- [*] MalFamily: "Skeeyah"
- [*] MalScore: 10.0
- [*] File Name: "Exes_41120f31b68a138be54ca024aa89556c.exe"
- [*] File Size: 2057672
- [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- [*] SHA256: "342eecde391817bdddf00059f818a5e336ac26c3eda88672c95f314c5f6a58e8"
- [*] MD5: "41120f31b68a138be54ca024aa89556c"
- [*] SHA1: "a120aad4cd31ef9ec4c289b6499d9b7c8d0e542e"
- [*] SHA512: "f48eb3cfc06051139012f1efe9013307355ed6c9b81d9a3e81709647263782e43b77433322b4cdaec575bcfe45c007c143a0aff49a1864f706657d400b56c00b"
- [*] CRC32: "522A06F8"
- [*] SSDEEP: "49152:pke+N1DZcdhrN5ilW5QuYeTx4/TJblzAhTQ0afFs4E:GeKDZcdr5MxuYeTm/81Y8"
- [*] Process Execution: [
- "Exes_41120f31b68a138be54ca024aa89556c.exe",
- "virto.CMD",
- "chkvrtb.exe",
- "npprot.exe",
- "sc.exe",
- "NPLStat.exe",
- "Virtob_UnHooker.exe",
- "Dmem.exe",
- "zzz.exe",
- "zzz.exe",
- "services.exe",
- "npprot.exe",
- "sdclt.exe",
- "GoogleUpdate.exe"
- ]
- [*] Signatures Detected: [
- {
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details": [
- {
- "IP": "172.217.0.35:443"
- }
- ]
- },
- {
- "Description": "Creates RWX memory",
- "Details": []
- },
- {
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details": [
- {
- "ioc": "http://crl.globalsign.net/root-r2.crl0"
- }
- ]
- },
- {
- "Description": "Reads data out of its own binary image",
- "Details": [
- {
- "self_read": "process: Exes_41120f31b68a138be54ca024aa89556c.exe, pid: 1608, offset: 0x00000000, length: 0x000be66e"
- },
- {
- "self_read": "process: Exes_41120f31b68a138be54ca024aa89556c.exe, pid: 1608, offset: 0x000bb004, length: 0x0013b5a8"
- },
- {
- "self_read": "process: zzz.exe, pid: 2148, offset: 0x0000003c, length: 0x00000004"
- },
- {
- "self_read": "process: zzz.exe, pid: 2148, offset: 0x000000f8, length: 0x00000004"
- },
- {
- "self_read": "process: zzz.exe, pid: 2896, offset: 0x0000003c, length: 0x00000004"
- },
- {
- "self_read": "process: zzz.exe, pid: 2896, offset: 0x000000f8, length: 0x00000004"
- }
- ]
- },
- {
- "Description": "A process created a hidden window",
- "Details": [
- {
- "Process": "zzz.exe -> \\xc3\\x9a`\\xc3\\x85t\\xc3\\x9a\\xc3\\xb8$w?\\xc2\\xab\\x12u\\x1c\\xc3\\xbd\\x18\\gtfile77\\Checkgtf.exe"
- },
- {
- "Process": "zzz.exe -> \\xc3\\x9a`\\xc3\\x85t\\xc3\\x9a\\xc3\\xb8$w?\\xc2\\xab\\x12u\\x1c\\xc3\\xbd\\x18\\gtfile77\\Checkgtf.exe"
- }
- ]
- },
- {
- "Description": "Drops a binary and executes it",
- "Details": [
- {
- "binary": "C:\\Users\\user\\npprot.exe"
- },
- {
- "binary": "C:\\zv\\virto2\\chkvrtb.exe"
- },
- {
- "binary": "C:\\zv\\virto2\\Virtob_UnHooker.exe"
- },
- {
- "binary": "C:\\zv\\virto2\\NPLStat.exe"
- },
- {
- "binary": "C:\\zv\\virto2\\zzz.exe"
- },
- {
- "binary": "C:\\zv\\virto2\\virto.CMD"
- },
- {
- "binary": "C:\\zv\\virto2\\Dmem.exe"
- }
- ]
- },
- {
- "Description": "Performs some HTTP requests",
- "Details": [
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
- },
- {
- "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
- },
- {
- "url": "http://www.msftncsi.com/ncsi.txt"
- }
- ]
- },
- {
- "Description": "Creates an autorun.inf file",
- "Details": []
- },
- {
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details": [
- {
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 9828678 times"
- }
- ]
- },
- {
- "Description": "Installs itself for autorun at Windows startup",
- "Details": [
- {
- "service name": "NPVProt"
- },
- {
- "service path": "C:\\Users\\user\\npprot.exe"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Asynchronous"
- },
- {
- "data": "1"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\ShutDown"
- },
- {
- "data": "AtShutDown"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon"
- },
- {
- "data": "unknown"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Startup"
- },
- {
- "data": "AtStartup"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logoff"
- },
- {
- "data": "AtWinLogoff"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Impersonate"
- },
- {
- "data": "0"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\DLLName"
- },
- {
- "data": "NPlogon.dll"
- },
- {
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logon"
- },
- {
- "data": "AtWinLogon"
- }
- ]
- },
- {
- "Description": "Attempts to identify installed AV products by installation directory",
- "Details": [
- {
- "file": "C:\\ProgramData\\Symantec\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
- },
- {
- "file": "C:\\Program Files (x86)\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
- },
- {
- "file": "C:\\Program Files (x86)\\Norton AntiVirus\\Quarantine"
- },
- {
- "file": "C:\\ProgramData\\Symantec\\Norton AntiVirus\\Quarantine"
- },
- {
- "file": "C:\\ProgramData\\Symantec\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
- },
- {
- "file": "C:\\Program Files (x86)\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
- }
- ]
- },
- {
- "Description": "File has been identified by 25 Antiviruses on VirusTotal as malicious",
- "Details": [
- {
- "CAT-QuickHeal": "TrojanSpy.Skeeyah"
- },
- {
- "Cylance": "Unsafe"
- },
- {
- "Alibaba": "TrojanSpy:Win32/Agent.e7bc34b5"
- },
- {
- "NANO-Antivirus": "Trojan.Win32.Agent.elgrqy"
- },
- {
- "Symantec": "Trojan.Gen"
- },
- {
- "Avast": "Win32:Malware-gen"
- },
- {
- "Tencent": "Win32.Trojan-spy.Agent.Oyog"
- },
- {
- "Sophos": "Mal/Generic-S"
- },
- {
- "Comodo": "Malware@#2vtdu87oixepi"
- },
- {
- "DrWeb": "Trojan.MulDrop6.56400"
- },
- {
- "Invincea": "heuristic"
- },
- {
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.tc"
- },
- {
- "Paloalto": "generic.ml"
- },
- {
- "Webroot": "W32.Trojan.Gen"
- },
- {
- "Microsoft": "TrojanSpy:Win32/Skeeyah.A!rfn"
- },
- {
- "AegisLab": "Trojan.Win32.Agent.4!c"
- },
- {
- "McAfee": "Artemis!41120F31B68A"
- },
- {
- "TACHYON": "Trojan-Spy/W32.Agent.2057672"
- },
- {
- "VBA32": "TrojanSpy.Agent"
- },
- {
- "Rising": "Spyware.Agent!8.C6 (CLOUD)"
- },
- {
- "Ikarus": "Trojan-Spy.Win32.Agent"
- },
- {
- "Fortinet": "W32/Malicious_Behavior.VEX"
- },
- {
- "AVG": "Win32:Malware-gen"
- },
- {
- "Panda": "Trj/CI.A"
- },
- {
- "MaxSecure": "Trojan.Malware.1728101.susgen"
- }
- ]
- },
- {
- "Description": "Creates a copy of itself",
- "Details": [
- {
- "copy": "C:\\zv\\Mem\\Exes_41120f31b68a138be54ca024aa89556c.exe.Mem"
- },
- {
- "copy": "C:\\zv\\Mem\\EXES_41120F31B68A138BE54CA024AA89556C.EXE.MEM"
- }
- ]
- },
- {
- "Description": "Attempts to modify or disable Security Center warnings",
- "Details": []
- }
- ]
- [*] Started Service: [
- "NPVProt"
- ]
- [*] Executed Commands: [
- "\"C:\\zv\\virto2\\virto.CMD\"",
- "C:\\zv\\virto2\\virto.CMD ",
- "c:\\zv\\Virto2\\chkvrtb.exe",
- "C:\\Users\\user\\npprot.exe /INSTALL",
- "SC start NPVProt",
- "C:\\zv\\virto2\\InstZvFort.exe //H",
- "C:\\zv\\virto2\\SetNPLogon.exe ",
- "C:\\zv\\virto2\\NPLStat.exe ",
- "C:\\zv\\virto2\\Virtob_UnHooker.exe ",
- "c:\\zv\\Virto2\\DMEM.EXE /SCAN",
- "c:\\zv\\Virto2\\zzz.exe /FOLEXE C:\\ZV\\MEM",
- "c:\\zv\\Virto2\\zzz.exe /SCANPC",
- "c:\\zv\\cmd.bat",
- "C:\\Users\\user\\npprot.exe",
- "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
- "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc",
- "\\xc3\\x9a`\\xc3\\x85t\\xc3\\x9a\\xc3\\xb8$w?\\xc2\\xab\\x12u\\x1c\\xc3\\xbd\\x18\\gtfile77\\Checkgtf.exe",
- "c:\\zv\\Virto2\\ScrnSht.exe"
- ]
- [*] Mutexes: [
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\Op1mutx9",
- "Global\\Ap1mutx7",
- "Global\\_kuku_joker_v4.00",
- "Global\\_kkiuynbvnbrev406",
- "Global\\RORR",
- "Global\\SLDT",
- "Global\\ydnm",
- "Global\\IRRD",
- "Global\\XAOP",
- "Global\\ZAOP",
- "Global\\xttk",
- "Global\\owoq",
- "Global\\zlka",
- "Global\\ALCMTrayMutex",
- "Global\\uku_joker_v3.06",
- "Global\\KUKU300a",
- "Global\\KUKU301a",
- "Global\\ATIPTAAB",
- "Global\\rLlP",
- "Global\\L0aR",
- "Global\\La0S",
- "Global\\osqw",
- "Global\\L30N",
- "Global\\R30S",
- "Global\\#!Pandora_LS!#",
- "Global\\L34f",
- "Global\\l31F",
- "Global\\a13f_",
- "Global\\eyvb",
- "Global\\itr0",
- "Global\\xqnl",
- "Global\\vqyd",
- "Global\\l2r0",
- "Global\\ltr0",
- "Global\\l0r2",
- "Global\\bmvu",
- "Global\\l0r8",
- "Global\\l0r3",
- "Global\\nzcn",
- "Global\\wcoc",
- "Global\\l0s2",
- "Global\\l0s3",
- "Global\\LEAX",
- "Global\\ChineseHacker-2",
- "Global\\ogkf",
- "Global\\l0r5",
- "Global\\REAF",
- "Global\\oddy",
- "Global\\qfdze",
- "Global\\coyz",
- "Global\\flpn",
- "Global\\L34N",
- "Global\\l0s6",
- "Global\\m10n",
- "Global\\onln",
- "Global\\likl",
- "Global\\PEINFECT",
- "Global\\uxJLpe1m",
- "Global\\kuku_joker_v3.04",
- "Global\\ahio",
- "Global\\CNNIC#v1",
- "Global\\PNP#DMUTEX#1#DL5",
- "Global\\__CORE_DL5__",
- "Global\\__DL5_INF__",
- "Global\\PNP#NETMUTEX#1#DL5",
- "Global\\Angry Angel v3.0",
- "Global\\cBot-usb01",
- "Global\\__DL5EX__",
- "Global\\__DL_CORE_MUTEX__",
- "Global\\ACPI#PNP0D0D#1#Amd_DL5",
- "Global\\dltd",
- "Global\\gplp",
- "Global\\mxqb",
- "Global\\amoq",
- "Global\\vkbs",
- "Global\\kkru",
- "Global\\l0s7",
- "Global\\nqef",
- "Global\\kefr",
- "Global\\trvr",
- "Global\\hvfat",
- "Global\\lucp",
- "Global\\rfuy",
- "Global\\woemnm593jfe",
- "Global\\kswt",
- "Global\\l0r0",
- "Global\\l0r1",
- "Global\\l0r4",
- "Global\\l0r6",
- "Global\\l0r7",
- "Global\\l0r9",
- "Global\\l0s0",
- "Global\\l0s1",
- "Global\\l0s4",
- "Global\\l0s5",
- "Global\\l0s8",
- "Global\\l0s9",
- "Global\\GhiYhjmskLowqQ",
- "Global\\svjv",
- "Global\\ljhn",
- "Global\\orlg",
- "Global\\epno",
- "Global\\doun",
- "Global\\fakb",
- "Global\\ntda",
- "Global\\rlem",
- "Global\\ssfz",
- "Global\\vnjx",
- "Global\\ehso",
- "Global\\iyxx",
- "Global\\xeur",
- "Global\\hgic",
- "Global\\mkzo",
- "Global\\oysq",
- "Global\\vfvm",
- "Global\\euhq",
- "Global\\irni",
- "Global\\lyuw",
- "Global\\vouy",
- "Global\\mefc",
- "Global\\wteny",
- "Global\\cgxz",
- "Global\\chbr",
- "Global\\pnqd",
- "Global\\dmtu",
- "Global\\itvh",
- "Global\\zlqe",
- "Global\\tlql",
- "Global\\bsyu",
- "Global\\ujwe",
- "Global\\mnra",
- "Global\\afbi",
- "Global\\cmka",
- "Global\\qsjw",
- "Global\\xill",
- "Global\\crwr",
- "Global\\emlxd",
- "Global\\flyj",
- "Global\\qqxo",
- "Global\\rhbd",
- "Global\\akyg",
- "Global\\sleh",
- "Global\\m11n",
- "Global\\rwqag",
- "Global\\hxzg",
- "Global\\icwme",
- "Global\\vpee",
- "Global\\iowme",
- "Global\\jpea",
- "Global\\ludb",
- "Global\\gaelicum",
- "Global\\bkfn",
- "Global\\duyk",
- "Global\\qxqs",
- "Global\\cufi",
- "Global\\vqgs",
- "Global\\zfvy",
- "Global\\nyxs",
- "Global\\tixj",
- "Global\\wexb",
- "Global\\vpnn",
- "Global\\bwsd",
- "Global\\ghij",
- "Global\\djuk",
- "Global\\LtkC3",
- "Global\\ir4cnxm3oi333",
- "Global\\joet",
- "Global\\jaet",
- "Global\\hbek",
- "Global\\vhex",
- "Global\\weal",
- "Global\\fclp",
- "Global\\tweb",
- "Global\\_kelly_",
- "Global\\bjkg",
- "Global\\pizt",
- "Global\\pujh",
- "Global\\feiz",
- "Global\\jfec",
- "Global\\rudt",
- "Global\\zqoc",
- "Global\\citf",
- "Global\\rvtg",
- "Global\\rgab",
- "Global\\fjhg",
- "Global\\lncs",
- "Global\\rbzm",
- "Global\\tepn",
- "Global\\ybhy",
- "Global\\aoof",
- "Global\\ibyn",
- "Global\\KyUffThOkYwRRtgPP",
- "Global\\A_D70",
- "Global\\dwvbhjaoxdkv",
- "Global\\xvwrr",
- "Global\\AleB0",
- "Global\\AnrP2",
- "Global\\IrpF2",
- "Global\\M_x10",
- "Global\\daytt",
- "Global\\JdcBc",
- "Global\\M_x11",
- "Global\\uclsq",
- "Global\\M_D61",
- "Global\\M_D62",
- "Global\\JdcBd",
- "Global\\nadxb",
- "Global\\ArpC0",
- "Global\\yoyxh",
- "Global\\qfwte",
- "Global\\xhppq",
- "Global\\znrzy",
- "Global\\rflpt",
- "Global\\przjl",
- "Global\\ugipb",
- "Global\\vydcp",
- "Global\\dtbfh",
- "Global\\qgfdo",
- "Global\\shkqj",
- "Global\\uqema",
- "Global\\egxbk",
- "Global\\gnkzg",
- "Global\\domcv",
- "Global\\rmzku",
- "Global\\sorpr",
- "Global\\vdsty",
- "Global\\yzclj",
- "Global\\zsoxr",
- "Global\\deavw",
- "Global\\whfbb",
- "Global\\wmwjh",
- "Global\\zugwl",
- "Global\\qvsvf",
- "Global\\udagn",
- "Global\\zvuhr",
- "Global\\julct",
- "Global\\wljao",
- "Global\\yzsvu",
- "Global\\mekhz",
- "Global\\geqgn",
- "Global\\bjmuo",
- "Global\\jkrsf",
- "Global\\mareh",
- "Global\\saykv",
- "Global\\gdfiv",
- "Global\\ntdxs",
- "Global\\ogedr",
- "Global\\JdcBa",
- "Global\\mddcc",
- "Global\\tzqsq",
- "Global\\m15n",
- "Global\\srylm",
- "Global\\psoik",
- "Global\\ywxab",
- "Global\\ocgpa",
- "Global\\wdvpm",
- "Global\\jztal",
- "Global\\aihjf",
- "Global\\jheix",
- "Global\\uhrdb",
- "Global\\ocvoz",
- "Global\\srldg",
- "Global\\cydfe",
- "Global\\yvtwq",
- "Global\\haeazjkmewvo",
- "Global\\mznsg",
- "Global\\zjtsy",
- "Global\\gkmry",
- "Global\\melor",
- "Global\\eyiby",
- "Global\\hylxw",
- "Global\\fnnrf",
- "Global\\wreyg",
- "Global\\ajeck",
- "Global\\fouic",
- "Global\\glrnn",
- "Global\\ltaae",
- "Global\\rivga",
- "Global\\auxbw",
- "Global\\bliym",
- "Global\\sqksh",
- "Global\\fcjqq",
- "Global\\tiiyb",
- "Global\\xrzpo",
- "Global\\xvdsr",
- "Global\\ckowm",
- "Global\\hcinv",
- "Global\\kdekb",
- "Global\\uznrk",
- "Global\\gtedz",
- "Global\\jomlz",
- "Global\\pevpw",
- "Global\\trjnq",
- "Global\\kiqfw",
- "Global\\huufe",
- "Global\\kxosd",
- "Global\\myobf",
- "Global\\qamfp",
- "Global\\dhxkv",
- "Global\\uzrpn",
- "Global\\ggbaq",
- "Global\\ekuet",
- "Global\\eljsz",
- "Global\\esgoh",
- "Global\\rsxea",
- "Global\\fknth",
- "Global\\wpxnz",
- "Global\\hkeqd",
- "Global\\rwofw",
- "Global\\laubt",
- "Global\\saikh",
- "Global\\vqttc",
- "Global\\vrxuq",
- "Global\\qyfnc",
- "Global\\hwbkx",
- "Global\\ppcne",
- "Global\\zllyi",
- "Global\\lilnw",
- "Global\\LtkC1",
- "Global\\LtkC2",
- "Global\\nkaci",
- "Global\\rutzh",
- "Global\\ssvfm",
- "Global\\uqnwg",
- "Global\\bfezo",
- "Global\\guacz",
- "Global\\ktvsz",
- "Global\\nivoz",
- "Global\\wjlcb",
- "Global\\wybzj",
- "Global\\xsjzd",
- "Global\\mhujb",
- "Global\\ainya",
- "Global\\cimem",
- "Global\\hzrgl",
- "Global\\yrwzk",
- "Global\\ozqxc",
- "Global\\nnobl",
- "Global\\iiunx",
- "Global\\fzjsu",
- "Global\\fwwtv",
- "Global\\ffiev",
- "Global\\darfo",
- "Global\\bbrne",
- "Global\\ryzgi",
- "Global\\isphc",
- "Global\\fewgb",
- "Global\\ekmos",
- "Global\\exijm",
- "Global\\fxlgw",
- "Global\\mmple",
- "Global\\oyysc",
- "Global\\wypfe",
- "Global\\xnhkv",
- "Global\\zycyq",
- "Global\\egcsu",
- "Global\\hzaqf",
- "Global\\m13n",
- "Global\\m14n",
- "Global\\m16n",
- "Global\\m12n",
- "Global\\m17n",
- "Global\\m18n",
- "Global\\m19n",
- "Global\\blnej",
- "Global\\fitra",
- "Global\\qouxs",
- "Global\\fvgqc",
- "Global\\argfn",
- "Global\\dhvum",
- "Global\\ewwwl",
- "Global\\flckl",
- "Global\\gnnna",
- "Global\\hclyg",
- "Global\\kqaxi",
- "Global\\mqpfy",
- "Global\\nebxd",
- "Global\\oudjo",
- "Global\\qsvho",
- "Global\\rvyea",
- "Global\\rwetb",
- "Global\\tplbj",
- "Global\\vrdnu",
- "Global\\xkkqo",
- "Global\\xzemv",
- "Global\\yzjdq",
- "Global\\elhgf",
- "Global\\mnapu",
- "Global\\dtzye",
- "Global\\epqqv",
- "Global\\mfzbe",
- "Global\\owugg",
- "Global\\ptzwb",
- "Global\\pvlhq",
- "Global\\rddoz",
- "Global\\stoka",
- "Global\\trlqm",
- "Global\\wpkjg",
- "Global\\xivay",
- "Global\\yakku",
- "Global\\ybhld",
- "Global\\yhurj",
- "Global\\ykpix",
- "Global\\zbvpf",
- "Global\\pupyk",
- "Global\\uxypj",
- "Global\\zyzeu",
- "Global\\ikcfm",
- "Global\\xrilk",
- "Global\\fajfr",
- "Global\\qoxrk",
- "Global\\seduk",
- "Global\\rdehh",
- "Global\\vnsbn",
- "Global\\jioym",
- "Global\\xxqoa",
- "Global\\snonj",
- "Global\\lsguk",
- "Global\\flaat",
- "Global\\dgfvu",
- "Global\\xgqur",
- "Global\\weoua",
- "Global\\ghkrc",
- "MUTEXFS",
- "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
- "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
- "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
- "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
- ]
- [*] Modified Files: [
- "C:\\zv\\virto2\\virsgx00.db",
- "C:\\zv\\virto2\\virto.CMD",
- "C:\\zv\\virto2\\NPProt.exe",
- "C:\\zv\\virto2\\Virtob_UnHooker.exe",
- "C:\\zv\\virto2\\AIIR.DLL",
- "C:\\zv\\virto2\\KRNLOBJ.DB",
- "C:\\zv\\virto2\\exe_only.reg",
- "C:\\zv\\virto2\\all_ext.reg",
- "C:\\zv\\virto2\\PCLEAN.DLL",
- "C:\\zv\\virto2\\chkvrtb.exe",
- "C:\\zv\\virto2\\CLEAN.DLL",
- "C:\\zv\\virto2\\zzz.exe",
- "C:\\zv\\virto2\\ECLEAN.DLL",
- "C:\\zv\\virto2\\OLLY.DLL",
- "C:\\zv\\virto2\\DISASM.DLL",
- "C:\\zv\\virto2\\Dmem.exe",
- "C:\\zv\\virto2\\gzip.exe",
- "C:\\zv\\virto2\\NPLStat.exe",
- "C:\\Windows\\System32\\KRNLOBJ.DB",
- "C:\\Users\\user\\npprot.exe",
- "C:\\ProgramData\\Net Protector\\chkvrtb.ini",
- "C:\\zv\\unhook.log",
- "C:\\zv\\ProcName.log",
- "C:\\zv\\Mem\\zzz.exe.Mem",
- "C:\\zv\\Mem\\PROCDISP.EXE.Mem",
- "C:\\zv\\Mem\\Execscan.exe.Mem",
- "C:\\zv\\Mem\\spoolsv.exe.Mem",
- "C:\\zv\\Mem\\Notepad.exe.Mem",
- "C:\\zv\\Mem\\Dmem.exe.Mem",
- "C:\\zv\\Mem\\NPLStat.exe.Mem",
- "C:\\zv\\Mem\\sc.exe.Mem",
- "C:\\zv\\Mem\\virto.CMD.Mem",
- "C:\\zv\\Mem\\Exes_41120f31b68a138be54ca024aa89556c.exe.Mem",
- "C:\\zv\\Mem\\mscorsvw.exe.Mem",
- "C:\\zv\\Mem\\armsvc.exe.Mem",
- "C:\\zv\\FASTSCAN\\DisAsm.Dll",
- "C:\\zv\\FASTSCAN\\olly.Dll",
- "C:\\zv\\FASTSCAN\\Eclean.Dll",
- "C:\\zv\\srel0202.ini",
- "C:\\zv\\Mem\\mem.log",
- "C:\\zv\\pcl.ini",
- "C:\\zv\\Mem\\ARMSVC.EXE.MEM",
- "C:\\zv\\Mem\\DMEM.EXE.MEM",
- "C:\\zv\\Mem\\EXES_41120F31B68A138BE54CA024AA89556C.EXE.MEM",
- "C:\\zv\\Mem\\MSCORSVW.EXE.MEM",
- "C:\\zv\\Mem\\NOTEPAD.EXE.MEM",
- "C:\\zv\\Mem\\NPLSTAT.EXE.MEM",
- "C:\\zv\\Mem\\SC.EXE.MEM",
- "C:\\zv\\Mem\\VIRTO.CMD.MEM",
- "C:\\zv\\Mem\\ZZZ.EXE.MEM",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
- "C:\\zv\\Eventsrv.log",
- "C:\\zv\\fs1.log",
- "C:\\zv\\bugcache.TXT",
- "C:\\zv\\virto2\\scriptx.db",
- "C:\\zv\\virto2\\scriptA.db",
- "C:\\zv\\virto2\\Report\\17-06-2019_16-54-38_ScanFolder.log",
- "C:\\ProgramData\\Net Protector\\NPAVSCN.DAT",
- "C:\\zv\\REMDRV.LOG",
- "C:\\ProgramData\\Net Protector\\scnInfo.ini",
- "C:\\zv\\virto2\\Report\\17-06-2019_16-54-50_ScanPC.log",
- "C:\\Windows\\assembly\\GAC_32\\MSBuild\\3.5.0.0__B03F5F7F11D50A3A\\MSBuild.exe",
- "C:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__B03F5F7F11D50A3A\\MSBuild.exe",
- "C:\\Windows\\assembly\\GAC_MSIL\\COMSVCCONFIG\\3.0.0.0__B03F5F7F11D50A3A\\COMSVCCONFIG.EXE",
- "C:\\Windows\\assembly\\GAC_MSIL\\dfsvc\\2.0.0.0__B03F5F7F11D50A3A\\dfsvc.exe",
- "C:\\Windows\\assembly\\GAC_MSIL\\Narrator\\6.1.0.0__31BF3856AD364E35\\Narrator.exe",
- "C:\\Windows\\assembly\\GAC_MSIL\\PRESENTATIONFONTCACHE\\3.0.0.0__31BF3856AD364E35\\PRESENTATIONFONTCACHE.EXE",
- "C:\\Windows\\assembly\\GAC_MSIL\\SMSVCHOST\\3.0.0.0__B03F5F7F11D50A3A\\SMSVCHOST.EXE",
- "C:\\Windows\\assembly\\GAC_MSIL\\WSATCONFIG\\3.0.0.0__B03F5F7F11D50A3A\\WSATCONFIG.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\COMSVCCONFIG\\5F1A06C0108B2C81CDE1DC491D74043D\\COMSVCCONFIG.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\dfsvc\\2C3E7FDA8DE40E45E7F5E004094DC7C9\\DFSVC.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\MSBuild\\AF28543D9B3E7D9F110448ECCE53CD72\\MSBUILD.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\Narrator\\0BAE62C3FC6C327ED24989263988173D\\NARRATOR.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\PRESENTATIONFONTCAC#\\B3ADE8D5C0D4BB5D4940BCAFD3453642\\PRESENTATIONFONTCACHE.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\SMSVCHOST\\1BC1EE3C3AA45D28DCF4657BCEB2FCB4\\SMSVCHOST.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\WSATCONFIG\\96A8BDAFBA9F9D3E33CD974BFAA67E58\\WSATCONFIG.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\COMSVCCONFIG\\D632B7434F821829827657E23AC98589\\COMSVCCONFIG.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\dfsvc\\9BC0D921859B039D6E9F642148333949\\DFSVC.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\MSBuild\\1A154709CDFE214029EA88C51AB2B579\\MSBUILD.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\Narrator\\4CC02FAD33053737088D4C18267CA0A0\\NARRATOR.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\PRESENTATIONFONTCAC#\\0246845F487E5F33D3564EFF578665A3\\PRESENTATIONFONTCACHE.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\SMSVCHOST\\04D794428D635F6A82AC57DD3D6F3628\\SMSVCHOST.NI.EXE",
- "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\WSATCONFIG\\36CA2928B2191011831AB673861C6AC6\\WSATCONFIG.NI.EXE",
- "C:\\Windows\\bfsvc.exe",
- "C:\\Windows\\BITLOCKERDISCOVERYVOLUMECONTENTS\\BITLOCKERTOGO.EXE",
- "C:\\Windows\\Boot\\PCAT\\memtest.exe",
- "C:\\Windows\\explorer.exe",
- "C:\\Windows\\FVEUPDATE.EXE",
- "C:\\Windows\\HelpPane.exe",
- "C:\\Windows\\hh.exe",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACROBROKER.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\AcroRd32.exe",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACRORD32INFO.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACROTEXTEXTRACTOR.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\adelrcp.exe",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ADOBECOLLABSYNC.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\eula.exe",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\LOGTRANSPORT2.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\RDRSERVICESUPDATER.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\READER_SL.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\WOW_HELPER.EXE",
- "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\_4BITMAPIBROKER.EXE",
- "C:\\Windows\\INSTALLER\\{16CD92A4-0152-4CB7-8FD6-9788D3363616}\\PYTHON_ICON.EXE",
- "C:\\Windows\\INSTALLER\\{90150000-001F-0409-0000-0000000FF1CE}\\misc.exe",
- "C:\\Windows\\INSTALLER\\{90150000-001F-040C-0000-0000000FF1CE}\\misc.exe",
- "C:\\Windows\\INSTALLER\\{90150000-001F-0C0A-0000-0000000FF1CE}\\misc.exe",
- "C:\\Windows\\INSTALLER\\{90150000-006E-0409-0000-0000000FF1CE}\\misc.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\accicons.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\dbcicons.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\GRV_ICONS.EXE",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\inficon.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\joticon.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\lyncicon.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\misc.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\msouc.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\OSMADMINICON.EXE",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\OSMCLIENTICON.EXE",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\outicon.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\pptico.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\pubs.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\sscicons.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\wordicon.exe",
- "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\xlicons.exe",
- "C:\\Windows\\INSTALLER\\{E9E68605-DE3F-4B4C-871B-FEB06DC5D167}\\ARPPRODUCTICON.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\NETFXSBS10.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\APPLAUNCH.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_COMPILER.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_REGBROWSERS.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_REGIIS.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_REGSQL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_WP.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\CasPol.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\csc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\cvtres.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\dfsvc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\dw20.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\IEExec.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ilasm.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\INSTALLUTIL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\jsc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\MSBuild.exe",
- "C:\\zv\\huristic.log",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\mscorsvw.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ngen.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\RegAsm.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\RegSvcs.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\vbc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\COMSVCCONFIG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\infocard.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SERVICEMODELREG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMCONFIGINSTALLER.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMSVCHOST.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\WSATCONFIG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WPF\\XAMLVIEWER\\XAMLVIEWER_V0300.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\ADDINPROCESS.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\ADDINPROCESS32.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\ADDINUTIL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\csc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\DATASVCUTIL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\EdmGen.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\MSBuild.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\vbc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\WFSERVICESREG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\APPLAUNCH.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_COMPILER.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_REGBROWSERS.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_REGIIS.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_REGSQL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_STATE.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_WP.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\CasPol.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\csc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\cvtres.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\dfsvc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\dw20.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\IEExec.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ilasm.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\INSTALLUTIL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\jsc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\Ldr64.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\MSBuild.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\mscorsvw.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ngen.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\RegAsm.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\RegSvcs.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\vbc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\COMSVCCONFIG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\infocard.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SERVICEMODELREG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMCONFIGINSTALLER.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMSVCHOST.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\WSATCONFIG.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WPF\\PRESENTATIONFONTCACHE.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WPF\\XAMLVIEWER\\XAMLVIEWER_V0300.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\ADDINPROCESS.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\ADDINPROCESS32.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\ADDINUTIL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\csc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\DATASVCUTIL.EXE",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\EdmGen.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\MSBuild.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\vbc.exe",
- "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\WFSERVICESREG.EXE",
- "C:\\Windows\\notepad.exe",
- "C:\\Windows\\py.exe",
- "C:\\Windows\\pyw.exe",
- "C:\\Windows\\regedit.exe",
- "C:\\Windows\\SERVICING\\GC64\\tzupd.exe",
- "C:\\Windows\\SERVICING\\TRUSTEDINSTALLER.EXE",
- "C:\\Windows\\Speech\\Common\\sapisvr.exe",
- "C:\\Windows\\splwow64.exe",
- "C:\\Windows\\System32\\ADAPTERTROUBLESHOOTER.EXE",
- "C:\\Windows\\System32\\ARP.EXE",
- "C:\\Windows\\System32\\at.exe",
- "C:\\Windows\\System32\\AtBroker.exe",
- "C:\\Windows\\System32\\attrib.exe",
- "C:\\Windows\\System32\\auditpol.exe",
- "C:\\Windows\\System32\\autochk.exe",
- "C:\\Windows\\System32\\autoconv.exe",
- "C:\\Windows\\System32\\autofmt.exe",
- "C:\\Windows\\System32\\BITSADMIN.EXE",
- "C:\\Windows\\System32\\bootcfg.exe",
- "C:\\Windows\\System32\\BTHUDTASK.EXE",
- "C:\\Windows\\System32\\Bubbles.scr",
- "C:\\Windows\\System32\\cacls.exe",
- "C:\\Windows\\System32\\calc.exe",
- "C:\\Windows\\System32\\CERTENROLLCTRL.EXE",
- "C:\\Windows\\System32\\certreq.exe",
- "C:\\Windows\\System32\\certutil.exe",
- "C:\\Windows\\System32\\charmap.exe",
- "C:\\Windows\\System32\\chkdsk.exe",
- "C:\\Windows\\System32\\chkntfs.exe",
- "C:\\Windows\\System32\\choice.exe",
- "C:\\Windows\\System32\\cipher.exe",
- "C:\\Windows\\System32\\cleanmgr.exe",
- "C:\\Windows\\System32\\cliconfg.exe",
- "C:\\Windows\\System32\\clip.exe",
- "C:\\Windows\\System32\\cmd.exe",
- "C:\\Windows\\System32\\cmdkey.exe",
- "C:\\Windows\\System32\\cmdl32.exe",
- "C:\\Windows\\System32\\cmmon32.exe",
- "C:\\Windows\\System32\\cmstp.exe",
- "C:\\Windows\\System32\\colorcpl.exe",
- "C:\\Windows\\System32\\com\\comrepl.exe",
- "C:\\Windows\\System32\\com\\MigRegDB.exe",
- "C:\\Windows\\System32\\comp.exe",
- "C:\\Windows\\System32\\compact.exe",
- "C:\\Windows\\System32\\COMPUTERDEFAULTS.EXE",
- "C:\\Windows\\System32\\control.exe",
- "C:\\Windows\\System32\\convert.exe",
- "C:\\Windows\\System32\\credwiz.exe",
- "C:\\Windows\\System32\\cscript.exe",
- "C:\\Windows\\System32\\ctfmon.exe",
- "C:\\Windows\\System32\\cttune.exe",
- "C:\\Windows\\System32\\CTTUNESVR.EXE",
- "C:\\Windows\\System32\\dccw.exe",
- "C:\\Windows\\System32\\dcomcnfg.exe",
- "C:\\Windows\\System32\\ddodiag.exe",
- "C:\\Windows\\System32\\DEVICEPAIRINGWIZARD.EXE",
- "C:\\Windows\\System32\\DEVICEPROPERTIES.EXE",
- "C:\\Windows\\System32\\dfrgui.exe",
- "C:\\Windows\\System32\\dialer.exe",
- "C:\\Windows\\System32\\diantz.exe",
- "C:\\Windows\\System32\\diskpart.exe",
- "C:\\Windows\\System32\\diskperf.exe",
- "C:\\Windows\\System32\\diskraid.exe",
- "C:\\Windows\\System32\\Dism\\DismHost.exe",
- "C:\\Windows\\System32\\Dism.exe",
- "C:\\Windows\\System32\\DISPLAYSWITCH.EXE",
- "C:\\Windows\\System32\\dllhost.exe",
- "C:\\Windows\\System32\\dllhst3g.exe",
- "C:\\Windows\\System32\\DNSCACHEUGC.EXE",
- "C:\\Windows\\System32\\doskey.exe",
- "C:\\Windows\\System32\\dpapimig.exe",
- "C:\\Windows\\System32\\DPISCALING.EXE",
- "C:\\Windows\\System32\\dplaysvr.exe",
- "C:\\Windows\\System32\\dpnsvr.exe",
- "C:\\Windows\\System32\\DRIVERQUERY.EXE",
- "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\BRMFCMF.INF_AMD64_NEUTRAL_67B5984F8E8FF717\\BrmfRsmg.exe",
- "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\BRMFCWIA.INF_AMD64_NEUTRAL_817B8835AED3D6B7\\BrmfRsmg.exe",
- "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\BTH.INF_AMD64_NEUTRAL_E54666F6A3E5AF91\\fsquirt.exe",
- "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\DIVACX64.INF_AMD64_NEUTRAL_FA0F82F024789743\\ditrace.exe",
- "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\DIVACX64.INF_AMD64_NEUTRAL_FA0F82F024789743\\xlog.exe",
- "\\??\\PIPE\\wkssvc",
- "\\??\\pipe\\GoogleCrashServices\\S-1-5-18"
- ]
- [*] Deleted Files: [
- "C:\\zv\\Virto2Info.log",
- "C:\\zv\\ChkVirto.log",
- "C:\\ProgramData\\Net Protector\\scncndn.ini",
- "C:\\zv\\ProcName.log",
- "C:\\zv\\vb_npav.ini",
- "C:\\zv\\eventsrv.log",
- "C:\\zv\\fastscan.log",
- "C:\\zv\\memscan.log",
- "C:\\zv\\fs2.log",
- "C:\\zv\\huristic.log",
- "C:\\ProgramData\\Net Protector\\scrche.dat",
- "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}\\74.0.3729.169_73.0.3683.86_chrome_updater.exe",
- "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}"
- ]
- [*] Modified Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options\\curextsel",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options\\userextlist",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options\\memscan",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Asynchronous",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\DLLName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Impersonate",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logoff",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logon",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\ShutDown",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Startup",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\ScrDbDate",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS\\VirusDBDate",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Message Labs\\Net Protector\\Config",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Message Labs\\Net Protector\\Config\\Avstat",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS\\Scnper",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\CrashInfo",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\Step",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\LastScan",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\LastScan\\Date",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\LastScan\\Count",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS\\FlCnt",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Message Labs\\Net Protector\\Config\\NTDRIVEREXTS",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\65D2E23834BB46617DFBFC4CBA750E45#69632",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\8DCC69147FD015F14E2E996FCEAEF94F#87888",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\915978E96127EBEB87A5CD3CF356A763#65536",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\FBE8E04888D349424DA6655F053F61F7#83792",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\EB3D179DB297502BDC131B51F1FDE466#202752",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{6D2B9BDF-D0B3-4319-B42F-2DF594E0BCF7}",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{6D2B9BDF-D0B3-4319-B42F-2DF594E0BCF7}\\PersistedPingString",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{6D2B9BDF-D0B3-4319-B42F-2DF594E0BCF7}\\PersistedPingTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
- "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\LastCheckSuccess",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
- "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue"
- ]
- [*] Deleted Registry Keys: [
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\CrashInfo",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\Step",
- "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\MemScnStarted",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince"
- ]
- [*] DNS Communications: []
- [*] Domains: []
- [*] Network Communication - ICMP: []
- [*] Network Communication - HTTP: [
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.digicert.com",
- "version": "1.1",
- "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
- "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
- "port": 80
- },
- {
- "count": 1,
- "body": "",
- "uri": "http://www.msftncsi.com/ncsi.txt",
- "user-agent": "Microsoft NCSI",
- "method": "GET",
- "host": "www.msftncsi.com",
- "version": "1.1",
- "path": "/ncsi.txt",
- "data": "GET /ncsi.txt HTTP/1.1\r\nConnection: Close\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftncsi.com\r\n\r\n",
- "port": 80
- }
- ]
- [*] Network Communication - SMTP: []
- [*] Network Communication - Hosts: []
- [*] Network Communication - IRC: []
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "MultiByteToWideChar",
- "address": "0x48c034"
- },
- {
- "name": "LCMapStringA",
- "address": "0x48c038"
- },
- {
- "name": "LCMapStringW",
- "address": "0x48c03c"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x48c040"
- },
- {
- "name": "IsBadWritePtr",
- "address": "0x48c044"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x48c048"
- },
- {
- "name": "IsBadCodePtr",
- "address": "0x48c04c"
- },
- {
- "name": "SetStdHandle",
- "address": "0x48c050"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x48c054"
- },
- {
- "name": "CreateProcessA",
- "address": "0x48c058"
- },
- {
- "name": "CompareStringA",
- "address": "0x48c05c"
- },
- {
- "name": "CompareStringW",
- "address": "0x48c060"
- },
- {
- "name": "SetEnvironmentVariableA",
- "address": "0x48c064"
- },
- {
- "name": "GetStringTypeA",
- "address": "0x48c068"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x48c06c"
- },
- {
- "name": "GetCurrentDirectoryW",
- "address": "0x48c070"
- },
- {
- "name": "GetCurrentDirectoryA",
- "address": "0x48c074"
- },
- {
- "name": "DeleteFileA",
- "address": "0x48c078"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x48c07c"
- },
- {
- "name": "GetCPInfo",
- "address": "0x48c080"
- },
- {
- "name": "VirtualFree",
- "address": "0x48c084"
- },
- {
- "name": "HeapCreate",
- "address": "0x48c088"
- },
- {
- "name": "HeapDestroy",
- "address": "0x48c08c"
- },
- {
- "name": "GetEnvironmentVariableA",
- "address": "0x48c090"
- },
- {
- "name": "GetFileType",
- "address": "0x48c094"
- },
- {
- "name": "GetStdHandle",
- "address": "0x48c098"
- },
- {
- "name": "SetHandleCount",
- "address": "0x48c09c"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x48c0a0"
- },
- {
- "name": "GetEnvironmentStrings",
- "address": "0x48c0a4"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x48c0a8"
- },
- {
- "name": "FreeEnvironmentStringsA",
- "address": "0x48c0ac"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x48c0b0"
- },
- {
- "name": "HeapFree",
- "address": "0x48c0b4"
- },
- {
- "name": "HeapSize",
- "address": "0x48c0b8"
- },
- {
- "name": "HeapAlloc",
- "address": "0x48c0bc"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x48c0c0"
- },
- {
- "name": "GetVersion",
- "address": "0x48c0c4"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x48c0c8"
- },
- {
- "name": "GetStartupInfoA",
- "address": "0x48c0cc"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x48c0d0"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x48c0d4"
- },
- {
- "name": "TerminateProcess",
- "address": "0x48c0d8"
- },
- {
- "name": "ExitProcess",
- "address": "0x48c0dc"
- },
- {
- "name": "GetTickCount",
- "address": "0x48c0e0"
- },
- {
- "name": "GetSystemTime",
- "address": "0x48c0e4"
- },
- {
- "name": "GetOEMCP",
- "address": "0x48c0e8"
- },
- {
- "name": "Sleep",
- "address": "0x48c0ec"
- },
- {
- "name": "CloseHandle",
- "address": "0x48c0f0"
- },
- {
- "name": "SetEndOfFile",
- "address": "0x48c0f4"
- },
- {
- "name": "SetFilePointer",
- "address": "0x48c0f8"
- },
- {
- "name": "CompareFileTime",
- "address": "0x48c0fc"
- },
- {
- "name": "FileTimeToLocalFileTime",
- "address": "0x48c100"
- },
- {
- "name": "FileTimeToDosDateTime",
- "address": "0x48c104"
- },
- {
- "name": "SystemTimeToFileTime",
- "address": "0x48c108"
- },
- {
- "name": "GetLocalTime",
- "address": "0x48c10c"
- },
- {
- "name": "LocalFileTimeToFileTime",
- "address": "0x48c110"
- },
- {
- "name": "DosDateTimeToFileTime",
- "address": "0x48c114"
- },
- {
- "name": "SetFileTime",
- "address": "0x48c118"
- },
- {
- "name": "GetACP",
- "address": "0x48c11c"
- },
- {
- "name": "ReadFile",
- "address": "0x48c120"
- },
- {
- "name": "GetFileSize",
- "address": "0x48c124"
- },
- {
- "name": "GetLastError",
- "address": "0x48c128"
- },
- {
- "name": "LocalFree",
- "address": "0x48c12c"
- },
- {
- "name": "GetFullPathNameW",
- "address": "0x48c130"
- },
- {
- "name": "GetFullPathNameA",
- "address": "0x48c134"
- },
- {
- "name": "GetTempPathW",
- "address": "0x48c138"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x48c13c"
- },
- {
- "name": "MoveFileW",
- "address": "0x48c140"
- },
- {
- "name": "CopyFileW",
- "address": "0x48c144"
- },
- {
- "name": "DeleteFileW",
- "address": "0x48c148"
- },
- {
- "name": "GetFileAttributesW",
- "address": "0x48c14c"
- },
- {
- "name": "CreateDirectoryW",
- "address": "0x48c150"
- },
- {
- "name": "SetCurrentDirectoryW",
- "address": "0x48c154"
- },
- {
- "name": "SetCurrentDirectoryA",
- "address": "0x48c158"
- },
- {
- "name": "SetFileAttributesW",
- "address": "0x48c15c"
- },
- {
- "name": "GetFileTime",
- "address": "0x48c160"
- },
- {
- "name": "RemoveDirectoryW",
- "address": "0x48c164"
- },
- {
- "name": "GetTimeZoneInformation",
- "address": "0x48c168"
- },
- {
- "name": "MoveFileA",
- "address": "0x48c16c"
- },
- {
- "name": "WriteFile",
- "address": "0x48c170"
- },
- {
- "name": "CopyFileA",
- "address": "0x48c174"
- },
- {
- "name": "GetFileAttributesA",
- "address": "0x48c178"
- },
- {
- "name": "FormatMessageA",
- "address": "0x48c17c"
- },
- {
- "name": "GetTempPathA",
- "address": "0x48c180"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x48c184"
- },
- {
- "name": "CreateDirectoryA",
- "address": "0x48c188"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x48c18c"
- },
- {
- "name": "CreateFileA",
- "address": "0x48c190"
- },
- {
- "name": "GetComputerNameA",
- "address": "0x48c194"
- },
- {
- "name": "IsBadReadPtr",
- "address": "0x48c198"
- },
- {
- "name": "CreateFileW",
- "address": "0x48c19c"
- },
- {
- "name": "GetVersionExA",
- "address": "0x48c1a0"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x48c1a4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x48c1a8"
- },
- {
- "name": "LoadLibraryA",
- "address": "0x48c1ac"
- },
- {
- "name": "LocalAlloc",
- "address": "0x48c1b0"
- },
- {
- "name": "FreeLibrary",
- "address": "0x48c1b4"
- },
- {
- "name": "RtlUnwind",
- "address": "0x48c1b8"
- },
- {
- "name": "GetExitCodeProcess",
- "address": "0x48c1bc"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "RegisterClassExW",
- "address": "0x48c1d8"
- },
- {
- "name": "LoadCursorA",
- "address": "0x48c1dc"
- },
- {
- "name": "DialogBoxParamW",
- "address": "0x48c1e0"
- },
- {
- "name": "CreateWindowExW",
- "address": "0x48c1e4"
- },
- {
- "name": "LoadStringW",
- "address": "0x48c1e8"
- },
- {
- "name": "OffsetRect",
- "address": "0x48c1ec"
- },
- {
- "name": "CopyRect",
- "address": "0x48c1f0"
- },
- {
- "name": "GetWindowRect",
- "address": "0x48c1f4"
- },
- {
- "name": "GetDesktopWindow",
- "address": "0x48c1f8"
- },
- {
- "name": "MessageBoxW",
- "address": "0x48c1fc"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x48c200"
- },
- {
- "name": "EndDialog",
- "address": "0x48c204"
- },
- {
- "name": "GetMessageA",
- "address": "0x48c208"
- },
- {
- "name": "TranslateMessage",
- "address": "0x48c20c"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x48c210"
- },
- {
- "name": "MessageBoxA",
- "address": "0x48c214"
- },
- {
- "name": "GetDlgItem",
- "address": "0x48c218"
- },
- {
- "name": "SendMessageA",
- "address": "0x48c21c"
- },
- {
- "name": "SetWindowPos",
- "address": "0x48c220"
- },
- {
- "name": "PostMessageA",
- "address": "0x48c224"
- },
- {
- "name": "SetTimer",
- "address": "0x48c228"
- },
- {
- "name": "GetDlgItemTextA",
- "address": "0x48c22c"
- },
- {
- "name": "LoadStringA",
- "address": "0x48c230"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x48c234"
- },
- {
- "name": "DestroyWindow",
- "address": "0x48c238"
- },
- {
- "name": "BeginPaint",
- "address": "0x48c23c"
- },
- {
- "name": "EndPaint",
- "address": "0x48c240"
- },
- {
- "name": "GetDlgItemTextW",
- "address": "0x48c244"
- },
- {
- "name": "SetWindowTextW",
- "address": "0x48c248"
- },
- {
- "name": "MoveWindow",
- "address": "0x48c24c"
- },
- {
- "name": "SetDlgItemTextW",
- "address": "0x48c250"
- },
- {
- "name": "EnableWindow",
- "address": "0x48c254"
- },
- {
- "name": "SetDlgItemTextA",
- "address": "0x48c258"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "SHGetPathFromIDListW",
- "address": "0x48c1c4"
- },
- {
- "name": "SHBrowseForFolderW",
- "address": "0x48c1c8"
- },
- {
- "name": "ShellExecuteExW",
- "address": "0x48c1cc"
- },
- {
- "name": "SHGetMalloc",
- "address": "0x48c1d0"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "CertNameToStrA",
- "address": "0x48c020"
- },
- {
- "name": "CertFreeCertificateContext",
- "address": "0x48c024"
- },
- {
- "name": "CryptDecodeObject",
- "address": "0x48c028"
- },
- {
- "name": "CertCloseStore",
- "address": "0x48c02c"
- }
- ],
- "dll": "CRYPT32.dll"
- },
- {
- "imports": [
- {
- "name": "WSAStartup",
- "address": "0x48c260"
- },
- {
- "name": "setsockopt",
- "address": "0x48c264"
- },
- {
- "name": "WSAGetLastError",
- "address": "0x48c268"
- },
- {
- "name": "socket",
- "address": "0x48c26c"
- },
- {
- "name": "inet_addr",
- "address": "0x48c270"
- },
- {
- "name": "htons",
- "address": "0x48c274"
- },
- {
- "name": "gethostbyname",
- "address": "0x48c278"
- },
- {
- "name": "connect",
- "address": "0x48c27c"
- },
- {
- "name": "ioctlsocket",
- "address": "0x48c280"
- },
- {
- "name": "select",
- "address": "0x48c284"
- },
- {
- "name": "bind",
- "address": "0x48c288"
- },
- {
- "name": "closesocket",
- "address": "0x48c28c"
- },
- {
- "name": "recv",
- "address": "0x48c290"
- },
- {
- "name": "send",
- "address": "0x48c294"
- },
- {
- "name": "shutdown",
- "address": "0x48c298"
- }
- ],
- "dll": "WS2_32.dll"
- },
- {
- "imports": [
- {
- "name": "RegOpenKeyExA",
- "address": "0x48c000"
- },
- {
- "name": "CryptAcquireContextA",
- "address": "0x48c004"
- },
- {
- "name": "CryptReleaseContext",
- "address": "0x48c008"
- },
- {
- "name": "CryptGenRandom",
- "address": "0x48c00c"
- },
- {
- "name": "RegQueryValueExA",
- "address": "0x48c010"
- },
- {
- "name": "RegCloseKey",
- "address": "0x48c014"
- },
- {
- "name": "GetUserNameA",
- "address": "0x48c018"
- }
- ],
- "dll": "ADVAPI32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00204fd4",
- "overlay": {
- "size": "0x0013b5c8",
- "offset": "0x000bb000"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x0046ffb4",
- "timestamp": "2009-10-31 12:28:29",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x0008b000",
- "entropy": "6.55",
- "raw_address": "0x00001000",
- "virtual_size": "0x0008a4f2",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0008c000",
- "size_of_data": "0x00012000",
- "entropy": "4.44",
- "raw_address": "0x0008c000",
- "virtual_size": "0x00011796",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0009e000",
- "size_of_data": "0x0001c000",
- "entropy": "6.08",
- "raw_address": "0x0009e000",
- "virtual_size": "0x00020878",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x000bf000",
- "size_of_data": "0x00001000",
- "entropy": "2.23",
- "raw_address": "0x000ba000",
- "virtual_size": "0x000008d0",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0009c9e0",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000008c"
- },
- {
- "virtual_address": "0x000bf000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000008d0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0008c000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000002a0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "61a42ebe2c6271565f77bdad50265621",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 6,
- "versioninfo": []
- }
- }
- [*] Resolved APIs: [
- "kernel32.dll.IsProcessorFeaturePresent",
- "cryptsp.dll.CryptAcquireContextA",
- "cryptsp.dll.CryptGenRandom",
- "cryptsp.dll.CryptReleaseContext",
- "uxtheme.dll.ThemeInitApiHook",
- "user32.dll.IsProcessDPIAware",
- "ole32.dll.OleInitialize",
- "cryptbase.dll.SystemFunction036",
- "ole32.dll.CreateBindCtx",
- "ole32.dll.CoTaskMemAlloc",
- "propsys.dll.PSCreateMemoryPropertyStore",
- "propsys.dll.PSPropertyBag_WriteDWORD",
- "ole32.dll.CoGetApartmentType",
- "ole32.dll.CoRegisterInitializeSpy",
- "ole32.dll.CoTaskMemFree",
- "comctl32.dll.#236",
- "oleaut32.dll.#6",
- "ole32.dll.CoGetMalloc",
- "propsys.dll.PSPropertyBag_ReadDWORD",
- "comctl32.dll.#320",
- "ole32.dll.StringFromGUID2",
- "comctl32.dll.#324",
- "comctl32.dll.#323",
- "advapi32.dll.RegEnumKeyW",
- "oleaut32.dll.#2",
- "propsys.dll.PSPropertyBag_ReadBSTR",
- "propsys.dll.PSPropertyBag_ReadStrAlloc",
- "shell32.dll.#102",
- "advapi32.dll.OpenThreadToken",
- "ole32.dll.CoInitializeEx",
- "ole32.dll.CoCreateInstance",
- "advapi32.dll.InitializeSecurityDescriptor",
- "advapi32.dll.SetEntriesInAclW",
- "ntmarta.dll.GetMartaExtensionInterface",
- "advapi32.dll.SetSecurityDescriptorDacl",
- "advapi32.dll.IsTextUnicode",
- "comctl32.dll.#328",
- "comctl32.dll.#334",
- "comctl32.dll.#332",
- "comctl32.dll.#338",
- "ole32.dll.CoUninitialize",
- "sechost.dll.ConvertSidToStringSidW",
- "profapi.dll.#104",
- "propsys.dll.#430",
- "advapi32.dll.RegOpenKeyExW",
- "advapi32.dll.RegGetValueW",
- "advapi32.dll.RegCloseKey",
- "ole32.dll.CoTaskMemRealloc",
- "propsys.dll.InitPropVariantFromStringAsVector",
- "propsys.dll.PSCoerceToCanonicalValue",
- "propsys.dll.PropVariantToStringAlloc",
- "ole32.dll.PropVariantClear",
- "ole32.dll.CoAllowSetForegroundWindow",
- "kernel32.dll.InitializeSRWLock",
- "kernel32.dll.AcquireSRWLockExclusive",
- "kernel32.dll.AcquireSRWLockShared",
- "kernel32.dll.ReleaseSRWLockExclusive",
- "kernel32.dll.ReleaseSRWLockShared",
- "shell32.dll.SHGetFolderPathW",
- "advapi32.dll.SaferGetPolicyInformation",
- "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
- "setupapi.dll.CM_Get_Device_Interface_List_ExW",
- "comctl32.dll.#386",
- "sfc.dll.SfcIsFileProtected",
- "setupapi.dll.PnpIsFilePnpDriver",
- "kernel32.dll.RegOpenKeyExW",
- "kernel32.dll.RegCloseKey",
- "devrtl.dll.DevRtlGetThreadLogToken",
- "apphelp.dll.AllowPermLayer",
- "kernel32.dll.BaseIsAppcompatInfrastructureDisabled",
- "apphelp.dll.SdbInitDatabase",
- "apphelp.dll.SdbGetMatchingExe",
- "apphelp.dll.SdbReleaseDatabase",
- "mpr.dll.WNetGetConnectionW",
- "ole32.dll.CoCreateGuid",
- "rpcrt4.dll.RpcStringBindingComposeW",
- "rpcrt4.dll.RpcBindingFromStringBindingW",
- "rpcrt4.dll.RpcStringFreeW",
- "rpcrt4.dll.RpcBindingSetAuthInfoExW",
- "rpcrt4.dll.NdrClientCall2",
- "ntdll.dll.RtlDllShutdownInProgress",
- "comctl32.dll.#329",
- "ole32.dll.OleUninitialize",
- "ole32.dll.CoRevokeInitializeSpy",
- "comctl32.dll.#388",
- "oleaut32.dll.#500",
- "comctl32.dll.InitCommonControlsEx",
- "dwmapi.dll.DwmIsCompositionEnabled",
- "comctl32.dll.RegisterClassNameW",
- "kernel32.dll.SortGetHandle",
- "kernel32.dll.SortCloseHandle",
- "uxtheme.dll.EnableThemeDialogTexture",
- "uxtheme.dll.OpenThemeData",
- "uxtheme.dll.GetThemeBool",
- "gdi32.dll.GetLayout",
- "gdi32.dll.GdiRealizationInfo",
- "gdi32.dll.FontIsLinked",
- "advapi32.dll.RegQueryInfoKeyW",
- "gdi32.dll.GetTextFaceAliasW",
- "advapi32.dll.RegEnumValueW",
- "advapi32.dll.RegQueryValueExW",
- "gdi32.dll.GetFontAssocStatus",
- "advapi32.dll.RegQueryValueExA",
- "advapi32.dll.RegEnumKeyExW",
- "gdi32.dll.GdiIsMetaPrintDC",
- "uxtheme.dll.BufferedPaintInit",
- "uxtheme.dll.BufferedPaintRenderAnimation",
- "uxtheme.dll.BeginBufferedAnimation",
- "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
- "uxtheme.dll.DrawThemeParentBackground",
- "uxtheme.dll.GetThemePartSize",
- "uxtheme.dll.DrawThemeBackground",
- "uxtheme.dll.GetThemeBackgroundContentRect",
- "uxtheme.dll.DrawThemeText",
- "gdi32.dll.GetTextExtentExPointWPri",
- "uxtheme.dll.EndBufferedAnimation",
- "uxtheme.dll.GetThemeTextExtent",
- "uxtheme.dll.GetThemeTransitionDuration",
- "kernel32.dll.LoadLibraryA",
- "kernel32.dll.LoadLibraryW",
- "kernel32.dll.CreateFileW",
- "kernel32.dll.GetFileAttributesW",
- "kernel32.dll.FindFirstFileW",
- "kernel32.dll.FindNextFileW",
- "kernel32.dll.MoveFileW",
- "ntdll.dll.NtQueryInformationProcess",
- "ntdll.dll.NtCreateFile",
- "ntdll.dll.NtCreateProcess",
- "ntdll.dll.NtCreateUserProcess",
- "ntdll.dll.NtCreateProcessEx",
- "ntdll.dll.NtOpenFile",
- "ntdll.dll.NtDeviceIoControlFile",
- "ntdll.dll.NtQueryDirectoryFile",
- "ntdll.dll.LdrLoadDll",
- "ntdll.dll.NtResumeThread",
- "netapi32.dll.NetpwPathCanonicalize",
- "dnsapi.dll.DnsQuery_A",
- "ws2_32.dll.closesocket",
- "ws2_32.dll.send",
- "ws2_32.dll.recv",
- "ws2_32.dll.sendto",
- "ws2_32.dll.recvfrom",
- "ntdll.dll.NtQueryInformationThread",
- "uxtheme.dll.IsThemePartDefined",
- "uxtheme.dll.GetThemeFont",
- "uxtheme.dll.GetThemeColor",
- "imm32.dll.ImmIsIME",
- "uxtheme.dll.CloseThemeData",
- "uxtheme.dll.GetThemeMargins",
- "uxtheme.dll.GetThemeTextMetrics",
- "comctl32.dll.HIMAGELIST_QueryInterface",
- "comctl32.dll.DrawShadowText",
- "comctl32.dll.DrawSizeBox",
- "comctl32.dll.DrawScrollBar",
- "comctl32.dll.SizeBoxHwnd",
- "comctl32.dll.ScrollBar_MouseMove",
- "comctl32.dll.ScrollBar_Menu",
- "comctl32.dll.HandleScrollCmd",
- "comctl32.dll.DetachScrollBars",
- "comctl32.dll.AttachScrollBars",
- "comctl32.dll.CCSetScrollInfo",
- "comctl32.dll.CCGetScrollInfo",
- "comctl32.dll.CCEnableScrollBar",
- "comctl32.dll.QuerySystemGestureStatus",
- "uxtheme.dll.#49",
- "uxtheme.dll.GetThemeInt",
- "uxtheme.dll.#47",
- "kernel32.dll.FlsAlloc",
- "kernel32.dll.FlsGetValue",
- "kernel32.dll.FlsSetValue",
- "kernel32.dll.FlsFree",
- "olly.dll.Disasm",
- "eclean.dll.eXpaj",
- "eclean.dll.eVirutCF_Aep",
- "eclean.dll.eCheckVirutCH",
- "eclean.dll.eVirutD_Aep",
- "eclean.dll.eVirutD_CallOverWrite",
- "eclean.dll.eExpiro",
- "eclean.dll.eExpiroNR",
- "eclean.dll.eExpiroNS",
- "eclean.dll.salityVParameters",
- "eclean.dll.get_VirtobCH_Size",
- "disasm.dll.VirutCE_DecryptKey",
- "disasm.dll.VirutCE_AEP",
- "disasm.dll.VirutCE_AEP_File",
- "disasm.dll.VirtutCE_EJumpOffset",
- "disasm.dll.VirtobCEI_AtAep",
- "disasm.dll.VirtobCE_BufferSize",
- "pclean.dll.PolyCleanFileEx",
- "uxtheme.dll.DrawThemeParentBackgroundEx",
- "uxtheme.dll.GetThemeEnumValue",
- "uxtheme.dll.BeginBufferedPaint",
- "uxtheme.dll.DrawThemeTextEx",
- "advapi32.dll.CheckTokenMembership",
- "pclean.dll.GetPCleanVirusName",
- "imm32.dll.ImmAssociateContext",
- "uxtheme.dll.GetThemeBackgroundExtent",
- "uxtheme.dll.EndBufferedPaint",
- "uxtheme.dll.BufferedPaintStopAllAnimations",
- "uxtheme.dll.BufferedPaintUnInit",
- "sechost.dll.LookupAccountNameLocalW",
- "advapi32.dll.LookupAccountSidW",
- "sechost.dll.LookupAccountSidLocalW",
- "kernel32.dll.LCMapStringEx",
- "kernel32.dll.InitializeCriticalSectionEx",
- "kernel32.dll.InitOnceExecuteOnce",
- "kernel32.dll.CreateEventExW",
- "kernel32.dll.CreateSemaphoreW",
- "kernel32.dll.CreateSemaphoreExW",
- "kernel32.dll.CreateThreadpoolTimer",
- "kernel32.dll.SetThreadpoolTimer",
- "kernel32.dll.WaitForThreadpoolTimerCallbacks",
- "kernel32.dll.CloseThreadpoolTimer",
- "kernel32.dll.CreateThreadpoolWait",
- "kernel32.dll.SetThreadpoolWait",
- "kernel32.dll.CloseThreadpoolWait",
- "kernel32.dll.FlushProcessWriteBuffers",
- "kernel32.dll.FreeLibraryWhenCallbackReturns",
- "kernel32.dll.GetCurrentProcessorNumber",
- "kernel32.dll.CreateSymbolicLinkW",
- "kernel32.dll.GetTickCount64",
- "kernel32.dll.GetFileInformationByHandleEx",
- "kernel32.dll.SetFileInformationByHandle",
- "kernel32.dll.InitializeConditionVariable",
- "kernel32.dll.WakeConditionVariable",
- "kernel32.dll.WakeAllConditionVariable",
- "kernel32.dll.SleepConditionVariableCS",
- "kernel32.dll.TryAcquireSRWLockExclusive",
- "kernel32.dll.SleepConditionVariableSRW",
- "kernel32.dll.CreateThreadpoolWork",
- "kernel32.dll.SubmitThreadpoolWork",
- "kernel32.dll.CloseThreadpoolWork",
- "kernel32.dll.CompareStringEx",
- "kernel32.dll.GetLocaleInfoEx",
- "goopdate.dll.DllEntry",
- "kernel32.dll.RtlCaptureStackBackTrace",
- "wkscli.dll.NetWkstaGetInfo",
- "cscapi.dll.CscNetApiGetInterface",
- "kernel32.dll.CreateMutexExW",
- "dbghelp.dll.MiniDumpWriteDump",
- "rpcrt4.dll.UuidCreate",
- "cryptsp.dll.CryptAcquireContextW",
- "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
- "ole32.dll.CoGetClassObject",
- "ole32.dll.CoGetMarshalSizeMax",
- "ole32.dll.CoMarshalInterface",
- "ole32.dll.CoUnmarshalInterface",
- "ole32.dll.StringFromIID",
- "ole32.dll.CoGetPSClsid",
- "ole32.dll.CoReleaseMarshalData",
- "ole32.dll.DcomChannelSetHResult",
- "psmachine.dll.DllGetClassObject",
- "psmachine.dll.DllCanUnloadNow",
- "advapi32.dll.RegOpenKeyW",
- "ntdll.dll.RtlGetVersion",
- "kernel32.dll.GetNativeSystemInfo",
- "winhttp.dll.WinHttpAddRequestHeaders",
- "winhttp.dll.WinHttpCheckPlatform",
- "winhttp.dll.WinHttpCloseHandle",
- "winhttp.dll.WinHttpConnect",
- "winhttp.dll.WinHttpCrackUrl",
- "winhttp.dll.WinHttpCreateUrl",
- "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
- "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
- "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpGetProxyForUrl",
- "winhttp.dll.WinHttpOpen",
- "winhttp.dll.WinHttpOpenRequest",
- "winhttp.dll.WinHttpQueryAuthSchemes",
- "winhttp.dll.WinHttpQueryDataAvailable",
- "winhttp.dll.WinHttpQueryHeaders",
- "winhttp.dll.WinHttpQueryOption",
- "winhttp.dll.WinHttpReadData",
- "winhttp.dll.WinHttpReceiveResponse",
- "winhttp.dll.WinHttpSendRequest",
- "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
- "winhttp.dll.WinHttpSetCredentials",
- "winhttp.dll.WinHttpSetOption",
- "winhttp.dll.WinHttpSetStatusCallback",
- "winhttp.dll.WinHttpSetTimeouts",
- "winhttp.dll.WinHttpWriteData",
- "shlwapi.dll.StrCmpNW",
- "shlwapi.dll.#153",
- "ws2_32.dll.GetAddrInfoW",
- "ws2_32.dll.WSASocketW",
- "ws2_32.dll.#2",
- "ws2_32.dll.#21",
- "ws2_32.dll.#9",
- "ws2_32.dll.WSAIoctl",
- "ws2_32.dll.FreeAddrInfoW",
- "ws2_32.dll.#6",
- "ws2_32.dll.#5",
- "schannel.dll.SpUserModeInitialize",
- "advapi32.dll.RegCreateKeyExW",
- "ws2_32.dll.WSASend",
- "ws2_32.dll.WSARecv",
- "advapi32.dll.RevertToSelf",
- "secur32.dll.FreeContextBuffer",
- "ncrypt.dll.SslOpenProvider",
- "ncrypt.dll.GetSChannelInterface",
- "bcryptprimitives.dll.GetHashInterface",
- "ncrypt.dll.SslIncrementProviderReferenceCount",
- "ncrypt.dll.SslImportKey",
- "bcryptprimitives.dll.GetCipherInterface",
- "ncrypt.dll.SslLookupCipherSuiteInfo",
- "user32.dll.LoadStringW",
- "ncrypt.dll.BCryptOpenAlgorithmProvider",
- "ncrypt.dll.BCryptGetProperty",
- "ncrypt.dll.BCryptCreateHash",
- "ncrypt.dll.BCryptHashData",
- "ncrypt.dll.BCryptFinishHash",
- "ncrypt.dll.BCryptDestroyHash",
- "crypt32.dll.CertGetCertificateChain",
- "userenv.dll.GetUserProfileDirectoryW",
- "sechost.dll.ConvertStringSidToSidW",
- "userenv.dll.RegisterGPNotification",
- "gpapi.dll.RegisterGPNotificationInternal",
- "sechost.dll.OpenSCManagerW",
- "sechost.dll.OpenServiceW",
- "sechost.dll.CloseServiceHandle",
- "sechost.dll.QueryServiceConfigW",
- "winsta.dll.WinStationRegisterNotificationEvent",
- "advapi32.dll.CreateWellKnownSid",
- "rpcrt4.dll.RpcAsyncInitializeHandle",
- "rpcrt4.dll.NdrAsyncClientCall",
- "cryptsp.dll.CryptCreateHash",
- "cryptsp.dll.CryptHashData",
- "cryptsp.dll.CryptVerifySignatureA",
- "cryptsp.dll.CryptDestroyKey",
- "cryptsp.dll.CryptDestroyHash",
- "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
- "ncrypt.dll.BCryptImportKeyPair",
- "ncrypt.dll.BCryptVerifySignature",
- "ncrypt.dll.BCryptDestroyKey",
- "crypt32.dll.CertVerifyCertificateChainPolicy",
- "crypt32.dll.CertFreeCertificateChain",
- "crypt32.dll.CertDuplicateCertificateContext",
- "ncrypt.dll.SslEncryptPacket",
- "ncrypt.dll.SslDecryptPacket",
- "kernel32.dll.WTSGetActiveConsoleSessionId",
- "winsta.dll.WinStationQueryInformationW",
- "rpcrt4.dll.I_RpcExceptionFilter",
- "rpcrt4.dll.RpcBindingFree",
- "kernel32.dll.IsWow64Process",
- "psapi.dll.GetProcessImageFileNameW",
- "crypt32.dll.CertFreeCertificateContext",
- "ncrypt.dll.SslFreeObject"
- ]
- [*] Static Analysis: {
- "pe": {
- "peid_signatures": null,
- "imports": [
- {
- "imports": [
- {
- "name": "MultiByteToWideChar",
- "address": "0x48c034"
- },
- {
- "name": "LCMapStringA",
- "address": "0x48c038"
- },
- {
- "name": "LCMapStringW",
- "address": "0x48c03c"
- },
- {
- "name": "VirtualAlloc",
- "address": "0x48c040"
- },
- {
- "name": "IsBadWritePtr",
- "address": "0x48c044"
- },
- {
- "name": "SetUnhandledExceptionFilter",
- "address": "0x48c048"
- },
- {
- "name": "IsBadCodePtr",
- "address": "0x48c04c"
- },
- {
- "name": "SetStdHandle",
- "address": "0x48c050"
- },
- {
- "name": "FlushFileBuffers",
- "address": "0x48c054"
- },
- {
- "name": "CreateProcessA",
- "address": "0x48c058"
- },
- {
- "name": "CompareStringA",
- "address": "0x48c05c"
- },
- {
- "name": "CompareStringW",
- "address": "0x48c060"
- },
- {
- "name": "SetEnvironmentVariableA",
- "address": "0x48c064"
- },
- {
- "name": "GetStringTypeA",
- "address": "0x48c068"
- },
- {
- "name": "GetStringTypeW",
- "address": "0x48c06c"
- },
- {
- "name": "GetCurrentDirectoryW",
- "address": "0x48c070"
- },
- {
- "name": "GetCurrentDirectoryA",
- "address": "0x48c074"
- },
- {
- "name": "DeleteFileA",
- "address": "0x48c078"
- },
- {
- "name": "WaitForSingleObject",
- "address": "0x48c07c"
- },
- {
- "name": "GetCPInfo",
- "address": "0x48c080"
- },
- {
- "name": "VirtualFree",
- "address": "0x48c084"
- },
- {
- "name": "HeapCreate",
- "address": "0x48c088"
- },
- {
- "name": "HeapDestroy",
- "address": "0x48c08c"
- },
- {
- "name": "GetEnvironmentVariableA",
- "address": "0x48c090"
- },
- {
- "name": "GetFileType",
- "address": "0x48c094"
- },
- {
- "name": "GetStdHandle",
- "address": "0x48c098"
- },
- {
- "name": "SetHandleCount",
- "address": "0x48c09c"
- },
- {
- "name": "GetEnvironmentStringsW",
- "address": "0x48c0a0"
- },
- {
- "name": "GetEnvironmentStrings",
- "address": "0x48c0a4"
- },
- {
- "name": "FreeEnvironmentStringsW",
- "address": "0x48c0a8"
- },
- {
- "name": "FreeEnvironmentStringsA",
- "address": "0x48c0ac"
- },
- {
- "name": "UnhandledExceptionFilter",
- "address": "0x48c0b0"
- },
- {
- "name": "HeapFree",
- "address": "0x48c0b4"
- },
- {
- "name": "HeapSize",
- "address": "0x48c0b8"
- },
- {
- "name": "HeapAlloc",
- "address": "0x48c0bc"
- },
- {
- "name": "HeapReAlloc",
- "address": "0x48c0c0"
- },
- {
- "name": "GetVersion",
- "address": "0x48c0c4"
- },
- {
- "name": "GetCommandLineA",
- "address": "0x48c0c8"
- },
- {
- "name": "GetStartupInfoA",
- "address": "0x48c0cc"
- },
- {
- "name": "GetModuleHandleA",
- "address": "0x48c0d0"
- },
- {
- "name": "GetCurrentProcess",
- "address": "0x48c0d4"
- },
- {
- "name": "TerminateProcess",
- "address": "0x48c0d8"
- },
- {
- "name": "ExitProcess",
- "address": "0x48c0dc"
- },
- {
- "name": "GetTickCount",
- "address": "0x48c0e0"
- },
- {
- "name": "GetSystemTime",
- "address": "0x48c0e4"
- },
- {
- "name": "GetOEMCP",
- "address": "0x48c0e8"
- },
- {
- "name": "Sleep",
- "address": "0x48c0ec"
- },
- {
- "name": "CloseHandle",
- "address": "0x48c0f0"
- },
- {
- "name": "SetEndOfFile",
- "address": "0x48c0f4"
- },
- {
- "name": "SetFilePointer",
- "address": "0x48c0f8"
- },
- {
- "name": "CompareFileTime",
- "address": "0x48c0fc"
- },
- {
- "name": "FileTimeToLocalFileTime",
- "address": "0x48c100"
- },
- {
- "name": "FileTimeToDosDateTime",
- "address": "0x48c104"
- },
- {
- "name": "SystemTimeToFileTime",
- "address": "0x48c108"
- },
- {
- "name": "GetLocalTime",
- "address": "0x48c10c"
- },
- {
- "name": "LocalFileTimeToFileTime",
- "address": "0x48c110"
- },
- {
- "name": "DosDateTimeToFileTime",
- "address": "0x48c114"
- },
- {
- "name": "SetFileTime",
- "address": "0x48c118"
- },
- {
- "name": "GetACP",
- "address": "0x48c11c"
- },
- {
- "name": "ReadFile",
- "address": "0x48c120"
- },
- {
- "name": "GetFileSize",
- "address": "0x48c124"
- },
- {
- "name": "GetLastError",
- "address": "0x48c128"
- },
- {
- "name": "LocalFree",
- "address": "0x48c12c"
- },
- {
- "name": "GetFullPathNameW",
- "address": "0x48c130"
- },
- {
- "name": "GetFullPathNameA",
- "address": "0x48c134"
- },
- {
- "name": "GetTempPathW",
- "address": "0x48c138"
- },
- {
- "name": "GetModuleFileNameW",
- "address": "0x48c13c"
- },
- {
- "name": "MoveFileW",
- "address": "0x48c140"
- },
- {
- "name": "CopyFileW",
- "address": "0x48c144"
- },
- {
- "name": "DeleteFileW",
- "address": "0x48c148"
- },
- {
- "name": "GetFileAttributesW",
- "address": "0x48c14c"
- },
- {
- "name": "CreateDirectoryW",
- "address": "0x48c150"
- },
- {
- "name": "SetCurrentDirectoryW",
- "address": "0x48c154"
- },
- {
- "name": "SetCurrentDirectoryA",
- "address": "0x48c158"
- },
- {
- "name": "SetFileAttributesW",
- "address": "0x48c15c"
- },
- {
- "name": "GetFileTime",
- "address": "0x48c160"
- },
- {
- "name": "RemoveDirectoryW",
- "address": "0x48c164"
- },
- {
- "name": "GetTimeZoneInformation",
- "address": "0x48c168"
- },
- {
- "name": "MoveFileA",
- "address": "0x48c16c"
- },
- {
- "name": "WriteFile",
- "address": "0x48c170"
- },
- {
- "name": "CopyFileA",
- "address": "0x48c174"
- },
- {
- "name": "GetFileAttributesA",
- "address": "0x48c178"
- },
- {
- "name": "FormatMessageA",
- "address": "0x48c17c"
- },
- {
- "name": "GetTempPathA",
- "address": "0x48c180"
- },
- {
- "name": "GetModuleFileNameA",
- "address": "0x48c184"
- },
- {
- "name": "CreateDirectoryA",
- "address": "0x48c188"
- },
- {
- "name": "SetFileAttributesA",
- "address": "0x48c18c"
- },
- {
- "name": "CreateFileA",
- "address": "0x48c190"
- },
- {
- "name": "GetComputerNameA",
- "address": "0x48c194"
- },
- {
- "name": "IsBadReadPtr",
- "address": "0x48c198"
- },
- {
- "name": "CreateFileW",
- "address": "0x48c19c"
- },
- {
- "name": "GetVersionExA",
- "address": "0x48c1a0"
- },
- {
- "name": "WideCharToMultiByte",
- "address": "0x48c1a4"
- },
- {
- "name": "GetProcAddress",
- "address": "0x48c1a8"
- },
- {
- "name": "LoadLibraryA",
- "address": "0x48c1ac"
- },
- {
- "name": "LocalAlloc",
- "address": "0x48c1b0"
- },
- {
- "name": "FreeLibrary",
- "address": "0x48c1b4"
- },
- {
- "name": "RtlUnwind",
- "address": "0x48c1b8"
- },
- {
- "name": "GetExitCodeProcess",
- "address": "0x48c1bc"
- }
- ],
- "dll": "KERNEL32.dll"
- },
- {
- "imports": [
- {
- "name": "RegisterClassExW",
- "address": "0x48c1d8"
- },
- {
- "name": "LoadCursorA",
- "address": "0x48c1dc"
- },
- {
- "name": "DialogBoxParamW",
- "address": "0x48c1e0"
- },
- {
- "name": "CreateWindowExW",
- "address": "0x48c1e4"
- },
- {
- "name": "LoadStringW",
- "address": "0x48c1e8"
- },
- {
- "name": "OffsetRect",
- "address": "0x48c1ec"
- },
- {
- "name": "CopyRect",
- "address": "0x48c1f0"
- },
- {
- "name": "GetWindowRect",
- "address": "0x48c1f4"
- },
- {
- "name": "GetDesktopWindow",
- "address": "0x48c1f8"
- },
- {
- "name": "MessageBoxW",
- "address": "0x48c1fc"
- },
- {
- "name": "PostQuitMessage",
- "address": "0x48c200"
- },
- {
- "name": "EndDialog",
- "address": "0x48c204"
- },
- {
- "name": "GetMessageA",
- "address": "0x48c208"
- },
- {
- "name": "TranslateMessage",
- "address": "0x48c20c"
- },
- {
- "name": "DispatchMessageA",
- "address": "0x48c210"
- },
- {
- "name": "MessageBoxA",
- "address": "0x48c214"
- },
- {
- "name": "GetDlgItem",
- "address": "0x48c218"
- },
- {
- "name": "SendMessageA",
- "address": "0x48c21c"
- },
- {
- "name": "SetWindowPos",
- "address": "0x48c220"
- },
- {
- "name": "PostMessageA",
- "address": "0x48c224"
- },
- {
- "name": "SetTimer",
- "address": "0x48c228"
- },
- {
- "name": "GetDlgItemTextA",
- "address": "0x48c22c"
- },
- {
- "name": "LoadStringA",
- "address": "0x48c230"
- },
- {
- "name": "DefWindowProcA",
- "address": "0x48c234"
- },
- {
- "name": "DestroyWindow",
- "address": "0x48c238"
- },
- {
- "name": "BeginPaint",
- "address": "0x48c23c"
- },
- {
- "name": "EndPaint",
- "address": "0x48c240"
- },
- {
- "name": "GetDlgItemTextW",
- "address": "0x48c244"
- },
- {
- "name": "SetWindowTextW",
- "address": "0x48c248"
- },
- {
- "name": "MoveWindow",
- "address": "0x48c24c"
- },
- {
- "name": "SetDlgItemTextW",
- "address": "0x48c250"
- },
- {
- "name": "EnableWindow",
- "address": "0x48c254"
- },
- {
- "name": "SetDlgItemTextA",
- "address": "0x48c258"
- }
- ],
- "dll": "USER32.dll"
- },
- {
- "imports": [
- {
- "name": "SHGetPathFromIDListW",
- "address": "0x48c1c4"
- },
- {
- "name": "SHBrowseForFolderW",
- "address": "0x48c1c8"
- },
- {
- "name": "ShellExecuteExW",
- "address": "0x48c1cc"
- },
- {
- "name": "SHGetMalloc",
- "address": "0x48c1d0"
- }
- ],
- "dll": "SHELL32.dll"
- },
- {
- "imports": [
- {
- "name": "CertNameToStrA",
- "address": "0x48c020"
- },
- {
- "name": "CertFreeCertificateContext",
- "address": "0x48c024"
- },
- {
- "name": "CryptDecodeObject",
- "address": "0x48c028"
- },
- {
- "name": "CertCloseStore",
- "address": "0x48c02c"
- }
- ],
- "dll": "CRYPT32.dll"
- },
- {
- "imports": [
- {
- "name": "WSAStartup",
- "address": "0x48c260"
- },
- {
- "name": "setsockopt",
- "address": "0x48c264"
- },
- {
- "name": "WSAGetLastError",
- "address": "0x48c268"
- },
- {
- "name": "socket",
- "address": "0x48c26c"
- },
- {
- "name": "inet_addr",
- "address": "0x48c270"
- },
- {
- "name": "htons",
- "address": "0x48c274"
- },
- {
- "name": "gethostbyname",
- "address": "0x48c278"
- },
- {
- "name": "connect",
- "address": "0x48c27c"
- },
- {
- "name": "ioctlsocket",
- "address": "0x48c280"
- },
- {
- "name": "select",
- "address": "0x48c284"
- },
- {
- "name": "bind",
- "address": "0x48c288"
- },
- {
- "name": "closesocket",
- "address": "0x48c28c"
- },
- {
- "name": "recv",
- "address": "0x48c290"
- },
- {
- "name": "send",
- "address": "0x48c294"
- },
- {
- "name": "shutdown",
- "address": "0x48c298"
- }
- ],
- "dll": "WS2_32.dll"
- },
- {
- "imports": [
- {
- "name": "RegOpenKeyExA",
- "address": "0x48c000"
- },
- {
- "name": "CryptAcquireContextA",
- "address": "0x48c004"
- },
- {
- "name": "CryptReleaseContext",
- "address": "0x48c008"
- },
- {
- "name": "CryptGenRandom",
- "address": "0x48c00c"
- },
- {
- "name": "RegQueryValueExA",
- "address": "0x48c010"
- },
- {
- "name": "RegCloseKey",
- "address": "0x48c014"
- },
- {
- "name": "GetUserNameA",
- "address": "0x48c018"
- }
- ],
- "dll": "ADVAPI32.dll"
- }
- ],
- "digital_signers": null,
- "exported_dll_name": null,
- "actual_checksum": "0x00204fd4",
- "overlay": {
- "size": "0x0013b5c8",
- "offset": "0x000bb000"
- },
- "imagebase": "0x00400000",
- "reported_checksum": "0x00000000",
- "icon_hash": null,
- "entrypoint": "0x0046ffb4",
- "timestamp": "2009-10-31 12:28:29",
- "osversion": "4.0",
- "sections": [
- {
- "name": ".text",
- "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x00001000",
- "size_of_data": "0x0008b000",
- "entropy": "6.55",
- "raw_address": "0x00001000",
- "virtual_size": "0x0008a4f2",
- "characteristics_raw": "0x60000020"
- },
- {
- "name": ".rdata",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x0008c000",
- "size_of_data": "0x00012000",
- "entropy": "4.44",
- "raw_address": "0x0008c000",
- "virtual_size": "0x00011796",
- "characteristics_raw": "0x40000040"
- },
- {
- "name": ".data",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
- "virtual_address": "0x0009e000",
- "size_of_data": "0x0001c000",
- "entropy": "6.08",
- "raw_address": "0x0009e000",
- "virtual_size": "0x00020878",
- "characteristics_raw": "0xc0000040"
- },
- {
- "name": ".rsrc",
- "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
- "virtual_address": "0x000bf000",
- "size_of_data": "0x00001000",
- "entropy": "2.23",
- "raw_address": "0x000ba000",
- "virtual_size": "0x000008d0",
- "characteristics_raw": "0x40000040"
- }
- ],
- "resources": [],
- "dirents": [
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0009c9e0",
- "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
- "size": "0x0000008c"
- },
- {
- "virtual_address": "0x000bf000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
- "size": "0x000008d0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_TLS",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x0008c000",
- "name": "IMAGE_DIRECTORY_ENTRY_IAT",
- "size": "0x000002a0"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
- "size": "0x00000000"
- },
- {
- "virtual_address": "0x00000000",
- "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
- "size": "0x00000000"
- }
- ],
- "exports": [],
- "guest_signers": {},
- "imphash": "61a42ebe2c6271565f77bdad50265621",
- "icon_fuzzy": null,
- "icon": null,
- "pdbpath": null,
- "imported_dll_count": 6,
- "versioninfo": []
- }
- }