API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Nov 22nd, 2014
299
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 42.38 KB | None | 0 0
raw download clone embed print report
  1. 2014-11-21 13:46:07,265 - detector - INFO - Starting with process ID 4928
  2. 2014-11-21 13:46:07,265 - detector - INFO - Selected Profile Name: Win7SP1x64
  3. 2014-11-21 13:46:07,265 - detector - INFO - Selected Driver: C:\Users\*******\AppData\Local\Temp\_MEI14322\drivers\winpmem64.sys
  4. 2014-11-21 13:46:07,265 - detector.service - INFO - Launching service destroyer...
  5. 2014-11-21 13:46:07,265 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
  6. 2014-11-21 13:46:07,265 - detector.service - INFO - Trying to stop the winpmem service...
  7. 2014-11-21 13:46:07,265 - detector.service - INFO - Trying to delete the winpmem service...
  8. 2014-11-21 13:46:07,265 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
  9. 2014-11-21 13:46:07,280 - detector.service - INFO - Trying to start the winpmem service...
  10. 2014-11-21 13:46:07,296 - detector - INFO - Service started
  11. 2014-11-21 13:46:07,296 - detector - INFO - Selected Yara signature file at C:\Users\******\AppData\Local\Temp\_MEI14322\rules\signatures.yar
  12. 2014-11-21 13:46:07,296 - detector - INFO - Obtaining address space and generating config for volatility
  13. 2014-11-21 13:46:08,467 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0A01B570>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x09228A50>
  14. 2014-11-21 13:46:08,467 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x09228FD0>, DTB: 0x187000
  15. 2014-11-21 13:46:08,467 - detector - INFO - Starting yara scanner...
  16. 2014-11-21 14:39:28,693 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275036, Value:
  17.  
  18. 73 31 31 31 6f 30 30 30 30 30 30 30 30 2e 64 61 s111o00000000.da
  19. 74 24 73 63 72 65 65 6e 72 65 63 32 00 74 31 31 t$screenrec2.t11
  20. 31 6f 30 30 30 30 30 30 30 30 2e 64 61 74 24 73 1o00000000.dat$s
  21. 63 72 65 65 6e 72 65 63 33 00 66 31 31 33 6f 30 creenrec3.f113o0
  22. 30 30 30 30 30 30 30 2e 64 61 74 24 73 63 72 65 0000000.dat$scre
  23. 65 6e 72 65 63 34 00 77 31 31 34 6f 30 30 30 30 enrec4.w114o0000
  24. 30 30 30 30 2e 64 61 74 24 73 63 72 65 65 6e 72 0000.dat$screenr
  25. 65 63 35 00 75 31 31 32 51 30 30 30 30 30 30 30 ec5.u112Q0000000
  26. 30 2e 64 61 74 24 73 63 72 65 65 6e 72 65 63 36 0.dat$screenrec6
  27. 00 76 31 31 32 51 30 30 30 30 30 30 30 30 2e 64 .v112Q00000000.d
  28. 61 74 24 73 63 72 65 65 6e 72 65 63 37 00 76 31 at$screenrec7.v1
  29. 31 32 4f 30 30 30 30 30 30 30 30 2e 64 61 74 24 12O00000000.dat$
  30. 6d 69 63 72 65 63 00 24 73 6b 79 70 65 72 65 63 micrec.$skyperec
  31. 31 00 5b 25 31 39 73 5d 20 25 32 35 73 3a 20 20 1.[%19s].%25s:..
  32. 20 20 25 73 24 73 6b 79 70 65 72 65 63 32 00 47 ..%s$skyperec2.G
  33. 6c 6f 62 61 6c 5c 7b 41 34 38 46 31 41 33 32 2d lobal\{A48F1A32-
  34.  
  35. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275053, Value:
  36.  
  37. 74 31 31 31 6f 30 30 30 30 30 30 30 30 2e 64 61 t111o00000000.da
  38. 74 24 73 63 72 65 65 6e 72 65 63 33 00 66 31 31 t$screenrec3.f11
  39. 33 6f 30 30 30 30 30 30 30 30 2e 64 61 74 24 73 3o00000000.dat$s
  40. 63 72 65 65 6e 72 65 63 34 00 77 31 31 34 6f 30 creenrec4.w114o0
  41. 30 30 30 30 30 30 30 2e 64 61 74 24 73 63 72 65 0000000.dat$scre
  42. 65 6e 72 65 63 35 00 75 31 31 32 51 30 30 30 30 enrec5.u112Q0000
  43. 30 30 30 30 2e 64 61 74 24 73 63 72 65 65 6e 72 0000.dat$screenr
  44. 65 63 36 00 76 31 31 32 51 30 30 30 30 30 30 30 ec6.v112Q0000000
  45. 30 2e 64 61 74 24 73 63 72 65 65 6e 72 65 63 37 0.dat$screenrec7
  46. 00 76 31 31 32 4f 30 30 30 30 30 30 30 30 2e 64 .v112O00000000.d
  47. 61 74 24 6d 69 63 72 65 63 00 24 73 6b 79 70 65 at$micrec.$skype
  48. 72 65 63 31 00 5b 25 31 39 73 5d 20 25 32 35 73 rec1.[%19s].%25s
  49. 3a 20 20 20 20 25 73 24 73 6b 79 70 65 72 65 63 :....%s$skyperec
  50. 32 00 47 6c 6f 62 61 6c 5c 7b 41 34 38 46 31 41 2.Global\{A48F1A
  51. 33 32 2d 41 33 34 30 2d 31 31 44 30 2d 42 43 36 32-A340-11D0-BC6
  52. 42 2d 30 30 41 30 43 39 30 33 25 2e 30 34 58 7d B-00A0C903%.04X}
  53.  
  54. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275070, Value:
  55.  
  56. 66 31 31 33 6f 30 30 30 30 30 30 30 30 2e 64 61 f113o00000000.da
  57. 74 24 73 63 72 65 65 6e 72 65 63 34 00 77 31 31 t$screenrec4.w11
  58. 34 6f 30 30 30 30 30 30 30 30 2e 64 61 74 24 73 4o00000000.dat$s
  59. 63 72 65 65 6e 72 65 63 35 00 75 31 31 32 51 30 creenrec5.u112Q0
  60. 30 30 30 30 30 30 30 2e 64 61 74 24 73 63 72 65 0000000.dat$scre
  61. 65 6e 72 65 63 36 00 76 31 31 32 51 30 30 30 30 enrec6.v112Q0000
  62. 30 30 30 30 2e 64 61 74 24 73 63 72 65 65 6e 72 0000.dat$screenr
  63. 65 63 37 00 76 31 31 32 4f 30 30 30 30 30 30 30 ec7.v112O0000000
  64. 30 2e 64 61 74 24 6d 69 63 72 65 63 00 24 73 6b 0.dat$micrec.$sk
  65. 79 70 65 72 65 63 31 00 5b 25 31 39 73 5d 20 25 yperec1.[%19s].%
  66. 32 35 73 3a 20 20 20 20 25 73 24 73 6b 79 70 65 25s:....%s$skype
  67. 72 65 63 32 00 47 6c 6f 62 61 6c 5c 7b 41 34 38 rec2.Global\{A48
  68. 46 31 41 33 32 2d 41 33 34 30 2d 31 31 44 30 2d F1A32-A340-11D0-
  69. 42 43 36 42 2d 30 30 41 30 43 39 30 33 25 2e 30 BC6B-00A0C903%.0
  70. 34 58 7d 24 73 6b 79 70 65 72 65 63 33 00 24 6d 4X}$skyperec3.$m
  71. 6f 75 73 65 72 65 63 31 00 6d 73 63 31 38 33 51 ouserec1.msc183Q
  72.  
  73. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x6827508D, Value:
  74.  
  75. 77 31 31 34 6f 30 30 30 30 30 30 30 30 2e 64 61 w114o00000000.da
  76. 74 24 73 63 72 65 65 6e 72 65 63 35 00 75 31 31 t$screenrec5.u11
  77. 32 51 30 30 30 30 30 30 30 30 2e 64 61 74 24 73 2Q00000000.dat$s
  78. 63 72 65 65 6e 72 65 63 36 00 76 31 31 32 51 30 creenrec6.v112Q0
  79. 30 30 30 30 30 30 30 2e 64 61 74 24 73 63 72 65 0000000.dat$scre
  80. 65 6e 72 65 63 37 00 76 31 31 32 4f 30 30 30 30 enrec7.v112O0000
  81. 30 30 30 30 2e 64 61 74 24 6d 69 63 72 65 63 00 0000.dat$micrec.
  82. 24 73 6b 79 70 65 72 65 63 31 00 5b 25 31 39 73 $skyperec1.[%19s
  83. 5d 20 25 32 35 73 3a 20 20 20 20 25 73 24 73 6b ].%25s:....%s$sk
  84. 79 70 65 72 65 63 32 00 47 6c 6f 62 61 6c 5c 7b yperec2.Global\{
  85. 41 34 38 46 31 41 33 32 2d 41 33 34 30 2d 31 31 A48F1A32-A340-11
  86. 44 30 2d 42 43 36 42 2d 30 30 41 30 43 39 30 33 D0-BC6B-00A0C903
  87. 25 2e 30 34 58 7d 24 73 6b 79 70 65 72 65 63 33 %.04X}$skyperec3
  88. 00 24 6d 6f 75 73 65 72 65 63 31 00 6d 73 63 31 .$mouserec1.msc1
  89. 38 33 51 30 30 30 2e 64 61 74 24 6d 6f 75 73 65 83Q000.dat$mouse
  90. 72 65 63 32 00 24 64 72 69 76 65 72 00 5c 5c 5c rec2.$driver.\\\
  91.  
  92. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682750AA, Value:
  93.  
  94. 75 31 31 32 51 30 30 30 30 30 30 30 30 2e 64 61 u112Q00000000.da
  95. 74 24 73 63 72 65 65 6e 72 65 63 36 00 76 31 31 t$screenrec6.v11
  96. 32 51 30 30 30 30 30 30 30 30 2e 64 61 74 24 73 2Q00000000.dat$s
  97. 63 72 65 65 6e 72 65 63 37 00 76 31 31 32 4f 30 creenrec7.v112O0
  98. 30 30 30 30 30 30 30 2e 64 61 74 24 6d 69 63 72 0000000.dat$micr
  99. 65 63 00 24 73 6b 79 70 65 72 65 63 31 00 5b 25 ec.$skyperec1.[%
  100. 31 39 73 5d 20 25 32 35 73 3a 20 20 20 20 25 73 19s].%25s:....%s
  101. 24 73 6b 79 70 65 72 65 63 32 00 47 6c 6f 62 61 $skyperec2.Globa
  102. 6c 5c 7b 41 34 38 46 31 41 33 32 2d 41 33 34 30 l\{A48F1A32-A340
  103. 2d 31 31 44 30 2d 42 43 36 42 2d 30 30 41 30 43 -11D0-BC6B-00A0C
  104. 39 30 33 25 2e 30 34 58 7d 24 73 6b 79 70 65 72 903%.04X}$skyper
  105. 65 63 33 00 24 6d 6f 75 73 65 72 65 63 31 00 6d ec3.$mouserec1.m
  106. 73 63 31 38 33 51 30 30 30 2e 64 61 74 24 6d 6f sc183Q000.dat$mo
  107. 75 73 65 72 65 63 32 00 24 64 72 69 76 65 72 00 userec2.$driver.
  108. 5c 5c 5c 5c 2e 5c 5c 64 72 69 76 65 72 77 24 6a \\\\.\\driverw$j
  109. 61 6e 65 64 6f 77 31 00 4a 61 6e 65 20 44 6f 77 anedow1.Jane.Dow
  110.  
  111. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682750C7, Value:
  112.  
  113. 76 31 31 32 51 30 30 30 30 30 30 30 30 2e 64 61 v112Q00000000.da
  114. 74 24 73 63 72 65 65 6e 72 65 63 37 00 76 31 31 t$screenrec7.v11
  115. 32 4f 30 30 30 30 30 30 30 30 2e 64 61 74 24 6d 2O00000000.dat$m
  116. 69 63 72 65 63 00 24 73 6b 79 70 65 72 65 63 31 icrec.$skyperec1
  117. 00 5b 25 31 39 73 5d 20 25 32 35 73 3a 20 20 20 .[%19s].%25s:...
  118. 20 25 73 24 73 6b 79 70 65 72 65 63 32 00 47 6c .%s$skyperec2.Gl
  119. 6f 62 61 6c 5c 7b 41 34 38 46 31 41 33 32 2d 41 obal\{A48F1A32-A
  120. 33 34 30 2d 31 31 44 30 2d 42 43 36 42 2d 30 30 340-11D0-BC6B-00
  121. 41 30 43 39 30 33 25 2e 30 34 58 7d 24 73 6b 79 A0C903%.04X}$sky
  122. 70 65 72 65 63 33 00 24 6d 6f 75 73 65 72 65 63 perec3.$mouserec
  123. 31 00 6d 73 63 31 38 33 51 30 30 30 2e 64 61 74 1.msc183Q000.dat
  124. 24 6d 6f 75 73 65 72 65 63 32 00 24 64 72 69 76 $mouserec2.$driv
  125. 65 72 00 5c 5c 5c 5c 2e 5c 5c 64 72 69 76 65 72 er.\\\\.\\driver
  126. 77 24 6a 61 6e 65 64 6f 77 31 00 4a 61 6e 65 20 w$janedow1.Jane.
  127. 44 6f 77 27 73 20 78 33 32 20 6d 61 63 68 69 6e Dow's.x32.machin
  128. 65 24 6a 61 6e 65 64 6f 77 32 00 4a 61 6e 65 20 e$janedow2.Jane.
  129.  
  130. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682750E4, Value:
  131.  
  132. 76 31 31 32 4f 30 30 30 30 30 30 30 30 2e 64 61 v112O00000000.da
  133. 74 24 6d 69 63 72 65 63 00 24 73 6b 79 70 65 72 t$micrec.$skyper
  134. 65 63 31 00 5b 25 31 39 73 5d 20 25 32 35 73 3a ec1.[%19s].%25s:
  135. 20 20 20 20 25 73 24 73 6b 79 70 65 72 65 63 32 ....%s$skyperec2
  136. 00 47 6c 6f 62 61 6c 5c 7b 41 34 38 46 31 41 33 .Global\{A48F1A3
  137. 32 2d 41 33 34 30 2d 31 31 44 30 2d 42 43 36 42 2-A340-11D0-BC6B
  138. 2d 30 30 41 30 43 39 30 33 25 2e 30 34 58 7d 24 -00A0C903%.04X}$
  139. 73 6b 79 70 65 72 65 63 33 00 24 6d 6f 75 73 65 skyperec3.$mouse
  140. 72 65 63 31 00 6d 73 63 31 38 33 51 30 30 30 2e rec1.msc183Q000.
  141. 64 61 74 24 6d 6f 75 73 65 72 65 63 32 00 24 64 dat$mouserec2.$d
  142. 72 69 76 65 72 00 5c 5c 5c 5c 2e 5c 5c 64 72 69 river.\\\\.\\dri
  143. 76 65 72 77 24 6a 61 6e 65 64 6f 77 31 00 4a 61 verw$janedow1.Ja
  144. 6e 65 20 44 6f 77 27 73 20 78 33 32 20 6d 61 63 ne.Dow's.x32.mac
  145. 68 69 6e 65 24 6a 61 6e 65 64 6f 77 32 00 4a 61 hine$janedow2.Ja
  146. 6e 65 20 44 6f 77 27 73 20 78 36 34 20 6d 61 63 ne.Dow's.x64.mac
  147. 68 69 6e 65 24 76 65 72 73 69 6f 6e 73 31 00 66 hine$versions1.f
  148.  
  149. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275108, Value:
  150.  
  151. 5b 25 31 39 73 5d 20 25 32 35 73 3a 20 20 20 20 [%19s].%25s:....
  152. 25 73 24 73 6b 79 70 65 72 65 63 32 00 47 6c 6f %s$skyperec2.Glo
  153. 62 61 6c 5c 7b 41 34 38 46 31 41 33 32 2d 41 33 bal\{A48F1A32-A3
  154. 34 30 2d 31 31 44 30 2d 42 43 36 42 2d 30 30 41 40-11D0-BC6B-00A
  155. 30 43 39 30 33 25 2e 30 34 58 7d 24 73 6b 79 70 0C903%.04X}$skyp
  156. 65 72 65 63 33 00 24 6d 6f 75 73 65 72 65 63 31 erec3.$mouserec1
  157. 00 6d 73 63 31 38 33 51 30 30 30 2e 64 61 74 24 .msc183Q000.dat$
  158. 6d 6f 75 73 65 72 65 63 32 00 24 64 72 69 76 65 mouserec2.$drive
  159. 72 00 5c 5c 5c 5c 2e 5c 5c 64 72 69 76 65 72 77 r.\\\\.\\driverw
  160. 24 6a 61 6e 65 64 6f 77 31 00 4a 61 6e 65 20 44 $janedow1.Jane.D
  161. 6f 77 27 73 20 78 33 32 20 6d 61 63 68 69 6e 65 ow's.x32.machine
  162. 24 6a 61 6e 65 64 6f 77 32 00 4a 61 6e 65 20 44 $janedow2.Jane.D
  163. 6f 77 27 73 20 78 36 34 20 6d 61 63 68 69 6e 65 ow's.x64.machine
  164. 24 76 65 72 73 69 6f 6e 73 31 00 66 69 6e 73 70 $versions1.finsp
  165. 79 76 32 24 76 65 72 73 69 6f 6e 73 32 00 66 69 yv2$versions2.fi
  166. 6e 73 70 79 76 34 24 62 6f 6f 74 6b 69 74 31 00 nspyv4$bootkit1.
  167.  
  168. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275169, Value:
  169.  
  170. 6d 73 63 31 38 33 51 30 30 30 2e 64 61 74 24 6d msc183Q000.dat$m
  171. 6f 75 73 65 72 65 63 32 00 24 64 72 69 76 65 72 ouserec2.$driver
  172. 00 5c 5c 5c 5c 2e 5c 5c 64 72 69 76 65 72 77 24 .\\\\.\\driverw$
  173. 6a 61 6e 65 64 6f 77 31 00 4a 61 6e 65 20 44 6f janedow1.Jane.Do
  174. 77 27 73 20 78 33 32 20 6d 61 63 68 69 6e 65 24 w's.x32.machine$
  175. 6a 61 6e 65 64 6f 77 32 00 4a 61 6e 65 20 44 6f janedow2.Jane.Do
  176. 77 27 73 20 78 36 34 20 6d 61 63 68 69 6e 65 24 w's.x64.machine$
  177. 76 65 72 73 69 6f 6e 73 31 00 66 69 6e 73 70 79 versions1.finspy
  178. 76 32 24 76 65 72 73 69 6f 6e 73 32 00 66 69 6e v2$versions2.fin
  179. 73 70 79 76 34 24 62 6f 6f 74 6b 69 74 31 00 62 spyv4$bootkit1.b
  180. 6f 6f 74 6b 69 74 5f 78 33 32 64 72 69 76 65 72 ootkit_x32driver
  181. 24 62 6f 6f 74 6b 69 74 32 00 62 6f 6f 74 6b 69 $bootkit2.bootki
  182. 74 5f 78 36 34 64 72 69 76 65 72 24 74 79 70 6f t_x64driver$typo
  183. 31 00 53 63 72 65 65 6e 53 68 6f 72 74 20 52 65 1.ScreenShort.Re
  184. 63 6f 72 64 69 6e 67 24 6d 73 73 6f 75 6e 64 64 cording$mssoundd
  185. 78 00 53 79 73 74 65 6d 5c 43 75 72 72 65 6e 74 x.System\Current
  186.  
  187. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x6827518A, Value:
  188.  
  189. 5c 5c 5c 5c 2e 5c 5c 64 72 69 76 65 72 77 24 6a \\\\.\\driverw$j
  190. 61 6e 65 64 6f 77 31 00 4a 61 6e 65 20 44 6f 77 anedow1.Jane.Dow
  191. 27 73 20 78 33 32 20 6d 61 63 68 69 6e 65 24 6a 's.x32.machine$j
  192. 61 6e 65 64 6f 77 32 00 4a 61 6e 65 20 44 6f 77 anedow2.Jane.Dow
  193. 27 73 20 78 36 34 20 6d 61 63 68 69 6e 65 24 76 's.x64.machine$v
  194. 65 72 73 69 6f 6e 73 31 00 66 69 6e 73 70 79 76 ersions1.finspyv
  195. 32 24 76 65 72 73 69 6f 6e 73 32 00 66 69 6e 73 2$versions2.fins
  196. 70 79 76 34 24 62 6f 6f 74 6b 69 74 31 00 62 6f pyv4$bootkit1.bo
  197. 6f 74 6b 69 74 5f 78 33 32 64 72 69 76 65 72 24 otkit_x32driver$
  198. 62 6f 6f 74 6b 69 74 32 00 62 6f 6f 74 6b 69 74 bootkit2.bootkit
  199. 5f 78 36 34 64 72 69 76 65 72 24 74 79 70 6f 31 _x64driver$typo1
  200. 00 53 63 72 65 65 6e 53 68 6f 72 74 20 52 65 63 .ScreenShort.Rec
  201. 6f 72 64 69 6e 67 24 6d 73 73 6f 75 6e 64 64 78 ording$mssounddx
  202. 00 53 79 73 74 65 6d 5c 43 75 72 72 65 6e 74 43 .System\CurrentC
  203. 6f 6e 74 72 6f 6c 53 65 74 5c 53 65 72 76 69 63 ontrolSet\Servic
  204. 65 73 5c 6d 73 73 6f 75 6e 64 64 78 46 69 6e 53 es\mssounddxFinS
  205.  
  206. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751A2, Value:
  207.  
  208. 4a 61 6e 65 20 44 6f 77 27 73 20 78 33 32 20 6d Jane.Dow's.x32.m
  209. 61 63 68 69 6e 65 24 6a 61 6e 65 64 6f 77 32 00 achine$janedow2.
  210. 4a 61 6e 65 20 44 6f 77 27 73 20 78 36 34 20 6d Jane.Dow's.x64.m
  211. 61 63 68 69 6e 65 24 76 65 72 73 69 6f 6e 73 31 achine$versions1
  212. 00 66 69 6e 73 70 79 76 32 24 76 65 72 73 69 6f .finspyv2$versio
  213. 6e 73 32 00 66 69 6e 73 70 79 76 34 24 62 6f 6f ns2.finspyv4$boo
  214. 74 6b 69 74 31 00 62 6f 6f 74 6b 69 74 5f 78 33 tkit1.bootkit_x3
  215. 32 64 72 69 76 65 72 24 62 6f 6f 74 6b 69 74 32 2driver$bootkit2
  216. 00 62 6f 6f 74 6b 69 74 5f 78 36 34 64 72 69 76 .bootkit_x64driv
  217. 65 72 24 74 79 70 6f 31 00 53 63 72 65 65 6e 53 er$typo1.ScreenS
  218. 68 6f 72 74 20 52 65 63 6f 72 64 69 6e 67 24 6d hort.Recording$m
  219. 73 73 6f 75 6e 64 64 78 00 53 79 73 74 65 6d 5c ssounddx.System\
  220. 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 CurrentControlSe
  221. 74 5c 53 65 72 76 69 63 65 73 5c 6d 73 73 6f 75 t\Services\mssou
  222. 6e 64 64 78 46 69 6e 53 70 79 00 64 65 74 65 63 nddxFinSpy.detec
  223. 74 69 6f 6e 00 53 68 61 64 6f 77 54 65 63 68 20 tion.ShadowTech.
  224.  
  225. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751C2, Value:
  226.  
  227. 4a 61 6e 65 20 44 6f 77 27 73 20 78 36 34 20 6d Jane.Dow's.x64.m
  228. 61 63 68 69 6e 65 24 76 65 72 73 69 6f 6e 73 31 achine$versions1
  229. 00 66 69 6e 73 70 79 76 32 24 76 65 72 73 69 6f .finspyv2$versio
  230. 6e 73 32 00 66 69 6e 73 70 79 76 34 24 62 6f 6f ns2.finspyv4$boo
  231. 74 6b 69 74 31 00 62 6f 6f 74 6b 69 74 5f 78 33 tkit1.bootkit_x3
  232. 32 64 72 69 76 65 72 24 62 6f 6f 74 6b 69 74 32 2driver$bootkit2
  233. 00 62 6f 6f 74 6b 69 74 5f 78 36 34 64 72 69 76 .bootkit_x64driv
  234. 65 72 24 74 79 70 6f 31 00 53 63 72 65 65 6e 53 er$typo1.ScreenS
  235. 68 6f 72 74 20 52 65 63 6f 72 64 69 6e 67 24 6d hort.Recording$m
  236. 73 73 6f 75 6e 64 64 78 00 53 79 73 74 65 6d 5c ssounddx.System\
  237. 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 CurrentControlSe
  238. 74 5c 53 65 72 76 69 63 65 73 5c 6d 73 73 6f 75 t\Services\mssou
  239. 6e 64 64 78 46 69 6e 53 70 79 00 64 65 74 65 63 nddxFinSpy.detec
  240. 74 69 6f 6e 00 53 68 61 64 6f 77 54 65 63 68 20 tion.ShadowTech.
  241. 52 41 54 00 24 73 74 72 69 6e 67 31 00 23 53 74 RAT.$string1.#St
  242. 72 69 6e 67 73 24 73 74 72 69 6e 67 32 00 23 47 rings$string2.#G
  243.  
  244. 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751E3, Value:
  245.  
  246. 66 69 6e 73 70 79 76 32 24 76 65 72 73 69 6f 6e finspyv2$version
  247. 73 32 00 66 69 6e 73 70 79 76 34 24 62 6f 6f 74 s2.finspyv4$boot
  248. 6b 69 74 31 00 62 6f 6f 74 6b 69 74 5f 78 33 32 kit1.bootkit_x32
  249. 64 72 69 76 65 72 24 62 6f 6f 74 6b 69 74 32 00 driver$bootkit2.
  250. 62 6f 6f 74 6b 69 74 5f 78 36 34 64 72 69 76 65 bootkit_x64drive
  251. 72 24 74 79 70 6f 31 00 53 63 72 65 65 6e 53 68 r$typo1.ScreenSh
  252. 6f 72 74 20 52 65 63 6f 72 64 69 6e 67 24 6d 73 ort.Recording$ms
  253. 73 6f 75 6e 64 64 78 00 53 79 73 74 65 6d 5c 43 sounddx.System\C
  254. 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 urrentControlSet
  255. 5c 53 65 72 76 69 63 65 73 5c 6d 73 73 6f 75 6e \Services\mssoun
  256. 64 64 78 46 69 6e 53 70 79 00 64 65 74 65 63 74 ddxFinSpy.detect
  257. 69 6f 6e 00 53 68 61 64 6f 77 54 65 63 68 20 52 ion.ShadowTech.R
  258. 41 54 00 24 73 74 72 69 6e 67 31 00 23 53 74 72 AT.$string1.#Str
  259. 69 6e 67 73 24 73 74 72 69 6e 67 32 00 23 47 55 ings$string2.#GU
  260. 49 44 24 73 74 72 69 6e 67 33 00 23 42 6c 6f 62 ID$string3.#Blob
  261. 24 73 74 72 69 6e 67 34 00 53 68 61 64 6f 77 54 $string4.ShadowT
  262.  
  263. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751F6, Value:
  264.  
  265. 66 69 6e 73 70 79 76 34 24 62 6f 6f 74 6b 69 74 finspyv4$bootkit
  266. 31 00 62 6f 6f 74 6b 69 74 5f 78 33 32 64 72 69 1.bootkit_x32dri
  267. 76 65 72 24 62 6f 6f 74 6b 69 74 32 00 62 6f 6f ver$bootkit2.boo
  268. 74 6b 69 74 5f 78 36 34 64 72 69 76 65 72 24 74 tkit_x64driver$t
  269. 79 70 6f 31 00 53 63 72 65 65 6e 53 68 6f 72 74 ypo1.ScreenShort
  270. 20 52 65 63 6f 72 64 69 6e 67 24 6d 73 73 6f 75 .Recording$mssou
  271. 6e 64 64 78 00 53 79 73 74 65 6d 5c 43 75 72 72 nddx.System\Curr
  272. 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 53 65 entControlSet\Se
  273. 72 76 69 63 65 73 5c 6d 73 73 6f 75 6e 64 64 78 rvices\mssounddx
  274. 46 69 6e 53 70 79 00 64 65 74 65 63 74 69 6f 6e FinSpy.detection
  275. 00 53 68 61 64 6f 77 54 65 63 68 20 52 41 54 00 .ShadowTech.RAT.
  276. 24 73 74 72 69 6e 67 31 00 23 53 74 72 69 6e 67 $string1.#String
  277. 73 24 73 74 72 69 6e 67 32 00 23 47 55 49 44 24 s$string2.#GUID$
  278. 73 74 72 69 6e 67 33 00 23 42 6c 6f 62 24 73 74 string3.#Blob$st
  279. 72 69 6e 67 34 00 53 68 61 64 6f 77 54 65 63 68 ring4.ShadowTech
  280. 20 52 61 74 2e 65 78 65 24 73 74 72 69 6e 67 35 .Rat.exe$string5
  281.  
  282. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275208, Value:
  283.  
  284. 62 6f 6f 74 6b 69 74 5f 78 33 32 64 72 69 76 65 bootkit_x32drive
  285. 72 24 62 6f 6f 74 6b 69 74 32 00 62 6f 6f 74 6b r$bootkit2.bootk
  286. 69 74 5f 78 36 34 64 72 69 76 65 72 24 74 79 70 it_x64driver$typ
  287. 6f 31 00 53 63 72 65 65 6e 53 68 6f 72 74 20 52 o1.ScreenShort.R
  288. 65 63 6f 72 64 69 6e 67 24 6d 73 73 6f 75 6e 64 ecording$mssound
  289. 64 78 00 53 79 73 74 65 6d 5c 43 75 72 72 65 6e dx.System\Curren
  290. 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 53 65 72 76 tControlSet\Serv
  291. 69 63 65 73 5c 6d 73 73 6f 75 6e 64 64 78 46 69 ices\mssounddxFi
  292. 6e 53 70 79 00 64 65 74 65 63 74 69 6f 6e 00 53 nSpy.detection.S
  293. 68 61 64 6f 77 54 65 63 68 20 52 41 54 00 24 73 hadowTech.RAT.$s
  294. 74 72 69 6e 67 31 00 23 53 74 72 69 6e 67 73 24 tring1.#Strings$
  295. 73 74 72 69 6e 67 32 00 23 47 55 49 44 24 73 74 string2.#GUID$st
  296. 72 69 6e 67 33 00 23 42 6c 6f 62 24 73 74 72 69 ring3.#Blob$stri
  297. 6e 67 34 00 53 68 61 64 6f 77 54 65 63 68 20 52 ng4.ShadowTech.R
  298. 61 74 2e 65 78 65 24 73 74 72 69 6e 67 35 00 53 at.exe$string5.S
  299. 68 61 64 6f 77 54 65 63 68 5f 52 61 74 53 68 61 hadowTech_RatSha
  300.  
  301. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275223, Value:
  302.  
  303. 62 6f 6f 74 6b 69 74 5f 78 36 34 64 72 69 76 65 bootkit_x64drive
  304. 72 24 74 79 70 6f 31 00 53 63 72 65 65 6e 53 68 r$typo1.ScreenSh
  305. 6f 72 74 20 52 65 63 6f 72 64 69 6e 67 24 6d 73 ort.Recording$ms
  306. 73 6f 75 6e 64 64 78 00 53 79 73 74 65 6d 5c 43 sounddx.System\C
  307. 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 urrentControlSet
  308. 5c 53 65 72 76 69 63 65 73 5c 6d 73 73 6f 75 6e \Services\mssoun
  309. 64 64 78 46 69 6e 53 70 79 00 64 65 74 65 63 74 ddxFinSpy.detect
  310. 69 6f 6e 00 53 68 61 64 6f 77 54 65 63 68 20 52 ion.ShadowTech.R
  311. 41 54 00 24 73 74 72 69 6e 67 31 00 23 53 74 72 AT.$string1.#Str
  312. 69 6e 67 73 24 73 74 72 69 6e 67 32 00 23 47 55 ings$string2.#GU
  313. 49 44 24 73 74 72 69 6e 67 33 00 23 42 6c 6f 62 ID$string3.#Blob
  314. 24 73 74 72 69 6e 67 34 00 53 68 61 64 6f 77 54 $string4.ShadowT
  315. 65 63 68 20 52 61 74 2e 65 78 65 24 73 74 72 69 ech.Rat.exe$stri
  316. 6e 67 35 00 53 68 61 64 6f 77 54 65 63 68 5f 52 ng5.ShadowTech_R
  317. 61 74 53 68 61 64 6f 77 54 65 63 68 00 64 65 74 atShadowTech.det
  318. 65 63 74 69 6f 6e 00 47 68 30 73 74 00 24 00 47 ection.Gh0st.$.G
  319.  
  320. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752AF, Value:
  321.  
  322. 23 53 74 72 69 6e 67 73 24 73 74 72 69 6e 67 32 #Strings$string2
  323. 00 23 47 55 49 44 24 73 74 72 69 6e 67 33 00 23 .#GUID$string3.#
  324. 42 6c 6f 62 24 73 74 72 69 6e 67 34 00 53 68 61 Blob$string4.Sha
  325. 64 6f 77 54 65 63 68 20 52 61 74 2e 65 78 65 24 dowTech.Rat.exe$
  326. 73 74 72 69 6e 67 35 00 53 68 61 64 6f 77 54 65 string5.ShadowTe
  327. 63 68 5f 52 61 74 53 68 61 64 6f 77 54 65 63 68 ch_RatShadowTech
  328. 00 64 65 74 65 63 74 69 6f 6e 00 47 68 30 73 74 .detection.Gh0st
  329. 00 24 00 47 68 6f 73 74 24 00 69 6e 66 6c 61 74 .$.Ghost$.inflat
  330. 65 20 31 2e 31 2e 34 20 43 6f 70 79 72 69 67 68 e.1.1.4.Copyrigh
  331. 74 20 31 39 39 35 2d 32 30 30 32 20 4d 61 72 6b t.1995-2002.Mark
  332. 20 41 64 6c 65 72 24 00 64 65 66 6c 61 74 65 20 .Adler$.deflate.
  333. 31 2e 31 2e 34 20 43 6f 70 79 72 69 67 68 74 20 1.1.4.Copyright.
  334. 31 39 39 35 2d 32 30 30 32 20 4a 65 61 6e 2d 6c 1995-2002.Jean-l
  335. 6f 75 70 20 47 61 69 6c 6c 79 24 00 25 73 5c 73 oup.Gailly$.%s\s
  336. 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e hell\open\comman
  337. 64 24 00 47 65 74 43 6c 69 70 62 6f 61 72 64 44 d$.GetClipboardD
  338.  
  339. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752C0, Value:
  340.  
  341. 23 47 55 49 44 24 73 74 72 69 6e 67 33 00 23 42 #GUID$string3.#B
  342. 6c 6f 62 24 73 74 72 69 6e 67 34 00 53 68 61 64 lob$string4.Shad
  343. 6f 77 54 65 63 68 20 52 61 74 2e 65 78 65 24 73 owTech.Rat.exe$s
  344. 74 72 69 6e 67 35 00 53 68 61 64 6f 77 54 65 63 tring5.ShadowTec
  345. 68 5f 52 61 74 53 68 61 64 6f 77 54 65 63 68 00 h_RatShadowTech.
  346. 64 65 74 65 63 74 69 6f 6e 00 47 68 30 73 74 00 detection.Gh0st.
  347. 24 00 47 68 6f 73 74 24 00 69 6e 66 6c 61 74 65 $.Ghost$.inflate
  348. 20 31 2e 31 2e 34 20 43 6f 70 79 72 69 67 68 74 .1.1.4.Copyright
  349. 20 31 39 39 35 2d 32 30 30 32 20 4d 61 72 6b 20 .1995-2002.Mark.
  350. 41 64 6c 65 72 24 00 64 65 66 6c 61 74 65 20 31 Adler$.deflate.1
  351. 2e 31 2e 34 20 43 6f 70 79 72 69 67 68 74 20 31 .1.4.Copyright.1
  352. 39 39 35 2d 32 30 30 32 20 4a 65 61 6e 2d 6c 6f 995-2002.Jean-lo
  353. 75 70 20 47 61 69 6c 6c 79 24 00 25 73 5c 73 68 up.Gailly$.%s\sh
  354. 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 ell\open\command
  355. 24 00 47 65 74 43 6c 69 70 62 6f 61 72 64 44 61 $.GetClipboardDa
  356. 74 61 24 00 57 72 69 74 65 50 72 6f 63 65 73 73 ta$.WriteProcess
  357.  
  358. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752CE, Value:
  359.  
  360. 23 42 6c 6f 62 24 73 74 72 69 6e 67 34 00 53 68 #Blob$string4.Sh
  361. 61 64 6f 77 54 65 63 68 20 52 61 74 2e 65 78 65 adowTech.Rat.exe
  362. 24 73 74 72 69 6e 67 35 00 53 68 61 64 6f 77 54 $string5.ShadowT
  363. 65 63 68 5f 52 61 74 53 68 61 64 6f 77 54 65 63 ech_RatShadowTec
  364. 68 00 64 65 74 65 63 74 69 6f 6e 00 47 68 30 73 h.detection.Gh0s
  365. 74 00 24 00 47 68 6f 73 74 24 00 69 6e 66 6c 61 t.$.Ghost$.infla
  366. 74 65 20 31 2e 31 2e 34 20 43 6f 70 79 72 69 67 te.1.1.4.Copyrig
  367. 68 74 20 31 39 39 35 2d 32 30 30 32 20 4d 61 72 ht.1995-2002.Mar
  368. 6b 20 41 64 6c 65 72 24 00 64 65 66 6c 61 74 65 k.Adler$.deflate
  369. 20 31 2e 31 2e 34 20 43 6f 70 79 72 69 67 68 74 .1.1.4.Copyright
  370. 20 31 39 39 35 2d 32 30 30 32 20 4a 65 61 6e 2d .1995-2002.Jean-
  371. 6c 6f 75 70 20 47 61 69 6c 6c 79 24 00 25 73 5c loup.Gailly$.%s\
  372. 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 shell\open\comma
  373. 6e 64 24 00 47 65 74 43 6c 69 70 62 6f 61 72 64 nd$.GetClipboard
  374. 44 61 74 61 24 00 57 72 69 74 65 50 72 6f 63 65 Data$.WriteProce
  375. 73 73 4d 65 6d 6f 72 79 24 00 41 64 6a 75 73 74 ssMemory$.Adjust
  376.  
  377. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752DC, Value:
  378.  
  379. 53 68 61 64 6f 77 54 65 63 68 20 52 61 74 2e 65 ShadowTech.Rat.e
  380. 78 65 24 73 74 72 69 6e 67 35 00 53 68 61 64 6f xe$string5.Shado
  381. 77 54 65 63 68 5f 52 61 74 53 68 61 64 6f 77 54 wTech_RatShadowT
  382. 65 63 68 00 64 65 74 65 63 74 69 6f 6e 00 47 68 ech.detection.Gh
  383. 30 73 74 00 24 00 47 68 6f 73 74 24 00 69 6e 66 0st.$.Ghost$.inf
  384. 6c 61 74 65 20 31 2e 31 2e 34 20 43 6f 70 79 72 late.1.1.4.Copyr
  385. 69 67 68 74 20 31 39 39 35 2d 32 30 30 32 20 4d ight.1995-2002.M
  386. 61 72 6b 20 41 64 6c 65 72 24 00 64 65 66 6c 61 ark.Adler$.defla
  387. 74 65 20 31 2e 31 2e 34 20 43 6f 70 79 72 69 67 te.1.1.4.Copyrig
  388. 68 74 20 31 39 39 35 2d 32 30 30 32 20 4a 65 61 ht.1995-2002.Jea
  389. 6e 2d 6c 6f 75 70 20 47 61 69 6c 6c 79 24 00 25 n-loup.Gailly$.%
  390. 73 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f 6d s\shell\open\com
  391. 6d 61 6e 64 24 00 47 65 74 43 6c 69 70 62 6f 61 mand$.GetClipboa
  392. 72 64 44 61 74 61 24 00 57 72 69 74 65 50 72 6f rdData$.WritePro
  393. 63 65 73 73 4d 65 6d 6f 72 79 24 00 41 64 6a 75 cessMemory$.Adju
  394. 73 74 54 6f 6b 65 6e 50 72 69 76 69 6c 65 67 65 stTokenPrivilege
  395.  
  396. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752F7, Value:
  397.  
  398. 53 68 61 64 6f 77 54 65 63 68 5f 52 61 74 53 68 ShadowTech_RatSh
  399. 61 64 6f 77 54 65 63 68 00 64 65 74 65 63 74 69 adowTech.detecti
  400. 6f 6e 00 47 68 30 73 74 00 24 00 47 68 6f 73 74 on.Gh0st.$.Ghost
  401. 24 00 69 6e 66 6c 61 74 65 20 31 2e 31 2e 34 20 $.inflate.1.1.4.
  402. 43 6f 70 79 72 69 67 68 74 20 31 39 39 35 2d 32 Copyright.1995-2
  403. 30 30 32 20 4d 61 72 6b 20 41 64 6c 65 72 24 00 002.Mark.Adler$.
  404. 64 65 66 6c 61 74 65 20 31 2e 31 2e 34 20 43 6f deflate.1.1.4.Co
  405. 70 79 72 69 67 68 74 20 31 39 39 35 2d 32 30 30 pyright.1995-200
  406. 32 20 4a 65 61 6e 2d 6c 6f 75 70 20 47 61 69 6c 2.Jean-loup.Gail
  407. 6c 79 24 00 25 73 5c 73 68 65 6c 6c 5c 6f 70 65 ly$.%s\shell\ope
  408. 6e 5c 63 6f 6d 6d 61 6e 64 24 00 47 65 74 43 6c n\command$.GetCl
  409. 69 70 62 6f 61 72 64 44 61 74 61 24 00 57 72 69 ipboardData$.Wri
  410. 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 24 teProcessMemory$
  411. 00 41 64 6a 75 73 74 54 6f 6b 65 6e 50 72 69 76 .AdjustTokenPriv
  412. 69 6c 65 67 65 73 24 00 57 69 6e 53 74 61 30 5c ileges$.WinSta0\
  413. 44 65 66 61 75 6c 74 24 00 23 33 32 37 37 30 24 Default$.#32770$
  414.  
  415. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275322, Value:
  416.  
  417. 47 68 6f 73 74 24 00 69 6e 66 6c 61 74 65 20 31 Ghost$.inflate.1
  418. 2e 31 2e 34 20 43 6f 70 79 72 69 67 68 74 20 31 .1.4.Copyright.1
  419. 39 39 35 2d 32 30 30 32 20 4d 61 72 6b 20 41 64 995-2002.Mark.Ad
  420. 6c 65 72 24 00 64 65 66 6c 61 74 65 20 31 2e 31 ler$.deflate.1.1
  421. 2e 34 20 43 6f 70 79 72 69 67 68 74 20 31 39 39 .4.Copyright.199
  422. 35 2d 32 30 30 32 20 4a 65 61 6e 2d 6c 6f 75 70 5-2002.Jean-loup
  423. 20 47 61 69 6c 6c 79 24 00 25 73 5c 73 68 65 6c .Gailly$.%s\shel
  424. 6c 5c 6f 70 65 6e 5c 63 6f 6d 6d 61 6e 64 24 00 l\open\command$.
  425. 47 65 74 43 6c 69 70 62 6f 61 72 64 44 61 74 61 GetClipboardData
  426. 24 00 57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 $.WriteProcessMe
  427. 6d 6f 72 79 24 00 41 64 6a 75 73 74 54 6f 6b 65 mory$.AdjustToke
  428. 6e 50 72 69 76 69 6c 65 67 65 73 24 00 57 69 6e nPrivileges$.Win
  429. 53 74 61 30 5c 44 65 66 61 75 6c 74 24 00 23 33 Sta0\Default$.#3
  430. 32 37 37 30 24 00 23 33 32 37 37 31 24 00 23 33 2770$.#32771$.#3
  431. 32 37 37 32 24 00 23 33 32 37 37 34 47 68 30 73 2772$.#32774Gh0s
  432. 74 00 00 00 00 00 76 42 d6 20 71 8e 06 08 00 21 t.....vB..q....!
  433.  
  434. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275329, Value:
  435.  
  436. 69 6e 66 6c 61 74 65 20 31 2e 31 2e 34 20 43 6f inflate.1.1.4.Co
  437. 70 79 72 69 67 68 74 20 31 39 39 35 2d 32 30 30 pyright.1995-200
  438. 32 20 4d 61 72 6b 20 41 64 6c 65 72 24 00 64 65 2.Mark.Adler$.de
  439. 66 6c 61 74 65 20 31 2e 31 2e 34 20 43 6f 70 79 flate.1.1.4.Copy
  440. 72 69 67 68 74 20 31 39 39 35 2d 32 30 30 32 20 right.1995-2002.
  441. 4a 65 61 6e 2d 6c 6f 75 70 20 47 61 69 6c 6c 79 Jean-loup.Gailly
  442. 24 00 25 73 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c $.%s\shell\open\
  443. 63 6f 6d 6d 61 6e 64 24 00 47 65 74 43 6c 69 70 command$.GetClip
  444. 62 6f 61 72 64 44 61 74 61 24 00 57 72 69 74 65 boardData$.Write
  445. 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 24 00 41 ProcessMemory$.A
  446. 64 6a 75 73 74 54 6f 6b 65 6e 50 72 69 76 69 6c djustTokenPrivil
  447. 65 67 65 73 24 00 57 69 6e 53 74 61 30 5c 44 65 eges$.WinSta0\De
  448. 66 61 75 6c 74 24 00 23 33 32 37 37 30 24 00 23 fault$.#32770$.#
  449. 33 32 37 37 31 24 00 23 33 32 37 37 32 24 00 23 32771$.#32772$.#
  450. 33 32 37 37 34 47 68 30 73 74 00 00 00 00 00 76 32774Gh0st.....v
  451. 42 d6 20 71 8e 06 08 00 21 ae 0a 08 30 aa 0a 0c B..q....!...0...
  452.  
  453. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275357, Value:
  454.  
  455. 64 65 66 6c 61 74 65 20 31 2e 31 2e 34 20 43 6f deflate.1.1.4.Co
  456. 70 79 72 69 67 68 74 20 31 39 39 35 2d 32 30 30 pyright.1995-200
  457. 32 20 4a 65 61 6e 2d 6c 6f 75 70 20 47 61 69 6c 2.Jean-loup.Gail
  458. 6c 79 24 00 25 73 5c 73 68 65 6c 6c 5c 6f 70 65 ly$.%s\shell\ope
  459. 6e 5c 63 6f 6d 6d 61 6e 64 24 00 47 65 74 43 6c n\command$.GetCl
  460. 69 70 62 6f 61 72 64 44 61 74 61 24 00 57 72 69 ipboardData$.Wri
  461. 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 24 teProcessMemory$
  462. 00 41 64 6a 75 73 74 54 6f 6b 65 6e 50 72 69 76 .AdjustTokenPriv
  463. 69 6c 65 67 65 73 24 00 57 69 6e 53 74 61 30 5c ileges$.WinSta0\
  464. 44 65 66 61 75 6c 74 24 00 23 33 32 37 37 30 24 Default$.#32770$
  465. 00 23 33 32 37 37 31 24 00 23 33 32 37 37 32 24 .#32771$.#32772$
  466. 00 23 33 32 37 37 34 47 68 30 73 74 00 00 00 00 .#32774Gh0st....
  467. 00 76 42 d6 20 71 8e 06 08 00 21 ae 0a 08 30 aa .vB..q....!...0.
  468. 0a 0c 00 00 00 c0 d0 e0 f0 24 9e dd 59 00 00 00 .........$..Y...
  469. 88 61 13 00 00 48 f4 a5 0a 2a 9e dd 59 00 00 00 .a...H...*..Y...
  470. 88 69 13 00 00 58 f4 a5 0a 28 9e dd 59 00 00 00 .i...X...(..Y...
  471.  
  472. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x6827538B, Value:
  473.  
  474. 25 73 5c 73 68 65 6c 6c 5c 6f 70 65 6e 5c 63 6f %s\shell\open\co
  475. 6d 6d 61 6e 64 24 00 47 65 74 43 6c 69 70 62 6f mmand$.GetClipbo
  476. 61 72 64 44 61 74 61 24 00 57 72 69 74 65 50 72 ardData$.WritePr
  477. 6f 63 65 73 73 4d 65 6d 6f 72 79 24 00 41 64 6a ocessMemory$.Adj
  478. 75 73 74 54 6f 6b 65 6e 50 72 69 76 69 6c 65 67 ustTokenPrivileg
  479. 65 73 24 00 57 69 6e 53 74 61 30 5c 44 65 66 61 es$.WinSta0\Defa
  480. 75 6c 74 24 00 23 33 32 37 37 30 24 00 23 33 32 ult$.#32770$.#32
  481. 37 37 31 24 00 23 33 32 37 37 32 24 00 23 33 32 771$.#32772$.#32
  482. 37 37 34 47 68 30 73 74 00 00 00 00 00 76 42 d6 774Gh0st.....vB.
  483. 20 71 8e 06 08 00 21 ae 0a 08 30 aa 0a 0c 00 00 .q....!...0.....
  484. 00 c0 d0 e0 f0 24 9e dd 59 00 00 00 88 61 13 00 .....$..Y....a..
  485. 00 48 f4 a5 0a 2a 9e dd 59 00 00 00 88 69 13 00 .H...*..Y....i..
  486. 00 58 f4 a5 0a 28 9e dd 59 00 00 00 88 71 13 00 .X...(..Y....q..
  487. 00 68 f4 a5 0a 2e 9e dd 59 00 00 00 88 7a 13 00 .h......Y....z..
  488. 00 78 f4 a5 0a 2c 9e dd 59 00 00 00 88 82 13 00 .x...,..Y.......
  489. 00 88 f4 a5 0a 32 9e dd 59 00 00 00 88 8a 13 00 .....2..Y.......
  490.  
  491. 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753A2, Value:
  492.  
  493. 47 65 74 43 6c 69 70 62 6f 61 72 64 44 61 74 61 GetClipboardData
  494. 24 00 57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 $.WriteProcessMe
  495. 6d 6f 72 79 24 00 41 64 6a 75 73 74 54 6f 6b 65 mory$.AdjustToke
  496. 6e 50 72 69 76 69 6c 65 67 65 73 24 00 57 69 6e nPrivileges$.Win
  497. 53 74 61 30 5c 44 65 66 61 75 6c 74 24 00 23 33 Sta0\Default$.#3
  498. 32 37 37 30 24 00 23 33 32 37 37 31 24 00 23 33 2770$.#32771$.#3
  499. 32 37 37 32 24 00 23 33 32 37 37 34 47 68 30 73 2772$.#32774Gh0s
  500. 74 00 00 00 00 00 76 42 d6 20 71 8e 06 08 00 21 t.....vB..q....!
  501. ae 0a 08 30 aa 0a 0c 00 00 00 c0 d0 e0 f0 24 9e ...0..........$.
  502. dd 59 00 00 00 88 61 13 00 00 48 f4 a5 0a 2a 9e .Y....a...H...*.
  503. dd 59 00 00 00 88 69 13 00 00 58 f4 a5 0a 28 9e .Y....i...X...(.
  504. dd 59 00 00 00 88 71 13 00 00 68 f4 a5 0a 2e 9e .Y....q...h.....
  505. dd 59 00 00 00 88 7a 13 00 00 78 f4 a5 0a 2c 9e .Y....z...x...,.
  506. dd 59 00 00 00 88 82 13 00 00 88 f4 a5 0a 32 9e .Y............2.
  507. dd 59 00 00 00 88 8a 13 00 00 98 f4 a5 0a 30 9e .Y............0.
  508. dd 59 00 00 00 88 93 13 00 00 a8 f4 a5 0a 36 9e .Y............6.
  509.  
  510. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753B4, Value:
  511.  
  512. 57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f WriteProcessMemo
  513. 72 79 24 00 41 64 6a 75 73 74 54 6f 6b 65 6e 50 ry$.AdjustTokenP
  514. 72 69 76 69 6c 65 67 65 73 24 00 57 69 6e 53 74 rivileges$.WinSt
  515. 61 30 5c 44 65 66 61 75 6c 74 24 00 23 33 32 37 a0\Default$.#327
  516. 37 30 24 00 23 33 32 37 37 31 24 00 23 33 32 37 70$.#32771$.#327
  517. 37 32 24 00 23 33 32 37 37 34 47 68 30 73 74 00 72$.#32774Gh0st.
  518. 00 00 00 00 76 42 d6 20 71 8e 06 08 00 21 ae 0a ....vB..q....!..
  519. 08 30 aa 0a 0c 00 00 00 c0 d0 e0 f0 24 9e dd 59 .0..........$..Y
  520. 00 00 00 88 61 13 00 00 48 f4 a5 0a 2a 9e dd 59 ....a...H...*..Y
  521. 00 00 00 88 69 13 00 00 58 f4 a5 0a 28 9e dd 59 ....i...X...(..Y
  522. 00 00 00 88 71 13 00 00 68 f4 a5 0a 2e 9e dd 59 ....q...h......Y
  523. 00 00 00 88 7a 13 00 00 78 f4 a5 0a 2c 9e dd 59 ....z...x...,..Y
  524. 00 00 00 88 82 13 00 00 88 f4 a5 0a 32 9e dd 59 ............2..Y
  525. 00 00 00 88 8a 13 00 00 98 f4 a5 0a 30 9e dd 59 ............0..Y
  526. 00 00 00 88 93 13 00 00 a8 f4 a5 0a 36 9e dd 59 ............6..Y
  527. 00 00 00 88 9b 13 00 00 b8 f4 a5 0a 34 9e dd 59 ............4..Y
  528.  
  529. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753C8, Value:
  530.  
  531. 41 64 6a 75 73 74 54 6f 6b 65 6e 50 72 69 76 69 AdjustTokenPrivi
  532. 6c 65 67 65 73 24 00 57 69 6e 53 74 61 30 5c 44 leges$.WinSta0\D
  533. 65 66 61 75 6c 74 24 00 23 33 32 37 37 30 24 00 efault$.#32770$.
  534. 23 33 32 37 37 31 24 00 23 33 32 37 37 32 24 00 #32771$.#32772$.
  535. 23 33 32 37 37 34 47 68 30 73 74 00 00 00 00 00 #32774Gh0st.....
  536. 76 42 d6 20 71 8e 06 08 00 21 ae 0a 08 30 aa 0a vB..q....!...0..
  537. 0c 00 00 00 c0 d0 e0 f0 24 9e dd 59 00 00 00 88 ........$..Y....
  538. 61 13 00 00 48 f4 a5 0a 2a 9e dd 59 00 00 00 88 a...H...*..Y....
  539. 69 13 00 00 58 f4 a5 0a 28 9e dd 59 00 00 00 88 i...X...(..Y....
  540. 71 13 00 00 68 f4 a5 0a 2e 9e dd 59 00 00 00 88 q...h......Y....
  541. 7a 13 00 00 78 f4 a5 0a 2c 9e dd 59 00 00 00 88 z...x...,..Y....
  542. 82 13 00 00 88 f4 a5 0a 32 9e dd 59 00 00 00 88 ........2..Y....
  543. 8a 13 00 00 98 f4 a5 0a 30 9e dd 59 00 00 00 88 ........0..Y....
  544. 93 13 00 00 a8 f4 a5 0a 36 9e dd 59 00 00 00 88 ........6..Y....
  545. 9b 13 00 00 b8 f4 a5 0a 34 9e dd 59 00 00 00 88 ........4..Y....
  546. a5 13 00 00 c8 f4 a5 0a 3a 9e dd 59 00 00 00 88 ........:..Y....
  547.  
  548. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753DF, Value:
  549.  
  550. 57 69 6e 53 74 61 30 5c 44 65 66 61 75 6c 74 24 WinSta0\Default$
  551. 00 23 33 32 37 37 30 24 00 23 33 32 37 37 31 24 .#32770$.#32771$
  552. 00 23 33 32 37 37 32 24 00 23 33 32 37 37 34 47 .#32772$.#32774G
  553. 68 30 73 74 00 00 00 00 00 76 42 d6 20 71 8e 06 h0st.....vB..q..
  554. 08 00 21 ae 0a 08 30 aa 0a 0c 00 00 00 c0 d0 e0 ..!...0.........
  555. f0 24 9e dd 59 00 00 00 88 61 13 00 00 48 f4 a5 .$..Y....a...H..
  556. 0a 2a 9e dd 59 00 00 00 88 69 13 00 00 58 f4 a5 .*..Y....i...X..
  557. 0a 28 9e dd 59 00 00 00 88 71 13 00 00 68 f4 a5 .(..Y....q...h..
  558. 0a 2e 9e dd 59 00 00 00 88 7a 13 00 00 78 f4 a5 ....Y....z...x..
  559. 0a 2c 9e dd 59 00 00 00 88 82 13 00 00 88 f4 a5 .,..Y...........
  560. 0a 32 9e dd 59 00 00 00 88 8a 13 00 00 98 f4 a5 .2..Y...........
  561. 0a 30 9e dd 59 00 00 00 88 93 13 00 00 a8 f4 a5 .0..Y...........
  562. 0a 36 9e dd 59 00 00 00 88 9b 13 00 00 b8 f4 a5 .6..Y...........
  563. 0a 34 9e dd 59 00 00 00 88 a5 13 00 00 c8 f4 a5 .4..Y...........
  564. 0a 3a 9e dd 59 00 00 00 88 ad 13 00 00 d8 f4 a5 .:..Y...........
  565. 0a 38 9e dd 59 00 00 00 88 b5 13 00 00 e8 f4 a5 .8..Y...........
  566.  
  567. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753F0, Value:
  568.  
  569. 23 33 32 37 37 30 24 00 23 33 32 37 37 31 24 00 #32770$.#32771$.
  570. 23 33 32 37 37 32 24 00 23 33 32 37 37 34 47 68 #32772$.#32774Gh
  571. 30 73 74 00 00 00 00 00 76 42 d6 20 71 8e 06 08 0st.....vB..q...
  572. 00 21 ae 0a 08 30 aa 0a 0c 00 00 00 c0 d0 e0 f0 .!...0..........
  573. 24 9e dd 59 00 00 00 88 61 13 00 00 48 f4 a5 0a $..Y....a...H...
  574. 2a 9e dd 59 00 00 00 88 69 13 00 00 58 f4 a5 0a *..Y....i...X...
  575. 28 9e dd 59 00 00 00 88 71 13 00 00 68 f4 a5 0a (..Y....q...h...
  576. 2e 9e dd 59 00 00 00 88 7a 13 00 00 78 f4 a5 0a ...Y....z...x...
  577. 2c 9e dd 59 00 00 00 88 82 13 00 00 88 f4 a5 0a ,..Y............
  578. 32 9e dd 59 00 00 00 88 8a 13 00 00 98 f4 a5 0a 2..Y............
  579. 30 9e dd 59 00 00 00 88 93 13 00 00 a8 f4 a5 0a 0..Y............
  580. 36 9e dd 59 00 00 00 88 9b 13 00 00 b8 f4 a5 0a 6..Y............
  581. 34 9e dd 59 00 00 00 88 a5 13 00 00 c8 f4 a5 0a 4..Y............
  582. 3a 9e dd 59 00 00 00 88 ad 13 00 00 d8 f4 a5 0a :..Y............
  583. 38 9e dd 59 00 00 00 88 b5 13 00 00 e8 f4 a5 0a 8..Y............
  584. 3e 9e dd 59 00 00 00 88 bd 13 00 00 f8 f4 a5 0a >..Y............
  585.  
  586. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753F8, Value:
  587.  
  588. 23 33 32 37 37 31 24 00 23 33 32 37 37 32 24 00 #32771$.#32772$.
  589. 23 33 32 37 37 34 47 68 30 73 74 00 00 00 00 00 #32774Gh0st.....
  590. 76 42 d6 20 71 8e 06 08 00 21 ae 0a 08 30 aa 0a vB..q....!...0..
  591. 0c 00 00 00 c0 d0 e0 f0 24 9e dd 59 00 00 00 88 ........$..Y....
  592. 61 13 00 00 48 f4 a5 0a 2a 9e dd 59 00 00 00 88 a...H...*..Y....
  593. 69 13 00 00 58 f4 a5 0a 28 9e dd 59 00 00 00 88 i...X...(..Y....
  594. 71 13 00 00 68 f4 a5 0a 2e 9e dd 59 00 00 00 88 q...h......Y....
  595. 7a 13 00 00 78 f4 a5 0a 2c 9e dd 59 00 00 00 88 z...x...,..Y....
  596. 82 13 00 00 88 f4 a5 0a 32 9e dd 59 00 00 00 88 ........2..Y....
  597. 8a 13 00 00 98 f4 a5 0a 30 9e dd 59 00 00 00 88 ........0..Y....
  598. 93 13 00 00 a8 f4 a5 0a 36 9e dd 59 00 00 00 88 ........6..Y....
  599. 9b 13 00 00 b8 f4 a5 0a 34 9e dd 59 00 00 00 88 ........4..Y....
  600. a5 13 00 00 c8 f4 a5 0a 3a 9e dd 59 00 00 00 88 ........:..Y....
  601. ad 13 00 00 d8 f4 a5 0a 38 9e dd 59 00 00 00 88 ........8..Y....
  602. b5 13 00 00 e8 f4 a5 0a 3e 9e dd 59 00 00 00 88 ........>..Y....
  603. bd 13 00 00 f8 f4 a5 0a 3c 9e dd 59 00 00 00 88 ........<..Y....
  604.  
  605. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275400, Value:
  606.  
  607. 23 33 32 37 37 32 24 00 23 33 32 37 37 34 47 68 #32772$.#32774Gh
  608. 30 73 74 00 00 00 00 00 76 42 d6 20 71 8e 06 08 0st.....vB..q...
  609. 00 21 ae 0a 08 30 aa 0a 0c 00 00 00 c0 d0 e0 f0 .!...0..........
  610. 24 9e dd 59 00 00 00 88 61 13 00 00 48 f4 a5 0a $..Y....a...H...
  611. 2a 9e dd 59 00 00 00 88 69 13 00 00 58 f4 a5 0a *..Y....i...X...
  612. 28 9e dd 59 00 00 00 88 71 13 00 00 68 f4 a5 0a (..Y....q...h...
  613. 2e 9e dd 59 00 00 00 88 7a 13 00 00 78 f4 a5 0a ...Y....z...x...
  614. 2c 9e dd 59 00 00 00 88 82 13 00 00 88 f4 a5 0a ,..Y............
  615. 32 9e dd 59 00 00 00 88 8a 13 00 00 98 f4 a5 0a 2..Y............
  616. 30 9e dd 59 00 00 00 88 93 13 00 00 a8 f4 a5 0a 0..Y............
  617. 36 9e dd 59 00 00 00 88 9b 13 00 00 b8 f4 a5 0a 6..Y............
  618. 34 9e dd 59 00 00 00 88 a5 13 00 00 c8 f4 a5 0a 4..Y............
  619. 3a 9e dd 59 00 00 00 88 ad 13 00 00 d8 f4 a5 0a :..Y............
  620. 38 9e dd 59 00 00 00 88 b5 13 00 00 e8 f4 a5 0a 8..Y............
  621. 3e 9e dd 59 00 00 00 88 bd 13 00 00 f8 f4 a5 0a >..Y............
  622. 3c 9e dd 59 00 00 00 88 c6 13 00 00 08 f5 a5 0a <..Y............
  623.  
  624. 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275408, Value:
  625.  
  626. 23 33 32 37 37 34 47 68 30 73 74 00 00 00 00 00 #32774Gh0st.....
  627. 76 42 d6 20 71 8e 06 08 00 21 ae 0a 08 30 aa 0a vB..q....!...0..
  628. 0c 00 00 00 c0 d0 e0 f0 24 9e dd 59 00 00 00 88 ........$..Y....
  629. 61 13 00 00 48 f4 a5 0a 2a 9e dd 59 00 00 00 88 a...H...*..Y....
  630. 69 13 00 00 58 f4 a5 0a 28 9e dd 59 00 00 00 88 i...X...(..Y....
  631. 71 13 00 00 68 f4 a5 0a 2e 9e dd 59 00 00 00 88 q...h......Y....
  632. 7a 13 00 00 78 f4 a5 0a 2c 9e dd 59 00 00 00 88 z...x...,..Y....
  633. 82 13 00 00 88 f4 a5 0a 32 9e dd 59 00 00 00 88 ........2..Y....
  634. 8a 13 00 00 98 f4 a5 0a 30 9e dd 59 00 00 00 88 ........0..Y....
  635. 93 13 00 00 a8 f4 a5 0a 36 9e dd 59 00 00 00 88 ........6..Y....
  636. 9b 13 00 00 b8 f4 a5 0a 34 9e dd 59 00 00 00 88 ........4..Y....
  637. a5 13 00 00 c8 f4 a5 0a 3a 9e dd 59 00 00 00 88 ........:..Y....
  638. ad 13 00 00 d8 f4 a5 0a 38 9e dd 59 00 00 00 88 ........8..Y....
  639. b5 13 00 00 e8 f4 a5 0a 3e 9e dd 59 00 00 00 88 ........>..Y....
  640. bd 13 00 00 f8 f4 a5 0a 3c 9e dd 59 00 00 00 88 ........<..Y....
  641. c6 13 00 00 08 f5 a5 0a 02 9e dd 59 00 00 00 88 ...........Y....
  642.  
  643. 2014-11-21 15:22:57,411 - detector - INFO - Scanning finished
  644. 2014-11-21 15:22:57,411 - detector.service - INFO - Trying to stop the winpmem service...
  645. 2014-11-21 15:22:57,427 - detector.service - INFO - Trying to delete the winpmem service...
  646. 2014-11-21 15:22:57,427 - detector - INFO - Service stopped
  647. 2014-11-21 15:22:57,427 - detector - INFO - Analysis finished
  648. 2014-11-21 23:58:17,229 - detector - INFO - Starting with process ID 1028
  649. 2014-11-21 23:58:17,229 - detector - INFO - Selected Profile Name: Win7SP1x64
  650. 2014-11-21 23:58:17,229 - detector - INFO - Selected Driver: C:\Users\******\AppData\Local\Temp\_MEI38042\drivers\winpmem64.sys
  651. 2014-11-21 23:58:17,229 - detector.service - INFO - Launching service destroyer...
  652. 2014-11-21 23:58:17,229 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
  653. 2014-11-21 23:58:17,229 - detector.service - INFO - Trying to stop the winpmem service...
  654. 2014-11-21 23:58:17,229 - detector.service - INFO - Trying to delete the winpmem service...
  655. 2014-11-21 23:58:17,229 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
  656. 2014-11-21 23:58:17,259 - detector.service - INFO - Trying to start the winpmem service...
  657. 2014-11-21 23:58:17,259 - detector - INFO - Service started
  658. 2014-11-21 23:58:17,259 - detector - INFO - Selected Yara signature file at C:\Users\*******\AppData\Local\Temp\_MEI38042\rules\signatures.yar
  659. 2014-11-21 23:58:17,259 - detector - INFO - Obtaining address space and generating config for volatility
  660. 2014-11-21 23:58:18,447 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x09E8BAB0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x092130B0>
  661. 2014-11-21 23:58:18,447 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x09213530>, DTB: 0x187000
  662. 2014-11-21 23:58:18,447 - detector - INFO - Starting yara scanner...
  663. 2014-11-22 01:41:09,101 - detector - INFO - Scanning finished
  664. 2014-11-22 01:41:09,101 - detector.service - INFO - Trying to stop the winpmem service...
  665. 2014-11-22 01:41:09,101 - detector.service - INFO - Trying to delete the winpmem service...
  666. 2014-11-22 01:41:09,101 - detector - INFO - Service stopped
  667. 2014-11-22 01:41:09,101 - detector - INFO - Analysis finished
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!