Suspicious payload detected into myweb.stedwards.edu/zcarpen/Picture.bmp

Quttera investigation engine statistics of the detected payload/shellcode

Offset of the detected payload: 0

Payload emulation counters:

WRITES_TO_PROCESS_STACK_MEMORY	12
BUFFER_INSIDE_WRITES_COUNT	0
REFERENCES_TO_PROCESS_INTERNALS	0
BUFFER_OUTSIDE_WRITES_COUNT	2
FAR_JUMPS_COUNT	0
FULLY_INITIALIZED_INSTRUCTIONS	91
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES	0
PROC_CALLS_INSIDE_INV_BUFFER	0
BUFFER_OUTSIDE_READS_COUNT	11
UNDEFINED_DIRECT_CALLS	0
JUMPS_INSIDE_INV_BUFFER	8
CORRECTLY_PARSED_INSTRUCTIONS	100
MEMORY_MODIFYING_MATH_INSTRUCTIONS	0
BUFFER_INSIDE_READS_COUNT	0
SYSTEM_CALLS_COUNT	0
UNRECOGNIZED_CALL_TARGETS	0
REFERENCES_TO_PROCESS_IMPORTS	0
CORRECT_PROCEDURES_CALLS	0
EIP_RETRIEVAL_INSTRUCTIONS	0
JUMPS_TO_PROCESS_INTERNALS	0
EXECUTED_ARITHMETIC_INSTRUCTIONS	50
CALLS_TARGETED_IMPORTS_SECTION	0
UNRECOGNIZED_JUMP_TARGETS	0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS	12
REFERENCES_TO_PROCESS_EXPORTS	0
EXECUTES_BITS_OPERATING_INSTRUCTIONS	0
IMMEDIATE_OPERANDS_INSTRUCTIONS	0
INDIRECT_BUFFER_REFERENCES	15
MAX_WRITTEN_MEMORY_BLOCK	0
CORRECTLY_EXECUTED_INSTRUCTIONS	91
READS_FROM_PROCESS_STACK_MEMORY	9
CALLS_TARGETED_EXPORTS_SECTION	0

Detection disassembly:

PUSH 0x7546325A
POPAD
PUSH EDI (0x7546325A)
XOR DS:[EBP + 0x59] (0x00000059),DH (0x00)	;random write instruction
XOR BH (0x00),DS:[EAX] (0x00000000)
JNZ 0x61	;random read instruction
INC ECX (0x00000000)
INC ECX (0x00000001)
INC ESI (0x00000000)
POP EDX (0x00000000)
INC ECX (0x00000002)
INC ECX (0x00000003)
PUSH ECX (0x00000004)
INC ECX (0x00000004)
INC ECX (0x00000005)
INC ECX (0x00000006)
INC EDX (0x7546325A)
XOR AL (0x00),0x4E
PUSH ECX (0x00000007)
PUSH EDI (0x7546325A)
JS 0x30	;random read instruction
POP EDX (0x7546325B)
POP EAX (0x0000004E)
DEC EDX (0x7546325A)
JNZ 0x59	;random read instruction
POP EAX (0x00000007)
POP EAX (0x00000004)
JNO 0x68	;random read instruction
PUSH EDX (0x75463259)
DEC CX (0x0007)
PUSH ESI (0x00000001)
DEC ESI (0x00000001)
INC EBX (0x00006800)
INC ECX (0x00000007)
OUTS DX (0x3259),DWORD DS:[ESI] (0x00000000)
INC ECX (0x00000008)
INC ESP (0x093539E7)
POP EDX (0x75463259)
INC EDI (0x7546325A)
PUSH ECX (0x00000009)
INC EBX (0x00006801)
INC ECX (0x00000009)
CMP DS:[BX + 0x41] (0x00006843),DL (0x00)	;random read instruction
PUSH 0x6D564834
INS ES:[EDI] (0x0000325B),DX (0x0000)	;random write instruction
JP 0x61	;random read instruction
INC ECX (0x0000000A)
INC ECX (0x0000000B)
INC ECX (0x0000000C)
INC ECX (0x0000000D)
INC ECX (0x0000000E)
INC ECX (0x0000000F)
PUSH 0x6B
INC ECX (0x00000010)
INC EDX (0x59000000)
INC ECX (0x00000011)
INC ECX (0x00000012)
INC ECX (0x00000013)
INC ECX (0x00000014)
DEC EAX (0x00000000)
JNBE 0x63	;random read instruction
BOUND EAX (0xFFFFFFFF),DS:[ECX + 0x41] (0x00000056),[0x0000005A] (0x0000005A)	;random read instruction
INC ECX (0x00000015)
INC ECX (0x00000016)
INC ECX (0x00000017)
INC ECX (0x00000018)
INC ESP (0x093539E0)
INC ECX (0x00000019)
POP ECX (0x0000001A)
IMUL EAX (0xFFFFFFFF),DS:[ECX + 0x42] (0x34000042),0x41
INC ECX (0x34000000)
INC ECX (0x34000001)
INC ECX (0x34000002)
DEC EAX (0x00000000)
JNBE 0x6F	;random read instruction
INC EBX (0x00006802)
INC ECX (0x34000003)
DEC ESI (0x00000000)
IMUL EBX (0x00006803),DS:[EDX + 0x41] (0x59000042),0x49
DEC ESP (0x093539E5)
INC ESP (0x093539E4)
XOR DL (0x01),DS:[ECX + 0x57] (0x3400005B)	;random read instruction
INC ECX (0x34000004)
INS ES:[EDI] (0x0000325B),DX (0x0001)	;random write instruction
POP ECX (0x34000005)
PUSH EAX (0xFFFFFFFF)
INC ESP (0x093539E5)
JS 0x59	;random read instruction
INC EBX (0x00000000)
DEC EAX (0xFFFFFFFF)
CMP DS:[BP + 0x62] (0x00000062),EAX (0xFFFFFFFE)	;random read instruction
INS ES:[EDI] (0x0000325B),DX (0x0001)	;random write instruction
INC ESI (0xFFFFFFFF)
IMUL ESP (0x093539E6),DS:[EDX + 0x47] (0x59000048),0x57615756
PUSH ESI (0x00000000)
XOR EDX (0x59000001),DS:[EBP + 0x33] (0x00000033)	;random read instruction
PUSH EDX (0x0D4E3950)
PUSH 0x6E564764
POP EDX (0x0D4E3950)
INC EDI (0x7546325B)