zbJ*{9*Ps8|)?XI*%L4yj3oK4mWvBWcFM)ahKTQ3o9zyf#o`JAJyYgR%G5HD=ONHnZ zKz43K#E75)T?MK?{)B)6Ep4@QGOXqbiHU(tY&2}IpgEF_6CXnjL0^xee2?sL%AxDw zRqYk4I`Hrso83Ds6Z$EKI3?`NJ^W$IZ0>F^Z9q>x@N?#?3|%cNqT_+bM?ngrGjHzbyOySq&=|TF#yYzt zs5)Z|2uqIv=*B&|@p`-K{T#eDlZt0CPKrUJwc!h77;4mMYQvYD2P6c`y{j_!=5 zVOFp(>F0&xWMuXE$;8p>3ZrF=_i#LA0Do2y7(}>cNzt=8z7;WphjO)zd-B;;ksZ;f z*n|TEUMfpwJKugyURWe8S%=|nx&}Kr2a~VU)V)#wJ$+Tv>oIe=+mJC(sD+yo)DR?Z z!hWz}c_kvNovF<~284c9PQ8Kai#>ub;J*tAxJ$*@k?(qpuDN6hX1AY2?-fQKa~=;I z=ydIJu#DUK5No7B7u}W-;M-tJw)10kUjKA8-@e{~W->h*${?#|A8pffEr7eQ_1q_z zl$P+CC1q!lR0REI5*VDW002eIS+I$6m`(D?C2ryDCx;pP0~^ z6hE;*5}1kFAcAsDx9W{j^EXeg9jC7%(e16$&yzB)lsX%i=@=7ar{xgg8=k5S6+cme zTx#2_ZL@88Ile4oFfT~r=H2WhjB6MS%*2lGc@EnRbypAb-q*|r;-iljsj*)sdE?`9 zpk5k%X{R{qyOVn<@Xr>PBjyp4gcL}30U_}yUfgE#!SEJ1%q?ngIB#%qa!v$>gSJ@7 zobKJXuvb4fhJzS1_)x@b^|rW=4)1PD#p$Wcv8@?hW6IHcl_6UGn_Ii}Ta*Dki7jq& zEB+;4oc5D3f|J<)`0{_J8tu(1R@~K=6&nCJ(d!};az*2$*U)3Y&i34?(l30z`41mh By5;}? literal 0 HcmV?d00001