- 2014-11-21 13:46:07,265 - detector - INFO - Starting with process ID 4928
- 2014-11-21 13:46:07,265 - detector - INFO - Selected Profile Name: Win7SP1x64
- 2014-11-21 13:46:07,265 - detector - INFO - Selected Driver: C:\Users\*******\AppData\Local\Temp\_MEI14322\drivers\winpmem64.sys
- 2014-11-21 13:46:07,265 - detector.service - INFO - Launching service destroyer...
- 2014-11-21 13:46:07,265 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
- 2014-11-21 13:46:07,265 - detector.service - INFO - Trying to stop the winpmem service...
- 2014-11-21 13:46:07,265 - detector.service - INFO - Trying to delete the winpmem service...
- 2014-11-21 13:46:07,265 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
- 2014-11-21 13:46:07,280 - detector.service - INFO - Trying to start the winpmem service...
- 2014-11-21 13:46:07,296 - detector - INFO - Service started
- 2014-11-21 13:46:07,296 - detector - INFO - Selected Yara signature file at C:\Users\******\AppData\Local\Temp\_MEI14322\rules\signatures.yar
- 2014-11-21 13:46:07,296 - detector - INFO - Obtaining address space and generating config for volatility
- 2014-11-21 13:46:08,467 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0A01B570>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x09228A50>
- 2014-11-21 13:46:08,467 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x09228FD0>, DTB: 0x187000
- 2014-11-21 13:46:08,467 - detector - INFO - Starting yara scanner...
- 2014-11-21 14:39:28,693 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275036, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275053, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275070, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x6827508D, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682750AA, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682750C7, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682750E4, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275108, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275169, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x6827518A, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751A2, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751C2, Value:
- 2014-11-21 14:39:28,707 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751E3, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x682751F6, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275208, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: FinSpy at address: 0x68275223, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752AF, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752C0, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752CE, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752DC, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: ShadowTech at address: 0x682752F7, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275322, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275329, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275357, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x6827538B, Value:
- 2014-11-21 14:39:28,723 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753A2, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753B4, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753C8, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753DF, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753F0, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x682753F8, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275400, Value:
- 2014-11-21 14:39:28,739 - detector - WARNING - Process Avira.OE.Servi (pid: 2508) matched: Gh0st at address: 0x68275408, Value:
- 2014-11-21 15:22:57,411 - detector - INFO - Scanning finished
- 2014-11-21 15:22:57,411 - detector.service - INFO - Trying to stop the winpmem service...
- 2014-11-21 15:22:57,427 - detector.service - INFO - Trying to delete the winpmem service...
- 2014-11-21 15:22:57,427 - detector - INFO - Service stopped
- 2014-11-21 15:22:57,427 - detector - INFO - Analysis finished
- 2014-11-21 23:58:17,229 - detector - INFO - Starting with process ID 1028
- 2014-11-21 23:58:17,229 - detector - INFO - Selected Profile Name: Win7SP1x64
- 2014-11-21 23:58:17,229 - detector - INFO - Selected Driver: C:\Users\******\AppData\Local\Temp\_MEI38042\drivers\winpmem64.sys
- 2014-11-21 23:58:17,229 - detector.service - INFO - Launching service destroyer...
- 2014-11-21 23:58:17,229 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
- 2014-11-21 23:58:17,229 - detector.service - INFO - Trying to stop the winpmem service...
- 2014-11-21 23:58:17,229 - detector.service - INFO - Trying to delete the winpmem service...
- 2014-11-21 23:58:17,229 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
- 2014-11-21 23:58:17,259 - detector.service - INFO - Trying to start the winpmem service...
- 2014-11-21 23:58:17,259 - detector - INFO - Service started
- 2014-11-21 23:58:17,259 - detector - INFO - Selected Yara signature file at C:\Users\*******\AppData\Local\Temp\_MEI38042\rules\signatures.yar
- 2014-11-21 23:58:17,259 - detector - INFO - Obtaining address space and generating config for volatility
- 2014-11-21 23:58:18,447 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x09E8BAB0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x092130B0>
- 2014-11-21 23:58:18,447 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x09213530>, DTB: 0x187000
- 2014-11-21 23:58:18,447 - detector - INFO - Starting yara scanner...
- 2014-11-22 01:41:09,101 - detector - INFO - Scanning finished
- 2014-11-22 01:41:09,101 - detector.service - INFO - Trying to stop the winpmem service...
- 2014-11-22 01:41:09,101 - detector.service - INFO - Trying to delete the winpmem service...
- 2014-11-22 01:41:09,101 - detector - INFO - Service stopped
- 2014-11-22 01:41:09,101 - detector - INFO - Analysis finished