PESCAN.IO - Analysis Report Valid Code

File Structure: (analysis image not reproduced in this text export)
Information:
Size: 5,50 MB
SHA-256 Hash: EBAE4309C6B076AB30549EFB657FBAA776B58CB7FE0D3368FD735A58EC02E9C1
SHA-1 Hash: BC1D5AE7288CAC0ADDEBE0CE4241E0FD197BA12D
MD5 Hash: A6892855B85D5AC12EECEA547D40EB01
Imphash: C4ADF2886224EA0F70DE259DA18F6678
MajorOSVersion: 5
CheckSum: 00000000
EntryPoint (rva): 4FE444
SizeOfHeaders: 400
SizeOfImage: 590000
ImageBase: 400000
Architecture: x86
ExportTable: 54C000
ImportTable: 546000
Characteristics: A18E
TimeDateStamp: 67A4FCE5
Date: 06/02/2025 18:18:13
File Type: DLL
Number Of Sections: 10
ASLR: Disabled
Section Names: .text, .itext, .data, .bss, .idata, .didata, .edata, .rdata, .reloc, .rsrc
Number Of Executable Sections: 2
Subsystem: Windows GUI

Sections Info:
Section Name  Flags                  ROffset  RSize   VOffset  VSize
.text         60000020 (Executable)  400      4FBE00  1000     4FBC74
.itext        60000020 (Executable)  4FC200   1600    4FD000   1490
.data         C0000040 (Writeable)   4FD800   3E000   4FF000   3DFB0
.bss          C0000000 (Writeable)   0        0       53D000   8ED8
.idata        C0000040 (Writeable)   53B800   4200    546000   4182
.didata       C0000040 (Writeable)   53FA00   400     54B000   390
.edata        40000040               53FE00   200     54C000   C5
.rdata        40000040               540000   200     54D000   44
.reloc        42000040               540200   3B400   54E000   3B318
.rsrc         40000040               57B600   5800    58A000   5800
Entry Point:
Section number (2) - (.itext) contains the Entry Point
Information -> EntryPoint (calculated) - 4FD644
Code -> 558BEC83C4C0B8341F8F00E82034B1FF33C0556884E48F0064FF30648920B8CC1E8F00A330069400B801000000E8563AFFFF
PUSH EBP
MOV EBP, ESP
ADD ESP, -0X40
MOV EAX, 0X8F1F34
CALL 0XFFB14430
XOR EAX, EAX
PUSH EBP
PUSH 0X8FE484
PUSH DWORD PTR FS:[EAX]
MOV DWORD PTR FS:[EAX], ESP
MOV EAX, 0X8F1ECC
MOV DWORD PTR [0X940630], EAX
MOV EAX, 1
CALL 0XFFFF4A88

Signatures:
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Compiler: Borland Delphi 7
Detect It Easy (die)
PE: compiler: Embarcadero Delphi(10.2 Tokyo)[-]
PE: linker: Turbo Linker(2.25*,Delphi)[DLL32]
Entropy: 7.17642

Suspicious Functions:
Library       Function                  Description
KERNEL32.DLL  LoadLibraryA              (Possible Call API By Name) Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateToolhelp32Snapshot  (Possible Call API By Name) Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  ReadProcessMemory         (Possible Call API By Name) Reads data from an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress            (Possible Call API By Name) Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
Ws2_32.DLL    socket                    (Possible Call API By Name) Creates a communication endpoint for networking applications.
Ws2_32.DLL    connect                   (Possible Call API By Name) Establishes a connection to a specified socket.
WSOCK32.DLL   Send                      (Possible Call API By Name) The send function sends data on a connected socket.
KERNEL32.DLL  CreateMutexW              Creates a named or unnamed mutex object for controlling access to a shared resource.
KERNEL32.DLL  VirtualAlloc              Reserves, commits, or both, a region of memory within the virtual address space of a process.
KERNEL32.DLL  CopyFileW                 Copies an existing file to a new file.
KERNEL32.DLL  WriteFile                 Writes data to a specified file or input/output (I/O) device.
KERNEL32.DLL  LoadLibraryA              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  LoadLibraryW              Loads the specified module into the address space of the calling process.
KERNEL32.DLL  CreateToolhelp32Snapshot  Creates a snapshot of the specified processes, heaps, threads, and modules.
KERNEL32.DLL  CreateRemoteThread        Creates a thread in the address space of another process.
KERNEL32.DLL  WriteProcessMemory        Writes data to an area of memory in a specified process.
KERNEL32.DLL  GetProcAddress            Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
KERNEL32.DLL  CreateFileA               Creates or opens a file or I/O device.
KERNEL32.DLL  DeleteFileA               Deletes an existing file.
KERNEL32.DLL  IsDebuggerPresent         Determines whether the calling process is being debugged by a user-mode debugger.
USER32.DLL    GetAsyncKeyState          Retrieves the status of a virtual key asynchronously.
Ws2_32.DLL    socket                    Creates a communication endpoint for networking applications.
Ws2_32.DLL    connect                   Establishes a connection to a specified socket.
ADVAPI32.DLL  CryptEncrypt              Performs a cryptographic operation on data in a data block.
ADVAPI32.DLL  CryptDecrypt              Performs a cryptographic operation on data in a data block.
SHELL32.DLL   ShellExecuteExW           Performs a run operation on a specific file.
Windows REG (UNICODE):
Software\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService
Software\Proxy\
Software\Browser\Application\AvastBrowser.exe
Software\Browser
Software\Brave-Browser\Application\brave.exe
Software\Brave-Browser
Software\Browser\User Data
Software\Brave-Browser\User Data
Software\Qualcomm\Eudora\CommandLine\current
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
Software\Tor Project\Firefox\Launcher
Software\Opera Stable
Software\Mozilla
Software\Embarcadero\Locales
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Far\Plugins\FTP\Hosts
SOFTWARE\Far2\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Ghisler\Windows Commander\InstallDir
Software\Ghisler\Windows Commander\FtpIniName
Software\Ghisler\Total Commander\InstallDir
Software\Ghisler\Total Commander\FtpIniName
Software\FlashFXP\3\InstallerDathPath
Software\FlashFXP\4\InstallerDathPath
Software\FlashFXP\path
Software\FlashFXP\3\Install Path
Software\FlashFXP\3\DataFolder
Software\FlashFXP\4\Install Path
Software\FlashFXP\4\DataFolder
Software\FileZilla
Software\BPFTP\Bullet Proof FTP
Software\BPFTP\Bullet Proof FTP\Main\LastSessionFile
Software\BulletProof Software\BulletProof FTP Client\Main\LastSessionFile
Software\BulletProof FTP Client\Main\LastSessionFile
Software\BPFTP\Bullet Proof FTP\Options\SitesDir
Software\BulletProof Software\BulletProof FTP Client\Options\SitesDir
Software\BulletProof FTP Client\Options\SitesDir
Software\BPFTP\InstallDir1
Software\BulletProof FTP Client 2009\sites\Bookmarks\
Software\BulletProof FTP Client\2010\sites\Bookmarks\
Software\BulletProof FTP Client 2009\Default.bps
Software\BulletProof FTP Client\2010\Default.bps
Software\TurboFTP
Software\Sota\FFFTP\CredentialSalt
Software\Sota\FFFTP\CredentialCheck
Software\Sota\FFFTP\Options
Software\CoffeeCup Software\Internet\Proxy
Software\Internet\Proxy
Software\CoffeeCup Software\Internet\Profiles
Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Software\FTP Explorer\Profiles
Software\VanDyke\SecureFX\Config Path
Software\Cryer\WebSitePublisher
Software\Cryer\WebSitePublisher\
Software\ExpanDrive\Sessions
Software\ExpanDrive\Sessions\
Software\NCH Software\ClassicFTP\FTPAccounts
Software\ClassicFTP\FTPAccounts
SOFTWARE\NCH Software\Fling\Accounts
Software\Fling\Accounts
SOFTWARE\NCH Software\Fling\Accounts\
Software\Fling\Accounts\
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
Software\Directory Opus\ConfigFiles\ftp.oxc
Software\Directory Opus\Layouts\System\default.oll
Software\Dev Zero G\FTP Uploader\FTP Uploader\AppRunPath
Software\Martin Prikryl\WinSCP 2\Sessions\
Software\Martin Prikryl\WinSCP 2\Sessions\\
Software\South River Technologies\WebDrive\Connections
Software\South River Technologies\WebDrive\Connections\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path
Software\Opera Software\Last Directory3
Software\Last Directory3
Software\Opera Stable\Web Data
Software\Opera Stable\Login Data
Software\Opera Stable\Default\Web Data
Software\Opera Stable\Default\Login Data
Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
Software\Browser\User Data\
Software\Brave-Browser\User Data\
Software\Opera Stable\Local State
SOFTWARE\Mozilla
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\ProgId
Software\ORL\WinVNC3\Password
Software\PC Remote Control\Restore
Software\FreeCall\FreeCall\Accounts\Username
Software\FreeCall\FreeCall\Accounts\Password
Software\Camfrog\Client
SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
SOFTWARE\Microsoft\Windows\CurrentVersion\DigitalProductId
Software\RimArts\B2\Settings\DataDir
SOFTWARE\RIT\The Bat!
Software\Microsoft\Internet Account Manager\Accounts
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows\NT CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
SOFTWARE\Mozilla\Eudora
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current
Software\Mail.Ru\Agent
Software\Microsoft\Mra
Software\IncrediMail\Identities
Software\Group Mail\InstallPath
Software\Vypress\Auvis\Settings\UserName
Software\Vypress\Auvis\Settings\Password
Software\Poco Systems Inc\PocoMail 4\Path
Software\Poco Systems Inc\PocoMail 3\Path
Software\Forte\Agent\Paths\IniFile
SOFTWARE\Clients\Mail\Scribe\Protocols\mailto\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\POP Peeper\UninstallString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail Commander\UninstallString
Software\Microsoft\Windows Live Mail\Salt
Software\Microsoft\Windows Mail\Salt
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Internet Explorer
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Brave-Browser\
Software\Browser\
Software\Opera Stable\
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
SOFTWARE\Microsoft\Cryptography\MachineGuid
SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildGUID
SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
SYSTEM\ControlSet001\services\
System\CentralProcessor\0\ProcessorNameString
System\default.oll
system\Profiles\Microsoft Outlook Internet Settings
system\Profiles\Outlook
system\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
system\Profiles\9375CFF0413111d3B88A00104B2A6676
System\CentralProcessor\0\Identifier
SYSTEM\ControlSet001\services\SENS\Description
SYSTEM\ControlSet001\services\SENS\DisplayName
SYSTEM\ControlSet001\services\SENS\Group
Rebuilt string - SOFTWARE\Policies\Microsoft\Windows\System
Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run

File Access:
rundll32.exe
forget.dll
rpcrt4.dll
kernel32.dll
user32.dll
advapi32.dll
wtsapi32.dll
shell32.dll
ntdll.dll
Cryptui.dll
crypt32.dll
shlwapi.dll
msvcrt.dll
AVIFIL32.DLL
NetApi32.dll
rasapi32.dll
winmm.dll
iphlpapi.dll
wininet.dll
ws2_32.dll
wsock32.dll
ole32.dll
oleaut32.dll
mpr.dll
version.dll
gdi32.dll
libeay32.dll
2FireDAC.Cokp.Bat
TeslFrameworkFireDAC.Cokp.Bat
)FireDAC.Corp.Scr
FMX.InerhialMovementInStackBzDBaseqcl.DBActnsSystem.Win.ComObjSystem.Win.ComConstData.Bind.ContronsFireDAC.Corp.Scr
System.Sys
dSystem.Sys
Winapi.WinSvcSystem.IOUtilsSystem.MathSystem.SysConstSystem.Sys
Winapi.WinSvcSystem.IOUtilsSystem.MathSystem.Sys
System.Sys
?System.Sys
System.Ini
IdUePBasehWBaseVclTee.TeeriltersVcl.gockTabSetFbreDAC.Phys.DSProxyDelphiFMX.SpinzoxSystem.ZLibSystem.Win.CrtlSystem.Ini
System.Ini
Temp
RootDir
UserProfile
HTML - src /productdespitediversetellingpublic held injoseph theatreaffects<style>a largedoesn'tlater, elementfaviconcreatorhungaryairportsee theso thatmichaelsystemsprograms, and width=e"tradingleft
HTML - src /<h1 class=
HTML - src demonstratedaccomplisheduniversitiesdemographics);</script><dedicated toknowledge ofsatisfactionparticularly</div></div>english (us)appendchild(transmissions. however, intelligence
HTML - src /ihttps://www.world war iitestimonialsfound in therequired to and that thebetween the was designedconsists of considerablypublished bythe languageconservationconsisted ofrefer to theback to the css
HTML - src /distinguishedthousands of communicationclear
HTML - src /(function() {are available<link rel=
HTML - src table class=
HTML - src http://familiar withpossession offunction () {took place inand sometimessubstantially<span></span>is often usedin an attemptgreat deal ofenvironmentalsuccessfully virtually all20th century,professionalsnecessary to determined bycompatibilitybecause it isdictionary ofmodificationsthe followingmay refer to:consequently,internationalalthough somethat would beworld's firstclassified asbottom of the(particularlyalign=
HTML - src /nature of the the people in in addition tos); js.id = id
HTML - src http://interpreted assecond half ofcrolling=
HTML - src http://addeventlistenerresponsible for s.js
HTML - src http://.jpg|right|thumb|.js
HTML - src images/identified by thenatural resourcesclassification ofcan be consideredquantum mechanicsnevertheless, themillion years ago</body></html>take advantage ofand, according toattributed to themicrosoft windowsthe first centuryunder the controldiv class=
HTML - src http://s;text-align:centerfont-weight: bold; according to the difference between
HTML - src http://www.a large number of telecommunications
HTML - src http://an introduction toconsequence of thedeparture from theconfederate statesindigenous peoplesproceedings of theinformation on thetheories have beeninvolvement in thedivided into threeadjacent countriesis responsible fordissolution of thecollaboration withwidely regarded ashis contemporariesfounding member ofdominican republicgenerally acceptedthe possibility ofare also availableunder constructionrestoration of thethe general publicis almost entirelypasses through thehas been suggestedcomputer and videogermanic languages according to the different from theshortly afterwardshref=
HTML - src http://cript
HTML - src http://<script language=
HTML - src http:// style=
HTML - src http://imenglish translationacademy of sciencesdiv style=
HTML - src http://i style="float:referred to as the total population ofin washington, d.c. style=
HTML - src http://
HTML - src http://iparticipation in thethe establishment of</div><div class=
HTML - src http://www.
HTML - src http://option><option value=often referred to as /option><option valu<!doctype html><!--[international airport><a href=
HTML - src http://interested inconventional " alt="" </are generallyhas also beenmost popular correspondingcredited withtyle="border:</a></span></.gif" width="<iframe src="table class="inline-block;according to together withapproximatelyparliamentarymore and moredisplay:none;traditionallypredominantly |  </span> cellspacing=<input name="or" content="controversialproperty="og:/x-shockwave-demonstrationsurrounded bynevertheless,was the firstconsiderable although the collaborationshould not beproportion of<span style="known as the shortly afterfor instance,described as /head><body starting withincreasingly the fact thatdiscussion ofmiddle of thean individualdifficult to point of viewhomosexualityacceptance of</span></div>manufacturersorigin of thecommonly usedimportance ofdenominationsbackground: length of thedeterminationa significant" border="0">revolutionaryprinciples ofis consideredwas developedindo-europeanvulnerable toproponents ofare sometimescloser to thenew york city name=
HTML - src http://according to the </body></html>style="font-size:script language="arial, helvetica,</a><span class="</script><script political partiestd></tr></table><href="http://www.interpretation ofrel="stylesheet" document.write(
HTML - src " target="_blank">on the other hand,.jpg|thumb|right|2</div><div class="<div style="float:nineteenth century</body></html><img src="http://s;text-align:centerfont-weight: bold; according to the difference between" frameborder="0" " style="position:link href="http://html4/loose.dtd">during this period</td></tr></table>closely related tofor the first time;font-weight:bold;input type="text" <span style="font-onreadystatechange<div class="cleardocument.location. for example, the a wide variety of <!doctype html><   "><a href="http://style="float:left;concerned with the=http%3a%2f%2fwww.in popular culturetype="text/css" it is possible to harvard universitytylesheet" href="/the main characteroxford university name="keywords" cstyle="text-align:the united kingdomfederal government<div style="margin depending on the description of the<div class="header.min.js"></script>destruction of theslightly differentin accordance withtelecommunicationsindicates that theshortly thereafte

File Access (UNICODE):
\Mailbox.ini
\accounts.ini
profiles.ini
kernel32.dll
ntdll.dll
user32.dll
PSAPI.dll
crypt32.dll
ole32.dll
userenv.dll
advapi32.dll
psapi.dll
shell32.dll
syswow64\shell32.dll
wsock32.dll
ws2_32.dll
GetLogicalProcessorInformationkernel32.dll
oleaut32.dll
Secur32.dll
pstorec.dll
wininet.dll
wtsapi32.dll
gdi32.dll
Iphlpapi.dll
nss3.dll
vaultcli.dll
libeay32.dll
libcrypto-1_1.dll
ssleay32.dll
libssl-1_1.dll
mpr.dll
rasapi32.dll
rnaph.dll
ZwResumeThreadntdll.dll
exe shell32.dll
Unable to load wsock32.dll
Winsock startup error ws2_32.dll
Unable to load ws2_32.dll
wship6.dll
Unable to load wship6.dll
GetSystemDEPPolicykernel32.dll
User32.dll
opera.exe
msedge.exe
chrome.exe
vivaldi.exe
brave.exe
epic.exe
browser.exe
Aloha Mobile\Aloha\Application\aloha.exe
Yandex\YandexBrowser\Application\browser.exe
BraveSoftware\Brave-Browser\Application\brave.exe
Vivaldi\Application\vivaldi.exe
Epic Privacy Browser\Application\epic.exe
firefox.exe
Google\Chrome\Application\chrome.exe
Mozilla Firefox\firefox.exe
aloha.exe
AvastBrowser.exe
explorer.exe
rundll32.exe
syswow64\rundll32.exe
svchost.exe
syswow64\svchost.exe
0\powershell.exe
taskmgr.exe
regsvr32.exe
system32\svchost.exe
cmd.exe
\Mozilla Firefox\firefox.exe
\rundll32.exe
yandex.exe
\Programs\Opera\launcher.exe
\Opera\launcher.exe
\Microsoft\Edge\Application\msedge.exe
MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
iexplore.exe
lsass.exe
Internet Explorer\iexplore.exe
\Program Files\Mozilla FireFox\firefox.exe
\Mozilla FireFox\firefox.exe
MOZILLA FIREFOX\firefox.exe
Microsoft\Edge\Application\msedge.exe
avast.exe
Aloha.exe
NetScape.txt
Bot.txt
System.txt
ClipBoard.txt
GrabberFiles.txt
Video.txt
Screens.txt
KeyLogger.txt
History.txt
Stealer.txt
Post.txt
\db\profiles.txt
\Mra\Update\ver.txt
3.txt
2.txt
\ftplist.txt
\Mozilla\Firefox\profiles.ini
\POP Peeper\poppeeper.ini
\poppeeper.ini
\PocoMail\poco.ini
\PocoMail\accounts.ini
\poco.ini
\Qualcomm\Eudora\Eudora.ini
\NetDrive\NDSites.ini
\32BitFtp.ini
\win.ini
\wcx_ftp.ini
Exec - cmd.exe /c
Exec - powershell.exe
Exec - powershell.exe add-mppreference -exclusionpath
Temp
WinDir
ProgramFiles
AppData

SQL Queries:
Select GlobalValue FROM "TGlobalSettings" WHERE GlobalName="MagicNumber"
Select ServerName, Url, ServerUser, ServerPass, RemoteDir FROM "TServers"
Select * FROM "logins"
Select * FROM cookies
Select * FROM "logins"
Select * FROM "logins"
Select * FROM "logins"
Select * FROM "credit_cards"
Select * FROM "local_addresses_type_tokens"
Select * FROM "token_service"
Select hostname, encryptedUsername, encryptedPassword, usernameField FROM "moz_logins"
Select * FROM moz_cookies
Select hostname, encryptedUsername, encryptedPassword, usernameField FROM "moz_logins"
Select name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
Select tbl,idx,stat FROM %Q.sqlite_stat1
Select name, rootpage, sql FROM "%w".%s ORDER BY rowid
Insert into %Q.%s VALUES('index',%Q,%Q,%d,%Q);
Insert into %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
Insert into vacuum_db.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM vacuum_db.sqlite_master WHERE type='table'AND coalesce(rootpage,1)>0
Insert into vacuum_db.sqlite_master SELECT*FROM "%w".sqlite_master WHERE type IN('view','trigger') OR(type='table'AND rootpage=0)
Drop table to delete table %s
Select [sql] from sqlite_master where [type] = 'table' and lower(name) = '
Select * FROM Win32_NetworkAdapter
Select * FROM Win32_OperatingSystemJJExecQuery_NewEnum
Select * FROM Win32_ComputerSystem

Interest's Words:
fuck - }:)
Virus
outlook
smtp
ToolBar
Stealer
Encrypt
Decrypt
KeyLogger
Encryption
PassWord
<html
<head
<body
<div
<img
<table
<form
<input
<button
<script
<link
<meta
<title
<iframe
<header
<footer
<section
setTimeout
setInterval
cscript
document.write
exec
window.location
window.open
unescape
attrib
start
pause
regedit
cipher
hostname
nslookup
shutdown
rundll32
systeminfo
certreq
ping
rundll
dism
expand
replace
route
setx

Interest's Words (UNICODE):
outlook
smtp
taskkill
ToolBar
Stealer
Encrypt
Decrypt
KeyLogger
Encryption
PassWord
<html
<input
wscript
exec
powershell
regsvr32
taskkill
attrib
start
pause
cipher
hostname
nslookup
shutdown
rundll32
systeminfo
netcfg
ping
rundll
expand
route

Anti-VM/Sandbox/Debug Tricks:
LabTools - taskmgr
LabTools - regedit

Anti-VM/Sandbox/Debug Tricks (UNICODE):
LabTools - taskmgr

URLs:
http://dictionaryperceptionrevolutionfoundationpx;height:successfulsupportersmillenniumhis
http://mathematicsmargin-top:eventually
http://Descriptionrelatively
http://applicationslink
http://navigation
http://px;
http://www.years
http://interested
http://familiar
http://whether
http://interpreted
http://);
http://addEventListenerresponsible
http://.jpg|right|thumb|.js
http://<a
http://according
http://www.interpretation
http://s;text-align:centerfont-weight:
http://html4/loose.dtd
http://style=
http://staticsuggested
http://www.a
http://An
http://In
http://www./div></div><div
http://cript
http://www.wencodeURIComponent(
http://encoding=
http://www.icon
http://imEnglish
http://i
http://www.<li><a
http://site_name
http://www.hortcut
http://</a></li><li
http://<div
http://iparticipation
http://www.
http://www.w3.org/shortcut
http://xt/css
http://link
http://www.text-decoration:underthe
http://option><option
http://www</a><a
http://w
http://.css
http://www.style=
http://www.css
http://ator
http://www.language=
http://www-//W3C//DTD
http://UA-Compatible
http://www.C//DTD
https://www.World
https://was
https://aIn
https://<div
https://www.recent

URLs (UNICODE):
http://www.w3.org/2001/XMLSchema
http://www.w3.org/2000/xmlns/
http://www.w3.org/2001/XMLSchema-instance

IP Addresses:
127.0.0.1
255.255.255.255
2.5.29.19
2.5.29.37
2.5.29.17
127.0.0.1

Known IP/Domains (UNICODE):
gmail.com
Cloudflare DNS - 1.1.1.1

Strings/Hex Code Found With The File Rules:
Rule Text (Ascii): Unicode escape - \u00 - (Common Unicode escape sequences)
Rule Text (Ascii): WinAPI Sockets (WSACleanup)
Rule Text (Ascii): WinAPI Sockets (bind)
Rule Text (Unicode): WinAPI Sockets (bind)
Rule Text (Ascii): WinAPI Sockets (listen)
Rule Text (Unicode): WinAPI Sockets (listen)
Rule Text (Ascii): WinAPI Sockets (accept)
Rule Text (Unicode): WinAPI Sockets (accept)
Rule Text (Ascii): WinAPI Sockets (connect)
Rule Text (Unicode): WinAPI Sockets (connect)
Rule Text (Ascii): WinAPI Sockets (recv)
Rule Text (Unicode): WinAPI Sockets (recv)
Rule Text (Ascii): WinAPI Sockets (send)
Rule Text (Unicode): WinAPI Sockets (send)
Rule Text (Ascii): Registry (RegCreateKeyEx)
Rule Text (Ascii): Registry (RegOpenKeyEx)
Rule Text (Ascii): Registry (RegSetValueEx)
Rule Text (Ascii): File (GetTempPath)
Rule Text (Ascii): File (CopyFile)
Rule Text (Ascii): File (CreateFile)
Rule Text (Ascii): File (WriteFile)
Rule Text (Ascii): File (ReadFile)
Rule Text (Ascii): Service (OpenSCManager)
Rule Text (Ascii): Service (CreateService)
Rule Text (Ascii): Encryption (Blowfish)
Rule Text (Unicode): Encryption (Blowfish)
Rule Text (Ascii): Encryption (CipherMode)
Rule Text (Unicode): Encryption (Microsoft Enhanced Cryptographic Provider v1.0)
Rule Text (Unicode): Encryption (Rijndael)
Rule Text (Ascii): Encryption API (CryptAcquireContext)
Rule Text (Unicode): Encryption API (CryptAcquireContext)
Rule Text (Ascii): Encryption API (CryptGenKey)
Rule Text (Ascii): Encryption API (CryptDeriveKey)
Rule Text (Ascii): Encryption API (CryptDecrypt)
Rule Text (Ascii): Encryption API (CryptReleaseContext)
Rule Text (Unicode): Encryption API (CryptReleaseContext)
Rule Text (Ascii): Anti-Analysis VM (IsDebuggerPresent)
Rule Text (Ascii): Anti-Analysis VM (GetSystemInfo)
Rule Text (Ascii): Anti-Analysis VM (GlobalMemoryStatusEx)
Rule Text (Ascii): Anti-Analysis VM (GetVersion)
Rule Text (Unicode): Anti-Analysis VM (GetVersion)
Rule Text (Ascii): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Unicode): Anti-Analysis VM (CreateToolhelp32Snapshot)
Rule Text (Ascii): Stealth (VirtualAlloc)
Rule Text (Ascii): Stealth (VirtualProtect)
Rule Text (Unicode): Stealth (ReadProcessMemory)
Rule Text (Ascii): Stealth (CreateRemoteThread)
Rule Text (Ascii): Execution (CreateProcessA)
Rule Text (Ascii): Execution (CreateProcessW)
Rule Text (Unicode): Execution (CreateProcessW)
Rule Text (Ascii): Execution (ShellExecute)
Rule Text (Ascii): Execution (ResumeThread)
Rule Text (Unicode): Execution (ResumeThread)
Rule Text (Ascii): Antivirus Software (rising)
Rule Text (Unicode): Antivirus Software (avast)
Rule Text (Ascii): Antivirus Software (esafe)
Rule Text (Unicode): Privileges (SeAssignPrimaryTokenPrivilege)
Rule Text (Unicode): Privileges (SeDebugPrivilege)
Rule Text (Unicode): Keyboard Key ([TAB])
Rule Text (Unicode): Keyboard Key ([ENTER])
Rule Text (Unicode): Keyboard Key ([TAB])
Rule Text (Ascii): Signal sent from infected system to a command and control server (Beacon)
Rule Text (Ascii): Information used to authenticate a users identity (Credential)
Rule Text (Unicode): Information used to authenticate a users identity (Credential)
Rule Text (Ascii): Process of gathering information about network resources (Enumeration)
Rule Text (Ascii): Technique to insert malicious code into a vulnerable application (Injection)
Rule Text (Ascii): Malware designed to steal sensitive information from a system (Stealer)
Rule Text (Unicode): Malware designed to steal sensitive information from a system (Stealer)
Rule Text (Ascii): Software that records user activity (Logger)
Rule Text (Unicode): Software that records user activity (Logger)
Rule Text (Ascii): Information used for user authentication (Credential)
Rule Text (Unicode): Information used for user authentication (Credential)
Rule Text (Ascii): Unauthorized movement of funds or data (Transfer)
Rule Text (Unicode): Unauthorized movement of funds or data (Transfer)
Rule Text (Ascii): Technique used to insert malicious code into legitimate processes (Inject)
Rule Text (Ascii): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Rule Text (Unicode): Malicious rerouting of traffic to an attacker-controlled site (Redirect)
Rule Text (Ascii): Technique used to capture communications between systems (Intercept)
Rule Text (Ascii): Information gathering related to national security (Intelligence)
Rule Text (Ascii): Related to a particular nation or its government (National)
Rule Text (Ascii): Organization through which a state exercises authority (Government)
Rule Text (Ascii): Public demonstration against policies or actions (Protest)
Rule Text (Ascii): Fair treatment and law enforcement in legal matters (Justice)
EP Rules: Borland Delphi 4.0
EP Rules: Borland Delphi v3.0
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0
EP Rules: TrueVision Targa Graphics format

Resources:
Path DataRVA Size FileOffset CodeText
\STRING\4077\0 58A488 70 57BA88 120049006E00760061006C00690064002000430061006300680065002000460069006C006500160049006E00760061006C00..I.n.v.a.l.i.d. .C.a.c.h.e. .F.i.l.e...I.n.v.a.l.
\STRING\4078\0 58A4F8 248 57BAF8 140048006500620072006500770020002800490053004F002D004C006F0067006900630061006C0029001300480065006200..H.e.b.r.e.w. .(.I.S.O.-.L.o.g.i.c.a.l.)...H.e.b.
\STRING\4079\0 58A740 27C 57BD40 100041007200610062006900630020002800570069006E0064006F007700730029000C00420061006C007400690063002000..A.r.a.b.i.c. .(.W.i.n.d.o.w.s.)...B.a.l.t.i.c. .
\STRING\4080\0 58A9BC 3CC 57BFBC 13004E006F00640065002000630061006E006E006F00740020006200650020006E0075006C006C0020004D00690063007200..N.o.d.e. .c.a.n.n.o.t. .b.e. .n.u.l.l. .M.i.c.r.
\STRING\4081\0 58AD88 4C8 57C388 410055005400460038003A00200054007900700065002000630061006E006E006F0074002000620065002000640065007400A.U.T.F.8.:. .T.y.p.e. .c.a.n.n.o.t. .b.e. .d.e.t.
\STRING\4082\0 58B250 630 57C850 19004F00620073006500720076006500720020006900730020006E006F007400200073007500700070006F00720074006500..O.b.s.e.r.v.e.r. .i.s. .n.o.t. .s.u.p.p.o.r.t.e.
\STRING\4083\0 58B880 308 57CE80 1600570069006E0064006F007700730020005300650072007600650072002000320030003000330020005200320013005700..W.i.n.d.o.w.s. .S.e.r.v.e.r. .2.0.0.3. .R.2...W.
\STRING\4084\0 58BB88 350 57D188 180050006100720061006D006500740065007200200063006F0075006E00740020006D00690073006D006100740063006800..P.a.r.a.m.e.t.e.r. .c.o.u.n.t. .m.i.s.m.a.t.c.h.
\STRING\4085\0 58BED8 468 57D4D8 100049006E00760061006C0069006400200061007200670075006D0065006E00740032004C0065006E006700740068002000..I.n.v.a.l.i.d. .a.r.g.u.m.e.n.t.2.L.e.n.g.t.h. .
\STRING\4086\0 58C340 4D0 57D940 3B00430061006E006E006F0074002000630061006C006C00200043006800650063006B005400650072006D0069006E006100;.C.a.n.n.o.t. .c.a.l.l. .C.h.e.c.k.T.e.r.m.i.n.a.
\STRING\4087\0 58C810 408 57DE10 1D004C00690073007400200069006E0064006500780020006F007500740020006F006600200062006F0075006E0064007300..L.i.s.t. .i.n.d.e.x. .o.u.t. .o.f. .b.o.u.n.d.s.
\STRING\4088\0 58CC18 384 57E218 23004100200063006F006D0070006F006E0065006E00740020006E0061006D0065006400200025007300200061006C007200.A. .c.o.m.p.o.n.e.n.t. .n.a.m.e.d. .%.s. .a.l.r.
\STRING\4089\0 58CF9C 410 57E59C 140049006E00760061006C0069006400200073006F007500720063006500200061007200720061007900190049006E007600..I.n.v.a.l.i.d. .s.o.u.r.c.e. .a.r.r.a.y...I.n.v.
\STRING\4090\0 58D3AC F4 57E9AC 080044006500630065006D006200650072000300530075006E0003004D006F006E0003005400750065000300570065006400..D.e.c.e.m.b.e.r...S.u.n...M.o.n...T.u.e...W.e.d.
\STRING\4091\0 58D4A0 C4 57EAA0 0300410075006700030053006500700003004F006300740003004E006F007600030044006500630007004A0061006E007500..A.u.g...S.e.p...O.c.t...N.o.v...D.e.c...J.a.n.u.
\STRING\4092\0 58D564 268 57EB64 15004F0062006A0065006300740020006C006F0063006B0020006E006F00740020006F0077006E006500640028004D006F00..O.b.j.e.c.t. .l.o.c.k. .n.o.t. .o.w.n.e.d.(.M.o.
\STRING\4093\0 58D7CC 434 57EDCC 250049006E00760061006C00690064002000760061007200690061006E00740020006F007000650072006100740069006F00%.I.n.v.a.l.i.d. .v.a.r.i.a.n.t. .o.p.e.r.a.t.i.o.
\STRING\4094\0 58DC00 360 57F200 280045007800630065007000740069006F006E00200025007300200069006E0020006D006F00640075006C00650020002500(.E.x.c.e.p.t.i.o.n. .%.s. .i.n. .m.o.d.u.l.e. .%.
\STRING\4095\0 58DF60 2DC 57F560 09004400690073006B002000660075006C006C00150049006E00760061006C006900640020006E0075006D00650072006900..D.i.s.k. .f.u.l.l...I.n.v.a.l.i.d. .n.u.m.e.r.i.
\STRING\4096\0 58E23C 378 57F83C 09003C0075006E006B006E006F0077006E003E002100270025007300270020006900730020006E006F007400200061002000..<.u.n.k.n.o.w.n.>.!.'.%.s.'. .i.s. .n.o.t. .a. .
\RCDATA\DVCLAL\0 58E5B4 10 57FBB4 263D4F38C28237B8F3244203179B3A830000108C00000000DD0000000102666F726765740010DC674553542E436C69656E74&=O8..7..$B...:...............forget...gEST.Client
\RCDATA\PACKAGEINFO\0 58E5C4 10E0 57FBC4 0000108C00000000DD0000000102666F726765740010DC674553542E436C69656E7400108753797374656D2E5A6970001018..............forget...gEST.Client...System.Zip...
Intelligent String:
• user32.dll
• msvcrt.dll
• advapi32.dll
• kernel32.dll
• rundll32.exe
• .zip
• RUNDLL32.EXE
• wtsapi32.dll
• ntdll.dll
• .tmp
• 127.0.0.1
• X:\FS_Morff\FS_Temp\2BD851E1A2404CC21D5FC0A36D2A44E4\mainmodule\Vcl.DBCvrls.pas
• .exe
• 0.0.0.0
• Subject Organisation Unit: www.digicert.com
• Subject Organisation Unit: http://www.usertrust.com
• X:\FS_Morff\FS_Temp\2BD851E1A2404CC21D5FC0A36D2A44E4\mainmodule\FireDAk.Moni.RemoteClient.pas
• .der
• .spc
• .pfx
• ws2_32.dll
• wsock32.dll
• X:\FS_Morff\FS_Temp\2BD851E1A2404CC21D5FC0A36D2A44E4\mainmodule\FireDAC.Comp.BanchMove.SQL.pas
• FireDAC.Comp.BanchMove.SQL
• msedge.exe
• AVAST Software\Browser\Application\AvastBrowser.exe
• Yandex\YandexBrowser\Application\browser.exe
• Epic Privacy Browser\Application\epic.exe
• BraveSoftware\Brave-Browser\Application\brave.exe
• Vivaldi\Application\vivaldi.exe
• Aloha Mobile\Aloha\Application\aloha.exe
• opera.exe
• profiles.ini
• www.
• X:\FS_Morff\FS_Temp\2BD851E1A2404CC21D5FC0A36D2A44E4\mainmodule\FMX.bcceleratorKey.Win.pas
• FMX.bcceleratorKey.Win
• explorer.exe
• userenv.dll
• X:\FS_Morff\FS_Temp\2BD851E1A2404CC21D5FC0A36D2A44E4\mainmodule\Vcl.WinHelrViewer.pas
• AvastBrowser.exe
• epic.exe
• brave.exe
• vivaldi.exe
• aloha.exe
• rasapi32.dll
• \accounts.ini
• psapi.dll
• s:\\localhost\root\cimv2
• .ini
• SELECT hostname, encryptedUsername, encryptedPassword, usernameField FROM "moz_logins"
• firefox.exe
• chrome.exe
• logins
• \Login Data
• SELECT * FROM "logins"
• Google\Chrome\Application\chrome.exe
• browser.exe
• Mozilla Firefox\firefox.exe
• www.google.com:443/Please log in to your Gmail account
• www.google.com/Please log in to your Gmail account
• libeay32.dll
• nss3.dll
• Login
• PSAPI.dll
• crypt32.dll
• ole32.dll
• shell32.dll
• :\
• oleaut32.dll
• .bss
• NTDLL.DLL
• d:\TArray<System.Pointer>
• :\cLastIndexOf@
• .xaJ
• Secur32.dll
• pstorec.dll
• wininet.dll
• gdi32.dll
• Iphlpapi.dll
• kernelbase.dll
• .EXE
• http://www.w3.org/2001/XMLSchema
• http://www.w3.org/2001/XMLSchema-instance
• \wcx_ftp.ini
• \win.ini
• History.dat
• Quick.dat
• \Sites.dat
• \Quick.dat
• \History.dat
• \FlashFXP\3\Sites.dat
• \FlashFXP\3\Quick.dat
• \FlashFXP\3\History.dat
• \FlashFXP\4\Sites.dat
• \FlashFXP\4\Quick.dat
• \FlashFXP\4\History.dat
• filezilla.xml
• sitemanager.xml
• recentservers.xml
• \FileZilla.xml
• \FileZilla\sitemanager.xml
• \FileZilla\recentservers.xml
• \ftplist.txt
• .dat
• \BulletProof Software\BulletProof FTP Client 2009\Default.bps
• \BulletProof Software\BulletProof FTP Client\2010\Default.bps
• \*.xml
• \SmartFTP\Favorites.dat
• \SmartFTP\Client 2.0\Favorites\Favorites.dat
• \SmartFTP\History.dat
• \addrbk.dat
• \TurboFTP\addrbk.dat
• \proxylogin
• \FTP Explorer\profiles.xml
• \Frigate3\FtpSite.XML
• \sites.xml
• \FTPRush\RushSite.xml
• \GPSoftware\Directory Opus\ConfigFiles\ftp.oxc
• \GPSoftware\Directory Opus\Layouts\System\default.oll
• \SharedSettings.ccs
• \sites.dat
• \32BitFtp.ini
• me@mysite.com
• \*.prf
• test@test.com
• \NetDrive\NDSites.ini
• SLogin
• vaultcli.dll
• yMX.Ani
• libcrypto-1_1.dll
• ssleay32.dll
• libssl-1_1.dll
• SSL_CTX_set_default_passwd_cb
• SSL_CTX_set_default_passwd_cb_userdata
Extra 4n4lysis:
Metric          Value    Percentage
Ascii Code      3669477  63,5875%
Null Byte Code  685277   11,875%