SmartHawk

12.6

0-day

该样本未表现出任何异常！

重新分析

下载样本

77b81e13e41d5db9150c78e6d7a2a850e3ad3e32a2f311601ea4867b4b3eca9d

3f3a5160797645acaa4911723ad3bfae.exe

分析耗时

127s

最近分析

文件大小

308.0KB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619399515.113625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619399517.035625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619399519.926625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619399520.176625 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619399512.270625 IsDebuggerPresent		failed	0	0
1619399512.270625 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619399512.270625 GlobalMemoryStatusEx		success	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

CHECKLIST

One or more processes crashed (50 out of 31473 个事件)

Time & API	Arguments	Status
1619399503.645875 __exception__	stacktrace: registers.esp: 1637136 registers.edi: 1923210905 registers.eax: 4224792 registers.ebp: 10428887 registers.edx: 1637352 registers.ebx: 10421374 registers.esi: 9568232 registers.ecx: 10420224 exception.instruction_r: e5 e6 dc 99 e8 17 2d fe 4e 7f 63 89 bc f3 23 0a exception.instruction: in eax, -0x1a exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f20ec	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x4e06 @ 0x404e06 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 3f3a5160797645acaa4911723ad3bfae+0x2016 @ 0x402016 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637140 registers.edi: 1923210905 registers.eax: 4224792 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 10421374 registers.esi: 10424737 registers.ecx: 10420224 exception.instruction_r: 6e e9 8a f3 ff ff 64 ff 35 00 00 00 00 64 89 25 exception.instruction: outsb dx, byte ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f1d85	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1635336 registers.edi: 1636016 registers.eax: 16 registers.ebp: 10426753 registers.edx: 2010606285 registers.ebx: 0 registers.esi: 0 registers.ecx: 4294966940 exception.instruction_r: ec e9 9e 0a 00 00 e9 6b f5 ff ff 83 c4 08 9d 5b exception.instruction: in al, dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f0e51	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x4e06 @ 0x404e06 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 3f3a5160797645acaa4911723ad3bfae+0x2016 @ 0x402016 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637160 registers.edi: 1923210905 registers.eax: 4224792 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 10423908 registers.esi: 9568232 registers.ecx: 10420224 exception.instruction_r: e5 ea 05 41 5e f4 56 57 d7 ac 3b f5 ed fa 94 a9 exception.instruction: in eax, -0x16 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f1f56	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1635356 registers.edi: 0 registers.eax: 16 registers.ebp: 1636036 registers.edx: 2010606285 registers.ebx: 0 registers.esi: 10426375 registers.ecx: 10423908 exception.instruction_r: fa 36 94 7f b3 25 e0 be cf f8 27 03 60 40 09 4c exception.instruction: cli exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f02e2	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x4e06 @ 0x404e06 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 3f3a5160797645acaa4911723ad3bfae+0x2016 @ 0x402016 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637156 registers.edi: 10424408 registers.eax: 4224792 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9568232 registers.ecx: 10420224 exception.instruction_r: 6f e9 28 f3 ff ff 8b 34 04 52 51 e9 1a fb ff ff exception.instruction: outsd dx, dword ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f1c3f	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637128 registers.edi: 1637380 registers.eax: 4224792 registers.ebp: 10425675 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9568232 registers.ecx: 10420224 exception.instruction_r: 0f 06 5a ee a9 a4 a0 7c 85 f5 ef b3 ac bb ca 16 exception.instruction: clts exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f1484	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x4e06 @ 0x404e06 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 3f3a5160797645acaa4911723ad3bfae+0x2016 @ 0x402016 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637152 registers.edi: 1637380 registers.eax: 4224792 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 10421397 registers.esi: 9568232 registers.ecx: 10420224 exception.instruction_r: 6c b3 d4 71 58 20 bf e3 35 65 dd 7d 5f 31 e3 d1 exception.instruction: insb byte ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f0815	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x4e06 @ 0x404e06 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 3f3a5160797645acaa4911723ad3bfae+0x2016 @ 0x402016 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637160 registers.edi: 1923210905 registers.eax: 4224792 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10424518 registers.ecx: 10420224 exception.instruction_r: ef e3 5a 61 5e 07 6d c9 07 87 b5 89 6f 6b 40 dc exception.instruction: out dx, eax exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f0c8c	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 0 registers.ebp: 10424591 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429034 registers.ecx: 10420224 exception.instruction_r: 0f 06 e9 69 f8 ff ff 64 89 2d 00 00 00 00 e9 38 exception.instruction: clts exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f186e	success
1619399503.645875 __exception__	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7460482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143 registers.esp: 1635348 registers.edi: 0 registers.eax: 16 registers.ebp: 1635416 registers.edx: 2010606285 registers.ebx: 10427719 registers.esi: 0 registers.ecx: 10424591 exception.instruction_r: 6c 67 0a f9 a4 f2 21 20 2c cd 75 fa 0f ae 23 91 exception.instruction: insb byte ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f053c	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 1151885337 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429038 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 1151885337 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429038 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3580906136 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429042 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3580906136 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429042 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 213150145 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429046 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 213150145 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429046 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 2834391728 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429050 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 2834391728 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429050 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3408480745 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429054 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.645875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3408480745 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429054 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.645875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 1055416392 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429058 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 1055416392 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429058 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3188861073 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429062 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3188861073 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429062 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 1911544672 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429066 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 1911544672 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429066 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 2997398969 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429070 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 2997398969 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429070 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3396332536 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429074 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3396332536 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429074 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 972882273 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429078 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 972882273 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429078 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 867576336 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429082 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 867576336 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429082 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3827157897 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429086 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3827157897 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429086 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3868044712 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429090 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3868044712 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429090 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 2847945777 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429094 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 2847945777 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429094 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 559353536 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429098 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 559353536 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429098 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 745005913 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429102 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 745005913 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429102 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 3315623256 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429106 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 3315623256 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429106 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 4111401217 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429110 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success
1619399503.660875 __exception__	stacktrace: 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 3f3a5160797645acaa4911723ad3bfae+0x1e36 @ 0x401e36 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637136 registers.edi: 10420854 registers.eax: 4111401217 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429110 registers.ecx: 10420224 exception.instruction_r: fb f5 72 90 ec 22 2b 3e e4 70 c6 d5 01 73 f8 e8 exception.instruction: sti exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f023e	success
1619399503.660875 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 1923210905 registers.eax: 1933396336 registers.ebp: 10422527 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 10429114 registers.ecx: 10420224 exception.instruction_r: e5 af b6 e3 d8 48 ba e0 d3 1f 6c 62 30 68 f3 56 exception.instruction: in eax, -0x51 exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x9f08b0	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 142 个事件)

Time & API	Arguments	Status
1619399503.426875 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00990000	success
1619399503.426875 NtProtectVirtualMemory	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619399503.629875 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x009f0000	success
1619399511.270625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success
1619399511.270625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619399511.785625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619399511.785625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00af0000	success
1619399511.785625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bb0000	success
1619399512.113625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73801000	success
1619399512.129625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73741000	success
1619399512.145625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00920000	success
1619399512.145625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00990000	success
1619399512.176625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73801000	success
1619399512.270625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02a20000	success
1619399512.270625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02bd0000	success
1619399512.270625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0050a000	success
1619399512.270625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73802000	success
1619399512.270625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00502000	success
1619399512.676625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00512000	success
1619399512.738625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00535000	success
1619399512.754625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053b000	success
1619399512.754625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00537000	success
1619399512.848625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x745d1000	success
1619399512.942625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00513000	success
1619399512.957625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75061000	success
1619399512.988625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00514000	success
1619399513.004625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0051c000	success
1619399513.067625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b90000	success
1619399513.067625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b91000	success
1619399513.067625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00517000	success
1619399513.754625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00518000	success
1619399513.926625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00526000	success
1619399514.051625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00991000	success
1619399514.113625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x745b1000	success
1619399514.129625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0052a000	success
1619399514.129625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00527000	success
1619399514.238625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf0000	success
1619399514.270625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b9f000	success
1619399514.379625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf1000	success
1619399514.410625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf2000	success
1619399514.488625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c30000	success
1619399514.488625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c31000	success
1619399514.582625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf3000	success
1619399514.629625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75011000	success
1619399515.113625 NtProtectVirtualMemory	process_identifier: 708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x703c1000	success
1619399515.348625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf4000	success
1619399515.379625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c32000	success
1619399515.676625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf5000	success
1619399515.863625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bf6000	success
1619399515.863625 NtAllocateVirtualMemory	process_identifier: 708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0051d000	success

Steals private information from local Internet browsers (7 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619399555.770625 CreateProcessInternalW	thread_identifier: 3464 thread_handle: 0x00000444 process_identifier: 3460 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000458 inherit_handles: 1	success	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619399503.332875 NtProtectVirtualMemory	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x00860000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.917689521869313

section

{'size_of_data': '0x00049000', 'virtual_address': '0x00001000', 'entropy': 7.917689521869313, 'name': '.text', 'virtual_size': '0x000488cc'}

description

A section with a high entropy has been found

entropy

0.9605263157894737

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619399514.520625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

"netsh" wlan show profile

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: ada689ed42f7e031246016bdcb4e7b5af890826e

Communicates with host for which no DNS query was performed (2 个事件)

host	113.108.239.196
host	172.217.24.14

A process attempted to delay the analysis task. (1 个事件)

description

RegAsm.exe tried to sleep 2728456 seconds, actually delayed analysis time by 2728456 seconds

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Newapp

reg_value

C:\Users\Administrator.Oskar-PC\AppData\Roaming\Newapp\Newapp.exe

Harvests credentials from local FTP client softwares (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619399571.879625 SetWindowsHookExW	thread_identifier: 0 callback_function: 0x009a77a2 module_address: 0x00400000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	1179803	0

Harvests credentials from local email clients (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 called NtSetContextThread to modify thread in remote process 708
1619399509.160875 NtSetContextThread	thread_handle: 0x00000150 registers.eip: 4530176 registers.esp: 3472276 registers.edi: 0 registers.eax: 4508670 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2010382788 process_identifier: 708	success	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Newapp\Newapp.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 resumed a thread in remote process 708
1619399509.223875 NtResumeThread	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 708	success	0	0

Executed a process and injected code into it, probably while unpacking (18 个事件)

Time & API	Arguments	Status	Return
1619399509.145875 CreateProcessInternalW	thread_identifier: 1816 thread_handle: 0x00000150 process_identifier: 708 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000154 inherit_handles: 0	success	1
1619399509.145875 NtGetContextThread	thread_handle: 0x00000150	success	0
1619399509.145875 NtUnmapViewOfSection	process_identifier: 708 region_size: 12845056 process_handle: 0x00000154 base_address: 0x00400000	failed	3221225497
1619399509.160875 NtMapViewOfSection	section_handle: 0x000000e0 process_identifier: 708 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000154 allocation_type: 0 () section_offset: 0 view_size: 352256 base_address: 0x00400000	success	0
1619399509.160875 NtSetContextThread	thread_handle: 0x00000150 registers.eip: 4530176 registers.esp: 3472276 registers.edi: 0 registers.eax: 4508670 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2010382788 process_identifier: 708	success	0
1619399509.223875 NtResumeThread	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 708	success	0
1619399512.270625 NtResumeThread	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 708	success	0
1619399512.270625 NtResumeThread	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 708	success	0
1619399512.285625 NtResumeThread	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 708	success	0
1619399516.613625 NtResumeThread	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 708	success	0
1619399516.723625 NtResumeThread	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 708	success	0
1619399519.910625 NtResumeThread	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 708	success	0
1619399526.176625 NtResumeThread	thread_handle: 0x000003fc suspend_count: 1 process_identifier: 708	success	0
1619399555.770625 CreateProcessInternalW	thread_identifier: 3464 thread_handle: 0x00000444 process_identifier: 3460 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000458 inherit_handles: 1	success	1
1619399560.426625 NtResumeThread	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 708	success	0
1619399560.582625 NtResumeThread	thread_handle: 0x00000484 suspend_count: 1 process_identifier: 708	success	0
1619399590.442625 NtResumeThread	thread_handle: 0x0000048c suspend_count: 1 process_identifier: 708	success	0
1619399557.052125 NtResumeThread	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 3460	success	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-18 03:58:23

Imports

Library MSVBVM60.DLL:

• 0x401000 __vbaVarSub

• 0x401004 _CIcos

• 0x401008 _adj_fptan

• 0x40100c __vbaVarMove

• 0x401010 __vbaAryMove

• 0x401014 __vbaFreeVar

• 0x401018 __vbaStrVarMove

• 0x40101c __vbaFreeVarList

• 0x401020 _adj_fdiv_m64

• 0x401024

• 0x401028 __vbaStrErrVarCopy

• 0x40102c _adj_fprem1

• 0x401030 __vbaVarCmpNe

• 0x401034 __vbaStrCat

• 0x401038 __vbaHresultCheckObj

• 0x40103c __vbaLenVar

• 0x401040 _adj_fdiv_m32

• 0x401044 __vbaAryDestruct

• 0x401048 __vbaExitProc

• 0x40104c __vbaVarForInit

• 0x401050 __vbaOnError

• 0x401054 __vbaObjSet

• 0x401058

• 0x40105c _adj_fdiv_m16i

• 0x401060 __vbaObjSetAddref

• 0x401064 _adj_fdivr_m16i

• 0x401068 __vbaBoolVarNull

• 0x40106c _CIsin

• 0x401070 __vbaErase

• 0x401074 __vbaVarZero

• 0x401078 __vbaChkstk

• 0x40107c

• 0x401080 EVENT_SINK_AddRef

• 0x401084

• 0x401088 __vbaAryConstruct2

• 0x40108c __vbaVarTstEq

• 0x401090 __vbaCyI4

• 0x401094 __vbaVarLikeVar

• 0x401098 __vbaVarOr

• 0x40109c __vbaRedimPreserve

• 0x4010a0 _adj_fpatan

• 0x4010a4 __vbaRedim

• 0x4010a8 EVENT_SINK_Release

• 0x4010ac _CIsqrt

• 0x4010b0 EVENT_SINK_QueryInterface

• 0x4010b4 __vbaExceptHandler

• 0x4010b8 _adj_fprem

• 0x4010bc _adj_fdivr_m64

• 0x4010c0 __vbaFPException

• 0x4010c4 __vbaUbound

• 0x4010c8 __vbaStrVarVal

• 0x4010cc __vbaVarCat

• 0x4010d0

• 0x4010d4 _CIlog

• 0x4010d8 _adj_fdiv_m32i

• 0x4010dc _adj_fdivr_m32i

• 0x4010e0 __vbaStrCopy

• 0x4010e4 __vbaFreeStrList

• 0x4010e8 _adj_fdivr_m32

• 0x4010ec _adj_fdiv_r

• 0x4010f0

• 0x4010f4 __vbaVarTstNe

• 0x4010f8 __vbaI4Var

• 0x4010fc __vbaAryLock

• 0x401100 __vbaVarDup

• 0x401104 __vbaVarCopy

• 0x401108

• 0x40110c _CIatan

• 0x401110 __vbaCastObj

• 0x401114 __vbaStrMove

• 0x401118 _allmul

• 0x40111c __vbaLenVarB

• 0x401120 _CItan

• 0x401124 __vbaAryUnlock

• 0x401128 __vbaVarForNext

• 0x40112c _CIexp

• 0x401130 __vbaI4ErrVar

• 0x401134 __vbaFreeObj

• 0x401138 __vbaFreeStr

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.24.14
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	62191	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57236	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	58970	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.