12.0
0-day
39 个模型检测该样本为恶意!
重新分析
更多

e6c32ec6965b96c741a2e916faa8c1e296d8da47474fe7feda65427c9565a705

01ef38a653c02d32081b61282a84e07b.exe

分析耗时

100s

最近分析

文件大小

682.0KB
静态报毒 动态报毒 A + MAL ANDROM AVII CLASSIC DELF DELPHILESS ELDORADO ELTI FAREIT GENCIRC HIGH CONFIDENCE HJYCOY INJECTNET KRYPTIK MALWARE@#2I79CEPVT63R0 NYBVX PUTTY QGW@AIIMHQJI REMCOS SCORE SIMDA STATIC AI SUSPICIOUS PE WACATAC X2059 ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20210127 2017.9.26.565
McAfee Fareit-FSK!01EF38A653C0 20210127 6.0.6.653
Tencent Malware.Win32.Gencirc.118d77cc 20210127 1.0.0.1
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1619168642.878124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619168644.331124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619168645.331124
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619168639.831124
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619134517.873372
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 49413952
registers.edi: 0
registers.eax: 0
registers.ebp: 49414024
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5d e9 7a a2 f8
exception.symbol: 01ef38a653c02d32081b61282a84e07b+0x79481
exception.instruction: div eax
exception.module: 01ef38a653c02d32081b61282a84e07b.exe
exception.exception_code: 0xc0000094
exception.offset: 496769
exception.address: 0x479481
success 0 0
1619168646.613124
__exception__
stacktrace: 
01ef38a653c02d32081b61282a84e07b+0x12fdd @ 0x412fdd
01ef38a653c02d32081b61282a84e07b+0x1296e @ 0x41296e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38797108
registers.edi: 34600026
registers.eax: 41287712
registers.ebp: 38797116
registers.edx: 6893568
registers.ebx: 41287712
registers.esi: 875368452
registers.ecx: 0
exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec
exception.symbol: 01ef38a653c02d32081b61282a84e07b+0x2b41
exception.instruction: mov cl, byte ptr [edx]
exception.module: 01ef38a653c02d32081b61282a84e07b.exe
exception.exception_code: 0xc0000005
exception.offset: 11073
exception.address: 0x402b41
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://missingandfound.com.my/mb/Panel/fre.php
Performs some HTTP requests (1 个事件)
request POST http://missingandfound.com.my/mb/Panel/fre.php
Sends data using the HTTP POST Method (1 个事件)
request POST http://missingandfound.com.my/mb/Panel/fre.php
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619134517.780372
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619134517.873372
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00550000
success 0 0
1619134517.889372
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00830000
success 0 0
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619168645.238124
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01ef38a653c02d32081b61282a84e07b.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
flags: 1
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01ef38a653c02d32081b61282a84e07b.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.582550572117714 section {'size_of_data': '0x00008c00', 'virtual_address': '0x0007a000', 'entropy': 7.582550572117714, 'name': 'DATA', 'virtual_size': '0x00008af4'} description A section with a high entropy has been found
entropy 7.715512009123029 section {'size_of_data': '0x0001dc00', 'virtual_address': '0x00092000', 'entropy': 7.715512009123029, 'name': '.rsrc', 'virtual_size': '0x0001da58'} description A section with a high entropy has been found
entropy 0.2261380323054332 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619168644.128124
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2620 called NtSetContextThread to modify thread in remote process 360
Time & API Arguments Status Return Repeated
1619134518.139372
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 360
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2620 resumed a thread in remote process 360
Time & API Arguments Status Return Repeated
1619134518.952372
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 360
success 0 0
Generates some ICMP traffic
Executed a process and injected code into it, probably while unpacking (7 个事件)
Time & API Arguments Status Return Repeated
1619134518.045372
CreateProcessInternalW
thread_identifier: 2404
thread_handle: 0x000000ec
process_identifier: 360
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\01ef38a653c02d32081b61282a84e07b.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000f0
inherit_handles: 0
success 1 0
1619134518.045372
NtUnmapViewOfSection
process_identifier: 360
region_size: 4096
process_handle: 0x000000f0
base_address: 0x00400000
success 0 0
1619134518.061372
NtMapViewOfSection
section_handle: 0x000000f8
process_identifier: 360
commit_size: 663552
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f0
allocation_type: 0 ()
section_offset: 0
view_size: 663552
base_address: 0x00400000
success 0 0
1619134518.139372
NtGetContextThread
thread_handle: 0x000000ec
success 0 0
1619134518.139372
NtSetContextThread
thread_handle: 0x000000ec
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 360
success 0 0
1619134518.952372
NtResumeThread
thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 360
success 0 0
1619168640.409124
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 360
success 0 0
File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Injector.DHA
FireEye Generic.mg.01ef38a653c02d32
CAT-QuickHeal Trojan.Kryptik
ALYac Trojan.Injector.DHA
Malwarebytes Trojan.MalPack.DLF
Sangfor Malware
K7AntiVirus Trojan ( 005660fb1 )
BitDefender Trojan.Injector.DHA
K7GW Trojan ( 005660fb1 )
Cybereason malicious.653c02
BitDefenderTheta Gen:NN.ZelphiF.34780.QGW@aiImhQji
Cyren W32/Delf.KL.gen!Eldorado
APEX Malicious
ClamAV Win.Dropper.Remcos-7759529-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
NANO-Antivirus Trojan.Win32.InjectNET.hjycoy
Rising Trojan.Injector!1.C7A3 (CLASSIC)
Ad-Aware Trojan.Injector.DHA
Sophos ML/PE-A + Mal/Fareit-AA
Comodo Malware@#2i79cepvt63r0
F-Secure Trojan.TR/Injector.nybvx
VIPRE Trojan.Win32.Simda.ba (v)
Emsisoft Trojan.Injector.DHA (B)
Ikarus Trojan.Inject
Jiangmin Backdoor.Androm.avii
Avira TR/Injector.nybvx
Antiy-AVL Trojan/Win32.Wacatac
Arcabit Trojan.Injector.DHA
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
Microsoft PWS:Win32/Fareit
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
McAfee Fareit-FSK!01EF38A653C0
VBA32 Trojan.Kryptik
ESET-NOD32 a variant of Win32/Injector.ELTI
Tencent Malware.Win32.Gencirc.118d77cc
SentinelOne Static AI - Suspicious PE
Fortinet W32/Injector.ELTI!tr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x48413c VirtualFree
0x484140 VirtualAlloc
0x484144 LocalFree
0x484148 LocalAlloc
0x48414c GetVersion
0x484150 GetCurrentThreadId
0x48415c VirtualQuery
0x484160 WideCharToMultiByte
0x484168 MultiByteToWideChar
0x48416c lstrlenA
0x484170 lstrcpynA
0x484174 LoadLibraryExA
0x484178 GetThreadLocale
0x48417c GetStartupInfoA
0x484180 GetProcAddress
0x484184 GetModuleHandleA
0x484188 GetModuleFileNameA
0x48418c GetLocaleInfoA
0x484190 GetLastError
0x484198 GetCommandLineA
0x48419c FreeLibrary
0x4841a0 FindFirstFileA
0x4841a4 FindClose
0x4841a8 ExitProcess
0x4841ac WriteFile
0x4841b4 RtlUnwind
0x4841b8 RaiseException
0x4841bc GetStdHandle
Library user32.dll:
0x4841c4 GetKeyboardType
0x4841c8 LoadStringA
0x4841cc MessageBoxA
0x4841d0 CharNextA
Library advapi32.dll:
0x4841d8 RegQueryValueExA
0x4841dc RegOpenKeyExA
0x4841e0 RegCloseKey
Library oleaut32.dll:
0x4841e8 SysFreeString
0x4841ec SysReAllocStringLen
0x4841f0 SysAllocStringLen
Library kernel32.dll:
0x4841f8 TlsSetValue
0x4841fc TlsGetValue
0x484200 LocalAlloc
0x484204 GetModuleHandleA
Library advapi32.dll:
0x48420c RegQueryValueExA
0x484210 RegOpenKeyExA
0x484214 RegCloseKey
Library kernel32.dll:
0x48421c lstrcpyA
0x484220 lstrcmpA
0x484224 WriteFile
0x48422c WaitForSingleObject
0x484230 VirtualQuery
0x484234 VirtualAlloc
0x484238 Sleep
0x48423c SizeofResource
0x484240 SetThreadLocale
0x484244 SetFilePointer
0x484248 SetEvent
0x48424c SetErrorMode
0x484250 SetEndOfFile
0x484254 ResetEvent
0x484258 ReadFile
0x48425c MulDiv
0x484260 LockResource
0x484264 LoadResource
0x484268 LoadLibraryA
0x484274 GlobalUnlock
0x484278 GlobalReAlloc
0x48427c GlobalHandle
0x484280 GlobalLock
0x484284 GlobalFree
0x484288 GlobalFindAtomA
0x48428c GlobalDeleteAtom
0x484290 GlobalAlloc
0x484294 GlobalAddAtomA
0x484298 GetVersionExA
0x48429c GetVersion
0x4842a0 GetTickCount
0x4842a4 GetThreadLocale
0x4842ac GetSystemTime
0x4842b0 GetSystemInfo
0x4842b4 GetStringTypeExA
0x4842b8 GetStdHandle
0x4842bc GetProcAddress
0x4842c0 GetModuleHandleA
0x4842c4 GetModuleFileNameA
0x4842c8 GetLocaleInfoA
0x4842cc GetLocalTime
0x4842d0 GetLastError
0x4842d4 GetFullPathNameA
0x4842d8 GetFileAttributesA
0x4842dc GetDiskFreeSpaceA
0x4842e0 GetDateFormatA
0x4842e4 GetCurrentThreadId
0x4842e8 GetCurrentProcessId
0x4842ec GetCPInfo
0x4842f0 GetACP
0x4842f4 FreeResource
0x4842f8 InterlockedExchange
0x4842fc FreeLibrary
0x484300 FormatMessageA
0x484304 FindResourceA
0x484308 FindNextFileA
0x48430c FindFirstFileA
0x484310 FindClose
0x484320 ExitThread
0x484324 ExitProcess
0x484328 EnumCalendarInfoA
0x484334 CreateThread
0x484338 CreateFileA
0x48433c CreateEventA
0x484340 CompareStringA
0x484344 CloseHandle
Library version.dll:
0x48434c VerQueryValueA
0x484354 GetFileVersionInfoA
Library gdi32.dll:
0x48435c UnrealizeObject
0x484360 StretchBlt
0x484364 SetWindowOrgEx
0x484368 SetViewportOrgEx
0x48436c SetTextColor
0x484370 SetStretchBltMode
0x484374 SetROP2
0x484378 SetPixel
0x48437c SetDIBColorTable
0x484380 SetBrushOrgEx
0x484384 SetBkMode
0x484388 SetBkColor
0x48438c SelectPalette
0x484390 SelectObject
0x484394 SelectClipRgn
0x484398 SaveDC
0x48439c RestoreDC
0x4843a0 Rectangle
0x4843a4 RectVisible
0x4843a8 RealizePalette
0x4843ac PatBlt
0x4843b0 MoveToEx
0x4843b4 MaskBlt
0x4843b8 LineTo
0x4843bc IntersectClipRect
0x4843c0 GetWindowOrgEx
0x4843c4 GetTextMetricsA
0x4843d0 GetStockObject
0x4843d4 GetPixel
0x4843d8 GetPaletteEntries
0x4843dc GetObjectA
0x4843e0 GetDeviceCaps
0x4843e4 GetDIBits
0x4843e8 GetDIBColorTable
0x4843ec GetDCOrgEx
0x4843f4 GetClipBox
0x4843f8 GetBrushOrgEx
0x4843fc GetBitmapBits
0x484400 ExtTextOutA
0x484404 ExcludeClipRect
0x484408 DeleteObject
0x48440c DeleteDC
0x484410 CreateSolidBrush
0x484414 CreatePenIndirect
0x484418 CreatePalette
0x484420 CreateFontIndirectA
0x484424 CreateDIBitmap
0x484428 CreateDIBSection
0x48442c CreateCompatibleDC
0x484434 CreateBrushIndirect
0x484438 CreateBitmap
0x48443c BitBlt
Library user32.dll:
0x484444 CreateWindowExA
0x484448 WindowFromPoint
0x48444c WinHelpA
0x484450 WaitMessage
0x484454 UpdateWindow
0x484458 UnregisterClassA
0x48445c UnhookWindowsHookEx
0x484460 TranslateMessage
0x484468 TrackPopupMenu
0x484470 ShowWindow
0x484474 ShowScrollBar
0x484478 ShowOwnedPopups
0x48447c ShowCursor
0x484480 SetWindowsHookExA
0x484484 SetWindowTextA
0x484488 SetWindowPos
0x48448c SetWindowPlacement
0x484490 SetWindowLongA
0x484494 SetTimer
0x484498 SetScrollRange
0x48449c SetScrollPos
0x4844a0 SetScrollInfo
0x4844a4 SetRect
0x4844a8 SetPropA
0x4844ac SetParent
0x4844b0 SetMenuItemInfoA
0x4844b4 SetMenu
0x4844b8 SetForegroundWindow
0x4844bc SetFocus
0x4844c0 SetCursor
0x4844c4 SetClassLongA
0x4844c8 SetCapture
0x4844cc SetActiveWindow
0x4844d0 SendMessageA
0x4844d4 ScrollWindow
0x4844d8 ScreenToClient
0x4844dc RemovePropA
0x4844e0 RemoveMenu
0x4844e4 ReleaseDC
0x4844e8 ReleaseCapture
0x4844f4 RegisterClassA
0x4844f8 RedrawWindow
0x4844fc PtInRect
0x484500 PostQuitMessage
0x484504 PostMessageA
0x484508 PeekMessageA
0x48450c OffsetRect
0x484510 OemToCharA
0x484514 MessageBoxA
0x484518 MapWindowPoints
0x48451c MapVirtualKeyA
0x484520 LoadStringA
0x484524 LoadKeyboardLayoutA
0x484528 LoadIconA
0x48452c LoadCursorA
0x484530 LoadBitmapA
0x484534 KillTimer
0x484538 IsZoomed
0x48453c IsWindowVisible
0x484540 IsWindowEnabled
0x484544 IsWindow
0x484548 IsRectEmpty
0x48454c IsIconic
0x484550 IsDialogMessageA
0x484554 IsChild
0x484558 InvalidateRect
0x48455c IntersectRect
0x484560 InsertMenuItemA
0x484564 InsertMenuA
0x484568 InflateRect
0x484570 GetWindowTextA
0x484574 GetWindowRect
0x484578 GetWindowPlacement
0x48457c GetWindowLongA
0x484580 GetWindowDC
0x484584 GetTopWindow
0x484588 GetSystemMetrics
0x48458c GetSystemMenu
0x484590 GetSysColorBrush
0x484594 GetSysColor
0x484598 GetSubMenu
0x48459c GetScrollRange
0x4845a0 GetScrollPos
0x4845a4 GetScrollInfo
0x4845a8 GetPropA
0x4845ac GetParent
0x4845b0 GetWindow
0x4845b4 GetMessagePos
0x4845b8 GetMenuStringA
0x4845bc GetMenuState
0x4845c0 GetMenuItemInfoA
0x4845c4 GetMenuItemID
0x4845c8 GetMenuItemCount
0x4845cc GetMenu
0x4845d0 GetLastActivePopup
0x4845d4 GetKeyboardState
0x4845dc GetKeyboardLayout
0x4845e0 GetKeyState
0x4845e4 GetKeyNameTextA
0x4845e8 GetIconInfo
0x4845ec GetForegroundWindow
0x4845f0 GetFocus
0x4845f4 GetDesktopWindow
0x4845f8 GetDCEx
0x4845fc GetDC
0x484600 GetCursorPos
0x484604 GetCursor
0x484608 GetClientRect
0x48460c GetClassNameA
0x484610 GetClassInfoA
0x484614 GetCapture
0x484618 GetActiveWindow
0x48461c FrameRect
0x484620 FindWindowA
0x484624 FillRect
0x484628 EqualRect
0x48462c EnumWindows
0x484630 EnumThreadWindows
0x484634 EndPaint
0x484638 EndDeferWindowPos
0x48463c EnableWindow
0x484640 EnableScrollBar
0x484644 EnableMenuItem
0x484648 DrawTextA
0x48464c DrawMenuBar
0x484650 DrawIconEx
0x484654 DrawIcon
0x484658 DrawFrameControl
0x48465c DrawFocusRect
0x484660 DrawEdge
0x484664 DispatchMessageA
0x484668 DestroyWindow
0x48466c DestroyMenu
0x484670 DestroyIcon
0x484674 DestroyCursor
0x484678 DeleteMenu
0x48467c DeferWindowPos
0x484680 DefWindowProcA
0x484684 DefMDIChildProcA
0x484688 DefFrameProcA
0x48468c CreatePopupMenu
0x484690 CreateMenu
0x484694 CreateIcon
0x484698 ClientToScreen
0x4846a0 CheckMenuItem
0x4846a4 CallWindowProcA
0x4846a8 CallNextHookEx
0x4846ac BeginPaint
0x4846b0 BeginDeferWindowPos
0x4846b4 CharNextA
0x4846b8 CharLowerBuffA
0x4846bc CharLowerA
0x4846c0 CharToOemA
0x4846c4 AdjustWindowRectEx
Library kernel32.dll:
0x4846d0 Sleep
Library oleaut32.dll:
0x4846d8 SafeArrayPtrOfIndex
0x4846dc SafeArrayGetUBound
0x4846e0 SafeArrayGetLBound
0x4846e4 SafeArrayCreate
0x4846e8 VariantChangeType
0x4846ec VariantCopy
0x4846f0 VariantClear
0x4846f4 VariantInit
Library ole32.dll:
0x4846fc CoTaskMemAlloc
0x484700 CoCreateInstance
0x484704 CoUninitialize
0x484708 CoInitialize
Library comctl32.dll:
0x484718 ImageList_Write
0x48471c ImageList_Read
0x48472c ImageList_DragMove
0x484730 ImageList_DragLeave
0x484734 ImageList_DragEnter
0x484738 ImageList_EndDrag
0x48473c ImageList_BeginDrag
0x484740 ImageList_Remove
0x484744 ImageList_DrawEx
0x484748 ImageList_Draw
0x484758 ImageList_Add
0x484760 ImageList_Destroy
0x484764 ImageList_Create
0x484768 InitCommonControls

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49177 103.233.0.85 missingandfound.com.my 80
192.168.56.101 49181 103.233.0.85 missingandfound.com.my 80
192.168.56.101 49182 103.233.0.85 missingandfound.com.my 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49238 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 50005 239.255.255.250 3702
192.168.56.101 57757 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://missingandfound.com.my/mb/Panel/fre.php 
POST /mb/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: missingandfound.com.my
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 879A4CE0
Content-Length: 169
Connection: close
http://missingandfound.com.my/mb/Panel/fre.php 
POST /mb/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: missingandfound.com.my
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 879A4CE0
Content-Length: 196
Connection: close

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.