1.4
低危
DACN
0.14
FACILE
1.00
IMCLNet
0.84
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Worm:Win32/Vobfus.8f507e80 | 20190527 | 0.3.0.5 |
| Avast | Win32:Downloader-VGN [Trj] | 20200311 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Inject.ab | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_90% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200311 | 2013.8.14.323 |
| McAfee | Beebone-FPS!93270F74984B | 20200310 | 6.0.6.653 |
| Tencent | Win32.Worm.Vobfus.Hqlb | 20200311 | 1.0.0.1 |
静态指标
一个或多个进程崩溃
(50 out of 1024 个事件)
动态指标
将读写内存保护更改为可读执行(可能是为了避免在同时设置所有 RWX 标志时被检测)
(2 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00001000', 'virtual_size': '0x00014874', 'size_of_data': '0x00014a00', 'entropy': 7.631630765542721} | entropy | 7.631630765542721 | description | 发现高熵的节 | |||||||||
| entropy | 0.8375634517766497 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
尝试解除Cuckoo监控的Windows函数的钩子
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727110791.030875 __anomaly__ |
tid:
1808
subcategory: exception function_name: message: Encountered 1025 exceptions, quitting. |
success | 0 | 0 |
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Gen:Variant.Barys.101 |
| APEX | Malicious |
| AVG | Win32:Downloader-VGN [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Barys.101 |
| AhnLab-V3 | Trojan/Win32.Jorik.C171981 |
| Alibaba | Worm:Win32/Vobfus.8f507e80 |
| Antiy-AVL | Worm/Win32.Vobfus |
| Arcabit | Trojan.Barys.101 |
| Avast | Win32:Downloader-VGN [Trj] |
| Avira | WORM/Vobfus.ZNF |
| Baidu | Win32.Trojan.Inject.ab |
| BitDefender | Gen:Variant.Barys.101 |
| BitDefenderTheta | Gen:NN.ZevbaF.34098.gq0@aahhlbli |
| Bkav | HW32.Packed. |
| CAT-QuickHeal | Trojan.Beebone.D |
| ClamAV | Win.Trojan.VBGeneric-7165356-0 |
| Comodo | TrojWare.Win32.VB.ASKO@51fl9u |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cybereason | malicious.4984be |
| Cylance | Unsafe |
| Cyren | W32/A-b0da4efd!Eldorado |
| DrWeb | Win32.HLLW.Autoruner1.55527 |
| ESET-NOD32 | a variant of Win32/Injector.AMJN |
| Emsisoft | Gen:Variant.Barys.101 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/A-b0da4efd!Eldorado |
| F-Secure | Worm.WORM/Vobfus.ZNF |
| FireEye | Generic.mg.93270f74984bef09 |
| Fortinet | W32/Refroso.AGEA!tr |
| GData | Gen:Variant.Barys.101 |
| Ikarus | Trojan.Inject |
| Invincea | heuristic |
| Jiangmin | Worm/Vobfus.ykv |
| K7AntiVirus | Trojan ( 005042e71 ) |
| K7GW | Trojan ( 005042e71 ) |
| Kaspersky | Worm.Win32.Vobfus.eqbr |
| Lionic | Worm.Win32.Vobfus.lKG8 |
| MAX | malware (ai score=81) |
| McAfee | Beebone-FPS!93270F74984B |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.nc |
| MicroWorld-eScan | Gen:Variant.Barys.101 |
| Microsoft | Worm:Win32/Vobfus.RS |
| NANO-Antivirus | Trojan.Win32.Vobfus.dzobdh |
| Paloalto | generic.ml |
| Panda | Trj/Dtcontx.G |
| Qihoo-360 | Win32/Worm.f71 |
| Rising | Worm.Vobfus!8.10E (CLOUD) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Symmi |
| Sangfor | Malware |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-09-09 12:28:02
PE Imphash
830517bc79f90b2e964a71d12dc1f260
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00014874 | 0x00014a00 | 7.631630765542721 |
| .rdata | 0x00016000 | 0x00000ff8 | 0x00001000 | 5.310282509113411 |
| .data | 0x00017000 | 0x000012e8 | 0x00000200 | 0.0 |
| .rsrc | 0x00019000 | 0x00002c60 | 0x00002e00 | 5.72735718515172 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x00019460 | 0x00000a00 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x00019460 | 0x00000a00 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x00019460 | 0x00000a00 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_ICON | 0x00019460 | 0x00000a00 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00019424 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00019424 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00019424 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00019424 | 0x00000014 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_VERSION | 0x00019210 | 0x00000200 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library SHELL32.DLL:
• 0x416000 SHBrowseForFolder
Library MSVBVM60.DLL:
• 0x416008 __vbaVarSub
• 0x41600c __vbaStrI2
• 0x416010 _CIcos
• 0x416014 _adj_fptan
• 0x416018 __vbaStrI4
• 0x41601c __vbaVarMove
• 0x416020 __vbaVarVargNofree
• 0x416024 __vbaAryMove
• 0x416028 __vbaFreeVar
• 0x41602c __vbaCyMul
• 0x416030 __vbaStrVarMove
• 0x416034 __vbaEnd
• 0x416038 __vbaFreeVarList
• 0x41603c _adj_fdiv_m64
• 0x416040 _adj_fprem1
• 0x416044 None
• 0x416048 __vbaStrCat
• 0x41604c __vbaHresultCheckObj
• 0x416050 None
• 0x416054 _adj_fdiv_m32
• 0x416058 __vbaAryDestruct
• 0x41605c None
• 0x416060 __vbaOnError
• 0x416064 _adj_fdiv_m16i
• 0x416068 _adj_fdivr_m16i
• 0x41606c __vbaVarIndexLoad
• 0x416070 None
• 0x416074 __vbaBoolVar
• 0x416078 __vbaRefVarAry
• 0x41607c _CIsin
• 0x416080 __vbaErase
• 0x416084 __vbaVarZero
• 0x416088 __vbaChkstk
• 0x41608c __vbaFileClose
• 0x416090 __vbaCyVar
• 0x416094 EVENT_SINK_AddRef
• 0x416098 __vbaGenerateBoundsError
• 0x41609c __vbaCyI2
• 0x4160a0 __vbaAryConstruct2
• 0x4160a4 __vbaCyI4
• 0x4160a8 None
• 0x4160ac __vbaFpUI1
• 0x4160b0 __vbaRedimPreserve
• 0x4160b4 _adj_fpatan
• 0x4160b8 __vbaRedim
• 0x4160bc EVENT_SINK_Release
• 0x4160c0 _CIsqrt
• 0x4160c4 __vbaVarAnd
• 0x4160c8 EVENT_SINK_QueryInterface
• 0x4160cc __vbaVarMul
• 0x4160d0 __vbaExceptHandler
• 0x4160d4 None
• 0x4160d8 _adj_fprem
• 0x4160dc _adj_fdivr_m64
• 0x4160e0 __vbaVarDiv
• 0x4160e4 __vbaFPException
• 0x4160e8 __vbaGetOwner3
• 0x4160ec __vbaUbound
• 0x4160f0 None
• 0x4160f4 _CIlog
• 0x4160f8 __vbaFileOpen
• 0x4160fc None
• 0x416100 __vbaNew2
• 0x416104 __vbaVar2Vec
• 0x416108 __vbaVarInt
• 0x41610c _adj_fdiv_m32i
• 0x416110 _adj_fdivr_m32i
• 0x416114 __vbaStrCopy
• 0x416118 __vbaFreeStrList
• 0x41611c __vbaVarNot
• 0x416120 __vbaDerefAry1
• 0x416124 _adj_fdivr_m32
• 0x416128 _adj_fdiv_r
• 0x41612c None
• 0x416130 __vbaI4Var
• 0x416134 __vbaVarCmpEq
• 0x416138 __vbaAryLock
• 0x41613c __vbaVarAdd
• 0x416140 __vbaVarDup
• 0x416144 __vbaAryVarVarg
• 0x416148 __vbaVarCopy
• 0x41614c __vbaFpI4
• 0x416150 _CIatan
• 0x416154 __vbaStrMove
• 0x416158 __vbaAryCopy
• 0x41615c __vbaStrVarCopy
• 0x416160 __vbaI4Cy
• 0x416164 _allmul
• 0x416168 _CItan
• 0x41616c __vbaAryUnlock
• 0x416170 __vbaUI1Var
• 0x416174 _CIexp
• 0x416178 __vbaFreeStr
• 0x41617c __vbaFreeObj
L!This program cannot be run in DOS mode.
`.rdata
@.data
SHELL32.DLL
MSVBVM60.DLL
6__=E?
UserControl1
VB5!6&*
pdyaaer
Ii?Vc@rGM
MSCOMM32.OCX
MSCommLib.MSComm
MSComm
UserControl1
+3q"=h
b N9K?_fsz
y#n!dSU1_E
0UK$[{#UR4'
pMzE)}sEk?QdO14v
@%nKE8
k @9_83}G
,<{B`8b'(1y v
VcS^,$TZ1(UR
~csyXQ'ii
bKu7D^jy
=|?QMaEDt
6hY 94AE<J
TQmy#f
BnO:3I
pa=]~K
?T%Tm6e}
` >j-e
8{x0O4'R
m3^ -C[%R
!8<=$&yB'
lyh%1zfA
5>&5<(8P
fKA4eNRK
?PbTYN/R!VW
*`~8g5<o{
}~Eg*u* .
fMDRI2a
-ql(%`c1v'N<;/o
%?(S8E
3j;pN@)R
\C{t,s
A@? qAAVm
NGNN#r|m
6kC+1^:@ci
d4W}Qk
3,dU%_o
^,DqpK
8T`cJ8i"
k7h=vO/u4Oc!
)C2P [
RYZ/W $RB
%bq0>q
)yWal"qu
k+{pJ;h
z+D'u^HQj8
pdN6L7YSa,
t53f\&
D@@V1P
D?_,Y7
H^? hqHJ<>/R%e
tDdE@H
N-|s!={E^
^@dSqRs
=\Ti{w
_att*a
N!^||:lo
9`sNs5:2
LW4\?m!
q>mjeiH
"7(l%+g3
Y5i*WY
X?[H}-^!H8#
P}B>3}OD)x;
+=U&dE[o;^"kMCi
+u^}:h#
[U{nF3
\NtsX:6*H
hxh70iBz
[e y@T
ST#pJXl
>1m_l%-
W~KU B6Z-R
bmDhj">
TKil yTa
K/xYB@kp
S _ ;b1N
5_L-=k
wAAz=0F
WdSF;U~^I0V.m.Iq
B@.Gl5gL
NprLx4
}lILMn4!#
z`8X|"S6?2i
YqL1s2
\dU}BT$
!i[I71K,Y$
rd6sj:&i
SJ-:<S?M[l`l
,=d3&#
-9w!8M n0
k 7lKu
Y C0uxY)
*u[Cvg
YkF<4&&6
zOHHg|i
YJ#=oDjaWP
sJ&<1~
-#eY::i8
=2xuU
D?g4gk.aIri_FY
OI=qG3
s yC3M
k7_wGDU
4=k=RYg
87Z'6z
2W7>RP
XxW&(1tf
n-g!y0d
}K3?k)@58
SIHo)MB
<+w?E_
t)eT.:y
sv^mo;5||6_C
Dp\nm2deS#d.
ffFXR"
;J.y9LNF; bGox
U 19:6W=y
9UB*|VID
xOepo=.l
D/s"zNx4_
[hd~~U+D
*q7,%%dd
q=7{4H
sv0]`%
*FZoUO
Z@w'"0`NM
C@:w=jRyyi
(C!olb7
b"e<- f>x
kK.9+s
A]99CwnC^
;j0[OD
"<Up6s
>}=H6Ai'J
jsDBoC
Nw"WY/
D ss3)
X&82-9^]
'bA}3h9*U
;A(u/|u
@ 8XlH.y
&9xMxw/ =
KYs9zW*)G
)f,Q3Z%:NIr
z{vV`y
Qsvhl vUn0Bq$
Xdf]*V
#p~{)D
Zbh+Lm
sfv6uv
{/gwPWLY~
>Vk=?P1E
_un7\tJ0~-d
=VYJR]l|
PwL+6aoxm/
WoTZPS
AO~<|g
M)1w2o
O-#V<*'^
x_O!<h[ W$R
@6j,_-=HK
(4/2a(Ib>
#8iDc,;90r
E-?7+wi}
HoqWf)`
LzclG[4U
O@hI_kJ/4"$
S_wkIA
+av)3okKY@
!_iz~I
2]L!&pF
oM>h~+R
`?RHz>@[
,9XC]60F8e/A
([~IdQH7J
/<jzM?L2/wn-=:%9K
n18DBJ%x
i`R[]"
|>g9^+0E!FDbS
|TIE8P
6=vw?bpY
<y 8N/
1Seg)Mw-UiH
<D/mp/ouad\_
/KU$db2x
u}Bp@x
jE=&rf2>'/
C\jW,&a
qmw~%J
=Y8M0^;U
=f[aChw
dlYO'~Y
Lmfoo-1
G"6$"2
[$ kk[tG
R$vJ@9
,!Lpkh
8TzpuPX
2LF2w{
K\NnEq
717Jx(oO
y>!9b'9;aUxq<A
I9 g$W
'H.7;H4&
%^@$lr
IeKNUA]
BmvPK,
~b$p+.bS
0B`s~uc
"$S+k-(t
+LhAV,#;K
^^]SNX)}
vE3`FA<ExUCVK.2H
Q'(v$v)
tsQo\EE ?0d|r9_U{
an>X&}
9;:JsP!$}D
t:IEaXV
v-gRI1s#R
'ebg n1FV4+ !L$f
_>mKGZ
jV_Fv)7
~usg .
M-1t94D
;Hw20/):
g641E>'U*(djj_Z~
N=rqb`?{4|H
5f3gA'X
r>l0K3Dnk
[kCwfw=2$bd
NLB bp\
6yXHPkj|/s <8K\
veceE.
4J6+e'
r* a5:X8?X"
eL"A.4h0
@^[t31)"<<q*
M,Wi$69
/Q]^Hv<m3r
iVbiJp
Bj2E/Nf`
?/[wem=
*. BR|Lk
lyndT%
.9zQzX|" /{
)jZyXVV%
pxD+A\
w"G>-3KOTUm|ni>
&I/R^2RHPc,D
\d;m=fbU5*;
R!voS`WPG1
nXJgQY/Fji/
\}M=bkZk
QV<S.5
[&iX+]
qe0j\{
7_s|nR4g
9(NU+=
YF"hwTh
\oNCU
MDhOak{37eTZ
c`;:O)de
U: CwH
#z<j6J
>VdLV7BDJ*
\TvH"I9~L
.1/iy"LN?'m0
M~b+'gy*
7"j&5__
8as1oW9
&F[$Tw\,m
p,5~80(
8/V3i93S
.E%|{Q
%WeS_/(+
{qj2.9FFe{
LL/!jN|F_7:+1./X^z
p&E-efu
(5B8Fef5
I<_68M\Z
fV}tpf!M:<@
BuZ]n#
LC%R>ud
ivbLsX
.DS#<`n?~uO
QGC(Vt
`es[bQYd
z lC}R
G9`U2~V
6^L!L
:"k &\(=
&+[*'"
y*8+<9
7 W&J?(
_>Y5I 6Ln
=5!G :f
rf\RV#&4*
8+-\dO
AO0/E<
Rv:KI_
izX4{~Mj
~d"}$ g4%X
<E5L%Q
sAJ+RE
%-D#F= P-Bh
FRM>i@):xljMKNP#xBfVNF
(vR&[dl
XpY/88dV
p'B04sET
B>PX])`8S@
CyXdPMw,C$
{SM.q>$2
'#Tv`>l
75(q=h0J
U/ZILLv
K.emEi
g%^%? aS
i7>p}(
0hKB F
]0fw2N
2~kLJpa:cpt^H=$sai 5
ljse@I[YU
txsC%2
K!%,7H
-i{>UF
D?G9Nh
VZc5'*h
))c,rqh7
vrpJv 2vdPk
^uMfeG
IUrY\"C
T]]TX'Ha;C7~
>_@w@\NO&2^
VHEU/Tu
r:: )1r
oO/\/>}+R,
g}DSbQ,
0-=ov#
La@hCKtQ
'-)Ze7
X|G!>U]
tfi?.3
tv:@]L
(UH:iJ;zHz_:{t
n)]vU7(0=(fo?
,q62KT
r#U2v*;j;
j=k(4*
2\UER2O
VZ ee%`#UB{q
/!{^]`z
%>sF>W
GS5SWA
iv X+Q
c>Fg<l
D`%?>HDJ
Im.L^#
\;,?~1NJ
old}vjg'A
YGo/)$
b1+!>0
(@P-d!
b9+^A`$>
,MP"!BC1uk'a
iO3<'KQ/2Y &4oyw!
a-`{*_T2bz
*,%r@ PJ;Zb= .[1"s;
rfq|~};.21gE|X
ip|EZ4(S
-Z'>_KI&g'Y25
tTQV8(
Qs^?Y2#Y5
0Lj}wU^
$7D$k<B
Q:O3L8d`Y
<'.-ME
%NNgj9
%%7"@ >rd
~8<(5`$& ` ka
o i*%17w
viG)#2
b-;{ \h4
zkFLDN\to9Nz
dyBbgjNe2/M'(d
{sb9\eu
]l.))9(
!_GWo\#;t1
-M\`p:[m@
6V#:QXt[O,
o"5{NTTTfXJ5
V[Ie!wT
{% 5@t
%}%mP?
"4[6G4q/K
]<<iTA
i'4Bv
^F_YZAqCz(XT>UjAC8NY
h.0`B 9m91ulx*5;O
;h:J@7YI>^XN;IpoB/"
*{px8!hK=^ +<D6M
8uN{4
~,UVZ ,2
iIz8X>M$.fxL6VV{,R`E^z?7
7Z VY5
-=|H[*
8:TMt$AjR
2cq1`fOH
'jf*o0)'~3F7`bp
e.*wj`n
4Px8jp
B.?M%v
v^?X6n+/-"
GNDv]Z
WU*h'c"@
m:MOC?m#
Nf5.XNJboPVd NnR{KHV
+9yf+H
?\PL=ku
x}4){L*A
RL$3uj
rf"}pGk6
w$<UJu|
\%Y^816&\huCa>
I^xJ!QzMPg
9pV}o J
H'&@qOKc,Xjr.jV
IkIz}to"^h(
r_ka@reW
E'Px+s
7HU)2f}h5Wi-]SGN
K'Wd&]
(O5/Ia
mP>:f]R[h
<iSknXRC
J|l9%\
!V_5~y^)tq
o^3\XS
jy@ k%CP
`8E<pu
!e\*Sa*
J6i.F7!!%If
HyF\1@E
b C5MRkV'#
9pc-HP
t~{HN6 :p
j]4EuEXw
02BwPU:
,9/#6Q.L:#7?5
zcV(gzIyU
}Ywj8B|qYs
m((!wm
?gra_WW^
W~`Z NrtO\~z0P0YK5j
VA{XqK5
=p8se`
s.wFfXtcYIQ
I:9_T"
XI~<&H@X^
s:'vTJip
CX;-&,D=4/A#&~
(rg}(S*
M|6/D+0jW
QM\|opH
>R%]0&
$kVXS@HR
2})|m-
9$ZY^#
]nvdpY
V8As`mS3".Wb
"r5UIj
|uxpi!R.
<Ts W/
^enwl5
K9oQ/'
O]0 vnjPy
MbTo[
RjJ(?3O
eVD9Hi
d 8w f=LSA
);hOqnl?d
63:]y 3KATqm_0BL|
Yh#t~n'9C4y+gk|
cs""}Ab9-
E@" VS HV
*q>&=]0ZxJt
5k(6/2
wu/]A:y"
wI/ak@M
rK (}|WF
ym>0Ib1L[
0{u3\cmV4
Mzajq'
If,pP*
:`$!`K[pM8
`.+osPX
V1CYt[
F0wV K
)A#i;.G
2#~oGx]YK<r
?4CWD4&BRT]y!
~Y;Ykh
>wX<G1S
ul(W|;OX
=$PE;HE3
~o].}JZIC,YN(J~
!R":dJa^P!
a%jWJI
&AA2LQ6a\:
> hoO#
cYMaQe
Z;"p-!
9Mk>7Nq
z?$mak 4
D)I8_^
oZ5n67O<CGm
oIF\FV(
f2A[B6fBp#
o)t9EQZY_d1mt!T
RTs@%p;\
=3L<-K{
R)6Ykg
RF9aZ!K.
/'=oDH>m
zO@~ ,+ch
.1beg9
r.X]sY
=1<?!#=:
>/N8[2
Y"l <z1nl
s.U_ZI4
C6:ZH_
U*V:)V]
dW+/4F
7XcyID
".0}g2C
0z'G ,
iq~kWcO$_?5
rxo#jpo
JXq1~?*
^]'We5!
x9 HYN
rX.@&uw73}
6TS~ZaLa
FZD,(4&_oX|]`,w\-0M
yo{(O{
wpe=&ZbR
Y7X,+<
M9vpZ%
9l4v=)3Tu
TUthF;
"O` 4(2#75
i`bPP6y
-$_)g.
X&GAj_
'i4gE4
oP`x<df&`
e#W%Fw
PEaBxV,
65.UM38-a+cU|
|L%= 0<
O6Fvd_Dhzs
aphW"wt|j(iu
0zq{ke
.XRPCa`i
Pvc _FxZ
5"p?x&YXrs%QBXZ"z9
t$|}pyk
7|MOR>a
eAX0k
>~IkP@:/
>F;_G;Wx_?
=qk;F&`=-
X l6ny<
C\q+H
?$]5 oEs
eRh?#h
eg]p =I
{=_7a7R
Azm|G+
n-6 j=lKuH
3Eb: zm!X)^)}
pDK<V8#|
)B}890
B;ua=bO
M ?l`8
geY: [H
]4)~Wla
<kR&X8
OMWOUH
I#>6pi\
c'n>^j
t0z# $qGO`
w\BxJR?<GA
]s6P$X
vqj=]NI
WtQa.9y@
OGeHF}%z5
8K:X"yE
ZMP<PLa
oGvbYq
NIo&-(W,!
&EDqX$>
WAMu/0~o$
nrxu`w
AHzF*0
tI.@19u
>GTU,;}m
.Roib,
s_hddZAP
0m0pbE
-{O F
Q-hAKb"ZZ
K<.6tnw
wX7h}#qF+Q
K4JBb2
R'4Nb(fxuDC
*%nY|J
)YDu!N
y-O@uQje
J`#[=<!iHL!}]#f
gg5W"(MEK
nn,eED
76SjNV9NMEck
x'^$*{
O( +@e#3.S^
Y.)@NH
Er^)j~`-"
whS<Sf-j
=\^[Tp<
uZS7BB-z7lk(
_wN>|D
6mo%LJ!=
uR#ZHW@-
e%r\'2"
ym "*"U!4w:
# #y4Wd
72DxI-
}_dlY +)/!k=w=
Aq `K0*B?:[78
PmOm"i7`SJ'LL}
11}7Lk
ocQe8pAJuu4xh#
8"'`?E_
3':#Z5xH)
@bT9u}U
,DXb vJh0
Q]v?4Y
(Bigxr=(
b%JBe({
'M4i2~
AFy]/o
w^yz_dfX$
%l4)qqB
{a\ z[zH
j(qg#n
ynqr_`WJ{2
P-+PSL1P|^Z
lEq,__
I_%_mR
@Y6#f\Dt
dOj-O\}(j'Oo
5nglwRL
:B]Z/6moj
0Zghjd0
Idz))uPdy
pUU$Se|*BY&
aT#>A8gjcFx
9C|od$s
,}z]GH.
Z'uviu
"_?\4`"2EUt "l
Sa^/ZV~
_:qU_H|ArK
6qEQ_nI
^x{ASD
N:.Q--TN
{A;O8]
VjaDs3
fruPis
H+[B\ww]
qs*anm
8--,({{
4]3 No6
0J 1W3
n-kB:*
F2tZ@4&|
$_^?g,6
\DR/n'4nc"K
yK~Yp
P#J3Pr9Y#s|
nOBS0S2
R|n2&vz
{>|]C@
H=@e1H
chUZ)+
7OJEqm
9t`HYR
b/u,}Q{X?1uyfO
:UpyoY
BoA;@"UdB
@#Np!T[
2yJw'U
9&$ y%JT(X
+EaHJK
{lP,\g=}
kXr$8@Qj
I60n0?
z9@m/~
:a.ebZ
/mt!Qy
[m8|EZ
)NRSi]JGR?O
}Gbi-)
]jsw
$u>I<)
w5wbmu&f{XU_
vO2T X
f0cM~#kU
1sL2l5R_
VD)c9[T
ez1ix$
w4|_BW3I4
5~ITp@l4z_
7qZC9<hyh
WlJ$Lh
Mp;Bo9L
6K&XsS
D}_>,W
dX")_]
,y85qY
tC@+P5u;?S
Z#HbX}
sto(zTo!
"}.ZkY6
~xH/1h
i5hN #
.${G9 GXJ;9$oCm
BzX<13
jrwaJS
f>vR%5
Gsw`Fr
aDK//`q2i
_&_7Wc
i=S >D@
'QHJo,\;xjv~:N
g.KH?-s|P9x
I^JfI#qN_FjQL
1:<U?f
4/v5;D
I: d4f]{R,mW
k%(f n
Vi2@A<9=O
R,H#kII
cmFt\1
4f>TK?_Py
%pgagO`
K "f-
2Z6Pzi~:Jz?)8
-++kN_5
V9G9uz6F\;eH]
?&]>rf&QZ~fEY&R1+iT@^5
Tr`hDTmV
D,i>FUX['!
M4e}p|
pu;bvm
%VKF%v
3`;M0FiR
sk|;AIlo+l
3L')ube
gzkj:F !7
'$/[Bpc[[
?c]ut@?~z
5][^ne9A
pUfKgzm
Bh>HEt
f#X, ,
Ck-5ST
WnBcM%R
+6t`u3L
f'ZN82h
tZ9b@<{
_cqkp"z]D
w*Ld%+
JEO3f#|R!kr|mJ
S)Qs[R
QH^:+Ng9q~
@8@;Z"0
5m@VmaA:D
gCzEaG#a!m0
$G+RbX
fesJop{c0'd@
>w[gZ-
$F{".G
_GhJo3
b8-1xRG
7^"2AQ
JFUbd1t
s;i%w8~B]`
NLG%7s
~< O>=
jG5Bv\#*`&wd
GJ~!2vSrz8vF7UfQh
R6(R4HC =KOoh
"keLY1>BPERx6
"_/I>spGD1Fl
6@_L#nHvXD
$?[1!-U:^p
&W47`\OM
wgipFYIRtb
A\?qY O^hn
RI(fN(6uz
~7W8cn^@_et" 2w_dVG
nj&o:Rn"
3`\/[L7
[1b-!/lTh#B b
T;6F1q5}(S>"^
&-#d_L/
,3>}@GX'
cpJb,5XFY
+<gw]9Sl>dp
N;w6|g
4~'@LKb
V@0-:QV`z'
>oX*2w
a/V_#o^Xnf
&0G97U'
)DuWrL~Vr
M|"8pUhq8
:EE!]Omb9a
cY-H`
/`0KOi
S,-qShk$v
m|G O&|
m?HW`[f3sI<
eo3})-
j3~ytu4l
Oa2v~? /
oj4t.]Un``
P8hXaKp
?PDyY.4V
1iQi."hR
Be?3hVq
mp!V[-C
t/=0/G:
qlKZu?JnW2
:,U>\x
^N<@P7
VRz:LG
k?wGo*O?
+M_[*23
jZ3*yg
^?kf{&L
5mTAsu
`@2M:^X/#~*@
_9WHFC
^Cz^HLH
LE;"tz(
4Jo-a =
)%[lc>4>momFVl{
Seh[NU
j:;R=l
_|.^>9
;e=\dqhbBd
;}:#p8Aew*x
2;TtNn
r%cr'o
/:b*uh2
kbsl2:d
<LhC|;|z8rk*8i6ru
1jDTKkgWjw`!
RUDv)WoAQy>
1^ REz2
1II~qXOc?
`W8u3RHUg
J4*< ,
k[J~/XW!
wp\Gv+;
AB[{wv
h8Uw;\
yc1Q>0nI,4)Cx8@
aTB-kSy"8%7"S
,es#4VQ
J*yHQ+K=
ehzd2K~n
Ff7InF
"RXl79
PWt]G*^
b\ weD:W9X
=L`)Km;/W
3F;u*A
aj\C73
?Mo(L(<77J4
c7_U[kP?,5%"IF=x{
<)Qr!E
`bT`=Wpj
\*,8;OD^
yWeuF*
w>mZcmd`75N
bz~JvV+<Wn0W
l`[Nk*
s PZ#-
'_Y;4X#j
T3v]2d
AM#Egy%>^Kfv y/:hj\x
oYhVp,
~a*\&j.x
h}-*4)2U9yEeaNO)
?^Or][G
gczk=z9
OENS#[WGtw
s,YUyp;v-5NhgG_>zE
Y,?tVEu
|C<J8Pg
R4=smd.(|:G
` QSK
l4_!?]`
C!w'AK
AU!wZ!W`
9;%_S3U"
cFc4sQ*$Hg4j
Hx[V-C.i*
jk nI}
rJSou1)Z!g(9
/UkJ/Q
ialfaEj<
K1Fx7\
?Qv#r^&SA l
-*<|N 0XKsP.m
q3%i<v_d~>MeoC
KeAkT}^*
lsx*SI%
{tnVo[#1 g
,_QlTw;g
Ao|za/n\
3<^mO#j9
[eBa`:/E@
~" sy}
01oyT8
Sa{{glH.@
r96^T=ud`
H$B^EO
hF|dN+
:*T}j4CT(\2
\5g?>]#Zl
t9v~~x
%&5Fbwpm/X
Yh.h5s2RI
jSb%eOb6i-"4tS
[Pc~FBg
/!eC`5
]SH.bV
# -|v`:
f]z@6Z34JL
4e}qO+0:\%'Y@\0
WGa?K20
=Jq2+w%P+eI~2.z
c5E Ads
k3]"bQoBHuc (EW)
&2-h_GL3ceg-PIqfYa
brc+k
# 8f`T
32( |X6
^Uil{"r
\H >|0
"q\@!d|
UW0gQ
+5W"?T
8Wo.@9I
6(Srm4
%&@a>kr
h6xkFu
bgO0Z?fk
v/:zgb&
%BNS(#dH
{I6,<v
mAvllq
?%:tC,
?I1dkr#|]
p%!LUo@Lbh6
|7[a}?
P#z3\$
:D$Vm&qv
ujwgws
63o0,F\ Mx
T$e9jA^0|
[U*wOoxIN
yjm37ZY
|}},HcGkE
Bg&d8
I(\zic#J
fM*9Zv4*H
[vDdH!
K363au\Y*jh
2;M7 @
,(5h~{gn|'5mz
ngu+;gp?+lW
eOBM*H
5#!,<1HA1;DR+~#
t%'sg\c(fp;,
'Lq"]N
CG/hG1
^@wZ=7
1[{Tg{MzhU8
?O;Vr]v(Vz
1x6\k 3
`K?<NNp]
VRTG{Cw
hH|W^+
?P5RN]/Z
eiwQNgsUAZGi
9EO/8m
Gb`R \&iBTx6&)*'<]J/L)`
{J`w 8p
R4Xu>&0
1 yIR`go
w^Z|uS
*PS4gI{<4n
9<thf(-ub
GX G`#b
DG7*L!
Y$6 }LoC
q}oRT_nXovy
DU+8<p
)wQ5dvH@"%%
jcb_&'f
`Dq0od
,/?l3(8d=X
PEJX`*Ctc
/p$9W6$eW%)
_t7}LE[hK]:7q{Q2
C(+6_=
&-NF@U$xsP
MeR=G5M
. M-8FL9#
8;U*.p(
GUAST#
s/D(5Myz!d
bu +4*
.]%-T4
&mv*`J
Zx:C,6
o<lvnthlX5; =x@chY
"}@T`k@*;L:
7D]Ezce
vbbHA?
mWCi!{jZ7]D
{}1s+7!
(k.lEtSX
zE_l|4F
.N###RM
NvC&`S
cr<h=wC
J*Z%eh>_"h3
.nj~pu:F
,'l;AP{Z
-GcyR'
4||[qfz@`$;.|b
)RGc}o$L"
gN4gT'WCw
Z+"g>S?&&}
p isf7`)%
`Vp-]ScnU
QR"$7i
k&Mi<a
(!1Kp>p6
Edd1 r
Ju>y Q
Acx!#v$* .
4O92U~-
+EQ+F/gRr
Odo<)gD
^8NF }R
$1Y58x75
%|h*?"
X6&f$A`1T(
j2@Vwx.U43
Rr21a@
,M/6}= N+h2
Limw];xZ
g<lQ/z~O)5
(Hy25Q`
!2psyl}zat>\
'uzF_A\
U`|z%cgdE>
\S&*E@yg
9Yc=iD(/nh
=o+zyB0
M#IF~X3
up%ZjiS
caV8IYR
k?s4c<
K9{`Q9
x1)A!{'e "
Th\K:Z G{C1
q|j4-S-
B:t,J:V
G _.i8VNr
&;zD _MeHJ)wC45%1
zFB|vksE
JV[6ih>
,bED;1h
[G$fQ!q
7yY9MQn>(h[-
+bV1}_/k{pZHeI&#;#^
0F/:TE
-E7j+Vs
mc?H& k
4nx\i=8O,
=c::,2srwrYHpL
2m-OEI"-
"xXGC1><_LC
);<(Ec[%(c
O9-tD $
tjSm3'
p)%Dl!87nR`
G$h +"
#*AeI!
~<&V+]
ALGCf]
6BC^Kh
af<a,vr s~{0%
AI$`a(9e
*|;3\.UE0
7x] kK02'V2
4 V>-uqyI
,V!}v?*:]%Ln{Iat:'oUC|
s6_Aojm
k<!MR0
*W+[Bxj'
}<%NsCpXud
[Op=7 R
%_"atz(d
$xC~<
CZ=HUH]*zKe,T
MSVBVM60.DLL
VBA6.DLL
__vbaCyMul
__vbaAryVarVarg
__vbaVarCmpEq
__vbaBoolVar
__vbaUI1Var
__vbaVarNot
__vbaVarIndexLoad
__vbaVarAdd
__vbaCyVar
__vbaRefVarAry
__vbaUbound
__vbaFpI4
__vbaStrVarMove
__vbaI4Var
__vbaCyI2
__vbaVar2Vec
__vbaVarVargNofree
__vbaVarAnd
__vbaVarDiv
__vbaVarInt
__vbaVarMul
__vbaVarSub
__vbaVarDup
__vbaI4Cy
__vbaCyI4
__vbaVarMove
__vbaVarZero
__vbaAryUnlock
__vbaAryLock
__vbaFreeVar
__vbaStrCopy
__vbaAryCopy
__vbaFreeObj
__vbaStrI4
__vbaHresultCheckObj
__vbaNew2
__vbaRedimPreserve
__vbaDerefAry1
__vbaFileClose
__vbaGetOwner3
__vbaEnd
Ii__vbaRedim
__vbaFileOpen
__vbaFreeVarList
__vbaStrI2
SHELL32
SHBrowseForFolder
__vbaErase
__vbaFreeStrList
__vbaStrCat
__vbaAryMove
__vbaFreeStr
__vbaStrVarCopy
__vbaStrMove
__vbaFpUI1
__vbaOnError
__vbaAryDestruct
__vbaGenerateBoundsError
__vbaVarCopy
HScroll1
__vbaAryConstruct2
H&!2Ea:\
UserControl
+3qC:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
VScroll1
Combo1
MSComm1
C:\Windows\system32\MSCOMM32.oca
MSCommLib
6__=E?
cwjBgB?:O3f
H&!2Ea:\
UserControl1
Combo1
Combo1
VScroll1
HScroll1
MSComm1
MSCommLib.MSComm
SVWeEaA
SVWeEaA
EPEPEPEPj
EPEPEPEPj
jLXSVWeEaA
MPEPOMwEPEPj
MVEPEPj
j|X SVWeE@bA
jEPj)r
MPEPdMEPEPj
M}PhLpA
EPEPEPj
5EPEPEPj
M{EPEPj
SVWeEbA
uPgEP^EE
EPtPtPEPj
5EPM|tPEPj
MPMHEPj
SVWeE0cA
EPEPh~
MMPEPkM/EPEPEPj
EP5M'E
EPEPEPEPj
BEP| &
EEhQ/A
*MEPEPEPj
xSVWeEcA
MPEPMEPEPj
EPEPEPEPPEPPEP|PPlP
MMZlP|PEPEPj
SVWeEcA
EPEPEPEPj
/XEPEM
EEhK3A
jPXSVWeE(dA
PugfEE
MPEPMEPEPj
MEPEPj
jdX{SVWeE`dA
MLEPEPj
SVWeEdA
XCuEPr
EPhDpA
PEPMEPEPj
MPEP\MEPEPj
XuEPKTpA
4EP[P5DpA
X@pEPEP
XuEPEPXHpA
XuEP.EP
XuEPHEPTT
0EP5\pA
EPpPEP
EPEPEPj
3EPMMEPEPEPj
j|XSVWeEHeA
@EPCEE
SVWeExeA
jEPj/\
MPEPNMvEPEPj
#TEPEM
jEPjor
MPEPdMEPEPj
&MkEPEPj
SVWeEeA
j$X*SVWeEeA
SVWeE0fA
PEP&MEPEPEPj
PlPEPP\PEPcPcE+EPu"0x
EPEPEhGA
MM'EPEPEPj
jPXSVWeEfA
EEE]EPEP
EPMhHA
jpXSVWeEfA
jEPj9I
MPEP;McEPEPj
EPEPEP
EPEPEP,
EPEPEPEPj
EPEPEP
M0PEPM
MEPEPj
M@M8fE
M5P|PM
M\PlPwM;lP|PEPj
HP8f-f
%MlP|PEPj
SVWeEgA
EPwEPEPEPfUM/EPEPEPEPj
EPEPEPEPj
MEPEPEPEPEPj
/SVWeEgA
MHEPEPEPj
*M#EPEPEPj
SVWeEgA
0PEPtM
E@@EvE
MExxPj
SVWeE`hA
XgEEPhPpA
MEPEPj
RPzPzRP
E@P5PpA
u;PEEPEEE
EEEPEPEhWA
M(EPEPj
QQSVWeEhA
8sj:sr:s6s1h:s,8s
8s-6sbr:s
9s8u8s
7sr'7s5
9s7s*s5I8s
9s7s]9s
8s7s~9s7sn:szb9s
A7sM8s
8sF7sI
8s7s4u:s7s
9s7s,6s#9s:s*6s`v:swG8sk}9sP
u:sV8s7s17s9s<7sU8s
7s::sw:s
9sk8sk8sd:s7s5
9sp8s5*sM8s":sq7sw:sm:st:sk:spu:sP9sk8s6s
8su:s8s
9s7sM8s8sk8sG7s
MSVBVM60.DLL
SHELL32.DLL
SHBrowseForFolder
__vbaVarSub
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarMove
__vbaVarVargNofree
__vbaAryMove
__vbaFreeVar
__vbaCyMul
__vbaStrVarMove
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaOnError
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaVarIndexLoad
__vbaBoolVar
__vbaRefVarAry
_CIsin
__vbaErase
__vbaVarZero
__vbaChkstk
__vbaFileClose
__vbaCyVar
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaCyI2
__vbaAryConstruct2
__vbaCyI4
__vbaFpUI1
__vbaRedimPreserve
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
_CIsqrt
__vbaVarAnd
EVENT_SINK_QueryInterface
__vbaVarMul
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaVarDiv
__vbaFPException
__vbaGetOwner3
__vbaUbound
_CIlog
__vbaFileOpen
__vbaNew2
__vbaVar2Vec
__vbaVarInt
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
__vbaVarNot
__vbaDerefAry1
_adj_fdivr_m32
_adj_fdiv_r
__vbaI4Var
__vbaVarCmpEq
__vbaAryLock
__vbaVarAdd
__vbaVarDup
__vbaAryVarVarg
__vbaVarCopy
__vbaFpI4
_CIatan
__vbaStrMove
__vbaAryCopy
__vbaStrVarCopy
__vbaI4Cy
_allmul
_CItan
__vbaAryUnlock
__vbaUI1Var
_CIexp
__vbaFreeStr
__vbaFreeObj
qrs;wge^c|
%28JHSM[^ny
)).B\N<[o}
-/?Y\ZX
.A<<]=
((/>MYZi
(0@T[=T
&)0@AMO`
'1DCF[MT
')DEPRRg
'*GESQW
*DVEac
5IVfi
8$&O+[HRZU/POP**+O
,@D@I@9IMIKK8:ML7K77
<JPLMPSTSVSS^aVSLCKC
*?IC@ISLMKKKKLKMMMMK
8LTOMPULIIKLOSLO9C@9
<LPSUVOK[TUOZVOIZLLK
+KRO@SCII8K95MIRJCL7
VS_[^^Z[S[R[\P[dP\"
0P^T6VL:KJL:JM9S35M:
[ddaM\[T`M^[Z^M[XMZ
0TP[:\JL::S:676K)6\)
WOUOdO[c\\Md`UdI9UM[
8_Z[V[97I;O5:-;VS:-?
QP[\fVdd[fTfaZaS^cd@
7TY\C^SSJIZM::M^M
Qe^Xo[efo\aacca[J
6K%SXYVLOddUCMOUT:74
Wofed`df^U\d^\RTT^[9
Zeddc\[T\\UTS^SRU9D?
G]dfc`fd`cdUOZ
O[STB
M[[[doood\c
]\OCSMK$
NZ]`cX
``c^\_
Qoof`ooeoooooc2
QcoooocceffoooA
eooooof``beddA'
QWbccHdoboffQfQ
A%=F'FbW1Ao
(#.E(#=A#4F1'B"
|lmff+
=>2@[]V%S
[V<!":MKO
7NPP$>Y
)&#$5?Ash&68N
pp/**+(/xt@
cg(.vQEi
q+tZUTH
! !! ! !!!! !!! !!!
/OOPMKKPMPQ__a^_abq
^*0(//KMKOP^_o`_arqq
N'(()*/0LKPRP`qass
&"-+##$%,.LLLNQapsq
TJJYfddg
229511IC@>3c|
176=UA?eihrqq
:8<DT]~
wxwwyzy
vmunntnnvvuyuz
vunnllnllmntunzh
jEjkkjjjjjFkjvvjk{
yyyyyyyy
C�o�p�y�r�i�g�h�t� �(�c�)� �1�9�9�4� �
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�s�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�B�0�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
P�r�o�d�u�c�t�N�a�m�e�
p�d�y�a�a�e�r�
F�i�l�e�V�e�r�s�i�o�n�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
I�n�t�e�r�n�a�l�N�a�m�e�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
n�g�p�p�r�.�e�x�e�
E�N�K�S�Q�Q�T�T�Y�\�o�l�Y�]�Z�Y�Y�Y�\�^�^�b�e�b�`�k�d�h�e�e�m�j�m�o�q�q�u�a�g�`�e�j�t�n�a�d�b�e�m�x�|�s�q�w�w�y�}�y�
^�_�d�c�f�b�g�i�l�l�i�u�r�y�y�}�a�d�b�f�i�l�i�m�j�u�y�v�|�a�b�f�b�e�o�j�m�s�v�v�r�{�~�~�y�
/� �P�6�p�L�
,�/�K�P�i�p�
/�-�P�?�p�R�
>�2�6�>�K�L�K�_�b�e�h�
~�c�n�j�y�m�v�y�
a�=�?�Q�\�_�]�L�Q�S�]�T�Y�_�^�b�c�g�h�o�g�e�m�k�r�s�b�c�f�h�m�a�h�h�o�n�n�w�B�I�S�X�\�k�
~�a�d�k�n�u�w�{�}�
Process Tree
- 5ea095093188bd5a44d019ff52931b897cd7f5fd73622fa09f2434f18368645b.exe (2244) "C:\Users\Administrator\AppData\Local\Temp\5ea095093188bd5a44d019ff52931b897cd7f5fd73622fa09f2434f18368645b.exe"
Hosts
No hosts contacted.
DNS
No domains contacted.
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.