1.3
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.60
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
查询计算机名称
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545293.4525 GetComputerNameA |
computer_name:
TU-PC
|
success | 1 | 0 |
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
一个或多个进程崩溃
(13 个事件)
动态指标
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\.exe |
将读写内存保护更改为可读执行(可能是为了避免在同时设置所有 RWX 标志时被检测)
(3 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在用户文件夹中创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\.exe |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2011-06-15 03:01:16
PE Imphash
98f67c550a7da65513e63ffd998f6b2e
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0002a728 | 0x0002b000 | 5.947197438251493 |
| .data | 0x0002c000 | 0x00001b74 | 0x00001000 | 0.0 |
| .rsrc | 0x0002e000 | 0x00012000 | 0x00001000 | 3.439104562125941 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0002e2f8 | 0x00000cd0 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x0002e2e4 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_VERSION | 0x0002e0f0 | 0x000001f4 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library MSVBVM60.DLL:
• 0x401000 EVENT_SINK_GetIDsOfNames
• 0x401004 __vbaStrI2
• 0x401008 None
• 0x40100c _CIcos
• 0x401010 _adj_fptan
• 0x401014 __vbaStrI4
• 0x401018 __vbaVarVargNofree
• 0x40101c __vbaFreeVar
• 0x401020 __vbaStrVarMove
• 0x401024 __vbaLenBstr
• 0x401028 __vbaLateIdCall
• 0x40102c __vbaPut3
• 0x401030 __vbaEnd
• 0x401034 __vbaFreeVarList
• 0x401038 _adj_fdiv_m64
• 0x40103c __vbaPut4
• 0x401040 EVENT_SINK_Invoke
• 0x401044 __vbaRaiseEvent
• 0x401048 __vbaFreeObjList
• 0x40104c None
• 0x401050 __vbaStrErrVarCopy
• 0x401054 None
• 0x401058 _adj_fprem1
• 0x40105c __vbaRecAnsiToUni
• 0x401060 None
• 0x401064 __vbaCopyBytes
• 0x401068 __vbaStrCat
• 0x40106c __vbaLsetFixstr
• 0x401070 __vbaRecDestruct
• 0x401074 __vbaSetSystemError
• 0x401078 None
• 0x40107c __vbaHresultCheckObj
• 0x401080 __vbaNameFile
• 0x401084 _adj_fdiv_m32
• 0x401088 __vbaAryVar
• 0x40108c Zombie_GetTypeInfo
• 0x401090 __vbaAryDestruct
• 0x401094 None
• 0x401098 None
• 0x40109c __vbaBoolStr
• 0x4010a0 __vbaExitProc
• 0x4010a4 __vbaI4Abs
• 0x4010a8 None
• 0x4010ac __vbaOnError
• 0x4010b0 __vbaObjSet
• 0x4010b4 _adj_fdiv_m16i
• 0x4010b8 __vbaObjSetAddref
• 0x4010bc _adj_fdivr_m16i
• 0x4010c0 None
• 0x4010c4 __vbaFpR4
• 0x4010c8 None
• 0x4010cc __vbaStrFixstr
• 0x4010d0 _CIsin
• 0x4010d4 __vbaErase
• 0x4010d8 None
• 0x4010dc None
• 0x4010e0 None
• 0x4010e4 __vbaChkstk
• 0x4010e8 __vbaFileClose
• 0x4010ec EVENT_SINK_AddRef
• 0x4010f0 __vbaGenerateBoundsError
• 0x4010f4 __vbaGet3
• 0x4010f8 __vbaStrCmp
• 0x4010fc None
• 0x401100 __vbaGet4
• 0x401104 __vbaPutOwner3
• 0x401108 __vbaVarTstEq
• 0x40110c __vbaAryConstruct2
• 0x401110 __vbaObjVar
• 0x401114 __vbaI2I4
• 0x401118 DllFunctionCall
• 0x40111c __vbaVarLateMemSt
• 0x401120 __vbaFpUI1
• 0x401124 __vbaRedimPreserve
• 0x401128 __vbaStrR4
• 0x40112c _adj_fpatan
• 0x401130 __vbaFixstrConstruct
• 0x401134 __vbaLateIdCallLd
• 0x401138 Zombie_GetTypeInfoCount
• 0x40113c __vbaRedim
• 0x401140 __vbaRecUniToAnsi
• 0x401144 EVENT_SINK_Release
• 0x401148 __vbaNew
• 0x40114c None
• 0x401150 __vbaUI1I2
• 0x401154 _CIsqrt
• 0x401158 EVENT_SINK_QueryInterface
• 0x40115c __vbaExceptHandler
• 0x401160 None
• 0x401164 None
• 0x401168 __vbaStrToUnicode
• 0x40116c None
• 0x401170 _adj_fprem
• 0x401174 _adj_fdivr_m64
• 0x401178 None
• 0x40117c None
• 0x401180 None
• 0x401184 __vbaFPException
• 0x401188 None
• 0x40118c None
• 0x401190 __vbaGetOwner3
• 0x401194 __vbaUbound
• 0x401198 None
• 0x40119c __vbaFileSeek
• 0x4011a0 None
• 0x4011a4 None
• 0x4011a8 _CIlog
• 0x4011ac __vbaErrorOverflow
• 0x4011b0 __vbaFileOpen
• 0x4011b4 __vbaVarLateMemCallLdRf
• 0x4011b8 None
• 0x4011bc None
• 0x4011c0 __vbaNew2
• 0x4011c4 __vbaInStr
• 0x4011c8 _adj_fdiv_m32i
• 0x4011cc None
• 0x4011d0 _adj_fdivr_m32i
• 0x4011d4 __vbaStrCopy
• 0x4011d8 __vbaI4Str
• 0x4011dc __vbaFreeStrList
• 0x4011e0 _adj_fdivr_m32
• 0x4011e4 _adj_fdiv_r
• 0x4011e8 None
• 0x4011ec None
• 0x4011f0 __vbaVarSetVar
• 0x4011f4 __vbaI4Var
• 0x4011f8 None
• 0x4011fc __vbaLateMemCall
• 0x401200 __vbaVarAdd
• 0x401204 None
• 0x401208 __vbaAryLock
• 0x40120c None
• 0x401210 __vbaStrComp
• 0x401214 __vbaVarDup
• 0x401218 __vbaStrToAnsi
• 0x40121c None
• 0x401220 __vbaFpI2
• 0x401224 __vbaFpI4
• 0x401228 __vbaVarLateMemCallLd
• 0x40122c None
• 0x401230 __vbaVarSetObjAddref
• 0x401234 __vbaRecDestructAnsi
• 0x401238 __vbaLateMemCallLd
• 0x40123c _CIatan
• 0x401240 __vbaAryCopy
• 0x401244 __vbaStrMove
• 0x401248 None
• 0x40124c __vbaCastObj
• 0x401250 __vbaR8IntI4
• 0x401254 None
• 0x401258 _allmul
• 0x40125c __vbaVarLateMemCallSt
• 0x401260 _CItan
• 0x401264 None
• 0x401268 __vbaAryUnlock
• 0x40126c _CIexp
• 0x401270 __vbaFreeObj
• 0x401274 __vbaFreeStr
• 0x401278 None
• 0x40127c None
L!This program cannot be run in DOS mode.
MSVBVM60.DLL
xr2uyr
xrrzr1hzrf
xrhxrtzr>Uxrvrbrzr
yrwUxr7vrzr
yrwrEtxr?wrhxr)uxrPwrvr#wrwrObwr
yr@9zrvrJwrjrQwr*
xrHxrHKxrwrGxr=wrF
yrTwrF
yrQvruzrbyrxr.yrIwr&nxr
yr{xr*ayr?wr
vr\wr"Uxr
xr[wrYUxrUxrzrwrwrE
zr4uzrwr
yr\xr%zrvrVwrwrvrPwrvr
yrvr$Fxr
yrxvrj|xr
uzr-xr_]yrUxrwrwr
xrkyrvr];wrzr@wr\Txrwr~jrz
xrEjxr
yrxrE`wr5jr
wrtLxr|syrzrwzrX"wr%wr_yr-zxrmzrjr`yrYuzrpuzrzrkxrwr
yrhvrtjxrlxr]zrNxrayr-xrzryrf
wrHwrQxrwr0jxr`wr0wr
uExWatch
sge-@l
frmExplorer
uExWatch1
Win.uExWatch
tmrSec
tmrPri
Timer1
picIcon
picCapt
VB5! *
sge-@l
mExInternet
mExComp
mExJoin
uExWatch
mExReg
mExMatch
Win.uExWatch
uExWatch
mExM c@
Q|~hC6l<
frmExplorer
mExMain
mExHooks
mExInternet
mExComp
mExJoin
uExWatch
mExReg
mExMatch
user32
SetWindowsHookExA
UnhookWindowsHookEx
CallNextHookEx
kernel32
RtlMoveMemory
GetWindowTextA
GetForegroundWindow
GetAsyncKeyState
GetKeyState
user32.dll
GetWindowTextLengthA
gdi32.dll
BitBlt
CreateDCA
DeleteDC
gdiplus.dll
GdipCreateBitmapFromHBITMAP
gdiplus
GdipGetImageEncodersSize
GdipGetImageEncoders
lstrlenW
WideCharToMultiByte
GdipSaveImageToFile
CreateToolhelp32Snapshot
GdipDisposeImage
GdiplusStartup
GdiplusShutdown
ClientToScreen
GetWindowThreadProcessId
kernel32.dll
Process32First
Process32Next
CloseHandle
OpenProcess
Psapi.dll
GetModuleFileNameExA
TerminateProcess
Thread32First
Thread32Next
ResumeThread
OpenThread
FindFirstFileA
FindNextFileA
FindClose
advapi32.dll
OpenProcessToken
GetCurrentProcess
advapi32
LookupPrivilegeValueA
AdjustTokenPrivileges
9ShellIE
GetExitCodeProcess
fsge-@l
+3qC:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
picCapt
tmrPri
Timer1
tmrSec
C:\WINDOWS\system32\ieframe.dll
SHDocVw
uExWatch1
picIcon
DeleteFileA
ShellIE_WindowRegistered
+3q"=h
SHGetPathFromIDListA
GetFileAttributesA
WritePrivateProfileStringA
shell32.dll
SHGetSpecialFolderLocation
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
__vbaStrToUnicode
RegDeleteValueA
RegSetValueExA
SHGetFileInfoA
DrawIconEx
DestroyIcon
WriteFile
GetComputerNameA
GetUserNameA
urlmon
URLDownloadToFileA
GlobalFree
wininet.dll
DeleteUrlCacheEntryA
mpr.dll
WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
GlobalAlloc
lstrcpyA
Netapi32.dll
NetShareAdd
NetShareDel
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle
CreateFileA
ReadFile
: & p
SetFilePointer
VBA6.DLL
__vbaNameFile
__vbaCastObj
__vbaAryUnlock
__vbaStrI4
__vbaAryLock
__vbaLsetFixstr
__vbaStrFixstr
__vbaAryDestruct
__vbaGenerateBoundsError
__vbaStrToAnsi
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaAryConstruct2
__vbaLateMemCallLd
__vbaLateIdCallLd
__vbaI4Var
__vbaVarTstEq
__vbaExitProc
__vbaLateIdCall
__vbaFreeObjList
__vbaI2I4
__vbaErrorOverflow
__vbaFpR4
__vbaFreeVarList
__vbaNew
__vbaObjSet
__vbaSetSystemError
__vbaFreeVar
__vbaInStr
__vbaLenBstr
__vbaOnError
__vbaStrCopy
__vbaFreeStr
__vbaStrCat
__vbaHresultCheckObj
__vbaFreeStrList
__vbaStrMove
__vbaStrCmp
__vbaEnd
__vbaFreeObj
__vbaNew2
__vbaStrR4
__vbaPut3
__vbaPut4
__vbaFileClose
__vbaGet3
__vbaFileOpen
__vbaI4Str
__vbaVarDup
__vbaAryVar
__vbaAryCopy
__vbaBoolStr
__vbaRedimPreserve
__vbaRedim
__vbaErase
__vbaVarAdd
GetDIBits
__vbaUbound
__vbaI4Abs
__vbaCopyBytes
__vbaStrComp
__vbaStrI2
__vbaFixstrConstruct
__vbaRecDestruct
__vbaRecDestructAnsi
__vbaStrVarMove
__vbaVarSetObjAddref
__vbaVarLateMemCallLdRf
__vbaVarLateMemCallSt
__vbaObjVar
__vbaLateMemCall
__vbaFpI2
__vbaVarLateMemSt
__vbaVarLateMemCallLd
__vbaVarSetVar
__vbaPutOwner3
__vbaGetOwner3
__vbaFileSeek
__vbaUI1I2
__vbaFpUI1
__vbaGet4
__vbaFpI4
__vbaR8IntI4
KaPN~K
MIEObject
UserControl
AddSubClass
IEObject_DocumentComplete
IEObject_OnQuit
SetIENothing
ValidatePath
PathChange
IEClosed
__vbaVarVargNofree
__vbaStrErrVarCopy
__vbaObjSetAddref
__vbaRaiseEvent
uExWatch
lCookie
strPath
MSVWeE
}#jhh0e@
}#j|h0e@
}#jPh0e@
@fPEPMQj
}#jPh0e@
}#jPh0e@
MQhDe@
}#jXh0e@
UREPMQUREPj
MQUREPMQURj
EPMQUREPMQj
MQUREPMQj
MQUREPMQURj
LRh(o@
LRh4o@
LRh@o@
LRhLo@
EPMQUREPj
EPMQUREPMQj
EPMQUREPj
EPMQUREPj
EPMQUREPj
}#j\hxy@
@f`MQUREPMQj
dMQUREPj
dEPMQUREPj
MQUREPj
}#j\hxy@
EPMQUREPMQURj
f`MQUREPMQj
EPMQUREPj
MQUREPMQUREPj
EPMQUREPj
EPMQUREPj
}#j\hxy@
DEPMQUREPMQURj
EPMQURj
bSVWeEh
fMfUf;t
MQPLE}
UfEfEE
MQP E}
fEMQURj
MfUfUE
} j hw@
EEPfMQU
MQP@E}
UREPMQj
%UREPMQURj
0SVWeE
7PURPWV
UREPMQj
xSVWeE
MQVPL;}
UREPVQ@}
MpwM|1E
(UREPj
MQUREPj
=ZSVWeE
WSVWeEp
VSVWeE
QxRhU@
MQURhP
@f@`RdPhQj
xPQhU@
PxQhU@
-`RdPhQj
]OSVWeE
xRPhU@
QxRhU@
dQhRlPpQj
xRPhU@
RxPhU@
dRhPlQpRj
LPPQTRXP\Q`RdPhQlRpPj
dQhRlPpQj
hQlRpPj
`RdPhQlRpPj
`PdQhRlPpQj
\R`PdQhRlPpQj
^LQPRTPXQ\R`PdQhRlPpQj
:SVWeE
]EPMQUREPj
MQUREPj
]UREPj
<EPMQUREPj
MQUREPj
]3SVWeEX
MQPLE}
fUfEf;t
EURfEPM
EPR@E}
MQPLE}
fUfEf;l
EMQfURE
URQ@E}
fUfEf;d
UfEfEE
} j hw@
EMQfURE
URQ@E}
EPMQURj
%MQUREPMQj
}+SVWeE
|RPhU@
Q|RhU@
lQpRtPj
f<lPpQtRj
f<pPtQj
UREPh@
@f<pQtRj
|RPhU@
PMQ+P@
R|PhU@
FlRpPtQj
EEEEExHEEE
HUQxRP
xUQERMPQj
MUQERMPUQRj
EMPUQERMPQj
xERMPUQRj
TSVWeE
xSVWeE
UERMPQj
EMPUQRj
pqE4UM
UERMPQj
HSVWeE0
M;t(f9
SVWeE@
MQURS8
EPMQr7
REPhp@
EPMQl5
UREPMQj
u<U3+B
UREPMQj
u<U3+B
REPh4@
QURhp@
REPh(@
UREPMQj
u<U3+B
UREPMQj
u<U3+B
UREPMQj
u<U3+B
EPMQ:%
UREPMQj
u<U3+B
REPhH@
QURh(@
REPhh@
h Pj8j
hB PpQ
EPMQR!
UREPMQj
u<U3+B
UREPMQj
u<U3+B
UREPMQj
u<U3+B
UREPMQj
u<U3+B
QURhh@
REPh0@
PMQh(@
PMQhl@
+MQUREPj
SVWeE @
MfE_^d
SVWeE0 @
MfE_^d
]SVWeE@ @
RfEPjh
fUREPj
SVWeE @
QfURjj
fEPfMQ
fEPMQj
SVWeE @
EPMQUREPMQURj
7UREPMQUREPMQj
<SVWeE !@
SVWeE0!@
UWRh0aA
SVWeE@!@
UWRh zA
SVWeEX!@
]]]]]]]]]]]p`P0,($
MPhXo@
ERMPQj
ft*hHB
UERMPUQERMPUQRj
EMPUQRj
EMPUQERMPQj
UQERMPQj
p0P`QR
`pQERMPQj
R P$Q(RMPQ
UERMPUQRj
EMPUQRj
VUERMPUQERMPUQRj
`pRMPUQRj
SVWeEh!@
]M]]]]]]]]]xhXH8
MPhXo@
ERMPQj
E3MEPQ
ft*hHB
lMUQRj
UERMPUQERMPUQRj
EMPUQERMPQj
UQERMPQj
HXQhRxPQj
S,C$M+
QRSMPQ!
UERMPUQRj
MUQERMPUQRj
UQERMPQj
HXQhRxPQj
S,C$M+
C44M++
RPSVMQ+
UERMPUQRj
\MUQERMPUQERMPQj
HXQhRxPQj
$SVWeEx!@
QR3PV}}}
EWWMPQ
SVWeE!@
$PQhT@
R$PhT@
SVWeE!@
MQUREP5E
SVWeE`"@
u0E3+H
EPMQUR
u0M3+Q
u3E3+H
mSVWeE"@
EPMQURj
MQUREPj
SVWeE@#@
}SVWeEp#@
-SVWeE#@
PlQhU@
lPQhU@
QDRhU@
DQRhU@
REP,fE
fMfMAE
SVWeE$@
EPj(MQ<E
EPhLS@
SVWeEH%@
R@PhU@
@RPhU@
UREPtQ
fhpRtPj
SVWeE%@
xR8PhU@
8RxPhU@
UREPlQ
@f`hRlPj
PxQhU@
fMfMh7A
SVWeE(&@
SVWeE8&@
pQRhU@
PpQhU@
TPXQ\R`Pj
M\R`Pj
pPDQhU@
DPpQhU@
HQLRPPTQXR\P`Qj
XQ\R`Pj
<R@PDQHRLPPQTRXP\Q`Rj
fMfUf;<
<P@QDRHPLQPRTPXQ\R`Pj
X(f_^][
}vSVWeE
PPTQXRj
uFEM+H
\QRhU@
R\PhU@
@QUREP
\PQhU@
P\QhU@
PQTRXPj
SVWeE'@
uuuuuuuuuuuxhXH8$j
EPxQ=(
MPhDe@
UREPMQUREPMQUREPj
XQhRxPj
XPhQxRj
XQhRxPj
XQhRxPj
XQhRxPj
XQhRxPj
XQhRxPj
XQhRxPj
XQhRxPj
IUREPMQUREPMQUREPj
XQhRxPj
SVWeE'@
}}}}}}}}}}}xhXH4j
WjUR|B
MPhDe@
UREPMQUREPMQUREPj
hQxREPj
hPxQURj
hQxREPj
hQxREPj
hQxREPj
hQxREPj
hPxQUR<
hQxREPj
hQxREPj
hQxREPj
FUREPMQUREPMQUREPj
hQxREPj
]KSVWeE
JSVWeEP(@
MQUREP
HSVWeE(@
MQUREP
mGSVWeE(@
EPj@N<
UREPMQUR
j UREPpj
4pRtPxQ|REPMQUREPMQUREPMQj
4@RPP`Qj
hpRtPxQ|REPMQUREPMQUREPMQj
4@RPP`Qj
=ASVWeEx)@
?SVWeE)@
j@`QUR
j@`REP
j@MQpR
QURhho@
MQhho@
<SVWeE
PUR2}E
SVWeEx*@
]]]p`\U
QURS5,
EPMQURj
SjhDe@
?;t&f?
Euf;}}Pf
$MQUREPj
(SVWeE*@
d;t"f9
uft'f9
SVWeE*@
]]]]]]U
MQUREPj
!UREPMQj
z~_^][
,SVWeE*@
E;t!f8
lSVWeE*@
EEEEEEEU
UREPMQj
EPPjh
|BPEPj
EPMQURj
!EPMQURj
@flMQUREPj
!MQUREPj
SVWeEH,@
EPMQURj
4MQUREPj
SVWeE@-@
SVWeE-@
@fEUREPMQUREPj
MQUREPj
)MQUREPMQURj
@fEMQUREPMQURj
EPMQURj
)EPMQUREPMQj
SVWeEx.@
|xtplhd`\XTPLHD@<840,(
QVPP;}
PP RSSP:
QRPQRj
RPQRPj
M;tKf9
kM;tOf9
|QRPQRPQRPQRPQRPQRPQRPQRPQRPQRP(Q,R0P4Q8R<P@QDRHPLQPRTPXQ\R`PdQhRlPpQtRxPj3
QRPQRPQ
|RPQRPQRPQRPQRPQRPQRPQRPQRPQRPQ0R4P8Q<R@PDQHRLPPQTRXP\Q`RdPhQlRpPtQxRj1
PQRPQRP
(P,Q0R4P8Q<R@PDQHRLPPQTRXP\Q`RdPhQlRpPtQxR|PQRPQRPQRPQRPQRPQRPQRPQRPQRPQRj3
PQRPQRP
px+ptT$ D$ \$
SVWeE.@
pZuhtYB
MfE_^d
SVWeE.@
EEEEEEEEEEEU
MPVEPj
@fpEPMQURj
EPMQUREPj
MPVMQj
uKURhD@
MQPjh
|7MPEPj
'PURh@
%EPMQUREPj
`SVWeE
3}}}}3EfE
MMMM}}}U
}WURWEP&WMQj
}WMQUREPH&WMQj
M;t f9
MWURURI
MQ%WWj
EPMQURe
}M;t&f9
REPMQA
URft6EPG$E
SVWeE(/@
Puuuu|
UVRMj@QP
UERMPQj
MfE_^d
SVWeE8/@
SQSP7 5t
SURj@|P
Q SURj
SMQj(S
URfUfk(
~9t!f9
3Et!f9
SVWeE`/@
3}uuuuEEEEuuj
uuVMQU
MQfUfk
MQfUfk
SVWeE/@
uuuuu3
MMMMuuj
DMt"f9
@Mt"f9
<Mt"f9
MQfUfk
8Mt"f9
4Mt"f9
Ex|t$f9
0Mt"f9
,Mt"f9
(Mt"f9
$Mt"f9
Mt"f9
SVWeE/@
SVWeE/@
(SVWeE
HSVWeE(0@
URPQx}
MQUREPj
!MQUREPj
SVWeEP0@
SVWeE0@
SVWeE0@
MSVWeE0@
fMfUf;U
EPMQUREPMQj
EPMQUREPMQj
EUQERMPQj
ERMPUQRj
MfE_^d
SVWeE(1@
UREPMQUREPMQUREPMQUREPj
(MQUREPMQUREPMQj
]SVWeEX1@
EPMQUREPMQj
MQUREPMQURj
EPMQUREPMQj
(SVWeE1@
ERjd]E]
MPhDe@
}SVWeE1@
EPMQUR
=SVWeE
EPMQUR
SVWeE@2@
EPMQUR
dSVWeEx2@
M]]7]]E(
SVWeE2@
uuuuupj
d PMQ5
MQUR3EPMQj
UREPMQURj
UREPMQj
MSVBVM60.DLL
EVENT_SINK_GetIDsOfNames
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarVargNofree
__vbaFreeVar
__vbaStrVarMove
__vbaLenBstr
__vbaLateIdCall
__vbaPut3
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
__vbaPut4
EVENT_SINK_Invoke
__vbaRaiseEvent
__vbaFreeObjList
__vbaStrErrVarCopy
_adj_fprem1
__vbaRecAnsiToUni
__vbaCopyBytes
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
__vbaNameFile
_adj_fdiv_m32
__vbaAryVar
Zombie_GetTypeInfo
__vbaAryDestruct
__vbaBoolStr
__vbaExitProc
__vbaI4Abs
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaFpR4
__vbaStrFixstr
_CIsin
__vbaErase
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaGet3
__vbaStrCmp
__vbaGet4
__vbaPutOwner3
__vbaVarTstEq
__vbaAryConstruct2
__vbaObjVar
__vbaI2I4
DllFunctionCall
__vbaVarLateMemSt
__vbaFpUI1
__vbaRedimPreserve
__vbaStrR4
_adj_fpatan
__vbaFixstrConstruct
__vbaLateIdCallLd
Zombie_GetTypeInfoCount
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaGetOwner3
__vbaUbound
__vbaFileSeek
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVarLateMemCallLdRf
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarSetVar
__vbaI4Var
__vbaLateMemCall
__vbaVarAdd
__vbaAryLock
__vbaStrComp
__vbaVarDup
__vbaStrToAnsi
__vbaFpI2
__vbaFpI4
__vbaVarLateMemCallLd
__vbaVarSetObjAddref
__vbaRecDestructAnsi
__vbaLateMemCallLd
_CIatan
__vbaAryCopy
__vbaStrMove
__vbaCastObj
__vbaR8IntI4
_allmul
__vbaVarLateMemCallSt
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr
#"'#"'#"'#"'#"'#"'#"'#"'#"'#"'#"'#"'#"'#"'
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
WGcy[xMu
s-DpW#%
{=pd=3!Ji
|tuxN!
@�@�@�@�@�@�
@�@�@�@�@�@�
@�@�@�@�@�@�@�
@�@�@�@�@�@�
@�@�@�@�@�@�@�@�
@�@�@�@�@�@�
@�@�@�@�@�@�
@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�
@�@�@�@�f�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�
A�A�A�A�A�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�
A�A�A�A�A�A�
A�A�A�A�A�A�A�
A�A�A�A�A�A�A�
_�e�x�t�e�n�t�x�
_�e�x�t�e�n�t�y�
S�e�D�e�b�u�g�P�r�i�v�i�l�e�g�e�
M�i�c�r�o�s�o�f�t� �I�n�t�e�r�n�e�t� �E�x�p�
B�*�\�A�D�:�\�C�o�d�e�\�E�x�p�l�o�r�e�r�\�E�x�p�l�o�r�e�r�.�v�b�p�
S�e�D�e�b�u�g�P�r�i�v�i�l�e�g�e�
M�i�c�r�o�s�o�f�t� �I�n�t�e�r�n�e�t� �E�x�p�l�o�r�e�r�
h�t�t�p�:�/�/�s�c�h�e�m�a�s�.�m�i�c�r�o�s�o�f�t�.�c�o�m�/�c�d�o�/�c�o�n�f�i�g�u�r�a�t�i�o�n�/�
R�I�K�V�d�O�4�>�+�
h�Z�\�1�*�1�
d�w�(�/�.�,�J�,�
s�y�s�t�e�m�\�
v�W�e�=�<�7�
I�K�?�:�M�9�U�]�G�
I�0�[�d�C�i�
"�Y�a�(�_�_�C�x�q�
p�f�b�v�o�h�=�N�A�.�M�6�
7�*�X�(�&�H�V�a�r�\�g�r�
M�G�B�+�!�.�F�4�B�
u�o�O�T�B�h�
I�0�W�d�C�j�
|�b�.�5�}�S�F�%�*�-�
L�U�F�P�v�P�k�
7�'�W�(�#�K�V�O�k�
:�m�s�+�i�m�
e�_�7�x�u�(�
w�_�{�S�T�c�8�j�s�}�
�J�L�>�z�o�f�
y�L�_�@�.�>�1�*�2�7�3�?�
I�K�?�:�M�8�U�]�L�
y�n�^�@�S�4�
s�y�s�t�e�m�3�2�\�d�r�i�v�e�r�s�\�
1�*�7�"�&�&�R�F�G�
v�v�s�e�X�b�j�O�}�
I�-�X�b�L�q�
�e�u�%�-�9�
I�K�?�:�M�3�U�]�K�
�U�?�d�d�r�
T�W�b�i�[�j�Z�\�n�o�c� �M�)�z�
j�H�]�1�*�6�
j�H�V�1�*�6�
M�G�G�+�!�,�F�4�C�
u�f�O�T�K�h�
I�0�Z�d�C�o�
"�Y�g�(�_�i�C�x�u�
p�f�e�v�o�k�=�N�;�.�M�/�
7�*�X�(�&�O�V�a�l�
:�D�M�j�d�s�
7�Z�<�(�V�2�
M�G�G�j�E�X�1�*�2�
^�[�U�O�T�@�
Y�Y�I�t�o�d�
�I�0�V�:�,�Q�
w�J�L�U�!�+�d�T�[�
Y�Y�Q�t�o�`�
�I�0�Z�:�,�M�
w�J�I�U�!�.�d�T�a�
I�K�;�:�M�7�U�]�L�
I�K�=�:�M�2�U�]�O�
w�\�%�i�J�+�r�K�[�
I�0�[�:�)�N�U�?�_�
U�!�/�y�a�i�j�`�f�
U�/�l�1�!�N�7�*�Y�g�J�r�
a�V�u�=�H�X�C�Q�d�s�q�{�
:�/�;�U�B�P�
p�i�c�s�y�s�.�
p�s�V�j�H�\�d�J�
C�E�>�^�[�S�b�j�N�}�
P�r�o�c�e�s�s�
<�M�a�i�l�>�
<�/�M�a�i�l�>�
<�/�D�b�l�C�l�k�>�
<�D�b�l�C�l�k�>�
w�p�1�*�4�J�F�E�
#�&�+�3�6�p�i�]�a�_�[�
I�`�B�d�v�T�
C�9�T�4�;�O�O�K�i�
<�/�C�l�i�c�k�>�
J�F�F�z�x�\�
i�c�q�w�[�:�J�/�h�s�S�
b�L�j�S�T�`�%�K�`�+�T�o�[�t�
e�\�x�V�O�a�
m�e�8�U�D�S�w�I�
W�Y�q�e�I�:�8�
%�9�R�@�R�c�
7�6�~�(�5�%�
<�/�E�n�t�e�r�>�
:�G�0�S�i�C�
<�x�C�o�m�m�a�n�d�
<�/�x�C�o�m�m�a�n�d�>�
<�T�i�t�l�e�>�
<�/�T�i�t�l�e�>�
b�C�a�p�t�u�r�e�
C�a�p�t�u�r�e�
<�E�n�t�e�r�>�
<�C�l�i�c�k�>�
U�s�e�S�S�L�
A�u�t�h�e�n�t�i�c�a�t�e�
U�s�e�r�n�a�m�e�
P�a�s�s�w�o�r�d�
<�I�n�s�t�a�n�t�>�
<�/�I�n�s�t�a�n�t�>�
K�e�y�w�o�r�d�
<�A�t�t�a�c�k�>�
<�/�A�t�t�a�c�k�>�
%�S�y�s�t�e�m�R�o�o�t�%�
%�P�r�o�g�r�a�m�F�i�l�e�s�%�
T�e�x�t�B�o�d�y�
<�D�o�w�n�l�o�a�d�>�
<�/�D�o�w�n�l�o�a�d�>�
<�U�p�d�a�t�e�>�
<�/�U�p�d�a�t�e�>�
V�e�r�s�i�o�n�
y�y�m�m�d�d�
C�l�i�p�b�o�a�r�d�
d�/�m�/�y�y� �h�:�m�
D�I�S�P�L�A�Y�
i�m�a�g�e�/�p�n�g�
i�m�a�g�e�/�g�i�f�
i�m�a�g�e�/�j�p�e�g�
i�m�a�g�e�/�t�i�f�f�
i�m�a�g�e�/�b�m�p�
[�"�s�z�P�W�"�]�
\�S�y�s�t�e�m�R�o�o�t�\�
%�s�y�s�t�e�m�r�o�o�t�%�
U�l�1�'�;�v�Z�c�P�a�G�
I�K�@�O�Z�D�
U�?�d�8�p�r�
1�U�'�3�d�W�d�
%�{�P�>�=�a�
5�9�A�B�C�Q�E�F�0�1�
C�D�O�.�M�e�s�s�a�g�e�
B�o�d�y�P�a�r�t�
t�e�x�t�/�p�l�a�i�n�
C�o�n�t�e�n�t�M�e�d�i�a�T�y�p�e�
b�a�s�e�6�4�
C�o�n�t�e�n�t�T�r�a�n�s�f�e�r�E�n�c�o�d�i�n�g�
C�h�a�r�s�e�t�
A�d�d�B�o�d�y�P�a�r�t�
d�d�/�m�m�/�y�y� �h�h�:�m�m�
S�u�b�j�e�c�t�
A�d�d�A�t�t�a�c�h�m�e�n�t�
s�e�n�d�u�s�i�n�g�
C�o�n�f�i�g�u�r�a�t�i�o�n�
F�i�e�l�d�s�
s�m�t�p�s�e�r�v�e�r�
s�m�t�p�s�e�r�v�e�r�p�o�r�t�
s�m�t�p�c�o�n�n�e�c�t�i�o�n�t�i�m�e�o�u�t�
s�m�t�p�u�s�e�s�s�l�
s�m�t�p�a�u�t�h�e�n�t�i�c�a�t�e�
s�e�n�d�u�s�e�r�n�a�m�e�
s�e�n�d�p�a�s�s�w�o�r�d�
U�p�d�a�t�e�
R�e�m�a�r�k� �f�o�r� �
0�0�0�0�0�0�0�0�
f�i�l�e�:�/�/�/�
e�x�p�l�o�r�e�r�.�e�x�e�,� �
y�L�b�+�$�8�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t�
P�r�o�d�u�c�t�N�a�m�e�
F�i�l�e�V�e�r�s�i�o�n�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
I�n�t�e�r�n�a�l�N�a�m�e�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
W�i�n�.�e�x�e�
Process Tree
- 043fcc06efe0f7cf128953396a83769cf74d182bfe98f5680950f24da4c54892.exe (616) "C:\Users\Administrator\AppData\Local\Temp\043fcc06efe0f7cf128953396a83769cf74d182bfe98f5680950f24da4c54892.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | e54f340fa57ad2dd_.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\.exe |
| Size | 215.3KB |
| Processes | 616 (043fcc06efe0f7cf128953396a83769cf74d182bfe98f5680950f24da4c54892.exe) |
| Type | MS-DOS executable, MZ for MS-DOS |
| MD5 | ed1d260fc69acaded2ee774d69f81f63 |
| SHA1 | fa53d18681986b723c5a774a9bf3b9c991c9c88f |
| SHA256 | e54f340fa57ad2dd819d1540e73c5475a8da5d7faf5ef72ee468e47f46da4fae |
| CRC32 | A3696477 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | aaf402f458d253a9_~DFC9E9E5291AD6589B.TMP |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\~DFC9E9E5291AD6589B.TMP |
| Size | 3.0KB |
| Type | Composite Document File V2 Document, Cannot read section info |
| MD5 | d62633aa5b64a32a2f4bc3b26ef713c0 |
| SHA1 | eaa4513549ace0de17caebd558e304b0274deda6 |
| SHA256 | aaf402f458d253a9c0afd4cc1270082b2439db1b1e6f604e3ee924887ddb5552 |
| CRC32 | E43DE888 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.