Comnie dropper | Grouped Behavior
VTI SCORE: 95/100
Dynamic Analysis Report
Classification: Trojan, Dropper

ea4a4162cd6ffad02d142c48067c1239253f688b8f163fd2887229d8a3240253 (SHA256)

addin.xlam.xls

Excel Document

Created at 2018-08-05 19:41:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xfe4 Analysis Target Medium excel.exe "C:\Program Files\Microsoft Office\Office16\EXCEL.EXE" -

Behavior Information - Grouped by Category

Process #1: excel.exe
Information Value
ID #1
File Name c:\program files\microsoft office\office16\excel.exe
Command Line "C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
Initial Working Directory C:\Users\Nd9E1FYi\Desktop\
Monitor Start Time: 00:00:45, Reason: Analysis Target
Unmonitor End Time: 00:02:28, Reason: Self Terminated
Monitor Duration 00:01:43
OS Process Information
Information Value
PID 0xfe4
Parent PID 0x770 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username X2VS1CUM\Nd9E1FYi
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x820, 0xDD0, 0xC34, 0xE10, 0xD58, 0x574, 0xC24, 0x844, 0x68, 0x654, 0xF10, 0xEFC, 0xFB0, 0xA78, 0x418, 0xB74, 0x310, 0xC2C, 0xEA0, 0x3C0, 0xC30, 0xC38, 0xC44, 0xCDC, 0xE28, 0x8F8, 0x2DC, 0x314, 0xBE8, 0xEC4, 0x954, 0xBB0, 0x7C0, 0xF0C, 0xFE8, 0xFF0, 0xDAC, 0xFDC, 0xD6C, 0xFEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000007a1be00000 0x7a1be00000 0x7a1bffffff Private Memory rw True False False -
private_0x0000007a1c000000 0x7a1c000000 0x7a1c0fffff Private Memory rw True False False -
private_0x0000007a1c100000 0x7a1c100000 0x7a1c1fffff Private Memory rw True False False -
private_0x0000007a1c200000 0x7a1c200000 0x7a1c2fffff Private Memory rw True False False -
private_0x0000007a1c300000 0x7a1c300000 0x7a1c3fffff Private Memory rw True False False -
private_0x0000007a1c400000 0x7a1c400000 0x7a1c4fffff Private Memory rw True False False -
private_0x0000007a1c500000 0x7a1c500000 0x7a1c5fffff Private Memory rw True False False -
private_0x0000007a1c600000 0x7a1c600000 0x7a1c6fffff Private Memory rw True False False -
private_0x0000007a1c700000 0x7a1c700000 0x7a1c7fffff Private Memory rw True False False -
private_0x0000007a1c800000 0x7a1c800000 0x7a1c8fffff Private Memory rw True False False -
private_0x0000007a1c900000 0x7a1c900000 0x7a1c9fffff Private Memory rw True False False -
private_0x0000007a1cb00000 0x7a1cb00000 0x7a1cbfffff Private Memory rw True False False -
private_0x0000007a1cc00000 0x7a1cc00000 0x7a1ccfffff Private Memory rw True False False -
private_0x0000007a1cd00000 0x7a1cd00000 0x7a1cdfffff Private Memory rw True False False -
private_0x0000007a1cf00000 0x7a1cf00000 0x7a1cffffff Private Memory rw True False False -
private_0x0000007a1d000000 0x7a1d000000 0x7a1d0fffff Private Memory rw True False False -
private_0x0000007a1d100000 0x7a1d100000 0x7a1d1fffff Private Memory rw True False False -
private_0x0000007a1d300000 0x7a1d300000 0x7a1d3fffff Private Memory rw True False False -
private_0x0000007a1dd00000 0x7a1dd00000 0x7a1ddfffff Private Memory rw True False False -
private_0x0000007a1de00000 0x7a1de00000 0x7a1defffff Private Memory rw True False False -
private_0x0000007a1df00000 0x7a1df00000 0x7a1dffffff Private Memory rw True False False -
private_0x0000007a1e000000 0x7a1e000000 0x7a1e0fffff Private Memory rw True False False -
private_0x0000007a1e100000 0x7a1e100000 0x7a1e1fffff Private Memory rw True False False -
private_0x0000007a1e200000 0x7a1e200000 0x7a1e2fffff Private Memory rw True False False -
private_0x0000007a1e300000 0x7a1e300000 0x7a1e3fffff Private Memory rw True False False -
private_0x0000007a1e400000 0x7a1e400000 0x7a1e4fffff Private Memory rw True False False -
private_0x0000007a1e500000 0x7a1e500000 0x7a1e5fffff Private Memory rw True False False -
private_0x0000007a1e700000 0x7a1e700000 0x7a1e7fffff Private Memory rw True False False -
private_0x0000007a1e800000 0x7a1e800000 0x7a1e8fffff Private Memory rw True False False -
private_0x0000007a1e900000 0x7a1e900000 0x7a1e9fffff Private Memory rw True False False -
msores.dll 0x24900000000 0x24904e3efff Memory Mapped File r False False False -
pagefile_0x0000024904e40000 0x24904e40000 0x24904e40fff Pagefile Backed Memory rw True False False -
pagefile_0x0000024904e50000 0x24904e50000 0x24904e54fff Pagefile Backed Memory rw True False False -
pagefile_0x0000024904e60000 0x24904e60000 0x2490565ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000024905660000 0x24905660000 0x24905660fff Pagefile Backed Memory r True False False -
pagefile_0x0000024905670000 0x24905670000 0x24905670fff Pagefile Backed Memory r True False False -
private_0x0000024905680000 0x24905680000 0x2490577ffff Private Memory rw True False False -
private_0x0000024905780000 0x24905780000 0x2490597ffff Private Memory rw True False False -
pagefile_0x0000024905980000 0x24905980000 0x24905980fff Pagefile Backed Memory rw True False False -
private_0x0000024905990000 0x24905990000 0x24905990fff Private Memory rw True False False -
private_0x00000249059a0000 0x249059a0000 0x249059a0fff Private Memory rw True False False -
private_0x00000249059b0000 0x249059b0000 0x249059b0fff Private Memory rw True False False -
private_0x00000249059c0000 0x249059c0000 0x24905abffff Private Memory rw True False False -
pagefile_0x0000024905ac0000 0x24905ac0000 0x24905ac1fff Pagefile Backed Memory r True False False -
pagefile_0x0000024905ad0000 0x24905ad0000 0x24905ad0fff Pagefile Backed Memory rw True False False -
pagefile_0x0000024905ae0000 0x24905ae0000 0x24905b6bfff Pagefile Backed Memory r True False False -
private_0x0000024905b70000 0x24905b70000 0x24905b70fff Private Memory rw True False False -
private_0x0000024905b80000 0x24905b80000 0x24905b80fff Private Memory rw True False False -
private_0x0000024905b90000 0x24905b90000 0x24905b90fff Private Memory rw True False False -
pagefile_0x0000024905ba0000 0x24905ba0000 0x24905ba1fff Pagefile Backed Memory r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000025.db 0x24905bb0000 0x24905bcbfff Memory Mapped File r True False False -
pagefile_0x0000024905bd0000 0x24905bd0000 0x24905bd0fff Pagefile Backed Memory rw True False False -
cversions.2.db 0x24905be0000 0x24905be3fff Memory Mapped File r True False False -
cversions.2.db 0x24905bf0000 0x24905bf3fff Memory Mapped File r True False False -
pagefile_0x0000024905c00000 0x24905c00000 0x24905c0bfff Pagefile Backed Memory rw True False False -
pagefile_0x0000024905c10000 0x24905c10000 0x24905c11fff Pagefile Backed Memory r True False False -
private_0x0000024905c20000 0x24905c20000 0x24905c43fff Private Memory rw True False False -
private_0x0000024905c50000 0x24905c50000 0x24905c50fff Private Memory rw True False False -
private_0x0000024905c60000 0x24905c60000 0x24905c68fff Private Memory rw True False False -
pagefile_0x0000024905c70000 0x24905c70000 0x24905c8efff Pagefile Backed Memory rw True False False -
pagefile_0x0000024905c90000 0x24905c90000 0x24905c91fff Pagefile Backed Memory r True False False -
normidna.nls 0x24905ca0000 0x24905cb1fff Memory Mapped File r False False False -
cversions.2.db 0x24905cc0000 0x24905cc3fff Memory Mapped File r True False False -
pagefile_0x0000024905cd0000 0x24905cd0000 0x24905cd1fff Pagefile Backed Memory r True False False -
comdlg32.dll.mui 0x24905ce0000 0x24905cecfff Memory Mapped File r False False False -
pagefile_0x0000024905cf0000 0x24905cf0000 0x24905cf1fff Pagefile Backed Memory r True False False -
private_0x0000024905d00000 0x24905d00000 0x249060fffff Private Memory rw True False False -
pagefile_0x0000024906100000 0x24906100000 0x24906101fff Pagefile Backed Memory r True False False -
~fontcache-system.dat 0x24906110000 0x24906185fff Memory Mapped File r False False False -
~fontcache-fontface.dat 0x24906190000 0x2490718ffff Memory Mapped File r False False False -
~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat 0x24907190000 0x2490798ffff Memory Mapped File r False False False -
segoeui.ttf 0x24907990000 0x24907a6efff Memory Mapped File r False False False -
private_0x0000024907a70000 0x24907a70000 0x24907e6ffff Private Memory rw True False False -
private_0x0000024907e70000 0x24907e70000 0x24907e70fff Private Memory rw True False False -
d2d1.dll.mui 0x24907e80000 0x24907ec1fff Memory Mapped File r False False False -
windows.storage.dll.mui 0x24907ed0000 0x24907ed7fff Memory Mapped File r False False False -
cversions.2.db 0x24907ee0000 0x24907ee3fff Memory Mapped File r True False False -
{dc92199f-58e0-47b2-a19d-f989f346654c}.2.ver0x0000000000000001.db 0x24907ef0000 0x24907ef0fff Memory Mapped File r True False False -
pagefile_0x0000024907f00000 0x24907f00000 0x24907f01fff Pagefile Backed Memory r True False False -
pagefile_0x0000024907fd0000 0x24907fd0000 0x24907fd1fff Pagefile Backed Memory r True False False -
explorerframe.dll.mui 0x24907fe0000 0x24907fe6fff Memory Mapped File r False False False -
private_0x0000024907ff0000 0x24907ff0000 0x24907ff0fff Private Memory rw True False False -
pagefile_0x0000024908000000 0x24908000000 0x2490800bfff Pagefile Backed Memory rw True False False -
private_0x0000024908010000 0x24908010000 0x2490880ffff Private Memory rw True False False -
segoeuil.ttf 0x24908810000 0x249088e3fff Memory Mapped File r False False False -
seguisb.ttf 0x249088f0000 0x249089d2fff Memory Mapped File r False False False -
segoeuib.ttf 0x249089e0000 0x24908abbfff Memory Mapped File r False False False -
pagefile_0x0000024908ac0000 0x24908ac0000 0x24908acffff Pagefile Backed Memory rw True False False -
pagefile_0x0000024908ad0000 0x24908ad0000 0x24908adffff Pagefile Backed Memory rw True False False -
pagefile_0x0000024908ae0000 0x24908ae0000 0x24908aeffff Pagefile Backed Memory rw True False False -
private_0x0000024908af0000 0x24908af0000 0x24908ef4fff Private Memory rw True False False -
private_0x0000024908f00000 0x24908f00000 0x24909310fff Private Memory rw True False False -
private_0x0000024909320000 0x24909320000 0x24909730fff Private Memory rw True False False -
private_0x0000024909740000 0x24909740000 0x24909740fff Private Memory rw True False False -
private_0x0000024909750000 0x24909750000 0x24909750fff Private Memory rw True False False -
private_0x0000024909760000 0x24909760000 0x2490995ffff Private Memory rw True False False -
private_0x0000024909960000 0x24909960000 0x249099dffff Private Memory rw True False False -
c_1255.nls 0x249099e0000 0x249099f0fff Memory Mapped File r False False False -
staticcache.dat 0x24909a00000 0x2490aa3ffff Memory Mapped File r False False False -
pagefile_0x000002490aa40000 0x2490aa40000 0x2490aefcfff Pagefile Backed Memory rw True False False -
pagefile_0x000002490af00000 0x2490af00000 0x2490b3bcfff Pagefile Backed Memory rw True False False -
private_0x000002490b3c0000 0x2490b3c0000 0x2490b3c3fff Private Memory rw True False False -
private_0x000002490b3d0000 0x2490b3d0000 0x2490b3d3fff Private Memory rw True False False -
private_0x000002490b3e0000 0x2490b3e0000 0x2490b3e3fff Private Memory rw True False False -
private_0x000002490b3f0000 0x2490b3f0000 0x2490b3f2fff Private Memory rw True False False -
pagefile_0x000002490b400000 0x2490b400000 0x2490b401fff Pagefile Backed Memory r True False False -
private_0x000002490b410000 0x2490b410000 0x2490c3dffff Private Memory rw True False False -
pagefile_0x000002490c3e0000 0x2490c3e0000 0x2490c7dafff Pagefile Backed Memory r True False False -
private_0x000002490c7e0000 0x2490c7e0000 0x2490c7e0fff Private Memory rw True False False -
private_0x000002490c7f0000 0x2490c7f0000 0x2490c7f0fff Private Memory rw True False False -
iconcache_idx.db 0x2490c800000 0x2490c803fff Memory Mapped File rw True False False -
private_0x000002490c810000 0x2490c810000 0x2490c811fff Private Memory rw True False False -
pagefile_0x000002490c820000 0x2490c820000 0x2490c83efff Pagefile Backed Memory rw True False False -
private_0x000002490c840000 0x2490c840000 0x2490c887fff Private Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db 0x2490c890000 0x2490c8d4fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x2490c8e0000 0x2490c96dfff Memory Mapped File r True False False -
private_0x000002490c970000 0x2490c970000 0x2490ca6ffff Private Memory rw True False False -
pagefile_0x000002490ca70000 0x2490ca70000 0x2490cb45fff Pagefile Backed Memory rw True False False -
pagefile_0x000002490cb50000 0x2490cb50000 0x2490cc25fff Pagefile Backed Memory rw True False False -
private_0x000002490cc30000 0x2490cc30000 0x2490cc41fff Private Memory rw True False False -
private_0x000002490cc50000 0x2490cc50000 0x2490cc50fff Private Memory rw True False False -
private_0x000002490cc60000 0x2490cc60000 0x2490cc60fff Private Memory rw True False False -
private_0x000002490cc70000 0x2490cc70000 0x2490cc70fff Private Memory rw True False False -
private_0x000002490cc80000 0x2490cc80000 0x2490cc80fff Private Memory rw True False False -
private_0x000002490cc90000 0x2490cc90000 0x2490cc90fff Private Memory rw True False False -
private_0x000002490cca0000 0x2490cca0000 0x2490cca0fff Private Memory rw True False False -
pagefile_0x000002490ccb0000 0x2490ccb0000 0x2490cce5fff Pagefile Backed Memory rw True False False -
private_0x000002490ccf0000 0x2490ccf0000 0x2490ccf0fff Private Memory rw True False False -
private_0x000002490cd00000 0x2490cd00000 0x2490cd00fff Private Memory rw True False False -
pagefile_0x000002490cd10000 0x2490cd10000 0x2490cd45fff Pagefile Backed Memory rw True False False -
private_0x000002490cd50000 0x2490cd50000 0x2490cd53fff Private Memory rw True False False -
private_0x000002490cd60000 0x2490cd60000 0x2490cd61fff Private Memory rw True False False -
pagefile_0x000002490cd70000 0x2490cd70000 0x2490cd70fff Pagefile Backed Memory r True False False -
private_0x000002490cd80000 0x2490cd80000 0x2490cd80fff Private Memory rw True False False -
private_0x000002490cda0000 0x2490cda0000 0x2490cdaffff Private Memory rw True False False -
pagefile_0x000002490cdb0000 0x2490cdb0000 0x2490d28dfff Pagefile Backed Memory rw True False False -
private_0x000002490d300000 0x2490d300000 0x2490d30ffff Private Memory rw True False False -
kernelbase.dll.mui 0x2490d310000 0x2490d3effff Memory Mapped File r False False False -
private_0x000002490d4a0000 0x2490d4a0000 0x2490d4affff Private Memory rw True False False -
private_0x000002490d4c0000 0x2490d4c0000 0x2490d4cffff Private Memory rw True False False -
pagefile_0x000002490d4d0000 0x2490d4d0000 0x2490d856fff Pagefile Backed Memory rw True False False -
pagefile_0x000002490d860000 0x2490d860000 0x2490dbe6fff Pagefile Backed Memory rw True False False -
iconcache_16.db 0x2490dbf0000 0x2490dceffff Memory Mapped File rw True False False -
private_0x000002490ddf0000 0x2490ddf0000 0x2490deeffff Private Memory rw True False False -
private_0x000002490def0000 0x2490def0000 0x2490e0effff Private Memory rw True False False -
private_0x000002490e0f0000 0x2490e0f0000 0x2490e2effff Private Memory rw True False False -
pagefile_0x000002490e2f0000 0x2490e2f0000 0x2490e441fff Pagefile Backed Memory rw True False False -
pagefile_0x000002497b0a0000 0x2497b0a0000 0x2497b0affff Pagefile Backed Memory rw True False False -
private_0x000002497b0b0000 0x2497b0b0000 0x2497b0b6fff Private Memory rw True False False -
For performance reasons, the remaining 597 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files

Filename C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll
File Size 118.00 KB
MD5 6ee9227fcc2f69b03e607f417766c5c7
SHA1 e29b0f80bf85d9f2d32a6812b27a8fd15cffd64f
SHA256 6e7e55e48458356f698efa53a66c6861b7954b0f3c8eea4d2b3c605ef0bab910
SSDeep 1536:t7MENknZMUFHCRa7/ltkbkWpeYjPiXlACOmNZx8yM4dCf:t7MfiUFHCiQ0mklACOmWyR
YARA Match False

Filename C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll (the same path, hashed a second time at its final size)
File Size 10.00 MB
MD5 44c3e1a579176174c89621efb47e8292
SHA1 e1c4904751f79f1d2f03fc51ab1e559f837ba3df
SHA256 65dcd3cb854cbc68242dd5f1170d08d3ae16d88cddba7416df121e4d30b892d7
SSDeep 3072:t7MfiUFHCiQ0mklACOmWyRkHxr0ceciIMsb1d3t8AyRAikvv2pl:t7Mq7iQ3kOCOD5tZyRJl
YARA Match False

Filename C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Conime.lnk
File Size 0.90 KB
MD5 df525d7725ed63771626fb33c272dce0
SHA1 8612b2aa73e0e234d904b7b07863bcdc1accd11c
SHA256 9a6930c3a11ded007e9b9c8904d5b4f78e7c278185795b4786374d5a88716f5e
SSDeep 12:8Ul0nm/3BVSXzt1WlpcW+fTWlQEQ1XwEQ1IIhiNL4t2Yg859zXJ:8UlT/BuUlpV+fClO0a5I7
YARA Match False
Host Behavior
COM (4)

Operation Class Interface Additional Information Success Count
Create Scripting.FileSystemObject IUnknown cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Create ADODB.Stream IUnknown cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2
Create WScript.Shell IUnknown cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
File (765)

Operation Filename Additional Information Success Count
Create C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll - True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Conime.lnk - True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll - True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll size = 512 True 383
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll size = 514 True 378
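The File rows above, together with the Created Files table and the COM objects the macro instantiated (Scripting.FileSystemObject, ADODB.Stream, WScript.Shell), are what a responder would turn into detection logic. The following Python is an added triage example, not VMRay code or output: it parses the report's own "Operation Filename Additional Information Success Count" rows (pasted in as constructed sample input), flags a file created in the user's Startup folder, an executable module created under Temp, and a single path receiving hundreds of sub-1 KiB writes, and looks up a SHA256 against the hashes in the Created Files table. The rule names, the 1 KiB / 100-write thresholds and the match_ioc helper are this example's own assumptions; the same checks port unchanged to EDR file-event telemetry keyed on a parent image of excel.exe.

```python
"""Triage of the File rows above (added example; not VMRay code or output).

Parses the report's "Operation Filename Additional Information Success Count"
rows and applies three checks to Office-spawned file activity:
  1. a file created under the user's Startup folder (persistence),
  2. a DLL/EXE created under %LOCALAPPDATA%\\Temp (dropped payload),
  3. one path receiving hundreds of sub-1 KiB writes (payload streamed to
     disk in small chunks instead of one copy).
Rule names, thresholds and match_ioc() are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample: the File rows the report attributes to process #1 (excel.exe).
SAMPLE_ROWS = r"""
Create C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll - True 1
Create C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 1
Create C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Conime.lnk - True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll - True 1
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll size = 512 True 383
Write C:\Users\Nd9E1FYi\AppData\Local\Temp\proxyconf.dll size = 514 True 378
""".strip("\n")

# SHA256 values copied from the Created Files table of the report.
REPORT_SHA256 = {
    "6e7e55e48458356f698efa53a66c6861b7954b0f3c8eea4d2b3c605ef0bab910": "proxyconf.dll (118.00 KB)",
    "65dcd3cb854cbc68242dd5f1170d08d3ae16d88cddba7416df121e4d30b892d7": "proxyconf.dll (10.00 MB)",
    "9a6930c3a11ded007e9b9c8904d5b4f78e7c278185795b4786374d5a88716f5e": "Conime.lnk",
}

# operation, path (may contain spaces), extra ("-" or "key = value ..."), success, count.
# The path group is lazy, so it stops at the first whitespace that is followed
# by "-" or a "key =" token, which is how the report separates the columns.
ROW_RE = re.compile(r"^(\w+)\s+(.+?)\s+(-|\w+\s*=\s*.*?)\s+(True|False)\s+(\d+)$")


def parse_rows(text):
    """Return one dict per parseable row; rows that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, path, extra, ok, count = m.groups()
        sm = re.search(r"\bsize\s*=\s*(\d+)", extra)
        rows.append({"op": op, "path": path, "extra": extra, "success": ok == "True",
                     "count": int(count), "size": int(sm.group(1)) if sm else None})
    return rows


STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
TEMP_DIR = "\\appdata\\local\\temp\\"
PE_SUFFIXES = (".dll", ".exe", ".scr", ".ocx")
SMALL_WRITE_MAX = 1024        # bytes; the report shows 512- and 514-byte writes
SMALL_WRITE_MIN_COUNT = 100   # assumed threshold for flagging chunked output


def triage(rows):
    """Return a de-duplicated list of (rule, path, detail) findings."""
    findings, seen = [], set()
    small_writes = defaultdict(int)

    def add(rule, path, detail):
        if (rule, path) not in seen:
            seen.add((rule, path))
            findings.append((rule, path, detail))

    for r in rows:
        if not r["success"]:
            continue
        p = r["path"].lower()  # Windows paths are case-insensitive
        if r["op"] == "Create" and STARTUP_DIR in p:
            add("startup_persistence", r["path"], "file created in the user Startup folder")
        if r["op"] == "Create" and TEMP_DIR in p and p.endswith(PE_SUFFIXES):
            add("temp_pe_drop", r["path"], "executable module created under Temp")
        if r["op"] == "Write" and r["size"] is not None and r["size"] <= SMALL_WRITE_MAX:
            small_writes[r["path"]] += r["count"]
    for path, n in small_writes.items():
        if n >= SMALL_WRITE_MIN_COUNT:
            add("chunked_write", path, f"{n} writes of <= {SMALL_WRITE_MAX} bytes")
    return findings


def match_ioc(sha256_hex):
    """Label from the report's Created Files table for a SHA256, or None."""
    return REPORT_SHA256.get(sha256_hex.strip().lower())


if __name__ == "__main__":
    for rule, path, detail in triage(parse_rows(SAMPLE_ROWS)):
        print(f"{rule:20} {detail:45} {path}")
```

Running the block prints three findings for the sample: the Startup-folder Conime.lnk, the proxyconf.dll drop under Temp, and 761 small writes (383 of 512 bytes plus 378 of 514 bytes) to that same DLL. The de-duplication matters because the report records two Create operations for the same Temp path; without it the same drop would be reported twice.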
Registry (36)

Operation Key Additional Information Success Count
Create Key HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common - True 1
Open Key HKEY_CLASSES_ROOT\Licenses - False 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 - False 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 - False 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 - True 1
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 - True 2
Open Key HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 - True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = RequireDeclaration, data = 158, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 data = C:\Program Files\Microsoft Office\Office16\EXCEL.EXE True 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 data = C:\Windows\System32\stdole2.tlb True 1
Read Value HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Enumerate Keys HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} - True 1
Module (119)

Operation Module Additional Information Success Count
Load Comctl32.dll base_address = 0x7ffbac410000 True 1
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x7ffb9bae0000 True 1
Load C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL base_address = 0x2490ab70000 True 1
Load OLEAUT32.DLL base_address = 0x7ffbb5f50000 True 1
Load VBE7.DLL base_address = 0x7ffb9bd70000 True 18
Get Handle Unknown module name base_address = 0x7ff79fde0000 True 1
Get Handle Unknown module name base_address = 0x7ffba6820000 True 1
Get Handle C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL base_address = 0x0 False 1
Get Handle USER32 base_address = 0x7ffbb6170000 True 1
Get Handle oleaut32.dll base_address = 0x7ffbb5f50000 True 1
Get Handle ole32.dll base_address = 0x7ffbb6020000 True 1
Get Filename - process_name = c:\program files\microsoft office\office16\excel.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 2
Get Address Unknown module name function = MsiProvideQualifiedComponentA, address_out = 0x7ffba68b84b0 True 1
Get Address Unknown module name function = MsiGetProductCodeA, address_out = 0x7ffba68b24d0 True 1
Get Address Unknown module name function = MsiReinstallFeatureA, address_out = 0x7ffba68b99e0 True 1
Get Address Unknown module name function = MsiProvideComponentA, address_out = 0x7ffba68b7fd0 True 1
Get Address Unknown module name function = GetSystemMetrics, address_out = 0x7ffbb61829f0 True 1
Get Address Unknown module name function = MonitorFromWindow, address_out = 0x7ffbb617f620 True 1
Get Address Unknown module name function = MonitorFromRect, address_out = 0x7ffbb6181cd0 True 1
Get Address Unknown module name function = MonitorFromPoint, address_out = 0x7ffbb6185460 True 1
Get Address Unknown module name function = EnumDisplayMonitors, address_out = 0x7ffbb61a27e0 True 1
Get Address Unknown module name function = GetMonitorInfoA, address_out = 0x7ffbb61820b0 True 1
Get Address Unknown module name function = EnumDisplayDevicesA, address_out = 0x7ffbb6192800 True 1
Get Address Unknown module name function = DispCallFunc, address_out = 0x7ffbb5f5b1d0 True 1
Get Address Unknown module name function = LoadTypeLibEx, address_out = 0x7ffbb5f54cd0 True 1
Get Address Unknown module name function = UnRegisterTypeLib, address_out = 0x7ffbb5f84ac0 True 1
Get Address Unknown module name function = CreateTypeLib2, address_out = 0x7ffbb5f6d810 True 1
Get Address Unknown module name function = VarDateFromUdate, address_out = 0x7ffbb5f65ec0 True 1
Get Address Unknown module name function = VarUdateFromDate, address_out = 0x7ffbb5f66050 True 1
Get Address Unknown module name function = GetAltMonthNames, address_out = 0x7ffbb5fae9c0 True 1
Get Address Unknown module name function = VarNumFromParseNum, address_out = 0x7ffbb5f663d0 True 1
Get Address Unknown module name function = VarParseNumFromStr, address_out = 0x7ffbb5f65620 True 1
Get Address Unknown module name function = VarDecFromR4, address_out = 0x7ffbb5f518d0 True 1
Get Address Unknown module name function = VarDecFromR8, address_out = 0x7ffbb5f51580 True 1
Get Address Unknown module name function = VarDecFromDate, address_out = 0x7ffbb5fb5060 True 1
Get Address Unknown module name function = VarDecFromI4, address_out = 0x7ffbb5f52340 True 1
Get Address Unknown module name function = VarDecFromCy, address_out = 0x7ffbb5fb5030 True 1
Get Address Unknown module name function = VarR4FromDec, address_out = 0x7ffbb5fb54c0 True 1
Get Address Unknown module name function = GetRecordInfoFromTypeInfo, address_out = 0x7ffbb5fb37d0 True 1
Get Address Unknown module name function = GetRecordInfoFromGuids, address_out = 0x7ffbb5fb3650 True 1
Get Address Unknown module name function = SafeArrayGetRecordInfo, address_out = 0x7ffbb5fb4a80 True 1
Get Address Unknown module name function = SafeArraySetRecordInfo, address_out = 0x7ffbb5fb4ae0 True 1
Get Address Unknown module name function = SafeArrayGetIID, address_out = 0x7ffbb5fb4a50 True 1
Get Address Unknown module name function = SafeArraySetIID, address_out = 0x7ffbb5f56770 True 1
Get Address Unknown module name function = SafeArrayCopyData, address_out = 0x7ffbb5f62d80 True 1
Get Address Unknown module name function = SafeArrayAllocDescriptorEx, address_out = 0x7ffbb5f55890 True 1
Get Address Unknown module name function = SafeArrayCreateEx, address_out = 0x7ffbb5fb4910 True 1
Get Address Unknown module name function = VarFormat, address_out = 0x7ffbb5fb9660 True 1
Get Address Unknown module name function = VarFormatDateTime, address_out = 0x7ffbb5fb9870 True 1
Get Address Unknown module name function = VarFormatNumber, address_out = 0x7ffbb5fb98f0 True 1
Get Address Unknown module name function = VarFormatPercent, address_out = 0x7ffbb5fb9a00 True 1
Get Address Unknown module name function = VarFormatCurrency, address_out = 0x7ffbb5fb9750 True 1
Get Address Unknown module name function = VarWeekdayName, address_out = 0x7ffbb5fb9e40 True 1
Get Address Unknown module name function = VarMonthName, address_out = 0x7ffbb5fb9af0 True 1
Get Address Unknown module name function = VarAdd, address_out = 0x7ffbb5fa5010 True 1
Get Address Unknown module name function = VarAnd, address_out = 0x7ffbb5fa7890 True 1
Get Address Unknown module name function = VarCat, address_out = 0x7ffbb5fa5a00 True 1
Get Address Unknown module name function = VarDiv, address_out = 0x7ffbb5fa5b40 True 1
Get Address Unknown module name function = VarEqv, address_out = 0x7ffbb5fa7a20 True 1
Get Address Unknown module name function = VarIdiv, address_out = 0x7ffbb5fa7a50 True 1
Get Address Unknown module name function = VarImp, address_out = 0x7ffbb5fa7c10 True 1
Get Address Unknown module name function = VarMod, address_out = 0x7ffbb5fa7d00 True 1
Get Address Unknown module name function = VarMul, address_out = 0x7ffbb5fa61d0 True 1
Get Address Unknown module name function = VarOr, address_out = 0x7ffbb5fa7f20 True 1
Get Address Unknown module name function = VarPow, address_out = 0x7ffbb5fa6ab0 True 1
Get Address Unknown module name function = VarSub, address_out = 0x7ffbb5fa6ce0 True 1
Get Address Unknown module name function = VarXor, address_out = 0x7ffbb5fa80c0 True 1
Get Address Unknown module name function = VarAbs, address_out = 0x7ffbb5fa4210 True 1
Get Address Unknown module name function = VarFix, address_out = 0x7ffbb5fa44f0 True 1
Get Address Unknown module name function = VarInt, address_out = 0x7ffbb5fa46e0 True 1
Get Address Unknown module name function = VarNeg, address_out = 0x7ffbb5fa48b0 True 1
Get Address Unknown module name function = VarNot, address_out = 0x7ffbb5fa7e80 True 1
Get Address Unknown module name function = VarRound, address_out = 0x7ffbb5fa4c40 True 1
Get Address Unknown module name function = VarCmp, address_out = 0x7ffbb5f68ba0 True 1
Get Address Unknown module name function = VarDecAdd, address_out = 0x7ffbb5fa8e30 True 1
Get Address Unknown module name function = VarDecCmp, address_out = 0x7ffbb5f52170 True 1
Get Address Unknown module name function = VarBstrCat, address_out = 0x7ffbb5f63340 True 1
Get Address Unknown module name function = VarCyMulI4, address_out = 0x7ffbb5f51d70 True 1
Get Address Unknown module name function = VarBstrCmp, address_out = 0x7ffbb5f69080 True 1
Get Address Unknown module name function = CoCreateInstanceEx, address_out = 0x7ffbb6f382a0 True 1
Get Address Unknown module name function = CLSIDFromProgIDEx, address_out = 0x7ffbb6036a20 True 1
Get Address Unknown module name address_out = 0x7ffb9baef200 True 1
Get Address Unknown module name function = 711, address_out = 0x7ffb9c0e9eb0 True 3
Get Address Unknown module name function = 716, address_out = 0x7ffb9c0a9158 True 3
Get Address Unknown module name function = 698, address_out = 0x7ffb9beb1044 True 3
Get Address Unknown module name function = 710, address_out = 0x7ffb9c0e9bbc True 3
Get Address Unknown module name function = 593, address_out = 0x7ffb9c065248 True 3
Get Address Unknown module name function = 666, address_out = 0x7ffb9be0ac40 True 3
Get Address Unknown module name function = DllDebugObjectRPCHook, address_out = 0x7ffbb6f07890 True 1
Window (1)

Operation Window Name Additional Information Success Count
Create - class_name = ThunderMain, wndproc_parameter = 0 True 1
System (14)

Operation Additional Information Success Count
Get Cursor x_out = 660, y_out = 493 True 1
Get Cursor x_out = 575, y_out = 323 True 1
Get Time type = Local Time, time = 2018-08-05 21:42:07 (Local Time) True 6
Get Time type = Local Time, time = 2018-08-05 21:42:16 (Local Time) True 2
Get Time type = Local Time, time = 2018-08-05 21:43:30 (Local Time) True 1
Get Info type = Operating System True 2
Get Info type = Operating System True 1
Environment (1)

Operation Additional Information Success Count
Get Environment String name = DDRYBUR False 1