Score: 8.0
Risk level: High

SHA256: ee1ab7e8f5bc71fd8058523861d11d446b5d5e7a9054c026b744a00c193b8b98
File name: 33773450ecb91a9dfd5ce5322c5b9856.exe
Analysis duration: 129s
File size: 512.0KB
Static scan: malicious | Dynamic scan: malicious
Detection labels: AGEN, AIDETECTVM, ATTRIBUTE, BARYS, CONFIDENCE, EJIC, EVJU, FVJWNB, GENCIRC, GENERICRXIH, GENKRYPTIK, GM0@AEPFPFHI, HIGH CONFIDENCE, HIGHCONFIDENCE, INJECT3, MALWARE1, MALWARE@#16TCGJH9ABH0U, NMXPYOIIGII, QVM03, SCORE, SKEEYAH, STATIC AI, SUSPICIOUS PE, THHADAI, TRICKBOT, TRICKSTER, TROJANBANKER, UNSAFE, ZEVBAF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | GenericRXIH-FY!33773450ECB9 | 20201229 | 6.0.6.653
Alibaba | TrojanBanker:Win32/Trickster.7aef69c7 | 20190527 | 0.3.0.5
Baidu |  | 20190318 | 1.0.0.2
Kingsoft |  | 20201229 | 2017.9.26.565
Tencent | Malware.Win32.Gencirc.1169d407 | 20201229 | 1.0.0.1
Avast | Win32:Trojan-gen | 20201229 | 21.1.5827.0
CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0
Static indicators
Queries for the computer name (26 events)
Time | API | Arguments | Status | Return | Repeated
1619346100.129145 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346100.833145 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346101.067145 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346101.254145 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346149.286145 | GetComputerNameA | computer_name: OSKAR-PC | success | 1 | 0
1619346149.301145 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346105.597897 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346108.753897 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346109.347897 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346109.597897 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346151.832897 | GetComputerNameA | computer_name: OSKAR-PC | success | 1 | 0
1619346151.847897 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346113.114022 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346113.629022 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346114.176022 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346114.286022 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346148.161022 | GetComputerNameA | computer_name: OSKAR-PC | success | 1 | 0
1619346148.176022 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346125.89477 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346126.22277 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346126.67577 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346127.33277 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346152.222395 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346153.753395 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346154.941395 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
1619346155.628395 | GetComputerNameW | computer_name: OSKAR-PC | success | 1 | 0
Checks if the process is being debugged by a debugger (4 events)
Time | API | Arguments | Status | Return | Repeated
1619346104.520145 | IsDebuggerPresent | - | failed | 0 | 0
1619346110.222897 | IsDebuggerPresent | - | failed | 0 | 0
1619346115.114022 | IsDebuggerPresent | - | failed | 0 | 0
1619346132.51977 | IsDebuggerPresent | - | failed | 0 | 0
Command line console output was observed (2 events)
Time | API | Arguments | Status | Return | Repeated
1619346053.020145 | WriteConsoleW | buffer: [SC] ControlService 失败 1062: 服务尚未启动。; console_handle: 0x0000000000000007 | success | 1 | 0
1619346053.003897 | WriteConsoleW | buffer: [SC] DeleteService 成功; console_handle: 0x0000000000000007 | success | 1 | 0
Uses Windows APIs to generate a cryptographic key (50 out of 169 events)
Time & API Arguments Status Return Repeated
1619346118.583145
CryptExportKey
crypto_handle: 0x0000000000215fc0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346124.989145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346124.989145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346124.989145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346126.254145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346126.254145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346126.254145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346126.333145
CryptExportKey
crypto_handle: 0x000000001bb59b20
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346126.395145
CryptExportKey
crypto_handle: 0x000000001bb59dc0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346126.411145
CryptExportKey
crypto_handle: 0x000000001bb59dc0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346127.208145
CryptExportKey
crypto_handle: 0x000000001bb59ea0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346127.208145
CryptExportKey
crypto_handle: 0x000000001bb59ea0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346127.223145
CryptExportKey
crypto_handle: 0x000000001bb59ea0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346127.223145
CryptExportKey
crypto_handle: 0x000000001bb59ea0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346130.583145
CryptExportKey
crypto_handle: 0x000000001bb5a0d0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346130.598145
CryptExportKey
crypto_handle: 0x000000001bb5a0d0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346130.629145
CryptExportKey
crypto_handle: 0x000000001bb5a0d0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346130.864145
CryptExportKey
crypto_handle: 0x000000001bb59f10
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346130.864145
CryptExportKey
crypto_handle: 0x000000001bb59f10
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346130.864145
CryptExportKey
crypto_handle: 0x000000001bb59f10
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346131.645145
CryptExportKey
crypto_handle: 0x000000001bb59f10
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.567145
CryptExportKey
crypto_handle: 0x000000001bb59ab0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.567145
CryptExportKey
crypto_handle: 0x000000001bb59ab0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.567145
CryptExportKey
crypto_handle: 0x000000001bb59ab0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.583145
CryptExportKey
crypto_handle: 0x000000001bb5a760
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.583145
CryptExportKey
crypto_handle: 0x000000001bb5a760
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.598145
CryptExportKey
crypto_handle: 0x000000001bb5a760
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.629145
CryptExportKey
crypto_handle: 0x000000001bb5a760
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.629145
CryptExportKey
crypto_handle: 0x000000001bb5a760
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.629145
CryptExportKey
crypto_handle: 0x000000001bb5a840
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.645145
CryptExportKey
crypto_handle: 0x000000001bb5a840
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346139.661145
CryptExportKey
crypto_handle: 0x000000001bb5a840
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346141.489145
CryptExportKey
crypto_handle: 0x000000001bb5a840
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346141.520145
CryptExportKey
crypto_handle: 0x000000001bb5a840
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346145.145145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346145.301145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346145.426145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346145.973145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346146.114145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346146.145145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346146.473145
CryptExportKey
crypto_handle: 0x000000001bb5a8b0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346147.051145
CryptExportKey
crypto_handle: 0x00000000001bcb90
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346147.051145
CryptExportKey
crypto_handle: 0x00000000001bcb90
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346149.754145
CryptExportKey
crypto_handle: 0x00000000001bcb90
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346149.770145
CryptExportKey
crypto_handle: 0x00000000001bcb90
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346149.942145
CryptExportKey
crypto_handle: 0x00000000001bcce0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346149.942145
CryptExportKey
crypto_handle: 0x00000000001bcce0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346150.004145
CryptExportKey
crypto_handle: 0x00000000001bcce0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346150.395145
CryptExportKey
crypto_handle: 0x00000000001bcce0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619346150.411145
CryptExportKey
crypto_handle: 0x00000000001bcce0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1619345041.168857 | GlobalMemoryStatusEx | - | success | 1 | 0
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1619345030.434857
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1634120
registers.edi: 9270920
registers.eax: 1634120
registers.ebp: 1634200
registers.edx: 0
registers.ebx: 9270920
registers.esi: 9270920
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619345030.590857
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1634708
registers.edi: 9270920
registers.eax: 1634708
registers.ebp: 1634788
registers.edx: 0
registers.ebx: 9270920
registers.esi: 9270920
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619346509.73525
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1634120
registers.edi: 6260496
registers.eax: 1634120
registers.ebp: 1634200
registers.edx: 0
registers.ebx: 6260496
registers.esi: 6260496
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619346509.75025
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1634708
registers.edi: 6260496
registers.eax: 1634708
registers.ebp: 1634788
registers.edx: 0
registers.ebx: 6260496
registers.esi: 6260496
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 543 events)
Time & API Arguments Status Return Repeated
1619345030.715857
NtAllocateVirtualMemory
process_identifier: 420
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03040000
success 0 0
1619345030.715857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0043e000
success 0 0
1619345032.277857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345032.840857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345033.356857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345033.949857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345034.559857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345035.137857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345035.731857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345036.371857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345037.059857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345037.809857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345038.512857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345039.184857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345040.606857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03041000
success 0 0
1619345040.699857
NtAllocateVirtualMemory
process_identifier: 420
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x03050000
success 0 0
1619345040.699857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 172032
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x03051000
success 0 0
1619346102.161145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x0000000002ca0000
success 0 0
1619346102.176145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000002df0000
success 0 0
1619346102.879145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1b31000
success 0 0
1619346104.317145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1dae000
success 0 0
1619346104.317145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1dae000
success 0 0
1619346104.567145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.567145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.583145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.583145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.583145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.583145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.583145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.598145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1daf000
success 0 0
1619346104.598145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db0000
success 0 0
1619346104.598145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db0000
success 0 0
1619346104.598145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db0000
success 0 0
1619346104.598145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db0000
success 0 0
1619346104.614145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db0000
success 0 0
1619346104.614145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db1000
success 0 0
1619346104.614145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db1000
success 0 0
1619346104.614145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db1000
success 0 0
1619346104.614145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1db1000
success 0 0
1619346104.614145
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
base_address: 0x000007fef1dae000
success 0 0
1619346105.192145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00042000
success 0 0
1619346105.254145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007fffff00000
success 0 0
1619346105.254145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1619346105.254145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007fffff00000
success 0 0
1619346105.254145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x000007ffffef0000
success 0 0
1619346105.254145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ffffef0000
success 0 0
1619346105.270145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff000fa000
success 0 0
1619346105.286145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000007ff00032000
success 0 0
1619346107.879145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000002df2000
success 0 0
1619346108.614145
NtAllocateVirtualMemory
process_identifier: 364
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000002df4000
success 0 0
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (34 events)
cmdline cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
cmdline powershell Set-MpPreference -ModerateThreatDefaultAction 6
cmdline cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
cmdline powershell Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
cmdline powershell Set-MpPreference -SevereThreatDefaultAction 6
cmdline cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmdline cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 6
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
cmdline powershell Set-MpPreference -DisablePrivacyMode $true
cmdline powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
cmdline cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
cmdline cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
cmdline "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
cmdline cmd.exe /c sc stop WinDefend
cmdline cmd.exe /c sc delete WinDefend
cmdline powershell Set-MpPreference -DisableBehaviorMonitoring $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
cmdline powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
cmdline powershell Set-MpPreference -DisableIOAVProtection $true
cmdline powershell Set-MpPreference -DisableScriptScanning $true
cmdline cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmdline "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
cmdline powershell Set-MpPreference -LowThreatDefaultAction 6
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
cmdline "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
cmdline cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 6
A process created a hidden window (12 events)
Time | API | Arguments | Status | Return | Repeated
1619345041.387857 | ShellExecuteExW | parameters: /c sc stop WinDefend; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345041.512857 | ShellExecuteExW | parameters: /c sc delete WinDefend; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345041.621857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345041.840857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisableBehaviorMonitoring $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345041.949857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345042.231857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisableIOAVProtection $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345042.559857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisablePrivacyMode $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345043.184857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345043.949857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -SevereThreatDefaultAction 6; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345044.887857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -LowThreatDefaultAction 6; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345049.387857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -ModerateThreatDefaultAction 6; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
1619345054.106857 | ShellExecuteExW | parameters: /c powershell Set-MpPreference -DisableScriptScanning $true; filepath: cmd.exe; filepath_r: cmd.exe; show_type: 0 | success | 1 | 0
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619345029.606857
NtProtectVirtualMemory
process_identifier: 420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00360000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.952614910990603 section {'size_of_data': '0x0002c000', 'virtual_address': '0x00056000', 'entropy': 7.952614910990603, 'name': '.rsrc', 'virtual_size': '0x0002bb3c'} description A section with a high entropy has been found
entropy 0.3464566929133858 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)
Time & API Arguments Status Return Repeated
1619346116.958145
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619346116.988897
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619346117.036022
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619346140.14477
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (6 events)
cmdline sc delete WinDefend
cmdline sc stop WinDefend
cmdline "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
cmdline cmd.exe /c sc stop WinDefend
cmdline cmd.exe /c sc delete WinDefend
cmdline "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to stop active services (1 event)
Time & API Arguments Status Return Repeated
1619346052.958145
ControlService
service_handle: 0x00000000001865c0
control_code: 1
failed 0 0
Disables Windows Security features (5 events)
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Inject3.22695
MicroWorld-eScan Gen:Variant.Barys.61669
FireEye Generic.mg.33773450ecb91a9d
Qihoo-360 HEUR/QVM03.0.12FF.Malware.Gen
McAfee GenericRXIH-FY!33773450ECB9
Cylance Unsafe
K7AntiVirus Trojan ( 0055542a1 )
Alibaba TrojanBanker:Win32/Trickster.7aef69c7
K7GW Trojan ( 0055542a1 )
Cybereason malicious.0ecb91
Arcabit Trojan.Barys.DF0E5
BitDefenderTheta Gen:NN.ZevbaF.34700.Gm0@aePFpFhi
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Banker.Win32.Trickster.eny
BitDefender Gen:Variant.Barys.61669
NANO-Antivirus Trojan.Win32.Trickster.fvjwnb
Ad-Aware Gen:Variant.Barys.61669
Emsisoft Gen:Variant.Barys.61669 (B)
Comodo Malware@#16tcgjh9abh0u
F-Secure Heuristic.HEUR/AGEN.1116421
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.TRICKBOT.THHADAI
McAfee-GW-Edition BehavesLike.Win32.Generic.hh
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Banker.Trickster.rv
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1116421
Gridinsoft PUP.Win32.Gen.vb!s1
Microsoft Trojan:Win32/Skeeyah.HK!MTB
AegisLab Trojan.Win32.Trickster.7!c
ZoneAlarm Trojan-Banker.Win32.Trickster.eny
GData Gen:Variant.Barys.61669
Cynet Malicious (score: 100)
VBA32 TrojanBanker.Trickster
ALYac Gen:Variant.Barys.61669
Malwarebytes Trojan.TrickBot
Panda Trj/CI.A
ESET-NOD32 a variant of Win32/Injector.EJIC
TrendMicro-HouseCall TrojanSpy.Win32.TRICKBOT.THHADAI
Tencent Malware.Win32.Gencirc.1169d407
Yandex Trojan.PWS.Trickster!nmXpYOiIGiI
Ikarus Trojan.Win32.Injector
Fortinet W32/GenKryptik.EVJU!tr
AVG Win32:Trojan-gen
Avast Win32:Trojan-gen
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran


PE Compile Time

2019-08-09 02:18:51

Imports

Library kernel32.DLL:
0x401000 RtlMoveMemory
Library oleaut32.DLL:
0x401008 SysAllocStringLen
0x401010 SysStringLen
Library user32.DLL:
0x401018 LoadStringW
Library MSVBVM60.DLL:
0x401020 __vbaVarTstGt
0x401024 __vbaStrI2
0x401028 _CIcos
0x40102c _adj_fptan
0x401030 __vbaStrI4
0x401034 __vbaVarMove
0x401038 __vbaVarVargNofree
0x40103c
0x401040 __vbaFreeVar
0x401044 __vbaAryMove
0x401048
0x40104c __vbaStrVarMove
0x401050 __vbaLenBstr
0x401054 __vbaLateIdCall
0x401058 __vbaFreeVarList
0x40105c _adj_fdiv_m64
0x401060
0x401064 __vbaRaiseEvent
0x401068 __vbaFreeObjList
0x40106c
0x401070 _adj_fprem1
0x401074 __vbaRecAnsiToUni
0x401078
0x40107c __vbaCopyBytes
0x401080 __vbaVarCmpNe
0x401084 __vbaStrCat
0x401088 __vbaLsetFixstr
0x40108c
0x401090 __vbaRecDestruct
0x401094 __vbaSetSystemError
0x40109c
0x4010a0 _adj_fdiv_m32
0x4010a4 __vbaAryVar
0x4010a8 __vbaAryDestruct
0x4010ac __vbaLateMemSt
0x4010b0
0x4010b4 __vbaForEachCollObj
0x4010b8 __vbaExitProc
0x4010bc __vbaVarForInit
0x4010c0
0x4010c4 __vbaObjSet
0x4010c8 __vbaOnError
0x4010cc _adj_fdiv_m16i
0x4010d0 __vbaObjSetAddref
0x4010d4 _adj_fdivr_m16i
0x4010d8 __vbaVarIndexLoad
0x4010dc
0x4010e0 __vbaFpR4
0x4010e4 __vbaStrFixstr
0x4010e8 __vbaBoolVar
0x4010ec __vbaRefVarAry
0x4010f0 __vbaFpR8
0x4010f4 __vbaVarTstLt
0x4010f8 __vbaBoolVarNull
0x4010fc _CIsin
0x401100
0x401108 __vbaVargVarMove
0x40110c __vbaVarCmpGt
0x401110 __vbaChkstk
0x401114
0x401118 __vbaI2Cy
0x40111c __vbaCyVar
0x401120 __vbaFileClose
0x401124 EVENT_SINK_AddRef
0x401128
0x401130
0x401134 __vbaStrCmp
0x401138 __vbaVarTstEq
0x40113c __vbaObjVar
0x401140 __vbaI2I4
0x401144 DllFunctionCall
0x401148 __vbaVarOr
0x40114c __vbaCastObjVar
0x401150 __vbaRedimPreserve
0x401154 __vbaLbound
0x401158 _adj_fpatan
0x40115c __vbaR4Var
0x401160 __vbaLateIdCallLd
0x401164 __vbaStrR8
0x401168 __vbaRedim
0x40116c __vbaR8Cy
0x401170 __vbaRecUniToAnsi
0x401174 EVENT_SINK_Release
0x401178 __vbaUI1I2
0x40117c _CIsqrt
0x401180 __vbaObjIs
0x401184 __vbaVarAnd
0x40118c __vbaFpCmpCy
0x401190 __vbaVarMul
0x401194 __vbaExceptHandler
0x401198
0x40119c
0x4011a0 __vbaStrToUnicode
0x4011a4 __vbaPrintFile
0x4011a8
0x4011ac _adj_fprem
0x4011b0 _adj_fdivr_m64
0x4011b4 __vbaR8ErrVar
0x4011b8 __vbaI2Str
0x4011bc __vbaLateIdStAd
0x4011c0 __vbaVarDiv
0x4011c4
0x4011c8 __vbaFPException
0x4011cc
0x4011d0 __vbaStrVarVal
0x4011d4 __vbaUbound
0x4011d8
0x4011dc __vbaVarCat
0x4011e0 __vbaCheckType
0x4011e4
0x4011e8 __vbaLsetFixstrFree
0x4011ec __vbaI2Var
0x4011f0
0x4011f4
0x4011f8 _CIlog
0x4011fc __vbaErrorOverflow
0x401200 __vbaFileOpen
0x401204 __vbaInStr
0x401208 __vbaVar2Vec
0x40120c __vbaNew2
0x401210 __vbaCyMulI2
0x401214 _adj_fdiv_m32i
0x401218 _adj_fdivr_m32i
0x40121c
0x401220 __vbaStrCopy
0x401224
0x401228 __vbaI4Str
0x40122c __vbaFreeStrList
0x401230 __vbaVarCmpLt
0x401234 _adj_fdivr_m32
0x401238 _adj_fdiv_r
0x40123c
0x401240
0x401244
0x401248 __vbaI4Var
0x40124c __vbaAryLock
0x401250 __vbaVarAdd
0x401254 __vbaStrToAnsi
0x401258 __vbaVarDup
0x40125c __vbaStrComp
0x401260
0x401264 __vbaVerifyVarObj
0x401268
0x40126c __vbaFpI2
0x401270
0x401274 __vbaFpI4
0x40127c __vbaLateMemCallLd
0x401280 _CIatan
0x401284 __vbaCastObj
0x401288 __vbaAryCopy
0x40128c __vbaStrMove
0x401290
0x401294 _allmul
0x401298 __vbaFpCSngR4
0x40129c __vbaLenVarB
0x4012a0 __vbaLateIdSt
0x4012a4 _CItan
0x4012a8 __vbaUI1Var
0x4012ac __vbaAryUnlock
0x4012b0 __vbaVarForNext
0x4012b4 _CIexp
0x4012b8 __vbaRecAssign
0x4012bc __vbaI4ErrVar
0x4012c0 __vbaFreeStr
0x4012c4 __vbaFreeObj
0x4012c8

Exports

Ordinal Address Name
1 0x43e4b0 EnumFontProc

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 (time.windows.com) 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.