EEM Roadmap Sept 16 (3).pptx
This report is generated from a file or URL submitted to this webservice on November 14th 2016 20:11:17 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by
Falcon Sandbox v5.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
- Fingerprint
-
Reads the active computer name
Reads the cryptographic machine GUID - Evasive
- References security related windows services
- Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
- Contacts 1 domain and 1 host. View all details
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 3
-
General
-
GETs files from a webserver
- details
-
"GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com" - source
- Network Traffic
- relevance
- 10/10
-
GETs files from a webserver
-
System Security
-
References security related windows services
- details
- "bc28b5f076654a3b96073bbbebfeb8c9" (Indicator: "bfe")
- source
- File/Memory
- relevance
- 7/10
-
References security related windows services
-
Unusual Characteristics
-
Possible document exploit detected
- details
- Document is downloading files although no macro is present
- source
- Indicator Combinations
- relevance
- 10/10
-
Possible document exploit detected
-
Suspicious Indicators 12
-
Anti-Detection/Stealthyness
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "POWERPNT.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"O83wj*z^'y{*gk2}K?-&yuX 7F}-RXqEMuXgb{+%A@"<4UZ5#9N:?k?\Je>4Q+6U<yOOD5[cWl#>I-hBb$C |n1c\!wkx$T+VJn" (Indicator: "qemu"), "=HS:NB#Cm-IpFQ&R9qS_qemUf+Fy( n" (Indicator: "qemu")
"QEmU=cPpfLg}?]4fF4o#/.n2-"uBH" (Indicator: "qemu"), "\@oAlHy<E2$L[Fmc
0sCi<cyV:P] mMn<Z=@(6G6S'`fcse.23_'qEmU:Ph./VP%>mQobF(&?R^1sGESc`rUJ(:Wmt;yU&B" (Indicator: "qemu") - source
- File/Memory
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
- "POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Possibly tries to implement anti-virtualization techniques
-
Installation/Persistance
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "POWERPNT.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Opens the MountPointManager (often used to detect additional infection locations)
-
Remote Access Related
-
Contains a remote desktop related string
- details
-
"6>Edcr 8iR}bg_S"IqP)vnc?eAwUW$GUJHxmS.#&h#;hq" (Indicator for product: Generic VNC), "<!{>riw2E"vnc0uFk(OKQXhmiW'Hubs/QU{4Fe!v]3),TS?t?+xQ|$^uL@x" (Indicator for product: Generic VNC)
"vncby}x" (Indicator for product: Generic VNC) - source
- File/Memory
- relevance
- 10/10
-
Contains a remote desktop related string
-
System Security
-
Hooks API calls
- details
-
"OleLoadFromStream@OLE32.DLL" in "POWERPNT.EXE"
"VariantClear@OLEAUT32.DLL" in "POWERPNT.EXE"
"SysFreeString@OLEAUT32.DLL" in "POWERPNT.EXE"
"VariantChangeType@OLEAUT32.DLL" in "POWERPNT.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "POWERPNT.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "POWERPNT.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Hooks API calls
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"POWERPNT.EXE" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
"POWERPNT.EXE" wrote bytes "9cd49e24" to virtual address "0x69CACA70" (part of module "GFX.DLL")
"POWERPNT.EXE" wrote bytes "92e6c27779a8c777be72c777d62dc7771de2c27705a2c777bee3c277616fc7776841c5770050c57700000000ad375e778b2d5e77b6415e7700000000" to virtual address "0x75281000" (part of module "WSHTCPIP.DLL")
"POWERPNT.EXE" wrote bytes "e9c53291f1" to virtual address "0x77786143" ("OleLoadFromStream@OLE32.DLL")
"POWERPNT.EXE" wrote bytes "e936552af2" to virtual address "0x76853EAE" ("VariantClear@OLEAUT32.DLL")
"POWERPNT.EXE" wrote bytes "04f19e24" to virtual address "0x6B2521E8" (part of module "PPCORE.DLL")
"POWERPNT.EXE" wrote bytes "55a56824" to virtual address "0x2D1C15E4" (part of module "POWERPNT.EXE")
"POWERPNT.EXE" wrote bytes "09403301" to virtual address "0x68D10BA8" (part of module "MSO.DLL")
"POWERPNT.EXE" wrote bytes "e99e4878f2" to virtual address "0x76333D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"POWERPNT.EXE" wrote bytes "e99a5429f2" to virtual address "0x76853E59" ("SysFreeString@OLEAUT32.DLL")
"POWERPNT.EXE" wrote bytes "bbc49e24" to virtual address "0x69EC78E4" (part of module "OART.DLL")
"POWERPNT.EXE" wrote bytes "7739c37779a8c777be72c777d62dc7771de2c27705a2c777c868c67757d1cd77bee3c277616fc7776841c5770050c57700000000ad375e778b2d5e77b6415e7700000000" to virtual address "0x757A1000" (part of module "WSHIP6.DLL")
"POWERPNT.EXE" wrote bytes "c4ca327680bb327652ba32769fbb327608bb327646ce327661383376de2f3376d0d932760000000017798e764f918e767f6f8e76f4f78e7611f78e76f2838e76857e8e7600000000" to virtual address "0x6ECE1000" (part of module "MSIMG32.DLL")
"POWERPNT.EXE" wrote bytes "e923992cf2" to virtual address "0x76855DEE" ("VariantChangeType@OLEAUT32.DLL")
"POWERPNT.EXE" wrote bytes "e960332af2" to virtual address "0x76854731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"POWERPNT.EXE" wrote bytes "4d8eec00" to virtual address "0x63CB9904" (part of module "RICHED20.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
- "POWERPNT.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Contains embedded string with suspicious keywords
-
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 11
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/54 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
General
-
Contacts domains
- details
- "ocsp.omniroot.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "72.21.91.8:80"
- source
- Network Traffic
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"POWERPNT.EXE" created file "%TEMP%\Cab3483.tmp"
"POWERPNT.EXE" created file "%TEMP%\Tar3484.tmp"
"POWERPNT.EXE" created file "%TEMP%\CabCED6.tmp"
"POWERPNT.EXE" created file "%TEMP%\TarCED7.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
"\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61249"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61249"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\S-1-5-21-4162757579-3804539371-4239455898-1000C:/Users/ilL3ED2/AppData/Local/Microsoft/DRM/GIC-*"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\Local\c:!users!ill3ed2!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!ill3ed2!appdata!roaming!microsoft!windows!cookies!"
"\Sessions\1\BaseNamedObjects\Local\c:!users!ill3ed2!appdata!local!microsoft!windows!history!history.ie5!"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
"\Sessions\1\BaseNamedObjects\S-1-5-21-4162757579-3804539371-4239455898-1000C:/Users/ilL3ED2/AppData/Local/Microsoft/DRM/CERT-Machine"
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "POWERPNT.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 63C70000
- source
- Loaded Module
-
Reads System Certificates Settings
- details
-
"POWERPNT.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\7D7F4414CCEF168ADF6BF40753B5BECD78375931"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CDD4EEAE6000AC7F40C3802C171E30148030C072"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\02FAF3E291435468607857694DF5E45B68851868"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\2796BAE63F1801E277261BA0D77770028F20EEE4"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"; Key: "BLOB")
"POWERPNT.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"; Key: "BLOB") - source
- Registry Access
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "POWERPNT.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"Cab3483.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"~$EEM_Roadmap_Sept_16_3_.pptx" has type "data"
"40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" has type "data"
"CabCED6.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"Tar3484.tmp" has type "data"
"TarCED7.tmp" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"POWERPNT.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"POWERPNT.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"POWERPNT.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"POWERPNT.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"POWERPNT.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"POWERPNT.EXE" touched file "%WINDIR%\system32\spool\DRIVERS\W32X86\3\sendtoonenote.BUD"
"POWERPNT.EXE" touched file "%WINDIR%\system32\spool\DRIVERS\W32X86\3\sendtoonenote.gpd"
"POWERPNT.EXE" touched file "%WINDIR%\system32\spool\DRIVERS\W32X86\3\StdNames.gpd"
"POWERPNT.EXE" touched file "%WINDIR%\system32\spool\DRIVERS\W32X86\3\SendToOneNoteNames.gpd"
"POWERPNT.EXE" touched file "%WINDIR%\system32\spool\DRIVERS\W32X86\3\SendToOneNote.ini" - source
- API Call
- relevance
- 7/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "D xX<*`.BZ"
Pattern match: "z.QKXM/dK"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/customXml/"
Pattern match: "http://schemas.openxmlformats.org/officeDocument/2006/cus"
Pattern match: "Nz.vXH/Q+ju$WLdL"
Pattern match: "mz.KGCA/8\%A]/dLI@"
Heuristic match: "}e^?fbRvy~:87s':pq/=-1{sN&3G3)Xn)1Nq.#lh&kHo~:n 0qTXp-][Cfy$S*>dV3yncu.Ma"
Heuristic match: "lTc\~Pf))P`CF8Ef0l{jMszlVaIY4|'YlyVg?P5I%u2^8xE-h~[7sDCk(^tUY.UY"
Pattern match: "https://licensing.drm.microsoft.com/licensing"
Heuristic match: "0I8D_}&oNpx.2R[.Y4[H+s~Z{0Yaj)0KDs`T{Z27V]^|+\'F*}a8?joQ{>MmgLZdn/m<,ju~b?pgrG4u4E~I.IE"
Heuristic match: "jX.io"
Pattern match: "U.Oz/Qq:mAp!U}.7"
Heuristic match: "ocsp.omniroot.com"
Heuristic match: "RKm:{:l<4dzPYI&LEsYOo_Falgl;/_=|UD.RO"
Pattern match: "S.BU/B}0$5rb"
Heuristic match: "[c2.MR"
Pattern match: "kCT0bb.qeO/{$X=K"
Pattern match: "F.TN/S&MY"
Heuristic match: "a|>-QaQR!57Z#`(}g.ca"
Heuristic match: "Y?&.dM"
Heuristic match: "]T_$'O>UfJpXM0I>r~U?w,7n0z'.,!9e^^i3UeKU>PH&fJ,.kR"
Pattern match: "K.XW/O/QVIYEklb?&,N32,ZT5o+u]xxdgF/&FE}n[uI/"
Heuristic match: "pscxU;DYq%.ukaS>(g_>.sb"
Pattern match: "wHj.NF/$7rF[1t7aL[:q;X/="
Pattern match: "AGdvC.yc/m$"
Pattern match: "f.rm/RjCoE4Yb"
Heuristic match: "Wp1S=4w./Z`vt2X36N:Bud0<YiMAS]LYmhPK .aT"
Pattern match: "69.lb/LzegVU]="
Heuristic match: "!]ua\7UcrS\faArYKus&jIh[>GQiuZu4Af.Fm"
Pattern match: "E.pI/qDo#86%mEktZ:~c0+^"
Heuristic match: "`zQ*dH&0SiMtxgQ*VTcCM5<L/+|)3qg{|3HfPfEFqY81!]I>;*5o8*3e[=t.br"
Heuristic match: ">;yHrh/uNm;4U^VE+,zk8A`O0%Bg/E%vd-`DPZ3Rtz+X,0Nz3Msxg_FzC`0{T'|oS(SB.BD"
Pattern match: "s5-7.M8n.Uw/b19\(-3b75HCx)"
Heuristic match: "b\aux1lq&SVx%ayp*D 9hIHoh+!DYBQ[0h)zYL'LE=+~)PF%B(Asw{deJ0`EG'zU9LEiin^~H25LJT>.ekG#)@/?8N?rllG:mp61S/Yed'!In7X`u}Gl;W`;:>MD}k.nz"
Pattern match: "20.Pd/DZw"
Heuristic match: "R'6E/18NI5kUj56u|Sr4ZX.UG"
Pattern match: "9X.MRa/MYl.HR89!3C!PQ5*AYT"
Pattern match: "XbpBm.hP/b7-0P%76/S"
Heuristic match: "vD6Yvt2[N4'3~otAN-LlO3D$cBz 73.ye"
Heuristic match: "nw(FAnqV&%trFb*:Wlr{~X6TTPWB#0e]_U@}q|%=R~,&9:IV.Cr"
Pattern match: "w87.gdye/Cuz!{chpw-?wkw1cy5BT%mlj}5R+x7"
Pattern match: "7F.Gd/sg[\P"
Pattern match: "7mb6.MmF/|zA~FO;N"
Pattern match: "C0tE.aOz/LW:MbEwx0'NTrJ5o-'%`%k\nB\?+^aUo(A|ct)/PG[9!Qq"
Heuristic match: "0=>p#>e?nbvMQ!O1PdUqb-ZT^2GsvoMOx_HsG?Z/K:2@$bf5J^<?aHY4~3Aqjn8`-Ho!Y\$I!e_{oYT\aptUO\ AR,cwmufUY}T^m.)N}<p>F:D-'d:VNPPk2qNP{^.Jo"
Pattern match: "MvzK2.jWj/sc770Ce"
Pattern match: "OPV.XV/=tQpxYLTy9N!&g,b5p4sPU"
Pattern match: "lyCgo.EPy/q]=?_q|4M=*i0"
Heuristic match: "lZ)ZR {IS|#}7St.4ffZQMfe*n/]83AKz1e:flyP]p0+?onGJi%a:7RoQ9}~G`Sk`Ws!KBMlUp2.'J161/oPaG2/BJG~@>aY00X 9)3xXvPX)P-ha=$HhBjA2UhqDDtQUr.Fj"
Heuristic match: "F`,*.Ng"
Pattern match: "9Md.ADf/jcpeP\okNy~c-%:QSU1fl?EL`6"
Heuristic match: "jiUc!Vv/[}\uJ#L`5D) 0YWQUc,k('16yV<cpPOC6S}BQ0{~(d7=+P?_RHhy\<'-nNJ,sahIt6MJNJ+DUz7p(.Gm"
Pattern match: "t.qiz/Oh^"
Pattern match: "B.Sa/.+:p\VlOgoeEY,/f^g6LgRt8G3Un*=E}1_:z=T"
Heuristic match: "kva43VR[@KVKSw].Bt"
Pattern match: "D.qE/z3+Bu"
Pattern match: "jG5zIi.Gm/7u%]}He{.v"
Pattern match: "XXSb.Cg/*-GXx{&X&!JQ;TUmA\"
Heuristic match: "1!zjw@*1RCaI#3mX<*Ux#|-m.SV"
Pattern match: "xuw.xm/y^zhdz8~p[x"
Pattern match: "RnY.sKH/vG*e^~T"
Heuristic match: "K5,V.pR"
Heuristic match: "CGtklG9H;J0S&`B~O.cS_u=dr1g*/*8%r-aeRfkVqfR7CHLo-SZ,gY_FJH6.AM"
Heuristic match: "Yfd6xC#kRVm(Y+yr|v~)!xQkni/(Jvm`2axDG?@5'(UD%?Q)lslOApT<[`B4{&+PXU1a6J{behr^8Q#{WaWDnB919=3n/1hQac3*\nn\iuf/cTog@.eg"
Pattern match: "1.EPXb/LZ;7xqiOO@"
Heuristic match: "t+t=?#kguN@cP=.9X.Eu"
Heuristic match: "=7_Bo6_MX:tn=lp/D:'u&?\A~3@S4+]ARNAPAz`o1.cd"
Heuristic match: "3-m'7Lc<xd'3vKVgs+M0V/he}P$_<Y6+g9R+!a~Ri2~#>8K6=cp;\L}3q.Gw"
Heuristic match: "6/YhGRP/9qR8=t?HsDU:^V}N Lcf@\>d-~i88j(hBsJbHp!^W>pJRSkdrP[N)6i1\cCyQsD Ks38##XVzwCt5U'M#$Ba&dIbek{>dBfWI@@6S!sp>ob?'<u{Pp0qU*,I\xf#{k`kk?_k\mzU}6@E( }Kn<J3kT;321f9@g/G.Tj;].tv"
Heuristic match: "rmoo8:IR?)Um.sv"
Heuristic match: "m0s#TQzZ>T{.g!6eQ.>UlPoa t^C1&}|?dY_9AZ,WP|&OUCVF4uP' >;Fcw09%7#.~-uh*I=.Lu"
Pattern match: "I.ZV/krp!X.HwOAUb_m;b]{v3o^0i7knHzO*B9s`b"
Heuristic match: "Fg4X1SZ&g2{U:!irftp~&y})Pg4+43X$b=g1QRa|M-Y:b>EGU:7.aZ"
Pattern match: "XP.Bes/EyDn]tS!Oz-o8R2k-[9l:;8"
Heuristic match: "j.0.rs"
Heuristic match: ",s1<I\7T.Gl"
Pattern match: "qT.kQi/:DeB/l7-R}n"
Heuristic match: "/q`?.nG"
Heuristic match: ".q<,*1_(w4:]},_W79eeS~6+0]g>x:3Jhshy\m}*M@t*63&Zg7G9r~_PZzeIU6OmclU,h`SCY(>EH>@.ax"
Pattern match: "00dA.kcG/BwwK@:G8#v|!HQx"
Pattern match: "nadlxI.LmB/NMiW="
Pattern match: "bI.eT/3]3[c@GNPx2wC@@|0%kTlpp7"
Heuristic match: "Fi':BFxV=AQa.CO"
Heuristic match: "T4$A*x\~tlF1P#$.PG"
Heuristic match: "HnE_9HE}`Y1L[@-{,b~<19,5=1ErH1mUoFW7&('b0vp#YOjX2[bfV{]L[Q\6B.jfI<^>\UJGo^m+~X![7h<Bm:T9W?4V/.tk"
Pattern match: "kHj.lp/se:\RJ#3uvbNNv$ZOfmE"
Heuristic match: "3Vl<C,1F.SC"
Heuristic match: "jB>$Eni:{!{9F]Licy$>}Ua@wGqU<3oMx>@SNj0DTWj\>{ZqL[NwKbzDpQ;,vGf:+/8.AD"
Heuristic match: "?^m$fWF?te_$]aBa,7a*(<R23y{rxWN/JN%$K=Gi$Sx[iwU(bEZ(IU6Ynq|UWt)CEwp.tn"
Pattern match: "i.sX/nSr/$SjN,YC|ZDq&"
Heuristic match: "g;Ef-U}81[;oWX!7>wdXsXScs`RODmTQfsWGO$YS`:{q^d-UX|_/Wp'V4]6u]aWh3]JdB,]YK;6vv.pw"
Heuristic match: "C V6(1vR`''{`%.it"
Heuristic match: "b'kSLzw>b^xdgO5.hM"
Pattern match: "C7aR.wR/SC\"
Heuristic match: "sf1E-N-jw_\0?5WjMX`g%[Rj\(Ni4Tw2tdwT\hmq? R.FM"
Pattern match: "4J.rI/$a0#3acw7^s"
Heuristic match: "O5$aA^qVpims`pt_x$.kE"
Heuristic match: ",rBM0<a^Xw.SGoZG*[|S.gT"
Pattern match: "I8B.notu/E9dN:wZoK'7lM?3"
Pattern match: "Lby.uD/mX*6PF_#"
Heuristic match: "\IlV3Fojo7V; ue +t-!f!.iR"
Heuristic match: "hCbTK3\+T#\#`!v+D70/y,/ow9.Ga"
Pattern match: "q.yQ/4oqmUm/1VEL"
Pattern match: "l.bV/22_57E"
Heuristic match: "G{AD6P+.)=K((&^v2Vw$Rhq=E#UB(y2(n6p|w=KK%.mR"
Pattern match: "7YY.iz/Y~%R]xHsO"
Pattern match: "B.YVcT/0{zO?;&JpP[=R"
Pattern match: "R.wX/']PyOps"
Pattern match: "T.pJB/&w;w=dh0v&l_ZDZcj.\paD|PR{q2e8`&v~*Y=.44LQLW"
Heuristic match: "fwHvEbD_gs1_sFwpE0+r=,aSU7V 9#2>\P{%DfY7CAP3%/2!vmMXSAe6|I{-/F}U+hY))&aBPrYsYN(=.kh"
Pattern match: "z.QKXM/dKLi%%r"
Pattern match: "WR.Ji/k`kF6"
Heuristic match: "?Ymb07'fE99q}s$=[Ru:n$[^/3A%a.R5A.MW"
Pattern match: "z.yCuj/S3p+o"
Pattern match: "krmYtYH.Vb/qzzg7:\vqeIMXP@R+u9Tjz"
Pattern match: "qE1.zkiM/;Dt1"
Pattern match: "QbFS.Fj/Uinr%+iCU*T#k%$K.IiwD"
Heuristic match: "jMYjNQ20H4nfnW?-<&X!RhPGPW9z:s@t)V:e5;J5<HqS18ol4UmhXKC,IqhrTgO#W.sa"
Heuristic match: "wvf3!'x)~yFDmvi(x+(qA'x38*UIN2OD..sz"
Pattern match: "XBsegSR8r.Aq/nZ"
Heuristic match: "j^-s9j:i1>9j:i1>9j:i1>?_KIqF%H/` <=r4db>8j](HbM;}pz}/|/|/|e~x/:C?5uOH,g++!BWGb!sE]ngfS0;nDfS0;nDfS0;nD?Q1N'g.vu"
Pattern match: "a.Nt/Usd2"
Heuristic match: "quT^>(lCU0_CLvChyn<?k6{[-4(F b3'6'wJ6^KLaD!*~KT8;'05Xd)xM1a;SXn?.Qa"
Pattern match: "UR.wAx/I9hw"
Heuristic match: "/+F QM''^2ZL2exXhq#P6h179O.BJ"
Pattern match: "N2.zAB/f9Q8;0wXi,h"
Heuristic match: "$%LjrR-,PI>&6Qc9|[Q@ W:H!>pd9+GK!SZ$o 7YZ=kidK~1L$4cVuee8*p%@Lm+:<{.J+v-<@lQ+{ O4>%Xo3xVn+uhwOr0=cCFHk+`RD:$'1;#Bgw\o0JRd56Lq&6A_QJSyO~dbOB|xB$gzwFVCx3{x@PrrN.K0/F16j.eS"
Pattern match: "IIV.ORM/*x7"
Heuristic match: "VV>Kw7EKM7\54[>4)Jd)GUMDM'O6l8HHriQg=7Zb6f*hI<|L3.8jS/{&'wwaF+T]]<y/Xs%2h=?FaG#oNB8iRG0Skd\sgGu:D1p$cGZX8gIs1qQ|yHZ/@^b1ft0st(yAl`:pUpP[bvMix)}9RS\m8mKxDZ3$e?UZ</Qz}3#f?13CBr+-Q4 cnZjt?Mgd[)Jc%NouHIm3I%dF]i(G+dHU=u:&v!IxI}Y2MOL:kr%g[SA/X.By"
Pattern match: "9u6.aU/-+jH*y't8/\-!R2.+#{+i?7.%oz=lU"
Pattern match: "u.uI/dQwcI'`S~yTBg"
Heuristic match: "X4Ku@PbJ)pDOQ%!XlX!'41x]Z-q=%E=jB+9_dj48q!I2.hT"
Pattern match: "9.KX/W*HGoUm"
Pattern match: "0DW7.pz/{dOG,%.F+c@P.'KqI&R4tK/&2t"
Heuristic match: "[/kw%rc{J&NiLTC6]9dYh<.pF"
Pattern match: "ey.eOWX/uqSE[B5Dd+8{+!`:^"
Heuristic match: "Q}pu3^vUI3)g%F\N +u+?/#K\cqEBh;-?8Lw4f&RgnTfx1bavek.HT"
Pattern match: "oYf.TSVj/GTJ\Gdj;P{-Y@QQ?oj;bf7,YLKf?$_nk"
Heuristic match: "@z;PT1{>sc\w>r|4{?jfKo]Q13=X#/7{=@iiby.K1tmC+;VL w0brj'Z2kkJppXmxNBBSF?@l@bF.dk"
Pattern match: "R.Sk//yx"
Pattern match: "T4.cIr/v2L_.{-]?]!fUKzbxn1!q!i.5+&"
Pattern match: "3.NxB/f&z&!~V6*"
Heuristic match: "|@*/]r&s:IpY%N*[%6,4^\3pM|7dB4m$X_%]7`m16ceW,f`@]0Di6c(F8G%zB7A!?$aN{'>2avBh9*u}S3IKl@%g%(ZF3*R{inlz0NK5wq=&_qGhwE%DoDg*/T3@4]b@/o/|g@c^H=\-kWw5SISNi.-+-:=)6lxn?n&h1~eloBy,=.gp"
Pattern match: "7KqR0o.avK/{n=Cbf*x"
Pattern match: "XY1.hgQ/?6.!a*LrH1Pmx"
Heuristic match: "t?YEw@[~W.|PELW_[:Hs>GY9fsBU'WZz=K>q~yDI*FlxbCCu~ S<Bh<~tPoX{hN%{hnf4X.75uBKBZ4L?j8;8u4,1'7/Ma/2<s|O~Ma+gX=9w$m7lBjJ(_7{\WZ<5[/z#@(}QWNpzvZW.z.Cd"
Heuristic match: "'rzF>4D+~z9Q^6hGMR(ntOk.S/}.wf"
Heuristic match: "g.)_k-Yy82B2|D Y|8.Pt"
Pattern match: "hrO.tj/l%USIfthU9+Qin-\d{#z*nv#{Sb"
Heuristic match: "er?I4ellw/FT%.Gq"
Pattern match: "lxf.VX/xp5q0y:d"
Pattern match: "9Q.FBj/F?eHA|;+0a"
Heuristic match: "r33g4%7rf;0w_V7NiI>:`o fMP#h^^\`oqH{nJZholl'Qe32wg5IeT-&4_ hrCyy{v(J$f@%krsQ*!w 'X$(Pj4PrZt)b)k0x$VUX+CB$j?=nf1RnMI1)eEa2K}?e+m{\2<_YK}&m:|X)OO7whLLSq.BA"
Pattern match: "8.Hn/Hk?n*,xl}@jc!$zBvEo\"
Heuristic match: "ctK?aZZ1QdcyNI.SO<;pB60nFetY+?N(SWKL4}gc\V}C425S2mf2bA-43n!amQ*TNW}rbCI@8N|.Tt"
Pattern match: "w.oYns/ED/o"
Pattern match: "X6S9CgajtH.EEOC/,_V&gkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJssn{Nxy*m5$1K"
Heuristic match: "\4 8,m cC@@e~Pp7tkqF.r~GSn)C]vmm?P5m KXRvV7&zX-{;M7XBSV~ppTCZM:.SD"
Heuristic match: "!bXPf-E:gK9l*?+6-zoSj]:p.tg"
Pattern match: "t.ID/[7iFE?pVK1Q!zp+P-02f*"
Pattern match: "-WWwHR.BLcw/JA_l0D{Al|o"
Pattern match: "tRYs43.QMD/6H8"
Heuristic match: "=?}wa:d/(gyCV%jUsQ-b9gEhqP9F\H6TH`LjR1.R^<VR-===Au#9:=~_ns-.>nyB?.qa"
Pattern match: "l.uZ/Ji0AH"
Heuristic match: "#f0;!>$`2%mgl-RnA/Y3Wpu beX:ky9schS[SX#|z}?BGfR6s5R~>O kPI2G.uz"
Pattern match: "-.PP/CsS{x3IznoJ/arI_hfm"
Heuristic match: "K 4~r^;%!(,.`OFwL#BtcJ{!NU#gkxPKjJgkxPKjJgkxPKjJgkxPKjJgkxPKjJJpJH/f^rpY>pjf>T9E6LRV.sg"
Heuristic match: "L#E.mZ"
Heuristic match: "3tLu[suM]?'GM*fde.@'sI,nWt.Ky"
Heuristic match: "A3ajY)KIOv(iPGCx:&p***+$wFP'f]h]lJ!L\aqm@?v|_#HNFHOnoXZn#b z^6y`F-FO0%<D_T#R!v8p(\>z6[3aDB>3HY:k-2~<bq)8FwZ<l8qcK~~OW3nf+)CRO]iizY.sv"
Heuristic match: "_id_S5.Fy'eu%lCp`QE$n,_G9ml|\9pNwi?\Pg'jt4+h#iUxB[DtH.d, &;om\-/*3A/gXJHBsQw?**I~+.MT"
Heuristic match: "')P][5}dZ'~z=[s,6;?J]Pi|mC$VJSZHQ)p,i'H9'^J3&rOIRPd9c^lDTPgi18#j yP@202eF%9:s)CMboujKE@{&y~g=G/8@ZsNBt)95y%l2paZf-`c6\Yf@1n81;{OOpI=NqC:5+BZD0Z3s\92fT~|?pb~ynt3l|k=4B!^5@@o'NCNuy,E@DG@bFOzT1<f}UI ,r01h$E5,ez@E4 v2g6_\DV\LbL>(Rr.HM"
Heuristic match: "okYyx2[nI&!wpa[37j<]:IiFKS$.#K69x-Z*PN4pKNi-p/e+5vz';=eBB/V3 #]zN4:9OcU0&D@[^^J:]b&0s{1Ijq(F.PT(tr(\K!2WX}{&>bT.YE"
Heuristic match: "j((LU=4y,pzO$vJ?.DZ"
Pattern match: "VK.CQ/ugrR?*7c"
Pattern match: "sx.GJdB/!(Yr0dKy:+)mAY~o{vE"
Pattern match: "stl9.XsX/%&,yT/wD'=B;h%K}C#&Vf}0"
Heuristic match: "J/.mu"
Pattern match: "wpl0AF8gLsDsrjS.Ha/0Ozzp]X4R/UzG.BSo&ay;3`gN'CU^"
Pattern match: "B.LE/f/Y$*^"
Heuristic match: ";00dTl.aO"
Pattern match: "tw.qV/.o'_4@kTv%.@8KA--i~*mU8Qy?bs!Rw[JMtg[i^4-4\^e*:NlQM=L?L^[M}74ouB2cb@?wKoSVK%8z;GB$%8,SL"
Heuristic match: "d\F)K93hza\J{w.XN"
Heuristic match: "h,R10S+cqK;W0G!?K1n XBX#@57^`fG/,M8.FI"
Heuristic match: "OE`JGz/#(u+7XLD;U=spXs%GbY{9Z\n|<c\jbQaA)/W:6=@9*Zy`rX1rR./lXN~# ndSh(Q#&Q;ZG^@[l192h/=z&?(nqev`zu*p6&BA{Z$9RUUpD]@).\TDsV2p~,qzg#[X/?Shp[QeJow+GOlTaKK(.cV"
Pattern match: "B.bs/f445p3;HyGI\RTpn"
Heuristic match: "q!:b6yI_Lu<]?@A<.vN"
Heuristic match: "k Vaz]Jt?f6%u.sj"
Pattern match: "3xNz7oT.GT/J$L\{sZ}B;M~@j/B!oy|03ZC@`?~$U3`UNG9t,[.Wvau|xX\j_mQqh%~-g=E!u&*vIUI^XzbR0Pq0NsIvay`N8nbkAY}Z\j-Pj=Fs$w+K"
Pattern match: "G.tMip/y7D1Zx.k:rs,6L!tJq~%v,k.qo5-W6uIM77F+"
Pattern match: "l9ln.rOm/c3!wjE4gFc.[v4"
Pattern match: "OIew.Hj/o.#V6"
Pattern match: "CJdcb.Xc/|%B&E,LD"
Heuristic match: "j/}r[Y<E;Fb*$.{:gWciek%V|m/V6rLX ~4U1V.rs"
Pattern match: "0.CGh/HK2"
Pattern match: "VDO.WlJM/CNWIRiP"
Pattern match: "utp.isV/`&%N$|`%61YAn"
Pattern match: "lD.WXn/Abe&|2ojxjpO2~.h"
Heuristic match: "!3;g9fpS4`F7lN8m4@;axOPE[`quEZv(6AV!GL`}MEK}}NFOUZ?;7PO+k_=bWyXf+K{#_EB-J=;}Dj2#2F&G*rc)Hs'q{5)j*WgOV:`=pLp>P,nd%WsE)g=lS\UHqp|[z1)A{C^}f4.nd>{js2{BDt)Vh|m[.AR"
Heuristic match: "m2i$k(CK;QSc.DM"
Heuristic match: "!uI5Qqn5AZnaziHVWPMc8k2KW p>DTGv:u9RyL,kK%eu^w44RMdltgK1$n_&Z_bb7<[GM#f f@2d*6L?wT=t;doqw9[k8f;mZ+I~p/$cb+|p2hsG-1wlo-j:a}|h=KWC|ADxu^l|`h@>ew+Tgt5Y-k(u$'Wldm$[S0yXAbRzN6k{Jm>cB1whUY:+;Y7t\0.Tr"
Pattern match: "h.NX/;Rfg8&AeeJQUMx"
Heuristic match: "T[m< wj[a/p'g#b-+Ipn#(_LQ .UNWnFC:9<$o[s|i9<owBkqpoh[!m(YK3/m=(+uty<>yhEL?kA=h0b?X,)JR5o4_td69d+z?PF:gt[AjW19Rri_`Rg>zGMKNxb]cKgs9x5(r?CS}X[3V4]J-C.Tz"
Heuristic match: "w-xA-t~i2k:T}k!`[ZptD(P8r-}8^k;XIhJXL&+1/[<c49^\zc)gH@Efl~{E\a8X'z!7]H\G*ZHXnpg+}ui@tiyJ%Vg$[Yx>i'<Z.+O]HS*b>R\Px0j=[i\4!cEp]PiW$5s&S+4~b?,iIz5Xv+k19R!rYb6<t:eClt3:ckv~L!6%-'@8;KP/.Z2$WhDN!9z7&d-OhV26x@5,B1+>rNV_P4V'r.hN"
Pattern match: "u4.cFW/4H?aCjRUwX2l#uS~7Bl4Pfexf8*`&cSf,y"
Pattern match: "6YU.jn/d!{D*qZ,-bV2=5LskuPom32$3zI6Y"
Pattern match: "R.kv/O/cBI"
Pattern match: "ZxP.PV/{`I"
Heuristic match: "`drd#?@cNsjWC|peJ2?6$^YG%}3z5(zeH/2o@[jE`s9nCw@\(^wu)xQT\kSu/rG8G3;Q4!&EMugU.de"
Heuristic match: "bO:.Us"
Heuristic match: "HP^P;%+(:c!3Z4,l0WpE=FIxsAYZP/#{e,B}>V1C%{0vI5NM{lQ t]0=LW'Qki6`7O[<.fk"
Pattern match: "8D.TCWy/9,JiW2vU]nW#ar5r4x?loY-Hs"
Pattern match: "yq.ZZaz/liY"
Heuristic match: "t~o=B6CLzPGC%Zx-},+0/(Ry!s.Al"
Heuristic match: "dqHm& --)}vFm|CCACdnTr}agG1T>rY lbsV$vu'.%III(G&r\!NH.ME"
Pattern match: "Xe6.He/j@;iGw{c]${=bI_&hNaIQnBHrqO,%YpXVO`=p4wiO"
Heuristic match: "^G}LR8l.vAS >wM!fH0B7O1~ P7v$XUIFc$&@=wv8&CW5mF9ups!`rVFZBU6voH50ZovWJy+,qR=bmQf.PW"
Heuristic match: "{#hE%XWq|fv\fCm=`p)>-/5*[9pbZ<'+h<[2[r7W.cO"
Pattern match: "gwu.qgZG/b=_TcUOH"
Heuristic match: ";:U^cnQh3zE.O#Wz ;.UQ.sT"
Pattern match: "oa.EUH/{F7"
Heuristic match: "J%f5cOAp7j/6G{lZ.ir"
Heuristic match: "[3.Gn"
Pattern match: "k.eiC/@}R-}jCVQuFZKKPe'Y~"
Heuristic match: "~Bn#JbOd26QcGj<fD=<nNNfsyah~B#~eWc_5B.Pr"
Pattern match: "WXb.yY/=XP;ky|KrQ-%\tF"
Pattern match: "Vi.aE/B?{ftx[v~"
Pattern match: "V.Zem/YkRT"
Pattern match: "n.zpyW/Y@3O"
Pattern match: "E.dpA/q}{48SBA{#8!RWVOSMjtY4L^6-"
Pattern match: "FH..Ca/|cAmr%4b"
Pattern match: "4.Th/:E!J"
Pattern match: "m4.SC/Re"
Heuristic match: "L\>G^(0Q-6D8r^N<.Gt"
Heuristic match: "KG@}8~75w?/<uW<u_BTMG%P}.iT"
Heuristic match: ";-!3.al"
Pattern match: "oN.DD/dpmgG"
Pattern match: "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
Pattern match: "http://purl.org/dc/elements/1.1/"
Pattern match: "http://purl.org/dc/terms/" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
EEM Roadmap Sept 16 (3).pptx
- Filename
- EEM Roadmap Sept 16 (3).pptx
- Size
- 12MiB (13070848 bytes)
- Type
- pptx office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: EMS Roadmap, Author: Microsoft, Last Saved By: Adam Baron, Revision Number: 795, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 37d+02:25:46, Last Printed: Thu Dec 4 18:59:39 2014, Create Time/Date: Mon Sep 15 23:30:59 2014, Last Saved Time/Date: Mon Aug 15 21:47:12 2016, Number of Words: 6240
- Architecture
- WINDOWS
- SHA256
- 649afa3343dfcb90abe44483a9f670f8b57f19d6fb5cfb667187af7552c7dbe1
- MD5
- 273451bddf84456fbd240bc354b991e5
- SHA1
- 4ae643a36a2afdf4eae82634ebb02d6b3ae9013c
Classification (TrID)
- 79.6% (.PPS/PPT) Microsoft PowerPoint document
- 20.2% (.) Generic OLE2 / Multistream Compound File
- 0.1% (.CPT) Corel Photo Paint
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total (System Resource Monitor).
- POWERPNT.EXE "C:\EEM_Roadmap_Sept_16_3_.pptx" (PID: 2696)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
ocsp.omniroot.com | 72.21.91.8 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
72.21.91.8 |
80
TCP |
powerpnt.exe PID: 2696 |
United States
ASN: 15133 (EdgeCast Networks, Inc.) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
72.21.91.8:80 (ocsp.omniroot.com) | GET | ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D |
Extracted Strings
Extracted Files
Displaying 6 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
-
Informative 6
-
-
40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1
- Size
- 1.3KiB (1372 bytes)
- Type
- data
- Runtime Process
- POWERPNT.EXE (PID: 2696)
- MD5
- 2f2b287f3e14996694c67dd3e9ecf441
- SHA1
- a01a1020aec5f336e91bf89d11f7926e12dbae54
- SHA256
- ec3060ad9a1964412f7e3b14b12cd5690033c94f7c6a142881aac2070cd2534c
-
Cab3483.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- POWERPNT.EXE (PID: 2696)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
CabCED6.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- POWERPNT.EXE (PID: 2696)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
Tar3484.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- POWERPNT.EXE (PID: 2696)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
TarCED7.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- POWERPNT.EXE (PID: 2696)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
~$EEM_Roadmap_Sept_16_3_.pptx
- Size
- 165B (165 bytes)
- Type
- data
- Runtime Process
- POWERPNT.EXE (PID: 2696)
- MD5
- d87b13bd9bfbb9a663392d6eb07d226f
- SHA1
- c8c33ebd3dcc2346075e07049e1968613b8499e0
- SHA256
- a879a012f2eaaede5207412ee3828387245191d388f7a1bb1c71ee6d71a77031
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)